Conflating privacy debates has become a hobby of chattering class as of late. The former chairman of the FTC, Jon Leibowitz, discussed this conflation (without seeing a problem) recently when he said:
“The implications of the NSA data breach are going to be greater in the context of protecting consumers’ commercial privacy…. People are increasingly concerned about their own privacy vis-à-vis commercial entities…. Americans are going to be concerned about this breach, and things will move much more quickly into the commercial context.”
While Leibowitz might accurately reflect the political reality, having public backlash from the NSA controversy seep into the consumer commercial privacy debate is, at best, unhelpful and, at worst, dangerous. Commercial privacy and warrantless government surveillance are two different animals. Even though some overlap exists, at their heart they have different foundations, and — more importantly for the purposes of this blog — different policy imperatives.
At the 30,000 foot level, the key difference is self determination. Users choose to use Google and its suite of services, or they don’t. If the concept of a company providing free services in exchange for targeting advertising doesn’t appeal to an individual user, they can use another service (or ratchet up their privacy controls, as companies like Google and Facebook allow users to do). In fact, one Google competitor ran a multi-million dollar advertising campaign highlighting this very choice. Furthermore, according to a study by Forrester research, consumers are actually starting to pay more attention and opting not to use online services that don’t comport with their privacy standards.
The core issues in private sector privacy policies are transparency and accountability that empower informed competition driven by consumer choice (even if that choice is an all or nothing, either use a company’s product or not). Different consumers have different desired levels of privacy. I welcome targeted Amazon book reviews (and so do authors), Google Now predicting what it thinks I need to know before I search, and being able to search my friends profiles on Facebook for restaurants they like in New York City (or friends searching for restaurants I like). Other users do not and select their sharing levels accordingly. Making sure companies clearly articulate their privacy policies and live up to those standards or be held accountable when they don’t is the meat of that debate. Furthermore, clear standards and penalties should be articulated for companies that negligently store consumer data unsecurely. These are complex issues that need to be sorted through. Mistargeted paranoia does not help.
However, massive, secret information gathering by governments is a different beast entirely that necessitates a different balancing test. The main thrust of the WSJ article, the fact that internal privacy policies are hotly debated inside Internet companies (in fact, the WSJ article makes clear that this was being handled at the CEO level), illustrates the key difference. Internet companies must routinely balance how to be responsible stewards of their users’ data. If they are not, the blowback could be severe, costly and potentially terminal to a company’s business model.
Governments have no such imperative. Democratic governments face blowback from the voters, but much of the government’s “privacy policies” are shrouded from the public and, as we have seen, government employees have been willing to lie to the public about them in some sort of convoluted sense of public duty. Furthermore, as we have seen with the NSA controversy, real checks and balances are severely lacking. For all intents and purposes, citizens cannot “opt out” of government surveillance (although more awareness of encryption like PGP is a start). In this sense, “competition” as a force disciplining government overreach does not exist. (Not to mention, it is difficult to conduct a public policy cost/benefit analysis when government officials are obfuscating about the privacy costs and exaggerating the benefits.)
A corporation is not a sovereign entity. A corporation does not have the legal power to compel participation in the name of national security and force secrecy on unwilling interlocutors. A corporation does not have a political interest in using a person’s information against his or her own will (although they might be tempted to do so for financial gain, but that is why we have the FTC). A corporation cannot jail its users. History is rife with examples of governments abusing their sovereign powers for self-serving ends (i.e. crushing opposition and tampering dissent). In fact, it is a core concern embedded in the founding documents and constitutions of modern democracies.
The fact remains, however, that your privacy is only as strong as its weakest link. Right now, voluntary contextual advertising is not the weakest link in the privacy chain. Focusing upon advertising, with nothing more, is like leaning on auto manufacturers to improve crash test ratings, but then never fastening your seat belt.
If we are concerned about consensual use of data by companies under government supervision, we should be more concerned about non-consensual use of that data by companies that the U.S. Government vigorously defended when they were sued for violating federal law and millions of Americans’ privacy, and who Congress retroactively immunized from liability lest people find out what criminality had actually been committed at the government’s behest.
If we are concerned about social networks knowing where we update our status from, we should be at least as concerned about U.S. Government getting your exact location from our mobile providers, when government lawyers just last year told the Supreme Court that our location was not private information at all, and the Fifth Circuit Court of Appeals seems to agree (or, conversely, we could choose not update our status on Facebook or Foursquare if we don’t want people to know where we are).
Ultimately, anyone who thinks changes to website privacy policies alone will make any difference in actual privacy is a victim of privacy theatre. Privacy theatre placates with superficial exercises while obfuscating the fact that nothing has been done about the clearest threats to privacy.
I am not arguing we should ignore commercial privacy issues any more than we should ignore vehicle crash test ratings. I am saying this: it is a waste of time to worry about crash test ratings if we’ve already resolved not to wear a seat belt.
The commercial privacy debate is one of balancing transparency and accountability with the benefits of utilizing personal data in a responsible way that benefits both companies and users. The government surveillance debate is about protecting civil liberties vis-a-vis a government that, whether it admits it or not, has perverse incentives to abuse that data. Conflating the two risks generating policies that short-circuit private sector innovation, while at the same time failing to produce real privacy gains that enhance citizens security and privacy online.