It was a rough year to be a customer of Marriott, Facebook, Reddit, Google+, Quora, British Airways, Cathay Pacific, Orbitz, Ticketfly, Under Armour, OnePlus or any of the other numerous companies which were revealed this year to have cumulatively lost hundreds of millions of users' personal details.
Compounding the data breaches of years past -- Twitch, Yahoo, Twitter, LinkedIn, Equifax, Uber, Target -- it's clear that if you're a human who uses the internet regularly, you're affected.
The FBI says it's safe to assume that every American's information has been leaked somewhere. On the dark web, social-security numbers of a specific person reportedly sell for $3, credit-card numbers for as little as $7 and bank accounts for a few thousand dollars depending on the balance.
This situation makes losers of us all. Yet like climate-change debates or toxic politics, we seem to have reached saturation point, where each revelation loses its power to shock, and we feel disempowered to meaningfully change the situation at all. Every year, we give up more intimate data and eventually lose it to businesses that mine data for profit.
There is no magic bullet, but there may be a few rays of hope: the most comprehensive data privacy legislation yet in the EU's General Data Protection Regulation (or GDPR), a groundswell of movements for greater tech policy and ethics.
One repeated but perhaps unfamiliar avenue will hopefully come into focus in 2019: the right to data portability.
Never mentioned in pre-GDPR data-privacy laws, portability allows for you to move the data you've given to online companies to another service, ideally without needing to download and re-upload it yourself.
"Privacy-invasive practices have fueled the massive growth of companies like Facebook and Google: They've gotten big by scooping up as much user data as possible."
It's a simple idea that quickly lowers the barriers to entry for any company that wants to compete with user-rich businesses like Facebook or Twitter. Instead of having to convince users to start from scratch rebuilding their networks, they could simply import every post and contact. The history you've built up with one dominant company won't keep you tethered to them forever. An often-cited comparison is the fact that you can switch your cell-phone number from one carrier to another without penalty.
"The problem [so far] isn't just bad privacy practices or just bad competition practices, it's how each fuels the other," said Gennie Gebhart, associate director of research at the Electronic Frontier Foundation. The powerful network effects and subsequent lack of competition for many data-mining companies have incentivized them to skirt user privacy already. "Privacy-invasive practices have fueled the massive growth of companies like Facebook and Google: They've gotten big by scooping up as much user data as possible."
Data portability enshrines the idea that your data belongs to you, to give to companies and take away from them if you please. It means businesses can fear being stripped of the resource they've been extracting (and subsequently losing to hackers) for years.
Today, you can download your data in hefty zip files from services like Google. Yet we're a long way from true interoperability, which would transfer user data straight to a competitor seamlessly. An eventual possibility is the universal digital profile that would unite every account we have online under a standardized format. The Data Transfer Project is an early step towards a common interface that will let customers move their information between Google, Microsoft, Facebook and Twitter. While it's still in development and limited to only a few large services, it's a hint at where portability could be headed.
Yet there are open questions with how this system will be adapted. The right to transmit data from one service directly to another is only granted "where technically feasible" in the GDPR, and it remains to be seen how companies and enforcement agencies might interpret that. A truly interoperable system of data transfer is a hope among advocates, not a right -- as is the hope that companies will apply GDPR standards globally, not just in the EU where they're obligated.
Moreover, as companies increasingly allow data to escape their walled gardens, it may increase the risk of breaches or misuse. Developing a fluid, interoperable system is as much about finding secure ways to move data from one service to another as it is about getting APIs to match up.
A world of true data portability would not stop foreign spies or committed hackers per se. Neither would it necessarily prevent data barons from handing our information to the next Cambridge Analytica. But it would give consumers a little more leverage and a little more freedom of movement. It would mean that the next time companies misuse their customers' data, users aren't just helplessly frustrated but can walk away and not look back.