Informed Consent, Martial Arts and Privacy Data

This article has previously been posted on my Medium blog.

Did you know that Tinder has the right to read all the messages you send in your private Tinder chats? They are allowed to read your pick-up lines and your failed flirts, as well as the hot sex chats that end in exchanging of phone numbers.



 It’s right there in plain text — paragraph 8. And you agreed to it. By ticking the “I accept Terms of Use and the Privacy Policy” box. These “click-through agreements” are common practice, and although it’s not always clear whether these contracts have any bearing in court, they are used as base to collect and process big parts of your life.

In any free society, we have the right to agree upon contracts with other entities. But in my view, this freedom should not entail the right for powerful entities to abuse the fact that the other party rarely reads the 40 page legalese jibberish.

What is Informed Consent?

It is illegal to physically assault another person. Yet, under informed consent, it is perfectly legal to hit someone in the face — It’s called Mixed Martial Arts. Or thai boxing, or ice hockey. Outside the cage these very same people are not allowed to touch another human being — including the person they just punched.

The default setting is that violence is prohibited, but there is also place to temporarily agree upon under which circumstances exceptions can be made. If this were a firewall, this rule would be called “default deny”. In the infosec world, this would be “limiting the attack surface”. In violence or in sex, this would be called “informed consent”.

This is the first part of an ongoing series where I hope to facilitate the discussion about and outline the prerequisites for an Ethical End User License Agreemenet (EULA) under the principle of Informed Consent.

An Ethical EULA:

  • Your personal information, the data and the metadata you produce is owned by you, and can be loaned by another entity by means of EULA
  • The company’s loan of your personal data is limited in time
  • The company’s loan of your personal data is limited in space
  • The company’s loan of your personal data cannot be transferred
  • The company’s loan of your personal data should be opt-in
  • The scope of the personal data loan must be proportional and minimal
  • It must be possible to agree to some parts and not to other parts
  • It must be understandable by the average person

Thing is: if you’re an EU citizen this is already the law.

The General Data Protection Regulation — GDPR — is in force since 2016, and any company that violates these simple principles by May 2018 will (hopefully) be subjected to substantial fines. I believe that the GDPR can bring great things, but I am concerned that advocacy groups and the civil societt are so quiet about what amazing new legal rights we actually are having. A right that is not claimed is not worth very much, and it’s time to step up our game.

How do I propose to do that? That’s the topic of an upcoming article 🙂