Computers, Privacy & the Constitution
The Administration’s proposal

The Obama Administration recently unveiled The Consumer Privacy Bill of Rights,(1) which outlines a series of goals and policies that aim to build a stronger(2) data privacy framework to protect consumers’ privacy online. Unfortunately, the proposal will likely fail to meaningfully protect consumer privacy, and it may actually make things worse. This essay briefly examines one of the proposal’s critical weaknesses.

Why use footnotes in a hypertext document? Just link sources to their relevant callout phrases.

Notice and Consent

The first principle outlined in the Privacy Bill of Rights states that individual consumers should have a right to exercise control over what personal data companies collect from them and how they use it. This principle provides that consumers should be given choices about data collection, use, and disclosure that are “appropriate for the scale, scope, and sensitivity of personal data.” In theory, consumers will possess the ability to control what information they share online because companies will be required to explicitly inform consumers of the information to be collected, and to obtain consumers’ consent before collecting it.

Notice and consent is generally a valuable concept that attempts to balance the interest of permitting individuals to direct their own lives on the one hand, with the interest of protecting individuals from unwittingly engaging in activities that pose substantial danger to the individual. For example, there is an interest in ensuring that individuals understand the risks of smoking before deciding whether to start. But once informed, the individual should be free to decide for herself whether to engage in the activity.

In the online privacy context, giving consumers a “right to exercise control” will likely do more harm than good. The consequence of a user’s consent is that the user waives his right to challenge the data aggregator’s spying, since the consumer’s consent is affirmatively granting to the data collector a license to spy. The “right to control” will more likely function as a mechanism for immunizing the conduct of data collectors. Thus, although the notice/consent regime effectively balances policy goals in some contexts, it will likely (ironically) lead to greater invasions of privacy in the online context than society might otherwise tolerate.

Through what other mechanism might this non-tolerance be expressed? What policy better allows people to choose than a policy of requiring informed consent? Your remaining objection goes not to the insufficiency of the policy approach, but rather to the likelihood that people will give consent too easily, without absorbing the required information. This appears to call for education, but is not an argument against giving people choices, or making informed consent a precondition for potentially risky courses of action.

Trey Parker and Matt Stone hit this nail on the head in last year’s HUMANCENTiPAD? (3) episode. In the episode, Kyle is kidnapped by Apple employees, who then use him in an experimental new product that combines the iPhone, iPad, and three human beings.(4) The volunteers all agreed to become Apple’s first “truly-interfaced device”; they will have their lips removed and will become sewn together mouth to anus, so that the bowels from the first volunteer will enter the mouth of Kyle, leading through Kyle’s anus to the mouth of the third volunteer, which then goes to a tablet device. Together, they create a device that is “part human, and part centipede, and part web browser, and part emailing device.” Mr. Jobs repeatedly assures the audience that this is all consensual. The volunteers agreed to all of this when they downloaded the latest iTunes and clicked “Agree” to Apple’s Terms and Conditions.(5)

Problems emerge during the testing stages when the engineers test the device’s reading capabilities. In one scene, a team attempts to rescue the HUMANCENTiPad? by breaking it out of its holding cage and bringing it to an operating room where a doctor says that he can separate the volunteers. The doctor just needs to obtain Kyle’s consent. Kyle, anxious to be freed, immediately agrees without reading the agreement. A buzzer sounds as the operating room splits in half to reveal that it was all a setup to see if Kyle would read the agreement before agreeing. Jobs is furious that the device has again failed to read.

Like Kyle, most people don’t read the lengthy legal agreements before installing iTunes or other soft/hardware. Even if we did, we wouldn’t completely understand what we’re agreeing to, particularly since the agreements typically cover future circumstances that are currently unknown. Further, there’s no room for negotiation; the agreements are presented to users on a take it or leave it basis. So requiring disclosure and user consent won’t actually empower users. Instead, companies will press for more access and will be immunized from user complaints since those users were informed of the policies and freely consented.(6)

I'm not sure why it took all these words to state the familiar and almost self-evident proposition that most people do not read most informed consent disclosures in any context, and consent too easily to transactions on adhesionary terms. Like the discovery that people do not cast their votes on careful political scrutiny of the candidates' positions relevant to their own political needs, which is not an argument against elections, this point is not an argument against requiring both disclosure and consent. How to make disclosures more informative and consent more reasoned are issues policy-implementers should be concerned with, but if you have arguments to offer against the principles on which the policy is being constructed, these aren't they.

Consumers will probably continue to consent, even in the face of further reaching policies, because of the convenience/utility that many of these products offer. Most people will continue to consent to Facebook spying in exchange for the ability to connect and share information with their friends and family on one convenient platform. At least in some contexts, users might not see any harm in sharing tons of personal data. For example, many users probably consent to sharing their email address book with Facebook because they view this as a harmless and helpful way to more easily find their acquaintances’ accounts.

Solutions

The notice/consent regime cannot be counted on to afford users meaningful choices in the context of online privacy, but perhaps the market will produce viable solutions. A potential remedy to Facebook’s spying might be to create an alternative to the free(7) service with a platform supported by user subscription revenue.

Why is this a better alternative than free as in freedom software that federates the service of sharing with friends on the Web, and removes the spying man in the middle altogether?

This would help relieve part of the need to rely on advertising/spying revenue in order to operate. Additionally, companies dedicated to protecting users’ online privacy have begun to emerge and are gaining popularity in the wake of recent privacy scandals.(8) However, I predict that things will continue to get worse, at least in the near future. Companies will continue to press users for more information and users will continue to consent. We’re still in the early stages of these new forms of spying and most people do not appreciate the harms, but a time will come when the boundary will be pushed too far and a backlash will occur. Most people still don’t realize the extent to which they are being spied on. But as users become more aware of the extent of and implications of spying, they may begin to push back and collectively demand changes.

-- LeeSilver - 20 Mar 2012

The concerns I have about this draft are explained above. Improvement lies in the direction of sharper focus: the problem can be stated compactly, and it's the discussion of the possible policy responses that should be at the center of the draft. You haven't explained what should replace the principle of notice and informed consent in preferable policy, so we are weighing nothing against something. Concerns about the seriousness with which people give consent is not an argument against seeking consent, but is an argument for other policy responses you neither outline nor discuss. Substituting plot summary of television comedy performances for these forms of analysis doesn't work very well.

 

Notes

1 : See We Can’t Wait: Obama Administration Calls for A Consumer Privacy Bill of Rights for the Digital Age, available at http://www.whitehouse.gov/blog/2012/02/23/we-can-t-wait-obama-administration-calls-consumer-privacy-bill-rights-digital-age.

2 : Apparently the Administration is of the view that the current consumer data privacy framework in the US is, “in fact, strong.” See Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.

3 : It’s a great episode. If you haven’t already seen it, it is available at http://www.southparkstudios.com/full-episodes/s15e01-humancentipad.

4 : Mr. Jobs laments that the only thing the first iPad couldn’t do was “walk, or read. Until now.”

5 : The relevant portions included, “By clicking Agree, you are also acknowledging that Apple may sew your mouth to the butthole of another iTunes user . . . Apple and its subsidiaries may also, if necessary, sew yet another person's mouth onto your butthole, making you a being that shares one gastric tract."

6 : Moreover, many companies may continue to try to work around privacy settings. For example, Google was recently caught bypassing user privacy settings in Apple’s Safari browser. See Google faces new investigations over Safari tracking, available at http://news.cnet.com/8301-1023_3-57398571-93/google-faces-new-investigations-over-safari-tracking/.

7 : “Free” meaning price.

8 : For example, Disconnect, a year-old startup that creates software designed to prevent sites from collecting data about its visitors, has capitalized on Google’s latest privacy misstep. See Google Privacy Missteps A Boon For Rivals, available at http://www.huffingtonpost.com/2012/02/24/google-privacy-policy-private-data_n_1297672.html.


Navigation

Webs Webs

r4 - 11 Jan 2013 - 21:48:52 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM