Privacy is Brewing
May 14, 2010 4 Comments
People think about Mozilla mostly in the context of our major product, Firefox, but we’ve got lots of activities, both related to Firefox and beyond, that touch on issues of user control and privacy.
It’s an incredibly active area right now across the industry, and we’re finding ourselves more involved, so I wanted to start writing about these issues as they develop. What’s below is a bit of an effort to divine some meaning from what on its face, looks like a series of unrelated events; however, in aggregate, they suggest a bigger story is unfolding which is that users’ expectations about their ability to control their online information, at least for a growing segment, are not being satisfied.
In the last few months alone, Google Buzz and Facebook privacy practices have made the news more than once, resulting in inquires or complaints in both the EU and the US. The US Federal Trade Commission announced it is planning to create new guidelines for online privacy, and just last week, new online privacy draft legislation was introduced in Congress. (See Boucher bill is here) The US Department of Commerce has started an initiative to explore privacy and innovation, including a notice seeking public comments. Similarly, the EU Article 29 Data Protection scheme continues to evolve as the Working Party adopted its new Work Programme for 2010-2011 with a goal to “address challenges linked to new technological development” In this same period, there have been countless news stories, all of which say they are about “privacy” but -if you read them carefully- mainly appear to be about sharing and user control.
As the New York Times reported recently:
“Consumer groups have been fighting what they see as the prevalence of online tracking, companies like Google and Yahoo have adjusted their own privacy policies in response to consumer concern, and industry groups recently put forth self-governing principles while arguing that free Internet content depended on sophisticated advertising methods.”
Among many privacy thinkers (at least in the US) there is a view that the current “notice and consent” framework doesn’t work very well. Jonathan Zittrain has written much about this already, as well as many others. The online privacy environment is more complex than ever before in part because of:
- new ways to share, track, and analyze information (and accompanying new questions about the definition of “user information”);
- users who want to connect and share (Facebook didn’t get 400M users accidentally); and
- an increasing expectation that users, when they do intend to share, also expect some reasonable control of their information and information about them.
It’s unclear whether the critique of notice and consent is driven by the framework itself, the way it has been implemented (i.e. privacy policies tucked away in the footers), or because of the inherent generative nature of the web. It’s really hard to tell whether the idea is fundamentally bad when the implementation doesn’t work that well.
One alternative framework under discussion contemplates a model with few restrictions on what is collected, but significant and enumerated limits on how the collected information may be used. Others have observed that current models are insufficient because they don’t reflect the changing context of the transaction – meaning privacy norms and expectations change depending on what you’re doing. Helen Nissenbaum suggests a construct called contextual integrity that “ties adequate protection for privacy to norms of specific context.” The concept is developed more fully in her book, Privacy in Context: Technology, Policy and the Integrity of Social Life, which is worth the read.
Recently, we’ve also had the opportunity to share our experiences with some people in policy circles. These have included the FTC, congressional staffers, and the Commerce Department. The discussions have helped me better understand the landscape, and provided a chance to share how our products are designed to help users manage their interactions on the web and control the information that they share.
In future posts, I’ll try to provide a summary of some of the activities here at Mozilla in this area. In the interim, we’ll continue tracking and looking for ways to improve what we do.