SWITCHED ON
The daily technology series nobody asked for but everyone needed
Nothing to Hide: Online Privacy and the Surveillance Economy
"I have nothing to hide" is the most successfully implanted phrase in the history of corporate public relations. Let's talk about what is actually being collected, by whom, and why it matters even if you are spectacularly boring.
Saying you have nothing to hide is like saying you have nothing to say, so freedom of speech doesn't matter. Privacy is not about secrets. It is about the power to decide what you share, with whom, and on what terms. That power has been systematically transferred from you to people you have never met and cannot hold accountable.
Yesterday we covered tech monopolies and antitrust — how network effects and killer acquisitions built the dominance of Google, Apple, Meta, Amazon, and Microsoft, the landmark Google search monopoly ruling, the App Store wars and Apple's talent for technically-compliant non-compliance, the EU's Digital Markets Act versus the US's century-old litigation framework, and why the tools currently available are not producing structural change at the pace the concentration of digital market power requires. Today we are going somewhere that connects every episode we have run — because the data collection practices of the surveillance economy are the foundation on which platform power is built, the mechanism through which algorithmic systems make their inferences, and the raw material from which the AI models shaping your life were trained. Online privacy: what is actually happening to your data, who is making money from it, what the law says, and whether any of it is meaningfully under your control.
Start with a clarification of what we mean by surveillance economy, because the word surveillance makes people think of governments and spy agencies, when the more pervasive and in some ways more consequential version is entirely commercial.
01 — What the Surveillance Economy Actually Is
The surveillance economy — the term was coined by academic Shoshana Zuboff in her 2019 book The Age of Surveillance Capitalism — describes a business model in which human experience is claimed as raw material, processed into behavioural data, analysed to generate predictions about future behaviour, and sold to advertisers who want to influence that behaviour. The product, in this model, is not the search engine or the social media platform or the maps application. The product is the prediction. You are the mine from which it is extracted.
The scale of data collection is difficult to grasp in the abstract. Google processes roughly 8.5 billion searches per day. Each search is a signal about intent, interest, concern, desire, or need. Combined with location data from Android phones, browsing history from Chrome, email content scanned in Gmail, viewing patterns from YouTube, and purchase behaviour inferred from Google Pay, the profile that emerges is not merely a record of what you have done online. It is a continuously updated model of who you are, what you want, what you fear, and what you might do next. Meta builds a comparable model from Facebook activity, Instagram interactions, WhatsApp messages — which Meta has maintained are end-to-end encrypted and not used for targeting, a claim that has been scrutinised — and data purchased from third-party brokers about offline behaviour.
You are not the customer of these platforms. You are the product. This has been said so often it has lost its force. It should not have. The economic relationship it describes has profound implications for every other relationship you have with these companies.
The data broker industry — companies whose entire business model is aggregating, packaging, and selling data about individuals — operates largely invisibly to the people whose data is being traded. There are estimated to be several hundred data brokers operating in the US market. They hold records on virtually every American adult, including name, address, phone number, email, income range, political affiliation, religious beliefs, health conditions inferred from purchase patterns, relationship status, sexual orientation inferred from browsing behaviour, and much else. This data is sold to advertisers, employers, insurers, landlords, law enforcement agencies, and anyone else willing to pay for it. The individuals whose data is sold have, in the US, virtually no legal right to know what is held about them or to have it deleted.
02 — The Cookie Monster and What Replaced It
Third-party cookies — small files placed on your browser by websites other than the one you are visiting — were the foundational tracking technology of the early commercial web. They enabled advertisers to follow you across sites, building a profile of your browsing behaviour that could be used for targeted advertising. They were never consented to in any meaningful sense; they simply existed, silently, in the background of every website visit.
The regulatory and competitive response to third-party cookies has been slow and imperfect, but it has happened. The EU's General Data Protection Regulation, which came into force in 2018, required explicit consent for non-essential cookies — producing the consent banners that now greet every website visit with a dark-pattern-laden interface designed to make opting out as difficult as possible while technically complying with the law. Firefox and Safari blocked third-party cookies years ago. Google announced plans to deprecate third-party cookies in Chrome, then delayed the plan multiple times under advertiser pressure, and as of 2026 has implemented a partial privacy-preserving alternative called the Privacy Sandbox that the advertising industry finds inadequate and privacy advocates find insufficient. The cookie is dying slowly and being replaced by tracking mechanisms that are in many respects more difficult to block.
Fingerprinting — using the unique combination of browser settings, installed fonts, screen resolution, hardware configuration, and dozens of other signals to identify a device without placing any file on it — is increasingly used as a cookie alternative. Unlike cookies, fingerprints cannot be deleted. They are extraordinarily difficult to block without significantly degrading the browsing experience. Device fingerprinting combined with email-based identity matching — linking your device to your email address when you log into any service — creates tracking that persists across browsers, devices, and sessions in ways that the cookie never could.
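An added example, not part of the original article: it measures how individually unremarkable signals combine into an identifier, using a constructed eight-visitor population. The attribute names and values are assumptions chosen for illustration.

```javascript
// Added illustration; every visitor record below is constructed sample data.
// Attribute names (timezone, screen, language, fonts) are assumptions.
const population = [
  { id: "A", timezone: "Europe/London", screen: "1920x1080", language: "en-GB", fonts: 212 },
  { id: "B", timezone: "Europe/London", screen: "1920x1080", language: "en-GB", fonts: 187 },
  { id: "C", timezone: "Europe/London", screen: "2560x1440", language: "en-GB", fonts: 212 },
  { id: "D", timezone: "Europe/London", screen: "1920x1080", language: "en-US", fonts: 212 },
  { id: "E", timezone: "America/New_York", screen: "1920x1080", language: "en-US", fonts: 187 },
  { id: "F", timezone: "America/New_York", screen: "2560x1440", language: "en-US", fonts: 187 },
  { id: "G", timezone: "America/New_York", screen: "1920x1080", language: "en-GB", fonts: 212 },
  { id: "H", timezone: "Europe/London", screen: "2560x1440", language: "en-US", fonts: 187 },
];
const ALL = ["timezone", "screen", "language", "fonts"];

// Number of visitors (including this one) reporting the same values.
function anonymitySet(pop, visitor, attrs) {
  return pop.filter((p) => attrs.every((a) => p[a] === visitor[a])).length;
}

// Bits of identifying information: log2(population size / anonymity set).
function identifyingBits(pop, visitor, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, visitor, attrs));
}

// Share of the population that the chosen attributes single out completely.
function uniqueFraction(pop, attrs) {
  const unique = pop.filter((v) => anonymitySet(pop, v, attrs) === 1);
  return unique.length / pop.length;
}

const visitorA = population[0];
for (const attr of ALL) {
  // Each signal on its own leaves visitor A hidden among several others.
  console.log(attr, "alone:", anonymitySet(population, visitorA, [attr]), "of", population.length);
}
console.log("all four combined:", anonymitySet(population, visitorA, ALL),
  "visitor,", identifyingBits(population, visitorA, ALL), "bits");
console.log("uniquely identified, all four signals:", uniqueFraction(population, ALL));
// If screen and font values were reported identically for everyone,
// only timezone and language would still distinguish visitors.
console.log("uniquely identified, screen and fonts standardised:",
  uniqueFraction(population, ["timezone", "language"]));
```

None of these values is stored on the device, so clearing cookies leaves the result unchanged; only reporting the same values as other visitors enlarges the anonymity set.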
03 — What GDPR Actually Did
The EU's General Data Protection Regulation is the most comprehensive data protection law in the world and the one that has had the most demonstrable global impact, because companies that want to operate in the EU must comply with it regardless of where they are headquartered. It establishes rights for individuals — the right to access data held about them, the right to correct it, the right to erasure, the right to data portability, the right to object to processing — and obligations for companies around consent, data minimisation, and security.
The enforcement record is mixed. The Irish Data Protection Commission, which is the lead supervisory authority for most major US tech companies because their European headquarters are in Ireland, has been persistently criticised by other EU data protection authorities for moving too slowly and fining too leniently. Meta has been fined billions of euros in aggregate under GDPR. These fines represent fractions of its annual revenue and have not produced the structural changes in data practices that the regulation's architects intended. The relationship between the size of GDPR fines and the actual deterrent effect on companies with hundred-billion-dollar market capitalisations is, charitably, unclear.
What GDPR unambiguously did was raise global awareness of data rights and inspire similar legislation elsewhere — California's CCPA and CPRA, Brazil's LGPD, India's Digital Personal Data Protection Act, and others. The global regulatory landscape for data protection is considerably more developed than it was in 2018. It is also considerably less developed than the data collection practices it is attempting to govern, and enforcement remains the persistent weak point across every jurisdiction.
04 — The "Nothing to Hide" Argument, Dismantled
The "nothing to hide" framing deserves specific attention because it is genuinely effective as a rhetorical device and genuinely wrong as an argument. It works by reframing privacy as a concern only for people with something to conceal — criminals, the unfaithful, the embarrassed — and implying that those who value privacy must therefore belong to one of those categories. This is a category error so fundamental it is almost elegant.
Privacy is not about hiding wrongdoing. It is about the conditions that make autonomy, self-development, and authentic relationships possible. You lower your voice in a restaurant not because you are saying something wrong but because some conversations are not for general broadcast. You close the bathroom door not because you are doing something illegal but because some things are simply private. The argument that you have nothing to hide assumes that privacy is only valuable as a shield for misconduct, which is false on its face and demonstrably so from any serious engagement with what privacy actually enables in human life.
The practical harms from surveillance are concrete and documented. Behavioural data has been used to target vulnerable people with predatory financial products, identify and exploit addiction, manipulate political beliefs, enable stalking through data broker records purchased by abusive partners, discriminate in housing and employment through inferred characteristics, and provide law enforcement with location records that have been used in investigations of constitutionally protected activities including attendance at protests and visits to abortion providers in states where abortion is restricted. "Nothing to hide" is a comfortable argument for people to whom none of these harms have yet applied.
The nothing-to-hide argument assumes a permanent and benign status quo. It does not account for the fact that what is legal today may not be tomorrow, that who has access to your data today is not who will have access tomorrow, and that the harm from surveillance is often not visible until it is too late to prevent it.
05 — What You Can Actually Do
The privacy advice column is a genre that tends to oscillate between two equally unhelpful extremes: the paranoid manifesto that instructs you to use Tor, self-host your email, and communicate exclusively through encrypted channels that your friends will never adopt, and the breezy reassurance that clearing your cookies and using a VPN is all you really need. The honest version sits between them and acknowledges that individual action has real but limited effect in a system where the data collection infrastructure is embedded in the basic operation of the modern internet.
Things that meaningfully reduce your data exposure: using a privacy-focused browser (Firefox with uBlock Origin, or Brave) instead of Chrome; using a search engine that does not profile users (DuckDuckGo, Startpage, Kagi); using Signal instead of SMS for sensitive communications; reviewing and limiting app permissions on your phone; opting out of data broker records through services like DeleteMe; and paying for products where possible rather than trading your data for a free service, because the economic relationship shapes the data collection incentive.
Things that are largely theatre: cookie consent banners designed to make opt-out difficult, most VPN services that are themselves surveillance operations, and privacy settings on major platforms that provide granular controls over the least consequential data while the most consequential collection happens through means the settings do not reach.
The structural problem cannot be solved by individual behaviour. The data broker industry will continue to aggregate and sell your records regardless of your browser settings. The advertising ecosystem will continue to develop fingerprinting and identity matching regardless of your cookie preferences. The meaningful change is regulatory, and it requires regulators with technical expertise, enforcement budgets, and political will to use them. The trajectory is toward more regulation in more jurisdictions. The pace remains considerably slower than the industry it is attempting to govern.
Tomorrow we are going somewhere that will feel familiar after today's episode — cybersecurity. The state of digital security in 2026: ransomware as an industry, the most consequential breaches of the past decade, what nation-state hacking actually looks like, and what individuals and organisations can realistically do to be less catastrophically vulnerable. See you then.
Switched On is a daily technology series covering AI, social media, data privacy, and the digital forces reshaping modern life — with no corporate spin, no false comfort, and absolutely no mercy for buzzwords.



