Several months ago I blogged about the creation of Google’s new privacy policy. Now, regulators in Europe, led by the French CNIL, are challenging the implementation of the privacy policy, alleging both that Google gives insufficient notice to users about data collection practices, and that the scope of the data that is collected and combined across the various Google services raises significant privacy concerns. (For more context, see here and here.) The letter proposes several courses of action for Google, which boil down to increased transparency about data practices and giving increased control to users regarding how their data is shared. This is a positive step forward for giving internet users control over what happens to the data that they provide to internet services or that they generate through their browsing.

In this post, I want to make three points. First, that data privacy in the context of the private sector is an important issue for those concerned with civil liberties. Second, that progress on this front will require the involvement of internet companies, government regulators, and users acting individually and collectively. Third, that a workable solution involves neither capitulating to the regime of Big Data under terms set by large services, nor dismantling the possibility of tracking. There is a middle road that both protects and empowers users while keeping the value of the internet as a space for civic action and commercial activity.

On the importance of Big Data, civil libertarians may focus on the possibilities of state surveillance – but ubiquitous data collection also structures the ability of individuals to operate as individuals, deserving of basic dignity, within internet spaces of increasingly important civic and commercial activity. The danger is suggested in the recent Facebook-Datalogix agreement, which is intended to track the effectiveness of targeted advertisements by measuring a user’s purchases (as collected through the use of loyalty cards, for example) against the targeted ads. At issue is the basic proposition that individuals may wish to have a basic degree of control over the data that they generate as they go about their business. It is an issue of dignity – which, admittedly, is not generally considered a core American right, as it implies some kind of super-legal limitation on what we can do to those less powerful than ourselves. Tolerance, we grudgingly accept in a live-and-let-live sense, but dignity requires something more. And that’s not how we roll.

But maybe we should. Of course, the companies that supply valuable services have every right to earn a profit, and data collection involves a way of doing so without explicitly charging fees to users. But this simply masks the nature of the economic transactions going on. The user of the service provides a resource to the company (in the form of data obtained through tracking) without necessarily knowing it. A perspective on data collection that emphasizes dignity would bring the nature of these transactions into the open. Don’t track without fully informing the individuals – particularly as the volume of data gets to the point where individuals can be identified through the patterns in their data. But respect that the companies need some source of revenue – some system of fees or advertising may be necessary. The point is just that when this is all done secretly and without sufficient concern for the transactions that occur between parties who are all deserving of basic respect and dignity, everyone loses. There is an important space in this process for the state to intervene to prevent predatory practices and to enforce notice requirements.

To return to the way that Google’s policies fit into this framework: there are obvious potential problems with the continued concentration and aggregation of data across platforms. But the consolidated policy is not an unmitigated evil. A single policy provides the potential for clarity and transparency, even if that is not realized at this moment. Last year, I suggested that the fragmentation of privacy policies could be harmful by so multiplying the forms of privacy practices that regulation would be impossible. More fundamentally, however, the problem is not even data aggregation per se – but aggregation without transparency. The one party that does not directly benefit from the possibility of data aggregation is the individual whose data is being aggregated. People may actually benefit from knowing about their data habits – sites like Mint are based on bundling this data and presenting it to individuals as a form of empowerment. Tracking and aggregation are valuable because they reveal habits, connections, and patterns that go beyond what we can articulate. User-generated data is the basic resource fueling targeted advertising. Share the value of this resource with users who want it! There are options besides continuing the one-sided extraction of data and ignoring the possibilities of Big Data. We should be able to find a way to use these data processing capabilities in ways that treat individuals as more than just website users.