> How is that achievable?

The core ill is aggregated data, because that's what allows the mass in surveillance, data mining, etc.

The collection actions are almost immaterial. Without persistence they must be re-performed for each request, which naturally provides a throughput bottleneck and makes "for everyone" untenable.

If we agree the aggregated data at rest is the problem, then addressing it would look like this:

1. Classify all data holders at scale into a regulated group

2. Apply initial regulations

   - To respond to queries for copies of personal data held
   - To update data or be liable in court for failing to do so
   - To validate counterparties apply basic security due diligence before transferring data (or the transferer also faces liability)
   - To maintain a *full* chain of custody of data (from originator through every intermediate party to holder) so that leaks / misuse can be traced
   - To file yearly update on the types, amount of data, and counterparties it was transferred to with the federal government that are made public

It's not. But the first step is classifying and documenting the problem.

Sorry, I was ambiguous in what I meant.

It is not realistic to say that no person is allowed to keep track of another person; watch where they go, when, with who, etc.

It should not be acceptable for a company to gather information on "everyone"; where they have been going, when, with who, how often, etc. And it should not be acceptable for them to sell that information (to government agencies OR private citizens).

It's a matter of scale.

- Making the first one illegal/impossible would be difficult/costly; and not doing so has a limited impact (to society, not to the single person affected).

- Making the second one illegal is much easier, and it's much easier to shut down a large company doing it than it is 1,000 individual stalkers. The impact of making it illegal is much wider and better for society as a whole.

We don't want anyone being stalked. But in a cost/benefit analysis, we can do something about one of them but not the other.

It's not achievable.

The only way is through - everybody should get into the practice of stalking and gossiping about each other in a Molochian environment, where the people who do not do so suffer from the losing side of an information asymmetry.

Expect AI, especially post-Mythos, to just enable this at even further scale. Consumer grade wireless networking gear as a whole is a very wide attack surface and is basically never updated.

If PIs can "legally" do it then it sounds like there is a law which allows them to do it. That law can be revoked (unless the power comes from Constitution which would make it effectively impossible to revoke).

Note that PIs are effectively illegal under GDPR by default. They would generally need to provide Article 13 notice, i.e. you would become aware of them unless they were just asking around without actually following you. Member states can make them legal though (via Article 23) and likely in many cases they have done so.