Communication (2011)

Facebook

The BigBrotherAward 2011 in the “Communication” category goes to Facebook Deutschland GmbH for systematically poking its nose into people and their relationships, behind the friendly facade of an ostensibly free service. Facebook stores the collected data in the US – access by secret services enabled, deletion disabled. Via its “friend finder” and “mobile app”, Facebook also grabs hold of email addresses and phone numbers from its users’ address books. The “Like” button on external websites, even if it is not clicked, betrays all page visitors to Facebook. With Facebook, a kind of “gated community” is sprawling across the net in which people are monitored every step of the way. It is governed by the whims of a corporation that is earning billions with systematic privacy violations.
Laudator:
Rena Tangens, Digitalcourage

The BigBrotherAward in the “Communication” category goes to Facebook Deutschland GmbH, a “gated community”.

Do you know what gated communities are? They are fenced, secured housing estates – access for residents only. Until recently, you would only find them in places like the US, South Africa, or Brazil, but now they have sprung up in Germany as well. High walls, blinds, guarded entrances – and inside: houses, gardens, pools, playgrounds, parties and nice neighbours. The people who live here work hard, so they appreciate not having to manage every domestic issue themselves; they are sociable people who just want to have a good time. So what are you waiting for – join them!

Sure, the entrance is guarded by security. And there is sophisticated monitoring all over the place: CCTV with face recognition, infrared motion detectors, GPS and RFID scanners. This, they say, is not so much for the residents’ safety, but for the sake of convenience and a better service in general. The houses on the estate are “smart”, they always “know” when people are in a room and they regulate light and heating accordingly.

The area has its own communication system, free to use. Who still needs e-mail? Oh, by the way, the messages are electronically scanned and analysed. Not just traffic data – who writes to whom when – but the message contents as well. The operators periodically compute a “happiness index” from the messages, so they know when the people are happy and they can optimise their services to provide a truly modern community experience.

Meeting friends is easy, because everyone is so close. And there are so many parties going on – you would probably never hear about these events if you were not a resident. It almost feels like a “club vacation”. Services are constantly being improved: Shops in the vicinity anticipate your every wish; even when you’re on a journey outside the community, they can follow you and gather information about your interests.

In your early days as a resident, you felt a bit uneasy about all those fences and the constant surveillance – but hey, all your friends are here too, so who cares.

Previously, you were allowed to put curtains in your windows. But the renovation service has been making more unannounced visits recently – great, isn’t it, how they keep renovating everything round here; but unfortunately, you often find the odd curtain or door missing after they’ve gone. And getting these back from the administration is quite complicated.

But that’s not really a big thing – after all, you didn’t move in here to hide yourself away. “See and be seen” is the motto.

The opportunity to live here is an offer that can hardly be refused: the houses are rent-free! Wow! You did wonder for a moment how the operators finance the whole thing – but, whatever.

Then there were newspaper reports about contacts between the operating company and the intelligence agencies. But surely those are just conspiracy theories. There were other reports about the operators’ financial and political backgrounds: American hedge funds, tax haven aficionados, followers of the right-wing Tea Party … But that cannot be – so many progressive, politically active people are here; they would not stay around if all that was true.

You think this whole story is quite absurd? – We think so, too!

Only, this scenario is largely real – not on a housing estate, but on the Internet. Which leads us to our BigBrotherAward winner:

Facebook!

Facebook – the nice, “social” network – would make Orwell’s “Big Brother” go pale with envy. It is growing into a “gated community” of global proportions. A closed society whose rules are made by a company. A “data octopus” with insatiable appetite – and people happily enter the embrace of its tentacles, and feed it.

The fact is: Facebook collects all data it can get. Not just name, address, profile image, phone and mobile number, photos, texts, status updates, location, messages to friends, visited websites and on and on and on …

Facebook can claim to have its users’ consent, because this is all laid down in the company’s terms. But how many people actually read the terms and privacy policy before setting up a Facebook account? The text is more than 50,000 characters long (making it longer than the US constitution), and quite full of complex legal and technical jargon. But this quantity should not be taken as an indication that privacy would be important to Facebook. It is in fact a classic case of hiding unpleasant facts in the sheer volume of text.

Facebook keeps changing its privacy policy without notification. As a result, privacy protections have continually diminished since 2005. On Facebook, private information is shared by default – if you want to protect your information or restrict access to certain people, it will take you a lot of effort to find all the places where a box needs to be checked or an option disabled. If users do not invest that time, their online presence turns into an open book.

But even if users do go to the lengths of changing the defaults and set everything to private – they might have excluded their teachers, parents or human resources managers, but they can never exclude the host: Facebook sees everything.

The changes in Facebook’s default settings between 2005 and 2010 have been visualised very clearly by programmer Matt McKeon. His diagram1 uses the symbol of a flower in which each petal represents some kind of Facebook content (name, profile image, gender, friends, networks, wall posts, photos, “Like” button clicks). White means the information is “private”, blue “public”. The further a blue petal extends from the centre, the more people can see that particular content. Fascinating how the flower’s colour changes to blue over time … Bit by bit, the users’ private details are publicised, without any intervention on their part, just because Facebook wants it that way.

Also, new features keep cropping up: with the “Friend Finder”, users are enticed to import their e-mail contacts into Facebook. The company uses these addresses when non-registered people are “invited”. And those who use the Friend Finder via Facebook’s iPhone App are not informed that Facebook leeches the iPhone’s full contact data: names, phone numbers, postal addresses, associated photos, birthdays, even personal annotations. These doors open wide both ways: with “Instant Personalization”, websites linked to Facebook can access personal data in Facebook profiles. And the automated text analysis to compute a Facebook Happiness Index really exists. And there is the “Places” function, with which users can tell their friends – and Facebook – where they are. Any questions left?

The operators of Facebook keep pushing the boundaries, and they don’t give a damn about laws or their users’ expectations or what’s customary on the Internet. Only massive protest from the users can lead to small changes. But the tactic clearly is: three steps forward, and when met with stress, half a step back.

“Gated communities” are distinguished by the fact that the state has practically no influence on the rules that govern inside. Facebook is happy to ignore European data protection regulations and German laws. Ilse Aigner, German minister for consumer protection, unfortunately had no better idea than to cancel her own Facebook account as publicly as possible – in effect, a capitulation. Surely a minister should exercise her governmental role and act in the interests of the consumer: First, a quasi-monopoly needs to be regulated, and the regulations must be enforced; second, we need research on decentralised alternatives to foster competition; and third, we need to develop new business models for social networks that don’t depend on the marketing of personal data.

The German consumer association (Verbraucherzentrale Bundesverband) sued Facebook in November 2010 over its terms and privacy policy, as these and the “Friend Finder” violate consumer and data protection laws. The data protection commissioners of the states of Schleswig-Holstein and Hamburg took up the issue as well. A tiny result was reached: changes to the Friend Finder were announced. There we have it, the half-step back.

One important issue is overshadowed by all these privacy details – the question who the people behind Facebook actually are. Who profits from accumulating all this data? There is Mark Zuckerberg, of course, he is well-known. But two other people on the Facebook board deserve closer attention: Peter Thiel and Jim Breyer, who have both bought themselves into Facebook with venture capital.

Peter Thiel is a hedge fund manager and made a fortune by founding the Internet payment service PayPal, which he sold to eBay for one and a half billion US dollars. Peter Thiel wasn’t just interested in personal profit at PayPal, his goal was also to create a global currency independent from state banks, and thus to circumvent tax collection. Peter Thiel is a radical conservative and a libertarian at the same time, he likes Ronald Reagan and tax havens, and he supports the Tea Party movement in the US. And he has close links to the right-wing Internet platform “The Vanguard”.

Jim Breyer, of the risk capital company “Accel Partners”, is not a nobody – he was chairman of the National Venture Capital Association in the US. His predecessor in that position was Gilman Louie, who moved on straight to the CIA and founded the company In-Q-Tel. It may be a weak link, but they clearly know each other. The company name, by the way, was coined from “In-Tel” as in “intelligence”, and “Q” alludes to the genius inventor in the James Bond movies. According to their own website2, In-Q-Tel is a venture capital company that works for the CIA, and its express purpose is to harvest technological developments of interest to the secret services.

Facebook is clearly interesting to secret services. What more could agents wish for than to have people deliver their personal details, every movement, private messages and all their personal, professional and political contacts, for free, straight to a server in the United States?

And the link gets closer: Facebook’s third large investor is a company called Greylock Partners. Greylock’s Advisory Partner Howard Cox has maintained top contacts in the Pentagon for decades, and – surprise – he is on the In-Q-Tel board.

All that goes far beyond hypothetical concerns like “Oh, the data is stored in the US – the CIA might get to see it”.

This gated community with its nice “club vacation” feel should make us seriously worried. Because Facebook is doing whatever it can to become indispensable. It aims to replace personal websites, e-mail, mailing lists and chat rooms. In 2010 it introduced “Facebook credits”, its own currency. Facebook asserts copyright over the contents that its users supply, and it censors unfavourable links.

The brightest stroke of genius for a long time, however, is the “Like” button on third-party websites. Facebook users can endorse web pages by clicking it. That way, Facebook even learns what people get up to “outside”, and what their interests are. A complete psychological and social profile is gathered – even if the “Like” button is never clicked! If, for example, a Facebook user looks at the bild.de website (Bild is Germany’s most popular tabloid newspaper), Facebook will plant two persistent cookies onto their computers in passing. After this, Facebook can always re-identify that user. Web surfers that have not registered with Facebook receive a cookie as well, enabling Facebook to recognise them not by name, but by IP address.

Facebook aims to be no less than the first port of call on the net for as many people as possible, and through that it wants to monopolise communication, control it, and impose its rules on it.

Tim Berners-Lee, the inventor of the World Wide Web, shares our conviction that social networks that accumulate their users’ data and establish data monopolies shielded from the outside net rank among the greatest threats to a free Internet. We would like to add that they also threaten the rule of law.

Why do so many people entrust so much of their personal data to Facebook? Years ago in a chat, company founder Mark Zuckerberg put it in a nutshell: “they trust me – dumb fucks.”

By the way, the BigBrotherAwards website will not be garnished with a Facebook “Like Button”. Because with “friends” like that, you don’t need enemies.

Congratulations on the BigBrotherAward, Facebook.

Sources

1 The Evolution of Privacy on Facebook. Changes in default profile settings over time. An interactive visualisation. (Web-Archive-Link)

2 "In-Q-Tel identifies, adapts, and delivers innovative technology solutions to support the missions of the Central Intelligence Agency and the broader U.S. intelligence community."

 

Sources / recommended reading:

Several of these sources are in German. English explanations, and in some cases alternative sources, that have been added by the translator are marked in italic text.

Sascha Adamek: Die facebook-Falle – Wie das soziale Netzwerk unser Leben verkauft. Heyne-Verlag, 2011 (Web-Archive-Link)
“The Facebook trap – how the social network is selling our lives.” The author is a journalist and film maker for German public television.

Jakob Steinschaden: Phänomen Facebook: Wie eine Webseite unser Leben auf den Kopf stellt. Ueberreuter, 2010. [Content no longer available]
“The Facebook phenomenon: how a website is turning our lives upside down.” The author is an Austrian newspaper journalist.

NDR Medienmagazin ZAPP: Facebook: Umgang mit Daten [Video not available]
A 6 minute item on how Facebook takes control of its users’ data, broadcast in a programme on media matters on German public TV.

WDR Monitor: Im Visier von Facebook – Das Ende der Privatheit [Video not available]
An 8:30 segment of a journalistic feature programme on German public TV, pointing out privacy concerns regarding Facebook’s “Friend Finder”, other websites sharing data with Facebook, and more.

Verbraucherzentrale Bundesverband (vzbv): Surfer haben Rechte
“Surfers have rights” – a public information website by Germany’s Consumer Association.

vzbv reicht Klage gegen Facebook ein – „Freundefinder“, AGB und Datenschutz verstoßen gegen Verbraucherrecht [Content no longer available]
A press release by Germany’s Consumer Association about the legal action it took against Facebook’s “Friend Finder” and its terms and privacy policy, claiming that these all contravene German consumer protection law.

spiegel.de: Web-Erfinder warnt vor Facebooks Datenmonopol. By Konrad Lischka (Web-Archive-Link)
German news article – an English equivalent appeared on guardian.co.uk, “Tim Berners-Lee: Facebook could fragment web” by Josh Halliday

spiegel.de: Experten-Analyse – Hier provoziert Facebook Datenschutzärger. By Konrad Lischka. (Web-Archive-Link)
spiegel.de, Germany’s largest news site, with an “expert analysis” of legal conflicts between (German) data protection law and Facebook’s terms or practices.

guardian.co.uk: With friends like these … By Tom Hodgkinson (Web-Archive-Link)

Telepolis: Der etwas andere Philanthrop. By Peter Mühlbauer (Web-Archive-Link)
“The somewhat different philanthropist” – an article about Peter Thiel on the occasion of his offer of sponsorship to students intending to leave college and pursue a business plan. It quotes an English article about the same project: “Turn on, Start Up, Drop Out – Hyper-libertarian Facebook billionaire Peter Thiel's appalling plan to pay students to quit college” by Jacob Weisberg:

The Register: Facebook founder called trusting users dumb f*cks. By Andrew Orlowski. (Web-Archive-Link)

zeit.de: Hinter jedem Freund steckt eine Werbung. By Luca di Blasi (Web-Archive-Link)
“Behind every friend, there is an ad.” This article reflects on Facebook’s revenue strategy – how the site compensates for the lower impact that online advertising has on a social network, compared e.g. to a search engine. It highlights efforts by Facebook to turn users into bearers of advertising messages e.g. through the “Like Button” and other forms of product endorsement within Facebook and on cooperating sites – personalising not just the advertised product but the advertiser.

Linktipps: Wie lösche ich einen Facebook-Account? Christiane Schulzki-Haddouti im kooptech-Blog. [Content no longer available]
“Link tips: how do I delete a Facebook account?” A blog article by a “veteran” German tech journalist on removing Facebook accounts. https://www.readwriteweb.com/archives/what_happens_when_you_deactivate_your_facebook_acc.php [Content no longer available] shows how Facebook tries to dissuade you from doing that, and https://www.readwriteweb.com/archives/how_do_i_delete_my_facebook_account_a_fast_growing.php [Content no longer available] describes how difficult it is to fully delete your data. Also featured: legally questionable e-mail censorship by Facebook (Wired article at https://www.wired.com/2009/05/facebooks-e-mail-censorship-is-legally-dubious-experts-say/), and the “privacy flower” in the next source.

The Evolution of Privacy on Facebook. An interactive visualisation of the development of privacy on Facebook.

Web 2.0 suicidemachine – click here to sign out forever. [Content no longer available]

Openbook. Openbook lets you search public Facebook updates using Facebook's own search service. [Content no longer available]

c't 1/11. Datenschutz-Fallrückzieher – Ein Netizen entdeckt den Wunsch nach Privatsphäre. By Marcus Lindemann, Jan Schneider. (Web-Archive-Link)
“Data protection ‘U-turn’ – A netizen discovers his desire for privacy.” In this article in Germany’s best-known IT magazine, two journalists conducted an experiment with a net-savvy volunteer, who is employed at an Internet company and happy to share private information online. The journalists profiled the volunteer, using publicly accessible information, and put the results into a draft article. The volunteer eventually withdrew his consent to publish the article, despite the fact that he or his wife had published most of the online sources themselves.

Gaydar – Facebook friendship exposes sexual orientation. By Carter Jernigan and Behram F.T. Mistree. First Monday, Volume 14, Number 10, 5 October 2009 (Web-Archive-Link)

To Join or Not to Join: The Illusion of Privacy in Social Networks with Mixed Public and Private User Profiles. By Elena Zheleva and Lise Getoor. [Content no longer available]

Facebook's Privacy Trainwreck: Exposure, Invasion, and Social Convergence. By danah boyd, 2008. (PDF)

Authorities & Administration (2011)

Zensus

The BigBrotherAward 2011 in the category Government and Administration goes to the chairman of the Census Commission, Prof. Dr. Gert G. Wagner for the all-encompassing population survey in Germany called “Zensus 2011”. He is awarded this negative prize representatively for all those involved. The current census will create profiles from more than 80 million people’s sensitive data, which will be stored in person-related form for up to four years after the deadline of 9 May 2011. Data from population registers, the Federal Employment Agency (Bundesagentur für Arbeit), and federal employers are misused for the purpose without adequately informing citizens, and without any means for appeal.
Laudator:
Werner Hülsmann, Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung (FIfF)

The full English text is not yet available, sorry.


Too close to call just one winner

As always we asked the people in our (online) audience this year which of the awards they found particularly “impressive, astounding, shocking, revolting, …”.

Our online poll placed the award in the category “Health” to Doctolib first. It was a very close result; the runner-up was the “what makes me really angry” award to Google. Both of these received just over a third of the votes.

Education (2021)

Proctorio GmbH

Proctorio GmbH receives the BigBrotherAward 2021 for its offer of “fully automatic exam supervision”, which supposedly facilitates total control of students in online exams. During an exam, the AI-based software is said to be able to recognise eye movements of students that point to an attempt at cheating, which then raises an automatic alarm.
Laudator:
Prof. Dr. Peter Wedde, Frankfurt University of Applied Science

The BigBrotherAward 2021 in the “Education” category goes to Proctorio GmbH, München-Unterföhring, for their AI-based exam software, also known as Proctorio.

The name Proctorio is derived from proctoring, which is another word for supervision or monitoring during exams. Proctorio is about online-proctoring of exam candidates at universities via the Internet.

For this business model, the outbreak of the Corona pandemic in early 2020 was an absolute stroke of luck: due to extensive lockdown-measures and the “shutdown”, lecturers had to stop giving presence exams overnight. Using public transport to arrive for a written exam was as big a health hazard as sitting in a lecture hall for hours on end. Students were worried about the continuation or conclusion of their studies, and not without reason.

In this situation, viable technical solutions for conducting online exams were desired almost as badly as an effective vaccine against the SARS-CoV-2 virus. This was the perfect time for the Proctorio software, which is claimed to offer “fully automatic and secure supervision of online exams”, and which is at the same time, according to marketing, “scalable, cost-effective and GDPR-compliant”1. According to the company website, the software enables the cheat-protected conduct of online exams in the student’s own home with their own devices, without the need for direct human supervision and monitoring.

But at what cost?

The Proctorio software severely compromises the integrity of the students’ personal devices. In order to participate in exams, they have to install the software on their computers and surrender control of their devices to Proctorio for the duration of an exam.

Use of the Proctorio software also requires the Google Chrome browser to be installed on the students’ computers. The Proctorio software also activates third-party cookies in order to provide “proactive chat support” – via the US-based company OLARK.2

The only way to participate in an online exam is to allow Proctorio access to the webcam, which has to be turned on for the entire duration of the exam. Examiners can decide if they want to monitor the candidates themselves, or if they have the software do it for them. And the examiners can instruct Proctorio to prevent the start of applications and downloads, or block extensions and personal settings. Even copy-and-paste can be disabled completely. If the examiners so choose, a “room scan” has to be performed before the start of the exam, where the candidates have to show the entire room to the camera. This “room scan” needs to be repeated on request during the exam.

But it gets worse. Universities and lecturers are lured in by Proctorio as potential customers with the argument that written exams can be conducted under “fully automated supervision”. To this end, incoming video signals are evaluated by the software using artificial intelligence, which is claimed to be able to detect the presence of an additional person in the room.

On top of that there is an eye-movement analysis called “face detection”3 by Proctorio. The company describes this as follows: “The system detects anomalies from repeated glances into a certain direction, and flags these incidents as potentially suspicious.”4 A few sentences later it says, “this does not mean that you cannot look away when taking a break for thinking. If you don’t use any aids, you don’t have to worry.”5 How generous of the Proctorio software to allow pause for thought! But if the software somehow still finds that suspicious, the candidates bear the full risk.

In fully automatic mode, the observed behaviour of the candidates is compared to patterns that are stored in the software as “normal behaviour”. If the software thinks the behaviour is fine, whatever that means, then the recordings are routinely deleted by Proctorio after 30 days. If there was something suspicious, however, the examiners can take a look at the respective videos. This means that in automatic mode, Proctorio’s artificial intelligence alone decides if there is suspicion of cheating. All by itself.

These kinds of automated evaluations of human behaviour are always questionable. In the realm of schools and universities, this revocation of the principle of presumption of innocence by any form of “automated grounds for suspicion” should be absolutely taboo, especially in view of the educational goals and basic values to be conveyed.

Many students will suffer from increased exam stress levels when they have to work eye-to-eye with a camera for hours on end, without knowing if their behaviour has just raised the suspicion of a supervisor or a piece of software.

I have been a university teacher for 25 years, and during this time I have proctored many written tests and given many oral exams. That is how I know that for many students exam situations can be very stressful, independent of the actual level of subject knowledge, and may often cause anxiety. During exams in personal presence, examiners can often alleviate the students’ stress and anxiety with just a few friendly, encouraging words. And I never find it suspicious when someone lets their eyes wander while thinking, as long as the gaze does not fall onto the neighbour’s text. The same is true for oral exams, where one can quickly figure out whether students really don’t know the answer, or are just too nervous to find the right words. Examiners are able to reduce the pressure when physically present, to build bridges, or to encourage the candidate by giving permissible hints. A machine, on the other hand, can only work through its algorithms, but cannot perceive if someone just lets the eyes wander, lost in thought, or with the intention of copying the neighbour’s solution.

Based on that knowledge, I would have strongly disagreed, before the Corona pandemic, with conducting monitored mass online exams, as would many of my colleagues. That we still permitted online exams to go ahead in this special situation, despite strong reservations, does not mean that these should now be considered normal. For all standard situations universities will have to return to presence exams “after Corona”. And in cases where online written or oral exams can make sense, they must take place under the supervision of humans, who will not just see a glance, but also understand it.

A software like Proctorio has no understanding of students, but instead tests if their behaviour is consistent with what other people have defined to be “normal”. Students in the USA, where Proctorio is in use at a number of universities, have reported in the Washington Post6 that the program grew suspicious if they merely moved their head, eyes or mouse unusually frequently during an exam. It was also deemed suspicious if they scrolled, clicked or resized windows “too often” – whatever the relevance of these insights may be. Finishing the exams too quickly, or too slowly, was also classified as “deviant”, “abnormal”, or “conspicuous”. Students also reported they did not dare leave their room to visit the bathroom for fear of being accused of cheating. In their own home.

Those who had the misfortune of having to take the exam in a room with lots of external noise, a slow Internet connection, poor lighting or a flickering camera were also flagged to the examiner by the software. To eliminate such factors, Proctorio advises students in their “FAQ for students” concerning the selection of a suitable room: “Early enough beforehand, consider in which room you would like to take your exam. You may also take your exam in a place where you can ensure adequate silence (e. g. an office).”7 Considering the tough financial situation many students have been facing since the start of the pandemic, this seems really cynical.

During normal times we would expect to see students taking to the streets to protest the planning of such a “complete and total control”. But we are in a pandemic. Protests and assemblies are hard to organise. And of course the students’ primary goal is to get on with and finish their studies. So they will accept online exams, especially when there are no alternatives.

But perhaps students in the USA are just somewhat ahead of us. There were multiple protests directed at Proctorio and posted on social media. In Germany, on the other hand, our awardee, Proctorio GmbH in Munich, tries to present itself as being praised unanimously by universities, teachers and students. If we are to believe the company’s press releases there should be armies of students hungry for online exams, calling out in unison, “all is well as it is. Honest students are rewarded, and cheaters will be uncovered by the software.”

I don’t want to deny, as a university teacher, that online written exams at home may be more attractive and convenient to students than sitting in a university lecture hall. But whoever makes online exams the norm will have to accept the loss of educational fairness and equal opportunity. Those who are forced to write their online exams in a small room of a shared flat on a slow and old notebook while being bombarded with loud music from the room next door won’t have the same chances of success as those who can use a well-equipped study in a quiet neighbourhood. This is especially true when the Proctorio software considers nervous glances or loud external noises suspicious, prompting examiners to take a closer look.

What we have learned

  • Use of the Proctorio software for supervising and monitoring online exams is a severe incursion into the integrity of the students’ personal devices.

  • Permanent video surveillance of the candidates during the exam is a severe violation of their privacy and their private spaces, especially if a room scan is performed.

  • The automatic analyses of their behaviour performed by the “AI” software are not transparent to students. The general presumption of innocence, which applies to all citizens, is effectively suspended by the algorithms and the resulting non-transparent control.

  • Gestures and particularly eye movements are monitored and evaluated continuously. The software can use these to draw negative conclusions, which in turn increases the pressure and stress for the students.

  • Online exams at home are probably considered convenient by some students. But due to the diversity of living conditions, they are a threat to equal opportunity, which is to be ensured when conducting “presence” exams.

  • The potential for savings that Proctorio promises for automated proctoring makes the software attractive for cost-conscious universities. But the costs of these savings are borne by the students who are more comfortable with conventional presence exams than with online exams under the watchful eyes of a piece of software.

  • Compliance with data-protection legislation is already doubtful because of the absence of robust statements about a legal basis, and it seems unlikely that “freely given consent” can be ensured for students in an exam situation.

This is sufficient justification for the BigBrotherAward in the category “education”.

Congratulations, Proctorio GmbH.

Laudator

Prof. Dr. Peter Wedde at the lectern of the BigBrotherAwards 2021.
Prof. Dr. Peter Wedde, Frankfurt University of Applied Science
Sources

1 There are numerous valid doubts about the “GDPR compliance”: For instance, there is no conceivable way for students freely to give their valid consent to the processing of their data by the Proctorio software, given the situation of a compulsory exam.
The processing of personal data of students for reasons of “product development” by the data processor (cf. Proctorio GmbH Datenschutzinformation, p. 1 (PDF) (German), (English) [Content no longer available]) lacks sufficient legal foundations.
Referring to “legitimate interests” of the Proctorio company for processing personal data according to GDPR, Article 6, paragraph 1, point (f) ignores the overriding nature of interests or fundamental rights and freedoms of the students, especially in cases where there is no alternative for them to the use of the Proctorio software.

2 Proctorio FAQ für Studenten (Proctorio FAQ for students), p. 8 (PDF) [Content no longer available]

3 op. cit., p. 5

4 op. cit., p. 5

5 op. cit., p. 5

6 washingtonpost.com: Cheating-detection companies made millions during the pandemic. Now students are fighting back (Web-Archive-Link)

7 Proctorio FAQ für Studenten (Proctorio FAQ for students) op. cit, p. 3 [Content no longer available]

What makes me really angry (2021)

Google

Google receives the BigBrotherAward 2021 for recently exposed large-scale manipulations of the Internet advertising market, for starving creators and media and for dispossessing our digital personalities.
Laudator:
Rena Tangens at the lectern of the BigBrotherAwards 2021.
Rena Tangens, Digitalcourage

The category for this award is a new one.

It is called: “What makes me really angry!”

And this year’s award goes to … – yes, to whom exactly?

It wasn’t that simple this time round. As you will see.

So: What makes me really angry:

Cookie banners! They’re such a pest! You know this: you enter a website and – bam! – immediately this box pops up, terribly designed and covering what you actually wanted to see. And now you need to decide: Do you just want to get to this web page quickly, then just click the large coloured “Okay” button. But if you take this “your rights” thing seriously, it gets complicated. Eyes squinted, you read the small-print, grey on white, and spend minutes clicking away everything that you don’t want. And that is quite a lot: The German broadsheet Süddeutsche Zeitung uses up to 470 trackers. “I don’t want any of this!” is not even an option. And if you do the arduous work of manually deselecting each and every tracker, be very careful because the next friendly and colourful button says “Accept All” and not “Save Selection”. That button is grey. But careful again – you shouldn’t even click on that one. Because first you need to find the well-hidden category called “Legitimate Interest”. In there, everything is set to active still, and again you need to deactivate everything. Did you know that?

What makes me really angry about that:

These cookie dialogs are designed in accordance with the latest findings on human perception, psychology and web design for ergonomically appealing web pages. Therefore:

  • Important choices are hidden in the text flow, while the “Okay” option is displayed as a big button.

  • These choices are written in illegible colours and font sizes.

  • The “Accept All” button is at the bottom right – where we would normally expect to find the button to confirm our choices.

  • Often the left–right alignment of options is swapped: If I click where I previously clicked to deactivate trackers, there now is a central switch that will activate everything again.

  • And then there are linguistic monsters, complex wordings and multiple negations, to maximise our confusion.

This kind of trickery in design is called “Dark Patterns”. They could also rightly be called “deceit”, “unethical”, or “manipulation by design”.

If we are in a good mood – and not in a hurry – we could regard it all as an absurd game. A dark pattern adventure: Will I make it through the maze and decline all the trackers? What are they going to try next in order to trick me? And once I got through to the other side: Can anyone remind me which article I wanted to read? Oh, never mind …

Cookie banners are not a game. They are miserable and mean. They steal my lifetime. This is design made to tire me out and wear me down. The intention is to make me give up and eventually click “Okay”.

Everybody please note once and for all: It is not data protection that is to blame! No, these unnerving queries are by no means mandated by law – on the contrary, a large part of these cookie banners are outright illegal. In May 2021, the privacy organisation noyb.eu1 that Max Schrems2 initiated sent more than 500 complaints to companies using illegal cookie banners on their websites. There could be a lot more. Thank you for that! Also, thanks to the members of the European parliament who started the initiative “trackingfreeads.eu”3 against tracking-based advertising.

And cookie banners are only the most visible materialisation of the ways we are spied upon on the Internet.

Next to cookies, there are various other spying methods. There is the Facebook pixel, for example, which is included invisibly on many media websites4 and betrays our clicking behaviour to Facebook. There is the browser fingerprint, which uses information such as the operating system we use, browser type, plugins and installed fonts in order to re‑identify us without the need for any cookies at all.

What makes me really angry:

Do you know what goes on in the background the moment you “enter” a website? While the first parts of the page are loading, your personal profile is being offered on the online advertising market. An auction for your attention begins. You are the commodity. This is called “Real-time Bidding”; it happens in milliseconds. Various groups of online advertising providers identify, analyse and classify you, using your online profile, which is kept by yet other companies. Say you are male, in your mid-40s, and you have a taste for expensive watches? Whoosh, and your news website is showing you ads for BMW cars. Or the student who has just looked for a flatshare online is now being baited with supposedly convenient credit offers.

A whole ecosystem of advertising companies is wagering in “Real-time Bidding”, trying to be the one to show you their adverts. A giant network of service providers and other beneficiaries. And those who actually make the web interesting, all those publishers, blogs, content providers, are the ones getting the smallest piece of the cake.

What also makes me really angry …

… are the people that shout: But this is how all that content can be made available for free! Free? Well – snooping and manipulation is quite a high price for this “free” content, I believe. Then there is the claim that the media producing this interesting content could not exist without personalised advertising. And that we should just understand that and accept tracking and personalised ads.

That is nonsense. Media companies have been selling advertising space for a long time. However, until the 1990s they were actually able to keep the largest share of the takings for themselves, and from that they could pay their journalists, photographers, cartoonists, researchers etc. a proper wage. Since the 2000s, media revenue has been in free fall, because by now 50–70% (!) of the money spent by advertising customers no longer reaches the publishers; it is taken by the service providers and advertising platforms that have got in the way.5

And where does all that money that does not reach the media end up? Have a look at this chart6.

By now, the main share goes to Google, and to Facebook. To summarise: personalised advertising means that users are snooped upon – and media companies are starved out.7

What really makes me angry:

Google now presents itself as a white knight by announcing: Chrome, Google’s own browser, will block third-party cookies from 2022. Big cheers from the Internet and the media: Google will rescue us from the cookie banners!

But blocking third-party cookies in no way means that this will stop tracking and spying on the net. No, Google simply wants to introduce a new technology for that: “FLoC” – Federated Learning of Cohorts. FLoC means: according to our browsing behaviour of the current week, we are put into a group, or cohort, of 1,000–5,000 people who have visited similar websites. Chrome stores the information on cohort membership on the local computer.

If you now believe that you can vanish in this group of one thousand, you are mistaken. If a person logs into an account on a website, for example, of course they are no longer anonymous. Their personal details can then be connected with the current FLoC cohort. The same applies to those who have a Google or Facebook account and stay logged in all the time for convenience – they can be identified, too. And we can also be recognised by our browser fingerprint. So FLoC is going to make sure that we are analysed even more precisely than we are already. And the Chrome browser these days has a global market share of about 70%.

FLoC is not a privacy-friendly technology. It will not end tracking on the net in any way – quite the contrary8. But who could seriously expect this from Google anyway – a company that makes 99% of its revenue from advertising. It would be more believable if piranhas were to announce that they were going vegan.

There is a side effect to FLoC and blocked third-party cookies that is welcome to Google: They are ousting competitors in the advertising market. Well, it’s not like we are going to miss these other providers terribly much. But this means that the concentration in this market is escalating again. Google is number one already, then comes Facebook and recently Amazon. And then, for quite a distance, no one. “Competition is for losers.”9 Free market? Ah, come on. What a Big Tech corporation wants is a monopoly.

What makes me really angry:

How these corporations treat every one of us. How they regard people as a resource, which they can exploit and whose personal experience they can own. The disdain for the people, the ruthlessness and the intention to deceive. The scorn for paying taxes and for state infrastructure. And the contempt for legal regulation. Shoshana Zuboff has found a word for that: “surveillance capitalism”10.

There is not just one single data leech – there is a whole leeching ecosystem. This includes insurances that want to exclude every possible risk to themselves, the scoring companies that secretly rate us all, determining our opportunities in real life, the lobbyists, the think tanks, the PR agencies, the law firms that make this dispossession possible, and the secret services that profit from it all and like to fish in murky waters themselves.

So who is now going to receive this BigBrotherAward?

The cookie bakeries? The online advertising industry? The big platform monopolists? The psychological nudging experts and dark pattern designers? The people that steal our time and get on our nerves? The profile peddlers and real time bidding casino operators? The smart ones, the unscrupulous ones and the hangers-on in the media? The career guys and the naïve ones among digital policy makers?11

It was a tough choice. But then something happened.

Something that really amused me.

Because Google basically nominated themselves.

We don’t know if it was human error, the heroic deed of a whistleblower or an AI that had been sampling a digital truth serum …

The story goes like this: Ten U.S. states led by Texas filed a lawsuit against Google in 2020. They complained that Google was using its market power to fix prices for online advertising, forming a monopoly and manipulating auctions for advertising space. Google was claimed to be abusing, without restraint, its double role as advertising platform provider and as a provider of ads itself as well as its access to user data. Ken Paxton, the Attorney General of Texas, explained the issue with a baseball image: Google is acting as the pitcher, catcher, batter and umpire, all at the same time.12

So Google filed documents at the U.S. district court in Texas, intending to prove their innocence. The filed documents were excessively relevant to the case – but not in the way Google intended. These documents had not been redacted, so the really interesting passages had not been blacked out.

A few hours later Google noticed its mistake and asked to refile its documents. But it was too late – some court reporters at the legal portal MLex13 had read the unredacted versions and quickly realised the treasure that had fallen into their laps:

These documents described that since 2013, Google as an auctioning platform has been using its knowledge of previous auctions to predict which offers would be just high enough. This enabled them in their other role as an ad provider to win advertising auctions at a minimal price.14 This is what stock markets call insider trading. It had been suspected for a long time – but now here was the proof in Google’s own documents.

With this trick, Google does not only gain an advantage over its competitors, they also push down the prices that publishers can achieve for their advertising space. Users are snooped upon – and media companies are starved out.

What makes me really angry:

Google has internally named this process “Project Bernanke” – after Ben Bernanke, the former chair of the U.S. Federal Reserve. This code name signifies nothing else but “Google’s licence to print money”. The sheer arrogance.

But there is more: In 2018, Google struck a secret deal with Facebook, number 2 in the advertising market. The internal code name is “Jedi Blue”. In this deal Google assures Facebook, its competitor, that Facebook are going to win 10% of the auctions that they participate in on Google’s platform. How could that be assured in a market with supposedly free competition?

This is how: Google delivers information to Facebook about Internet users, which Facebook can use to uniquely identify 60% of desktop users and 80% of mobile users. This way Facebook knows for which users it will be worth investing in ads. Facebook assures in return that they will invest a certain amount in advertising and that they will stop pursuing a rival technology called “Header Bidding”, which would have given other advertising networks next to Google a better chance. If that is not anti-competitive behaviour, then what is?

But: you were caught!

What makes me hopeful:

  • The lawsuits and sanctions against Big Tech due to privacy and competition law violations are increasing, both in individual countries (such as in France just now) as well as in the EU and the United States. Yay – enforce the law!15

  • California – yes, that is the U.S. state of the Silicon Valley – has enacted a data protection law. The European GDPR was the blueprint – but the Californian law is actually stricter!16

  • The New York Times decided in 2018 (after the GDPR came into force) to forego trackers and personalised advertising for their international edition, selecting their ads on context again. In addition to better privacy, this is also a financial success: Now that the tracking services are kept out, more ad revenue remains with the paper.17

  • The British daily The Guardian finished its 2019 financial year with a healthy profit after several difficult years – without any paywall, funded solely by readers’ donations.18

  • The EU is preparing two regulations that will intervene in the Internet giants’ business: The Digital Services Act (DSA) and the Digital Markets Act (DMA). Lobbyists and Big Tech law firms are up in arms.19

  • What should give us extra momentum: A bipartisan movement is actually starting in the U.S. aimed at curtailing the might of large digital corporations. We are looking forward to Lina Khan20, who was nominated for the Federal Trade Commission (FTC, the agency for enforcing antitrust law and promoting consumer protection) – she is a competent critic of Big Tech.21

  • And: Google receives the BigBrotherAward 2021 for recently exposed large-scale manipulations of the Internet advertising market, for starving creators and the media, and for dispossessing our digital personalities.

Maybe this is the beginning of something that will make Google really angry.

Heartfelt congratulations, Google.

Laudator

Rena Tangens at the lectern of the BigBrotherAwards 2021.
Rena Tangens, Digitalcourage
Sources

1 noyb.eu – none of your business (Web-Archive-Link)

2 Max Schrems was on stage at the German BigBrotherAwards in 2015, reading chapter and verse to our Interior Ministers because they – while professing the opposite – tried to undermine European data protection law. Here is the English translation of his award speech.

3 Tracking Free Ads Coalition (Web-Archive-Link)

4 German broadsheet Zeit Online for example – our BigBrotherAwards winner of 2019. The English version of the award speech.

5 Tracking Free Ads Coalition (Web-Archive-Link)

6 https://trackingfreeads.eu/wp-content/uploads/2021/05/Chart-ad-revenue.png (Web-Archive-Link)

7 Wall Street Journal, 29 May 2019: Behavioral Ad Targeting Not Paying Off for Publishers, Study Suggests (Web-Archive-Link)

8 The EFF summarises it thus: “FLoC is the opposite of privacy-preserving technology. Today, trackers follow you around the web, skulking in the digital shadows in order to guess at what kind of person you might be. In Google’s future, they will sit back, relax, and let your browser do the work for them.” Source: https://www.eff.org/deeplinks/2019/08/dont-play-googles-privacy-sandbox-1 (Web-Archive-Link)

9 A quote from Peter Thiel, founder of Paypal and Palantir, investor at Facebook.

10 Shoshana Zuboff “The Age of Surveillance Capitalism” (Web-Archive-Link) – a German article by Shoshana Zuboff at Frankfurter Allgemeine Zeitung (Web-Archive-Link)

11 Or maybe the advertising experts, market researchers, business consultants, insurance agents and telephone sanitisers – who, as we learned from Douglas Adams’ “Hitchhiker’s Guide to the Galaxy”, were evacuated from the planet of Golgafrincham and eventually landed on earth?

12 Syracuse Law Review, 24 Dec 2020 (Web-Archive-Link)

13 MLex, 7 Apr 2021: Google acknowledges it foresaw possibility of probe of 'Jedi Blue' advertising deal with Facebook by Michael Acton, Mike Swift (Web-Archive-Link)

14 Businessinsider, 21 Apr 2021: The 5 most revelatory findings about Texas' antitrust fight against Google, including the secret 'Project Bernanke' and its 'Jedi Blue' deal with Facebook (Web-Archive-Link)

15 Federal Cartel Office (Germany) reporting on the case against Google, 25 May 2021 (Web-Archive-Link)
Tagesschau.de, 7 June 2021, Millionenstrafe für Google in Frankreich
wsj.com, 29 May 2019: Behavioral Ad Targeting Not Paying Off for Publishers, Study Suggests (Web-Archive-Link)
Tagesschau.de, 9 Dec 2020: US-Staaten verklagen Facebook (Web-Archive-Link)

16 Ionos, 15 Jan 2021: California Consumer Privacy Act (Web-Archive-Link)

17 Digiday, 19 Jan 2019, After GDPR, The New York Times cut off ad exchanges in Europe — and kept growing ad revenue (Web-Archive-Link)

18 Meedia.de, 2 May 2019: The Guardian vermeldet erstmalig seit 1998 schwarze Zahlen – und hat nicht mal eine Paywall (Web-Archive-Link)

19 Lina Khan

20 Lobbycontrol, 15 Dec 2020: DSA/DMA – wie Big Tech neue Regeln für digitale Plattformen verhindern will (Web-Archive-Link)

21 Sueddeutsche.de, 15 Mar 2021: Juristisches Wunderkind (Web-Archive-Link)
Manager Magazin, 11 Mar 2021: Die Jägerin der digitalen Monopole bekommt Macht in Washington (Web-Archive-Link)

Further Reading:

  • Shoshana Zuboff: The Age of Surveillance Capitalism. The Fight for a Human Future at the new Frontier of Power. 2019.

  • Evgeny Morozov: To Save Everything, Click Here: The Folly of Technological Solutionism. 2013.

Topic: “Dark Patterns”

Topic: Google’s FLoC – Federated Learning of Cohorts

Topic: Tracker, Facebook Pixel, Super Cookies, Browser Fingerprint

Topic: personal advertising

Topic: anti-competitive behaviour – Google’s “Project Bernanke” and “Jedi Blue”

Public Intellectual (2021)

Prof. Dr. phil. Dr. h. c. Julian Nida-Rümelin

The BigBrotherAward 2021 in the category “Public Intellectual” is awarded to the philosopher and vice chairperson of the German Ethics Council, Julian Nida-Rümelin, for his untenable claim, repeatedly made in public, that “data protection” had hindered the fight to contain the Corona pandemic and was responsible for thousands of deaths.
Laudator:
padeluun at the lectern of the BigBrotherAwards 2021.
padeluun, Digitalcourage

The BigBrotherAward in the category “Public Intellectual” is awarded to philosopher and vice chairperson of the German Ethics Council, Prof. Dr. phil. Dr. h. c. Julian Nida-Rümelin, for his untenable claim, repeatedly made in public, that “data protection” had hindered the fight to contain the Corona pandemic and was responsible for thousands of deaths.

Now, of course, the discord surrounding the fight against Corona must find an echo at the BigBrotherAwards. It took me quite a long time to settle on a specific award winner. There is a lot that might be said about both sense and nonsense in Corona politics – and unfortunately, there are a lot of people who do. I’ll get to that later.

But first, let me state my grounds for the ire which Mr. Nida-Rümelin has inspired in me.

He expressed, and has repeated, the notion that (in a nutshell) “in Germany, data protection stood in the way of a decent Corona warning app. Quite different from South Korea, where thanks to apps without data protection they got a super grip on the pandemic.”

The journalist Markus Beckedahl calls this viewpoint a “talkshow myth”1. It transpires that the app in South Korea is used mainly to ensure that quarantine is upheld, rather than to trace back and break chains of infection. And blogger Linus Neumann, who has actually stood right in this spot and held a laudation himself, adds2: “The South Korean app had a grave data leak at the end of July, and South Korea is currently fighting the second wave. An outbreak in August was controlled successfully – with a lockdown. So not even this ‘success’ could serve as a factual basis for Nida-Rümelin’s claims.”

In his blog3, Linus Neumann also gleefully shreds other claims by Nida-Rümelin.

What is it that drives an ostensibly intelligent man such as Nida-Rümelin to hold forth on television, in radio shows, in newspapers about how data protection was “responsible for thousands of Corona deaths”? How small must his great mind be, that it does not even whisper a warning to him before he spouts off such blatant stupidity to the world?

Mr. Nida-Rümelin is a philosopher, politician, former Cultural Minister of State, vice chairperson of the German Ethics Council, where he serves as press contact for digitalisation.

As early as May of last year he held forth on the radio channel SWR14. We studiously ignored this for the last BigBrotherAwards in September 2020: “Don’t make stupid views famous.” Unfortunately, the thinker Nida-Rümelin did not use this chance to think. Come December 2020 and the entertainment television show “Anne Will”5, he repeated his false rallying cry against “data protection”.

And then, in March 2021 – when all the facts he had drawn upon had long been refuted – he spread his alternative opinions again, this time via the German press agency, dpa. That’s when I really thought: Oh, philosopher, if only you had kept your silence …

No, Julian Nida-Rümelin and the rest of you “anti-data-protection” apologists: data protection does not kill. Data protection is the delicate membrane that shelters us from the barbarism of governmental and commercial encroachment.

Data protection, or ‘informational self-determination’, or ‘people protection’, which the Federal Constitutional Court in 1983 derived from the first two articles of the German constitution, and which has been a worldwide motor for innovation since the GDPR came into effect, is a subject matter almost unrivalled in its need for educated philosophical thinking, because this damned digital networked world just does not compare to hammers and nails and cannot be explained using mechanical models.

In the past four decades we have deconstructed our representation of the world and our communication about it into zeros and ones. These are fluctuating currents potentially copied in millions and billions of places at once, up into near-Earth orbit and the universe – without this being at all noticeable at the source.

What this means for human existence is something that neither you, Mr. Nida-Rümelin nor the other numbskulls who are currently passing one digital pro-terror law after another, have come even close to fathoming. This is something that one must think about, before interrupting the grown-ups. This is where one listens when the grown-ups are speaking. This is where it is necessary to apply reason, if one wants to help society along.

(I must ask you to excuse the arrogance of the preceding sentences. They arise from my despair.)

The digital protection of people and society requires precision.

Yes, I am rephrasing the term “data protection” to improve comprehension. Data protection does not refer to data needing to be protected – that would be data security. It is people and society who need to be protected.

So, once again: The digital protection of people and society requires precision.

The digital protection of people and society requires educated thinking.

The digital protection of people and society requires philosophy.

This does not think itself between hors d’oeuvres and an interview.

I have expectations toward a philosopher who is educated and who educates. I expect him to do better than some random conspiracy dweeb who trumpets unreflected nonsense into the world. Or am I asking too much? Has my dangerous half-knowledge of Plato’s dream of a rule by philosophers clouded my mind? Is that why I am deeply disappointed and disillusioned? In the face of what appears to be an elite of thinkers who do no more than fire off half-baked platitudes?

In no way do I support or intend to feed anyone’s burgeoning hate of intellectuals. On the contrary.

Naturally it is a philosopher’s profession to proclaim far-flung theses. However, this also means to engage in discourse, have those theses tested and attacked, and to learn from the exchange. And what was learned must then be constructed into a new thesis. And then, when one has firmed one’s thesis in many tedious and inspiring discussions, only then does one take the stage and deliver into society that which advances society as a whole. One does not rush center stage and repeat stupid claims for more than a year – especially as the facts that underwrite them are utterly refuted, one by one.

Whammm.

And now I ask myself what makes me different from Mr. Nida-Rümelin (apart from the fact that I claim the profession of an “artist”). I too stand on stages of a certain size, and postulate insights. And, though I would prefer this not to be true, I am also just an older gentleman, who becomes very angry now and then, and feels the urge to express and share my ill-humour with others – the objective being to attain improvement.

When I look around the Corona discussions, I see a cacophony of many gentlemen and a few ladies who want to bombard us with their insights and opinions with the force of the media they use. Open the schools? Yes! Close the schools? Yes! Lockdown? That’s not a lockdown! Close everything! Open everything up? Spahn (the Minister of Health) is doing it all wrong! Data protection stinks! The Luca App is a scam! You’re gendering wrong! IP addresses are not personal data! Yes, they are! Corona is a collusion by the World Economic Forum. They just want to get ID2020 passed. And make billions with vaccines. Putin is a perfect democrat (a quote from former German chancellor Schröder). Assemblies are categorically forbidden. I meant that satirically!

Julian Nida-Rümelin took part in this cacophony as a thinker. To put it bluntly: he was not helpful.

Should I take pity on him, show compassion? Let me try. Here we stand, poor fools that we are, and without any warning – no thunder, no lightning, no rain of ashes – a pandemic breaks out. We can’t smell or taste it. We can’t heroically cast ourselves into the flames to save women and children. Our destiny is to step aside and make way for the experts.

He and I are no pandemic experts.

That’s why nobody is interested in us. We are not in demand. All I would have been able to tell people is: I have some friends who work as scientists, they understand statistics, and they told me at the beginning of the pandemic: hunker down, lock yourself away. At least until we have more information.

And then you find a bit of time to read the infection protection law (Infektionsschutzgesetz). You then understand the official mandate of the RKI (Robert-Koch-Institut, the federal agency responsible for disease control and prevention). You suddenly get the difference between disaster control and citizens’ protection. You learn that disease control is a question of federal states’ law. And then you discover that the public health departments are totally unequipped to handle a pandemic. That many years of law-making have passed without making any preparations for a pandemic. While at the same time, one moronic law after another was passed for the fetish of “more security”. In the public health departments, people sit with pencil and paper, fax machine and rotary dial telephones, and they are simply overwhelmed by the blizzard of information and demands. We are looking at a minimum of 30 years of governmental failure. And then add to that the infighting around who should be the CDU party’s candidate for chancellor in the upcoming elections, which was not helpful. With this power play going on, it was never clear which measures actually made sense and which were only due to cock-fighting …

But data protection is what’s at fault? Seriously?! Come on!

I don’t know if anyone in this room has been to a demonstration of Corona-deniers. I have. I pocketed my press ID, put on my medical mask, and I spoke to many people there. People like you and me. People that I can imagine seeing at one of our own demos. But I also saw people who lacked the mental guardrails to be autonomous. Who are so unsettled by what they think is corruption, by this sledgehammer lawmaking without sense or reason, that they grasp at the nearest and cheapest alternative explanation.

I can’t really blame them. Especially since more and more professional confounders are coming out of the woodwork, and now it is not only foolish wise people but also nasty smart people who are playing up the confusion. Now, some people there are completely lost, but a majority are sincere about their convictions and their doubts and the “alternative” information they have ingested. These are the people who have been abandoned by those who are paid to think. They have been cast into the social hateworks and exposed to their structural populism[6]. Abandoned not only by Mr. Nida-Rümelin but also by the other gentlemen (and ladies) of his calibre.

And this is why we introduced the category of the “Public Intellectual” – because we really, urgently need people who can think and show the way for the rest of us. How bitter it is that people like Mr. Nida-Rümelin shamefully betray this mandate and opt for cheap populism.

During this cursed Corona pandemic, many who suffered the requisite limitations of freedom or ruinous financial losses may have said one thing or another which they would not have said with a clear mind. To these people, we must show compassion. To the actors (a group of prominent German actors that posted misguided video statements, then had to hastily declare them as satire) who are now ashamed of their comical actions. To the “Querdenker.innen” (‘alternative thinkers’, a name assumed by Corona skeptics) who made a few unscrupulous hate trolls rich. And who did not realize that for a while, their faculty of reason led them astray. To you all – and also to Mr. Nida-Rümelin – I would like to shout out: Just because you said something once does not mean you have to keep repeating it. It is possible to realize that what you said was wrong.

In this spirit: Congratulations, Julian Nida-Rümelin, on the BigBrotherAward 2021.

Laudator:

padeluun, Digitalcourage

Doctolib GmbH

The BigBrotherAward in 2021 in the category Health goes to Doctolib GmbH, Berlin. In particular, Doctolib offers the scheduling of doctor’s appointments via its platform. These data are processed in violation of confidentiality obligations and are used commercially for marketing purposes according to their privacy agreement.
Laudator:
Dr. Thilo Weichert, DVD, Netzwerk Datenschutzexpertise

The BigBrotherAward in 2021 in the category Health goes to the company Doctolib in Berlin for their appointment scheduling portal for medical doctors.

The Doctolib portal processes data of many thousands of patients without regard to medical confidentiality.

For health professionals, especially doctors, and their patients, the offer is ingenious: The doctors enter into a contract with Doctolib, allow access to patient data and can then have appointments for treatments, consultations or vaccinations arranged via a website. And just like that, patients can book their appointments online. No more waiting in a telephone queue, no stressed personnel, Doctolib even reminds the patient of their appointment – and for all of this the practices pay only slightly more than 100 € a month. For the patients it is free of cost. And it gets better. Doctolib promises:

“For DOCTOLIB, data security and the confidentiality of users’ personal data is of the highest priority. Therefore DOCTOLIB is committed to complying with all German and European regulations on the protection of personal data. DOCTOLIB adheres to the rules of professional conduct issued by the respective chambers and associations for doctors and healthcare professionals.”

Well then, everything is just fine. On the surface.

Functionality

In truth, doctors should become suspicious very soon, because when a doctor wants to use Doctolib for their practice, a company employee appears and asks for access to the complete patient data recorded in their information system.

And that is not all: After importing the patient list, the appointment schedules in the practice system and in Doctolib’s scheduling system have to be synchronised at regular intervals.

That seems objectionable from the start. Nevertheless, practices do participate in this service. Most doctors do not understand the technical process adequately and rely on the expertise of Doctolib and their promise to respect patient confidentiality and data security.

As an additional service, Doctolib offers the patient a list of doctors nationwide as well as a video service for tele-consultations. Since the beginning of the Corona pandemic, Doctolib also arranges vaccination appointments for the French department of health as well as for the health authorities in Berlin.

And it really does work. Doctolib boasts a customer satisfaction rate of 97%. According to its own claims, 150,000 doctors and health professionals in France and Germany and 50 million patients use their service. Three different seals of quality affirm that everything is in order.

Lack of transparency

However, a deeper look at the fine print reveals much worse to the trained eye. To begin with, the sheer number of documents is confusing: Whereas other service providers have a single terms and conditions document, Doctolib has a dozen: terms of use, privacy notice, health data protection principles (each of these differentiated for patients and health professionals), a cookie guideline, a processing list, privacy and security notices, FAQs, processing contract and definition of terms. That is too much for one single service. The documents are confusing and unclear, sometimes contradictory. Most of them are not numbered consecutively, which makes it difficult to refer to them.

The devil is in the detail: Doctolib formally differentiates between processing on behalf of the health professional and Doctolib’s own responsibility for its web content. So far, so good and correct. But then Doctolib presumes to merge data that they have processed on behalf of a doctor in Doctolib’s own appointment scheduling database. For doctors and patients, and also for us, it remains unclear how these data will be further used.

Especially sensitive health data

It should be beyond dispute that medical appointments as well as metadata from video consultations are sensitive health data, which are under the special protection of the General Data Protection Regulation (GDPR). The patient’s trust in their doctor forbids that names, appointments, and treatments should fall into the hands of third parties or be used for purposes other than treatment or consultation in the trusted practice. Legally, doctors are allowed to enter into processing contracts without requiring their patients’ consent. But this trust relationship would be violated in a punishable way if Doctolib accesses a doctor’s data on those patients who have not arranged any appointments nor have an account with Doctolib, and if those affected are not informed that the data was shared.

Advertising, tracking, analysis – who is responsible?

However strongly Doctolib professes to be committed to data protection and patient confidentiality, we have to question this promise after examining all the fine print.

For example, Google appears in the Doctolib cookie list with their Analytics and Adwords and Ads services. The stated purposes are tracking or tracing website usage. For Ads, the purpose is simply advertising. Once consent has been given to data utilisation for advertisements and opinion polls, this apparently means that each time an appointment is made the data is shared with, for example, Google. The same problem arises when social networks such as Twitter, Instagram, Facebook, LinkedIn, Medium and YouTube are integrated into Doctolib’s start page. What purpose this serves, why an appointment allocation page needs a YouTube button, is a question that Doctolib should seriously be asked. The respective cookie settings on offer are “accept all”. And Doctolib innocently explains that they are not responsible for the way these services handle data.

Here Doctolib is mistaken: The European Court of Justice recently decided in three independent cases that in such data processing the website provider, in this case Doctolib, shares responsibility. We say: commercial social media providers have no part to play in the doctor–patient relationship, especially not when they are seated in an unsafe third country such as the United States.

Professional confidentiality

In Doctolib’s “user terms and conditions” of 2019, patients can read that by giving their consent, they release their doctors from professional confidentiality. The patients are not told why and what for, and we were not told either when we asked. It should be clear that such a release in the fine print is not valid.

In fact, the breach of confidentiality starts earlier and it has vast proportions: It is true that under a new legal regulation of 2017 doctors are explicitly allowed to use services like Doctolib. However, there is the prerequisite that the disclosed confidential patient data are truly necessary for the service. It is definitely not necessary for Doctolib to import a doctor’s full list of patients. It would be sufficient for the company’s appointment scheduling to have a list of available times from the doctor and then negotiate these with the doctor’s system.

Client separation

As a service acting for a doctor and as its data processor, Doctolib is obligated to separate its clients. That means Doctolib is not permitted to merge patient data from different doctors. But that is exactly what the company appears to do. At the Chaos Computer Congress 2020 it was reported[1] that a Doctolib database was leaked to the Chaos Computer Club. It was possible via the reported gap to access over 150 million scheduled appointments. These data presumably arose from synchronisation with appointment calendars from doctors’ practices and reached back to the year 1990[2]. How the data were or still are processed, what Doctolib does with this collection and why outdated data has not been deleted remains the business secret of our awardee.

The allegedly awarded seals of quality do not relate to the GDPR, contrary to the company’s claims. What was given a seal here and why remains largely Doctolib’s secret. What is known is that Doctolib uses an Amazon cloud service certified in France – with European computers.[3]

What does Doctolib really do?

Our enquiries with the company about the millionfold downloading of patient data, client separation and much more remained unanswered.

Therefore we can only speculate about what goes on in the servers of AWS and Doctolib.

By the way, to speculate is what venture capitalists do as well. The company, established in 2013, was provided with 23 million € in 2016, a further 35 million € in 2017 and another 150 million € in 2019. Doctolib has now become one of the so-called Unicorns; that is a term for companies valued at over a billion € on the capital market.[4]

Whereas the global and European market for Internet user data is divided up between Facebook and Google, the market for health data has become a new playing field for IT companies and speculators. So far US companies could be largely kept out of this European market with reference to doctor’s confidentiality obligations. Doctolib is working on grabbing a large piece of this cake by professing a wholehearted commitment to this confidentiality, without really being oriented towards it.

The digitalisation of our health system is important, in order to improve public health care and maintain it at a high level. This must not happen at the expense of confidentiality between patients and health professionals. Since Doctolib subordinates this confidentiality to its drive for expansion, the company deserves the BigBrotherAward 2021 in the category Health.

Congratulations, Doctolib.


Thilo Weichert has written a comprehensive report about Doctolib on behalf of Netzwerk Expertise, which was published on the day of the gala (PDF) (German)

Sources

1 Video recording of the CCC talk (German – English interpretation might still be added – the section on Doctolib data starts at 1:00:00) [Video no longer available]

2 medical-tribune.de: Datenpanne bei Online-Terminbuchungsportal, 19./25 Jan 2021,
spiegel.de: Datenlecks in deutschen Arztpraxen Massenhaft sensible Patientendaten waren für Unbefugte zugänglich, 30.12.2020 (Web-Archive-Link)
https://media.ccc.de/v/rc3-11342-tut_mal_kurz_weh_neues_aus_der_gesundheits-it [Video no longer available]

3 Privacy Statement for health professionals (German) (Web-Archive-Link)

4 businessinsider.de: Doctolib wird zum Einhorn (Doctolib becomes a Unicorn), 20 Mar 2019 (Web-Archive-Link)

Mobility (2021)

The European Commission

The BigBrotherAward 2021 in the category “Mobility” goes to the European Commission for the introduction of the “On-Board Fuel Consumption Meter” (OBFCM). The OBFCM collects an extensive amount of technical information about a vehicle and transmits it to the manufacturer along with the vehicle identification number. The OBFCM is mandatory for all new cars as of 1 Jan 2021.
Laudator:
Frank Rosengart, Chaos Computer Club (CCC)

The BigBrotherAward 2021 in the category “Mobility” is awarded to The European Commission for the introduction of the “On-Board Fuel Consumption Meter” (OBFCM).

What’s the rationale behind this?

Auto manufacturers tend to fudge the data when it comes to emissions. Actually, you could say: there are lies, damned lies – and emissions data. We have known this since the “Dieselgate” emissions scandal became public. And it’s not really a surprise either that petrol consumption is much higher on the road than under lab conditions.

Now, it’s important for the EU to get accurate information, since CO2 limits have been introduced for new cars. Manufacturers whose cars exceed the limits have to pay significant fines[1]. Also, potential buyers are supposed to get an idea of their new dream car’s appetite for fuel – in real life, not just in the sales brochure. This is why consumption is supposed to be measured under actual driving conditions and not just in the lab.

The well-intentioned rationale goes like this: why not use the comprehensive data that modern cars already record, in the engine management system, the fuel injection system, and so on? Modern cars have powerful on-board computers, and thanks to the “e-Call” system – a BigBrotherAward winner in 2014 – there is also a mobile communications module that can transmit data in real time. This is called “telemetry”, which is really just another way of saying that the cars “phone home”. We gave Microsoft a BigBrotherAward in 2018 for the telemetry in Windows 10. So if a car can do all that, there is no need for lab values that could be massaged or tweaked.

Now, you might think, cell phone transmission in real time, isn’t that a bit over the top? Couldn’t you just … collect the data and upload it the next time the car is in the garage? Well, yes, you could do that, but new cars in Germany can go without inspection for three years, and the EU Commission would have to wait until then to receive the data. In view of climate change, that is a long time.

For the five-year trial period that has now started, the EU Commission decided, in the implementation of EU Regulation 2019/631[2], to task the manufacturers with the collection of this data.

Right. The automobile manufacturers.

Those who have proven soooo “trustworthy” when it came to emissions and consumption data.

Seriously?

It almost seems like the EU Commission had its doubts, too, because they decided to ask for detailed data from each car, at frequent intervals: consumption values, distance travelled and possible additional parameters, all tied to the vehicle identification number, and this is how they plan to stop the manufacturers from pulling the wool over our eyes again.

But there is a catch, because the manufacturers are still in the loop. Not only that: Manufacturers get the complete telemetric data set, served up on a silver platter, where they used to have to ask the vehicle keeper for permission. Now the legal obligation obviates the need for consent. Beyond that, there is more data which the Regulation calls “additional parameters”, and no doubt the manufacturers will be very happy to get their hands on those as well.

The EU Regulation states that the vehicle identification number “shall be used only for the purpose of that data processing and shall not be retained longer than needed for that purpose”[3], but nobody really wants to commit to a specific length of time. The fact is: while the engine data are linked to the vehicle ID, it will be possible to gain far-reaching insights into individual driving behaviour.

In reply to an official question by the liberal party FDP[4], the German Federal Government stated that the OBFCM technology could not be used to establish movement profiles. They also state that only the Federal Motor Transport Authority (Kraftfahrt-Bundesamt) and insurance companies will be able to connect the vehicle identification number to specific vehicle keepers. But as we have learned in the past: where there is a trough, the swine will come. Once the data are collected, new “needs” and “legitimate” interests will materialize.

And it is not just the EU Commission. The German Federal Government would also like to have this kind of data. It is currently planning an initiative on mobility data, “Datenraum Mobilität”, in which German auto manufacturers and mobility providers “share” data; that, at least, is the objective. It is far from clear for now who will share what with whom. No doubt there are reasonable uses for such a data pool. But we get to make a decent guess that drivers will be fighting an uphill battle if they want to make sure that their movement data do not become a free-for-all.

The electronic On-Board Fuel Consumption Meter (OBFCM) is another stone paving the road toward the transparent driver – even though this would not have been necessary in any way. We are very concerned to see how telematics are increasingly finding their way into cars, and how data protection falls by the wayside.

And this is why we say, for the EU Regulation 2019/631: Congratulations, EU Commission, on your BigBrotherAward 2021.

Historical Amnesia (2020)

Conference of interior ministers of the German federal states

The conference of interior ministers of the German federal states receives the BigBrotherAward 2020 in the “Historical Amnesia” Category for their intention to create a life-long personal identification number based on the tax identification number. Such personal identification numbers were used in two dictatorships on German soil: in Nazi Germany and in the East German GDR – for registration, repression and in the end for extermination. They violate the spirit of the constitution.
Laudator:
padeluun, Digitalcourage

The BigBrotherAward 2020 in the “Historical Amnesia” Category goes to the conference of interior ministers of the German federal states, represented by its acting chairman, Georg Maier, Minister of the Interior of the federal state of Thuringia, for their intention to create a life-long personal identification number based on the tax identification number.

Border(line) Experience

Nineteen-hundred eighty-one; almost forty years ago. I was on tour, travelling by railway with a bag full of 8-millimeter films from Graz in Austria to Düsseldorf. That is to say: I wanted to go to Düsseldorf, but by the time I reached the Austrian–German border, my journey came to a premature end. In Austria my only identification document, my passport, had been taken away. (That is a story for another time.)

I had not expected any big problems, because – so I imagined – I was in possession of a secretive power: I could recite the number of my identity card from memory, and with that – so I imagined – it could quickly be determined that I was the one and true padeluun and I would be allowed to cross the border and be on my way. In the following eight hours, which I spent in the company of friendly border guards, I learned about personal identification numbers.

I learned, in particular, that after 1945, when it had become clear how much the counting and the collection of statistical data had helped the Nazis with murdering people, such personal identification numbers should never be created again. This is what the Parliamentary Council, tasked with writing the German Constitution and consisting of 66 men and four women, almost all of them convicts, concentration camp inmates, deserters or resistance fighters[1], wrote in Article 1 of the Constitution:

“Human dignity is inviolable.”

This is why the identity card number cannot be traced back to the person, and a new number is assigned for every new identification document for which I apply. No person on German soil shall ever again be reduced to a number – or even worse, uniquely tattooed with such a number.

And I, being a young fool, just thought this was terribly inefficient. I had to stay put at this border post for eight hours, just because “they” would not release the number for search purposes because of some “romantic” reasons. I didn’t think it was important. The war had been over for a long time, the Nazis and fascists would never return. That was my youthful misjudgment.

What I wasn’t aware of: personal identification numbers like this were used in two dictatorships on German soil: in Nazi Germany and in the East German GDR – for registration, repression and in the end for extermination. They violate the spirit of the constitution.

Rejected Time and Time Again

As early as 1969 the German Federal Constitutional Court (“Bundesverfassungsgericht”) decidedly rejected such personal IDs for the first time in the “Micro Census” ruling. As they did several more times after that. The judges found it unconstitutional, ...

“... to register and to catalogue someone in their entire personality […] and thus treat them like an object allowing a complete inventory in every respect.”[2]

In May 1976 the judicial committee of the German federal parliament stated that ...

“... for reasons of constitutional and legal policy it is not permissible to develop, deploy and use a numbering system which allows for a uniform enumeration of the entire population.” This vote caused the first draft of a federal registration law to fail.[3]

But in 2007 Peer Steinbrück, then finance minister, introduced the tax ID. Back then, 13 years ago, we already gave him a BigBrotherAward for that. At the time solemn oaths were taken that this tax ID would never be extended into a personal identification number. And now look at the mess we’ve got.

What is planned for 2020

In our February 2020 session of the BigBrotherAwards selection committee we talked about the personal identification number as a possible candidate. I remember that at first we refused to believe that such a bill was actually being proposed.

We came across the National Regulatory Control Council (“Normenkontrollrat”), which presented an expert report by McKinsey&Company concluding that a “register modernisation act” was needed, and that this would save 6 billion euros. It would require courageous political actions, it says. And I think to myself, yes, it does take courage to offer the keyboard and monitor to the mundane evil.

Markus Reuter of the netzpolitik.org blog writes about this McKinsey report (quote):

“The report mentions that from a constitutional and from a privacy perspective it is difficult to introduce a personal identification number. Among other reasons the introduction of such a personal identification number is problematic because of the census ruling of the Federal Constitutional Court and because of a possible violation of the fundamental right to informational self-determination. This ruling prohibits the administration from linking personal data with an overarching identification number which could be used for profiling.” (End quote)

However, according to a submission of the Department V II 2 of the federal ministry of the interior, the 212th conference of interior ministers has been discussing the report and decided to go through with it.[4] Not unanimously, I’d like to add. Some federal states were apparently opposed, but to no avail. As early as December, the initiative “Freiheitsfoo” (“freedom foo”) had contacted and queried all interior ministers in Germany. According to the replies, the states of Baden-Württemberg, Bavaria and Saxony were unconditionally in favour of the personal ID. Berlin and Bremen needed more time for consideration, North Rhine-Westphalia, Saxony-Anhalt, and Saarland declined to comment, and all the other states and the federal ministry simply ignored the request.[5]

The tax ID is intended to become a personal ID this summer[6] (hidden away by the federal cabinet in the economic stimulus package). This will once more reduce humans to numbers. For all dealings with any government institution. To make this new crime against the constitution somewhat less obvious, an ominous additional agency will be inserted in between. A similar stunt had been used years ago for the de-facto merging of the civil registers: the databases remained separate, but a common linking index was created on top.

If all this is now introduced as a “stimulus” called “register modernisation”, because “digitalisation is so important”, then we should finally suggest “digitalisation” as the bad word of the year. We have to digitalise? We have to do no such thing. Our sole obligation is to create a world worth living in, for all creatures, flora and fauna, and to live together peacefully.

The only response left to us is sarcasm: at least the personal ID does not encode the entire family history (as was the case with the original Nazi ID), it will only reveal the responsible local tax office. No, that is not really a consolation.

What it all means

Those who think “how convenient” might have a point. There’s a single number for all occasions, we no longer have a notebook full of little numbers for different agencies, but everything at a single glance: in every file, for every agency I have to deal with. Yes, that is convenient. But it is one more step in disregarding and undermining the constitution, and not only deprives the true sovereign, the citizens, of their power, but also of their dignity.

Today, looking back 39 years, I can see a reflection of my own avant-garde stupidity in thousands of expressions of opinion. Not only in the grubby streets of social-media comments, but also in workers’ homes, in citizens’ houses, in the media and, worst of all, even in parliaments, which, forgetting history, try to forge such plans and sneak them through.

The economic dictatorship

Modern thinking about sovereignty is dominated by the promises of big money from the big Internet without big effort, and by the whining struggle against all those who might somehow stand in the way of making big profits from sovereign administrative acts, too. Six billion euros – that is the great promise – could be saved by introducing this personal ID. But it is really the other way around: these six billion euros, which apparently is the price tag for maintaining separate administrative databases, are a good investment in protecting the population from the government.

And we need this protection, not only if ever more fascists enter the parliaments, but also, and specifically, when they are bustling with “flawless democrats” (translator’s note: this is the tag once given by former chancellor Gerhard Schröder to Vladimir Putin).

What needs to be done

Where are the elected persons who cry out and who desire what is true and right, who defend the constitution against attacks from government agencies and the administration? In their absence, all we hear from the ministries and parliaments is “What is it you say?! This is unconstitutional? Even though it is so convenient? We still want it anyway!”

Although the constitutional corrective, the Federal Constitutional Court, raises its supreme-court voice every now and then, the government is not getting any wiser.

Should the personal identification number be codified into law, those of us who do not suffer from historical amnesia will have to rise against this new presumptuousness of governmental action. We call upon lawyers and other experts in constitutional law to support us.

Until then,

congratulations on the BigBrotherAward 2020 in the category “Historical Amnesia”, Mr. Maier, and all other members of the conference of interior ministers.

Sources

1 Christian Bommarius: „Das Grundgesetz. Eine Biografie“, Berlin 2009, ISBN 978-3-87134-563-0

2 Bundesverfassungsgericht 16.7.1969, Aktenzeichen BvL 19/63

3 vgl. 5. Tätigkeitsbericht (TB) des Bundesbeauftragten für den Datenschutz (BfD), BT-Drs. 9/2386, S. 13 und 68

4 Abschlussbericht zur Sondierung eines registerübergreifenden Identitätsmanagements mit Einbezug der Erfahrungen mit der Steuer-Identifikationsnummer für die Innenministerkonferenz (PDF) (German)

5 ID-Register (German) (Web-Archive-Link)

6 netzpolitik.org: Eine Nummer, sie alle zu finden (German) (Web-Archive-Link)

Workplace (2020)

Hennes & Mauritz (H&M)

H&M Hennes & Mauritz B.V. & Co. KG in Hamburg receives the BigBrotherAward 2020 in the “Workplace” category for the long-standing, devious and illegal processing of employee data at the H&M customer centre in Nuremberg. H&M has collected data concerning health problems of employees, as well as those of family members and colleagues. This information was gathered by H&M team leaders from friendly conversations at the workplace or on a coffee break.
Laudator:
Prof. Dr. Peter Wedde, Frankfurt University of Applied Science

The BigBrotherAward 2020 in the “Workplace” category goes to H&M Hennes & Mauritz B.V. & Co. KG.

The BigBrotherAward jury thus honours the long-standing, devious, and illegal collecting and processing of employee data, distinctly protected by privacy laws, in the H&M customer centre in Nuremberg.

It seems unbelievable that such a young, modern, hip company like H&M should receive a BigBrotherAward – at least it would be if the company implemented and lived up to the values they present on their job application website. There it is claimed that the corporate culture of H&M follows these values:

WE ARE A TEAM

WE BELIEVE IN PEOPLE

ENTREPRENEURIAL IN THOUGHT AND ACTION

CONTINUOUS IMPROVEMENT

COST CONSCIOUSNESS

OPEN AND FORTHRIGHT

KEEP IT SIMPLE

At the very least “OPEN AND FORTHRIGHT” certainly did not function in the customer centre. Here 700 H&M call centre employees serve customers in Germany and Austria. In October 2019 it became publicly known that this customer centre took great interest not only in customer wishes, needs or problems, but also in highly private and personal information about the employees working there.

Personal and health data

On 25 Oct 2019 the FAZ newspaper (Frankfurter Allgemeine Zeitung – a major German paper) first reported [1] that in the Nuremberg customer centre, management personnel and team leaders had access to computer documents in which detailed personal employee information had been systematically and secretly recorded. [2] This included details on relationships among employees, with which partner they had spent the night, where marriage problems existed or where a divorce was imminent. Similarly, conflicts within the family or deaths of family members or friends were added to the list. And it was recorded whether employees’ vacations had been restful or perhaps rather stressful due to personal problems.

The thirst for information at H&M’s management level made no exception with health-related data. Individual-related files contained, for instance, information regarding diseases of employees or family members including the progression of the disease. [3] The Hamburg commissioner for data security and freedom of information, Johannes Caspar, announced after an initial investigation [4] that in Nuremberg diverse health-related employee data, everything from incontinence to cancer, were registered. To make it complete, the information was enhanced with assumptions and rumours, for instance about menstruation problems of individual colleagues.

Employees selectively targeted

All this sensitive information was compiled by team leaders and other superiors. The information originated especially from informal chats with employees in the office or on breaks, but also from “welcome back” talks, for example after a vacation. These talks included questions clearly targeting private matters. [5] The findings, digitally noted in detail, were made available to the entire H&M management level. [6] Of course, the employees were at no time informed that private information would be specifically queried and then incorporated into centralised files.

Bosses take advantage of trust

While I was doing research for the BigBrotherAwards, several employees personally showed me the notes made about them. Since these people still work for H&M and fear consequences, I am unable to quote them directly. But I can say I was appalled that superiors do not cringe about establishing a friendly atmosphere for dialogue in order to pry out private and very personal information, then put this information in writing structured to management needs, and store it. To describe such an approach, on the basis of an existing occupational relationship of trust, as wretched, would be putting it politely. In any case it is illegal.

Discovered through a data leak

This all came to light accidentally in 2019, as the personal dossiers were suddenly accessible on the internal network. This clearly suggests that H&M's technical and organisational data security is not in a consistently good state. If I were one of their customers, I would be troubled by this situation.

Self-denunciation and apology – Everything okay?

At least the company, after the initial press releases about the records in October 2019, did inform the supervisory authority responsible for their Hamburg headquarters. They have been dealing with the incident since then. The employees themselves were told in internal communication that it was simply a matter of “isolated” cases and that the majority of management would abide by the privacy guidelines.

A message to the employees states that:

“We want to sincerely apologise that these incidents have put you in an unpleasant situation and that insecurity has arisen.”

So, everything okay? Some team leaders make mistakes, management denounces itself, apologises, and that's it? No.

Already in January 2020 a circle of employees reported that the promises for prompt clarification of the matter were not being fulfilled. In addition, the suspicion was voiced that the files had been manipulated before they were inspected. [7] An employee was quoted as saying that a climate of fear and intimidation prevailed. She consequently did not wish to be named. [8]

A number of employees have resigned, because the personal working conditions have deteriorated since the spying became public. They were especially angered that there would be a compensation payment of 2500 € per person, which the team leaders who conducted the spying would also receive.

But at least, according to these employees, the Nuremberg facility now has a works council (Betriebsrat, formal employee representation in German industrial law).

Surveillance is often evident in call centres

The rampant control mania at H&M is not an isolated case. In the call centre sector much has changed during the last twenty years and a number of firms abide sufficiently by labour and data protection guidelines. Comprehensive surveillance of employees occurs occasionally in other call centres. However, it is often no longer necessary in these places to tediously sound out employees in order to gain information about moods or diseases or such. Specialised software will do that job much more easily, and we have denounced this repeatedly with BigBrotherAwards. For example in 2014 for a subsidiary of RWE (a large energy supplier) that registered mouse clicks and keystrokes, or last year (2019) with a BigBrotherAward for the voice analysis software from Precire.

Why is the call centre sector so susceptible to surveillance excesses and poor working conditions? It's simple: because people in call centres do not work for their own amusement, but rather to earn a living, and therefore are afraid to talk publicly about working conditions. Whoever takes a critical stance and demands their rights may face not having their fixed-term contract extended or not turned into permanent employment after many years of work. What's more, it is technically so easy to register and evaluate the activities in a call centre. And whoever complains about illegal or excessive monitoring is also soon out of a job. It is still to a large extent a precarious business sector. Where works councils exist, their members tell of personal repressions and even threats. So employees consider carefully whether to pass along details of ongoing surveillance. Particularly since an effective law protecting whistle-blowers from disadvantages and sanctions still does not exist in Germany. So, we would not be surprised if in the following years the call centre sector produces further award winners.

In this sentiment: Heartfelt congratulations, H&M, on your BigBrotherAward 2020!


About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

Organised by (among others):

BigBrotherAwards International

The BigBrotherAwards are an international project: Questionable practices have been decorated with these awards in 19 countries so far.