Technology cannot, and should not, stand apart from the ethics and norms of civil society. In particular, we continue to wrestle with the relationship between software and individuals’ privacy. Public awareness of online privacy seems to be rising inexorably: we need only look at Snowden, Cambridge Analytica, and the growing patchwork of privacy legislation (GDPR, CCPA and beyond). But how much is actually changing in the products and services we choose to use online?

Mosaic has already invested in technologies that decentralise systems to protect and empower the user (e.g. in crypto and privacy-preserving analytics), and we take great care to ensure that our portfolio companies that capture sensitive data (e.g. Nexar, Clue) do so in a privacy-preserving manner.

Now seems a good moment to ask ourselves: is there a meaningful consumer market in helping individuals protect their privacy? Popular tools like ad-blockers, VPNs, and privacy-first browsers showed the first wave of consumer demand for privacy-preserving applications. Today, Apple continues to derive consumer advantage (and undermine its ad-dependent competitors) by bundling privacy as a feature, at least to its Western customers. Meanwhile, the continued rise of cryptonetworks demonstrates a groundswell of demand to transact and interact outside the control of centralised authorities. 

As these trends converge, will there be a “killer app” that gives individuals sovereignty over their online identities at global scale? And what is the role of startups in a domain ever more contested by governments and Big Tech alike?

Do enough consumers care? 

Much of today’s privacy-focused technology has emerged from a relatively small group of engineers, descending from the cypherpunks’ mailing list of the early 90s. This tradition combined technological sophistication with political engagement into a point of view that is rarely shared by the average Jane and John Doe. Empirically, claims of privacy violations, pervasive surveillance, and behaviour modification have been vindicated, with widespread media outrage. Yet surprisingly little has actually changed in the patterns of usage of internet products. Mosaic Venture Partner Benedict Evans wryly presents this as akin to the classic “false consciousness” problem in Marxism. It’s an indictment on us all, but perhaps the general population really just doesn’t care that much about privacy, and/or are happy (or cynical) enough to exchange it for services they value. If the product seems free, the user’s attention is really the product – and perhaps for the majority of the population, that’s okay.

But there’s a difference between knowingly trading off privacy for a service of some sort, and passively resigning oneself to an unfair trade, or one you feel somewhat compelled to participate in due to network effects, because there is no alternative. Recent surveys corroborate the anecdotal picture here. For the many citizens of countries living under authoritarian regimes, these concerns have been urgent for much longer and are increasingly existential. Gen Z are much wiser to privacy than their predecessors, and already tend towards a culture of controlled access to sensitive personal information via multiple social media accounts for different audiences. (How technically “private” these are is a different question, of course). This swell of consumer interest in privacy is supported by increasingly aggressive regulation pioneered by the European Union, and more recently the state of California. Public metaphors and narratives are also evolving: from assets, to power. 

Adding more pressure to the business models of Facebook, Google and their supplicants is Apple’s recent repositioning as a privacy company. It suits Apple’s strategy to give privacy away for free in the bundle as part of monetising their (high gross margin) hardware. It remains to be seen whether this remains true as Apple scales its services businesses. For now, Tim Cook reminds us that “privacy is a fundamental human right”, and recent product announcements have supported this message across a range of vectors - most recently, Private Relay effectively renders IP addresses useless as a fingerprinting mechanism, on top of previous anti-cookie features. The extent to which this is a truly cypherpunk move is qualified by the fact that this feature is sadly not available in China and other countries. How radically these changes, extending the “cookie apocalypse”, ultimately disrupt the central business model of the internet remains to be seen: “what happens next? No one in advertising quite knows”. It seems undeniable, though, that some version of “privacy” is emerging into the Zeitgeist, and that to be (seen to be) on the right side of history is becoming a branding competitive advantage.

Positive privacy

How can startups harness this new energy? We believe that privacy-preserving products selling to consumers need to go beyond defence. Beyond VPNs, current blockchain technologies, while predicated on cryptography, offer superficial privacy (as criminals are increasingly finding out); we are seeing exciting innovation here to unlock use cases that genuinely protect user identity, while simultaneously guarding against criminal activity. 

We are excited by the rise of self-sovereign identity (SSI) as the potential end state. There is an elegance in allowing users to hold and control their own verifiable credentials, with identities attested by decentralised identifiers rather than by the fiat declaration of a centralised authority. We welcome Europe’s global leadership in working towards a transnational standard for self-sovereign identity – and are intrigued by the founders making early progress in productising such initiatives.

It will take considerable time before most consumers become actively woke to privacy, short of an unpredictable 9/11 type public trauma caused by privacy invasion – and it’s hard to fathom something an order of magnitude worse than the narrow electoral wins arguably catalysed by social media manipulation. That’s not to say that the affluent segment of those who do care won’t be a valuable one - hundreds of millions of users, as enjoyed by products like Adblock Plus, Signal, Brave or DuckDuckGo, suggests a market exists. In the 1990s, SSL enabled the commercial internet. In the 2020s, could SSI have similarly huge impact? Given the original sin of foundational internet protocols, that by design were naively open, fixing some of our problems might entail a return to the fundamental architecture of the internet. 

We’re starting to see the next wave of infrastructure projects that could enable a generational shift towards privacy by design. If you’re building one, we’d love to talk.

With thanks to Jacob Goodwin for co-authorship