Documentary coverage of IGF-USA by the Imagining the Internet Center

Panelists shared their philosophical differences about online confidentiality and self-regulation in a discussion about privacy and security implications for Web 2.0 at the Internet Governance Forum-USA conference Oct. 2, 2009, in Washington, D.C.

All panelists agreed that online privacy remains an important issue, and that corporations have an ethical and legal responsibility to ensure that their consumers continue to enjoy some level of anonymity and confidentiality online. But they disagreed about whether self-regulation or government-enforced standards are the best method to achieve that end.

Ginger McCall, EPIC staff counsel, said companies’ privacy policies are often overwrought with technical and legal jargon, making them difficult for users to comprehend. They become too robust that users often click through them without much acknowledgement.

Privacy policies, in my experience, are generally just disclosure policies. They don’t exist to protect users’ privacy. They exist to protect companies from liability.   – Ginger McCall

McCall said an overriding concern is that the policies often allow companies to change their guidelines at any time often with no notice to the users.

A bigger problem, still, is that companies are able to collect information about users without ever providing them with the information they have gathered.

“One creative suggestion that I might make is that businesses just give consumers everything they know about them,” said Michelle Demooy, a senior associate of consumer-action.org. “If you’re not a bad actor, it can’t hurt you to give consumers everything you know about them. It can only strengthen your brand going forward.”

Both McCall and Demooy specifically expressed growing anxiety about cloud computing, which allows Web hosting services to house the documents and data of users on their corporate servers. (Think of Google Docs and Gmail, for example.) So what used to be on a person’s personal computer is now on a larger server.

“It’s great for information sharing and collaboration, but not for privacy,” McCall said. “But it allows companies or outsiders to create detailed profiles of users. We need to see a stronger security system and we need to see companies are following through. There needs to be a strong regulation of cloud computing. There should be binding legal standards, terms of services have to be revised and privacy policies must be more transparent.”

Kathryn D. Ratte, from the division of Privacy and Internet Protection of the Federal Trade Commission, said the FTC supports self-regulation not government directives. She says allowing technologies to emerge promotes innovation.

“Our policy has been to enforce self-regulation,” Ratte said. “We analyze what’s going on in the market and put forth standards to adhere to. The flexibility allows us in some ways to act more quickly. We can just address these issues as they raise issues for consumers.”

Jeff Brueggeman, vice president of public policy for AT&T, said the FTC has laid down an ample baseline for legal protection on the Internet that certainly needs continual monitoring but not government intervention.

The FTC is taking a proactive but engaged approach. We don’t give consumers enough credit for the value they place on their privacy. More and more privacy is going to be a marketing advantage that companies are going to assert on the Internet. What we want to have is competition to maintain and secure your privacy, as well.  – Jeff Brueggeman

McCall, though, said self-regulation is not a strong enough policy and that legislation with teeth is definitely possible.

“Self-regulation in the Internet context fails because there’s not really enough transparency about what’s going on and what harm is happening,” she said. “A lack of transparency allows companies to act in whatever manner it wants in the short term to make money. It also suffers from the problem in that it only allows for possible remedies after the fact. Having a real comprehensive regulatory system would allow companies to know what’s permissible and not permissible.”

Ratte said consumers do need assurances that their data will be securely protected, but the FTC has not taken a stance on comprehensive privacy policy legislation. Still, they do advocate that companies treat consumers fairly and honestly.

The FTC has come out strongly saying that the rules that apply at time of the collection of data have to continue to apply and if there’s a change. The company should go back to the customer and get opt-in consent.  – Kathryn D. Ratte

But McCall and Demooy both said vigorous legislation is possible, and if companies are acting in good faith and treating consumers with respect and responsibility, then they shouldn’t be worried about governmental regulations.

“Privacy policies have their place, but they aren’t really helping consumers,” Demooy said. “If they’re not working, let’s not bang our hammer against that stone. Let’s try to build something that does.”

-Colin Donohue, http://www.imaginingtheinternet.org