Did you ever stop to think what your browsing reveals about you? You check out nearby pizza places, and your browser lets the search engine know your location (bet you didn't know that was happening while you were typing "great anchovy pizza"). Or you look up the evening's baseball scores, and the first links your browser returns are to the Red Sox -- because that's the team you always check. The trade we make for easily accessing the world's information ends up revealing loads of information about ourselves. It seems worth it until the moment you realize that while you've been looking at sites on unemployment benefits, you've been tracked. Suddenly the ease of finding stuff seems a lot less great, and you wonder who knows what about you.
The government also wonders. Usually the classic line, "I'm the government and I'm here to help you" elicits queasy laughter, but this time, that line is spot on. Since the 1990s the Federal Trade Commission (FTC) has gone after companies that break their online privacy promises. That might appear to be a weak strategy, but it works. A recent legal analysis indicates that the practice has been quite effective. No company wants to be on the front pages because they were caught violating consumer privacy.
But things are getting worse. New tools allow ads to track the user when cookies are disabled, and reveal location without any effort on the user's part. They have conspired to shift the privacy equation to the user's disadvantage. The question is what now.
In a preliminary report, the FTC made clear that it wants answers from those collecting consumer data. What is the purpose behind amassing this data? (Because it is available and cheap to store does not constitute an adequate response.) How long is the information being kept? ("Indefinitely" is not an answer.) How will the data be protected? (Clear, articulate technical responses are the only acceptable answers.) These are good questions and have been ignored for far too long. Poor data storage practices are the cause of many privacy and security breaches.
The FTC is taking a balanced approach, acknowledging that data collection helps drive innovative new products and services, and that early regulation may stifle innovation. So just as it did in the past, the agency is taking an evolving approach to privacy protection, emphasizing fundamental principles of incorporating privacy into the design of products and services (an emphasis that has been missing for far too long), simplifying decisions that consumers must make in order to protect their privacy, and providing greater transparency of data practices. This is an eminently sensible stance.
On the table is a "Do-Not-Track" proposal in which, like the highly successful Do-Not_Call registry, users could opt out of tracking. This one is complicated. Tracking users enables personally tailored ads. These in turn enable "free" provision of Internet services to users, services such as free content. How plausible is Do-Not_Track? There were few details how this might be done; the big issue is how would costs shift if such a mechanism were in place. Might users use two online identities, one where they read for free and get tracked, one where they pay and are anonymous?
In its new report, the FTC also dodged some issues. One is Deep Packet Inspection (DPI), in which ISPs may look into packets -- the basic unit of Internet communication -- to see what the user is actually doing. DPI is the Internet equivalent of eavesdropping. Such inspection is allowed for quality-control purposes, but some ISPs would like to do this for serving up the ads they would like to provide -- instead of having Google or Yahoo do so. Since your ISP knows everywhere you go on the network, such a use would be highly invasive. The FTC has punted this issue to the Federal Communications Commission, which is probably the right choice.
The FTC also largely ignored online social networks (OSNs) such as Facebook and MySpace. These sites hold the most private user information, and the fact that users willingly hand over the data does not substantively change the issue that the privacy threats from such sites are extremely high -- and the privacy protections often negligible. I was extremely disappointed by the FTC's lack of substantive response on OSNs.
Do-Not-Track will be a big deal if it comes to pass, and the present lack of specificity on implementation is currently reasonable. I would have liked to see the agency tougher on online social networks, so I rate this report a B+ on privacy protections. But implementations are all. The agency has done well before; let's see what the second round brings.