Increased Integration of Platforms Keeps Privacy Issues Front and Center at CFA Forum

There is a privacy issue around companies, like Apple, that tie together all of a consumer’s data across all services, said Jules Polonetsky, director of the Future of Privacy Forum. “I think there is a privacy issue” featuring “a couple tech titans and privacy is the side show.” There’s a battle among these platforms and “each one wants to have all your data and be your portal to the world, so that you buy things,” said Polonetsky, former chief privacy officer at AOL. Those titans “either are going to empower us and make us get things better and make us do whatever we want from our devices across everything, or they're going to be profiling, tracking, narrowing and constraining us,” he said.

With consent decrees with companies like Google and Facebook, the FTC has been active in its enforcement procedures around privacy, experts said. The Electronic Privacy Information Center filed complaints against both companies, said David Jacobs, EPIC consumer protection fellow. Its Buzz complaint helped result in a settlement agreement that “created new protections for consumers,” he said. The group also filed a complaint against “unilateral privacy changes” made by Facebook, he added.

To address Facebook’s privacy practices, the FTC issued an order that addresses alleged deceptive practices exhibited in the December 2009 changes that rendered user information no longer subject to privacy controls (WID Nov 30 p1), said Cora Tung Han, FTC privacy and identity protection division attorney. The Facebook order hasn’t been finalized, she said. The Facebook and Google orders are focused on prohibiting misrepresentations and the companies have to maintain and implement privacy programs. The settlements also require “independent third-party audits of those programs every other year for a period of 20 years,” she said. A unique provision in the Facebook order requires the social network site “to come up with reasonable procedures that when you actually delete information from your account, Facebook renders that inaccessible within a reasonable frame of time, not to exceed 30 days,” Han added.

Google’s privacy policy update (WID Jan 26 p3), which went into effect this month, raised concerns among some lawmakers and groups, including EPIC. EPIC filed a lawsuit urging the FTC to act on the changes (WID Feb 9 p7). Even though Google already had consumer information, “aggregating data allows you to make accurate inferences about information that you did not already have,” Jacobs said. It seems as though Google “once again was taking information under a certain set of rules and changing the rules without seeking users’ affirmative consent.” It’s unclear whether there will be enforcement action, he said. However, the EU may be the first government to take action, he added.

The Association for Competitive Technology supports FTC enforcement, said Morgan Reed, executive director. Small businesses are worried that “your concern about Google’s consistent behavior is going to bleed down onto us when we haven’t actually screwed up yet.” FTC enforcement is “a way to curb a behavior in an industry that is massively growing and, more importantly, experimenting,” he said.

Sometimes changes to a service could better serve customers in ways they hadn’t perceived, said Polonetsky. The industry needs to “understand the kinds of goofy mistakes that even some sophisticated users are going to make” and at the same time figure out how to make changes that will allow them to do something different that could surprise and benefit people, he said.

There are privacy principles that don’t revolve around notice and choice, like access and purpose limitations, said Christopher Calabrese, ACLU legislative counsel. Those other principles “don’t exist in a lot of places,” and certainly not on the Web. Consumers are pretty sure that they don’t want information “that’s collected for one purpose to be used for a radically different purpose,” he said. The Electronic Communications Privacy Act hasn’t been updated since passage in 1986, he added: That’s “a long time in technology terms.” This causes an enormous amount of confusion about “what the standard is for when government can access things, especially things that are in a social media context,” he said.

Privacy challenges are beginning to surface as companies consider deployment of mobile payment, or “digital wallet” technologies, mobile banking professionals and others said on a later panel. The smartphone is a way of holding the account-access mechanism for pre-existing accounts, said Mike Altschul, CTIA senior vice president. The personally identifiable information is the account identifier “that would reside in the device.” Security on a digital wallet “can be greater with a customer’s consent than with other forms of payment,” he said. Some red flags go up if a mobile payment is done in a city or country outside of the user’s residence, he added.

Carriers need to ramp up consumers’ awareness of policies, said Suzanne Martindale, a Consumers Union attorney. “A lot of times consumers don’t know that the policies are there,” she said. Contracts don’t spell out what the consumer is supposed to do when something goes wrong, she said. Also, “there’s a clash of worlds between telecom and payment, and the government is trying to catch up to it.” Mandatory baseline protections are critical, Martindale said. They should have provisions that detail who consumers can complain to and who’s responsible for fixing problems, she said. She said protections should correspond with the kind of account, whether it’s a credit card or bank account, that is linked to the phone.