Posts tagged as:

The OECD Privacy Guidelines at 30

by on September 29, 2010 · 0 comments

If you blinked, you missed it. Heaven knows, I did. The OECD privacy guidelines celebrated their 30th birthday on Thursday last week. They were introduced as a Recommendation by the Council of the Organization for Economic Cooperation and Development on September 23, 1980, and were meant to harmonize global privacy regulation.

Should we fete the guidelines on their birthday, crediting how they have solved our privacy problems? Not so much. When they came out, people felt insecure about their privacy, and demand for national privacy legislation was rising, risking the creation of tensions among national privacy regimes. Today, people feel insecure about their privacy, and demand for national privacy legislation is rising, risking the creation of tensions among national privacy regimes. Which is to say, not much has been solved.

In 2002—and I’m still at this? Kill me now—I summarized the OECD Guidelines and critiqued them as follows on the “OECD Guidelines” Privacilla page.

The Guidelines, and the concept of “fair information practices” generally, fail to address privacy coherently and completely because they do not recognize a rather fundamental premise: the vast difference in rights, powers, and incentives between governments and the private sector. Governments have heavy incentives to use and sometimes misuse information. They may appropriately be controlled by “fair information practices.” Private sector entities tend to have a balance of incentives, and they are subject to both legal and market-punishments when they misuse information. Saddling them with additional, top-down regulation in the form of “fair information practices” would raise the cost of goods and services to consumers without materially improving their privacy.

Not much has changed in my thinking, though today I would be more careful to emphasize that many FIPs are good practices. It’s just that they are good in some circumstances and not in others, some FIPs are in tension with other FIPs, and so on.

The OECD Guidelines and the many versions of FIPs are a sort of privacy bible to many people. But nobody actually lives by the book, and we wouldn’t want them to. Happy birthday anyway, OECD guidelines.

SHARE: 0 comments

Look to the Marketplace, Not Government, For Better Privacy

by on September 21, 2010 · 1 comment

As the Internet evolves and new data collection technologies emerge, privacy concerns are increasingly in the spotlight. Few doubt that these concerns are, in many cases, legitimate. The major point of contention is which institutions in society are best equipped to address the privacy challenges of the information age. While a number of privacy scholars point to stricter federal regulation as the answer, others are very skeptical of granting government a more expansive role in safeguarding sensitive information on the Internet.

In this week’s issue of Advertising Age, Carolyn Homer and I have a guest column in which we discuss the role of market institutions in addressing privacy concerns:

A series of recent high-profile privacy gaffes involving internet firms such as Google, Microsoft and Facebook has spurred a public outcry for stronger privacy protections. Politicians in Congress have responded with a slew of blustering letters, hearings, and legislative threats. On July 19, Rep. Bobby Rush, D-Ill., introduced a sweeping privacy bill in the House of Representatives, and Sen. John Kerry, D-Mass., has pledged to introduce a similar bill in the Senate. This legislation would stifle the dynamic internet economy and targeted advertising while doing little to improve consumer privacy. Mr. Rush’s bill, titled the Best Practices Act, would give the Federal Trade Commission broad new powers to regulate nearly any organization that routinely collects even basic data about individuals, including phone numbers and email addresses. The bill would empower the FTC to dictate businesses’ data security practices, perform extensive compliance audits, and even restrict which kinds of information firms can collect and how long they can store it. This approach may sound sensible, but it ignores the crucial role of responsible data collection in the information age. Limiting such practices will impede e-commerce and endanger free internet content backed by advertising. The internet’s ubiquitous information sharing is a feature, not a bug.

Continue reading →

SHARE: 1 comment

Open Video Conference, New York City, Oct. 1-2

by on September 2, 2010 · 0 comments

I’ll be there, speaking on a privacy-focused panel entitled: “We Know What You Watch.”

Spooky!

There’s an interesting agenda and, as conferences go, this one seems to be pretty well organized. For example, they have a page of badges they encourage participants to use in promotions like this one. (What do you think of the one I selected?)

And they suggest the Twitter hashtags #openvideo and #ovc10.

Once again, New York TLFers, that’s the Open Video Conference, Oct. 1-2 at the Fashion Institute of Technology.

SHARE: 0 comments

Economist Debate: “Governments Must Do Far More to Protect Online Privacy”

by on August 30, 2010 · 0 comments

I’m at the mid-point of an online debate hosted by the Economist.com on the proposition: “This house believes that governments must do far more to protect online privacy.”

I’m on the “No” side. In my opening statement, I tried to give some definition to the many problems referred to as “privacy,” and I argued for personal responsibility on the part of Internet users. I even gave out instructions for controlling cookies, by which people can deny ad networks their most common source of consumer demographic information if they wish. Concluding, I said:

Government “experts” should not dictate social rules. Rather, interactions among members of the internet community should determine the internet’s social and business norms.

In the “rebuttal” stage, which started today, I dedicated most of my commentary to documenting how governments undermine privacy—and I barely scratched the surface.

Along with surveillance program after surveillance program, I discussed how government biases protocols and technologies against privacy, using the Social Security number as an example. I don’t know what syndrome causes many privacy advocates to seek protection in the arms of governments, which are systematic and powerful privacy abusers themselves.

Nonetheless, I’m opposing the “free lunch” argument, which holds that a group of government experts can come up with neutral and balanced, low-cost solutions to many different online problems without thwarting innovation. Right now the voting is with the guy offering people the free lunch, not the guy arguing for consumer education and personal responsibility.

You can vote here.

SHARE: 0 comments

Two Paradoxes of Privacy Regulation

by on August 25, 2010 · 5 comments

As a cyber-libertarian, I’ve been lucky enough to work with people of all ideological stripes in pursuit of various public policy objectives.  I’ve made selective alliances with people on the Right on economic policy issues (like opposing Net Neutrality regulation, Internet taxes, etc) and also worked closely with folks on the Left on speech and culture issues (content controls, anonymity, online safety concerns, etc).

While engaging with with people on both sides of the political fence, I’m often struck by some of their internal inconsistencies.  Conservatives, for example, talk about a big game about personal responsibility on some issues, but quickly abandon that notion when they claim media content or online speech should be regulated by the State (typically “for the children.”)  In this essay, I’d like to discuss interesting inconsistencies on the political Left, especially among advocates of strong privacy regulation (most of whom tend to be Left-leaning in their worldview).  In particular, here are the two things I find most interesting about modern privacy advocates:

(1) Most privacy advocates are vociferous First Amendment supporters, yet they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation.  When it comes to proposals to regulate media content or online speech, most folks on the Left have a very principled, clear-cut position: people (or parents) should take responsibility for unwanted information flows in their lives (or the lives of their children). In particular, they rightly argue that the many user empowerment tools on the market (filters, monitoring software, other parental control technologies) constitute a so-called “less-restrictive means” of controlling content when compared to government regulation.

Advocacy groups that I have a great deal of respect for and work with quite closely on these issues–such as EFF, CDT and ACLU—all take this position.  Generally speaking, they argue that, when it comes to speech regulation, “household standards” (user-level controls) should trump “community standards” (government regulation). And in Court—where I frequently file joint amicus briefs with them—they repeatedly employ the “less-restrictive means” test to counter government efforts to regulate information flows.

But when it comes to privacy, they throw all this out the windowContinue reading →

SHARE: 5 comments

Meditations in a Privacy Emergency

by on August 24, 2010 · 4 comments

Emotions ran high at this week’s Privacy Identity and Innovation conference in Seattle.  They usually do when the topic of privacy and technology is raised, and to me that was the real take-away from the event.

As expected, the organizers did an excellent job providing attendees with provocative panels, presentations and keynotes talks—in particular an excellent presentation from my former UC Berkeley colleague Marc Davis, who has just joined Microsoft.

Continue reading →

SHARE: 4 comments

PFF Progress on Point on Title II “sins”

by on August 20, 2010 · 0 comments

The Progress and Freedom Foundation has just published a white paper I wrote for them titled “The Seven Deadly Sins of Title II Reclassification (NOI Remix).”  This is an expanded and revised version of an earlier blog post that looks deeply into the FCC’s pending Notice of Inquiry regarding broadband Internet access. You can download a PDF here.

I point out that beyond the danger of subjecting broadband Internet to extensive new regulations under the so-called “Third Way” approach outlined by FCC Chairman Julius Genachowski, a number of other troubling features in the Notice indicate an even broader agenda for the agency with regard to the Internet. Continue reading →

SHARE: 0 comments

Privacy Isn’t Dead, It’s Evolving

by on August 19, 2010 · 0 comments

Recent revelations about Microsoft’s internal debate over Internet Explorer’s handling of tracking cookies, as chronicled by The Wall Street Journal earlier this month, have prompted harsh criticism from self-described privacy groups, who’ve called on Congress to investigate Microsoft’s actions. But as Jim Harper pointed out in an excellent WSJ essay, Web users stand to lose a great deal if online tracking is squelched by the hand of government. Data gathering on the Internet is largely harmless, and individually targeted advertising coexists with robust privacy safeguards.

Over on AOLNews.com, my colleague Carolyn Homer discusses these privacy tradeoffs, arguing that Microsoft and other Internet firms have a strong incentive to set privacy defaults that align with their users’ preferences. She points out that most consumers are, in practice, quite willing to live with allegedly “pervasive” tracking in exchange for the enormous benefits that targeted advertising makes possible. While many surveys and polls indicate consumers are very worried about their privacy, the actual decisions that consumers make every day tell a very different story (as documented extensively by Berin Szoka). From Carolyn’s piece:

A body of research reveals a sizable disparity between how much people say they value privacy and how willing they are to actually protect it. In a 2003 Duke Law Journal article, Michael Staten and Fred Cate found that fewer than 10 percent of users exercise their right to opt out and share less. Conversely, if given the opposite choice, fewer than 10 percent of users elect to opt in and share more. The vast middle is apparently indifferent. If consumers were required to affirmatively opt in before sharing data, the Internet’s prevailing advertising-based business model would be decimated. The effectiveness of online advertising in Europe, for example, fell 65 percent after the European Union in 2002 required a blanket opt-in system. For more than a decade, the Internet has thrived on the assumption that most people believe it is a fair trade to receive free content in exchange for viewing ads. Mere advertisements shouldn’t be equated with gross privacy violations.

She goes on to discuss how privacy settings are evolving as consumer preferences adapt to new technologies and firms experiment with new ways to use and collect data. You can read the rest over at the AOL News website.

SHARE: 0 comments

The Great Privacy Debate on WSJ

by on August 7, 2010 · 16 comments

I have a piece on Internet privacy in the Wall Street Journal today. It’s one side of a “debate” on Internet privacy and tracking. I say be careful what you give up if you thwart online tracking—personalization, free content, and other goodies may go by the wayside.

My “opponent” is Nicholas Carr, whose identity and arguments I didn’t know as I wrote, nor likely did he mine. His is a good piece that lays out the many legitimate concerns with online tracking. Must be nice to be the maximal-privacy “good guy”!

For the sake of making it interesting I’ll pick out one important point that highlights the nub of the issue.

Privacy tradeoffs have always been a part of life, Carr says, “But now, thanks to the Net, we’re losing our ability to understand and control those tradeoffs—to choose, consciously and with awareness of the consequences, what information about ourselves we disclose and what we don’t.”

This sentence brought back to me a memorable moment from law school. In a seminar course, the professor called upon a fellow student who rather dopily apologized, “Sorry, I didn’t have time to do the reading.”

“In fact you did have time to do the reading,” replied the teacher, “but you just didn’t take it. Isn’t that correct?”

It was funny, if embarrassing for my colleague, and a great illustration of precision with language.

Holding to that standard of precision, I’ll disagree with Carr’s statement: The Net is not affecting our ability to understand and control privacy tradeoffs. Its development has outstripped that capacity. Developing consumers’ understanding of information flows, information uses, and consequences will position them to restore privacy.

I don’t think Carr would disagree with that sentiment in the main. Later he says, agreeably to me, “We need to take personal responsibility for the information we share whenever we log on.”

And I do think that’s the heart of the problem: “Education is the hard way, and it is the only way, to get consumers’ privacy interests balanced with their other interests.”

SHARE: 16 comments

Redbook on Facebook (and sharing information online)

by on August 4, 2010 · 0 comments

It’s not often that you see advice on Internet privacy sandwiched between articles on “4 Times it Pays to Splurge” and  how to “Be a Full-time Mom with a Part-time Passion.” But online privacy is such a hot topic that even Redbook, the women’s magazine, has a story in its August issue.  The article is an informed, well-balanced look at providing practical tips (well it should be, I was interviewed for it!) on being secure and private when on various Internet sites:

If you’re a LIVE-LIFE-OUT-LOUD GIRL (i.e., you offer a play-by-play of your life to your 1,000 Facebook friends, blog readers, and Twitter followers), these are the guidelines you — and everyone — should follow:
  • On your social networking profiles, take the time to check out the privacy settings and decide whom you want to have access to what information. The risks here aren’t great, but do you really want your cousins to read about your sex life, or your frenemy to see photos of the party you didn’t invite her to?
  • If you’re on a public wireless network, like at Starbucks, don’t do your online banking or log on to other sites that contain sensitive information about you. Other users accessing the network might be able to access it.
  • Teach your kids about the risks of sharing personal information on the Web. If it feels appropriate for your child, bring up the countless cases of tweens’ and teens’ personal photos and videos that have ended up in the wrong inboxes because of how easy it is to forward email. Have a conversation about what sites they’re visiting online, and make sure they’re staying safe by signing up for a free limiting service such as AOL Parental Controls, which allows you to log in and monitor their activity. Check with your wireless carrier for similar services on your kids’ phones, too.

There’s more tips if interested, or read about unboring veggies sides for grilled food.

SHARE: 0 comments

← Previous Entries

Next Entries →