Are there people who want their data to be sold?

A few years ago, people started realizing that their personal data (browsing activity, IP address, etc) were being monetized and/or exploited for profit. To combat this, the California Consumer Privacy Act (CCPA) was passed, which said that companies have to let users say no to the sale of their personal data. Other states are now passing similar bills.

For the uninitiated, personal data like IP addresses and other unique identifiers are used by advertisers, data brokers, and tracking companies to build a shadow profile of you, and to follow you across websites. That’s why if you’re shopping for blue hiking shoes, and then went to read the news on different site, you’ll see ads for blue hiking shoes on the news site. The fact that everyone has a unique IP makes it the most common and easily exploitable personal data.

So this new law passes, and now sites slap on a “Do Not Sell My Data” button to appease the regulators. What do they do? Do they work? I clicked a bunch of ‘em to find out:

Six sites with the "Do Not Sell My Data" button at the site footer.Six sites with the “Do Not Sell My Data” button at the site footer.

For shopping sites Bloomingdale’s, Nordstrom, and Lowe’s, the “Do Not Sell My Info” links lead to forms where, ironically, you’re required to give more of your personal data in order to proceed to the next step. If you’re someone who is concerned about your data being sold, why would you give away your full name, emails, phone number, home address, and credit card numbers to another third party? What are they going to do with this info?

How many companies are in the “Intel Alliance”? Who is OneTrust and what happens if Google acquires them? And WTF is “service-now.com”?How many companies are in the “Intel Alliance”? Who is OneTrust and what happens if Google acquires them? And WTF is “service-now.com”?

On popular news site “The Hill”, clicking “Do Not Sell My Data” shows a dialog that links to the privacy policies of the 32 advertising and tracking companies they work with. The “Save & Exit” button makes no sense because there are no options to save, and clicking it does nothing. The “Do Not Sell My Data” button dismisses the dialog without any visible response. Did that… do something? Do I have to click that every time I visit the site? And am I expected to read and stay updated with all 32 privacy policies just to read the news?

A sort of “Forbes 30 under 30” of tracking and ad companies. Congrats to all who made it.A sort of “Forbes 30 under 30” of tracking and ad companies. Congrats to all who made it.

Clicking “Do Not Sell My Data” buttons on other sites, other issues surfaced:

First, the opt-out forms apparently need to be completed using every browser and device I use to access the apps or sites. So the number of times I have to do this process is (number of sites & apps) * (number of devices) * (number of browsers). The time wasted ends up getting pretty huge, pretty quickly.

Big “getting websites to stop selling my info” Mood. [Source](https://www.biblio.com/the-myth-of-sisyphus-and-by-camus-albert/work/2720)Big “getting websites to stop selling my info” Mood. Source

Second, I learn that every time I clear my cookies (which are another way websites track users), I have to redo everything. So if I attempt to reduce tracking by clearing my cookies, I’m actually also implicitly agreeing to let companies sell my personal data, and I have to opt-out on every site again. 🤦🏻‍♂️

Why do we have to find and click a tiny button, fill out forms, give more personal data, and jump through whatever hoops on every single site and app, on every device and browser, just to not have our personal data sold to third parties? Should we also have to specifically tell every restaurant we dine at to not spit in our food? Or have to specifically tell every plumber we hire to not steal from our homes?

Obviously, nobody wants their personal data to be sold, so a more reasonable system would be for every website to by default not sell users’ personal data, instead of requiring users to opt-out.

So if we changed the law to simply penalize companies that sold user data without explicit consent, would that work better?

Nope, that wouldn’t work either — for three reasons:

First, tracking companies are already challenging what “sale” in “sale of data” means — arguing that many instances are a gray area. For example, if TRACKERS-R-US paid ACME App to add a tracker, does this count as “sale”? A high-powered attorney could argue that it’s not, because the data goes directly from users to TRACKERS-R-US, so it’s not owned by ACME — and you can’t sell what you don’t own. Or what if ACME doesn’t get cash, but instead gets a share of revenue or some service in return? Or what if TRACKERS-R-US is branded as a “analytics tool” that’s “crucial” to the functioning of ACME App? These nitpicky questions may seem inane and stupid to you, but the fact that there’s even some tiny chance of ambiguity can create years of litigation and appeals, because companies, like anyone else, are innocent until proven guilty. In these cases, companies don’t need to win — they simply need to drag out the legal battles as long as possible (see Uber).

Second, enforcing laws about what companies should do internally is nearly impossible, because catching violations relies on self-reporting, and also because many violators are outside of the law’s jurisdiction. There’s simply no scalable way to know if companies are selling user data. If a company claims they don’t sell user data, but does it anyway, they’ll get away with it 99.999% of the time, because the only people that know about the violation are themselves. Add a few more 9’s if the company is based outside the USA.

I thought Facebook might have put their “Do Not Sell” link under the “More” menu. Nah.I thought Facebook might have put their “Do Not Sell” link under the “More” menu. Nah.

Third, some companies just don’t give a flying f about what the laws say, because they can easily afford the fines, and because the political climate doesn’t exactly lend itself to serious regulatory action against mega-corporations. While companies like CNN and Wal-Mart make attempts to comply by adding “Do Not Sell” links, Facebook (who collects more personal data than anybody else) has completely ignored it, choosing instead to wait for the next slap on the wrist.

If you want companies to not sell your personal data, we know what doesn’t work: It doesn’t work to spend all your free time clicking “Do Not Sell” buttons that probably do nothing, and it doesn’t work to pass regulations that are ultimately ignored or rely on ineffective self-policing.

So what would work?

Let’s go to the source: Sites and apps you want to use are simultaneously serving you third-party trackers that you don’t want. Remember news site The Hill from earlier and their 32 tracking companies? You *want *the news, but you *don’t want *the third-party data sharing. And if it’s an app (instead of a site), this tracking can even happen in the background, when the app isn’t even open.

The simple solution that we (two ex-Apple engineers) came up with is to directly block the trackers, so that your personal data doesn’t get out to third parties in the first place. This is way more effective than allowing tracking and hoping that apps and sites don’t later sell your info.

We built a free and open source app that you can you can download right now called Lockdown, and it blocks trackers, ads, and badware in not just your browsers, but all apps. So you don’t have to stop reading the news, online shopping, or playing games— just install Lockdown, push a button to activate it, and then go on living your life — we take care of the rest. Here’s what it looks like:

Simple to use for everyone, powerful customizability for advanced users.Simple to use for everyone, powerful customizability for advanced users.

“Wait a second… free? What’s the catch?”, you’re asking, “Are you guys trying to Zuck us over in some hidden, nefarious way?”

Nope. We’re pretty open about how we pay the bills. Lockdown lets you automatically block trackers with its free Firewall, but if you want more protection by hiding your IP address and encrypting your connections (for safety on public wi-fi and insecure sites/apps), you can pay for Lockdown’s fully-audited Secure Tunnel (VPN) service. Revenue goes to keeping the Firewall free and updated with the constantly changing (and increasingly clever) landscape of trackers, ads, and badware.

We believe people and companies that build privacy products have a unique responsibility to be more transparent than any other product line. That’s why Lockdown is 100% open source and openly operated — so that anyone can see what it’s doing, and just as importantly, what it’s not doing.

We built Lockdown because it’s something we wished existed: a simple, transparent, and powerful tool for stopping invasive third-party tracking. We hope it can do the same for you. Get it for free at LockdownPrivacy.com.

(Update: Lockdown was featured by App Store and also featured in Forbes — check it out and share the story! )