Law in the Internet Society

Regulating Privacy

-- By JohnStewart

As more services move “on-line” so does more personal information. The past 10 years have seen a meteoric rise in the amount of personal information exchanged online and the next 10 are certain to see exponentially more. This information has moved online so quickly that a system of regulations and social norms has not yet developed in the same way privacy protections and expectations exist in other contexts such as healthcare (doctor-patient privilege), legal services (client confidentiality) and even the handling of sensitive tax information.

The lack of a legal framework to govern the handling of personal information online has led to a variety of privacy concerns in the online context. NYU Professor Helen Nissenbaum has published a series of works discussing her theory of contextual integrity, which is an attempt to provide a conceptual framework for creating privacy protections, whether through governmental regulations or a company’s privacy policy. Her views have begun to make an impact and it is important to take a closer look at the direction in which they may be pushing policy makers and companies. Against a backdrop of industry lobbying and studies attempting to avoid US adoption of EU-style opt-in advertising tracking regulation, the FTC has begun to make some progress by publishing a proposed framework for business and policymakers, and The White House has made public its Privacy Bill of Rights.

While a good starting point for discussion, I believe Professor Nissenbaum’s theory is fatally flawed because of her assertion that “the net” is not a distinctive space, and rather is merely an extension of our traditional social life. Whether you are banking in person at a brick and mortar bank, or logging in online she views both situations as analogous. Her theory suggests that privacy norms that govern these activities in the offline world should be applied to analogous activities online.

The New Information of the Net

This approach may work when consumers engage in behavior online that has a readily analogous counterpart in the real world – shopping on Amazon vs. shopping in a Target store, interacting with a healthcare provider online vs. in the doctor’s office – presumably one doesn’t expect one’s doctor to share one’s health records, whereas it wouldn’t be surprising if Target tracked your buying habits to try to stock more popular items. Applying a stricter privacy standard to healthcare providers than to online shopping merchants makes sense.

The model, however, begins to break down when one examines all of the ways in which the two contexts are not similar or analogous at all. Professor Nissenbaum acknowledges that “the key to creating a privacy framework for the Net is to establish appropriate constraints on the flow of personal information via these new channels.” However, it isn’t that the net merely provides new channels for information to flow; it’s that it has created entirely new types of personal information that can be collected, analyzed and used, all without the knowledge of the user. By beginning from the premise that “the net” isn’t fundamentally different, she is constrained to thinking of information on the net in the context of offline activities, a sort of pre-net mindset.

While a conceptual framework of privacy might be appealing in the abstract, its inability to offer guidance for the new types of information being collected online is a problem. The second the ink is dry on regulations dealing with today’s data collection practices, new practices will spring up. I believe an opt-in tracking regime, mandated by the government, is the only way that the consumer will be protected against ever-changing tracking and uses of personal information online. The advertising companies argue this will cripple the lifeblood of the internet – advertising-supported sites. I find this argument unpersuasive. Simply because curbing data collection practices would cause economic harm to certain companies does not mean that the practices should have been allowed to develop in the first place.

Others, as Professor Nissenbaum does, argue that the notice and consent approach to privacy has failed in large part because the many ways information gets collected online are often too complex to explain to consumers in order to give them a meaningful, informed choice to opt out. However, simply because consumers may not understand how their data is being collected doesn’t mean, by default, it should be collected. This is exactly why a consumer regulatory agency, like the FTC, needs to go beyond publishing an aspirational bill of rights and instead regulate strong, meaningful privacy protections along the lines of what the EU has done.

From a practical standpoint, her essay appears to assume that the government and companies are actually interested in working towards a better system of privacy protection. This assumption may be true for companies whose reputations depend upon consumer confidence that their information is protected, like banks, healthcare providers, pharmacies, universities, etc.

But the online companies that present the biggest privacy concerns, again the ones her framework is most likely to overlook, are more likely to resist regulation or changes to their data collection practices. Her theory assumes that the interests of the traditional offline companies and those that exist entirely on the “net” are aligned when they are not.

Any sort of industry self-regulation is only going to co-opt real regulatory overhaul. What consumers need is for the government to set a basic floor for privacy protection (a floor much higher than exists today) that companies are free to build upon as they see fit. While not perfect, this would be a step in the right direction, and better than the laissez-faire approach taken thus far.

- John Stewart



r6 - 23 Aug 2014 - 19:33:50 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.