We’re all concerned about privacy, but have a hard time separating hype from fact, hysteria from reasonable concerns, and peripheral from main issues. For insight into what’s really going on, I spoke with Jules Polonetsky, director and co-chair of the Future of Privacy Forum, a Washington, D.C.-based think tank that seeks to advance responsible data practices. His résumé includes a period of citizen advocacy, with Jules serving as legislative aide to Rep. Charles Schumer and as NYC consumer affairs commissioner under Mayor Rudolph Giuliani. Polonetsky has also worked in consumer advocacy for AOL.
Evan: Many headline-grabbing articles present privacy as a struggle between users who don’t want sensitive information to leave their computers and companies that exploit us when our guard is down. Is this really the big story?
Jules: In many ways the privacy challenge isn’t centered around how to be super private, how to be invisible, but rather how to make sure that your data is used on the terms that you choose. Most of us want to connect, to share, to communicate, but we don’t want to feel targeted, profiled, taken advantage of or embarrassed by the data we provide. Companies are increasingly providing controls and options, but they are too complicated for busy people who don’t want to have to read a manual to quickly do their business. Cookie controls, Facebook controls, Do Not Track, app permissions, location services—you have to be a full-time privacy expert just to navigate the options. I can rent a car model that I have never driven before, in a strange city—a machine that can kill people if I choose the wrong lever—but yet I can drive it safely without reading the manual. Why can’t my browser be as easy to use? We need to do the hard consumer work and testing to make the data options we deal with every day useable for the average person.
Evan: Is more government regulation needed to ensure privacy is protected? If so, what barriers stand in the way?
Jules: The Obama administration plan to bridge legislation and the flexibility of self-regulation makes sense. By establishing a base-line consumer privacy bill of rights that is high level and then having various sectors work with stakeholders to create legally enforceable codes of conduct, we could get the guidelines needed to establish clear rules for data use. The first of these “multi-stakeholder efforts,” focused on app privacy, kicked off July 12, so we will see whether the concept can work. But it will take compromise, and it’s not clear any of the parties want to compromise. Some consumer groups don’t trust the leading net companies, pointing to years of privacy missteps. And some in industry see privacy advocates as luddites who oppose anything ad supported. The Future of Privacy Forum will be seeking to bridge that divide.
But we think that app developers shouldn’t wait for the government to show up and tell them what to do. The developers have been the ones driving innovative uses of data, from valuable new location tools to addictive and mindless games. We have provided developers with all the privacy resources we could find at www.applicationprivacy.org and we are hoping that they will lead the way in showing that they can delight their users without being grabby about the data they want to use.
Evan: Are consumers with privacy concerns behaving responsibly? Or does their behavior need to change?
Jules: People who act irresponsibly—online or offline—bear responsibility for their actions. But people shouldn’t have to learn new ways of being simply to survive the new technologies of the day—the technology needs to serve us, with all our weaknesses. We don’t pay close attention to options, we can be in a rush, we can be absentminded, or we can have second thoughts. Developers need to account for that, as opposed to having a philosophy of—well, if you didn’t want all your friends to know that you were going to play that sexy video, you should have changed the default options before clicking play. Can you hear me, Socialcam?
Evan: Are the media doing a good job of covering privacy issues? What do they get right? Where is improvement needed?
Jules: Investigative reporters in the media have become the privacy police. They hire young technologists who find privacy technology flaws and write exposés that lead to class actions and government enforcement. Businesses who are developing hundreds of new products will never avoid all mistakes, without a lawyer over the shoulder of every developer. Maybe it’s time for companies to hire white-hat privacy hackers to identify flaws before they are embarrassed by them, the way security folks hire experts to test their defenses.
Evan: Can Americans learn anything from the European approach to privacy, and vice versa?
Jules: I think the approaches are converging. The conventional wisdom is that the EU countries look at privacy as a human right and the U.S. treats privacy like a consumer protection matter. The EU worries about your dignity and integrity, while the U.S. says “no monetary harm, no foul.” But in reality, we have been stretching consumer protection law to take broader action against practices that seem to be “unfair.” Although the courts are still looking for harm before a claim can prevail, companies that do anything creepy feel the immediate backlash.
Evan: In her book Privacy in Context, NYU professor Helen Nissenbaum appeals to the concept of “context” to differentiate appropriate from inappropriate ways of sharing information. What is her basic message and how does it relate to your own work?
This interview has been lightly edited and condensed.