Tuesday, September 27, 2011

If You're Not Paying For It, You're the Product.

I heard the above on a Wired Storybook Podcast interview with Ryan Singel, who is returning as an editor of Wired's Threat Level blog.  One origin for that insight into the price of online services is found here.

The knowledge that Facebook and Google and other companies gather and share information about individuals in exchange for their "free" services raises the question again of what kind of privacy we can expect or demand in the information age.

In the United States there is no general constitutional right to privacy for personal information. The federal (and to a lesser extent, state) statutory frameworks designed to protect personal information are largely industry-based. For example, HIPAA covers protected health information, Gramm-Leach-Bliley protects consumer financial information, and the Fair Credit Reporting Act and FACTA protect personal credit information.

The South Carolina General Assembly recently recognized the value of personal information by enacting the South Carolina Financial Identity Fraud and Identity Theft Protection Act.

So, although you may be able to prevent a business from sharing your information with others or disclosing that personal information without your consent, or exercise the right to correct inaccurate information about you, you don't have the right to demand that a company delete information about you.

By contrast, as Natasha Singer points out in a New York Times article "Just Give Me the Right to Be Forgotten" the European Union has a Data Protection Directive giving consumers the right to withdraw their permission for a company to store their data. 

Data breaches and our knowledge of the myriad ways in which information is being collected may push the U.S. in the direction of the E.U. notions of privacy.  The Federal Trade Commission, very active already in enforcing privacy rights, security obligations, and prohibitions against misleading advertising and marketing, has issued its initial staff report:  Protecting Consumer Privacy in an Era of Rapid Change.  The FTC proposes a "keep as needed and only for as long as necessary" approach, one that would minimize collection of personal information on the front end and give it a limited shelf life.

In the meantime the FTC counsels consumers to read the privacy policies of the sites they visit and the companies with whom they do business. However, privacy policies are not always straightforward, plain, or exciting reading, and most beome aware of the settings they've consented to well after sharing information. One recent example is the revelation that LinkedIn's default privacy settings authorized that company to use a subscriber's photos and other information for "social advertising."

Ultimately I tend to agree with Clive Thompson, who believes that the privacy nightmares (and a host of other problems with the online world) would be solved if these companies charged us a fair price for the things we want.

At the very least, under that model we would be customers and not products.