Reining in Data Collection
AS THE INTERNET continues to become more widely used for all aspects of work and play, Web surfers are virtually flying blind when it comes to the type of data that is collected about them for current and potential uses. That was the shared sentiment of many speakers on a few of the panels at a recent Federal Trade Commission (FTC)-sponsored conference in Washington, D.C.
Few Internet users understand the principles and evolving technological methods employed by Web companies to collect data about them for marketing and research, and more consumer protection is needed, said many of the experts present. But speakers disagreed on the merits of possible approaches which include beefed-up regulation, enforcement, stronger privacy and security tools, and more consumer education.
One reason consumers are in the dark on data collection is that virtually no one reads or can fully understand posted privacy policies, said several panelists. Similarly, few users understand data mining strategy and technology. Consumers often feel they are sharing “pieces of data,” said Pam Dixon, executive director of the World Privacy Forum. But with amalgamation and other techniques, “that’s simply not how data is dealt with these days.”
Another problem is that consumers interested in a Web site aren’t given the chance to negotiate, only to “take a service or leave it,” said Kathryn Montgomery, a professor at American University’s School of Communication.
The stakes of sharing seemingly innocuous data can be high, panelists noted. Damage can range from financial to reputational harm; in cases such as stalking, the availability of certain information can put users in physical danger.
Several panelists emphasized the importance of industry self-regulation. For example, industry groups tied to online advertising and identity management should strive for more robust rule-making and self-policing, said some speakers. Such groups should make more efforts to communicate with consumers and research their privacy preferences, said Dixon. Other panelists expressed skepticism that industry groups would sufficiently curb often-lucrative data mining.
A handful of panelists stressed a need for stronger government regulation. For example, partly due to the Internet’s highly complex nature, consumers could use more government guidance and protection, said Anita Allen, deputy dean and professor at the University of Pennsylvania. Greater government involvement would introduce needed “accountability,” said Montgomery.
Several panelists said enforcement models could be gleaned from the financial industry. In return for “following the rules,” financial organizations gain benefits from the Federal Deposit Insurance Corporation, including insurance and limits on liability, noted Ari Schwartz, vice president and chief operating officer at the Center for Democracy and Technology. A similar structure could help create an incentive for Web companies to respect user privacy, he said.
Additionally, panelists said laws such as the Fair Credit Reporting Act could provide a possible regulatory model; the act improves consumer control over personal data collection and accuracy.
Stronger government agency enforcement against companies that blatantly misuse consumer data was championed by some of the experts. For example, companies could be punished for misleading consumers about the use of Internet cookies, which are used to track surfing habits, said one panelist.
A major challenge for regulators, however, centers around the shifting nature of collection methods and the subjectivity of sensitive data. A seemingly harmless bit of information shared now can have big repercussions in the future.
It is commonplace, for example, for many Web sites to collect users’ Internet Protocol addresses, said Michelle Rosenthall, an attorney in the FTC’s Division of Privacy and Data Protection. In some cases, collecting such data can damage certain consumers, and it could eventually be combined with other data in other harmful ways. “It can be difficult [for regulators] to draw the line.”
Among the panelists were presenters who said that industry is already successfully regulating itself in certain areas, such as data gathering and marketing, because they recognize the business benefits of doing so.
“If companies’ tendency is to trick and track, it will be bad for business,” said John Clippinger, co-director of Harvard University’s Berkman Center for Internet and Society. “Trusted exchanges will be key to building brands.” Companies that are viewed as excessively intrusive or aggressive in their marketing risk warding off customers, added Schwartz.
There was also the view that consumers should take responsibility for protecting their interests. Though not always easy, Web users should educate themselves on the “risks and consequences” of Internet privacy, said Jim Harper, director of information policy studies at the Cato Institute. And they should adopt security solutions, which might even include providing Web companies with false information, said Schwartz.