May 9, 2012 – Privacy, information sharing issues loom in world of apps, KTVU News

Growing concerns over privacy with smartphone apps have gotten everyone from the courts to the federal government to industry leaders entering the debate, but a solution may still be a long time coming.

Missing the Consumer Value of Social Media

I love Consumer Reports. I rely on the magazine for top-notch reviews. Their testing of consumer products is unbiased and invaluable to anyone who takes both price and value seriously. I am currently looking to purchase a quality home treadmill and was pleased to see that a recent issue included a detailed report based on hands-on testing and detailed consumer surveys. But before I make a final decision, I will reach out to my Facebook social network friends for their input. Some of them will have personal experience researching this type of purchase, others will know me and my foibles and perhaps advise that I get one that works with the new fitness apps available or a longer track so I don’t fall off while multi-tasking.

Facebook and other social media tools have empowered consumers more than any other development in many years, except perhaps for the creation of Consumer Reports itself.  Consumers have a megaphone to voice and spread their concerns about any business or product in a way that demands a reaction.  Companies dedicate special teams to follow opinions about their brands on social media and employ specialists to respond to individual concerns.

Certainly social media has its downsides.  Despite improvements in recent years, privacy controls are still not intuitive.  For years, posting online was public while email and chat were private.  Now, depending on our settings and which service we are using, our posts may be public, our pictures may be private and our location check-ins may be available to “friends of friends”.  It can get very complicated.

What’s the point of sharing with a friend of a friend? The other day I was complaining on Facebook about a new airplane baggage fee when a friend responded to commiserate.  But then she tagged her friend the travel agent who jumped in with great expert advice about how to avoid that fee.  Privacy concerns about sharing my travel plans?  In my neighborhood, folks on my block and friends of my kids know when we are on vacation.  If I forget to stop the newspaper delivery, they pick it up for me.  Don’t announce it to the general public, where some crook may scour public information for evil purposes.  But online or offline, sharing with your friends or community does far more to empower most of us than it does to create any new risks.

I was surprised, therefore, to see the harshly negative general view Consumer Reports took towards Facebook in the issue released yesterday. I expected criticism of the usability of privacy controls or complaints about apps that ask consumers for more information than they need. Facebook is aware of those issues and is working with our think tank and others on the best ways to continue to make progress ensuring that the thousands of developers who create their own consumer apps use data responsibly. But Consumer Reports seems to be taking the view that social media sharing is by definition a bad idea, even when people are sharing with their own friends. True, things posted privately can be further shared, but that’s the case with much of what we do online and the price for convenience we make every day when we use email to send information around the world.

Consumer Reports notes with alarm that millions of people are publicly showing support for the battles against various illnesses by publicly “liking” pages dedicated to the diseases.  I would like to urge more consumers to “like” the fights to cure and de-stigmatize disease.  And I think it is preposterous to think that if I announce that I am attending a march to raise money to fund breast cancer research that an insurer will be able to use it against me.  Are there any companies that are mistreating people for such activity? I would like Consumer Reports to find out, so I can denounce them on Facebook for my friends to read and pass on and on.

It was also surprising to see media reports alarmed at Consumer Reports finding that 13 million people were unfamiliar with Facebook privacy controls.  With 188 million users in Facebook and Canada (the regions surveyed) this means that more than 90% of users say they are familiar with the controls.  That is remarkably positive!

Certainly folks who post compromising pictures or comments, on Facebook or on blogs or anywhere public, should understand that friends, employers, colleges, prospective dates will judge you. Do a search using Google and see what shows up. You have a digital identity that is being used to assess you, just like the clothes you wear every day and the people you associate with form your public identity. As more is available online, Facebook, Google and others need to help us shape that identity to put our best self forward to those who are interested in us. Which online services are doing the most to help consumers pro-actively shape their reputations and empower them to make smarter decisions? That’s the Consumer Reports study that I would like to see. But by applying a pessimistic eye towards social media in general as it conducted this survey, this month’s Consumer Reports magazine isn’t going to be a “best value” for today’s online consumer.

 

-Jules Polonetsky

Big Data Research

TechAmerica hosted a Congressional Briefing, Big Data: What it Means and How it Drives Innovation, this week. The event’s distinguished panel included a variety of industry experts and focused on the meaning of “Big Data”, how data is being used in the marketplace, government uses of “Big Data”, and the future of “Big Data”.

The panel explained that “Big Data” as a concept has existed for several years and is also referred to as “Data Mining”. The terms refer to the processing, or mining, of large raw data sets with the goal of establishing usable information. Often-cited examples of Big Data use are identity verification, market research, and fraud protection.

Despite not being a new concept in itself, the evolution of technological capabilities is changing the way in which Big Data is used. Heightened data processing capabilities mean that analysis can be done with larger data sets and using fewer resources. Essentially, this is changing the way that companies analyze data and allowing them to develop more insights through their analysis.

Bill Perlowitz, CTO of the Science Technology & Engineering Group at Wyle, illustrated the emerging form of data analysis as a shift from hypothetical research to data driven research. Rather than analyzing data to reach pre-determined information goals, actors can now process data to establish their goals and reach new factual assumptions. Big Data Research is no longer limited to what researchers can imagine.

This shift in analytical paradigms highlights two factors that could lead to privacy concerns. First, the new model relies on large amounts of data, which incentivizes companies to collect and retain data on a larger scale and for longer periods of time. This can potentially conflict with privacy practices such as data minimization and purpose limitation.

Second, the new data driven research model, which no longer necessarily relies on a pre-established research goal, maximizes the factual discoveries that are established in each analytic cycle. When the data is about individuals, insights gleaned can potentially be intrusive by nature.

The increased usability of Big Data is placing strain on companies that deal with personal information to maintain privacy practices. How can companies maintain privacy under these circumstances? For Nuala O’Connor, privacy lead at General Electric, industry actors should focus on good data stewardship and establishing best practices to keep data confidential. Ms. O’Connor indicated data de-identification as an example of a good privacy practice. However, though potentially mitigating privacy threats, de-identification is not a privacy ‘silver bullet’. Mainly, some data processors question whether de-identifying data could limit its usability and may therefore be reluctant to use the privacy practice.

As Big Data becomes increasingly accessible and usable, good privacy practices are also contingent on policy-makers’ and companies’ ability to balance privacy with the gains expected from data analysis. This involves making a value judgment regarding what appropriate data uses are. As indicated by Jules Polonetsky and Omer Tene, “It is doubtful that such a value choice has consciously been made”. Privacy leaders would do well to begin to consider both the tools that can promote privacy protections when data is used and the societal merits of the use of Big Data.

-Julian Flamant

Swire Presents at Privacy Working Group

On April 26, FPF Senior Fellow and Ohio State Professor Peter Swire gave a presentation to the Privacy Working Group based on his forthcoming article in the University of North Carolina Law Review, entitled “Social Networks, Privacy, and Freedom of Association: Data Empowerment vs. Data Protection.” The presentation focused on Swire’s new research exploring how social networks, such as Facebook and LinkedIn, are platforms for association, and Swire explored how to establish a legal framework regarding social networks.

Swire examined some of the complex benefits and risks of social networks. Social networks can inadvertently reveal very personal information about individuals and increase privacy concerns. On the other hand, social networks can be used for political mobilization and allow people to freely voice their opinions, such as during the Arab Spring or the 2008 presidential campaign. Indeed, social media has become increasingly essential to associational activity; Swire pointed out that virtually all charities in the U.S. use some form of social media and political campaigns are increasingly relying on social media, too. Social networks, therefore, are an important way people can exercise their First Amendment rights to freedom of association and speech.

Privacy, Swire pointed out, can both help and hinder freedom of association and speech on social networks. Privacy can be essential to protect politically unpopular organizations from harassment. For example, in 1957 the Supreme Court found that the NAACP did not have to divulge its membership lists to the state of Alabama as this would chill free speech. Conversely, privacy controls can make it very difficult for political organizations to find new members, for example by preventing them from easily contacting new potential members.

Swire also explored how the concepts of data empowerment and data protection impact social networks. In the U.S., the debate frequently centers around how to use data in innovative ways (data empowerment). Technology can consequently be used to empower the creation of new associations, a right enshrined in the First Amendment. Meanwhile, in the E.U., the debate frequently focuses on how to protect privacy (data protection). Data protection implies that data is fundamentally risky, and that users’ rights frequently outweigh the utility of new uses for data. The tension between these two outlooks can lead to a conflict between rights: freedom to associate vs. privacy.

There are therefore a number of complex legal issues surrounding social networks that have yet to be decided. Swire’s presentation and research are an important step in determining what this framework should look like. However, the details of this legal framework will be very difficult to determine, and as Swire ironically pointed out, “this may turn out to be just as easy as campaign finance reform.”

-Steven Beale

Please find a link to the presentation here.

May 3, 2012 – Only 13M people ignore Facebook’s privacy tools. The rest of us know what we’re doing, VB

Thirteen million people do not use or pay attention to their privacy settings on Facebook, according to a study by Consumer Reports today.

Trans-Atlantic Policy Dialogue Hosted by FPF

On April 27th, the Future of Privacy Forum hosted a trans-Atlantic policy dialogue at Facebook’s headquarters in Menlo Park, CA. The participants included EU Data Protection Supervisor Peter Hustinx; Article 29 Working Party Chair Jacob Kohnstamm; Sjoera Nas from the Dutch Data Protection Authority; and Daniel Weitzner, the Deputy Chief Technology Officer in the White House Office of Science and Technology. Also attending were chief privacy officers from major technology and consumer-facing organizations and advocacy group representatives. Following an introduction by Facebook Vice President Elliot Schrage, FPF Senior Fellow Omer Tene and Co-Chairs Christopher Wolf and Jules Polonetsky led a conversation with the US and EU officials.

Steven Beale

Steven Beale was a Policy Analyst at the Future of Privacy Forum. His work focused mainly on encryption, government access to data, and the smart grid. Prior to joining FPF, Steven worked on Intel Corporation’s Security and Privacy Policy team and also served for a year with AmeriCorps in St. Louis. He graduated summa cum laude from Hamilton College and was elected to Phi Beta Kappa.

 

App Developers Summit – Gallery


Joseph Jerome

Joseph Jerome is a policy counsel at Future of Privacy Forum. At FPF, Joseph’s issue portfolio focuses on big data and the Internet of Things, where he works on de-identification standards and educational privacy questions. He is interested in questions around transparency and accountability mechanisms in data use. Prior to joining FPF, Joseph served as a national law fellow at the American Constitution Society, where he edited legal scholarship and organized programming addressing civil liberties and national security questions. He is a graduate of New York University School of Law, where he was an International Law and Human Rights Student Fellow in 2010.

 

Mobile Payments: Why so Scary, America?

Mobile payment systems are a relatively new technology that has sparked the interest of lawmakers, federal agencies, academics, and privacy advocates. The question they are all asking is why are Americans not taking advantage of a system that promises to significantly increase economic efficiency and convenience?

When it comes to mobile payment systems, the United States is lagging far behind in usage compared to Europe, Japan, and South Korea. A recent study conducted by the Federal Reserve revealed “perceptions of limited usefulness and concerns about security are holding back the adoption of mobile financial services,” with only 12 percent of mobile phone owners reporting that they made a mobile payment in the last year.

Electronic wallets serve multiple functions on a single device, fully emulating physical wallets by retaining cash, transaction information, and identification and authentication information. They can capture and transmit data on a device that can replace the need for loyalty cards, transit cards, movie tickets, parking tickets, keys, and ID cards. It is clear that both consumers and merchants alike stand to benefit significantly from the new mobile system. And yet, the Federal Reserve reported that more than a third of consumers who don’t use mobile payments either don’t see any benefit from using mobile payments or find it easier to pay with another, more traditional method.

Security

According to statistics published by the Federal Reserve, security concerns were the primary reason given for not using mobile payments (42 percent) and the second most common reason for not using mobile banking (48 percent). At the FTC’s Mobile Payment workshop on April 26, 2012, panelists convened to discuss the security and privacy implications if such a system were to be adopted on a larger scale. Bradley Greene, Senior Business Leader in the Mobile Products division at Visa, stated that mobile payment systems have the potential to add levels of security for consumers through distinct features, including locked payment credentials with only the bank having access; dynamic authentication and data; and configuring the use of a passcode for transactions within the device.

As security practices have yet to be standardized, “mobile payments as related to security are the wild wild west,” said Paul Rasori, Senior Vice President of Marketing at VeriFone Systems. Ben Milne, CEO and Co-Founder at Dwolla, noted that security is a network architecture issue regarding mobile payments, raising the concern that personal information can be stolen from any number of service providers without the user’s knowledge. Yet when implemented correctly and with proper security measures in place, a mobile device should be more secure than a physical credit card, said Milne. As an additional security measure, companies should start from the assumption that “bad” data will be passing through systems. To that end, he suggested building procedures to discard such data as well as data no longer needed for its intended purpose.

Privacy

The success of mobile payments hinges on establishing user trust through transparency, said Pat Walshe, Director of Privacy at the GSM Association. “Privacy by design is really the key for mobile payments,” said Harley Geiger, Policy Counsel at the Center for Democracy and Technology. According to Geiger, users should be provided with controls over the collection of information for the purpose of marketing, and not every purchase should be the equivalent of joining a loyalty program. Update: Geiger also wrote a detailed blog post explaining the privacy issues with mobile payments.

These principles are in line with the findings from a survey conducted by the Berkeley Center for Law and Technology, revealing that a majority of Americans objected to having their personal information shared at the point of sale. In particular, 65% stated that they would definitely not allow sharing their telephone number with a store where they purchase goods. Moreover, despite the fact that mobile payment systems can enable unique consumer information to be passed to the retailer, the authors suggest that retailers should be prohibited from obtaining this information automatically without the consumer’s consent. “An opt-in standard on a per-transaction basis could empower consumers to share where they find it appropriate but block this information collection and sharing by default.”

Others on the panel argued that the government should be careful not to anticipate unimagined advances in order to avoid speculative harms, particularly as this technology is just beginning to emerge. “A dozen years ago, the prospect that a company would know your reading habits and use that was something that seemed suspect. Today, personalized book recommendations on the Internet are an offering most couldn’t have envisioned and few would want to give up. With comfort the public often embraces change; the uncertain future becomes the popular now,” said Mallory Duncan, Senior Vice President and General Counsel at the National Retail Federation.

Looking to the Future

An effective mobile payment system must have the proper infrastructure in place with all the players working together, due to the intricate interdependent nature of this ecosystem. Currently, the two major competing mobile payment services are Isis, a joint venture formed by AT&T, T-Mobile, and Verizon, and Google Wallet, backed by Visa, American Express, Discover, MasterCard, Nexus, and Sprint. As these providers compete to bring these services to the market, the evidence is clear that privacy and security will play a key role in paving the path to consumer adoption.

 

-Lia Sheena