Privacy Update from Barcelona

I have just arrived in Barcelona for the Mobile World Congress.  More than 60,000 people focused on mobile technologies have converged at this annual event to hear and see the latest from carriers, device makers, platforms, app developers and more.  It is clear from the smart phones and tablets displayed on the show floor that the next generation of smart devices will be faster, more powerful and more integrated with consumers’ lives.  More than batteries or chips, our personal information is what truly powers these devices.  Our address books, location, network of friends, emails and text messages, when used wisely by these small computers, empower us to be smarter and to do more.  As additional sensors are added to capture new kinds of data and as the use of phones to make purchases spreads more widely, these machines will have more intimate data about us than any government or corporation ever did.

 

Who is the real custodian of these new rich data streams?  The ecosystem for the mobile consumer is quite complicated.  Mobile platforms, app developers, device makers, carriers, analytics companies, ad networks, social networks, chip companies and others are all part of the equation.  The battle between consumer tech titans like Google, Apple, Microsoft, Amazon and Facebook is being played out as each company seeks to link consumer identity and data across smartphones, desktops, search engines, email, social networks, ad networks, payment systems  and more.  Google’s privacy policy consolidation slated to become effective in a few days has captured the lion’s share of attention, but it is Apple that has been the most effective at linking consumer data across every aspect of its services.   European regulators have proposed a privacy law that seeks to put the data genie back in his bottle, but consumers have voted by expressing delight in Steve Jobs vision by making Apple the most valuable company in the world.  Yet at the same time, consumers continue to express alarm at the misbehavior of apps that grab too much information and many regularly clear cookies in the hope of protecting their privacy.

 

How can it be that consumers deeply love the brands that privacy critics single out for criticism?  Although Google now trails Apple in some measures of brand value, it too continues to be one of the handful of globally respected consumer brands.   Do the regulators and privacy advocates know something that consumers don’t?  Or do consumers value the benefits of these technologies and willingly make the privacy trade-off? I am looking forward to discussing this and more at my panel tomorrow.

— Jules Polonetsky

White House Announces New Privacy Framework Including Consumer Privacy Bill of Rights

Yesterday, the White House released its long-awaited Privacy “White Paper” that outlines the Obama Administration’s proposal for a new American privacy framework.  The more than year-long process that culminated in today’s release of the White Paper began in December 2010 when the Department of Commerce’s Internet Policy Task Force released a “Green Paper” entitled:  “Commercial Data Privacy and Innovation in the Internet Economy:  A Dynamic Policy Framework.”

 

The Internet Policy Task Force utilized a multi-stakeholder approach to create the policy paper, consulting with “stakeholders in industry, civil society, academia, and government” during the drafting process, as well as considering the numerous written responses it received pursuant to the publication of the Privacy and Innovation Notice of Inquiry.  The drafters stated that the majority of the written responses they received indicated that there is a “compelling need to ensure transparency and informed consent, to provide additional guidance to businesses, to establish a baseline commercial data privacy framework to afford protection for consumers, and to clarify the U.S. approach to commercial data privacy—all without compromising the current framework’s ability to accommodate customer service, innovation, and appropriate uses of new technologies.”  The earlier version of the paper included policy recommendations under four broad categories:

 

 

The White Paper released today by the Administration addressed many of the issues brought to light by and built on many of the recommendations set forth in the earlier version, the Green Paper, and the more than one hundred comments received in response to the publication of the Green Paper.  The Administration addressed those issues and recommendations by setting forth a new privacy framework that consists of four key elements:  (1) a Consumer Privacy Bill of Rights; (2) a multi-stakeholder process to determine how these rights will apply in specific business contexts; (3) an effective enforcement model; and (4) greater interoperability between the privacy frameworks of the United States and its international partners.

 

Consumer Privacy Bill of Rights

 

The cornerstone of the Administration’s privacy framework is the Consumer Privacy Bill of Rights, which adapts the decades-old Fair Information Practice Principles (FIPPs) to the interconnected and interactive world that we live in today.  The Privacy Bill of Rights applies to commercial uses of personal data and seeks to provide greater privacy protection for consumers and greater certainty for businesses.  There are seven core rights that comprise the Privacy Bill of Rights:

 

 

In a media teleconference about the White Paper, FPF’s Jules Polonetsky stated that a key point of framework is that the Administration calls on “consumer-facing companies [to] act as the stewards, as the ones responsible” for consumers’ privacy.  He noted that although this seems like a logical arrangement, it is not the way the online ecosystem has worked in the past.  By calling on consumer-facing companies to take responsibility for consumers’ privacy, the framework seeks to align business practices with consumers’ expectations about who will safeguard their privacy.

 

Multi-stakeholder Process

 

The Administration’s framework contemplates a multi-stakeholder approach that will produce enforceable codes of conduct that implement the Privacy Bill of Rights.  The multi-stakeholder approach is championed by the Administration due to the “flexibility, speed, and decentralization necessary to address Internet policy challenges.”  FPF’s other co-chair Chris Wolf, praised the Administration for eschewing a one-size-fits-all approach and instead opting for flexible codes of conduct, stating that “the call for enforceable codes of conduct is a sensible way to address privacy.”   In addition to flexibility, the speed with which the multi-stakeholder process can produce solutions—as compared to the regulatory or law making process—is also appealing due to the constantly-evolving nature of privacy issues.  Jules noted that “many [privacy] issues are moving so quickly that if you don’t achieve success in the short term, [they] can outrun you.”  The Administration has tasked the Commerce Department’s National Telecommunications and Information Administration (NTIA) with spearheading the multi-stakeholder process, and Polonetsky commented that he expects NTIA to start the process by releasing a Notice of Inquiry sooner rather than later, so that quick wins can be achieved.

 

Strengthening FTC Enforcement

 

In the White Paper, the Administration highlighted the importance of the FTC in maintaining a level playing field by ensuring that businesses adhere to their privacy commitments and punishing those that do not.  The Administration stated that a business’s commitment to adhere to a voluntary code of conduct will become enforceable under Section 5 of the FTC Act, analogizing the situation to the FTC’s power to enforce the promises and representations businesses make in their privacy policies.  However, the Administration also noted that one of the benefits of adhering to a code of conduct is that in “any enforcement action based on conduct covered by a code, the FTC will consider a company’s adherence to a code favorably.”

 

Promoting International Interoperability

 

Referring to the differences in national privacy laws that create challenges for businesses that wish to transfer data across national borders, the Administration stated that it is “critical to the continued growth of the digital economy that they strive to create interoperability between privacy regimes.”  The Administration expressed its desire to promote international interoperability by pursing mutual recognition of commercial privacy frameworks, international codes of conduct based on the multi-stakeholder process, and bilateral or multilateral enforcement cooperation.

 

Calls for Privacy Legislation

 

At the conclusion of the White Paper, the Administration called on Congress to adopt the Consumer Privacy Bill of Rights and provide the FTC and State Attorneys General with the power to enforce those rights.  However, Polonetsky pointed out that it is unlikely that Capitol Hill will act on this suggestion in the short term.

 

In addition, the Administration expressed support for creating a national standard for security breach notification, which would replace the state breach notification laws that are currently enacted in 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands.  The Administration noted that the “patchwork of State laws creates significant burdens for companies without much countervailing benefit for consumers.”

Feb. 23, 2012 – "Do Not Track" Web Button Part of Online Privacy Bill of Rights. Marketing Vox

FPF Issues Statement on California Mobile Application Agreement

Statement from Future of Privacy Forum Director Jules Polonetsky:

“We commend California Attorney General Kamala Harris and her staff for reaching this agreement among the major application platforms.

Apps can only provide innovative services to consumers if they use personal information responsibly.  If apps surprise consumers by grabbing information that isn’t needed or by surprising consumers, they risk losing access to user data. The California agreement will ensure that consumers are protected and that the app environment continues to flourish.

Providing a privacy policy is only the first step for app developers, however, it is an essential first step.  Unless an app company documents its practices and figures out how data is actually being used, its staff has no chance of complying with any set of rules.  Previous Future of Privacy Forum app privacy surveys have shown that only one third of apps today provide users with any type of privacy policy.

Although the primary responsibility for app privacy should be with the app companies themselves, app platforms can play a key role in helping engage and educate developers.  For a long time the developer excuse was that they didn’t have the resources, the legal support or the time.  Today, with resources like our site,  ApplicationPrivacy.org, and privacy policy generators provided by TRUSTe and PrivacyChoice.org, there is no excuse anymore for app developers not to provide consumers with privacy policies.

In December 2011 FPF together with CDT released a beta version of our “Best Practices for Mobile Application Developers”. The guidance seeks to serve as a primer for developers who are not necessarily privacy experts themselves.

On April 25, 2012 FPF together with the Application Developer Alliance (ADA) will host an App Developer Privacy Summit to discuss “The Complex App Ecosystem.” The event will examine the important privacy challenges and opportunities facing the app ecosystem and will include app developers, platforms, advertisers and privacy experts who will discuss how to ensure a trusted consumer environment for continued growth in the dynamic app market.”

Feb. 22, 2012 – Apple, Google, Microsoft Agree To California Mobile Privacy Protection Standards, CRN

Feb. 17, 2012 – FTC Slaps Apps For Lax Privacy Disclosures, MinOnline

West Coast App Developer Privacy Summit

Save the date!

FPF, in partnership with the Application Developers Alliance and the Stanford Law School Center for Internet and Society, will host the App Developer Privacy Summit on April 25, 2012.

The event will examine the important privacy challenges and opportunities facing the app ecosystem and will include app developers, platforms, advertisers and privacy experts who will discuss how to ensure a trusted consumer environment for continued growth in the dynamic app market.

The Application Developers Alliance serves developers of every type, across all languages and platforms. App devs have unique needs as business people and as innovators. Our members are developers of all languages committed to shaping the future of the development industry. Anyone who creates software or is invested in bringing great ideas to market can be a member of The Alliance.

The Future of Privacy Forum is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

App Developers Privacy Summit

Where: Paul Brest Hall, Stanford University, Palo Alto, CA

When: Wednesday, April 25, 2012

To see the App Developers Privacy Summit flyer, please click here.

To RSVP, click here.

Please contact Carolyn at [email protected] for more information.

Media – Please contact Beth Sullivan at [email protected] or 202.550.4401 for more information and to register.

Feb. 14, 2012 – Online privacy real concern for 90% of US Internet users, BizReport

1.24.2012 “The Collection of Online Consumer Data: The Good, The Bad, and The Unknown.”

Jules Polonetsky moderated a panel called “The Collection of Online Consumer Data: The Good, The Bad, and The Unknown.”  The panel discussed multiple privacy related issues including the manner in which companies use data and protecting consumer data through privacy measures.

Feb. 10, 2012 – Senators Consider Banning Automatic Media Sharing on Facebook, Tech News Daily