Performative privacy in a surveillance economy
In 2020, I lost my entire online presence. All my social media accounts were hijacked through session cookies, and I was locked out. My accounts and associated pages were later used to run Vietnamese propaganda ads. I managed to block all my cards in time, but the damage was already done. This left me devastated, embarrassed, and powerless.
Over the past five years, I have become increasingly conscious of online privacy. I have undergone a comprehensive security overhaul of my home network and its devices. I'm doing all I can to protect myself from hackers and scammers, but at the same time, I'm voluntarily sharing a lot of my data with artificial intelligence models like ChatGPT and handing over live photos and NID scans for platform verification. I also rarely mute my Google Nest speaker. All these habits often make me wonder if my digital privacy practices are just performative.
For all latest news, follow The Daily Star's Google News channel. Performative privacy
After some research, I realised I'm not alone. The idea that people treat privacy more as a performance than as genuine protection is not new. A UK government-funded study conducted in 2022 found that while 77 percent of adults express concerns about online privacy, only 31 percent actively refuse marketing cookies when given the choice. This gap between people's intentions and actions is known as the privacy paradox. It shows us that online privacy is less about firm principles and more about negotiation, influenced by convenience and a growing sense of resignation.
This resignation has a name, too: privacy cynicism. It's the sinking belief that no matter what you do, your data is already out there. And when you feel powerless, you stop trying.
Cornell Professor Helen Nissenbaum offers an alternative perspective with her concept of contextual integrity. She explains that privacy doesn't mean keeping everything a secret, but rather making sure information only moves in ways that fit the situation. For example, sharing health details with a doctor makes sense, but sharing them with an advertiser does not.
These ideas help define performative privacy in the digital space. It is a set of actions we take that gives us the illusion of being in control of our data. However, it fails to change how authorities and big tech use surveillance systems to exploit said data. Our actions may demonstrate resistance, but the structures that influence data flows rarely change.
The illusion of control via compliance
Even the actions we take towards privacy are rarely what they seem. For example, one of the preconditions for compliance is the use of cookie banners. Many countries require websites to display a banner that prompts users to give their consent before collecting data.
However, there are numerous loopholes. In a critique of California Privacy Rights Act's (CPRA) regulations, an article in The University of Chicago Business Law Review pointed out that 80.9 percent of cookie-consent notices contain dark patterns, such as large "accept" buttons contrasted with hidden or obscured "reject" options.
In Bangladesh, most websites do not even bother with California Consumer Privacy Act (CCPA) or General Data Protection Regulation (GDPR)-style banners. At best, you get a one-liner: "By using this site, you accept cookies." A notable example of its consequences would be when, earlier this year, the Election Commission discovered that five organisations were leaking NID data. And as Dwight Schrute said, "Identity theft is not a joke, Jim. Millions of families suffer every year."
Surveillance capitalism in action
My experience made me feel like I was robbed. But what's worse is that we let ourselves be robbed by Big Tech every day. And most of the time, we don't even notice.
Your data is mostly used for targeted advertising, and the system that runs the show is called real-time bidding (RTB). Every time you load a page that shows ads, your personal data (location, browsing history, device information, etc) is auctioned off to the highest bidder in milliseconds.
In the US alone, Google's ad exchange leaks your data 300 billion times daily. In Europe, that number is close to 200 billion. RTB has been called the biggest data breach ever recorded. And the worst part is that it's ongoing.
This is surveillance capitalism in practice. Shoshana Zuboff, who coined this term, warned that no democracy can survive a model built on manipulating human behaviour for profit.
So how do they get away with it? Are there no laws protecting us from this?
In Europe, the General Data Protection Regulation (GDPR) is the gold standard for data protection. Each European country has its own regulator that enforces the GDPR. So far, these regulators have issued over 6 billion pound in penalties. However, Big Tech continues to evade scrutiny because the regulators are slow, causing cases to drag on for years, and fines become just another operating cost for them. Meanwhile, the auction keeps running. Thus, the GDPR has proved that strong privacy laws can be written, but enforcing them against Big Tech is an entirely different battle.
Here in Bangladesh, the situation is even worse. Privacy regulation often reads like a manual for control, not a charter for citizens' rights. The infamous Digital Security Act (DSA) jailed journalists and minors for Facebook posts. In 2023, it was replaced by the Cyber Security Act (CSA), a rebrand so thin that Amnesty called it a repackaged repression.
Afterwards, the interim government issued the Personal Data Protection Ordinance (PDPO), 2025. On paper, it looks promising: rights for individuals, obligations for companies. In reality, the draft gives sweeping exemptions to government agencies, and the regulator operates under one of the ministries. This basically means that the government gets to police itself.
Towards honest privacy
So, what does non-performative privacy look like? It's less about what actions we take and more about the outcomes we achieve. Using ad blockers, password managers, and VPNs will definitely help you in your digital privacy journey, but they won't erase the deeper issue. The systems that trade, profile, and surveil us are still running underneath. So, honest privacy starts with being clear-eyed about the trade-offs. Sometimes you'll hand over a passport or NID scan to avail a service. Sometimes you'll keep a smart speaker in your home for convenience. The point isn't to pretend these compromises don't happen; it's to make them consciously, rather than as part of a performance.
And the basics still matter: (i) use strong, unique passwords for each platform; (ii) enable two-factor authentication wherever it is available; (iii) reject the non-essential cookies; (iv) keep your devices updated; (v) separate work and personal accounts; and (vi) use a VPN on public Wi-Fi.
There's a lot more you can do at a personal level. But to truly serve your interests, you should demand laws that restrain both corporations and governments from breaching your privacy and exploiting your data.
Saad Mahmud is a Dhaka-based communication researcher and tech journalist who writes on digital privacy, cybersecurity, and platform governance.
Views expressed in this article are the author's own.
Follow The Daily Star Opinion on Facebook for the latest opinions, commentaries and analyses by experts and professionals. To contribute your article or letter to The Daily Star Opinion, see our guidelines for submission.
Comments