On Wednesday, I was thrilled to take the stage alongside two longtime privacy heroes of mine, Pam Dixon and Peter Swire, and Bret Swanson at an AEI event discussing how stakeholders from industry, users, and privacy advocates can work together to craft rules that meaningfully protect individuals’ privacy while providing companies flexibility for future innovation. // Video starts at the beginning of the group panel.
My third guest spot on the Privacy Advisor Podcast was a quick turn around, as a sick version of myself joined Angelique Carson to discuss our impressions of back-to-back congressional hearings on federal privacy legislation:
On Capitol Hill this week, Congress held back-to-back hearings on a potential U.S. federal privacy bill. The aim was to gain insights from expert witnesses on what such a bill should contain. At the first hearing, at the House Committee on Energy and Commerce, industry and advocates debated how prescriptive a federal law should be. At Wednesday’s Senate Committee on Commerce, Science, and Transportation, lawmakers asked witnesses whether a U.S. law should model itself on the EU General Data Protection Regulation or perhaps the California Consumer Privacy Act. While industry didn’t like that idea, witnesses did agree that the CCPA should be the floor upon which a federal law is built. In this episode of The Privacy Advisor Podcast, the Center for Democracy and Technology’s Joe Jerome, CIPP/US, and host Angelique Carson, CIPP/US, recap the highlights from the hearings.
// Listen to the podcast here.
In my return to Angelique Carson’s Privacy Advisor Podcast, we further discuss my love of watermelons and where the federal privacy debate stands:
It’s clear at this point that the momentum has shifted in favor of a federal privacy bill in the U.S. The questions are: What will that bill look like, who will sponsor something both the tech community and advocates can live with, and will it actually happen this year? Joseph Jerome, CIPP/US, policy counsel at the Center for Democracy and Technology in Washington, has been dead center on the federal privacy bill debate for some time now and took a leading role at the CDT in drafting their own bill. In this episode of The Privacy Advisor Podcast, Jerome discusses the difficulties inherent in trying to pass a bill that pleases everybody — or at least one that the disparate and myriad stakeholders can live with.
// Listen to the podcast here.
In light of Congress’ decidedly tech-focused privacy hearings, I thought it important to elevate the surprising absent of data brokers to the conversation:
[D]ata brokers speak of “ethically sourced” data and “enhanced transparency“ through self-regulation. The reality is that while many companies now collect a whole lot of our information, there’s really only one industry that doesn’t want us to know much about it in exchange. Data brokers may know everything about you—but they still don’t want you to know about them.
// Read the piece at Slate here.
With the GDPR recently coming into effect, U.S. policymakers and industry players have found opportunities to critic the GDPR on the grounds that it will somehow harm health care. The U.S. secretary of commerce recently insisted without evidence that European law will stop lifesaving drugs from coming to market. Others with a stake in the industry have suggested that the GDPR’s limits on data sharing will actually hurt people seeking medical care. The attack on privacy laws for health information motivated me to draft an opinion piece for STAT.
// Read the full essay at STAT First Opinion.
In the panicked lead-up to the GDPR, I joined Joe Miller, host of the WashingTECH Policy Podcast, to give provide a brief overview of some of the requirements, interesting provisions, and potential consequences of the EU’s forthcoming big time privacy law.
// Give the episode a quick listen here.
I joined my friend Angelique Carson, host of the IAPP’s Privacy Advisor Podcast, to discuss my privacy passions:
In this episode of The Privacy Advisor Podcast, Joe Jerome, CIPP/US, talks about how growing up in the cornfields of Iowa helped shape his passion for privacy — specifically, his sense of autonomy. Privacy is a tool to push back at the world and its encroachment on our lives, Jerome says. His role as policy counsel at the Center for Democracy & Technology allows him to do the kind of work he feels is meaningful for the protection of our “digital selves” and for understanding how technology is impacting our values. Jerome also discusses the fact that it’s possible he’s a vampire, why robots might take over, and how the future of data transfers may, in fact, be via carrier pigeon unless the EU and U.S. can make nice.
// Listen to the podcast here.
I was looking for an excuse to doodle. My friend Grant Nelson from the Network Advertising Initiative was looking for an excuse to code. We decided to combine our interests by putting together Privacy Bingo, a collection of tropes and buzzwords that come up in seemingly every privacy panel and discussion. Attendees can play a web-only version of the game at the 2017 IAPP Global Privacy Summit.
// Check out Privacy Bingo! here (and be sure to read our privacy policy).
As I wrapped up my time at the Future of Privacy Forum, I prepared the following essay in advance of participating on a plenary discussion on the “future of privacy” at the Privacy & Access 20/20 conference in Vancouver on November 13, 2015 — my final outing in think tankery.
Alan Westin famously described privacy as the ability of individuals “to determine for themselves when, how, and to what extent information about them is communicated to others.” Today, the challenge of controlling let alone managing our information has strained this definition of privacy to the breaking point. As one former European consumer protection commissioner put it, personal information is not just “the new oil of the Internet” but is also “the new currency of the digital world.” Information, much of it personal and much of it sensitive, is now everywhere, and anyone’s individual ability to control it is limited.
Early debates over consumer privacy focused on the role of cookies and other identifiers on web browsers. Technologies that feature unique identifiers have since expanded to include wearable devices, home thermostats, smart lighting, and every type of device in the Internet of Things. As a result, digital data trails will feed from a broad range of sensors and will paint a more detailed portrait about users than previously imagined. If privacy was once about controlling who knew your home address and what you might be doing inside, our understanding of the word requires revision in a world where every device has a digital address and ceaselessly broadcasts information.
The complexity of our digital world makes a huge challenge out of explaining all of this data collection and sharing. Privacy policies must either be high level and generic or technical and detailed, each option proves of limited value to the average consumer. Many connected devices have little capacity to communicate anything to consumers or passersby. And without meaningful insight, it makes sense to argue that our activities are now subject to the determinations of a giant digital black box. We see privacy conversations increasingly shift to discussions about fairness, equity, power imbalances, and discrimination.
No one can put the data genie back in a bottle. No one would want to. At a recent convening of privacy advocates, folks discussed the social impact of being surrounded by an endless array of “always on” devices, yet no one was willing to silence their smartphones for even an hour. It has become difficult, if not impossible, to opt out of our digital world, so the challenge moving forward is how do we reconcile reality with Westin’s understanding of privacy.
Yes, consumers may grow more comfortable with our increasingly transparent society over time, but survey after survey suggest that the vast majority of consumers feel powerless when it comes to controlling their personal information. Moreover, they want to do more to protect their privacy. This dynamic must be viewed as an opportunity. Rather than dour information management, we need better ways to express our desire for privacy. It is true that “privacy management” and “user empowerment” have been at the heart of efforts to improve privacy for years. Many companies already offer consumers an array of helpful controls, but one would be hard-pressed to convince the average consumer of this. The proliferation of opt-outs and plug-ins has done little to actually provide consumers with any feeling of control.
The problem is few of these tools actually help individuals engage with their information in a practical, transparent, or easy way. The notion of privacy as clinging to control of our information against faceless entities leaves consumers feeling powerless and frustrated. Privacy needs some rebranding. Privacy must be “appified” and made more engaging. There is a business model to be made in finding a way to marry privacy and control in an experience that is simple and functional. Start-ups are working to answer that challenge, and the rise of ephemeral messaging apps are, if not perfect implementations, a sure sign that consumers want privacy, if they can get it easily. For Westin’s view of privacy to have a future, we need to do a better job of embracing creative, outside-the-box ways to get consumers thinking about and engaging with how their data is being used, secured, and ultimately kept private.
Location data is one of the most coveted and sensitive data points in the digital ecosystem, and combined with an array of new context-based services, it promises a future of ultra-personalization. In this post for Privacy Perspectives, I discuss the state of location information and the unclear rules and control around the collection and use of this information. As companies build more and more advertising and user-profiling on top of different types of location data, we need to provide more effective controls. // More on IAPP Privacy Perspectives.
As the election season gets into full swing, I teamed up with Evan Selinger to discuss some of the privacy challenges facing the campaigns. A recent study by the Online Trust Alliance found major failings’ with the campaigns’ privacy policies, and beyond the nuts and bolts of having an online privacy notice, political hunger for data presents very real challenges for voters and perhaps more provocatively, for democracy. // More at the Christian Science Monitor’s Passcode.
After doing a roundtable on cookie tracking, Justin Brookman, formerly of the Center for Democracy & Technology, suggested with the proliferation of privacy tools, good and bad, he’d love to see what he could really do to protect his privacy in an hour. Inspired by this, I put together a panel conversation with Meghan Land, Staff Attorney, Privacy Rights Clearinghouse; Rainey Reitman, Activism Director, EFF; and Jay Stanley, Senior Policy Analyst, ACLU.
My aim was to try and have a high-level conversation/debate about what average folks would reasonably do to protect their privacy. Coming up with a set of basic privacy (and security) is tough: encrypted email is probably too hard, having a complex password system is probably too annoying. For sixty minute, I provoked the panelists and the audience at Computers Freedom and Privacy 2015 as to what we what might actually suggest to consumers and citizens.
As part of the U.S. Chamber of Commerce’s “Internet of Everything” project, my boss and I co-authored a short essay on the growing need for company’s to have a “data ethics” policy:
Formalizing an ethical review process will give companies an outlet to weigh the benefits of data use against a larger array of risks. It provides a mechanism to formalize data stewardship and move away from a world where companies are largely forced to rely on the “gut instinct” of marketers or the C-Suite. By establishing an ethics policy, one can also capture issues that go beyond privacy issues and data protection, and ensure that the benefits of a future of smart devices outweigh any risks.
// Read more at the U.S. Chamber Foundation.
Playing around with Storify (and probably leaking data all over the place), but I wanted to highlight a much-needed conversation that’s beginning about economics and privacy at the Federal Trade Commission.
The line between monitoring consumer sentiment in general and tracking individual customers is unclear and ill-defined. Companies need to understand public perceptions about both different types of online tracking and different sorts of consumer concerns. Monitoring by schools appears to be even more complex. In an opinion piece in Education Week, Jules Polonetsky and I discuss the recent revelation that Pearson—the educational testing and publishing company—was monitoring social media for any discussion by students of a national standardized test it was charged with administering. // Read more on Education Week.
