Why The FTC's Online Privacy Plan Won't Stop The Information Free-For-All
The Federal Trade Commission's new proposal to protect our privacy online should do little to assuage your fears of a know-it-all Web watching, tracking and responding to your activities on the Internet.
Last week, the Federal Trade Commission waded into the debate over online privacy, proposing a "do not track" system that would allow Internet users to keep online advertisers from monitoring their activities online.
Although it is still up for debate, this "do not track" mechanism might be built into browsers and used to alert sites whether a user had requested not to receive targeted advertisements, which can be based on previous searches, pages visited online and geography, among other information.
"Some in industry support what we're doing, but we know that others will claim we're going too far," FTC chairman Jon Leibowitz said in a statement about the agency's framework for protecting privacy in the digital age.
But there are those who admonish the FTC for not going far enough.
Even as the FTC's proposal signals an encouraging readiness to take a more active role in safeguarding our personal information online, some see its first step as a timid one that fails to account for a greater set of privacy incursions that are no longer hypothetical.
The limited scope of the agency's "do not track" proposal aside, it is heartening to see the government finally setting its sights on the personal information free-for-all online. Just this year, for example, consumers were spooked by a series of privacy debacles that included Google's admission that it "screwed up" in collecting individuals' emails via WiFi networks, and the revelation that a Google engineer was fired for snooping on underage teenagers' messages. In addition to the FTC's 79-page report on "Protecting Consumer Privacy in an Era of Rapid Change," the White House announced a new subcommittee focusing on privacy and Internet policy.
But the FTC's proposed course of action shines a harsh light on what the agency has so far chosen not to do: use its authority to crack down on offenders and develop a more holistic set of guidelines that spell out how our online data -- if it does indeed belong to us once we share it with the Web -- can and cannot be used.
"The FTC is focused on one important issue. There at least two dozen more it needs to consider," said Marc Rotenberg, president of the Electronic Privacy Information Center, in an email.
While the "do not track" system would give consumers the option to keep some data from being collected, the FTC's proposal fails to explicitly spell out guidelines for how companies should handle the vast reserves of personal information we voluntarily hand over.
"What the government ought to be doing is talking about extremely strict rules that limit its own powers to access data and also companies' data retention policies," said Larry Magid, a technology journalist who is also the founder of Internet safety organizations ConnectSafely and SafeKids.
Data on the links we click, search terms we key in and browsers we use pales in relation to what we actively share with online companies on a daily basis.
From telling Foursquare where we ate dinner last night to sharing with Microsoft's HealthVault our prescription medication or test results, once it appears online our information is no longer only ours.
The FTC's "do not track" legislation also seeks to arbitrate only a singular end-use for our data: advertising.
It is undeniable creepy to see a search engine serve up ads based on sensitive queries regarding medical concerns. And when an email exchange with a significant other yields a startlingly on-topic Gmail ad for a vacation destination with "secluded beaches, sultry sunsets, special moments for you & your love," it's difficult to shake the sense that Big Brother is watching.
But the thorny issue that the "do not track" system does not address is what we can do to prevent companies from using our data in ways that we might not yet be able to anticipate.
Some of the greatest privacy controversies in recent memory have arisen from instances in which websites chose to employ our personal information to offer new, unprecedented services -- without asking us.
When Google Buzz launched, for example, many were horrified to find that the social service publicized their most frequent contacts (Google recently settled a class action lawsuit involving Buzz). Facebook's Open Graph worried numerous others -- and set off a Facebook boycott -- when users discovered the site would begin publishing their activities on third-party websites. These surprises are not likely to stop: Google CEO Eric Schmidt has asserted Google's policy is to "get right up to the creepy line and not cross it."
"The FTC needs to think much more holistically about privacy," said Rotenberg. "It focuses on one particular problem -- online advertising -- and proposes one particular solution. The threats to online privacy, as well as the possible solutions, occupy many dimensions."
New legislation aside, Rotenberg also admonishes the agency for not having done more to crack down on companies that even the FTC recognizes as having "[crossed] the line with consumer data and violat[ed] consumers' privacy".
"By far the biggest question the FTC should address is why it has not used its current enforcement authority to take action on such matters as Google Buzz, Cloud Computing, and the changes in Facebook's Privacy Settings," says Rotenberg. "These are huge issues that the FTC could have pursued and chose not to."
As its report attests, the FTC is aware of these broader privacy issues, though it has not yet outlined specific ways these issues might be addressed. The privacy process will take time, notes Christopher Wolf, founder and co-chair of the Future of Privacy Forum, and it will likely be several years, if not longer, before meaningful enforcement is enacted.
"Just as the FTC report asks more questions than it answers, and appropriately so, this will be a continuing discussion and there will not be a set time when we can say, 'We've solved all the privacy issues facing us today,'" notes Wolf.
The FTC will be accepting comments on the "do not track" proposal, as well as its privacy report, through January 21, 2011. Learn more about filing a comment here.