Second-order effects¶
Each threat model follows a particular watcher and the harm it does. The effects gathered here answer to no single one of them, and they outlast any one breach: what a whole data economy does to the people growing up inside it, slowly, and without a moment anyone could point to. Everyone is tracked, always, some of it chosen and most of it not, and these are the things that settle into the soil once that becomes the norm.
Some of what follows is growing; some of it is being worn away. Both directions are the same weather.
↑ Bias and discrimination¶
AI was meant to be the rational gardener: pruning with precision, impartial and tireless. Instead the result is topiary nightmares that reflect their makers’ worst habits.
Bias is often built in. The systems are opaque, the data is messy, and the consequences are real. Tay, Microsoft’s chatbot, famously turned racist in less than 24 hours of exposure to the internet, thriving like a greenhouse fungus on what it was fed. Tay was a curiosity, though. The serious version does lasting damage: from 2013 the Dutch tax authority ran a risk-classification model over childcare-benefit claims that scored dual nationality and a non-Dutch-sounding name as markers of fraud, and some 26,000 families were wrongly accused, many driven into debt, bankruptcy, or the removal of their children, with the government resigning over it in 2021 and the data-protection authority later fining the tax service for processing nationality data unlawfully. HR algorithms downgrade CVs from women, minorities or older applicants because their profiles do not fit the mould, as if hiring were a matter of preferred soil pH. Loan models exclude students from poor areas because their postcodes are “risky”: no loan, no education, no way out, a vicious composting cycle. And some DNA test companies hand anonymised health data to insurers, where the averages may stay the same but the premiums certainly do not, especially for subgroups already under strain.
Models reward the lucky, punish the rest, and rarely apologise. Worse, the solution often presented is to “add a human in the loop”. But humans are where the biases came from; they just taught the machine to be more efficient about it.
The techniques for spotting bias exist, and so do the tests; what is missing is the incentive. Bias, like poor security in the past, is not profitable to fix. At least not yet.
↑ Loss of context¶
Data grown for one purpose gets quietly harvested for another, and the second harvest is the one that bites. A postcode given for delivery sets an insurance premium. A liked tweet joking about depression marks someone as vulnerable to an algorithm. A face uploaded to an app trains a recognition system the person will never meet.
The harm rarely needs anything sensitive to be disclosed. Someone permanently in a wheelchair browses, out of curiosity or kindness, a product they would never use themselves, and the brief detour blooms into a campaign for goods they cannot use. A teenager whose browsing of a baby-product site triggers unsolicited catalogues to the family home has disclosed nothing and been read anyway. A little click, a lot of consequence.
↑ Datafication of the self¶
Personal worth becomes a metric: engagement rate, credit score, productivity level, likes, followers, sleep cycles. A person is no longer a person. They are a performance indicator.
This creates stress, alienation, and a strange new kind of inequality: algorithmic precarity. If a data profile does not match what the system thinks is “successful”, the person’s options quietly shrink.
It is data feudalism.
↓ Accountability¶
When something goes wrong (a wrongful arrest, a job rejection, a loan denial due to automated profiling), it is hard to trace. Was it the model, the data, the person who trained it, or the person who used the output?
These systems create accountability gaps where no one is clearly at fault, and the harmed person has no clear path to recourse.
↓ Competition¶
Data has become the prized orchid of the tech world: valuable, delicate, and aggressively protected.
Microsoft bought LinkedIn for \(26.2 billion. IBM acquired Truven Health for \)2.6 billion, and with it the records of over 200 million patients.
Those were the last era’s land-grabs, done by acquisition. The current one is quieter and aimed at AI: platforms rewrite their terms to train models on the content people have already posted, and sign content-licensing deals for the archives they hold, so the value is extracted without the data ever changing hands.
This is not just capitalism in bloom. It is an arms race. The more data a platform has, the more it can learn, and the more it dominates. It is the network effect: the biggest platforms pull in more users, more advertisers, and more data, until moving elsewhere feels impossible.
The result is a landscape where privacy is a luxury rather than a standard, because the individual is not really the customer. They are the ground being fought over.
↑↓ Regulation across borders¶
For years the map was patchy: a few well-fenced plots, and a right that held inside one fence going soft the moment data crossed into weaker ground. That gap has narrowed, and from an unexpected direction. The GDPR became a template the rest of the world copied, the Brussels effect in plain sight, since a company finds it cheaper to run one strict standard everywhere than to sort its users by border. More than a hundred countries now have a comprehensive data-protection law, Brazil’s LGPD, India’s DPDP Act, China’s PIPL and South Africa’s POPIA among them. The United States, still with no federal statute, grew a patchwork of its own instead: twenty state privacy laws by 2026, California’s the strictest and most of the others built to Virginia’s lighter pattern.
More law has not meant more protection, and that is the catch. The regimes vary, overlap, and are enforced unevenly, and a statute on the books is not the same as a regulator with the budget and the will to use it. Arbitrage has simply changed address, from routing around the absence of a rule to routing toward the softest enforcement of one. The newest contests are about flattening the differences: a 2026 US federal proposal, the draft SECURE Act, would set a national standard that overrides the stronger state laws, which could lift the floor or lower the ceiling depending on where it settles.
Under the legal churn, the rules still struggle with the line they most depend on. A post is public, but the location metadata riding inside it is another matter, and something shared in one spirit is read as evidence in another, where nuance is lost and a snarky comment may not survive data mining intact. Marginalised communities have long carried more than their share of that reading, through profiling, infiltration and covert monitoring, and a thicker rulebook has not much changed who the watching lands on. Legal scholars mark off SOCMINT, social-media intelligence, from the older OSINT, open source intelligence, precisely because the social layer is murkier and easier to abuse.
↑ Global inequity¶
Regulations like the GDPR are regional, and like seeds they travel further than the conditions that let them root. A country in the global South can pass a data-protection law and still lack the regulator to enforce it or the economic weight to make a large platform notice.
The result is a digital colonialism dynamic. Rich countries export surveillance tools, extract data, and impose their standards. Poorer regions become both test beds and resource mines, with little say in what happens to either.
Last reviewed: 2026-07-17.