Site logo
Users Are Not a Resource. They are a Relationship.
#data privacy #tech accountability #business strategy #user trust #customer loyalty

Users Are Not a Resource. They are a Relationship.

Hamzah·17 April 2026

Introduction

I will focus on technical businesses throughout this blog, but the principles of data protection and privacy apply more broadly - to healthcare, finance, retail, and any industry where trust is the foundation of a customer relationship.

Most tech companies begin with a genuine purpose. Facebook was built to strengthen social connections. WhatsApp was built to let people reach each other cheaply across borders. Windows and macOS were built as platforms for creativity, work, and play. Smartphones put a powerful computer in your pocket. The intentions were present and the products lived up to them.

What made those early years feel different was momentum. Technology was genuinely improving people's lives, and each year brought something new and unique.

Internet
Dial-up → ADSL → Cable → Fibre
Pages went from loading in minutes to seconds. Video calls, streaming, and remote work all became possible.

Storage
Floppy disk → CD/DVD → HDD → SSD → Cloud
From 1.44 MB to terabytes in your pocket. Near-instant access replaced minutes of loading.

Operating systems
Command line → Nice user interactive and accessible interfaces
Computers went from expert-only tools to something anyone - at any age - could pick up. Accessibility improved dramatically too, opening up technology to users who had previously been locked out entirely.

Navigation
Paper maps → GPS devices → smartphone maps → real-time traffic
Getting lost became rare. Live traffic, public transport routes, and walking directions all in one device.

Each of these shifts felt like progress. Users welcomed the changes, adopted the platforms, and over time built their lives around them. That loyalty created something enormously valuable: trust at scale. Billions of people, handing over pieces of themselves - their locations, their messages, their searches, their habits - because they believed the companies holding that data would treat it with care and respect.

That belief is the thread this article is about. And what happened when companies started pulling on it.

Businesses losing their intended direction

Fast-forward to 2026: we're in an era of AI and some of the biggest technological breakthroughs in history - and yet, according to Ofcom's April 2026 report, people feel more negative about being online than ever. A large part of that, I believe, is a slow erosion of trust. Companies that once earned user loyalty through genuine value have started treating that loyalty as a resource to extract rather than a relationship to maintain.

The examples are not hard to find.

🖥️ Microsoft Windows - Recall (2024–2026)

Microsoft introduced Recall for Windows 11 - a feature that screenshots everything you do every few seconds to build a searchable history of your activity. The initial version stored all data in a plaintext database, making it trivially easy to steal. After a sustained backlash from security researchers and privacy advocates, Microsoft pulled the feature entirely, rebuilt it, and made it opt-in only. Even after the redesign, new vulnerabilities kept surfacing.

💬 Discord - ID breach & age verification (2025–2026)

In 2025, hackers exposed government ID images for around 70,000 Discord users via a breach at 5CA, a third-party customer support firm Discord had outsourced to. Also exposed were names, email addresses, support conversation transcripts, IP addresses, and partial payment details. When Discord then announced mandatory age verification requiring face scans or ID uploads, users pointed directly at that breach as evidence the platform couldn't be trusted with sensitive data.

📱 WhatsApp → Signal exodus (2021)

After WhatsApp announced it would share user data with parent company Facebook, 42 million users switched to Signal in a matter of days - handing a direct competitor a massive, free recruitment campaign. WhatsApp later clarified that the change only affected business messaging features, not personal chats - but by then the damage was done and users became very cautious about future changes.

🧬 23andMe - blaming the victims (2024)

23andMe told breach victims it was their own fault - claiming users had "negligently recycled" passwords. In reality, 6.9 million people had their genetic data exposed through the platform's DNA Relatives feature, not because of password reuse. The response told users more about how their data was valued than the breach itself.

📷 Amazon Ring - from home security to state surveillance (2023–2026)

The FTC found Ring had given employees broad access to customers' private home footage, with hackers in some cases taking over cameras to harass families. Ring paid $5.6 million in settlement. But that was just the beginning. In October 2025, Ring announced a partnership with Flock Safety - an AI surveillance network used by ICE, federal agencies, and police - to connect doorbell footage into a broader law enforcement grid. After public backlash, Ring cancelled the deal in February 2026. Amazon itself has also faced protests over its ties to Palantir, whose AI systems are used to track individuals for deportation.

📘 Meta - a pattern of data misuse (2018–2025)

In 2018, the Cambridge Analytica scandal revealed that the personal data of up to 87 million Facebook users had been harvested without their knowledge through a third-party quiz app and handed to a political consulting firm. The data was used to build detailed voter profiles and target political advertising - including during the 2016 US election and the Brexit campaign. Facebook was fined $5 billion by the FTC. Zuckerberg testified before Congress. It was the biggest privacy scandal of its era.

In 2024, Meta announced it would use years of EU users' public posts to train its AI models, citing "legitimate interest" rather than asking for consent. Instead of a simple opt-in, 400 million users were directed to a complex objection form - one that required a login just to view. Content shared for social networking was quietly repurposed for something else entirely.

🔍 Google - saying one thing, doing another (2018–2024)

In 2018, an AP investigation found that Google was tracking users' locations even when they had explicitly turned location tracking off. Opening Google Maps, checking the weather, or searching for something unrelated would silently record your precise location and save it to your account. Google paid $392 million to settle with 40 states over the practice in 2022.

In April 2024, Google agreed to destroy billions of data records collected from users browsing in Incognito mode, after a lawsuit found it had been tracking people who believed they were browsing privately. Two separate privacy settings. Both doing the opposite of what users were told.

🎮 Nvidia - from gaming GPUs to AI arms dealer (2024–2026)

Most people know Nvidia as the company that makes graphics cards for gaming. That's still true - but it's no longer the main story. Nvidia's chips now power the majority of the world's AI infrastructure, and with that shift has come a set of business direction decisions.

In 2024, authors filed a class action lawsuit against Nvidia alleging that its NeMo AI model was trained on a "shadow library" of nearly 197,000 copyrighted books - sourced from piracy databases - without permission or payment. Internal emails later emerged suggesting Nvidia had actively sought out pirated sources to expand its training data. The lawsuit has since grown as more authors joined the class action.

Then there is the military angle. Nvidia partnered with Palantir in 2026 to build a joint AI infrastructure for defence customers. Palantir's systems are already embedded in the Pentagon's Project Maven - an AI targeting platform capable of generating 1,000 weapons targeting recommendations per hour. The company that made your gaming GPU is now a core part of the infrastructure that decides what gets targeted in a conflict zone.

Enshittification but why?

The term enshittification was coined by writer Cory Doctorow to describe the predictable lifecycle of online platforms: first they're good to users, then they abuse users to serve businesses, then they abuse businesses to claw back value for shareholders - until there's nothing left. The platforms we described above didn't become extractive overnight. There's a pattern, and several forces drive it.

Politics & deregulation

Like any powerful tool, technology attracts political interest. America's drawn-out battle to force a TikTok sale wasn't about protecting users - it was about who controls the algorithm. Facebook has run targeted political advertising that can reach specific demographics with specific messages at scale, with very little transparency.

More recently, the deregulatory mood in US politics has allowed big tech to operate with far fewer guardrails. When antitrust enforcement weakens and privacy regulators are defunded or ignored, companies face less consequence for crossing lines - and then the lines move.

Advertising & data mining

"If the product is free, you are the product." Google runs free email, free maps, free video hosting, and free search - services that cost billions to operate. The business model is straightforward: your behaviour, interests, and personal data are harvested and sold to advertisers who want to reach you. The more they know about you, the more precisely they can target you, and the more they can charge.

This model doesn't just incentivise collecting more data - it actively punishes restraint. A company that collects less data has a less valuable advertising product. That structural pressure sits behind a huge proportion of the privacy erosion we've seen.

AI training at your expense

The AI race has created a new and powerful incentive to harvest data without asking for permission. Building a competitive AI model requires enormous amounts of training data - and that data has to come from somewhere. The easiest place to get it is from users who have already handed over years of content, posts, documents, and behaviour without realising it might one day be used for this purpose.

This is what makes AI-driven enshittification particularly serious: it's largely irreversible. In the past, if a company stole a feature or copied a design, the law had a remedy - courts could order it removed, products recalled, infringing code deleted. You cannot do that with a trained model. You cannot extract specific data the way you delete a feature. A fine or a lawsuit might punish the company, but it doesn't undo anything.

Lock-in & switching costs

One reason companies feel comfortable pushing users around is that leaving is genuinely hard. Your photos are in Google Photos. Your messages are in iMessage. Your business contacts are on LinkedIn. Your work files are in Microsoft 365. These aren't accidents - they're designed to make the cost of switching feel like a chore.

Network effects compound this. WhatsApp has over 2 billion users. Leaving means losing contact with people who haven't left. The platform knows this. Lock-in is the structural reason companies can test users' tolerance repeatedly without losing them - and why each new privacy erosion tends to stick.

Investor pressure & growth at all costs

Behind most enshittification is a financial pressure - the demand for perpetual growth. A product that has found its audience and serves it well is, to an investor, a disappointment. Revenue must grow quarter on quarter. New monetisation must be found. Data that was collected for one purpose gets repurposed for another because it's an asset.

The sad reality is that many founders who start with a genuine vision slowly get swallowed by this cycle. Survival, growth targets, and investor expectations gradually displace the original mission. The product that was once built out of curiosity and care becomes a vehicle for extracting value - and the people running it often don't notice the moment it happened.

What good looks like

The cases above weren't inevitable. Most of them could have been avoided with a different set of principles. Whether you're building a product or just using one, these are the standards worth knowing - and worth demanding.

Collect only what you need

Every piece of data stored is a liability. The question to ask before collecting anything is: do we actually need this? A weather app needs a postcode - not a full address, not a phone number, not a last name. If the data has no clear use today, don't collect it. A smaller database means a smaller breach when something goes wrong - and something always eventually goes wrong.

Don't repurpose data without asking

Data collected for one purpose shouldn't quietly become fuel for something else. If users shared posts to connect with friends, those posts shouldn't later train an AI model without their knowledge. If an app stored location for navigation, that data shouldn't flow to an advertising profile. The moment data gets repurposed without consent, the implicit contract with the user is broken.

Make opt-out as easy as opt-in

If a company needs to bury its opt-out behind a login screen and a complex form, that's a signal they know users wouldn't choose it freely. Consent should be genuine - not manufactured through friction. A good test: if the opt-out process takes longer than thirty seconds, it's probably a dark pattern.

Vendors should be held to the same standard

The Discord breach wasn't caused by Discord's own systems - it was a third-party support vendor. But the users' trust was in Discord. The first question to ask is whether a vendor needs the data at all: a customer support firm does not need government IDs, payment details, or IP addresses to resolve a ticket. Don't share data with vendors that they don't genuinely need to do their job. For the data they do need, vendor relationships inherit the same trust and accountability.

Walled ecosystems are a red flag

Locking users in through data - making their files, messages, or history impossible to take elsewhere - isn't a product feature. It's a trap. Products that earn continued use because they're genuinely good don't need to manufacture switching costs. Data portability are signs of a product that respects its users.

Sensitive data should always be encrypted

Sensitive data should be encrypted at rest and in transit - at minimum. End-to-end encryption is the gold standard for anything truly private - it means the data is scrambled in a way that only the intended recipient can read it. The company ifself and their support team can't even read it. Encryption won't stop a breach, but it means a breach doesn't automatically become a disaster.

Data doesn't have to be the business model

Founders have a choice in who they take money from. Investors who see user data as the primary asset will push for it to be maximised - so seek investors who don't. Signal and Proton have shown that user trust is a competitive advantage in its own right, and that is a fundable story.

For users: free services are not free. Someone is paying, and usually it is you, with your data. When you pay for a service, you become a customer with leverage rather than a data point to be sold. And when enough people become data points, the consequences go beyond adverts - they can reach into elections, with candidates winning races that once seemed unthinkable, on the back of targeting powered by your data.

Regulation exists - use it and push for more

Laws like GDPR in the EU and the UK GDPR give users real rights: the right to access what a company holds on you, the right to have it deleted, and the right to object to how it's used. The EU's AI Act - the first major law regulating AI systems - adds further protections around automated decision-making and high-risk AI uses. These aren't perfect laws, and enforcement has been patchy - Meta's GDPR fines have run into billions of euros and the behaviour has continued. But regulation is one of the few structural levers that exists outside of individual choice.

For companies: compliance is a floor, not a ceiling. The fact that something is technically permitted under GDPR doesn't mean it's right. For users: if a company has misused your data, you have the right to file a complaint with your national data protection authority. A lot of people never do - which is part of why enforcement remains weak.

Final thought

Users are not a resource to be extracted. They are the reason these products exist at all - and without their continued trust, many of of them wouldn't survive.

Some of the companies that have broken that trust drifted there slowly - genuine visions consumed by growth pressure and investor demands. Others were extractive by design from the start, building the appearance of a free service while the real product was always the data. The difference is whether there was ever a moment worth trying to return to.

That doesn't have to be the default. The principles in this blog aren't idealistic, they are practical. Collect less. Encrypt more. Be honest about what you're building and who it's for. Choose investors who understand that a trusted product is a durable product. And if you're a user: pay attention to what you're handing over, and to whom.

Technology has always been a reflection of the intentions behind it. The question - now more than ever - is whose intentions are shaping it.

Writing

More posts

All posts
Age Verification: Evidence, Risks and Alternatives
#privacy #anonymity #age-verification #legislation #online-safety #surveillance

Age Verification: Evidence, Risks and Alternatives

Governments around the world are rushing to pass age verification laws in the name of child safety. Here is why anonymity online matters more than ever, and why these laws deserve far more scrutiny by experts who actually understand the subject and implications.

27 April 2026

How the UK Really Uses the Internet in 2026
#media #ai #privacy #digital #society

How the UK Really Uses the Internet in 2026

Ofcom's 2026 Adults' Media Use and Attitudes report is out. Privacy awareness is declining, security habits are creating measurable harm, and people are feeling worse about being online. Here's what the data actually says.

6 April 2026

Self-Hosting Launchfolio: Setup Guide
#launchfolio #self-hosting #docker #portfolio

Self-Hosting Launchfolio: Setup Guide

Launchfolio is a self-hostable portfolio, blog, and CV app distributed as a Docker image. Here's everything you need to get your own instance running.

27 March 2026