Best Practices for Both Sides of the Privacy Divide

Experts agree that consumers and businesses could do a good deal more to make web privacy more workable for both parties. They offered these tips, first for consumers:

  • Sterling thinks Google’s Eric Schmidt was onto something when he said, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Sterling says, “He took a lot of flak for that, but there’s a kernel of truth there. I think people have to regard almost everything that they’re doing online as public information.” Europe has the right to be forgotten, which allows a person to request that personal data be removed from a search engine, but that privacy tool hasn’t made it across the pond, so it’s very hard to remove anything that you say online, Sterling says.
  • Use available privacy settings on all frequently used applications, especially on Facebook, in which people are more likely to post personal information. Current or future employers could be scouring sites and looking for information that may be sensitive, Sterling says.
  • Use a browser’s incognito mode. “Say I’m looking for an engagement ring,” says Jerome. “I would use a different browser for that than I would if I was just surfing Facebook. I don’t think that’s too overwhelming. It may not be necessarily intuitive.”

These are the tips for marketers:

  • Have a plain-language privacy policy. Sterling says that very few users actually read them, and even if they do, the verbiage is hard to decipher. He thinks users realize their data is being used for certain purposes-to display relevant ads, for example-but that they’d have fewer qualms about the use of the data if how it was being used was clearly explained. For instance, take apps. “It’s like you get an app, you download an app, and it immediately wants to send you notifications, like we want to use your location, all that stuff. ?Tell me why. Help me understand that kind of stuff,” Sterling says.
  • Practice “surprise minimization.” “In privacy now, increasingly, we talk not so much about collection limits or fair information practices but just using data in context,” Jerome says. “So companies and organizations need to be using information in ways that don’t surprise their consumers in ways that they wouldn’t want. The principle of surprise minimization was actually something that the California attorney general put forward in their mobile privacy best practice guidelines, and so that’s sort of something that we always are trying to tell companies to be mindful for. Don’t try and surprise your users, or if you’re going to surprise your users be really, really sure you’re going to surprise them in a way they want.”
  • The Future of Privacy Forum’s site has dozens of examples of best practices in categories including apps, social media, and texting.


Facial Recognition: Privacy’s Next Frontier?

Facial recognition could be the next skirmish in the privacy war. The National Telecommunications and Information Administration (NTIA) talks regarding the commercial use of facial recognition technology hit a snag in June when several privacy rights groups walked out, saying that “companies wouldn’t even agree to the most modest measures to protect privacy,” according to an Electronic Frontier Foundation (EFF) press release.

The battle over who owns your face has been playing out in hearing rooms and at tech companies such as Google and Facebook, which are already using the technology to sort photos that users upload, says Jerome. He says that this isn’t the type of facial recognition “that anyone is super concerned about,” because they’re doing it with user consent. Jerome thinks that “the NTIA may have been a little bit too ambitious tackling [facial recognition] as a second effort.”

He explains that building consensus around privacy issues such as facial recognition can be very difficult, “particularly when it’s a technology that hasn’t been around. Obviously, facial recognition is pretty sophisticated at this point, and a lot of folks are using it. But it’s not necessarily a mature technology, and it’s certainly not a technology that has really gotten into the public awareness.”

Carl Szabo, policy counsel at ?NetChoice, a group that is still involved in the NTIA talks, agrees that the marketplace needs to work out some of the technology’s kinks before regulation is imposed. “What I don’t want to see happen is fear about potential misuse leading into legislation that prevents really cool innovation. What we are doing and what we, as an industry, can do is create guidelines and rules of the road,” he says.

One person’s privacy is another person’s convenience, Szabo says. What if Target’s facial recognition system identified you as soon as you entered the store and recognized that you had a package to pick up-and an associate handed it to you? Is it creepy or convenient that you didn’t have to wait in line and show your driver’s license or credit card to get your package? “That’s the line we’re constantly trying to walk with technology,” says Szabo.

One of the many challenges that facial recognition presents is obtaining consent from users. Is a shopper consenting to facial recognition by walking into a Target? Jerome says it’s not clear that it’s illegal to use facial recognition in public spaces, as “it’s a First Amendment issue.” “So that’s what I think makes this NTIA process so difficult because you’re trying to get privacy advocates and industry to sort of go far above and beyond what would be legally required in a space where the rules just aren’t very clear,” he says.

The Future of Web Privacy

The murky state of web privacy is likely to get worse before it gets better, experts say, as it may take a major data breach or serious misuse of privacy by a major company before consumers and the federal government demand (and get) regulation. In lieu of that, issues will bubble up and be discussed.

Bryan Ford, an associate professor in the school of information and communications at Switzerland’s Federal Institute of Technology Lausanne, believes that the Internet of Things (IoT) will be the next privacy headache. “A ton of vendors are running headlong into adding internet connectivity features to their toasters and light switches-and everything they can possibly think of-and not even pretending to deal with the very difficult security problem this creates.”

Jerome agrees that the IoT is a future concern, adding that biometric data is “highly sensitive, highly personal, and who has access to them can be really important.” Passwords are difficult to remember, so using biometrics makes sense, but protecting that data could be problematic, he says.’s Neivert reminds consumers that they do have a good deal of control over their online privacy, if they choose to exercise it. “Think about who you are giving your information to. It does matter. Some companies are better than others. Certain companies, I know, it sounds a little weird, but if you think about it, Facebook and Google have never been breached,” he says.

Facial recognition, the IoT, online threats-there doesn’t seem to be a shortage of privacy concerns for consumers or businesses. It seems to be in the best interest for both sides of the privacy battle to reach a kind of détente, before the government steps in and legislates one.