Abstract
Privacy law and privacy in practice are not the same thing. Companies can follow GDPR
guidelines perfectly and still obscure what they do with user data. My STS research looks at
exactly that gap, examining how platforms satisfy GDPR’s consent requirements without giving
users any real control over their personal data. My technical project, GymSight, is a mobile app
that uses infrared imaging to map real-time equipment usage in a university gym. The two
projects are not directrl6y related, but they share a common thread. GymSight’s infrared camera
was a deliberate design choice because it cannot capture faces or identify people, and that
decision reflects the same question my STS research asks from a policy angle. What does it
actually mean to protect someone’s privacy, and who is responsible for doing it.
The technical portion of my thesis produced GymSight, a mobile app designed to help
students plan their gym visits. The app connects to an infrared camera mounted in a university
gym and renders a live heatmap showing which equipment and floor areas are currently in use. A
student can open the app before heading to the gym and see in real time whether the squat racks
are occupied or the cardio section is busy. The working prototype was tested with real usages
data and accurately reflected occupancy patterns throughout the day. The main technical
challenge was integrating the infrared camera feed into a responsive mobile interface that
updates the heatmap in real time.
In my STS research, I examined how GDPR’s consent framework actually functions
when implemented by major platforms. GDPR requires that users give informed, freely given
consent before their personal data is collected and used. On paper, that sounds like a meaningful
protection. In practice, however, platforms have found ways to satisfy the regulations technical
requirements while keeping their data flows largely opaque. I compared two cases, Barati and
Rana’s (2022) work on backend compliance verification, and De Joyee and Imine’s (2020)
analysis of Facebook’s Off-Facebook Activity consent interface. The backend systems can verify
that a platform is technically compliant. However, the frontend tools users actually interact with
are designed in ways that discourage real engagement with consent choices. The result can be
called compliance theater. Platforms meet the legal standard without giving users any meaningful
control over their data. GDPR’s architecture makes that outcome not only possible, but
predictable.
Shoshana Zuboff’s concept of surveillance capitalism describes a system where human
behavior becomes raw material, collected and processed to predict and influence future actions.
GDPR was designed to push back against that logic by giving users legal rights over their data.
My STS research shows that those rights mostly exist on paper. Platforms have strong financial
incentives to collect as much data as possible, and GDPR’s compliance framework does not
seriously disrupt that incentive structure. GymSight did not face those pressures, but the infrared
design choice still required an active decision to limit what the system could collect. I find this
connection between the two projects most useful. One shows what happens when a technical
system is designed without meaningful limits on data collection, and the other shows what it
looks like when a designer imposes those limits from the start. STS frameworks push engineers
to ask not just whether a system works, but what it does to the people it effects. A gym app that
tracks heat signatures instead of faces is a technical choice, but it is also an ethical one. My STS
research suggests that GDPR cannot reliably produce that kind of decision from platforms
operating under surveillance capitalism’s incentives. That means the responsibility falls earlier in
the process, at the design stage, before lawyers get involved.
