Schneier on Security
A blog covering security and security technology.
January 8, 2014
The Failure of Privacy Notices and Consumer Choice
Paper from First Monday: "Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy."
Abstract: The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the online environment is not conducive to rely on explicit agreements to respect privacy. Current privacy concerns online are framed as a temporary market failure resolvable through two options: (a) ameliorating frictions within the current notice and choice governance structure or (b) focusing on brand name and reputation outside the current notice and choice mechanism. The shift from focusing on notice and choice governing simple market exchanges to credible contracting where identity, repeated transactions, and trust govern the information exchange rewards firms who build a reputation around respecting privacy expectations. Importantly for firms, the arguments herein shift the firm's responsibility from adequate notice to identifying and managing the privacy norms and expectations within a specific context.
Posted on January 8, 2014 at 8:07 AM
• 10 Comments
Regarding Dave's comment above ("What's needed is proper government regulation of online privacy."):
Given how hard the government has worked to invade our personal privacy, do you really believe that they would respect any legislation intended to protect that same privacy that they themselves may pass?
I would like to believe that this would be the case, but precedent sadly prevents me from doing so.
Not to go too far into the weeds, the paper pretty thoroughly explains why the current approach to privacy and data use is absolutely hosed and inappropriate to the Internet. A dumb, boilerplate solution (notice and consent) to an infinite number of contextual privacy situations.
It's good that the author rejects government solutions to the web privacy problem. That would merely be a bigger, dumber, thicker kind of boilerplate fix. And so the author rightly points back to market approaches, using the diamond, rubber, rice, and other markets for comparison. (The web, on the other hand, is a completely unbalanced - you might say dysfunctional - transaction environment with a gross imbalance toward providers, not users.)
I couldn't really get a good fix on the author's thinking about the actual economics of today's web, where users are consistently *undervaluing* their data and providing it to companies that understate the value of the transaction (simple math shows that Google alone shows a net profit of maybe $120.00 a year for each user's information).
It'll take a real market solution to solve this problem. I have no doubt that the founders of Google, Facebook, and the rest are wondering just when their gig will be up. I don't think that's too far off.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.