The Illusion of Privacy
We have been told that privacy is a right, something we can control through consent forms, privacy settings, or careful online choices. But in reality, privacy has become more of an illusion than a guarantee.
Despite new frameworks such as India’s Digital Personal Data Protection Act, 2023 (DPDPA) and the European General Data Protection Regulation (GDPR), most people still have little meaningful control over their data. We express concern about privacy yet willingly give up personal information for convenience.
The reason lies in the way our digital world is structured. As Lawrence Lessig argued in Code and Other Laws of Cyberspace (1999), our behaviour is shaped by four forces i.e., law, social norms, markets, and technology (or architecture). Together, they regulate how privacy is created, eroded, or preserved.
Law
The DPDPA is a crucial step for India. It brings a legal vocabulary for consent, purpose limitation, and data subject rights. Yet, law by itself is reactive it intervenes after harm occurs.
Even the GDPR, the world’s most influential privacy law, reveals the limits of law. Enforcement remains uneven, and large corporations can absorb penalties as a cost of doing business. As privacy scholar Daniel Solove notes, privacy harms are rarely dramatic breaches; they are the slow accumulation of small intrusions that collectively define our digital identity.
Law can create obligations, but it cannot, on its own, undo a system that profits from surveillance.
Norms
Social norms often shape behaviour more powerfully than legislation. Smoking was once a symbol of sophistication; now it’s a social taboo. In contrast, our digital culture has normalised exposure.
We now share personal details, locations, and habits as part of everyday life. We call it engagement. The idea of “oversharing” has faded and replaced by a culture where we need validation.
This shift means that privacy is no longer the default social value. In the name of convenience, data tracking has been repackaged as service and that is far harder to regulate than any legal violation.
Markets
At the core of the problem is the market logic of data. As Shoshana Zuboff describes in The Age of Surveillance Capitalism (2019), personal data has become the raw material of modern capitalism. The true value lies not in what companies collect, but in what they can predict from it what Zuboff calls the “behavioural surplus.”
Consider Google. Every photo stored in Google Photos, every route traced in Maps, and even the metadata surrounding our emails such as, flight confirmations, purchase receipts, and calendar prompts feed into a vast ecosystem of behavioural insights. These insights are not mere records of our activity; they are predictive interpretations of intent. Google can infer when we travel, what interests we pursue, and even what we are likely to buy next.
When Google says that this data helps “improve user experience,” that is only partly true. The same information also trains algorithms, personalises ads, and sharpens prediction models that power its advertising engine. Each service such as Maps, Gmail, Photos, YouTube adds a layer to the company’s behavioural graph, turning routine user behaviour into commercial intelligence.
The business model rewards data extraction, not privacy preservation. Users are not forced to share; they are persuaded to share nudged by convenience and trust. The more we rely on these systems, the richer and more predictive the behavioural profiles become. Privacy, in this model, is not designed to protect autonomy; it is designed to sustain engagement. Convenience becomes the hook; dependence, the outcome.
Architecture
Lessig’s observation that “code is law” remains profoundly relevant. The architecture of technology, how systems are designed dictates what users can and cannot do.
Most digital systems are built with default settings that favour disclosure. “Dark patterns” subtly guide users to accept all permissions, click “Agree,” or surrender data just to proceed. Even when users disable permissions, residual data often remains through metadata, backup systems, or inferred patterns.
In short, the architecture of the internet is not privacy-neutral. It is engineered for continuous observation, which law and norms struggle to keep pace with this design.
The Cigarette Analogy
The journey of data collection mirrors that of the tobacco industry.
- It began without awareness of harm. Early cigarettes were marketed as harmless indulgences and as health enhancers, even doctors endorsed with brands like Camel and Lucky Strike and appeared in their advertisements in the 1940s. Similarly, the early internet promised connection and empowerment, with little understanding of the long-term consequences of mass data collection. When Gmail launched in 2004 with 1GB of free storage, few realised that “free” meant paying with personal information.
- It was glamorised as progress and empowerment. Tobacco advertising turned smoking into a symbol of liberation, Virginia Slims famously told women, “You’ve come a long way, baby.” Tech companies did the same with data, they framed constant connectivity, sharing, and “personalisation” as digital empowerment.
- Regulation followed only after the damage became undeniable. The tobacco industry faced regulation only after decades of mounting evidence linking smoking to cancer and heart disease. Similarly, meaningful data protection laws from the EU’s GDPR (2018) to India’s DPDPA (2023) emerged only after repeated privacy breaches, election manipulation scandals, and algorithmic harms became impossible to ignore. By then, surveillance-based business models were already entrenched.
- The industry adapted, rebranding addiction as choice. When smoking was restricted, tobacco companies pivoted to “light” cigarettes and vaping reframing harm as lifestyle choice. Tech companies have done something similar: after public backlash, they introduced “privacy dashboards,” “consent pop-ups,” and “data portability” measures that give users the feeling of control while the underlying business model of behavioural tracking remains untouched.
There is no such thing as a “safe cigarette.” Likewise, there is no such thing as “safe surveillance.” What we can aim for is harm reduction through stronger enforcement, ethical design, and public awareness.
Just as society had to treat smoking as a public health crisis, we now need to see privacy as a collective digital health challenge, not an individual preference.
Reframing Privacy
Privacy cannot survive as an individual battle against billion-dollar ecosystems. It requires a systemic shift:
- Law must move from punishment to preventive governance;
- Norms must evolve to make reckless data use socially unacceptable;
- Markets must start rewarding companies that protect, not exploit, personal data; and
- Technology must embed restraint and transparency by design.
This alignment is what Lessig called regulatory coherence when all four forces work in the same direction. Without it, privacy will remain symbolic: something we say we value but rarely practice.
Conclusion
Like smoking, privacy thrives on habit. The more we rely on digital systems, the harder it becomes to disconnect. But convenience should not come at the cost of autonomy.
We do not need to reject technology we need to redesign trust. That means laws that anticipate harm, technologies that minimise data by default, and societies that treat privacy as a shared value, not a private luxury.
Privacy is not dead. It is diseased and, like any public health crisis, recovery begins with recognising the symptoms.