This isn't a debate about privacy. It's a debate about power.

When Edward Snowden disclosed the scale of the NSA's surveillance programs in 2013, it seemed for a few months that this was the moment the world would do something about it. There were congressional hearings. European commissioners weighed in. The UN issued reports. Ten years later, the tools of surveillance are more powerful, more dispersed, and more privatized — and the frame of the debate has shrunk from "a threat to democracy" to "a question of privacy." That narrowing is not an accident. It is a public-relations triumph for an industry that needed to break a political problem down into individual disputes over user preferences.

Human-rights organizations have to return to the frame that was pushed aside: what Big Tech does is not a technical problem to be solved with a setting in a menu. It is a problem of power — who wields it, over what, in whose name, and under what kind of citizen oversight. The 33 cases in this database are not 33 privacy violations. They are 33 illustrations of the privatization of political infrastructure, which no democratic mandate legitimizes.

From privacy to democracy

The Cambridge Analytica case, which we invoked at the opening of this series, is the best known, but not the most revealing. People remember Cambridge Analytica because of Trump and Brexit. It is worth remembering for another reason: it was the first time, on that kind of scale, that citizens noticed that the infrastructure of a social platform could be the object of a foreign state's intelligence operation. SCL Group, Cambridge Analytica's parent, was a military-sector firm that had previously worked with the British government on psychological operations in the developing world. The tools built to manipulate public opinion in Iraq and Nigeria were moved into elections in the US and the UK — because the infrastructural market in which those tools could be deployed had extended into places where it had not previously reached.

In Myanmar, from 2016 to 2018, Facebook was the dominant public medium. For most of the people there who had any internet access at all, the internet was Facebook — thanks to the Free Basics program, which subsidized access to a single platform at the expense of the open web. Over the same period, content calling for the ethnic cleansing of the Rohingya circulated on the platform for more than two years. Meta's internal reports, disclosed by the whistleblower Frances Haugen, showed that the company knew and did not act with sufficient force. In a 2018 report, the UN described Facebook as a "determining instrument" in mass violence that left 25,000 people dead and produced more than 700,000 refugees. Privacy is not the story here. Genocide is.

These are extreme cases, but they show the mechanism. A platform that captures a large enough share of the communication market in a given society becomes political infrastructure — even if it never wanted to be. Elections, public space, public-health debates, moral panics, civic movements — all of it runs through its algorithms. Technical decisions made by engineers in Menlo Park or Mountain View become decisions about the shape of politics in Warsaw, Lagos, and Manila. Without elections. Without accountability. Without public debate.

From face to body

Facial recognition — Clearview AI, PimEyes, the operators of commercial databases — is a transgression of a different kind. Online privacy is a problem of data we share voluntarily. Facial recognition is a problem of the body. A face is not something you share. A face is something you carry with you always. A company that builds a database of 30 billion facial images scraped from publicly available internet sources — as Clearview has done, by its own account — creates infrastructure that eliminates the possibility of moving anonymously through public space. Police, intelligence services, private security firms, employers, stalkers — anyone who pays for a license gets access to the identification of every person in every photo.

This is a qualitative change. Until now, the law protected freedom of assembly, demonstration, and protest — in part because anonymity in a crowd was practically achievable. You could not identify ten thousand people in a photo of a protest. Now you can. And identification is cheap, fast, and scalable. Chinese authorities use it openly. American police use it unofficially, without a judicial warrant. Polish services — through purchases of surveillance technology that remain classified — use it on a scale we do not know. A state that is democratically accountable to its citizens cannot use tools over which the citizen has neither knowledge nor control — and yet it does.

From content to the public sphere

The recommendation algorithm of TikTok, Reels, YouTube Shorts, X, Facebook — each of them is an editorial decision made hundreds of times per second, with no human in the loop. It is described as neutral. It is not neutral: it is tuned to hold attention, which means it favors content that engages emotionally. The emotions that engage most strongly are rage, fear, and disgust. Meta's internal research, disclosed by Haugen, showed that "negative content earns five times more than neutral content." This is not the algorithm's fault. It is the direct consequence of the goal for which it was built — the algorithm is effective at exactly what it was designed to do.

When an algorithm like this is the principal source of information for 40 percent of the population under the age of 25 — and TikTok is exactly that in Poland, the US, France, and most of Europe — something is being constituted that has historically been the function of the press, the public broadcaster, and the school: the determination of what is visible and what is discussed. Except that the press, public broadcasters, and schools had an editorial mission, legal accountability, codes of ethics. The algorithm has none of these. It has a business objective.

This is not censorship — the old argument platforms reach for whenever a regulator tries to impose a moderation duty on them. It is the opposite of censorship: it is the amplification of a particular kind of content at the expense of other kinds. Freedom of speech is a right that protects the speaker from power. Algorithmic amplification is not freedom of speech. It is the pushing of certain voices onto center stage and the muting of others, with no rule governing it beyond the logic of maximizing engagement.

Poland: three fronts

At the national level, civil society in Poland is contending with three intertwined problems. The first is state surveillance, which Pegasus has come to symbolize but whose scope is far wider: the services buy communications-monitoring tools through classified procurement, oversight is pro forma, and parliamentary control is reduced to trusting the service. The Panoptykon Foundation has been documenting this problem for years; the political payoff has been modest.

The second front is the corporate surveillance documented in this database. The Polish user is a subject without agency here: fines against Meta go to the European Commission's coffers, not to the user's bank account; lawsuits land in Dublin, not in Warsaw; interfaces are designed for the American user. The Polish data-protection authority has limited resources, the press rarely picks up the topic, and the country's political class does not treat it as a priority.

The third front is the weakness of Poland's domestic digital-rights ecosystem. Panoptykon is a single organization facing a task that in Germany is carried by a dozen organizations and in the US by several dozen. Funding rests largely on grants, not on systematic citizen support. Any Polish citizen who reads this database and thinks this is a problem has a very concrete step in front of them: supporting a nongovernmental organization that, often without their knowing it, is fighting on their behalf.

What to do

Human-rights organizations have a repertoire of action that is well documented in the literature and poorly visible in public debate. Strategic litigation — complaints, interventions, lawsuits — is a slow instrument but an effective one; the Court of Justice of the EU's rulings in Schrems I and II began as the one-person initiative of an Austrian lawyer. Public education — workshops, reports, campaigns — builds the critical mass required for political decisions; without it, no politician will risk a fight with a giant. Participation in the legislative process — consultations, expert submissions, presence in Brussels — is the condition for ensuring that the law being written is not written solely by one side.

But the most important role for organizations at the moment we are living through is to shift the frame. So long as the debate is about privacy — about whether the user shared something, ticked the right box, read the terms of service — it is a debate we are losing. The user has neither the competence, the time, nor the tools to manage their privacy in an ecosystem with thousands of points of contact every day. The debate has to be about power: who holds it, on what basis, with what oversight. That is a frame in which the fight can be won — because then the citizen is not set down in front of the supermarket shelf as a consumer, but stands as a citizen, to whom something is owed by virtue of citizenship itself.

The 33 cases in this database can be 33 illustrations of pessimism, or 33 reasons to act. That choice is not ours; it is yours. Human-rights organizations exist to show what is possible. They do not decide for you what you will do with the knowledge. They can only ensure that when you do decide to act, you will not be acting alone.