This 2009 IGF-USA session description: This session is a discussion of the privacy and security implications of Web 2.0, including the potential influences of emerging technologies and applications such as social networks, cloud computing, online games and virtual worlds.
Katitza Rodriguez, director of the International Privacy Project for the Electronic Privacy Information Center, was the panel moderator. Participants on the panel included Jeff Brueggeman, vice president for public policy for AT&T; Michelle De Mooy, senior associate for Consumer-action.org; Ginger McCall, EPIC staff counsel; and Kathryn D. Ratté of the division of privacy and identity protection of the U.S. Federal Trade Commission.
View video excerpts from this session at the following link:
Online confidentiality and self-regulation among topics covered
Panelists shared their philosophical differences about online confidentiality and self-regulation in a discussion about privacy and security implications for Web 2.0 at the Internet Governance Forum-USA conference Oct. 2, 2009, in Washington, D.C.
All panelists agreed that online privacy remains an important issue, and that corporations have an ethical and legal responsibility to ensure that their consumers continue to enjoy some level of anonymity and confidentiality online. But they disagreed about whether self-regulation or government-enforced standards are the best method to achieve that end.
Ginger McCall, EPIC staff counsel, said companies’ privacy policies are often overwrought with technical and legal jargon, making them difficult for users to comprehend. They become too robust that users often click through them without much acknowledgement.
“Privacy policies, in my experience, are generally just disclosure policies,” McCall said. “They don’t exist to protect users’ privacy. They exist to protect companies from liability.”
McCall said an overriding concern is that the policies often allow companies to change their guidelines at any time often with no notice to the users.
A bigger problem, still, is that companies are able to collect information about users without ever providing them with the information they have gathered.
“One creative suggestion that I might make is that businesses just give consumers everything they know about them,” said Michelle De Mooy, a senior associate of consumer-action.org. “If you’re not a bad actor, it can’t hurt you to give consumers everything you know about them. It can only strengthen your brand going forward.”
Both McCall and De Mooy specifically expressed growing anxiety about cloud computing, which allows Web hosting services to house the documents and data of users on their corporate servers. (Think of Google Docs and Gmail, for example.) So what used to be on a person’s personal computer is now on a larger server.
“It’s great for information sharing and collaboration, but not for privacy,” McCall said. “But it allows companies or outsiders to create detailed profiles of users. We need to see a stronger security system and we need to see companies are following through. There needs to be a strong regulation of cloud computing. There should be binding legal standards, terms of services have to be revised and privacy policies must be more transparent.”
Kathryn D. Ratté, from the division of Privacy and Internet Protection of the Federal Trade Commission, said the FTC supports self-regulation not government directives. She says allowing technologies to emerge promotes innovation.
“Our policy has been to enforce self-regulation,” Ratté said. “We analyze what’s going on in the market and put forth standards to adhere to. The flexibility allows us in some ways to act more quickly. We can just address these issues as they raise issues for consumers.”
Jeff Brueggeman, vice president of public policy for AT&T, said the FTC has laid down an ample baseline for legal protection on the Internet that certainly needs continual monitoring but not government intervention.
“The FTC is taking a proactive but engaged approach,” he explained. “We don’t give consumers enough credit for the value they place on their privacy. More and more privacy is going to be a marketing advantage that companies are going to assert on the Internet. What we want to have is competition to maintain and secure your privacy, as well.”
McCall, though, said self-regulation is not a strong enough policy and that legislation with teeth is definitely possible.
“Self-regulation in the Internet context fails because there’s not really enough transparency about what’s going on and what harm is happening,” she said. “A lack of transparency allows companies to act in whatever manner it wants in the short term to make money. It also suffers from the problem in that it only allows for possible remedies after the fact. Having a real comprehensive regulatory system would allow companies to know what’s permissible and not permissible.”
“The FTC has come out strongly saying that the rules that apply at time of the collection of data have to continue to apply and if there’s a change,” she said. “The company should go back to the customer and get opt-in consent.”
But McCall and De Mooy both said vigorous legislation is possible, and if companies are acting in good faith and treating consumers with respect and responsibility, then they shouldn’t be worried about governmental regulations.
“Privacy policies have their place, but they aren’t really helping consumers,” De Mooy said. “If they’re not working, let’s not bang our hammer against that stone. Let’s try to build something that does.”
* To return to the homepage for Imagining the Internet’s coverage of IGF-USA 2009
MORE From IGF-USA in different formats
– TheWordPress blog includes comprehensive details from every session, written by Colin Donohue, Morgan Little and Janna Anderson, documentary journalists of the Imagining the Internet Center
– The real-time Twittertweets reported by Imagining the Internet documentary journalists are here
– The main site used by the organizers of the 2009 IGF-USA