Privacy Pretense

Last month, Silicon Valley purported to be shocked by revelations that the National Security Agency (NSA) has routinely accessed the servers of tech giants Google and Yahoo, which store data for hundreds of millions of users. In response, the companies pledged to step up privacy protections.

There is only one problem: Such protections run counter to the business model and public policy agenda that tech companies have pursued for decades. For years, U.S. information technology (IT) firms have actively backed weak privacy rules that let them collect massive amounts of personal data. The strategy enabled the companies to work their way into every corner of consumers’ lives and gave them a competitive edge internationally. Those same policies, however, have come back to haunt IT firms. Lax rules created fertile ground for NSA snooping. In the wake of the surveillance scandals, as consumer confidence plummets, technology companies’ economic futures are threatened.

Since the 1990s, companies from Google to Yahoo and Microsoft have done their best to ward off national privacy rules, calling instead for self-regulation. Early attempts to pass privacy laws, such as the Online Privacy Protection Act in 2000, died thanks to lobbying by the Direct Marketing Association and the Information Technology Association of America, which represent most of the country’s major information and communications technology firms. The firms have stood behind an older 1997 government framework, “Privacy and Self-Regulation in the Information Age,” which maintained that the best way to protect consumers was to let the technology market handle sensitive issues on its own.

More recent efforts at reform have stalled as well. Bills have included the Do Not Track Me Online Act of 2011, brought by Congresswoman Jackie Speier (D–Calif.), a new Commercial Privacy Bill of Rights of 2011, brought by then Senator John Kerry (D–Mass.) and Senator John McCain (R–Ariz.), and the Do Not Track Online Act of 2011, brought by Senator Jay Rockefeller (D–W. Va.). Each has faced stiff opposition from the IT industry. Linda Woolley, vice president of the Direct Marketing Association, has even gone so far as to argue that such legislation would “kill the Internet.” 

For its part, the Obama administration has seemed all too happy to go along with this self-regulatory agenda, recently putting forward a set of best practices known as a “privacy bill of rights.” The rights range from transparency about how data is used to better security for the data that is collected. Yet barring congressional action (which seems unlikely), these codes will never become mandatory. For now, they are simply another recommendation for companies to take under advisement as they build their own policies for personal-data management.

U.S. Internet companies have also backed lax privacy rules outside of the United States. Under the auspices of Asia-Pacific Economic Cooperation, a regional trade organization linking the economies of North America and Asia, Google has actively campaigned for a new privacy framework for all member countries. In contrast to Europe’s legally enforceable privacy rights for consumers, the APEC guidelines once again stress self-regulation and internal solutions, such as codes of conduct based on principles similar to those in the Obama privacy bill of rights. 

The APEC framework would allow companies to transfer personal information around the globe, following only their internal codes of conduct rather than national privacy legislation. Supporters of the APEC plan suggest that it could serve as an alternative to the European privacy rules, which impose strict legal restrictions on such international data transmissions. Meanwhile, Yahoo, Google, and Facebook have also lobbied heavily within Europe to weaken EU standards, specifically those relating to cross-border data transfers, transnational cloud computing, and data breaches. Their efforts have been so aggressive that a group of European nongovernmental organizations recently called on U.S. IT companies to stay out of EU legislative affairs. 

Until this year, the self-regulation strategy paid off: With their nearly unrestricted access to U.S. consumer data, IT companies were able to mine information in ways that many of their European competitors could never imagine. For example, Acxiom, one of the major direct marketing companies in online advertising, developed software called “Audience Operating System,” which allows companies such as Facebook to link consumers’ online and offline data -- from credit card purchases to web interests -- even when those consumers use different names for each activity. 

What has become all too clear, though, is that what was good for Google was also good for the NSA, which could use the lax rules and resulting hoards of data to its own advantage. The public is aware of that now, and it will be less trusting of IT giants in the future, especially as the companies develop technologies that increase the amount and types of personal information that they can collect. Take Google Glass, which will digitize our visual experiences, creating a whole new world of personal data based on what we are looking at in real time. 

To regain consumer confidence and ensure their economic fortunes, technology firms will have to transform the way they view the regulation of personal information. Self-regulation is necessary but not sufficient. A better privacy system would have four key parts. First, consumers need an advocate that can help them navigate the overly complex and technical world of information technology. Something like the European data privacy offices would be a good start. Independent agencies offer individuals a point of contact and help in responding to data breaches or abuses. They also focus on working with governments and industry to build technology that takes privacy and security into account. 

Second, Congress should pass national data-breach legislation. Such rules, which have already been passed in California, require companies to notify consumers when their data has been lost or stolen. By giving individuals notices when their data has been compromised -- and naming the companies responsible -- these rules raise awareness about the amount of information in circulation and the risks associated with its use. By mobilizing consumers, data-breach rules build a constituency that can push companies to take privacy and security seriously.

Third, much as energy companies have had to reconfigure their attitudes about natural resources, IT companies must change their attitudes toward consumer information. Far from a limitless good that can be exploited forever, personal data is precious and requires good husbandry. Firms, then, need to find ways to limit unnecessary data collection and integrate privacy and consumer stakeholders into their business models. Privacy by Design, an initiative that helps raise privacy concerns at each stage of a technology’s lifecycle, offers one concrete example of how firms might do this. Rather than thinking of themselves as data vacuums (as the NSA does), IT companies should build a system of data stewardship. Doing so will make good business sense: The trustworthy companies will sell more products.

Finally, U.S. IT firms need to play a constructive role in building a global framework for the protection of personal information. This model should not seek to undermine strong privacy rules, such as those in Europe, but extend the lessons learned from the best privacy policies around the globe. This approach would promote technological innovation over the long term: New products such as Google Glass will be better received if consumers do not think that they will misuse the data that they collect. In the end, constructing a better privacy system will not only help the IT sector grow, but it is also the right thing to do.