In the age of big data and the constant and ubiquitous collection of personal information, traditional methods for protecting privacy online—methods that put the onus on users to understand how their data may be collected and used and to consent to those uses—are no longer effective, according to a cybersecurity professor at Worcester Polytechnic Institute (WPI).
In an essay to be published in the January 30, 2015, special issue of Science, Susan Landau, PhD, professor of cybersecurity policy at WPI, says the only way to effectively protect privacy is to control the use of data. "Controlling use is complex," Landau writes, "but combining technology, policy, and law is the best way to control incursions from business and government."
Landau says current approaches to privacy protection date to the rise of computerized data collection systems in the 1960s. Fair Information Practices (FIPs), developed initially in response to a report by the U.S. Department of Health, Information, and Welfare and updated in 1980 by the Organization of Economic Cooperation and Development, have been the foundation for national and international privacy protections for four decades.
FIPs are based on fundamental principles, of which the most important are notice and consent. The principle of notice, also called transparency, says that users should always be aware that their data is being collected and should be able to find out what information about them is on file and how it is being used. The principle of consent says that data collected for one purpose should not be used for other purposes without the user's permission. In 1998, the Federal Trade Commission said these are the most fundamental of "five core principles of privacy protection."
"Although FIPs made sense when an individual could discern and react to a data-collection event, this is no longer true," Landau writes in the Science essay. Today, she notes, "because data collection involves compilation of massive amounts of small bits of data, notice and consent are difficult for users to manage."
Notice and consent are typically negotiated through the use of privacy agreements, through which users click a box or button to grant permission for their data to be collected and used. But as the volume of data collection has grown, and as users are confronted regularly with requests for their consent, privacy agreements have become an ineffective means for accomplishing notice and consent, Landau writes. As the 2014 President's Committee on Science and Technology report on big data and privacy noted, "Only in some fantasy world do users actually read these notices and understand their implications before clicking their consent."
Landau notes that it is not only the collection of massive data sets that threatens privacy, but the ability to use the tools of big data to cross-reference information from various sources to find patterns that can lead to privacy violations. She cites the case of a retailer predicting a teenager's pregnancy based on her purchases and a ride-sharing app recognizing patterns in pick-up and drop-off data that hinted at one-night stands. The value of big data and predictive analytics will likely outweigh these risks, Landau says. "Massive amounts of data create such personal and societal benefits that collection is unlikely to stop."
Since widespread data collection will continue, and since notice and consent have become impractical as tools for protecting privacy, Landau argues that the burden for safeguarding privacy must shift from those who supply data to those who collect it. Directly controlling the use of data can be accomplished by using the tools of technology, policy, and law. It will be a complex and difficult challenge, she notes, but examples of successful data control efforts do exist:
• Privacy-protecting technologies such as Shibboleth, a software tool that enables users to access information without revealing their identity, are examples of technologies that enable the control of data usage.
• The federal government created the National Strategy for Trusted Identities in Cyberspace, which led to policies that prohibit identity providers from using tracking information from federal government websites for anything but authentication, audit, or complying with the law. "A signed-on user has greater privacy protection when visiting the National Cancer Institute website than when visiting the American Cancer Society site," Landau writes.
• The 1970 Fair Credit Reporting Act is an example of a law that focuses not on the collection of data, but on its use, Landau says. The law, which predated FIPs, strictly limits how someone's credit information can be accessed.
While notice and consent have little relevance to the collection of data by the National Security Administration, Landau writes that Edward Snowden's revelations focused public attention on the NSA's bulk collection of telephone metadata. Even without any information about the content of communications, she notes, metadata about phone calls can be "remarkably revelatory."
Landau recently participated in a study funded by the National Academies that looked for technological alternatives to the controversial bulk metadata collection. The study concluded that no technical alternative can provide the same information as bulk signals intelligence collection. But if the collection is to continue, the study said, the only way to ensure the privacy of phone users is to carefully control the use of the metadata.
Landau concludes her essay by noting that while today's technologies (from Google searches to smartphone apps to networks of sensors that continually monitor the world we live in) have drastically increased the volume of personal data collection, the privacy issues those technologies raise are not new. She notes that Samuel Warren and Louis Brandeis identified "the right to privacy" in an 1890 essay in the Harvard Law Review, noting that the nature of privacy protections must evolve as technologies change.
"Today is such a time," Landau concludes. "The nature and extent of redefinition will be on control of use, and determining the right controls, and the right ways to exercise them, will be challenging—but that is what we must do."