Privacy & the Internet
8/6/2019 Privacy & the Internet
Privacy & The Internet:
An Overview of Key Issues
Adam Thierer
Senior Research Fellow
Mercatus Center at George Mason University
May 19, 2011
-
Outline of Presentation
1) What do we mean by privacy?
2) Different approaches to defining / protecting it
3) Trade-offs associated with privacy regulation
4) The challenge of information control
5) Specific regulatory proposals
6) An alternative vision / the 3-E Solution
-
What is Privacy?
Privacy is a remarkably vague concept
Means different things to different people
Varies by cultures
An ever-changing concept
Reacts to evolving social norms & technological change
If it is a right, we must determine how it plays alongside other, well-established rights (ex: freedom of speech & press freedoms)
-
Privacy's Fuzzy Concepts
Harm
How do we define and measure harm?
Is creepiness a harm?
Should emotional harms (feelings) be actionable?
Ownership
Who owns shared data?
What is personally identifying information?
Informed Consent
Are strict contracts possible?
Sensitive Data
Health, financial, what else?
-
Alan Westin's 3 Visions / Paradigms
1. Privacy Fundamentalists: Absolutists about privacy being a right & one that trumps most other values / considerations
2. Privacy Pragmatists: Value privacy to some extent but also see benefits of information sharing
3. Privacy Unconcerned: Have little concern about who knows what about them
-
How to Enforce / Protect Privacy?
(U.S. vs. E.U. Visions)
United States
Privacy not viewed as a fundamental right
Issue-specific / Sectoral approach
Bottom-up case law / torts
States have role; often more stringent than fed law
More focus on opt-out
Big Brother generally = govt
= a reactive regime
European Union
Privacy viewed as a fundamental dignity right
Broad-based approach
Top-down directives
More focus on opt-in
Big Brother = private sector as much as govt
= a preemptive regime
-
The U.S. Sectoral / Issue-Specific Approach to Privacy Law
Privacy Act (1974) = govt data collection
FERPA (1974) = fed-funded education institutions
Cable Comm. Policy Act (1984) = cable data
Video Privacy Prot. Act (1988) = video rental records
Driver's Privacy Prot. Act (1994) = DMV records
HIPAA (1996) = health records
Gramm-Leach-Bliley (1999) = financial records
COPPA (1998) = kids (under 13) online privacy
CAN-SPAM Act (1993)
Do Not Call registry (2003)
-
The Battle over Online Privacy
Policy battle has been raging since late 1990s
FTC & Congress appeared poised to act around 2000, but...
Industry self-regulation was given a chance
9/11 preempted this debate to some extent
Framework for past decade:
Focus on Notice / Choice / Access / Security
Rise of self-regulatory bodies & mechanisms
Targeted FTC & state enforcement
-
New Fault Lines in the Online Privacy Wars
(and the legislative response)
New activity driven by:
Fears of targeting & tracking = creepy factor
General unease with ubiquity of data access & availability
Proposals:
Baseline legislation / FIPPS (Kerry-McCain, Rush, Stearns)
Do Not Track mechanism + regulation (Speier & Rockefeller bills)
Do Not Track Kids / COPPA expansion (Markey-Barton)
Internet Eraser Button (Markey-Barton)
Geolocation restrictions (Markey-Barton)
Data breach disclosure (Kerry-McCain)
Data minimization requirements (Kerry-McCain, Rush)
ECPA vs. Data retention laws
-
Privacy Trade-Offs & Opportunity Costs
Internet feels like the ultimate free lunch; most sites, services & content are free of charge.
But, in reality, there is no free lunch.
The implicit quid pro quo of online life: you gotta give a little to get a little (or a lot!). And most people like this deal.
The Net is powered by advertising & data collection.
Information is lifeblood of Digital Economy.
Info may be collected to facilitate a better browsing experience or to help the site or service remain viable.
In essence, information used in lieu of payment.
Regulation could break this system & have other unintended consequences.
-
The Problem of Information Control
Even if we agree privacy is important and worth protecting, it will be very hard.
"Information wants to be free" - Stewart Brand
and that includes personal information
"The Net interprets censorship as damage and routes around it." - John Gilmore
and privacy regulation is, at root, a form of data flow censorship
-
10 Factors That Complicate Information Control Efforts
Drivers
Digitization
Intangibility
Moore's Law
Falling Storage Costs
Ubiquitous High-Speed Networks
Results
Convergence
Decentralized, Distributed Networking
Scale & Scope
Volume
User-Generation of Content and Self-Revelation of Data
-
Some Facts (or Why Putting Genies Back in Bottles is So Hard)
Facebook: users submit @ 650,000 comments on the 100 million pieces of content served up every minute on its site.
YouTube: over 35 hours of video uploaded every minute.
Twitter: 300 million users produce 140 million Tweets / day, = a billion Tweets every 8 days. (@ 1,600 per second)
Apple: more than three billion apps have been downloaded from its App Store by customers in over 77 countries.
"Humankind shared 65 exabytes of information in 2007, the equivalent of every person in the world sending out the contents of six newspapers every day." - Hilbert and Lopez
-
The Privacy Paradox
"People value their privacy, but then go out of their way to give it up." - Larry Downes, Laws of Disruption
"We give away information about ourselves - voluntarily leave visible footprints of our daily lives - because we judge, perhaps without thinking about it very much, that the benefits outweigh the costs. To be sure, the benefits are many." - Abelson, Ledeen & Lewis, Blown to Bits
-
What We Must Learn to Accept
"Once information is out there, it is very hard to keep track of who has it and what he has done with it." -- David Friedman, Future Imperfect
Privacy is not dead as some have claimed, but it is different than it was in past
New realities of info dissemination, accessibility, searchability
Rushed, heavy-handed solutions will be costly and perhaps not effective anyway
-
Policy Responses
(and their problems)
-
Do Not Track: The Theory
Could be voluntary, but might be mandated.
Would demand that websites honor a machine-readable header indicating that the user did not want to be tracked.
In theory, this will allow privacy-sensitive web surfers to signal to websites they would like to opt-out of any targeted advertising, or not have any information about them collected when visiting sites.
-
Do Not Track: Potential Downsides
Costs: If law breaks the quid pro quo something must give
Paywalls and higher prices?
Less relevant or more intrusive advertising?
Fewer services? Less media content?
Int'l Competitiveness: Goldfarb & Tucker - "after the [EU's] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65% in Europe. Because regulation decreases ad effectiveness, this may change the number and types of businesses sustained by the advertising-supporting Internet."
Practical? Does DNT scale? Apply internationally? To other devices?
Regulatory creep: Will it serve as a template for other forms of Net regulation?
-
COPPA Expansion: Background
Special concerns about youth & online marketing
COPPA ('98) was first attempt to deal with it
Requires verifiable parental consent for sites directed at children that collect info
FTC defines rules (safe harbors) and enforces
Never constitutionally challenged
-
COPPA Expansion: Potential Problems
What works for under 13 not likely to work for teens
Would basically require mandatory age verification of all web surfers
COPPA becomes COPA? = unconstitutional
Serious free speech issues
Irony = in name of protecting privacy, more info about users would need to be collected!
-
Internet Eraser Button: Concept
Goal: Make it easier for people (esp. kids) to delete posted comments or content they later regret
Practical Problem: Where is this button? Who controls it? What if info is shared content? Back-door to fraud / abuse?
Principled Problem: Conflicts mightily with freedom of speech & press freedoms
-
A Different Vision for Privacy Protection
-
The Conflict of Visions:
Anticipatory Regulation vs. Resiliency
Long-standing conflict of visions about how to best manage risks:
1. Anticipation
Prevention is prime value
Focus on the Precautionary Principle
2. Resiliency
Experimentation is prime value
Focus on Learning / Coping
-
Anticipatory vs. Resiliency-Based Solutions
Anticipatory Reg Approach
Mandatory Do Not Track
Mandatory Opt-In for all data collection
Bans on apps / functionality
Restrictions on sharing / all defaults to private
Eraser Button mandates / demands for data deletion
Resiliency Approach
Voluntary Do Not Track
Offer opt-outs (encourages experimentation & innovation)
No preemptive bans on tech
No restrictions on sharing, but education about downsides
Voluntary data purges & data hygiene
-
Constructive Alternatives to Regulation
1. Be careful @ how harm & market failure defined. (ex: Creepiness not a likely harm; data breach likely a harm)
2. Focus on a 3-E Solution to problems: Education, Empowerment, & (Targeted) Enforcement
3. Encourage corporate and personal responsibility
4. Think of privacy as an evolving set of norms, interactions & experiments
5. Don't Panic! We can learn to cope with technological change.
-
The 3-E Solution
-
#1: Educational Solutions
Education at all levels
Awareness campaigns from privacy advocates, govt, industry, educators, etc.
Encouraging better online netiquette and data hygiene
Push for better transparency across the board
Better notice & labeling
Need more watch-dogging of privacy promises made by companies
-
#2: Empowerment Solutions
= Helping users help themselves
User self-help tools are multiplying
AdBlockPlus, NoScript, other browser tools
Industry self-regulation
More cross-industry collaboration on privacy programs
More education efforts (better notice)
Best practices & better defaults
More and better tools to respond to new developments and needs
-
#3: Enforcement Solutions
Holding companies to the promises they make
Stepped-up FTC Sec. 5 enforcement
Demand better notice & transparency
Mandatory disclosure of data breaches
Targeted regulation of sensitive data, but with flexibility