An Atlantic article suggests that the digital advertising industry is coalescing around the position “restrict data use if you must, but go easy on data collection and retention.”
There is a fascinating scrum over what “Do Not Track” tools should do and what orders websites will have to respect from users. The Digital Advertising Alliance (of which the NAI is a part), the Federal Trade Commission, W3C, the Internet Advertising Bureau (also part of the DAA), and privacy researchers at academic institutions are all involved. In November, the DAA put out a new set of principles that contain some good ideas like the prohibition of “collection, use or transfer of Internet surfing data across Websites for determination of a consumer’s eligibility for employment, credit standing, healthcare treatment and insurance.”
This week, the White House seemed to side with privacy advocates who want to limit collection, not just uses. Its Consumer Privacy Bill of Rights pushes companies to allow users to “exercise control over what personal data companies collect from them and how they use it.” The DAA heralded its own participation in the White House process, though even it noted this is the beginning of a long journey.
There has been a clear and real philosophical difference between the advertisers and regulators representing web users. On the one hand, as Stanford privacy researcher Jonathan Mayer put it, “Many stakeholders on online privacy, including U.S. and EU regulators, have repeatedly emphasized that effective consumer control necessitates restrictions on the collection of information, not just prohibitions on specific uses of information.” But advertisers want to keep collecting as much data as they can as long as they promise not to use it to target advertising. That’s why the NAI opt-out program works like it does.
That’s a drum I’ve been beating for years, so to a first approximation I’m pleased. However:
- I don’t think currently proposed protections go nearly far enough, for reasons I previously stated plus others that keep coming to me. (For example, substantially all consumer privacy protections could be nuked simply by user agreements that compel you to “voluntarily” renounce most privacy rights in return for unfettered use of the internet.)
- If current trends are followed, it could end up that data use restrictions are too mild and data collection restrictions are too severe — and maybe that will all work out in a rough balance, at least for a while.
- In the not-so-near term, however, these rough political compromises may not work so well. That’s why I think next-generation digital advertising ecosystem design should start yesterday, or perhaps sooner.
So to sum up my views on consumer privacy:
- Focusing on data use is basically good.
- It is important to also focus on data collection, at least for a transitional period.
- For the whole thing to work out well, a major rethinking of systems is needed.
That’s the good news. The bad news is on the side of government data collection and use. As I wrote last year:
… there is a lot more electronic information than there used to be. Indeed:
- Sufficient information exists to provide a very detailed picture of our activities.
- Much of it is recorded for very good and beneficial reasons. We wouldn’t want that part to stop.
- This information is inevitably available to government.
Here’s what I mean by the inevitability claim. Whether or not you think anti-terrorism concerns are overblown, as a practical matter your fellow voters* will allow a broad range of governmental information access. Besides, just the widely-available credit card and similar commercial data is enough to provide a fairly detailed picture of what you’re up to. In most countries, anti-pornography, anti-file-sharing, and/or general civilian law enforcement efforts serve to strengthen the point further.
*If you live in a country too unfree for voters to much matter, then it is surely also the case that governmental information has few practical limits.
Examples of information being tracked (more particulars were covered in the first post of this series):
- Almost everything we buy is recorded, via credit card transactions, point-of-sale data, and/or website transaction records. This data is summarized in files covering 100s of millions of individuals, with 1000s of fields per person. Those files can be used for a broad variety of business or law enforcement purposes.
- That data gives a great picture of what we eat, where we commute or travel, what we pay attention to, and so on.
- All our other financial information also passes through computer systems, such as at banks.
- Increasingly, our physical movements are tracked more directly, via cell phones (our own), police cameras, and the like.
- Other than face-to-face conversations, almost all our communications are electronic. Even social media non-adopters rely heavily on telephones, email, and the like.
- Increasingly, our reading and viewing entertainment choices are electronically recorded as well.
And the list of ways the government collects data keeps going up — sidewalk cameras, overhead drones, Transportation Security Administration sweeps beyond airports, forced decryption of computing devices, examination of cell phones upon arrests, forced examination of computing devices at the national border, and many more. In the United States, it’s an open secret that the government has access to substantially all email and telecom connection data. And of course there are also GPS devices on cars, and the confusing jurisprudence that has resulted.
At least in the US, it is barely possible to argue that everything will be all right because the Fourth Amendment makes it that way. But I don’t like the odds on that. Rather, I favor:
- Supporting people who are already trying to limit intrusive governmental data collection.
- Taking leadership in constructing reasonable limits on government data use as well.
I don’t believe there’s enough technical expertise across government for it to construct a sensible privacy-protection regime on its own.