A Practical Model for Real Privacy Protection

In their recent paper, “Databuse and a Trusteeship Model of Consumer Protection in the Big Data Era”, Benjamin Wittes and Wells Bennett argue we need to reconceptualize privacy. Privacy has morphed into a notion that could describe a range of beliefs but precisely captures none of the potential harms. Consumers care about privacy “in proportion to whether it is used for our benefit or to our detriment and critically, how seriously to our detriment.” The authors invoke the concept of databuse. Databuse is a negative right that calls on companies to safeguard consumers from undesired harms that might result from the sharing of data.

The Trusteeship Approach

They argue for a trusteeship model in which companies are responsible for serving as good stewards of the data consumers entrust to them. Companies also have a lot to gain in this new paradigm. Establishing themselves as protectors of data fosters consumer confidence, which is a valuable asset for any company.

The authors identify several attributes of a good data trustee:

  • Safely store private data
  • Never use data in a way that injures consumers
  • Disclose uses of data in an open and clear manner
  • To the greatest degree possible, give users control over how their data is shared and used
  • Keep promises to consumers about data

Three Categories of Corporate Data Usage

Wittes and Bennett imagine three broad ways to categorize how companies use data. The categories are based on the premise that consumers face different benefits and harms depending on the actions of companies. They provide a strong model to understand how to best protect “privacy”.

Category One: Aligned Interests

Category one encompasses uses of data where the interests of the consumer and the company are aligned. This covers services where the consumer wants the company to make use of their data, or desires a product that couldn’t exist without that data. For example, credit card companies search through purchasing records to help detect fraudulent activity.

Category Two: Data for Service

This includes activities that benefit a company but neither hurt nor benefit the consumer. The most popular example is personalized advertisements. Ads generate revenue for the business and are relatively inconsequential for consumers.

Category Three: Databuse

Databuse occurs when a company actively harms the interests of the consumer through its use of data. This happens when a company breaks an explicit agreement with a consumer or when it doesn’t take reasonable steps to protect data.

Protecting privacy is difficult because privacy can have different definitions for different people. One person may comfortably tweet out personal details of their life while another would gasp at having their search results archived. Many people have data anxiety, or a fear about the potential unwanted sharing of data. These complexities create challenges for policymakers who want to address the range of expectations that consumers have about privacy. The trustee approach overcomes these barriers by establishing specific protections that are easier to enforce.

Read the whole paper from Benjamin Wittes and Wells Bennett here.