On Privacy & Data Subjects
You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves.
John Perry Barlow may have made a name for himself as a lyricist for the Grateful Dead, but his legacy will ultimately be as a founding member of the Electronic Frontier Foundation and Freedom of the Press Foundation. That passage stems from his 1996 declaration of the independence of cyberspace for the EFF. While a lot of its message still holds true over two decades later, the “demographics” of cyberspace have certainly evolved.
As our workforce progresses through its generational transition, the bureaucracies are gradually embracing technological innovation. In keeping with the analogy, at some point, we will all be natives in a world originally designed by immigrants. Like any well-maintained piece of software, some functions can be gradually improved upon while others may need complete refactoring. While releases by the likes of WikiLeaks underscore the urgency with which we should address existing security issues within the public sector’s “firewall,” it’s imperative for us to build bridges with the private sector — a collaboration of sorts between our tech giants and the weary giants of flesh and steel, as Barlow puts it. This mentality should be applied equally when talking about privacy, security’s cousin of sorts.
It would have been much easier two decades ago to single out broadband providers as posing a greater threat to individual privacy than edge providers. After all, the likes of Comcast and Verizon play the role of gatekeepers to the internet for virtually the entire United States. However, one could argue that, nowadays, Facebook and Google pose the same — if not a greater — threat to our online privacy. As pointed out by Swire, et al., ISPs are no longer able to collect more consumer data than their advertising rivals.
There increasingly appears to be an important distinction in the kind of role consumers play as data subjects. At one extreme, consumers willingly participate in their own profiling and actively contribute to the cause, effectively acting as data providers or content creators. At the other extreme, consumers unknowingly become the product, unable to even access — much less control — the data collected about them. In theory, a pure market model could prove successful in a world dominated by the first extreme, what I call direct data subjects (suggested alternatives welcomed). Similarly, a pure enforcement model might effectively protect indirect data subjects, such as the 140+ million Equifax “customers” compromised last year. In practice, however, each model is undermined by market and government failures, respectively.
Social media users can be considered prime examples of direct data subjects in the current information economy. The likes of Facebook have been gradually decreasing the privacy costs originally imposed on their consumers, granting users a lot more granular control over features and, importantly, better educating their userbase. Counterintuitively, the market has not reacted positively to adherence to industry best practices and additional privacy safeguards, since these long-term strategic actions are expected to have negative short-term effects on the bottom line, which is overwhelmingly comprised of ad revenue. Heeding Swire’s tobacco story* as a warning, self-regulation may provide a viable alternative to potentially under-broad regulations aimed specifically at the Equifaxes of the world that profit off of indirect data subjects. Ultimately, though, community norms should end up driving the bulk of privacy protections.
* Excerpt from Peter Swire’s Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information
Industry has an incentive to use government rules as a shield to preempt any contrary laws. An example is the ability of the tobacco industry to preempt many lawsuits by complying with the warning requirements of a 1969 federal statute. If the federal statute did not exist, the tobacco industry would have been under greater pressure to regulate itself, and would have faced greater liability under evolving state statute and tort law. For privacy advocates, the tobacco story can serve as a warning against a too-ready conclusion that some mandatory regulation is better than none. At a minimum, such advocates should consider the effect that passage of mandatory regulation will have on how the field of law would otherwise develop.