Schneier on Security
A blog covering security and security technology.
« Verifying Elections Using Risk-Limiting Auditing |
| Yet Another Risk of Storing Everything in the Cloud »
August 7, 2012
Peter Swire Testifies on the Inadequacy of Privacy Self-Regulation
Ohio State University Law Professor Peter Swire testifies before Congress on the inadequacy of industry self-regulation to protect privacy.
Posted on August 7, 2012 at 1:45 PM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Mr. Fox, welcome to the Hen House.
I found this testimony depressing. I certainly don't share Bruce's conclusion that Swire says self-regulation is inadequate; to me he seems to harp on it as if it's some kind of moral good.
He concludes "...personally I would not like to have an Internet where I believed that each moment of my browsing might be easily breached and shown to the entire world. ...That is not the experience we have today."
It sounds to me exactly like the current state of affairs: Swire's assessment, and his professed optimism, seem 20 years out of date. And this is the guy advocating *stronger* privacy protections?
Nowhere does he actually explain how he is able to decide what are the proper trade-offs that consumers and the industry should make, or why such trade-offs should be centralized and monopolized (a single approach forced on all).
The truth is that competitive forces and consumer choice allow features to evolve and better trade-offs to emerge. Privacy is just another feature which services compete on to respond to consumer preferences and demand. But central planners are eager to apply their own views and preferences, at the point of a gun if necessary (but it's for your own good).
I had a laugh at his first point "The threat of government regulation spurs the adoption of self-regulation."
Nobody would call industry regulation under threat of government action "self-regulation". It has nothing voluntary, the gun is simply in the back-pocket. I have experienced it firsthand on a few occasions and it is very clear that the decisions are geared towards would-be-regulators, not towards consumers (which is usually the focus).
"Privacy is just another feature which services compete on to respond to consumer preferences and demand. "
I do not know whether the business keeps my password in a plaintext or not. There is no way to know. I have no access to almost any information required to decide whether my data are safe or whether the company collects more than I would agree with.
There is no self regulation, because the customer is not in position to be able to decide these things.
Self-regulation is a myth. The 2007-2008 financial crisis is but one of the countless examples showing us time and time and again how well this works.
"For you and your families, it would reduce the quality of the Internet if you thought that any page you visited needed to be treated like something that might be released to the public. That is not the experience we have today."
Only because users are ignorant of what actually happens when they visit pages. If users were more familiar with what was actually happening then it would be the experience we'd have. It's certainly the experience _I_ have.
I agree when self-regulation is substitute for government regulation. You are right especially for banks.
For me it is like set up rules in the prison by inmates or set up rules in the mental hospital by patients.
That is what self-regulation is about when stands alone.
My vision is that minimum standards for consumer privacy protection in plain English should be set up and enforced by government (legislators or Agency like FCC/FTC). Then self regulation could only implement better protection than minimum government standard established. That will combine public and business interests for the sake of consumers (first), then service providers(second).
I've written a forthcoming book chapter on why self-regulation is unlikely to lead to "proper [privacy] trade-offs that consumers and the industry should make".
@abc says "I do not know whether the business keeps my password in a plaintext or not. There is no way to know."
True, just like I don't know whether a business encrypts my credit card on their server.
That is foreseeable and consumers can decide that they are not getting enough guarantees to earn their trust, and so abstain from using the product.
This is a problem for the producer to solve, as opposed to consumers.
As a business, you therefore have to come up with ways to signal that you are indeed doing the right thing. For example, you can offer guarantees (contract), commit publicly (put your reputation on the line), submit yourself to audits (trustEE, Underwriters Laboratory), or rely on other well-known provider (VISA certification).
If you want to give consumers confidence that you offer a high-security product, pay Schneier's company to do penetration testing, or offer a bounty for hackers to try and breach your systems.
Don't know where you live, Julien.
Where I live, corporations lie.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.