Advocates: Free market doesn't work for online privacy

Many Web users don't understand how much of their information is being collected, privacy advocates tell the FTC

Web and mobile device users have little understanding about how much of their personal data is collected online, making it difficult to rely on free-market competition for solutions to privacy concerns, privacy experts told the U.S. Federal Trade Commission Thursday.

The FTC or the U.S. Congress needs to set clear online privacy rules, said some speakers at an FTC workshop on comprehensive online data collection. Other speakers suggested that competition among Internet and device companies and privacy notification efforts by industry groups can work, even if some Web users don't seem to care or understand about data collection.

Some services, including search engines, browsers and social networks, are offering their products based on privacy tools or policies, Markham Erickson, general counsel for the trade group the Internet Association.

Consumers will punish companies with bad privacy practices, added Stuart Ingis, counsel for the Digital Advertising Alliance, another trade group. "The market reacts when they see a business practice they don't like," he said.

There's still an open question about the harm to consumers from data collection, some speakers said.

Harm to a consumer's reputation may be a factor, but "if you can't articulate what the harm is, you can't prevent it," said Howard Beales, a business professor at George Washington University and former director of the FTC's Bureau of Consumer Protection. "If the only harm we're worried about is speculative possibilities of what might happen at some point in the future, what we're likely to do is preclude a lot of really useful new services on the horizon that none of us has thought of yet."

But it's difficult for Web and mobile users to make informed decisions about Web-based products because much of the data collection happens behind the scenes, other speakers said. "It's hard to compete on something people don't know about," said Ashkan Soltani, an independent security researcher and consultant.

When researchers ask people about online data collection, many have little knowledge of the topic, said Lorrie Faith Cranor, a privacy researcher and computer science professor Carnegie Mellon University. Many people, when first learning about comprehensive data collection, find it "very creepy," although some people's opinions improve when learning the data collection is generally used to deliver targeted ads and customized services, she said.

"They also feel like, 'I seem to have given a blank check for these companies to collect my data and do whatever they want with it,'" she said.

Still, some Web users are acting in ways that suggest they understand data collection, Beales said. Many Web users are starting to use multiple networks, multiple devices and multiple browsers and are deploying encryption technologies, he said.

No online company has a "single, comprehensive view" of a Web user's personal data, Beales added. "Consumers really have diversified their risk," he said. "There's nobody that's sitting on a choke point that everything goes through and that has a comprehensive picture of what's going on.

Part of the focus at the FTC workshop was on deep-packet inspection, or DPI, a technology that can be used by ISPs and some other companies to inspect the content of packets as they travel across the Web. The problem, however, isn't with DPI, but with how it's used, Erickson said.

ISPs can use DPI for several good reasons, including preventing cyberattacks, Erickson said. But concerns about DPI have come up when it's used in real time to deliver targeted advertising, he noted.

Erickson and several other speakers cautioned the FTC and other policy makers to focus on bad uses of technology and not aim regulations at technologies. "We should be careful not to demonize the technology, but rather, go to the uses," he said.

Some speakers called on policy makers to trust the market to take care of online privacy problems, and allow vendors give consumers choices on when they are tracked, but others questioned that approach.

"Putting the industry who wants to track you in charge of opting out of tracking seems like putting the fox in the hen house," said Christopher Calabrese, legislative counsel for the American Civil Liberties Union. "How could I as a consumer trust you to opt me out when your entire business model is based on tracking?"

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags Howard Bealese-commerceStuart IngisMarkham EricksoninternetprivacyAshkan SoltaniCarnegie Mellon UniversityanalyticsLorrie Faith CranorInternet AssociationAmerican Civil Liberties UnionChristopher CalabresesecurityGeorge Washington UniversityDigital Advertising AlliancegovernmentadvertisingU.S. Federal Trade Commissionregulation

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place