The Opt-In Illusion
Investigation | Echo Truth Hub | April 25, 2026
By Mímir Mímisbrunnr
There is a specific kind of confidence that only institutional language can produce. Google calls it "Personal Intelligence." Meta calls it "legitimate interests." LinkedIn calls it "Professional Community Policies." Governments call it "digital sovereignty." The individual, somewhere at the bottom of this vocabulary stack, calls it Tuesday.
This is not a conspiracy. It is something more mundane and therefore more durable: a structural alignment of interests dressed in the language of user benefit.
The Architecture
AI-generated illustration.
Google's Personal Intelligence, live in the U.S. since January 2026, connects your Google Photos library, Gmail, and Calendar to Gemini. The stated benefit is personalisation. What the Gemini Apps Privacy Hub documentation actually grants, once opted in, is broader: your data is used to "improve Google services, including training generative AI models." (support.google.com/gemini — Gemini Apps Privacy Hub, April 2026; policies.google.com/privacy)
The Gemini app does not "directly train" on your Photos library, Google is careful to say. Connected apps, however, do feed training. Google distinguishes between real-time personalisation using connected app data and model training. That distinction, while documented in the privacy hub, is not surfaced during the opt-in flow. It is technically accurate and practically invisible to the person who clicked "enable."
Meta's approach to Instagram removes even the opt-in courtesy. Public posts from accounts of users aged 18 and over are collected by default for AI training, on the basis of what Meta terms "legitimate interests" under GDPR. Past data use is irreversible; the "right to object" available to EU and UK users only blocks future training. The process itself is four to six steps deep: Profile, then Settings and Activity, then Privacy Centre, then a form that demands written justification. (facebook.com/privacy/genai — AI at Meta training data page, April 2026)
The friction is the product.
This is not an accident of interface design.
The Precedent Nobody Dropped
AI-generated illustration.
In 2021, Apple announced on-device scanning of iCloud Photos to detect known child sexual abuse material. (apple.com/child-safety — Expanded Protections for Children, 2021) The backlash was swift and global. The proposal was withdrawn. This is generally reported as a win.
It was also a starting gun.
The EU's Chat Control proposal, which would have mandated scanning of private communications across platforms, followed. It stalled repeatedly on technical and legal objections. The ambition did not. What governments could not legislate directly, they began requesting through softer channels: cooperation frameworks, AI safety obligations, identity verification mandates.
The result is an inversion. Tech companies, under political pressure to address online harm, have been granted regulatory legitimacy for data access they would previously have pursued at their own reputational risk. The infrastructure existed. The political will to oppose it dissolved. The handshake was quiet.
When the Machine Decides
AI-generated illustration. An automated system flags a family photograph as pornographic content. The appeal button is broken.
The account holder has been anonymised at their request. The underlying correspondence, regulatory referral documentation, and case timeline are on file with Echo Truth Hub and available to verified press and legal parties upon request. Exhibits 9 through 15 constitute the evidentiary record.
A documented case illustrates what this looks like at the individual level.
In 2021, during the Apple CSAM debacle, a cybersecurity consultant, professionally engaged in advising on digital exposure risks and user vulnerability, was discussing IT security on LinkedIn, specifically about multinational platforms using automated systems to scan user content. To support the point, the account holder referenced a 2016 article from Redbook, a Hearst Digital Media publication syndicated on OprahDaily.com. (redbookmag.com — Brie Schwartz, Deputy Editor OprahDaily.com, January 2016)
The article's title: "This Sweet Photo of a Dad Kissing His Baby Has Left The Internet Entirely Perturbed." The image: a father kissing his baby's chubby neck while the mother plays with the infant's legs. The baby is wearing a "My Aunt Is My BFF" onesie. A family moment of completely mundane tenderness, photographed from an angle the internet found momentarily confusing. Redbook found it wholesome enough to publish and syndicate. LinkedIn's platform found it sufficient grounds for a permanent ban. The platform's own correspondence, reproduced below:
Exhibit 15 — LinkedIn Account Recovery Appeal, 23 August 2021. Account restricted for "sharing inappropriate Pornographic or Sexually Explicit content." Personal identifiers redacted. Full correspondence on file with ETH.
Exhibit 11 — LinkedIn second review, 30 August 2021. Permanent restriction upheld. No specific violation identified. Personal identifiers redacted. Full correspondence on file with ETH.
Exhibit 15 — LinkedIn Account Recovery Appeal, 22 August 2021 (redacted)
"Your account has been restricted due to multiple violations of LinkedIn's User Agreement and Professional Community Policies related to sharing inappropriate Pornographic or Sexually Explicit content."
Source: LinkedIn Member Safety and Recovery Consultant. Full redacted correspondence on file with ETH.
The source material was a mainstream family lifestyle piece that went viral for its warmth and mild visual ambiguity. By LinkedIn's automated moderation logic, the journalist who wrote it could not have shared their own published work on a professional network without risking the same outcome.
Worth noting: the first response of most people who see that image is a baby and its parents. The disturbed reading is not in the photograph. It is in the viewer. Which raises a question the institutions involved have not publicly asked: if the trained system saw something that most humans did not, what exactly was it trained on? And if the answer is embarrassing, the correct response is to say so. Not to uphold the restriction, close the case, and forward the complaint to a different department.
The account holder contested this methodically. Publisher details, editorial credits, and article context were submitted in full. LinkedIn conducted a second review. The outcome: "we confirmed your content posted goes against our Professional Community Policies." No specific post, image, or act was identified as the violation. The account was permanently restricted. The case was closed.
A GDPR data request followed in June 2025, asking what violations had occurred, what data was held, how the submitted government ID had been stored, and, under Article 22, where was the human review of an automated decision with significant professional consequences. LinkedIn did not respond within the statutory one-month period. (Source: GDPR Article 22; anonymised case correspondence, on file with ETH)
The Dutch Data Protection Authority received the formal complaint in December 2025. Its conclusion: this matter falls not under GDPR but under the Digital Services Act, Article 17, governing account closures on very large platforms. (Source: DSA Article 17; AP referral correspondence, December 2025, on file with ETH) File forwarded to the Authority for Consumers and Markets. File closed.
The account holder is still waiting.
The AI deployed to protect children could not distinguish between discussing that protection and violating it. Two regulatory bodies have since demonstrated a comparable difficulty establishing who is responsible for the outcome.
While one cybersecurity consultant is still waiting for a human to review an automated decision that destroyed his professional account, governments quietly hand the very infrastructure citizens rely on to the same ecosystem that built those moderators. The pattern is identical: individual recourse is illusory; institutional alignment is seamless.
The Government Mirror
AI-generated illustration.
DigiD, the Dutch national digital identity infrastructure used by approximately 16.5 million citizens, is operated by Solvinity under contract to Logius, a Ministry of the Interior agency. In November 2025, Solvinity's acquisition by U.S.-based Kyndryl was announced. (digid.nl/en/solvinity — Logius statement, January 2026)
The implications are not subtle: U.S. jurisdiction under the CLOUD Act and FISA potentially reaches infrastructure physically located in the Netherlands.
A majority motion in the Tweede Kamer, adopted April 2026 by 141 votes to 9, requests the government not renew the DigiD contract with Solvinity if the acquisition proceeds. (tweedekamer.nl — motie 2026Z08340 / 2026D18701, Kathmann/Stoffer, April 2026) The cabinet describes the situation as "linked to political choices and government regulations" and promises extensive investigation. Logius's own privacy officer, Pieter van Oordt, had previously warned that internal security analysis showed incomplete risk mitigation — and that the Kamer would only be briefed confidentially after the May recess. His assessment: "Dan is het eigenlijk al te laat." He was dismissed for raising it. (De Telegraaf — Ambtenaar die waarschuwde voor overname DigiD: ik werd neergesabeld) The contract expires 6 August 2026. Cancel three months before that date or it rolls automatically for two more years. That deadline is now. A transition to an alternative provider would take six months. They could have started in November.
The marketing language for DigiD is "banking-level security" and "Dutch and remains Dutch." The contractual reality is a foreign acquisition pending approval, with critical national infrastructure in the balance.
On 25 April 2026, De Telegraaf reported that the cabinet extended the DigiD contract with Solvinity by at least two years regardless, signing begin May 2026. The decision was taken on 27 March — before the Kamer majority motion was voted on. The stated reason: switching providers would endanger "continuity and security of service delivery." The CLOUD Act risk analysis remains confidential until after the May recess. (De Telegraaf, 25 April 2026; cross-verified NOS, NRC, NU.nl, Tweakers, 25 April 2026)
The parliamentary majority said no. The cabinet had already said yes. The impact analysis was withheld until the moment of decision had passed. This is not a failure of the opt-in architecture. It is the opt-in architecture — applied to sovereignty itself.
The Illusion in Practice
Pieter van Oordt, the Central Privacy Officer at Logius, raised concerns internally and publicly about the acquisition of DigiD operator Solvinity by U.S. company Kyndryl. He identified concrete risks: potential U.S. access to Dutch personal data via DigiD and MijnOverheid under the CLOUD Act, and the possibility of a remote kill switch.
The consequence: he was first suspended, then silenced and dismissed. The Dutch cabinet deployed the State lawyer against its own chief privacy advisor, ignored a Tweede Kamer majority motion, and extended the Solvinity contract by two years regardless.
When someone simply does their job and takes privacy seriously, the system does not reward them. It neutralises them. A textbook illustration of how fragile the opt-in promise is once the powers that be are directly involved.
Sources: BNR Nieuwsradio (audio); De Telegraaf (25 April 2026); reporting by @beek38.
De illusie in de praktijk
Pieter van Oordt, de Centrale Privacy Officer van Logius, sloeg intern en publiekelijk alarm over de overname van DigiD-beheerder Solvinity door het Amerikaanse Kyndryl. Hij wees op concrete risico's: mogelijke Amerikaanse toegang tot Nederlandse persoonsgegevens via DigiD en MijnOverheid op grond van de CLOUD Act, en de mogelijkheid van een op afstand bedienbare kill switch.
Gevolg: hij werd eerst geschorst, daarna monddood gemaakt en ontslagen. Het kabinet zette de landsadvocaat op zijn eigen hoogste privacy-adviseur af, negeerde een motie van de Tweede Kamer met een ruime meerderheid, en verlengde het Solvinity-contract desondanks met twee jaar.
Wie gewoon zijn werk doet en privacy serieus neemt, wordt niet beloond, maar geneutraliseerd. Een schoolvoorbeeld van hoe fragiel de opt-in-belofte in werkelijkheid is, zodra de machthebbers zelf in het geding zijn.
Bronnen: BNR Nieuwsradio (audio); De Telegraaf (25 april 2026); berichtgeving van @beek38.
Deze Nederlandse vertaling is tot stand gekomen met behulp van AI-assistentie (Claude, Anthropic). De redactionele verantwoordelijkheid voor de inhoud berust bij Echo Truth Hub.
The Enforcement Question
AI-generated illustration.
GDPR fines across the EU exceeded €5.6 billion between 2018 and early 2026. (EDPB Annual Report 2025. The aggregate reflects cumulative enforcement decisions across all EU supervisory authorities from GDPR's entry into force through Q1 2026, including the Irish DPC's €1.2 billion Meta decision of 2023 and subsequent multi-jurisdictional actions. Annual totals vary; 2025 alone recorded approximately €1.15 billion.) Both companies continued scaling their data operations throughout. The fines are real. The operational disruption is not measurable.
What GDPR has reliably produced is a compliance industry, a legal vocabulary, and a set of consent flows engineered to satisfy the letter of the regulation while preserving the commercial logic beneath it. The opt-in exists. The friction around opting out is the product.
What Is Actually Being Solved
AI-generated illustration. Identity redacted. Keys still in hand.
The problems being addressed by Personal Intelligence, digital identity mandates, and automated content moderation are real. Child protection online is a genuine challenge. Fragmented national identity systems create genuine inefficiencies. Generic AI responses are genuinely less useful than personalised ones.
The question worth asking is whose friction is being removed.
The LinkedIn case answers it plainly. A cybersecurity consultant, whose professional function is precisely to assess digital exposure risk, was permanently banned from a professional network by an automated system that could not distinguish between the threat and the person hired to identify it. The individual had no effective appeal. The regulators disagreed about jurisdiction. The data request went unanswered. The professional account remains restricted.
The system was not designed to fail the individual. It was simply never designed with the individual in mind at all. That is a harder problem than malice. Malice can be prosecuted.
#TruthWithTeeth
Primary Sources
- Google Gemini Apps Privacy Hub — support.google.com/gemini; policies.google.com/privacy (April 2026)
- Meta AI Training Data Page — facebook.com/privacy/genai (April 2026)
- Apple Child Safety — Expanded Protections for Children — apple.com/child-safety (2021)
- Redbook / Hearst Digital Media — Brie Schwartz, Deputy Editor OprahDaily.com (January 2016)
- De Telegraaf — Ambtenaar die waarschuwde voor overname DigiD: ik werd neergesabeld
- De Telegraaf — Kabinet verlengt DigiD-contract met Solvinity, ondanks wens Kamer — 25 April 2026 (cross-verified NOS, NRC, NU.nl, Tweakers)
- Logius / DigiD — Solvinity Statement — digid.nl/en/solvinity (January 2026)
- Tweede Kamer — Motie 2026Z08340 / 2026D18701, Kathmann/Stoffer (April 2026)
- EDPB Annual Report 2025 — edpb.europa.eu
- GDPR Article 22 — EUR-Lex
- DSA Article 17 — EUR-Lex
- LinkedIn / AP / ACM case — Anonymised correspondence on file with ETH (August 2021 – April 2026)