Privacy online: what’s the problem?
Why do those concerned about online privacy see state regulation as the solution?
The internet’s sweeping ability to collect and distribute people’s demographic and purchasing information through their online activities has raised questions about our ‘electronic footprints’ in cyberspace: the inadvertent collection of data and insights into personal behaviour that can be stored, monitored and used in the future.
As a consequence of this heightened concern with privacy, more than 300 privacy-related bills have been put forward for consideration in state legislatures across the USA (1). In Europe, too, as surveys have been published showing that 80 percent of European websites do not comply with current EU data protection laws, Erkki Liikanen, European Commissioner for Enterprise and Information Society, has promised ‘changes in EU law that…will close the loopholes of new technologies’ (2).
But is it true that new technologies – and particularly the internet – represent a fundamental threat to our privacy, as some have argued? And what is the basis to the preoccupation with privacy online?
Many commentators argue that society has become more privacy-conscious as a result of the growing awareness of IT-induced surveillance and the threat to online security (particularly in relation to financial transactions). The average British adult today can expect his or her personal details to be held on at least 300 different databases – and electronic and networked data storage systems increasingly control important areas of daily life, from credit ratings and medical records to employment-related data and information about shopping habits.
Others suggest that concerns about privacy have gained pace as a consequence of the dotcom collapse. For example, when Toysmart.com, the defunct online toy retailer, attempted to sell its customer databases to overcome financial ruin, the Federal Trade Commission launched a lawsuit to stop this kind of thing happening. Financially troubled DoubleClick.com was met with outcry when its hope to merge its databases with Abacus Direct, whose database included the names of people and their purchasing habits, was revealed.
But while these developments have certainly raised the profile of privacy, what is meant by ‘privacy’ in these discussions is not civil rights, underpinned by the political principle of freedom, but consumer rights, underpinned by the principles of data protection and by the law of trading standards.
Today, privacy is primarily regarded as a matter of ‘balance’. The erosion of previously upheld civil liberties is increasingly seen as the price worth paying for the promise of security. Civil liberties, it is argued, should not be rights that overrule all others, and society should be able to invade privacy when the public good is at stake. The widespread acceptance of this argument has robbed privacy of its defining feature – that privacy means the privacy of the individual from surveillance and intrusion by the state.
What the preoccupation with privacy indicates is the tendency to perceive people less as individuals with civil rights, than as individual consumers with data rights. But data protection laws are very seldom privacy laws. They are information laws, which protect data rather than people. They only deal with the way data is collected, stored, used and accessed.
More data protection laws effectively allow for many violations of genuine privacy – primarily because they exempt the state from controls over access to this data, but also because they do little or nothing to limit the collection of the information in the first place (3). The reduction of privacy to consumer rights not only fails to challenge privacy violations – it implicitly calls for more of them, through the demand for consumer protection.
The narrow consumer focus underlying the elevation of privacy today focuses attention on the least important area of privacy infringements – where companies collect information in order to sell things to their customers – while making encroachments on privacy and personal liberties by the state seem legitimate. This helps to explain why, despite the heightened public anxiety about privacy, there is little outcry about the steady erosion of privacy-related civil liberties by the state.
Look, for example, at the UK Regulation of Investigatory Powers (RIP) Act (2000), which grants the authorities unprecedented powers to monitor electronic communications. Among other things, the Act ensures that the police and security services can intercept all internet and mobile phone communications. Even if you are not suspected of a crime, you can be imprisoned for two years if you fail to disclose a computer password or encryption key.
Apart from the level of intrusion that this represents, the imperative to surrender a key or password shifts the juridical balance – in the event of a lost or forgotten password, the burden of proof is on the defendant, and the assumption of innocence until proven guilty has gone. Yet there was little revolt against the RIP Act, as it was seen as a way of protecting people from other abuses online.
Likewise, developments in the workplace that allow for greater monitoring of employees have stirred little dissent. A study published by the American Management Association in spring 2000, for example, found that the number of companies conducting some form of ‘active monitoring’ of their employees jumped from 45 percent in 1998 to 74 percent by the end of 1999. Email monitoring rose from 27 to 38 percent in the same period. International Data Corporation estimates that spending on internet filtering and monitoring software is set to rise to $561million by 2005 (4).
The focus on consumer rights in relation to the internet has another damaging consequence. Not only does it concentrate on the least important area of the internet – the internet as a consumer tool or delivery system for consumption – but within this sphere, it presents the technology itself as necessarily intrusive and abusive.
The reaction to Microsoft’s announcement of its new Hailstorm initiative – a ‘web service’ that will allow internet users to store their personal details such as name, address, calendar and even credit card details online – illustrated this prejudice (5). What generated numerous column inches across the world media wasn’t the technological advances underlying Hailstorm and Microsoft’s far-reaching .NET vision of distributed computing; and very little was discussed about how web services could transform the user’s experience of the internet, by making possible the management (and control) of personal information across multiple applications and devices. Rather, the coverage dwelt on fears about the consequences of customers surrendering their personal details to Microsoft.
Little was explained about exactly how and why it would be a problem to give personal data to a company that can only use this to try to sell you things you might want. The other fear – that corporations would mine this data and sell it, thus making connections that could potentially be harmful to individuals – is less than logical.
The hypothetical scenario, for example, that a prospective employer could, by having access to your shopping history, know your drinking habits and use this in a decision about whether to employ you, underestimates the extent to which data mining is costly and time-consuming. The most profitable use of tracking an individual’s purchasing history is discovering and targeting offers to that individual based on that history – for example, through advertising new products directly to individuals (6).
The narrow consumerist focus on the potential for companies to collect and abuse data not only downplays the impact of privacy invasions by the state. By stressing the vulnerability of consumers online, it effectively reduces users of the internet to children who-know-not-what-we-do online, and are thus in need of protection from big corporations who might abuse the data we willingly give them.
This notion surely underestimates the capabilities of internet users. Almost all surveys about online privacy make the point that, while many fear the misuse of information, the majority are willing to trade personal information in return for online benefits and services. This is what sensible adults do and can be expected to do. In fact, the major problem with the internet as it is presently constituted is that it remains a crude collector of this information – a blunt instrument too often subject to the short-termism of business concerns.
As we move towards the Next Generation Internet, where real-time computing holds out the possibility of personalised information and services communicated across platforms and diverse devices, the possibility of being able to refine data collection and delivery could transform this blunt instrument into a remarkable and indispensable tool for business and for everyday life. But to realise this, more, not less information is going to have to be given up.
Once concerns about the abused consumer are pushed to the fore, the internet becomes a focus for protection and regulation, not for discussions about innovation and freedom. The very institutions that are the problem in terms of the threat to privacy – the institutions of the state – come to be seen as the solution, the champion of privacy as data protection.
How has this happened? As I have indicated, the widespread concern about privacy is not a reflection of consumers’ vocal, everyday concerns. Rather, it reflects a broader disengagement from politics in society, and a widespread – if incoherent – mistrust of big business. This has elevated data protection advocacy groups to a position of influence that is disproportionate to their social weight.
The number of organisations active in the sphere of online privacy and data protection has grown immensely in recent years (7). As the popular disdain for parliamentary politics has grown, the government increasingly looks to consumer and advocacy groups in an attempt to keep in touch with public opinion.
In this climate, consumer activists gain access to powerful institutions, government think-tanks, and focus groups – all of which give them more clout. For the government, meanwhile, this helps to create the impression of engagement: the more it seems to be listening and conducting a dialogue, the more accountable it hopes to appear.
A similar process is taking place with big business. Like governments, the business world has begun to see that building trust is now a key to future survival. Lou Gerstner, CEO of IBM, now argues that privacy is a key ‘business ethics’ issue. The rise of the CPO – the Corporate Privacy Officer – expresses how far this concern with trust has gone. These newly minted executives oversee company privacy policies to ensure that they do not embarrass the company or, worse, permanently destroy its reputation by unwittingly violating the rights of its customers.
Microsoft, IBM, American Express, AT&T and Eastman Kodak, to name a few, have appointed CPOs who report directly to the CEO. There are now at least 100 privacy chiefs in the USA, on salaries of $125,000 to $175,000 a year. In addition, IBM has 650 consultants, architects, and other staff in its Global Trust and E-Commerce Services Unit. PricewaterhouseCoopers now produces privacy audits for corporate customers. Marc Rotenberg, head of the Electronic Privacy Information Centre, a policy group in Washington, sees businesses’ growing awareness of privacy as a significant development that ‘has become part of mainstream business culture’ (8).
The economic implications of security concerns online, and its negative impact on e-commerce, have also focused many business minds. Forrester, for example, calculates that over $3billion was lost in online retail sales in 1999 alone, and that today this lack of confidence costs e-commerce as much as $12.4billion in lost sales. A survey by American Express covering 10 countries including Britain, Sweden and Italy, found that 79 percent of the financial services company’s clients considered privacy and security major issues in online shopping. But these practical concerns are only one small part of companies’ concerns with privacy.
The unelected and thus unaccountable character of advocacy groups concerned with privacy means there is little recourse to challenge what are essentially very narrow preoccupations and prejudices. In order to gain as much profile and influence as possible, these groups need to exaggerate possible data abuses, and so on. Not only does this mean bad PR for companies that are less than cautious: the disproportionate influence that advocacy groups have over the public policy debate means that their narrow concerns can be swiftly translated into official regulation of companies’ activities.
After each scare story of data abuse is pumped and primed across the media, companies, put on the defensive, rush to regulate before the state gets in there first. And as governments seize upon the opportunity to connect with the broader public by addressing their online fears through data protection legislation, assumptions and regulatory frameworks are being established that are already curtailing the potential of the internet.
Look, for example, at the Directive of the European Parliament concerning the processing of personal data and the protection of privacy in the electronic communications sector. Despite the fact there have been no notable cases of privacy infringements in this area, this new directive threatens the future of innovation and development of new personalised services – for example, by lumping together location and traffic data.
In the electronic communications or mobile sector, traffic data and location data are intimately connected. Personal details, numbers used, the frequency of calls, as well as the location calls are made or received from, all add up to an enormous amount of information about an individual’s daily life. This data is an inevitable consequence of this technology and is necessary for a smooth-functioning mobile network.
However, location data adds a new dimension to privacy concerns because it locates and identifies the user in both time and space. While concerns abound about this being used in criminal cases (either as proof or disproof of an alibi, for example), the key point about this data is that it forms a vital point to the development of value-added mobile services.
Take a trivial example like targeted marketing, which reveals the potential of mobile services. Because you have subscribed to a music service in which you reveal your personal preferences as part of the service agreement, you may receive a text message as you are passing a music store alerting you to some special offers on the CDs of your choice. Unlike now, when such messaging is like a blunt instrument – informing you about musical bargains in a store in Wolverhampton while you live in London – this personalised service is premised on the basis of this data being surrendered to the mobile company. The directive, however, defines location data in such broad terms, suggesting these should be subject to the same regulations as positioning data, the possibility of delivering diverse, geographically located services is threatened.
The danger here is that the treatment of data in this undifferentiated way will prevent mobile companies from evolving more personalised (and value-added) services that the industry needs – if it is to generate the kinds of revenues that will enable it to innovate even more in the future.
By focusing on the relationship of the internet to consumer rights, the privacy debate has established a regulatory impulse that affects the whole internet. We should be clear that the problem is not the technology, but the narrow terms in which the debate about privacy is being conducted and is beginning to influence public policy.
While IT can provide effective technological solutions to online privacy (particularly if governments will allow effective encryption techniques to be used), such solutions would do nothing to tackle the wider assumptions within the privacy debate. The greatest check on invasions of our privacy lies in preventing any further encroachments by the state into our rights online – even when these encorachments are done in the name of protection. A staunch defence of freedom is the only condition that will allow the innovation and experimentation needed to realise the real potential of this technology.
When it comes to debating our liberties online, it might be worth moving away from the confused and abused term ‘privacy’ – and focusing instead on freedom.
Dr Norman Lewis is director of GAP21 and director of technology research at Freeserve.com plc
Human rights RIP, by Sandy Starr
Moving on, by Sandy Starr
spiked-seminars: Privacy from whom?, by Norman Lewis and Neil Barrett
(1) ‘Privacy battle looms online’, Stephanie Kirchgaessner and Peronet Despeignes, FT.com site, 28 February 2001
(2) ‘Online Privacy: Sites in Europe Failed to Give the “Opt Out” Choice’, Ben Vickers, The Wall Street Journal, 15 February 2001
(3) See Simon Davies ‘Reengineering the Right to Privacy: How Privacy has been transformed from a Right to a Commodity’, in Agre, PE & Rotenberg, M (eds) (1998) Technology and Privacy: The New Landscape, ,MIT Press, Cambridge Mass, p143
(4) ‘Privacy at Work? Be serious’, Jeffrey Benner, 1 March 2001, Wired News
(5) See Storm over Hailstorm
(6) See David Orenstein’s excellent piece, ‘Personalized or Private?’, 9 May 2001, on Business 2.0.com
(7) See the links on the Foundation for Information Policy Research website
(8) New York Times, 12 February 2001.
The following list is a small sample of the blossoming privacy and data protection industry.
The Electronic Privacy Information Centre: The Electronic Privacy Information Center (EPIC) is an independent non-profit corporation in Washington, DC. EPIC is a public interest research centre. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
The Office of the Information Commissioner (UK government): The Commissioner is an independent supervisory authority and has an international role as well as national role. The Commissioner has a range of duties, including the promotion of good information handling and the encouragement of codes of practice for data controllers, that is, anybody who decides how and why personal data (information about identifiable, living individuals) is processed.
Privacy International: Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, DC. It has conducted campaigns throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems, and medical privacy.
Media in the Information Society (European Commission): The Internal Market DG deals with media, commercial communications (advertising, sales promotions, sponsorship, direct marketing, etc) and information society services (electronic commerce). Its policy objective is to guarantee freedom of establishment and the free movement of services, and to offer European business and citizens the full benefit of the area without internal frontiers. Actions in media area: implementation of the Directive on the legal protection of services based on, or consisting of, conditional access, media ownership, cable access and other issues. For the information society services: implementation of the so-called transparency Directive, the Directive establishing a legal framework for the use of electronic signatures and negotiations in Council and EP of the proposal for a Directive on certain legal aspects of electronic commerce. In the commercial communications area, actions concern removing barriers created by rules on advertising, sales promotions, sponsorship, direct marketing, etc.
Electronic Frontier Foundation Privacy Now (EFF): EFF is a non-profit, non-partisan organisation working in the public interest to protect fundamental civil liberties, including privacy and freedom of expression in the arena of computers and the internet. EFF was founded in 1990, and is based in San Francisco, California, with a satellite office in Washington, DC.
Data Protection sources (EU):
General data protection directive (already in force)
The EU working party’s working document (.pdf format)
Privacy and telecommunications directive (specific to IT and Telecoms; comes into force 31 December 2001)
The Foundation for Information Policy Research: The Foundation is an independent body that studies the interaction between information technology and society. Its campaign against the RIP Bill was notable for the way it ensured this became a public debate in the UK.
Global Internet Liberty Campaign: a US and UK online privacy public organisation.
Internet Free Expression Alliance: an organisation to promote freedom of speech/access to information on the internet.
Trans Atlantic Consumer Dialogue: forum of US and EU consumer organisations, which develops consumer policy recommendations to governments.
Online Privacy Alliance: US-based corporations and associations that promote trust and privacy online.
Federal Trade Commission: US-based governmental body dealing with privacy legislation and reports.
UK Data Protection Forum: this group provides focus for exchange of information on data protection. It hopes to bring together companies, associations and organisations to create cooperation between public and private sector organisations.
To enquire about republishing spiked’s content, a right to reply or to request a correction, please contact the managing editor, Viv Regan.