Protecting Online Privacy: Controlling the Collection, Use and Sharing of Personal Information

Facebook has some new frienemies. In its latest approach to privacy, even Facebook’s most diehard fan is left to wonder what is happening with the company’s privacy practices. For its part, Facebook relies on its Privacy Guide to lead users through 50 settings with more than 170 options for controlling the use of the data that appears on Facebook pages. The default setting on all of them is public, and this has many concerned and some even outraged.

In May, a complaint was jointly filed by 15 privacy protection groups to the Federal Trade Commission (FTC) detailing what they viewed as unfair and deceptive changes to privacy settings made by Facebook, noting that Facebook now discloses personal information to the public that users previously restricted. According to the Electronic Privacy Information Center (EPIC), one of the filing’s leaders, the complaint states that “changes to user profile information and the disclosure of user data to third-parties without consent violate user expectations, diminish user privacy, and contradict Facebook’s own representations.”

The Electronic Frontier Foundation (EFF), not one of the 15 FTC complaint filers, has its own concerns about the way Facebook privacy practices have evolved. Kurt Opsahl, EFF senior staff attorney, recently wrote an interesting opinion piece that “demonstrates the shift over the course of time from 2005 to the present” on how different the privacy policy is today. He notes that Facebook has evolved from a place of private communication with a group of choice to one where much of the information is public by default. “Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads.”

EPIC says that in April, Facebook changed the way a user’s personal profile information is classified and disclosed, including “users’ friends list, music preferences, affiliated organizations, employment information, educational institutions, film preferences, reading preferences, and other information.” According to the complaint made to the FTC: “If the user unchecked all of the boxes in an attempt to opt-out of the compelled disclosure of her profile information, another pop-up window appeared to inform the user that if no information is designated as ‘publicly available,’ then major sections of the user’s profile that were previously available on the user’s Facebook page will be deleted and left empty.” Further, it states, “Facebook no longer permits users to provide ‘pure text’ entries into fields for work and education, current city, hometown, and likes and interests. All entries into these fields must be ‘linked’.”

Ari Schwartz, vice president, Center for Democracy & Technology, points out that even if you do make privacy setting changes, Facebook can add new settings and not necessarily tell you about it, nor prompt you to go back and check your settings. “We keep seeing this happen again and again. That is why users are rightly concerned and continue to be outraged over it.” Schwartz comments that it will be interesting to see how Facebook responds. “So far they have a viewpoint to share more and more information. If it was done in a way where material changes were made and consumers did not expect them, I think we will see FTC action in this case.” Schwartz thinks the accumulation of recent changes has “pushed things over the edge to where Facebook seems to have taken a stance against privacy rather drastically.”

Online Privacy’s Evolution

The issue is not just with Facebook. Privacy and data sharing have a long history of being complex and relative to the interpreter. “Look at social networking sites, cloud computing and mobile collectively,” observes Craig Spiezle, executive director and president of the Online Trust Alliance (OTA). “All together they are making government and policy makers re-think what policy should be. Further it is forcing people to re-think what appropriate use of data is. The rules are evolving quickly. Facebook’s business actions have put a lot of wind in the sails of regulators that we need to make change and we need it now.”

Some in Congress believe that one way to promote the use of the Internet is to assure individuals a high degree of privacy protection, including transparency about the collection, use and sharing of information about them, and to give them control over that collection, use and sharing, both online and offline. One such effort, recently introduced for discussion, is a draft of the Boucher–Stearns consumer privacy bill.

“Right now there are two clear camps,” explains Spiezle. “The privacy zealots are saying it is not enough, they want to see more. Then you have the interactive advertisers that say this is going to be the demise of online advertising. We are kind of in the middle. In some areas what the bill proposes is very vague and will create confusion and there are other areas that we think the bill is missing. Congressman Boucher has been very candid that they want to have a dialog with the stakeholders before it actually becomes a submitted bill, and that is a good thing.”

The draft bill defines information labeled as private to include: name, postal address, telephone and fax numbers, email address, unique biometric data (e.g. fingerprint, retina scan), social security number, passport numbers, credit card numbers, driver’s license, and so on. The most interesting item on the list is a person’s Internet Protocol (IP) address.

“These are complex issues and we are very encouraged by the inclusive and collaborative process the Congressmen have announced,” says Fran Maier, executive director and president of TRUSTe. “For a privacy bill of this magnitude, the expertise of the private sector cannot be overlooked and we encourage fellow privacy experts and players to critically analyze the bill and provide feedback as requested by the Congressmen.” The deadline to submit written comments is June 4.

“I’m amazed at the proliferation of categories for information,” continues Maier. “In this bill we have ‘Sensitive’ and ‘Covered.’ In the Facebook privacy policy there is ‘Public’ and ‘General’ info. For the good of the public, we’ve got to get to some common sense categories that cover both collection and use.”

Defining Privacy

The definition of privacy is a challenge. A year ago, Ian Glazer, senior analyst with Burton Group, published a whitepaper titled: Privacy. In it Glazer noted, “Privacy is not about data—it’s about people. Privacy is not secrecy, and it is not about hiding information. Privacy is concerned with the proper handling of personal information and with respecting the dignity of the individual to whom the information refers.” Glazer contends that it is the very contextual nature of privacy that makes it so difficult to pinpoint a definition.

Privacy does indeed mean different things to different people. “At my last count, there are 24 legal definitions of privacy around the world,” says Spiezle. “That is part of the challenge in the first place. I do think that privacy expectations are different. There are some who say with anything online, you should no longer have the expectation of privacy and you are just fooling yourself. I do not believe that.”

To Maier, expectations of privacy differ by individual and also by generation. “There is no question that most teens and twenty-somethings feel more comfortable sharing information about their lives than their parents do. That’s why we always talk in terms of transparency, choice and accountability. The challenge is finding ways to make privacy practices really clear and give consumers some control over what information is collected about them and how it is used, so that everybody feels comfortable.”

That comfort is at the root of privacy protection practices. “As a nation we have become more dependent on the Internet, not only for lifestyle and communication, but also for commerce. Reliability and trustworthiness are becoming more critical. Overlay that with the fact that major growth in commerce on the Internet is far outpacing non-Internet commerce growth, and the importance is even more magnified,” believes Spiezle.

What is a reasonable expectation of privacy? The Boucher–Stearns bill is trying to spell that out. While users should have control over their information, the real question, Schwartz says, is how that control is granted. “Social networks have less of a sense of privacy than, for instance, a direct relationship with a business. With a retailer, you expect to have your information treated with respect as though they are your trusted agent. With a social network, the main goal is to share information, however, if you only want to share it with your friends, that’s different than wanting to publish it.”

Schwartz points out that part of the issue for Facebook is that the expectation of privacy has changed. “In some ways I think people were concerned about privacy on Twitter, because so much of the information is public. But the expectation has been set on Twitter for the most part information is public, whereas Facebook and others have taken more of a stance of starting with private conversations among friends and trying to make some of those conversations public, which has led to concerns.”

Facebook was recently given an opportunity to respond to some of the concerns via a blog in the New York Times, and to answer reader-submitted questions or, in some cases, accusations. Elliot Schrage, vice president for public policy at Facebook, wrote: “It’s clear that despite our efforts, we are not doing a good enough job communicating the [privacy] changes that we’re making. Even worse, our extensive efforts to provide users greater control over what and how they share appear to be too confusing for some of our more than 400 million users. That’s not acceptable or sustainable. But it’s certainly fixable.”

Many, like Spiezle, would prefer to see more self-regulation, and he regularly calls on the industry to take privacy into account up front. “We talk about how it is everyone’s job to think about security. I would suggest that now everyone’s job is also privacy—you should not be relying on just your chief privacy officer. You need to be thinking about what are the implications of your business activity. It may have great revenue potential, but what are the implications of it.” Spiezle believes that businesses will be better off driving privacy practices “ourselves” than having it driven via legislation. “What we are advocating is restraint and self-governance. The last thing any of us want is more regulations. But the reality is, we will have more regulation.”

Schwartz agrees that the discussion before introducing the Boucher–Stearns bill is essential. “It has a tough road to pass Congress, so it is important to get what is being introduced right. There is a lot of question about some of the way the provisions in the draft have been written and we need to go over those and see what a lot of different industries think about some of the issues that are involved.” Schwartz says this staff discussion draft is really a mechanism for feedback, before perhaps introducing the bill next year. He notes that the success of such a bill is hard to predict, and largely depends not only on the final language of the bill, but also on Congress’ makeup after the next election and on who is in charge of which committees. Schwartz has talked with Congressman Boucher and believes, “the real goal of the draft is to get the best bill out there on the table and have a discussion and try to build some consensus around privacy practices.”

Re-Thinking Privacy

Privacy as we have known it is outdated. “Our lives are becoming so digital, and everything is so accelerated because of it. It’s no surprise there are some trust issues. What I think privacy was in 1997, when TRUSTe was founded, almost seems quaint now,” observes Maier. “Especially when compared to the social networks, the search engines, and the like today. This privacy thing is something else lately! Today, our focus on privacy in this day and age is about giving people transparency and choices and accountability.”

Facebook is one of the first to play the choice-card. Schrage points out that “Everything is opt-in on Facebook. Participating in the service is a choice.” The complexity, he says, is in the controls. “Unfortunately, there are two opposing forces here—simplicity and granularity. By definition, if you make content sharing simpler, you lose granularity and vice versa. To date, we’ve been criticized for making things too complicated when we provide granular controls and for not providing enough control when we make things simple. We do our best to balance these interests but recognize we can do even better and we will.”

While we struggle to define what privacy means, we have to take into account today’s technology. Spiezle believes that, “Data devices and the whole ecosystem are changing so quickly that we have to re-think yesterday’s rules, and yesterday’s business policies and ask ourselves: Are they appropriate for usage tomorrow? Today’s environment, whether it is Facebook, or Twitter or mobile, has so many different dimensions to look at. Those are the challenges that we have the responsibility and an opportunity to address.”