Upload: irene-williams

Post on 28-Dec-2015


Privacy beyond the state

Last week – discussion of political disputes over the relationship between security and privacy.

But this doesn’t exhaust the issue of privacy.

A more general set of concerns surrounds the vast explosion of private information available to non-state actors (firms, non-profits, other citizens etc).

A major public policy challenge.

Dog Poop Girl

The Star Wars Kid

Non-policy problems

These are problems that it is difficult for policy makers to deal with.

May be leading to substantial sociological changes – but these changes are happening primarily in private life.

Same is not true of a variety of other changes in personal information, and its use (and sometimes abuse) by firms.

Choicepoint scandal

Choicepoint – a Georgia-based company that sells personal information, including credit rating information etc, to companies.

Included SSNs and other highly sensitive data.

In February 2005, it was revealed that they had sold personal information on at least 145,000 Americans to a fraud ring.

Criminals can use this data for identity theft, major credit card fraud etc.

How are these problems linked?

We are in a world of ubiquitous information gathering (esp. on online behaviour).

Getting information is cheap.

Buying and selling this information is non-transparent and mostly non-regulated.

May have benefits for consumers (get more targeted advertising, lower interest rates etc)

But may also lead to uncontrollable losses of privacy.

Especially problematic in Web 2.0 applications – where people provide information themselves whether they are aware or not.

Outline

Background - reasons for lack of regulation.

Different approaches in EU and US

New policy problems posed by ‘cloud computing’ and ‘Web 2.0’

Benefits and drawbacks of government regulation vs. self-regulation in new context.

The Beginnings of the Privacy Revolution

1970s saw spread of large mainframe computers to government and large firms.

Also saw major concerns develop about individual privacy vs. government and business.

• Worries especially marked in Europe, given history of Nazi use of personal data.

US as exception

Privacy officials began to develop so-called ‘fair information principles’ (on notice, choice, access, accuracy etc).

• Became the basis for OECD principles, Council of Europe Treaty.

However, US proved to be an exception.

Most other countries in industrialized world developed blanket privacy laws that applied both to government and to private business.

For example, European states developed national laws and, eventually, a blanket EU Directive.

US only had blanket laws that applied to government (1974 Privacy Act) and not to the actions of private firms etc.

Private sector and privacy

Privacy regulations that apply to US private sector firms are incoherent.

There is stronger protection for video rental records than for key personal data.

Complex and non-compatible regimes governing financial information, health information etc.

No real rules governing how many forms of information can be shared for marketing purposes.

Different privacy systems

Thus, two basic approaches to private sector privacy protection.

Approach of EU and many other states – to provide blanket regulation of privacy.

Approach of US and a smaller group of states.

A mixture of limited regulation in some sectors, and no government regulation in others.

European Approach: Positive Consequences

Provides stable, simple and secure expectations to citizens.

• Have a pretty good idea of what businesses are likely to do with their data.

Means that unexpected abuses are less likely to happen (e.g. where personal data sold to criminals).

Reduces levels of junk mail etc.

European Approach: Negative Consequences

A one-size-fits-all approach may be inappropriate for some business sectors.

Is hard to update over time given changing technologies.

• Basic principles were laid out in the 1970s.

May also involve commercial inefficiencies (e.g. less information may raise transaction costs, encourage opportunism etc in credit and other markets)

US Approach: Positive Consequences

Lack of privacy has arguably resulted in cheaper credit.

• Because it is easier to obtain information on individuals’ past behavior, banks may more easily assess how trustworthy they are.

May also have helped further development of e-commerce through allowing different profit models etc.

US Approach: Negative consequences

May be difficult for individuals to assess or understand how their personal information can be used.

Very different rules (or lack of rules) across different industries.

• Confusing privacy statements.

Self-regulatory schemes may be much weaker than they might appear to be at first glance.

New problems

New Internet applications present important challenge to both EU and US regulatory systems.

(1) Involve individuals voluntarily giving over high levels of intimate data to WWW based firms.

How can (or should) this be regulated?

Obvious case: Facebook

Facebook involves individuals providing personal data (much of which is sensitive – covering personal behavior etc).

But individuals only have moderate influence over how this information is distributed.

Have some options to limit information to friends etc.

But many people don’t bother/don’t know that this is an option.

And potential employers often get alumni to scour candidates’ Facebook pages for potentially embarrassing data.

Facebook as a profit model

Facebook also lends itself to more substantial data mining.

Facebook’s executives are still trying to figure out how to make a profit.

One way that they have tried: Beacon – which broadcasts friends’ purchasing decisions to each other.

But resulted in massive outcry, and damage to brand name.

Facebook’s main asset remains its wealth of personal information.

Likely that it will seek to capitalize on this in less visible ways in the future.

Google

Google is less obviously problematic for privacy.

But may be becoming more so over time.

Its business model relies on combining advertising with access to targeted information.

Originally search – but increasingly involves other stuff too.

Gmail

Gmail – an incredibly convenient and well-designed webmail system.

Yet one that shows how Google is moving away from pure search to providing a suite of online tools.

These tools are (mostly) provided for free – what is in it for Google?

Opportunity to gather data, and to target ads accordingly.

Use of keywords from email etc to target ads.

Google Docs

Google Docs a more advanced version of this.

An early example of ‘cloud computing’

• Move of important activities online rather than using offline storage (computer hard disks etc).

But this creates key privacy challenges.

Who will control the personal data arising from this move? How will (or will it) be regulated?

Challenges for the US system

US has seen significant breaches of personal data a la Choicepoint.

But it may be that it hasn’t seen anything yet.

As people move more information online, they also increase their vulnerability both to accidental disclosure and to criminal efforts to gather information for identity theft etc.

Also, perhaps, to blackmail, discrimination from lenders or others, discovery in legal cases and other unexpected uses.

Likely US response

US response typically invokes self-regulation and market mechanisms.

Also, consumers may tolerate many things that would annoy privacy activists.

These may forestall, at least some of the time.

• Facebook backing down.

But may not be sufficient if major data breaches occur.

Will we see new pressures for regulation (more likely under a Democratic administration on past form)?

Challenges for EU

European consumers haven’t suffered any equivalent scandals to date.

Protections seem to work for the moment.

But European laws are designed for computers of twenty years ago.

How can they be updated to handle new technologies?

And are they just liable to be rendered obsolete a few years from now again?

European response

Europeans have sought to respond by delegating authority to specialized privacy officials (who have been pushing the boundaries of their transnational authority).

Have forced Google, for example, to change its data holding practices.

But this again may have limits in a global economy – at a certain point, other countries (such as the US) may see EU efforts as interference.

Flux

This is a set of policy issues where there is no very clear set of regulations or self-regulatory scheme that can do everything people might want it to do.

But also – likely to be a hot-button issue over the next ten years or so.

More of people’s lives are being lived (or reflected) online.

This creates both opportunities and vulnerabilities.

We don’t have good means of balancing these opportunities and vulnerabilities at the moment.