Lex Indicium

The Noise About Privacy: Is Big Brother Watching, Or Is He Just the Most Compulsive Hoarder of ‘Random’ on the Planet?

On May 19, CNNMoney’s Jose Pagliery published a provocative piece: “What you really accept to when you click ‘accept’“–an exposé on the privacy policies of 18 of the most popular websites and mobile apps.  The article shines the klieg lights on one of the dirty little secrets of consumer internet usage– that online privacy policies are ephemeral, dense, rarely read, one-sided and, sometimes, over-reaching.  Pagliery infers from these conditions that most companies care little for a user’s privacy and want nothing more than to collect the maximum information and use it in any way that increases the bottom line.

At the risk of sounding defensive, I’d say that conclusion is largely unsupported and pretty far from accurate for most web-based companies.  In fact, the density and vagueness of privacy policies often is caused by a variety of competing pressures faced by online companies.  Varied international laws and regulatory schemes applicable in different jurisdictions to different kinds of data create part of the problem. There is no single or baseline set of standards for privacy protection and this creates a veritable briar patch of disclosure and processing obligations that can be just plain difficult to manage and articulate in a succinct online policy.  To wit, a dense policy is probably an indication that the company is at least trying to comply.

In addition, the constantly changing business models of any nimble online company can produce thick prose that attempts to cover a plethora of possible activities and a privacy policy that seems to change with the weather.

This circumstance is regrettable and perhaps confusing to consumers– but not necessarily attributable to bad intentions or poor privacy etiquette.

Without a doubt, consumer data is a valuable commodity and many bad actors (and some otherwise reputable companies) will do anything to get their hands on it and sell it or profit from it.  Furthermore, there are still too many companies that don’t adequately attend to data and system security. And, as the ACLU and others have pointed out, the onslaught of the internet of things also is overwhelming our ability to synthesize a regulatory model that will protect us from collection and misuse of personal data.

But there is a qualitative difference between the risk to user data caused by a hacker looking for credit card details, and the exposure to consumers caused by capturing consumer movements around the web and/or collecting anonymized data for analytics purposes.

That is, sometimes I think consumers and commentators confuse the need to keep sensitive information (like credit card data) protected, with the somewhat innocuous practice of using non-personally identifiable information for broader (and largely benign) analytics’ and marketing purposes.  Personal data, including my name, my credit card number, my contact details and my medical history —all of that needs to be inaccessible to hackers,  in my control and not shared unless I say so.

But anonymized data about my travels across the web that is only linked to my zip code or my IP address?  I don’t care.  I’m not sure why anyone should care about that and if it helps someone decide that we need a Starbucks in my neighborhood – PLEASE USE IT.   Ok. I’m kidding.  A little.  No doubt it is annoying- no disturbing – when I am searching for flashlights on Amazon and then click over to Facebook and I’m being shown ads for flashlights.  Is it worse than the sales person at The Gap asking me if I want to try those jeans in black or green in addition to the denim in my hand?

In fact, consumers and privacy commentators who bemoan the tracking of web use seem to forget that without these technologies, so much of what we take for granted on the web— for example, free access to billions of pages of content that we previously paid for in newspapers and other pubs— would cost us dearly.  If internet companies can’t watch what we are doing and then leverage the data (at least anonymously) our internet would look more like a movie theatre that we access for short periods in exchange for a ticket charge.

Personally, I’d prefer a free access internet even it means that someone knows that someone using my IP address left Amazon.com to buy dog food at Petco.  And frankly, in some ways, that use of electronic data is much less intrusive than being surveilled in the open market as I go from booth to booth or shop to shop in the traditional “agora” where anyone can watch me and my spending without any regulation.

In any event, users who are concerned about privacy (and companies trying to put together useful policies) should start by focusing on three pretty simple aspects of the privacy policy:

1. What exactly is being collected and stored about me: is it personal information that I really care about?
2. Are you transferring personal information about me to someone else, and if so why and how?
3. Is my personal information maintained in a secure way so that hackers and evil-doers don’t have easy access to it?

Once I know the answers to these questions, then I can decide, as a consumer, whether to do business with this company.  If the policy doesn’t provide answers to these questions, then I generally become dubious. And, if a company is only collecting my movements and my IP address, maybe I just don’t care.

It’s not simple.  And I’m not suggesting for a nanosecond that either consumers or regulators should become less vigilant or less attentive to privacy practices— especially when surveillance technologies and the internet of things threatens to overwhelm all rationality.  I’m only suggesting that absolute privacy protection may not be necessary or even attainable (nor has it been– ever).  Unless you are a hermit, true anonymity is a fallacy.  The better approach, therefore, may be to figure out (as a consumer) what you really want to protect and what (if anything) you’d trade for the continued freedom to use and travel the web for free— and then be prepared to read policies and use terms of use to your advantage.   Just my two cents.