In the last week, we've learned that the National Security Agency has broad powers to track our online activities. Those revelations made big headlines, but we've known for years that private advertising companies are tracking our online activities to better target advertising to us. Is that a cause for concern? And if so, what can be done about it? This morning, an ideologically diverse panel of prominent figures debated the question.
Federal Trade Commissioner Julie Brill says that she'd like to see a "portal" that allows users to easily find a list of data brokers who might have their information. She envisions a way for users to click through to the websites of individual data brokers, see what information has been collected about them, and opt out of tracking from each broker.
That sounds like a promising idea in theory, but it's not likely to work well in practice. The sheer scale of online data collection—dozens of companies collecting hundreds or even thousands of data points—makes it impractical for consumers to carefully scrutinize each broker's data. And even users who do take the time to examine the data brokers are unlikely to find them comprehensible.
In short, this is a 20th-Century approach to a 21st-Century problem. Laws like the Fair Credit Reporting Act, which governs consumer credit agencies, work because there are only a handful of ratings agencies that collect a manageable amount of data. In contrast, web browsing generates reams of data every day. Any regulatory approach that expects users to scrutinize this raw stream of data is doomed to failure.
Rep. Hank Johnson (D-Georgia) is touting the APPS Act, which he introduced in May.
"The mobile app market enables this geo-location service to blossom and so it's predicting your behavior," Johnson says. "The customer should be able to opt in and opt out. There need to be some privacy rules."
"We need to know how that information is going to be used," he argues. "We need to know how it's going to be secured. And you also need to have the ability to opt out of the arrangement at any time."
"The reason I voted against the re-authorization of the Patriot Act is because it was so overbroad," says Rep. Hank Johnson (D-Georgia). He says he's not upset about the revelations because the NSA's eavesdropping programs are being overseen by the Foreign Intelligence Surveillance Court.
"They are collecting far too much data," he says. "We in Congress need to go back to the table and revisit the scope of the Patriot Act and whether or not we want to let it be as broad as it is, and we need to discuss the implications of what we do amongst ourselves so the people can decide."
A questioner asks the first panel to comment on why people are so much more outraged about government data collection than private data collection. Adam Thierer argues they're very different because the government has the power to take our life, liberty, and property, while private parties are just trying to offer us better products and services. But Peter Swire says that the PRISM revelations suggest that the line between the two is not so clear. Any information collected by private companies may eventually be disclosed to the feds.
Jerry Cerasale of the Direct Marketing Association argues that the advertising systems operated by his members are working pretty well. Many advertisers offer an "opt out" system where users can set a cookie on their browsers asking advertisers not to track them. Cerasale points out that more than a million people have taken advantage of this option.
But the panel's moderator, Mary Jordan, makes an important point: a million people is a small fraction of the hundreds of millions of people who use the Internet. More than 99 percent of Internet users don't opt out. It's possible that's because 99 percent of people are happy with being tracked online. But it's more likely that most people find the opt-out scheme too cumbersome to use, or they don't even know it exists.
The government has repeatedly emphasized that PRISM only targets foreigners. But Marc Rotenberg points out that most users of sites like Google and Facebook are located overseas. If US government policies don't do an adequate job of protecting the privacy of non-Americans, he warns, it might be difficult for these American firms to maintain their current popularity with foreign users.
Today's event began with a comment from Fred Humphries, an executive at Microsoft, which is the primary sponsor of today's conference. His remarks focused on Microsoft's commitment to privacy and the company's commitment to comprehensive federal privacy regulation. Microsoft has made privacy central to its marketing, touting Internet Explorer's adoption of the "Do Not Track" standard.
Unsurprisingly, Humphries did not mention the topic on everyone's mind: Microsoft's alleged participation in the NSA's PRISM program. Leaked documents suggest Microsoft was the first firm to sign up for PRISM. And while Humphries has touted the openness of today's discussion, there's been very little transparency about PRISM.