Privacy, Policy, and the Illusion of Control

These are strange times in Washington. Congress, which has spent decades conspicuously showing only the most passing interest in privacy, suddenly is awash in proposed privacy legislation and the calendars in both chambers are crowded with committee hearings on the topic. The unending string of breaches and data-misuse and abuse scandals, coupled with increasing consumer outrage, has apparently combined to accomplish that most difficult of tasks: convincing Congress to act.

But there’s a significant difference between knowing that something must be done and knowing what to do. Right now, Congress seems to be stranded somewhere between those two mileposts, and a pair of hearings this week on Capitol Hill did not produce much evidence that that is going to change soon.

The good news is that there seems to be a general sentiment in Washington that it’s time to pass a federal privacy law. The various state laws that exist now have laid the groundwork, holding companies accountable for lapses in privacy protection and loss of consumer data, and providing some expectation on the part of consumers that there will be consequences--however fleeting they may be--when these incidents occur. People have become much more conscious of and educated about the ways in which companies collect and use their data in the last few years, and expect that there will be legal and regulatory measures in place to keep those companies from going off the rails. While there is no federal privacy law at the moment, there are several bills at different stages of the legislative process right now, some of which would impose severe fines on companies for violations.

Both the House of Representatives and the Senate held hearings this week to discuss the need for a federal privacy measure, what that could look like, and what it might mean for data collectors as well as consumers. On Wednesday, the Senate Committee on Commerce, Science, and Transportation met to talk about the parameters of a federal policy framework, and members expressed an eagerness to improve the protections for consumers across the board.

“Congress needs to develop a uniquely American data privacy framework. It is clear that we need a strong national data privacy law,” said committee Chairman Roger Wicker (R-Miss.).

A good portion of the Senate hearing focused on the concept of notice and consent, which involves showing people a privacy policy in some form and having them consent to whatever data collection and usage is specified in the policy. This method relies on the idea that people actually read privacy policies (they don’t) and understand the implications of the data collection and usage (they don’t). Which is why many in the privacy community have little use for notice and consent and consider it to be not much more than window dressing.

“I believe that notice and consent are no longer enough,” said Sen. Maria Cantwell (D-Wash.).

Notice and consent also has the effect of pushing much of the responsibility to consumers, an effect that’s magnified by the fact that many people don’t realize what they’re agreeing to when they click a box agreeing to a privacy policy or data collection. It’s simply an obstacle in their way. Woodrow Hartzog, a professor of law and computer science at Northeastern University, said in his written testimony for the Senate hearing that this model doesn’t work at any large scale.

“The problem with notice and choice models is that they create incentives for companies to both hide the risks in their data practices through manipulative design, vague abstractions, and excessive and complex words while at the same time shifting risk by engineering a system meant to expedite the transfer of rights and relinquishment of protections,” he said.

“People are gifted with a dizzying array of switches, delete buttons, and privacy settings. We are told that all is revealed in a company’s privacy policy, if only we would read it. After privacy harms, companies promise more and better controls. And if they happen again, the diagnosis is often that companies simply must have not added enough or improved dials and check boxes.”

There was plenty of discussion about what kinds of policies, controls, and incentives don’t work in protecting consumer data privacy, but not much in the way of concrete suggestions for what does work. That’s probably because both the House and Senate hearings were populated mainly by witnesses from advertising and technology industry associations and policy think tanks and neither included an actual privacy officer or practitioner. The committees would benefit from hearing from people who do this on a daily basis and have a clear sense of what actually works rather than falling back on concepts that are known to be insufficient, such as consumer control. As Hartzog pointed out, the idea of control is meaningless without other informative and protective elements to help people make proper decisions.

“The problem with thinking about privacy in terms of control is that it’s treated as though the mere gift of it is privacy in and of itself. In fact, it’s illusory,” he said. “Control ostensibly serves to give people autonomy. Privacy is a broad concept that involves lots of different elements and shouldn’t be distilled down to just control.”

Congress’s interest in meaningful federal data privacy legislation looks to be sincere, but any resulting laws will be diminished and less useful without meaningful input from privacy practitioners and advocates.