Legislation, stealth technologies, and emerging data privacy markets are proving that the battle for our Internet privacy has only just begun
For more than a decade we've been hearing that privacy is dead, especially when it comes to online privacy. It's hard to argue with the evidence.
Law enforcement agencies routinely obtain location and call data from wireless carriers -- some 1.3 million times in 2011 alone, according to documents obtained by a U.S. Senate committee. Thanks to laws written when fax machines were considered high-tech, government agencies can access data from cloud storage with minimal judicial oversight. And with potential laws like the Cyber Intelligence Sharing and Protection Act (CISPA), Congress wants to enable private companies to share even more customer data with Uncle Sam.
[ Secure your privacy through obscurity by following these tips for covering your tracks online. | Verse yourself in 9 popular IT security practices that just don't work and 10 crazy security tricks that do. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's PDF guide. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]
The government is not alone. Virtually every commercial website (including the one you are now reading) deposits cookies that track your movements online. The number of trackers has more than doubled in a year, while advertisers and advocates continue to argue over the definition of terms like "tracking" and "choice." When consumers try to block tracking, companies like Google manage to find ways around it.
Moreover, many of us share data promiscuously on Facebook, Twitter, Google Plus, and other social sites, only dimly aware our personal information is also being collected by both marketers and the government. There's an entire industry devoted to mining that data, matching it to real-life activities, and using it to decide whether you're likely to vote Democrat or Republican, if you're in the market for a car, if you're pregnant, and whether you're a good candidate for credit or a bad insurance risk.
Little wonder then that security expert Bruce Schneier recently authored an essay declaring that we're done:
Despite this gloomy assessment, all hope is not lost. While threats to our personal privacy expand daily, so do potential solutions -- whether it's new privacy legislation, enhanced regulation, stealth computing technology, or the emergence of a consumer-driven data economy.
Legislation: A powerful tool for online privacy, mired by politicsMost Americans would be surprised to learn how little privacy legislation exists at the national level. Aside from limited protections on the sharing of health and financial information (as well as video rental records), most privacy law is based on interpretations of the Fourth Amendment -- which only regulates intrusions by the government, not commercial entities -- and FTC Act provisions against unfair or deceptive practices.
There is, however, no dearth of proposed legislation attempting to treat our privacy ills. The Commercial Privacy Rights Act of 2011 (aka the Kerry-McCain bill) would limit the type of data companies could collect without permission and require opt-outs for the rest. The Do Not Track Online Act would require all online companies to honor do-not-track requests from Web surfers. There are bills aiming to limit how much data mobile apps can collect and what they can and can't do with location data.
But with Congress mired in seemingly perpetual gridlock, it's hard to find anyone who is optimistic about the future of these bills. However, we are likely to see a move to modernize laws that govern how law enforcement can access data stored online, says Justin Brookman, director of the Project on Consumer Privacy for the Center for Democracy and Technology.
For example, Congress is expected to modernize the Electronic Communications Privacy Act of 1986, increasing judicial oversight over law enforcement and treating data stored in the cloud the same as if it were stored on our personal computers.
"The ECPA should be updated," says Brookman. "Ultimately we need an overall privacy law built around Fair Information Practice Principles, one that provides for transparency in data collection, protections for sensitive data like health or location, and the right to control your information. In the short term, that's going to be a hard sell."
While the Obama Administration's proposed Consumer Privacy Bill of Rights is a good start, it's no closer to being law than when it was introduced more than a year ago, he adds. The White House has asked private companies to follow the principles outlined in the document, but they're under no obligation and will suffer no penalties if they don't.
Some privacy advocates look to Europe to lead the way. The European Union has traditionally taken a much tougher stance on information sharing than U.S. regulators, which in turn could force U.S. data collectors to choose between operating under two sets of rules or adopting the EU's more stringent guidelines.
"There is some cause for hope out of Europe," says Jonathan Mayer, a graduate student in computer science and law at Stanford University, whose research is focused on consumer privacy. "Some very high-level policy makers in EU member states really want to change the game when it comes to online privacy. We could become the beneficiaries of new EU privacy regulations, just as some scholars argue that Europeans have benefited from U.S. financial regulations."
Self-regulation: Moving beyond the minimum standard for privacySome argue the flip side: When it comes to data collection, the marketplace can do a better job of regulating privacy than technologically stagnant, one-size-fits-all legislation can. This system of self-regulation has largely ruled the Internet since it went commercial in the mid-1990s. Depending on your point of view it's been either a dismal failure or a raging success.
For example, efforts to reach a compromise over data collection have proved fruitless. More than two years ago the Federal Trade Commission asked advertisers, advocates, publishers, and technology companies to come up with a voluntary Do Not Track standard everyone could live with. After more than 50 meetings of the W3C Tracking Protection Working Group, they are no closer to a consensus, says Mayer, who has attended nearly every meeting. Meanwhile, the number of companies tracking consumers across the Web has grown from nearly 800 to more than 1,300 over the past year, according to Evidon's most recent Global Tracking Report.
When Microsoft announced last October that Internet Explorer 10 would ship with Do Not Track set as a default, the ad industry said it would refuse to recognize the setting within IE10 because it "does not represent user choice." That move raised concern among some privacy advocates who feared it would derail the Do Not Track process entirely. The ad industry sounded similar alarms when Mozilla announced it was considering automatic blocking of third-party cookies -- the core technology of most Web trackers -- in an upcoming version of Firefox.
While industry trade groups like the Network Advertising Initiative and the Digital Advertising Alliance offer opt-out mechanisms for consumers, these only curtail data collection related to the delivery of targeted ads.
"Self-regulation," says Mayer, "is an oxymoron."
Yet self-regulation combined with FTC oversight may be the most practical path forward, argues Marc Groman, executive director of the NAI and former chief privacy officer for the FTC.
"Companies that are good actors spend a shocking amount of time and resources reading the FTC tea leaves," says Groman. "And when companies go over the line, the FTC brings actions that help inform the entire ecosystem what practices are off limits."
The greatest potential harm from tracking comes not from delivering ads based on one's browsing history, says Groman, but from using that data to make other decisions about users -- such as their eligibility for insurance, credit, or employment. That's why trade groups like the NAI and the DAA prohibit their members from using data for this purpose, and both groups periodically monitor members for compliance.
Still, many tracking companies don't belong to any industry trade group and operate entirely without oversight. Of the 477 companies listed in Evidon's database of online trackers, roughly one-third have no group affiliations, and more than 800 tracking companies aren't listed at all.
"I don't think most companies are doing nefarious things with data," says Jules Polonetsky, director of the Future of Privacy Forum. "But they haven't done a good job convincing consumers they're using data to make their lives better. You can call it self-regulation, but that can't be the minimum standard. These companies need to commit to using our data only for good and engage in an honest debate over what uses of data we support and which ones should be curtailed."
Stealth computing: Technology for covering your tracks onlineWhen legislation and self-regulation fail, there's always technology. Today, anyone with decent computing skills can enjoy a relatively private Internet experience using off-the-shelf tools and services.
For example, Web surfers can use Abine's DoNotTrackMe, Evidon's Ghostery, or Disconnect to thwart Web trackers. Anonymous search engines like DuckDuckGo and Ixquick don't record IP addresses or other information that can be used to identify you. Services like PrivateProxy and HideMyAss can mask your IP address from the websites you visit. Tools such as Privacyscore and Priveazy help consumers make better decisions about what data to share, which sites to use, and what apps to install.
These free tools probably won't stop the NSA from spying on you, but they can help keep marketers and others from tracking your virtual movements and compiling profiles of your interests and habits.
The problem? These tools are at best inconvenient and at worst a total hassle. Many websites don't play nicely with them. Searching anonymously removes much of the personalization people have come to expect from Google and Bing. Surfing the Net via an IP proxy service can be painfully slow. And you'll have to set up these tools for every browser on every connected device you use -- desktop, laptop, tablet, and phone.
"What we need is a single download that lets you surf the Net in a more secure manner," says Gabriel Weinberg, founder of DuckDuckGo. "I don't think we have to get to 100 percent privacy. If we can get to 90 percent without sacrificing too much, that might be the sweet spot."
No company has yet to package all of these tools into a single platform that's simple enough for the average user, admits Andy Sudbury, CTO and co-founder of Abine. And the companies best positioned to build a privacy-by-design system -- Microsoft, Apple, and Google -- are all in the data collection business.
Still, he notes, privacy is going mainstream. Products like DoNotTrackMe are being bundled with security suites from companies like Avira and Checkpoint. Enhanced privacy is becoming the default setting in popular browsers like Internet Explorer, Mozilla Firefox, and Apple's Safari -- though not without a lot of pushback from the online advertising industry.
"Privacy today is similar to how security was in the late 1990s," Sudbury says. "In the old days setting up a firewall was pretty complicated. Then Zone Alarm came along. Now every user running a Windows machine has a firewall built in. I honestly believe that in five years we'll have more control over our personal information than we do today."
The personal data economy: Putting consumers in control of their privacyWhile dozens of small startups struggle to build a business out of privacy, big data collectors are discovering that it pays to offer consumers more control over how their information is used.
Within five to seven years, most consumers will be able to manage their own data, predicts Fatemeh Khatibloo, senior analyst at Forrester Research. They'll be able to log into their accounts, determine what information they're willing to share, who gets to see it, and what they'll get in return for it.
Khatibloo says data collectors and large enterprises will embrace PIDM (personal identity management) for a simple reason: It will save them money. Data breaches have cost companies such as Sony and Epsilon hundreds of millions of dollars. Companies are spending astronomical amounts of money gathering and storing data they don't know what to do with, don't really need, and struggle to keep secure, she says.
Customers in turn will embrace PIDM because it offers them control over their data and something of value in return -- such as targeted offers, free services, and freedom from having to provide the same personal information to dozens of sites.
In this scheme, consumers would store sensitive information in cloud-based data lockers; third parties would only be able to access information needed to offer a service or perform a transaction. The data-locker provider would be responsible for ensuring security; consumers would theoretically be more willing to share more information; and companies would get more accurate data without the liability, says Khatibloo.
The PIDM economy is already under way with companies like Enliken, which offers Web publishers the ability to negotiate with visitors by offering deals in exchange for their data, and OneID, which enables users to verify their identities online without necessarily revealing any personal information.
Earlier this month UnboundID announced a privacy suite that will allow enterprises to offer their customers more control over their personal data. At the moment the suite is still in trials with several telco and cloud service providers, who are weighing whether to embed the software in their user portals later this year, says Andy Land, vice president of marketing at UnboundID.
Of course, how much control each organization offers its users will vary, admits Land. Some may be reluctant to give up control. But he believes that will change over time.
"There will be a domino effect," he says. "A company will offer these controls to users, see results, and start touting them. Others will say, 'Wait a minute, they're offering something we don't; we're at a disadvantage'. But first you need someone to stand up and say, 'We're doing this because we think it's the right thing to do.' "
Data for the peopleWe are still in the very early days of the information economy, notes Trevor Hughes, CEO of the International Association of Privacy Professionals. As with the industrial revolution, the data revolution comes with its own share of strife and difficulty.
"But the industrial revolution ultimately resulted in things like the five-day work week and child labor laws," he says. "One of the first issues we have to grapple with in the information economy is privacy, but I expect there will be dozens more."
Hughes argues that the benefits we can glean from data collection -- from wearable health monitors like the Nike Fuel that track our workouts to smart meters that help conserve home-energy use to services like Mint.com that let us manage our personal finances from a single screen -- outweigh the risks.
"There's a sense out there that if you shut off the data you can shut off the abuses," adds Jim Adler, chief privacy officer and vice president of data systems at data broker Intelius. "That may be true, but then you also shut off all the benefits."
Adler acknowledges that for now data collectors have the upper hand, but believes that consumers will eventually achieve parity.
"Right now they know everything about us and we don't know anything about them," he says. "I think that will level out over time."
Hughes points to his own industry as proof that privacy is far from dead. Fifteen years ago, the privacy profession did not exist. Now there are more than 12,000 privacy professionals in 78 countries, trying to direct their companies to use data responsibly and safely.
"The job of the chief privacy officer is to figure out how society can extract the maximum value out of that data while at the same time protecting consumers from harmful uses," he says. "I want to live in a world where data works for us and delights us, and I think that will happen."
This story, "Our Internet privacy is at risk -- but not dead (yet)," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.
Read more about security in InfoWorld's Security Channel.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000
Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen