Person hiding head in the sandI keep getting asked about Cambridge Analytica and Facebook.  And no one seems to like my response – I’m frankly amazed that this all took so long to blow up.  How long?  How about since 1973.  That’s when the U.S. Department of Health, Education, and Welfare first articulated the Fair Information Practice Principles (FIPPs or FIPs) in its report Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data SystemsThe FIPPs went on to become bedrock global privacy principles, and central to them are the principles of notice and consent.

As the FTC later explained in Privacy Online: A Report to Congress:

1. NOTICE/AWARENESS
The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them….

2. CHOICE/CONSENT
The second widely-accepted core principle of fair information practice is consumer choice
or consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used….

These mechanisms – notice and consent – are what make a self-governing privacy system work.  If someone (such as Facebook) is going to obtain and use our personal data, they should first give us notice of how they will use it (such as provide or sell it to others), and then we make a choice – we either consent and provide our data, or we don’t.  The government may enforce these representations and choices under fair trade practices laws, such as FTC Act Section 5, but the rules themselves are made in the marketplace.

There has to be some source of governance.  The alternative to self-governance through notice and consent is governance by government, with legislators and regulators making the rules for how our data is handled.  There’s quite a bit of that in the EU and elsewhere, but in the United States, outside of specific sectors such as healthcare (HIPAA), education (FERPA), and financial services (GLBA & FCRA), there’s little such regulation here.  In the U.S. we’ve made a policy decision to largely self-govern the privacy of personal data.

Fast forward from 1973 and, especially in our Internet-driven, U.S. self-regulatory environment, we’ve got a large, smoking crater – precious little government regulation, and even less personal responsibility.  Let’s face it.  We don’t actually pay attention to privacy policies and terms of use, and we don’t actually make informed choices on our consent to data practices for our personal information.  Under our self-governing privacy system, look in the mirror.  The enemy is ourselves.

My favorite examples are in last year’s post Reading privacy policies to avoid surrendering your firstborn child:

WiFi provider Purple recently added a “Community Service Clause” to its usual terms and conditions for wireless service:

The user may be required, at Purple’s discretion, to carry out 1,000 hours of community service. This may include the following:

  • Cleansing local parks of animal waste
  • Providing hugs to stray cats and dogs
  • Manually relieving sewer blockages
  • Cleaning portable lavatories at local festivals and events
  • Painting snail shells to brighten up their existence
  • Scraping chewing gum off the streets

More than 22,000 people accepted these terms during Purple’s two-week-long T&C gambit, with only one attentive person claiming the prize Purple offered to anyone who noticed this silliness….

This phenomenon is well-documented.  In their 2016 research study The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking ServicesJonathan Obar and Anne Oeldorf-Hirsch found that study participants failed to carefully read the privacy policy and terms of service for a fictitious social networking site, NameDrop. Three quarters of participants used “quick join” to bypass the privacy notice altogether.  Those who “read” the notice took on average only 73 seconds, rather than the 30 minutes it would have taken at a normal reading pace. And 98 percent of participants totally missed NameDrop clauses that (1) allow data sharing with the NSA and employers, and (2) require providing a firstborn child as payment for service access.

Don’t get me wrong – if Facebook violated its privacy policies and terms of use, or violated its 2011 FTC consent agreement, it should, and will, be punished.  Hopefully vigorously, expensively, and persuasively.  But much of the “shock” in the air comes from folks who have voluntarily provided reams of their personal data for years to Facebook and other social media providers, without ever considering privacy settings, or even reading the rules.  Nor have such folks thought through that whenever a platform or app is “free,” then they are not the customer.  They’re the product.  Of course the app or platform is super-cool … just like the food is awesome for the goose, before the slaughter.

So yes, we all need to be more vigilant, actually stepping up to govern ourselves in making decisions about the privacy of our personal data.  But we’ve been at this for decades – arguably since 1973 – and forgive me for observing that our self-governing privacy system is broken.  Perhaps it’s time to consider that we in the U.S. need a bit more privacy governance by government, a set of regulatory privacy rules that at least provide a minimal safety net for how our personal data will be handled.  If not for us, for our firstborn children (unless we’ve already surrendered them in payment for NameDrop).