Commentary

Privacy Baked In From The Beginning

  • by , Featured Contributor, August 12, 2010
The online privacy debate continues to rage.  The Wall Street Journal ran a series about Web tracking practices. Google, both inside the Journal and out, is in the privacy headlines once again over its Street View mapping service, with issues in both South Korea and Germany. Eric Schmidt, Google's CEO, told attendees at the Techonomy conference that anonymity online wasn't necessarily a good thing. And, of course, the past two weeks saw lots of privacy-related activity on Capitol Hill, from hearings to discussions of potential bills and letter-writing campaigns.

Many in the industry have been taking a lot of reactive -- and appropriate -- steps to deal with privacy issues as they surface. Many Web sites are improving their privacy notices, making them simpler and more prominent. Many ad networks have strengthened their anonymity and opt-out practices. Most important, the industry, through its trade associations -- including the Interactive Advertising Bureau, the 4As, the ANA and the DMA -- has begun implementing self-regulatory principles to ensure that companies provide a basic level of privacy protection to users.

But all this is not enough. It's time for online companies to get out in front of the privacy issue, and the chairman of the Federal Trade Commission has provided some great guidance.

In testimony before the Senate Commerce Committee just over a week ago, FTC chairman Jon Leibowitz offered up a new way for online companies to think about protecting privacy, right before suggesting that if the industry doesn't make a lot of progress on this issue, it could face everything from congressional action to a national do-not-track list (not unlike the do-not-call list). Leibowitz called for online companies to build their products and services with "privacy baked in from the beginning," making "privacy by design" an integral part of their businesses. Privacy by design is a very powerful concept. It recognizes that privacy is now a fundamental element of all online businesses, and that just retrofitting privacy protections will not be enough over the long term.

I really like this principle; I believe it's exactly how online companies need to be thinking today. Our more reactive efforts to "retrofit" strong privacy protections into our existing businesses are fine, and need to continue, but we also need to be thinking and acting in parallel to those efforts to make privacy protection a fundamental part of everything that we do going forward. Significant benefits await companies that do this well.

Just think about the emerging location-based services. The market for these Web services is still nascent, but many -- including me -- expect this to be a $10-billion to $20-billion market well before this decade is out. Privacy is certainly going to be a critical issue in the development of this market. Where people are at any moment is a very powerful social (and commercial) data point, but it is also one that is fraught with potential privacy issues. Now is the time for companies that are building this new marketplace, from big social media companies to location specialists, to get out in front of the privacy issue and "bake privacy in from the beginning" to their new products and services.

Location-based services have a chance to make privacy protection a basic and integral part of the fabric of digital location and become a very powerful accelerant to their businesses and the market's development. Doing this will not only help keep regulators around the world off their backs, but could significantly improve the level of trust that all users place in location-based services -- and, by extension, speed up their adoption.

What do you think? Is it time for online companies to "bake privacy in" from the beginning?

6 comments about "Privacy Baked In From The Beginning".
  1. R.J. Lewis from e-Healthcare Solutions, LLC, August 12, 2010 at 12:14 p.m.

    Everyone knew there was a creepy factor to BT and related technologies. Everyone knew the debate over "Data ownership" between advertisers and publishers was ridiculous, when the real ownership of one's data always resided with the end consumer being monitored. I'm just surprised that backlash took so long to arrive. Expect this storm to get a lot worse before it gets better.

    Yes, "Privacy by Design", and building products with privacy in mind from the beginning is a great concept. The "beginning" in our industry was 20+ years ago though... we all should have been more vigilant all along rather than let pure commercial interest blur our vision. And so the pendulum swings...

  2. Mark Burrell from Tongal, August 12, 2010 at 12:28 p.m.

    I'm by no means a conspiracy theorist but I do believe that following the money leads to answers. Does anyone seem to note that the vast majority of these reports is coming from News Corp? And that News Corp has recently doubled down and made massive investments in putting up the wall again and valuing traditional media. I'm just not convinced that this is as much of an issue for people as it is for the WSJ.

  3. Paula Lynn from Who Else Unlimited, August 12, 2010 at 12:59 p.m.

    What about the ooops factors? "Well, we thought we had all the privacy channels fully operational with requisite updates, but ooops, we got hacked." Not good enough. I do not want to be BT's (although I am to too many degrees) and I will not use location based services. Not only doesn't the world need to know where I am all the time, I don't need to know where everyone else is. Legally, whoa, that's even a bigger story. Personally, I have too much respect for people like you Dave, to follow you anywhere. If it is that important for me to know, you will let me know.

  4. Ginsu Yoon from Bynamite, August 12, 2010 at 1:07 p.m.

    "Privacy by Design" sounds great in theory, but just what are the design principles, and why should we expect the outcome of "best practices" design principles to be any better than the attempts of government to regulate privacy?

    We all know privacy is a complex concept, meaning different things to different people, and sometimes different things to the same people at different times. That's what makes it so difficult for government to regulate properly. There is no "one size fits all" concept that allows for sensible regulation that will satisfy all of the concerns of industry and consumers.

    "Privacy by Design" implies that private industry is better at finding market solutions than government - which I agree with - but it also implies that there is a single, coherent concept of privacy to be designed for - which we've already seen is not the case.

    But anyway, I'm openminded on this and would really like to see some design principles put forward. Who are the "privacy designers" that will take this on?

  5. Christopher Brinkworth from Ensighten inc (acquired TagMan), August 12, 2010 at 3:06 p.m.

    Dave - I like this slant (TagMan's offer some nice opt-out solutions that you can white label into your own data-driven product or advertiser's website. EG, help manage your data partners efficiently). My question is - what are the guidelines to what to build in? EG- What if you do this and then, someone once again moves the goalposts further from the spec you've invested in? My common response to all of these articles/opinion pieces that the WSJ have stirred up has been 'where do we all go to find the rules to adhere to?' Where should we all go to share knowledge and help to educate the .gov as well as .consumer? Where is the 'consolidated approach' between all of the industry to focus on 'what we can / cannot do'.

    Chris, www.TagMan.com

  6. Angus Fisher from IPC, September 7, 2010 at 1:21 p.m.

    It is heartening to see such discussion related to proactive privacy measures and a sense of urgency from the online community.

    I want to respond to those of you seeking "guidelines" and "principles" as a framework within which to move forward. Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada, first developed the concept of Privacy by Design (PbD) in the mid-90's, when it became clear to her that "the time was upon us when legislation and regulation would no longer be sufficient to safeguard privacy." PbD represents a paradigm for embedding privacy proactively into technology itself – "baking it in" and thereby making privacy the default.

    Since that time, Commissioner Cavoukian has developed the 7 Foundational Principles of Privacy by Design, and work from the Commissioner's office delves further into the application of PbD to specific technologies, business operations, physical architectures and networked infrastructure. Recently, the PbD Principles have been mapped to Fair Information Practices and leveraged to generate best practices for embedding privacy within smart grid technologies, right from the outset.

    I would encourage you to visit www.privacybydesign.ca to find all of the resources mentioned above, and engage further in the Privacy by Design discussion.
