Chapell & Associates

Tuesday, May 02, 2006

Online Privacy: Nowhere to Run, Nowhere to Hide

CSO Magazine - April 2006
Consumers say they want privacy online although they often behave in ways that contradict those statements. Could it be that most of the complaints come from privacy advocates and not consumers at all? Debating online privacy isn't merely a philosophical exercise. Companies collect reams of information about visitors to their websites and about their customers'
Web-surfing ways.

In a recent forum at the Wharton School at the University of Pennsylvania, the panelists - who included Ravi Aron, Wharton professor of information management, Gil Brodnitz, a partner at Accenture, Bradley Horowitz, head of Technology Development for Yahoo's Search and Marketplace group, Steve Johnson, CEO of Choicestream, Declan McCullagh, a writer for CNET, and Brooklyn Law professor Wendy Seltzer - discussed consumer concern about online privacy, data protection laws, and privacy policies.

The Chapell View
The panel under review goes a little beyond what you often see at these sorts of events - instead of merely mentioning consumer concern about privacy, or taking it for granted, the panelists seemed interested in delving in a little deeper.

Their conclusions were, best I can tell, two-fold: 1) there's little guarantee that personal information provided to or collected by online businesses won't end up in the hands of the government, and 2) a lot the so-called consumer "concern" over privacy is overblown by consumer advocacy groups and politicians.

I think the panel is probably right on the first point. Notwithstanding that Google managed not to give the DOJ the keyword searches it requested (having won it's court case), as Professor Seltzer pointed out, they still did hand over a large number of URLs. Not to mention that in a separate case they were enjoined to provide the FTC with the entire contents of a Gmail account, and other search engines provided the DOJ with the requested keyword searches. "If we don't have a strong protection law, all we have is the company's word, and hype and fact don't always match," Seltzer said. "Anything that is collected in a regime of weak privacy laws is something that the government can get access to."

This is probably correct - and helps to explain why companies like Microsoft are getting behind national data protection and privacy legislation. At an event sponsored by the FTC and the BBB I attended this week, a few panelists noted that there isn't a federal requirement for websites. They echoed the Wharton speakers in arguing that this leaves the question of privacy promises between a business and a consumer in the hands of the market. Although there are good business reasons to write a solid privacy policy, it can mean that things are sometimes a little haphazard.

I'm less convinced, however, by the panel's second conclusion. McCullagh argued that it was "the privacy fundamentalists - the pro-regulation privacy groups" that were driving most of the debate about privacy, and that most consumers were perfectly happy giving up personal data if they think they're getting something in return.

Technically, consumer groups are the ones who get the press. But I do think that they sometimes do represent true consumer concern. And we can cite all we want - it doesn't mean that consumer aren't concerned, and aren't, as many studies have now shown, deleting cookies, scaling back their website purchases and increasingly downloading anti-spyware technology. Consumers are concerned because they often don't see the value that they are supposed be getting from giving up their data. Sure, when they do understand the bargain, they're much less concerned. But that's the fundamental problem: they often don't.

So until we make it clear to them what the trade-off is, their concern is going to remain quite real. Let's call a spade a spade here: if consumers don't have a reasonable expectation of privacy while they're online, then somebody (other than former SUN CEO Scott McNealy) should be telling them that. At the very least, shouldn't this be in a privacy statement?
posted by Isaac on Tuesday, May 02, 2006

© 2005 by Alan Chapell & Associates LLC