logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Analytics-and-informed-consent.md (2666B)

    

  1. ---
  2. title: Web analytics should at least meet the standards of informed consent
  3. date: 2020-12-04
  4. outputs: [html, gemtext]
  5. ---
  7. Research conducted on human beings, at least outside of the domain of
  8. technology, has to meet a minimum standard of ethical reasoning called
  9. [informed consent](https://en.wikipedia.org/wiki/Informed_consent). Details
  10. vary, but the general elements of informed consent are:
  12. 1. Disclosure of the nature and purpose of the research and its implications
  13.    (risks and benefits) for the participant, and the confidentiality of the
  14.    collected information.
  15. 2. An adequate understanding of these facts on the part of the participant,
  16.    requiring an accessible explanation in lay terms and an assessment of
  17.    understanding.
  18. 3. The participant must exercise voluntary agreement, without coercion or fear
  19.    of repercussions (e.g. not being allowed to use your website).
  21. So, I pose the following question: if your analytics script wouldn't pass muster
  22. at your university's ethics board, then what the hell is it doing on your
  23. website? Can we not meet this basic minimum standard of ethical decency and
  24. respect for our users?
  26. Opt-out is not informed consent. Manually unticking dozens of third-party
  27. trackers from a cookie pop-up is not informed consent. "By continuing to use
  28. this website, you agree to..." is not informed consent. "Install [uBlock
  29. Origin](https://ublockorigin.com/)" is not informed consent.
  31. I don't necessarily believe that ethical user tracking is *impossible*, but I
  32. know for damn sure that most of these "pro-privacy" analytics solutions which
  33. have been cropping up in the wake of the GDPR don't qualify, either.
  35. Our industry's fundamental failure to respect users, deliberately mining their
  36. data without consent and without oversight for profit, is the reason why we're
  37. seeing legal crackdowns in the form of the GDPR and similar legislation.  Our
  38. comeuppance is well-earned, and I hope that the regulators give it teeth in
  39. enforcement. The industry response — denial and looking for ways to weasel
  40. out of these ethical obligations — is a strategy on borrowed time. The law
  41. is not a computer program, and it is not executed by computers: it is executed
  42. by human beings who can see through your horseshit. You're not going to be able
  43. to seek out some narrow path you can walk to skirt the regulations and keep
  44. spying on people.
  46. You're going to stop spying on people.
  48. *P.S. If you still want the data you might get from analytics without
  49. compromising on ethics, here's an idea: compensate users for their participation
  50. in your research. Woah, what a wild idea! That's not very growth hacker of you,
  51. Drew.*