Facebook this past month agreed to twenty years of independent audits of its privacy practices, joining Google which agreed earlier this year to similar audits following its breaches of user privacy when it introduced its aborted Buzz social network.
As this piece outlines, the audits should be moderately extensive in examining how consumers' personal information is being used internally at these companies -- how it's aggregated or repurposed -- and when it's being shared with third parties (such as advertisers). "Problems that come out in audits could be costly -- $16,000 per violation per day, if the FTC decided to pursue the fines in court."
So far all to the good, but the problem is in the "if" the Federal Trade Commission (FTC) decides to pursue the problems. Where will the public pressure be on the regulators to pursue problems? As we saw in the financial crisis, without pretty broad public scrutiny of the regulators themselves, you often don't get the vigilant regulation needed to restrain corporate malfeasance.
The Audits Won't be Fully Public: And here's the big problem with these privacy audits. When they were first being discussed, consumer groups like the Electronic Privacy Information Center (EPIC) asked that any audits be made public. The response from the Federal Trade Commission was not encouraging. They told the groups the audits would not be published but "the public may have access to the submissions required pursuant to the order" using tools like the Freedom Of Information Act (FOIA). Having to jump through bureaucratic hoops to get the information is bad enough, but the real kicker is in the "may" in that sentence, since the FTC writes:
In some cases, these documents may contain trade secrets or other confidential commercial or financial information, or information about consumers or other third parties, that would be exempt from public disclosure. Accordingly, as provided by statute, companies may request confidential treatment for these documents or portions of these documents under Commission procedures. Upon receipt of such a request, the Commission conducts a review to determine whether confidential treatment is warranted.
I'm sure that companies would love to deem a lot of financial information required in Securities Exchange Commission (SEC) filings to be "trade secrets" but thank god the SEC disclosure laws were written before companies had mastered the art of suppressing government information they don't want public.
Google's Track Record of Evading Public Accountability: This suppression of information companies don't want public, especially by tech companies like Google, has become all too common. A recent report by the Reporters Committee for Freedom of the Press, Uncivil Secrecy, detailed the rising problem of Google in particular getting information arising from litigation in the courts suppressed:
far from making its own legal documents "universally accessible," Google routinely uses overly broad requests to seal court filings, according to critics, in apparent contravention of its commitment to the public interest in the free flow of information...Google's use of sealing requests to suppress information contained in court documents it files is remarkable -- both in the frequency with which the company makes such requests and the material underlying them.
Allowing the FTC to leave potentially large portions of any privacy audits of Google and Facebook secret will similarly remove accountability not just for those companies but for the regulatory agencies themselves, since the public will not know whether lack of action is due to the agency finding no real privacy problems or because the agencies are too cozy with the companies they are regulating.
Ever Expanding Corporate Surveillance Requires Openness of Those Company's Privacy Policies: The need for publicly available audits of companies' privacy actions is becoming all the more important as those companies know almost everything about consumer activities. Just last week, Google announced it will soon start offering one-day shipping for merchants it works with on online commerce.
Taking control of a large portion of e-commerce delivery will allow Google to harvest a massive new amount of data about consumers to feed Google's datamining efforts and behavioral profiling of consumers. Google will be able to track consumers from initial search for an item to finding a merchant to deciding to purchase the item to where the item is delivered, how it is paid for and track an aggregation of all sales going through its system. Google will have data about the whole consumer cycle of consumerism -- the holy grail of the advertisers from which the company makes its money.
Whether consumers will ultimately benefit from such a move is an open question -- especially if it just reinforces Google's monopoly dominance in more sectors and undermines e-commerce innovation -- but the only way the public will have any clue whether company profits are just coming at the expense of their privacy is if the privacy audits of the company's actions are public available.
If Google wants to have the role of trustee of more information about more people than any other company and even more information in many areas than government has, then it should accept in turn public scrutiny of its actions as well.
Google and Facebook have both promoted the idea that society benefits from more openness and sharing. Sharing the full results of their privacy audits is a good way to practice what they preach about openness. More broadly, as the FTC and DOJ move forward on a range of privacy and antitrust investigations, we should expect far more public disclosure of their decision-making and what those investigations are revealing about consumer rights in the age of ever increasing corporate surveillance.
Follow Nathan Newman on Twitter: www.twitter.com/nathansnewman