Fordham Law


Web Privacy Becomes a Business Imperative

Joel Reidenberg in The New York Times, March 03, 2013

Media Source

By SOMINI SENGUPTA

SAN FRANCISCO — Privacy is no longer just a regulatory headache. Increasingly, Internet companies are pushing each other to prove to consumers that their data is safe and in their control.

In some instances, established companies are trying to gain market advantage by casting themselves as more privacy-friendly than their rivals. For example, Mozilla, an underdog in the browser market, suggested last week that it would allow its users to disable third-party tracking software altogether.

At the same time, Web platform companies are setting limits on other companies with which they do business. Last year, for instance, Apple began requiring applications in its operating system to get permission from users before tracking their location or peering into calendars and contacts stored on an iPhone. Also, a host of companies big and small are offering a variety of privacy tools like ways to encode Facebook posts and ways to secure personal data stored in the cloud.

During a panel at the RSA Conference, a security-focused industry gathering here last week, Brendon Lynch, chief privacy officer at Microsoft, declared that companies like his had come to appreciate the “market forces at play with privacy.”

“It’s not just privacy advocates and regulators pushing,” Mr. Lynch said. “Increasingly, people are concerned more about privacy as technology intersects their life.”

That statement might sound somewhat odd to those who recall Microsoft’s troubles 10 years ago with European regulators. At that time, it was compelled to make substantial changes to how its online login system, .Net Passport, stored addresses, ages and other personal details.

Nonetheless, earlier this year, Microsoft, based in Redmond, Wash., signaled its sensitivity to user privacy by turning on, by default, an antitracking signal in its latest Internet Explorer browser. Microsoft also took aim at its rival Google with a marketing campaign declaring that consumers were being “scroogled” with targeted advertisements based on their e-mails and search histories.

Mr. Lynch’s counterpart at Google, Keith Enright, called that marketing campaign “intellectually dishonest.” At the RSA Conference, Mr. Enright said Google took pains to secure consumer information and simplify privacy settings.

Joel R. Reidenberg, a professor at Fordham Law School, said Microsoft had made a 180-degree turn in emphasizing consumer data protection. “You’re seeing more companies trying to do that — develop privacy protecting services,” said Professor Reidenberg, whose Center on Law and Information Policy at Fordham has received donations from both Microsoft and Google. “Platforms recognize they have to deal with privacy. They’re looking at how they can be competitive.”

To some degree, these developments signal that the industry is working hard to stave off government regulation, which is moving at a glacial pace anyway. There seems to be no movement on broad privacy legislation on Capitol Hill, and no consensus has been reached on standards for “Do Not Track,” a browser setting that would let Internet users indicate that they did not want their activity tracked by marketers.

Advertisers have said openly that they will not stop tracking just because a consumer sends a Do Not Track signal through his or her browser. Facebook has said it needs more clarity on whether a Do Not Track signal applies, for instance, to social plug-ins like the Facebook “like” button, which is integrated into millions of Web sites.

Still, companies are refining the controls users have over their data, on mobile devices as well as on desktop computers.

In addition to requiring applications to seek user permission before tracking location, Apple has included in its latest mobile operating system a way for users to disable or reset a series of digits that identify a particular device for tracking purposes. The Advertising Identifier, as it is called, replaces what was an immutable unique device identifier. It allows app developers to monitor user behavior, but it also gives consumers the option of turning it off.

Facebook requires applications in its App Center to offer customers a privacy policy, and last year it introduced privacy controls that let users fine-tune who sees which posts and pictures.

In 2011, Google sought to distinguish its social networking tool, Google Plus, as privacy-sensitive. It introduced the idea of “circles” as a way to limit sharing certain things with certain people.

Market rivalry does not mean that companies are not worried about regulatory scrutiny of their use of personal data. Facebook agreed to 20 years of audits by the Federal Trade Commission after the agency found that the company had deceived consumers by making data public that they had intended to be private. In a measure of change, Facebook began nudging its users to review their privacy settings before they could start using the new search tool the company introduced this year.

“What does privacy mean?” Facebook’s chief privacy officer, Erin Egan, asked at the RSA Conference. “It’s understanding what happens to your data and having the ability to control it.”

That very imperative seems to be buoying a cottage industry of privacy start-ups. A Boston-based company, Abine, is testing what is effectively the opposite of a Facebook single sign-in for the Web. Instead of exposing your Facebook login credentials to dozens of Web sites, the company offers a proxy e-mail address or phone number for every transaction. You sign in with the e-mail address and a password you remember; Abine creates one address for an e-commerce site you visit, another for a news site, another for a dating site.

Abine offers the basic service for free and plans to charge a monthly fee for more advanced features.

Another company, Wave Systems, showed off its new consumer privacy tool on the RSA exhibition floor last week. Named Scrambls, it encrypts a social network post or e-mail, effectively locking it, and lets the author choose who should have a key to read it. The company plans to market Scrambls to parents, among others, as “a seat belt” to protect their children on social media. For now, it is free.

Whether Internet users are ready to pay to protect their personal data is unclear, though surveys have repeatedly pointed to consumer anxiety.

In a national survey last year, Forrester Research found that one in three consumers were concerned about companies having access to their behavioral data. More than 40 percent said they had stopped short of completing a transaction on a Web site because of something they read in a privacy policy.

Consumer trust is an increasingly vital commodity for Web companies, said Fatemeh Khatibloo, a Forrester analyst. “There’s enough market traction and momentum from the consumer side and the business side to drive this forward,” Ms. Khatibloo said.

Mozilla, which makes the Firefox browser, ruffled the feathers of the online advertising industry when it announced that it was testing a new tool that blocked third-party tracking software, known as cookies. The company said it had not made a final decision on whether to incorporate the tool into its browser, though some version of it was likely to be included.

Already, said Alex Fowler, Mozilla’s chief privacy officer, nearly 12 percent of desktop users of Firefox and 14 percent of Firefox users on Google’s Android mobile operating system have turned on the Do Not Track signal. “They’re asking for a different level of privacy on your service,” he said. “You have to listen to that. It’s critical to your business.”