Salon with Robin Chase

Robin Chase, co-founder and original CEO of Zipcar and author of Peers Inc: How People and Platforms are Inventing the Collaborative Economy and Reinventing Capitalism, will speak at the Ostrom Workshop s Beyond the Web Salon Series at Indiana University at 2:00 PM Eastern this coming Monday, February 7, 2022. The event link is here, where you’ll also find the Zoom link.

The full theme of the salon series is Beyond the Web: Making a platform-free online marketplace for goods, ideas and everything else, about which you can read more here.

Robin’s work with transportation and peer production has been VRooMy from the start, and especially consistent with our work with the Ostrom Workshop on the Intention Byway in Bloomington, Indiana.

Upcoming speakers in the Salon Series (mark your calendars) are Ethan Zuckerman and Shoshana Zuboff. Both are BKC veterans and, like Robin, devoted to moving beyond status quos that vex us all. Ethan will be with us on March 7 and Shoshana on April 11. Days and times for both are Mondays at 2:00 PM Eastern. Details at those links.<

These events are all participatory, informative, challenging and fun. Please join us.

Shall we commit advercide?

On our mailing list, there is a suggestion that we need a browser that kills all the advertising it sees on the Web. Not just the rude kind, or the tracking-based kind. The idea is to waste it all. The business model is, “$10 a month for a browser which guarantees no adverts, ever. If you see an advert, you file a bug report.”

I dismissed the idea a few years ago, when it first came up, for what seemed good and obvious reasons: that lots of advertising is informative and useful, that good and honest (e.g. non-tracking-based) advertising supports most of the world’s journalism, and so on.

But now most advertising on the Web is tracking-based (“programmatic” mostly means tracking-based), and most of the businesses involved seem hellbent on keeping it that way.

As for regulations, the GDPR and CCPA mean well, but they’ve done little to stop tracking, and much to make it worse.  Search for gdpr+compliance on Google and right now and see how many results you get. (I get way over a billion.) Nearly all of the finds you’ll see are pitches for ways sites and services can obey the letter of the GDPR while screwing its spirit. In other words, the GDPR and the CCPA have created a giant market for working around them.

Clearly the final market for goods and services on the Net—that’s you and me, ordinary human beings—don’t like being tracked like marked animals, and all the lost privacy that tracking involves. And hell, ad blocking alone was the biggest boycott in world history, way back in 2015. That says plenty.

So why not give our market a way to speak? Why not incentivize publishers to start making money in ways that respect everyone’s privacy?

Also, we’re not alone. Dig CheckMyAds.org and their efforts, such as this one.

Comments work on this blog again, so feel free to weigh in.

 

Making Me2B happen

The IEEE P7012 working group has been baking a Standard for Machine Readable Personal Privacy Terms for the last two years. What’s original here is that these are terms that you proffer. Not ones that sites and services present on a take-it-or-leave-it basis. P7012 is one of several overlapping efforts that work on empowering you and me—customers, users, consumers, individual human beings—and not just entities selling us stuff, or requiring that everything we do with them is confined to an account they control.

Born in 2006, ProjectVRM is the oldest of these efforts. Customer Commons, spun out of ProjectVRM in 2013, is another. The most recent is the Me2B alliance, founded and run by Lisa LeVasseur, who now also chairs P7012.

Progress forward on all of these efforts is steady, incremental, and not nearly fast enough. But here is something that I hope will speed things up: supporting the Me2B label. The need for this was made clear by Lisa on our last P7012 call, when she explained that Me2B is its own thing. A category. A term of art. Meaning it’s not about the Me2B Alliance, just like VRM is not about ProjectVRM.

By now it should be clear that Me2B a better name for our category than VRM. As I said in VRM is Me2B, Me2B is blessed by containing an actual word: Me—a first-person singular pronoun we all use—and far better than the unclear V in the TLA that is VRM. It also doesn’t help that “vendor” is used more often in business to refer to B2B suppliers, rather than to B2C retailers or service providers.

We also have experience with tissue rejection of the VRM label within our own community. Throughout the history of ProjectVRM, not one developer has called what they do VRM. Worse, some have avoided using the VRM label because they were afraid competing developers would also use it.  In other words, VRM developers, across the board, would rather differentiate with exclusive offerings than establish VRM as a category. So our own internal market has spoken on that.

Meanwnhile, one of those companies did us a big favor by calling what they did “Me2B.” So did the analyst house CtrlShift, with The Me2B Opportunity. Then Lisa came up with Me2B independently. I think in all three cases we heard the market speaking.

So I encourage all of us to start talking about Me2B, rather than VRM.

To be clear, “VRM” won’t go away. It’s in Wikipedia as well as in the name of our project here. And it’s a good way to label the customer hand that a CRM system will need to shake. But it has proven inadequate as the name for the business category we wish to see cohere in the world, while Me2B shows promise to succeed at the same. We should support it.

Thoughts welcome.

Homeless on the Web

Do you have a home on the Web?

I mean a page or a site that is yours. Not one that belongs to some .com, .org or .edu. One that’s truly yours, with a name you gave to it, nobody else has, and you fully inhabit.

Some of us do. I’m one of those, but with nothing to brag about. Go to searls.com and you’ll find a placeholder I’ve been updating every couple of years since the mid-’90s.  Behind that façade is a garage full of files I keep stored online but blocked from search engines. That’s so I can find them from anywhere, or so I can point other people to them every once in a while.

Like the rest of us, most of what I’ve done on the Web are on the sites that belong others. The goods in those sites are mine in the sense that I’ve created them. But where they are is not mine. Not in the least.

Nearly all the pages called “home” are those of what in the trade we call enterprises. Mine here is in an enterprise called Harvard University. I thank it for that grace.

Still, in a literal sense, most of us are homeless here. In a literal way maybe all of us are, because we don’t own our domain names. We rent them. Searls.com will exist only so long as I, or my heirs, continue paying to keep it active.

This isn’t a bad thing. Hell, the benefits of the Web are enormous in the extreme. I’m not knocking those.

I am, however, saying we are homeless. Here.

Yet there is nothing about the Internet that says you can’t have a home there—which is a deeper here, underneath the Web.

This is important because we need to clearly and finally make a sharp distinction between the Web and the Internet. Because they are not the same. The Internet is what the Web sits on. And, big and broad as it is, the Web is not the only thing that can sit on the Internet. This was true for Web as it was in the first place,  for what we called Web 2 in the early ’00s, and for what we call Web 3 today.

The Internet is different.  And there are few limits to what the Internet can support, much as there are few limits to what can be built on land or float on ocean.

But there are limits to what we can build on the Web. One of those is a home for ourselves. A real home. One that does not require renting a domain name. One that lets us zero-base what we can do upon the infinite grace granted us by simply connecting to a worldwide network of networks that exists only to move packets of data from any end to any other end.

So let’s start thinking about that.

Some of us (present company included) are on the case already. We need more.

While we ponder that, here’s a thought: Maybe one reason VRM has been slow to happen is that we’ve been trying to do it on the Web.

---

The photo above is on Love Ranch Road, in the center of Wyoming. The story of the ranch, and the home now abandoned there, is central to John McPhee’s Rising from the Plains. I was there to shoot the solar eclipse of August 2017, which was at its totality there. The darkness on the horizon is the shadow of the moon, approaching from the west.

Beyond the Web

The Cluetrain Manifesto said this…

…in 1999.

And now, in 2021, it’s still not true—at least not on the Web.

If it was true, California’s CCPA wouldn’t call us mere “consumers” and Europe’s GDPR  wouldn’t call us mere “data subjects,” whose privacy is entirely at the grace of corporate “data processors” and “data controllers.” (While the GDPR does say a “natural person” can be either of those, the prevailing assumption says no. Worse, it assumes that what privacies we enjoy on the Web should be valved by choices we make when confronted with “consent” notices that pop up when we first visit a website, and which are recorded somewhere we don’t know and can’t audit or dispute.)

Simply put, we are not free, and our reach does not exceed their grasp. Again, on the Web.

But (this is key), the Web is not the Internet. It’s a haystack of stuff on the Net. It’s a big one, and hugely good in many ways. And maybe we can be really free there eventually. But why not work outside of it? That’s the question.

And that’s what some of us are answering. You might call what we’re doing a blue ocean strategy:

For example, Joyce and I are now in Bloomington, Indiana, embedded as visiting scholars at Indiana University’s Ostrom Workshop, where we are rolling out a new project called the Byway, for Customer Commons, ProjectVRM’s nonprofit spin-off. We will also be working with local communities of interest here in Bloomington. Stay tuned for more on that.

To find out more about what we’re up to—or just to discuss whatever seems relevant—please come to our first Beyond the Web salon, by Zoom, on Monday at 3pm Eastern time. The full link: https://events.iu.edu/ostromworkshop/event/264653-ostrom-salon-series-beyond-the-web

ProjectVRM at 15

This project started in September 2006, when I became a fellow at what is now the Berkman Klein Center. Our ambitions were not small.:

1. To encourage development of tools by which individuals can take control of their relationships with organizations — especially in commercial marketplaces.
2. To encourage and conduct research on VRM-related theories, usage of VRM tools, and effects as adoption of VRM tools takes place.

The photo above is of our first workshop, at Harvard Law School, in 2008. Here is another photo with a collection of topics discussed in breakout sessions:

Zoom in on any of the topics there (more are visible on the next photo in the album), and you will find many of them still on the table, thirteen years later. Had some prophet told us then that this would still be the case, we might have been discouraged. But progress has been made on all those fronts, and the main learning in the meantime is that every highly ambitious grassroots movement takes time to bear fruit.

One example is what we discussed in the “my red dot” breakout at the May 2007 Internet Identity Workshop (the 3rd of what next week will be our 33rd ) is now finally being done with the Byway, which is about to get prototyped by our nonprofit spin-off, Customer Commons, with help from the Ostrom Workshop at Indiana University Bloomington, where Joyce and I are currently embedded as visiting scholars.

Our mailing list numbers 567 members, and is active, though it won’t hog your email flow. Check out the action at that link. And, if you like, join in.

You can also join in at our next gathering, VRM Day 2021b, which happens this coming Monday, 11 October.  We’ll visit our learnings thus far, and present progress and plans on many fronts, including

And we thank the BKC for its patience and faith in our project and its work.

How the Web sucks

This spectrum of emojis is a map of the Web’s main occupants (the middle three) and outliers (the two on the flanks). It provides a way of examining who is involved, where regulation fits, and where money gets invested and made. Yes, it’s overly broad, but I think it’s helpful in understanding where things went wrong and why. So let’s start.

Wizards are tech experts who likely run their own servers and keep private by isolating themselves and communicating with crypto. They enjoy the highest degrees of privacy possible on and around the Web, and their approach to evangelizing their methods is to say “do as I do” (which most of us, being Muggles, don’t). Relatively speaking, not much money gets made by or invested in Wizards, but much money gets made because of Wizards’ inventions. Those inventions include the Internet, the Web, free and open source software, and much more. Without Wizards, little of what we enjoy in the digital world today would be possible. However, it’s hard to migrate their methods into the muggle population.

‍Muggles are the non-Wizards who surf the Web and live much of their digital lives there, using Web-based services on mobile apps and browsers on computers. Most of the money flowing into the webbed economy comes from Muggles. Still, there is little investment in providing Muggles with tools for operating or engaging independently and at scale across the websites and services of the world. Browsers and email clients are about it, and the most popular of those (Chrome, Safari, Edge) are by the grace of corporate giants. Almost everything Muggles do on the Web and mobile devices is on apps and tools that are what the trade calls silos or walled gardens: private spaces run by the websites and services of the world.

Sites. This category also includes clouds and the machinery of e-commerce. These are at the heart of the Web: a client-server (aka calf-cow) top-down, master-slave environment where servers rule and clients obey. It is in this category that most of the money on the Web (and e-commerce in general) gets made, and into which most investment money flows. It is also here that nearly all development n the connected world today happens.

 Ad-tech, aka adtech, is the home of surveillance capitalism, which relies on advertisers and their agents knowing all that can be known about every Muggle. This business also relies on absent Muggle agency, and uses that absence as an excuse for abusing the privilege of committing privacy violations that would be rude or criminal in the natural world. Also involved in this systematic compromise are adtech’s dependents in the websites and Web services of the world, which are typically employed by adtech to inject tracking beacons in Muggles’ browsers and apps. It is to the overlap between adtech and sites that all privacy regulation is addressed. This is why, the GDPR sees Muggles as mere “data subjects,” and assigns responsibility for Muggle’s privacy to websites and services the regulation calls “data controllers” and “data processors.” The regulation barely imagines that Muggles could perform either of those roles, even though personal computing was invented so every person can do both. (By the way, the adtech business and many of its dependents in publishing like to say the Web is free because advertising pays for it. But the Web is as free by nature as are air and sunlight. And most of the money Google makes, for example, comes from plain old search advertising, which can get along fine without tracking. There is also nothing about advertising itself that requires tracking.)

 Crime happens on the Web, but its center of gravity is outside, on the dark web. This is home to botnets, illegal porn, terrorist activity, ransom attacks, cyber espionage, and so on. There is a lot of overlap between crime and adtech, however, given the moral compromises required for adtech to function, plus the countless ways that bots, malware and other types of fraud are endemic to the adtech business. (Of course, to be an expert criminal on the dark web requires a high degree of wizardry. So I one could arrange these categories in a circle, with an overlap between wizards and criminals.)

I offer this set of distinctions for several reasons. One is to invite conversation about how we have failed the Web and the Web has failed us—the Muggles of the world—even though we enjoy apparently infinite goodness from the Web and handy services there. Another is to explain why ProjectVRM has been more aspirational than productive in the fifteen years it has been working toward empowering people on the commercial Net. (Though there has been ample productivity.) But mostly it is to explain why I believe we will be far more productive if we start working outside the Web itself. This is why our spinoff, Customer Commons, is pushing forward with the Byway toward i-commerce. Check it out.

Finally, I owe the idea for this visualization to Iain Henderson, who has been with ProjectVRM since before it started. (His other current involvements are with JLINC and Customer Commons.) Hope it proves useful.

QR codes are becoming fishhooks

We’ve been very bullish on QR codes here, because they’re an excellent way for customers and vendors to shake hands, to start doing business, and to form constructive relationships.

Alas, they have become bait for tracking by marketers. In QR Codes Are Here to Stay. So Is the Tracking They Allow, Erin Woo (@erinkwoo) of the NY Times explains how:

Restaurants have adopted them en masse, retailers including CVS and Foot Locker have added them to checkout registers, and marketers have splashed them all over retail packaging, direct mail, billboards and TV advertisements.

But the spread of the codes has also let businesses integrate more tools for tracking, targeting and analytics, raising red flags for privacy experts. That’s because QR codes can store digital information such as when, where and how often a scan occurs. They can also open an app or a website that then tracks people’s personal information or requires them to input it.

As a result, QR codes have allowed some restaurants to build a database of their customers’ order histories and contact information. At retail chains, people may soon be confronted by personalized offers and incentives marketed within QR code payment systems.

“People don’t understand that when you use a QR code, it inserts the entire apparatus of online tracking between you and your meal,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. “Suddenly your offline activity of sitting down for a meal has become part of the online advertising empire.”

So that’s one more thing to fix in our apps and browsers. But how?

Obviously, we can try to avoid QR codes; but there are a growing number of places where that’s not possible.

Providing ways to opt out is a giant non-starter, as we’ve learned at great pain on the Web. (Do you have any record at all of the separate privacy settings you’ve made at all the sites and services where those choices have been provided? Of course not.)

We need at least two things here, and fast.

One is some way, in our phones or browsers, to prevent QR code scanning on phones from turning into tracking. Are you listening, Apple and Google? Plus everybody else in the QR code business?

The other is regulation. And I hate to say that, because too many regulations protect yesterday from last Thursday, and distort markets in ways seen and unseen for decades to come. But this is a case where we really need it.

[Two days later…]

There has been much follow-up to this piece. If you’re interested in that, start with this clip rom Wednesday;s FLOSS Weekly podcast, where Jonathan Bennett (@JP_Bennett) provides some excellent answers to questions raised here and elsewhere.

On Twitter, @QRcodeART has some good follow-up under an @TWiT tweet pointing to that clip. In that thread I stand accused of “pure babbling,” to which I plead guilty (providing, as I do, an example of how, as Garrison Keillor once put it, “English is the preacher’s language because it allows you to talk until you think of what to say”).

The main point in the thread is that QR codes are essentially “innocent.” Also, “#Bluetooth is much worse! Creative names, unique IDs (!) and such and usually open and “seeable” for everybody. Similar to your #Wifi searching always for a #WLan in the perimeter. Unique funny names and identifiable MAC addresses. Think about that !”

Good advice. Clearly, there are concerns for all the tech we use, especially the networked kind. If we fail to take precautions such as those Jonathan recommends, we’re likely being tracked in ways we wouldn’t welcome if we knew about it. Returning to the metaphor, everything you carry, scan or click on can be a fishhook. And, to the hookers, you’re just a fish.

 

 

Solving Subscriptions

---

Count the number of companies you pay regularly for anything. Add up what you pay for all of them. Then think about the time you spend trying and failing to “manage” any of it—especially when most or all of the management tools are separately held by every outfit’s subscription system, all for their convenience rather than yours. And then think about how in most cases you also need to swim upstream against a tide of promotional BS and manipulation.

There is an industry on the corporate side of this, and won’t fix itself. That would be like asking AOL, Compuserve and Prodigy to fix the online service business in 1994.

There’s also not much help coming from the subscription management services we have on our side: Truebill, Bobby, Money Dashboard, Mint, Subscript Me, BillTracker Pro, Trim, Subby, Card Due, Sift, SubMan, and Subscript Me.

Nor from the subscription management systems offered by  Paypal, Amazon, Apple or Google (e.g. with  Google Sheets and Google Doc templates).

All of those are too narrow, too closed, too exclusive, too easily purposed for surveillance on subscribers, and too vested in the status quo. Which royally sucks. For evidence, see here, or just look up subscription hell.

So it’s long past time to unscrew it. But how?

The better question is where?

The answer is on our side: the customer’s side.

See, subscriptions are in a class of problems that can only be solved from the customers’ side. They can’t be solved from the companies’ side because they’ll all do it differently, and always in their interests before ours.

Also, most of them will want to hold you captive, just like Compuserve, AOL and Prodigy did with online services before the Internet solved that problem by obsolescing them.

A refresher: the Internet is ours. Meaning everybody’s. It doesn’t just belong to companies.

We need a similar move here. Fortunately, by subscriptions as easy as possible to make, change and cancel—in standardized ways—companies living on subscriptions will do a better job of making their goods competitive.

Now to how.

The short answer is with open standards, code and protocols. The longer answer is to start with a punch list of requirements, based on what we, as customers, need most. So, we should—

• Be able to see all our subscriptions, what they cost, and when they start and end
• Be able to cancel or renew, manually or automatically, in the simplest possible ways
• Get the best possible prices
• Be able to keep records of subscriptions and histories
• Show our actual (rather than coerced) loyalty
• Be able to provide constructive help, as loyal and experienced customers
• Join in collectives—commons—of other customers to start normalizing the way subscriptions should be offered on the corporate side and managed on the personal side

Some tech already exists for at least some of this, but we’ll leave that topic for another post. Meanwhile, give us suggestions in the comments below. Thanks!

Bonus link: From coffee to cars: how Britain became a nation of subscribers, by Tim Lewis in The Guardian. (Via John Naughton’s excellent newsletter.)

---

The modified image above is a Doctor Who TARDIS console, photographed by Chris Sampson, offered under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0) license, published here, and obtained via Wikimedia Commons, here. We thank Chris for making it available.

Also, the original version of this post is at Customer Commons, here.

A New Way

Cross-posted from Customer Commons

Some questions:

1. Why do you always have to accept websites’ terms? And why do you have no record of your own of what you accepted, or when‚ or anything?
2. Why do you have no way to proffer your own terms, to which websites can agree?
3. Why did Do Not Track, which was never more than a polite request not to be tracked off a website, get no respect from 99.x% of the world’s websites? And how the hell did Do Not Track turn into the Tracking Preference Expression at the W2C, where the standard never did get fully baked?
4. Why, after Do Not Track failed, did hundreds of millions—or perhaps billions—of people start blocking ads, tracking or both, on the Web, amounting to the biggest boycott in world history? And then why did the advertising world, including nearly all advertisers, their agents, and their dependents in publishing, treat this as a problem rather than a clear and gigantic message from the marketplace?
5. Why are the choices presented to you by websites called your choices, when all those choices are provided by them? And why don’t you give them choices?
6. Why does the GDPR call people mere “data subjects,” and assign the roles “data controller” and “data processor” only to other parties?* And why are nearly all the 200+million results in a search for GDPR+compliance about how companies can obey the letter of the law while violating its spirit (by continuing to track people)?
7. Why does the CCPA give you the right to ask to have back personal data others have gathered about you on the Web, rather than forbid its collection in the first place? (Imagine a law that assumes that all farmers’ horses are gone from their barns, but gives those farmers a right to demand horses back from those who took them. It’s kinda like that.)
8. Why, 22 years after The Cluetrain Manifesto said, we are not seats or eyeballs or end users or consumers. we are human beings and our reach exceeds your grasp. deal with it. —is that statement still not true?
9. Why, 9 years after Harvard Business Review Press published The Intention Economy: When Customers Take Charge, has that not happened? (Really, what are you in charge of in the marketplace that isn’t inside companies’ silos and platforms?)

The easiest answer to all of those is the cookie.  Partly because without it none of those questions would be asked, and partly because it’s at the center of attention for everyone who cares today about the issues involved in those quesions.

The idea behind the cookie (way back in 1994, when Lou Montulli thought it up) was for a site to remember its visitors by planting reminder files—cookies—in visitors’ browsers. That would make it easy for site visitors to pick up where they left off when they arrived back. It was an innocent idea at the time; but it reified a construct: one that has permanently subordinated visitors to websites.

And it has thus far proven impossible to change that construct. It is, alas, the way the Web works.

Hey, maybe we can still change it. But why bother when there should be any number of other ways for demand and supply to signal each other in a networked marketplace? Better ways: ones that don’t depend on sites, search engines, social media and other parties inferring, mostly through surveillance, what might be “relevant” or “interest-based” for the individual? Ones that give individuals full agency and signaling power?

So we’d like to introduce one. It’s called the Intention Byway. It’s the brain-baby of our CTO, Hadrian Zbarcea, and it is informed by his ample experience with the Apache Software Foundation, SWIFT, the FAA and other enterprises large and small.

In this model, the byway is the path along which messages signaling intent travel between individuals and companies (or anyone), each of which has a simple computer called an intentron, which sends and receives those messages, and also executes code for the owner’s purposes as a participant in the open marketplace the Internet was designed to support.

As computers (which can be physical or virtual), intentrons run apps that can come from any source in the free and open marketplace, and not just from app stores of controlling giants such as Apple and Google. These apps can run algorithms that belong to you, and can make useful sense of your own data. (For example, data about finances, health, fitness, property, purchase history, subscriptions, contacts, calendar entries—all those things that are currently silo’d or ignored by silo builders that want to trap you inside their proprietary systems.) The same apps also don’t need to be large. Early prototypes have less than 100 lines of code.

Messages called intentcasts can be sent from intentrons to markets on the pub-sub model, through the byway, which is asynchronous, similar to email in the online world and package or mail forwarding in the offline world. Subscribers on the sell side will be listening for signals from markets for anything. Name a topic, and there’s something to subscribe to. Intentcasts on the customers’ side are addressed to markets by topical name. Responsibilities along the way are handled by messaging and addressing authorities. Addresses themselves are URNs, or Uniform Resource Names.

These are some businesses that can thrive along the Intention Byway:

• Intentron makers
• Intentron sellers
• App makers
• App sellers (or stores)
• Addressing authorities
• Messaging authorities
• Message routers (operating like CDNs, or content distribution networks)

—in addition to sellers looking for better signals from the demand side of the market than surveillance-based guesswork can begin to equal.

We are not looking to boil an ocean here (though we do see our strategy as a blue one). The markets first energized by the promise of this model are local and vertical. Real estate in Boston and farm-to-table in Michigan are the two we featured on VRM/CuCo Day and in all three days of the Internet Identity Workshop, which all took place last week. Over the coming days and weeks, we will post details on how the Intention Byway works, starting with those two markets.

We also see the Intention Byway as complementary to, rather than competitive with, developments with similar ambitions, such as SSI, DIDcomm, picos, and JLINC. Once we take off our browser blinders, a gigantic space for new e-commerce development appears. All of those, and many more, will have work to do in it.

So stay tuned for more about life after cookies—and outside the same old bakery.

---

*Specifically, a “data controller” is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”

While this seems to say that any one of us can be a data controller, that was not what the authors of the GDPR had in mind. They only wanted to maximize the width of the category to include solo operators, rather than to include the individual from whom personal data is collected. (Read what follows from that last link to see what I mean.) Still, this is a loophole through which personal agency can move, because (says the GDPR) the “data subject” whose rights the GDPR protects, is a “natural person.”