Web Chat: Protecting Online Privacy

Aiming to protect online privacy without stifling innovation, President Obama has proposed a “Consumer Privacy Bill of Rights” to help users exercise more control over the data they share when accessing the internet through their web browsers, smart phones and tablets.

What level of anonymity should consumers expect when browsing the internet? Will companies implement President Obama’s recommendations? On February 29, Allan Friedman answered your questions during a live web chat with POLITICO.

12:30 Vivyan Tran: Welcome everyone, let’s get started.

12:30 Allan Friedman: Privacy is one of those values that everyone wants, but no one wants to define. Yet as studies by academics, industry, and the government attest, there is widespread demand for clearer and better defined rules about who has our data and how they are using it.

The administration’s recent proposal reaffirms well-known values of the Fair Information Practices in a Privacy Bill of Rights, and calls for a multi-stakeholder process to better define a framework for the privacy practices of the myriad of firms and organizations that hold our data. To move the ball forward quickly, the administration has worked with leading web companies to adopt Do Not Track technology, although how this will be implemented at the company level remains to be seen. Indeed, while it is nice to see a clear articulation of privacy goals without heavy-handed or industry-specific regulation, compliance with robust voluntary codes of conduct is more likely with the prospect of enforcement.

Ultimately, understanding and respecting consumer preferences is good business and creates a more trustworthy environment for the information economy. Doing this in a digital world with short attention spans and imperfect interfaces will not be easy, but transparency and collaboration between different stakeholders is a necessary start.

12:30 Comment From Anne: Why has President Obama chosen to release his privacy bill of rights now? Is it in response to Google’s new effort to standardize information across its sites?

12:31 Allan Friedman: Like all major policy initiatives, this has taken some time. It’s been in the works for a while, with the cooperation of many different agencies. The Department of Commerce has been particularly active, and released a green paper over a year ago that sought to explore why privacy is important, gathering feedback from a very large sample of the tech industry. They also worked hard to engage the marketing industry for support behind “do not track.”

12:32 Comment From Samantha T: Can you briefly explain the new privacy bill of rights? How would companies have to protect users’ data under the new guidelines?

12:34 Allan Friedman: The Bill of Rights is an affirmative statement of values, rather than a specific set of rules to be followed. It includes provisions for transparency—how is our data being used—and access—what does someone know about me. This latter property requires some interface and a robust way of making sure you can’t learn about my data. Some are even trickier—user control of data requires companies providing mechanisms for control. This will require the cooperation of firms that collect data and hopefully lead to more responsible data collection and storage.

12:34 Comment From Sammy: Since President Obama’s privacy bill of rights is only voluntary, will Congress eventually need to pass legislation to define consumers’ rights online?

12:35 Allan Friedman: The question of enforcement is key. The Obama administration has favored voluntary, multi-stakeholder initiatives to encourage industry to resolve their own policy issues, saving the administration the political hassle of a fight, and the industry the costs of regulation. Sometimes this works; other times, less so.

12:35 Comment From Charles: Switching for a moment to data security, how successful are U.S. companies in protecting users’ data from outside hacking? It seems as though every day we hear stories of how China is now using teams of hackers to access sensitive information.

12:37 Allan Friedman: “Hacking” is a broad term that covers all manner of sins, from negligent system administrators to sophisticated foreign operatives. Thanks to data breach disclosure laws, we can track the number of breaches of personally identifiable information. We have seen that number decline from regularly reported large breaches to less frequent and smaller breaches, with the occasional high profile attack. This is different than news reports of strategic attacks against firms’ trade secrets and intellectual property.

12:37 Comment From Janet T: How do you get consumers to pay attention to these issues? Most people don’t even read the fine print on the web, and when they do, their eyes glaze over. Why should they care? How can you communicate that?

12:38 Allan Friedman: Some consumers honestly won’t care, and that’s fine. The important approach is to lower the cost of consumers safeguarding their privacy by making the statements easier to understand, and control easier to enact. This does not absolve the companies that hold our data from their obligations to safeguard this information and respect our wishes.

12:39 Comment From Christina: I keep hearing more and more about storing information “in the cloud,” including data like medical records. How can we be sure that extremely sensitive information like this would be secure?

12:40 Allan Friedman: “The Cloud” refers to remote storage, as opposed to keeping things locally, on your computer, or in a company’s basement. There are a few other properties, but the essential policy question is who has responsibility to protect this data. The cloud providers are clearly developing expertise to safeguard their services, but there needs to be clear, contractual delineation about risk and responsibility.

12:40 Comment From Ben L: Will this new bill of rights provide protection against the government subpoenaing information like search data?

12:42 Allan Friedman: No, this bill of rights applies to companies and how they use our data. It might lead to firms capturing and storing less, but will not limit government powers in that regard. Currently, the different treatment of data stored remotely vs. locally is an inhibitor of growth in cloud services, as discussed above.

12:42 Comment From Robert E: Could stronger measures to protect data stifle innovation in the tech sector?

12:43 Allan Friedman: On some level, these rules could stop a firm from finding new ways to exploit consumer data. There’s no question about that, any more than other popular consumer protection laws such as automobile safety or drug testing can have that unintended effect. However, I would argue that finding ways to engage consumers while respecting their privacy and giving them control of their own data could create far more opportunities for innovation. For example, the “personal data ecosystem” movement aims to shift control of data to consumers, allowing more opportunities for people and firms to exploit the value of our digital lives.

12:44 Comment From Tim A: Will this do anything to prevent companies from implementing new privacy policies that have caused public outrage? Policies like Google’s Google Buzz, or some of Facebook’s photo policies?

12:46 Allan Friedman: The model for privacy regulation classically followed what I call “Shame-based regulation”: a firm would overstep some boundary, and get pilloried in the press. We see that less in the last few years, particularly with Facebook. This framework will help establish some guidelines for the intent of these privacy policies, and give critics tools to object. What is lacking in the current proposal is an enforcement mechanism beyond existing FTC Fair Trade powers. Ideally, these will not be necessary if companies take the principles to heart.

12:46 Comment From EJ: Google and Microsoft have all agreed to implement a “do not track bar” into their browsers. Is the answer really that simple?

12:48 Allan Friedman: Do Not Track has two components: the ability for users to express their preference, and the web sites’ interpretation of these preferences. There has already been some disagreement between privacy advocates and the marketing industry on how they should interpret a do-not-track header from the browser: does it merely refer to targeted advertisements, or does it apply to more general tracking across different web sites and contexts?

12:49 Comment From Sarah: What are some ways that the average consumer can help to better protect their own privacy while surfing online?

12:50 Allan Friedman: Learn more about what your browser and computer are telling the world, and take advantage of browsers and plug-ins that minimize the amount of information you are sharing. Using different browsers for different purposes can not only limit the ability to correlate your behavior, but can protect you against malicious criminal activity.

12:50 Comment From Sally: How do U.S. privacy laws compare to Europe’s? I feel that ours are very lax.

12:52 Allan Friedman: The EU has a more comprehensive approach, but this can be limiting at times. The United States has focused on regulating specific types of data, such as medical, or educational records (or even what videos you rent!). This allows for a more flexible approach that does not inhibit non-privacy invasive innovations as much. The United States also focuses on privacy harms, such as requiring transparency following a data breach.

12:52 Comment From Teddy: For a large part, internet services are free because users share their data and companies are then able to sell targeted advertisements. Nothing is free in life. Aren’t users essentially “paying” Yahoo or Google by providing them their data?

12:55 Allan Friedman: “If you aren’t paying, you aren’t the customer” is a common refrain. But if data is going to be an important part of the digital economy, we need to have a transparent marketplace—why shouldn’t I know how much I’m paying? Why can’t we have competition based on the “price” of less invasive data collection? Good information is necessary for markets to flourish.

12:56 Comment From Tim: Is there a positive case to be made for sharing user data? It makes the user experience more seamless and helps organizations better tailor their services, correct?

12:59 Allan Friedman: Data is a currency, as mentioned above, and certainly there are many things that I love to customize. But studies by Berkeley & Penn and CMU have shown that customization is not always as popular as we may think. The policy question hinges on the question of both control and context. Can I get a seamless experience from a service, but then use it without tying it to my permanent identity some of the time? Privacy is about having different identities in different contexts. We have the ability to link across those contexts, but sometimes we may want to reinforce the separation. It’s harder to make the business case for the latter, but I think there is some value there—you just need to change the domain of competition.

12:59 Vivyan Tran: Thanks for the great questions, we’ll see you next week!