Charles Davis, associate professor, Missouri School of Journalism: More than 500 million people across the globe are now on Facebook, and Google has more than 1 million servers. The exchange of personal data around the world is unprecedented. Although the public expects a certain amount of privacy, many people today share everything online, from their contact information to their favorite stores. The EU Commission is working on provisions that will allow residents to exercise the “right to be forgotten” or to permanently remove personal data from the Internet. The new law on data protection would regulate how long information on Facebook could be stored online. Meanwhile, privacy advocates in the United States are also pushing for personal data regulations. Is the protection of personal data a fundamental right, as European Commissioner Viviane Reding says? Should Internet companies be able to pass on personal data to third parties without users’ knowledge? To discuss these questions, our guests are Tanzina Vega, media reporter at the New York Times; Richard Varn, president, RJIV Consulting, executive director, Coalition for Sensible Public Records Access, Des Moines, Iowa; Peter Swire, law professor, Ohio State University, Columbus; and Milo Yiannopoulos, technology columnist, UK Telegraph, in London. Tanzina, bring us up to speed on the Federal Trade Commission and the Commerce Department’s plans around the online privacy space.
Tanzina Vega, media reporter, New York Times: For a while now, everybody in online advertising has been waiting for the Federal Trade Commission (FTC) to issue a report proposing a new framework for data privacy. Recently the Commerce Department has weighed in on the debate, and they are going to issue a “green paper.” This was on the heels of the White House starting its own Internet privacy task group a couple weeks ago and an international conference on data privacy in Jerusalem a couple of weeks ago. So you suddenly have all these voices weighing in on the domestic debate on online privacy. Does it mean that the Commerce Department is attempting to take the mantle away from the FTC, or does it mean that businesses are starting to weigh in more heavily? A lot of consumer advocates are worried that the Commerce Department’s report might represent a more business-friendly approach and undermine what the FTC is trying to do in protecting consumer data privacy.
Davis: Professor Swire, you’ve done two stints in the White House, one as chief counsel for privacy under President Clinton. You also served as counselor to the new media team as it created the overhaul of WhiteHouse.gov. What is your take, and does this make you nostalgic for the inter-agency wrangling?
Peter Swire, law professor, Ohio State University, Columbus: The Federal Trade Commission is called an “independent agency,” so they don’t get involved in the inter-agency thing quite as much. It is a very normal part of the federal government for the different parts of the federal government to have an inter-agency process, for the president and his advisors to have some take on this and to have the Federal Trade Commission do enforcement.
Davis: Milo Yiannopoulos, the EU is looking hard at proposed privacy regulations. Can you give us a sense of those?
Milo Yiannopoulos, technology columnist, UK Telegraph, London: In Europe, nobody has ever done very much about privacy, so for the EU to consider this “Right to be Forgotten” is kind of interesting. They’re thinking about a law that would enable European citizens to enact a right to be forgotten which would require any companies holding personal data to shred it so you would be able to deploy your right to be forgotten at any time. It is a bit of a nuclear option as a result of lack of regulation and rampant abuses by advertisers.
Davis: Richard, from your position as the guy who tries to keep information public as much as possible, how does the right to be forgotten strike you?
Richard Varn, president, RJIV Consulting, and executive director, Coalition for Sensible Public Records Access, Des Moines, Iowa: It is important in all these discussions about regulation to stay focused on the harm being done to people. My biggest problem with most of the regulations is not what they’re trying to aim at. Usually they’re aiming at legitimate harm and trying to solve a problem. What we’re finding with a lot of these other regulations is that they aim at one thing and they hit everything. So in something like a right to be forgotten, you end up limiting first access to certain personal information, crippling commerce, slowing transactions, and making people unable to get the service they want. The biggest problem we have is these unintended consequences that people engender when they go out to do a good thing and regulate a certain privacy harm.
Vega: Some of the ideas being looked at initially were a universal opt-in, and my sense is we’re sort of getting away from that. Every time some data would be collected, you’d have to agree to that, and most of the constituents in this debate are saying that it wouldn’t work and would just slow everything down. What is being looked at now is something similar, which is a “do not track” feature. It would be a signal sent through your web header, part of the meta-data on your computer that would say don’t collect personal information. And technologists whom we talked to say it is really not difficult to implement. But the argument we have been hearing is that at a technology level, it is almost impossible. That is holding up the policy issue in D.C. right now.
Davis: There would be a button on the website that you could just turn on and off?
Vega: What exists right now are plug-ins that are extra bits of code you can download to your computer, perhaps a huge button that says “do not track.” I’m staying away from that, and most people are staying away from that, because it is a little bit of a hot button. The form that it would take is still not clear. We’re looking at two things. One, opt-in every time, a pop-up that says, “Do you want your information collected?” That doesn’t seem like it is going to work. Second, a “do not track” option where you could turn it on through the browser’s privacy setting or download an extra bit of code that would signal to your web browser that you don’t want your information collected. That seems to be what is being looked at right now.
Davis: Peter Swire, there may be transactions in which it would be very helpful for me as a consumer to be tracked. Let’s say I’m shopping for something and I haven’t made the final purchase decision yet. I’m more than willing to have more consumer information sent to me. The New York Times did a story a few months ago about a woman who was looking for shoes and then the shoes followed her around the Internet. I read that story and thought as a consumer that is exactly what I would want to have happen. So how do you adapt to differing tastes, differing proclivities?
Swire: When polling people on privacy, there are three groups. Some people go on Oprah and tell everything, there are some people who want to be very private, and there are a lot of pragmatists who sometimes do and sometimes don’t. With “do not track,” if you don’t want to have some profile on you about every website you’ve looked at, is there some way you can manage that? How much do you push industry to give some commonsense options? How much do you write a rule or a law? Sometimes the risks of the rule of the law are that you sweep in a lot of people you didn’t realize. You were thinking about one kind of business model and it affects another model. One thing that happens a lot in the privacy area is industries get scared they’re going to get a real rule and then they suddenly solve all the problems they couldn’t solve up until then and start to come up with options. For instance, in your browser now in Microsoft Windows, there is in-private browsing so that when you’re browsing inside that part of Windows, tracking isn’t happening. There are ways we can build these things in the software, but it takes some will power and some pressure on the companies.
Vega: There is also the question that some of these browser companies have very strong advertising units to them, so there may be a business conflict for some of the browser companies to implement more stringent privacy controls.
Davis: Milo, in one of your recent columns about data privacy you wrote, “Increasingly, online privacy norms — the limits of what can be acceptably done with our data – are being established not by law makers, nor by the public, whose data is at stake, but by precisely the companies who have the most interest in exploiting our personal information for profit.” Can you expand on that?
Yiannopoulos: Yes, the company I had in mind had a website that engineered its platform to be as addictive as possible. To keep you surfing around, it uses a lot of clever strategies, like suggesting people you might know but also when you are browsing a photo album, it tries to suck you back into an unrelated photo album, perhaps with some nostalgic connections to the one you’re looking at. The issue with Facebook that I have is that lawmakers are not able to keep up with the pace of change on the Internet, so Facebook dictates privacy norms that no one has really decided on. I hear some very unsettling comments from time to time that “we decided these would be the privacy norms now,” which strike terror into anybody’s heart in any other industry. And the problem with Facebook is sometimes their target is very wrong, offensive, and inappropriate. For example, if you are a man who has indicated on Facebook that you are interested in other men, Facebook unfortunately will serve you up some very low-rent cheap ads for gay services. You never realize what sort of assumptions the system is making about you when you fill out some of these forms. The main problem is a lack of regulation and that governments just don’t have any idea how to approach this. We seem to be playing cat and mouse with the online companies, because there is no sense of anyone looking after consumer privacy interests.
Davis: Richard, I get the sense that we’re at a bit of a disconnect. On one hand, people are concerned about data privacy. At the same time, they are willingly and addictively submitting personal information about themselves to the world’s greatest social network.
Varn: People are still a bit schizophrenic about how they choose to deal with privacy. But it is also part about the way it is reported. Many times, people talk about the release of personal information. When you dig into what is being discussed, that private information is not very private—things like your name. A lot of the information and privacy issues revolve around things that have customarily been public. Like when you have someone come into your store regularly and you might know what they want, you say, “Hi, Mr. Jones. I’m glad to see you again. Do you need blah blah blah?” That’s considered good customer service, and it is things we knew as a community when we all lived in smaller towns and knew each other. So the definition of personal information gets overused in news stories quite a bit. And how is it being used to benefit you, and who really has a concern about how it is being used so much that they want to try to withdraw it? People don’t understand that if you restrict the flow of this information and you make services unavailable to you, people start saying, “Well, I want the ability to adjust this finely. I don’t want a hammer, a big button. I want something I can use at my discretion so I can reveal things when I want to and I can hide them when I don’t want them revealed.” That is what we’ve seen in the browser area. We’ve seen more subtle cookie tools, you have five or six settings on your cookie browser, third-party cookies, and first-party cookies. You’re going to have to be aware of these tools and be able to use them subtly. And that is not easy to develop those in the marketplace and deliver them and keep up with technology. That’s why we have a lack of regulation. Things move too fast and they’re too technical to be easily hit with a legislative hammer.
Davis: Professor Swire, do you think that reflects at least in part the gulf between the EU notions of privacy and the U.S. notions of privacy? It seems like Americans are more sanguine about sharing personal information with corporations.
Swire: The European Union has what it calls “data protection directive,” which says that it is a human right in the European view to have privacy. In the United States, it’s more about how do we make business work, how do we give people the kind of data they want to use? So the U.S. has a more practical approach. The Europeans often announce rights that sound very good, but they don’t know how to implement them in practice.
Vega: We haven’t touched on the issues of self-regulation and privacy policies. There is a disconnect between what people think they’re giving up, what they know they’re giving up, and how they’re giving it up. So far we have been working within the framework of what is called “notice and choice.” The Commerce Department and the FTC are taking a hard look at and determining whether or not that is effective. The privacy policies that you agree to explain in very great detail and lots of legalese how your data will be used and where it will be shared. So lots of folks do give up this information willingly, but they’re not sure what happens to that data once it is given up, how long it is stored, and what the implications are, and whether there are profiles being built about them. And then you have the issue of self-regulation. There has been lots of headway made in that realm with the Interactive Advertising Bureau in Washington, D.C., now setting out specific details of how they would like to approach self-regulation. They are working with all of the international advertising trade organizations to create icons, where you would be able to click on that ad and see how your data is being used and how you can opt out of that. That is the first step they’ve taken recently to fend off any serious legislation coming down the pike.
Vega: What is interesting about the Google approach is the FTC decided they would halt their investigation because the steps that Google had taken — including putting someone at the head of their privacy division — were sufficient for them. So there was some internal debate in Washington, D.C., as to whether that was sufficient and now you’ve got this FCC investigation.
Varn: But there are four good models to follow. There are policies to make sure you can read them and understand them. There are standards that help people follow consistently across an industry. Then there is certification to show you are certified, examined by a third party to consistently keep up with these practices. Keep these choices in mind as we move through this, because they will help the private sector live up to self-regulation promise.
Davis: Richard, you said earlier that people’s experiences online are expanding their notions of what should be private information. What is to be done with that?
Varn: I think that identity theft and identity fraud have led people to be hypersensitive to the words “private or personal information,” and so we’ve gone down the path of trying to stop every bit of information that used to be public. On the social side, when you find somebody too far over the line on a practice and it really bothers people, that’s what drives journalism and drives people’s desire to regulate. The rest of the stuff people put up with. But with this mosaic approach to information, people have one more thing to be concerned about. That’s how all the little pieces add up to a profile of you, and does it say something about you that you didn’t intend? That is a new problem.
Davis: For better or worse, government, businesses, and even our friends and family have more access to our personal data than ever before. It has led to some complex legal and political questions forcing a serious discussion about privacy and access to information.
Producers of Global Journalist are MU journalism graduate students Ryan Kresse, Youn-Joo Park, Tim Wall, Rebecca Wolfson, and Kuba Wuls. The transcriber is Pat Kelley.