You no longer know where your data are going.
You can’t know.
Without dramatic changes to attitudes and policies, you may never know.
That’s the message three Carnegie Mellon University researchers sent with a Science magazine review published Thursday. It came out just a day after Federal Trade Commissioner Julie Brill spoke at CMU, urging passage of three ambitious new laws meant, in part, to address the Internet’s accelerating encroachment into our private lives.
Privacy "approaches that rely exclusively on informing or 'empowering' the individual are unlikely to provide adequate protection against the risks posed by recent information technologies," CMU’s Alessandro Acquisti, Laura Brandimarte and George Loewenstein wrote.
What are those emerging risks?
Ms. Brill, whose FTC punishes privacy violators for deceptive and unfair practices, said that Internet-connected appliances, cars and especially health monitors exemplify the trade-off: Industry provides new functionality, and consumers provide personal information.
She said that devices and apps that encourage consumers to supply information on diet, exercise, medicines and other health factors aren't covered by medical privacy laws. Some companies, she said, are selling that information "to third parties, such as advertising companies and analytics firms."
Those firms buy and aggregate data, creating and selling increasingly detailed profiles of nearly every consumer.
Why? “The more I know about you, the more I can influence you,” said Mr. Acquisti.
People “are easily influenced in what and how they disclose” through websites and social media, wrote Mr. Acquisti and Ms. Brandimarte, of CMU’s Heinz College for public affairs, and Mr. Loewenstein, of the Dietrich College of Social and Decision Sciences.
The researchers cited studies showing that people’s attitudes toward privacy change dramatically, depending on circumstances and the behaviors of others around them. Giving people choices about how their data is shared can, paradoxically, prompt them to let down their guard and reveal more.
Mr. Acquisti co-wrote the first scholarly paper about Facebook, and his subsequent research showed that when the social networking giant allowed users to better control others’ access to their information, they shared more. Of course, Facebook can access all of the shared information, and uses it to tailor its ads to the individual user’s interests.
Internet businesses have argued that they publish privacy policies to which users consent by accessing websites. That has been the heart of the prevailing “notice and consent” philosophy of Internet privacy.
However, almost nobody reads privacy policies, noted Lorrie Faith Cranor, at a panel discussion following Ms. Brill’s speech. Ms. Cranor and colleagues at CMU's CyLab Usable Privacy and Security Laboratory found that it would take the average Internet user 224 hours a year to read the privacy policies of all websites they access.
"Notice and consent, I believe, have been dead for a while,” as privacy protection, said Mr. Acquisti.
Systems set up to buttress “notice and consent” have also eroded.
TRUSTe Inc., for instance, was created as a nonprofit that would place its seal on websites that met privacy standards. In November, the FTC slapped it with an order and a $200,000 fine for failing to regularly review the websites, and for allowing others to portray it as a nonprofit after it switched to for-profit status.
How about AdChoices, the system by which consumers can tell participating companies not to feed them individually targeted ads? A study showed that only 27 percent of respondents knew how AdChoices worked, according to Ms. Cranor. Twice that number thought, mistakenly, that by clicking its icon, they would doom themselves to even more ads.
"I do think there's a place for industry self-regulation,” said Ms. Brill, adding that it has proved insufficient.
Technology is racing past privacy options that focus on controlling “cookies” — programs that the Internet places on computers so that websites can detect repeat users. The tracking industry is moving toward more precise digital “fingerprinting,” said Ms. Brill.
She would like to see passage of President Obama’s proposed consumer privacy bill of rights, plus limits on data brokers and tough data security laws.
"I do think that they are reasonably close, that data security can be passed this year. I do think there's a lot of interest in Congress,” Ms. Brill said. That’s driven in part by consumer concern with massive thefts of credit card data, but also by industry’s desire for one national law on breaches, rather than the current patchwork of state rules.
"I don't want to preempt the states unless we have a good, robust federal law,” she said.
How about the bill of rights and data broker limits? Ms. Brill noted diplomatically that Congress has a full plate.
"Congress has to this moment failed in providing comprehensive privacy legislation which guarantees a baseline level of privacy protection," said Mr. Acquisti.
That’s not to say Congress should rush in and write ill-considered law, he said.
What’s urgent is “changing the debate over privacy,” he said. He warned that an anti-privacy narrative has emerged, including arguments that privacy is an artificial concept that threatens to hold back human advancement.
“The available evidence suggests, instead,” he said, “that people care, that protection of privacy is possible, and that as a society we can enjoy the benefit of big data while simultaneously protecting privacy.”
First Published: February 2, 2015, 5:00 a.m.
