Raising privacy expectations by raising privacy standards
It's great that Google is becoming more transparent about how they use your data to tailor your search results. It's the kind of thing we'd like to see more of. However, is it enough to merely state the status quo? Or should we really be demanding not only transparency but control and ownership as well? Saul Hansell has it right, the data Google collects from you is *yours*, not theirs. So not only should we all get a better look at what Google is doing with "our" information, we need to be able to set some ground rules about what is used and how its used. And by "setting ground rules," I don't mean choosing between opt-in and opt-out radio buttons.
Today, privacy policies are meant more to protect companies from liability than protect individuals’ privacy rights. Even though a lot of people don’t fully understand how their information is being collected, we all know that it’s a one-way street. While businesses buy, sell, and share sensitive, personal information, we can’t even access our own information. More and more people are becoming wary of data collection in general, and as a result, the debate between privacy advocates and businesses has become framed as a conflict, privacy versus information. However, we as a society should seek solutions that promote both privacy and information.We at CDTF want to change the culture of data collection from one where one where businesses and other data collectors have all the control to one where individual users are secure enough in their privacy to become active participants and consumers of data. We’ll need new technologies, policies, and possibly legislation, but perhaps most crucial is our need to come to some consensus about how to balance individual privacy rights with our societal interest in information-sharing.We think an important first step is to develop new industry standards that describe what should be happening, not just what is happening in data collection. If more information-sharing is to happen, individual users have to become more confident about their privacy. So privacy standards have to be raised, not maintained.For example, the first step in certification by privacy companies today is determining whether a company has a privacy policy. Although a company should certainly have a written policy, providing credit for merely having a written policy doesn’t raise the ante in any way.Currently, many companies’ privacy policies don’t even cover all traffic to a website, as they disclaim responsibility for the practices of their partners and/or third-party advertisers. A standard that declares as a “best practice” the use of an all-inclusive privacy policy that covers all traffic to a site would certainly raise the bar.Although few companies now would meet this standard, by declaring it to be a possibility, users would become better aware how most privacy policies are not all-inclusive, while companies willing to meet the standard would be able to signal more clearly how they are different from their competitors.We think the bar should be raised on the following issues as well:1. How much notice is required when the terms of a privacy policy change;2. How changes in privacy policy apply to data collected under the previous policy;3. How long data is stored;4. How explicitly companies describe how data is used;5. How data is secured and anonymized before it is shared with 3rd parties in order to provide an “appropriate” level of protection.At the same time, user awareness of the potential benefits of multi-directional information-sharing, to both individuals and society as a whole, has to increase. We think new standards for user participation in the management of their data should be created around these issues:1. User access to collected data;2. User control over whether data is shared and for what purpose;3. Use control over the “level of anonymization” applied to data before it is shared;4. Availability of data for public secondary use.We're not here to say, “Ta-da! Here are the perfect standards for reconciling the goals of privacy and information-sharing.” Instead, we want to start a conversation on how such standards could be useful, how they could be developed, and how they could be promoted.