Regulating behavioral collection

-- By RohanGeorge1 - 9 Nov 2017

The scale of behavioral collection should not surprise us. However, current privacy laws fail to protect us from it. The prevailing model, which has been called Privacy Self-Management, rests on principles of notice, consent and purpose limitation. It does not account for new technology or for the political economy that has emerged from it.

Additionally, as exemplified by Article 8(1) of the EU’s Charter of Fundamental Rights (“Everyone has the right to the protection of personal data concerning him or her”), society has somehow decided that what ought to be protected is information about humans, and not humans themselves.

Instead, ‘data protection’ legislation seems most focused on fostering a digital market, rather than protecting individual freedom and privacy. For example, EU data protection legislation is framed as part of the EU’s Digital Single Market policy, which aims to capitalize on the economic opportunities presented by technology.

Thus, we could say that the regulatory landscape sanctions behavioral collection instead of attempting to regulate it.

How Should Privacy Regulation Change?

One starting point in trying to reduce behavioral collection is adjusting the power balance between individuals and platform companies. But how did such a fundamental imbalance of power emerge? Why do they collect so much information (behavior) about us? Where did they get the mandate to use our information for profit?

Societal Consensus on Regulating Platform Companies?

Surely, there must exist some societal consensus on the proper role of platform companies in society, which lawmakers can base regulations on?

In actual fact, society has not considered the issue in the first place. Instead, we have been seduced by the convenience of social networking and an appeal to the innate human desire for connection with other humans. This seduction has precluded society from seriously considering how technology has affected our lives.

What should consensus look like? For example, should everyone have a fundamental right not to have his or her behavior collected? Should individuals, and not platform companies, own the data they generate by using certain online services? What kind of mandate should these companies have with respect to using individuals’ information for profit (and potentially at our expense)?

It is also important to translate any societal consensus from concept to law. This will involve dealing with the issue that individuals trade privacy in exchange for convenience and good quality services.

Dealing with the convenience / e-commerce vs privacy ‘trade-off’

First, the idea that individuals must surrender their privacy and freedom to companies in exchange for use of their services is misguided. Modern technology allows each person to, for example, store all their personal information on a hard drive connected to their own personal server, and use a Raspberry Pi to automate the negotiation of data disclosure from their own private storage to the relevant company for each transaction: it can specify the purpose, the duration, permission to store, and permission to distribute downstream.
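As an added illustration of the negotiation sketched above (example code, not FreedomBox or the author’s design; the field names, policies and shop are hypothetical), a small Python negotiator that answers a company’s request field by field, with the user’s own policy as the ceiling on purpose, retention, storage and onward sharing:

```python
# Added example: a per-field disclosure negotiator for a personal data box.
# The user's policies set the maximum a company can get; the request says
# what the company wants; the grant is the narrowest of the two.
from dataclasses import dataclass


@dataclass
class FieldPolicy:
    purposes: set     # purposes the user accepts for this field
    max_days: int     # longest retention the user will ever grant
    may_store: bool   # may the company keep a copy at all?
    may_share: bool   # may the company pass it to third parties?


@dataclass
class Request:
    company: str
    purpose: str
    fields: list
    days: int
    store: bool
    share: bool


def negotiate(policies: dict, req: Request) -> dict:
    """Return {field: grant}. A field absent from the result is withheld."""
    grant = {}
    for name in req.fields:
        pol = policies.get(name)
        if pol is None or req.purpose not in pol.purposes:
            continue  # unknown field or disallowed purpose: disclose nothing
        grant[name] = {
            "purpose": req.purpose,
            "days": min(req.days, pol.max_days),   # cap retention, never extend
            "store": req.store and pol.may_store,  # user's refusal overrides
            "share": req.share and pol.may_share,  # user's refusal overrides
        }
    return grant


# Constructed sample: one user's policies and one shop's checkout request.
POLICIES = {
    "email": FieldPolicy({"order-confirmation", "shipping"}, 30, True, False),
    "address": FieldPolicy({"shipping"}, 14, True, False),
    "browsing_history": FieldPolicy(set(), 0, False, False),  # never disclosed
}


def demo() -> dict:
    req = Request("shop.example", "shipping",
                  ["email", "address", "browsing_history"],
                  days=365, store=True, share=True)
    return negotiate(POLICIES, req)
```

The shop asks for a year of retention and the right to share everything; it receives email for 30 days and address for 14, neither shareable, and nothing at all for browsing history.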

However, the above idea rests on some debatable assumptions. For one, self-management of privacy via a ‘privacy-management-bot’ presupposes a basic level of computer literacy that is far beyond the layperson’s current capabilities.

While the technology for such a privacy-management-bot already exists in its constituent pieces, and while every technological revolution is impossible until it becomes inevitable, it remains true that expecting individuals to configure their own privacy bot is untenable in the short term. Technology like FreedomBox needs to be made ‘idiotproof’, in the sense that it should not negatively impact the user experience.

I feel the above idea is a long-term solution. Privacy-friendly substitutes for essential services that commercially exploit mass data collection, like social networking or search engine provision, will take time to develop.

Moreover, these substitutes will have to compete against multi-billion dollar market incumbents. The political economy of the current e-commerce industry, backed by supportive data protection legislation, militates against a new paradigm where companies are no longer able to commercially exploit customer data.

Some positive trends include device manufacturers trying to privacy-wash their new devices. If anything, this business decision, aimed at poaching revenues from the platform companies, will also improve individual privacy.

Moreover, the experience in India exemplifies a wave of anti-digital colonialism, challenging the entry and dominion of big US tech companies. These sentiments could be harnessed by device manufacturers as a source of new growth.

However, I think there is no political will in the ‘West’ to challenge the dominion of the platform companies in the near future. There needs to be a more immediate regulatory solution to the problem of excessive behavioral collection.

Short-term Solutions

Perhaps the answer lies in use restrictions, as Dan Geer suggested. For example, there could be restrictions on what queries organizations can run on their datasets, to prevent data analytics premised on discriminatory correlations. Or we could regulate the kind of training data used to develop machine learning algorithms, to prevent inbuilt algorithmic discrimination.

The main objection to use restrictions is the resulting inhibition of freedom of expression. In a business context, this manifests itself in restraining software engineers’ creativity.

However, I see a potential middle ground, where businesses are required to disclose certain aspects about their data handling practices (such as types of queries run on their datasets), while not giving away trade secrets. These mandated disclosures about types of use could add transparency and accountability to the quasi-public services that currently function without public oversight.

Another short-term alternative is privacy by design. This essentially mandates privacy nudges and privacy-protective default settings. They work by countering individuals’ cognitive and behavioral biases, and they are aspects of a system or user interface that could be re-engineered to offer services in a more privacy-conscious fashion.

A combination of privacy defaults and use restrictions is the best short-term legislative solution to minimize the privacy harms occasioned by mass behavioral collection. Especially if the laws are accompanied by credible threats of enforcement, they will hopefully have the teeth to deter organizations from infringing privacy.

Importantly, these short-term solutions should not prevent the development of privacy-conscious substitutes. Such technical solutions have the advantage of shifting power away from the big corporates back to individuals. The short-term solutions should be seen as part of an ongoing process toward reducing privacy harms that moves toward the technical solutions, with use restrictions and privacy defaults marking not the zenith of privacy protection, but a milestone along the way.
