I’m livetweeting today’s final FTC Privacy Roundtable (check out the #FTCPriv hashtag on Twitter). Check out the day’s agenda or watch the webcast here. Adam Thierer and I expressed our concerns about the rush to regulation at the First Roundtable back in December—see my written comments and Adam’s summary of his remarks. David Vladeck, Director of the Bureau of Consumer Protection offered the following summary of the Roundtable process at the kick-off this morning:
- Benefits & risks of technology. “March of technology has blurred and threatens to obliterate the distinction between PII [personally identifiable information) and non-PII…. It’s getting harder and harder for users to choose anonymity.”
- Privacy challenges raised by emerging business models. What do consumers know? Consumers are often presented with confusing and unfamiliar situations. Consumers understand little about how their information is handled.
- Innovation in disclosure. Industry is testing privacy icons.
- Privacy policies are too vague, too long, too complicated and too hard to find. We need effective ways to disclose what information is being collected and to give consumers a meaningful way to control its use. There’s no way to put the genie back in the bottle once information has been shared.
On the critical question of next steps, Vladeck claims the agency isn’t certain where it will go and plans to “sit back” and think about the detailed record before making public a set of detailed recommendations on which the public will be invited to provide input. I’d like to believe him and I hope the agency really does think long and hard about the evidence provided in this process as to the trade-offs inherent in increased regulation, the complexity of this space, and the need for a cautious approach when it comes to tinkering with the data flows that are the lifeblood, both technological and financial, of the Internet. But based on their recent public statements, I fear that Vladeck and FTC Chairman Jon Liebowitz have already made up their minds about the need for regulation, and that this process is really just paving the way for a report this summer that will call for sweeping new legislation—just as the FTC did back in its 2000 Report to Congress.
The FTC would do well to remember two sage pieces of advice:
- “First, do no harm.” – The Hippocratic Oath
- “The curious task of economics is to demonstrate to men how little they really know about what they imagine they can design.” – F.A. Hayek
I’d particularly like to hear more focus on technological solutions that could do more to empower users to make choices for themselves—which the first panel is currently discussing. In particular, if the central problem lies in the failure of today’s privacy policies, why not focus on making privacy disclosures machine readable by browser tools so that users don’t actually have to find and read lengthy, legalistic documents? Tools built on P3P could make disclosure actionable. As I’ve been saying, that kind of innovation offers a much better solution than simply giving up on disclosures and concluding that preemptive, prophylactic regulation is the only option.
The ideal state of affairs would be to create a system of tools and data disclosure practices that would empower each user to implement their personal privacy preferences while also recognizing the freedom of those who rely on advertising revenues to “condition the use of their products and services on disclosure of information”—not to mention the viewing of ads!
Self-regulatory efforts can be refined, especially through technological innovation to better satisfy the concerns of policymakers, privacy advocates, and average consumers. For example, if websites and ad networks participating in a self-regulatory framework supplemented their current “natural language” privacy policies with equivalent “machine-readable” code [e.g., P3p], that data could be “read” by browser tools that would implement pre-specified user preferences by blocking the collection of information depending on whether the privacy policies of certain websites or ad networks met the user’s preferences about data-use. Such robust and granular disclosure, if implemented for behavioral advertising, would exceed the wildest dreams of those who argue that users currently do not read privacy policies—without disrupting the browsing experience or cluttering websites. But this system would only work if users had to make real choices about “paying+ for ‘free’ content and services by disclosing their personal information.”