SCN: Privacy
Steve
steve at advocate.net
Wed May 31 07:03:47 PDT 2000
x-no-archive: yes
========================
Technology Will Solve Web Privacy Problems
by Lawrence Lessig, professor at Harvard Law School and author of
"Code and Other Laws of Cyberspace"
(Wall Street Journal)---The privacy showdown has come. After years
of waiting for the high-tech industry to voluntarily enforce "fair
information practices," the Federal Trade Commission's patience is
at an end. While the number of Web sites sporting privacy policies
has increased significantly, only 20% even partially implement the
fair-information recommendations. The FTC is now insisting that
Congress enforce compliance.
We are lucky the industry so far has ignored the FTC. And until the
agency's privacy recommendations change, Congress should turn a
cold shoulder as well.
The privacy problem in cyberspace has a very specific source --
how the Internet is designed. The code of cyberspace -- the software
and hardware that make up the Internet -- makes privacy a problem.
This code makes it extremely easy for data about individuals to be
collected and profiled; it makes it extremely difficult for individuals
to know that this profiling and tracking is taking place.
The solution to this problem with code is better code. Specifically,
we need code that helps consumers make more informed choices.
But so far the FTC has ignored code. It remains fixated on a
standard Washington strategy -- more privacy policies. More words
won't advance privacy in cyberspace. Consumers will simply ignore
the clutter.
The aim of the FTC's "fair information policy" is sensible enough. It
requires that sites give notice about information practices and offer
consumers a choice about how their information is used. It demands
consumer access to information the site has collected and adequate
protection of such data.
Many sites already comply. Hertz Rental is one example. A privacy
policy page on Hertz's Web site dutifully explains how an
individual's data will be used by Hertz (in short, to Hertz's maximal
commercial benefit); it explains that individuals can limit, to some
degree, how their data is used (you can, for example, stop the sale
of some data or halt junk mail to you); it explains that visitors have
the right to correct mistakes (call the local Hertz office; no number
provided); and it describes how data is kept safe (through a "Secure
Socket Layer"; don't worry, no one else understands, either).
In the FTC's eyes, Hertz is a success. It believes that if everyone
followed Hertz's example, privacy policies would flourish,
consumers would be informed, choice would be meaningful and
confidence would return. But to ordinary users the policies are
meaningless. Does anyone really believe that consumers have the
time to wade through privacy policies? Are we to build a chart
reminding us of how Yahoo's privacy policy differs from Excite's?
It's not enough for the government to identify the principles it wants
adopted. Rather, the law must be sensitive to how those principles
get implemented. The cost of processing words in cyberspace is
already too high. Multiplying legalese will increase these costs
without doing anything to improve consumer privacy.
The answer is better code. There have already been a flood of code-
based solutions to the problem of cyberspace privacy. The most
promising of these builds upon the work of the World Wide Web
Consortium's Platform for Privacy Preferences. P3P establishes a
framework for standardized, computer-readable privacy policies.
This framework would make it easy for companies to explain their
practices in a form that computers could read, and make it easy for
consumers to express their preferences in a way that computers
would automatically respect.
Companies such as PrivacyBot.com, for example, provide a $30 tool
that allows companies to make their Web sites P3P compliant.
Microsoft is creating similar tools and promises to integrate P3P
into its browser. Consumers would then tell the browser the level of
privacy they want, and the browser would automatically steer the
consumer away from privacy-abusing sites. Rather than consumers
reading Hertz's words, browsers would read the Hertz P3P code and
warn the consumer if the site fails to match consumer preferences.
P3P is neither perfect nor yet complete. Neither is it the only code-
based solution to the privacy problem, nor a substitute for strong
privacy legislation. But P3P is at least a step toward a world where
consumers make their own privacy choices at relatively low cost to
business.
The FTC, however, has said little about the potential of code-based
solutions. Instead, it has simply said the government should remain
"technologically neutral." But there is a big difference between being
neutral among different technological solutions and being neutral
about whether technology is part of a solution. Only technology can
lower the cost of expressing and enforcing privacy preferences.
Without that cost lowered, the principles the FTC promotes will
never effectively be realized.
There is a role for Congress in facilitating these code-based
solutions to Internet privacy. The invisible hand won't solve this
privacy gap any more than it led steel mills to scrub soot from their
smokestacks. But if the government created incentives for code-
based solutions -- by either subsidizing code or insisting that code
is part of any solution -- the market would quickly supply them.
Congress should embrace the FTC's principles, but insist on
compliance through code. Neither words nor code alone will solve
the problem of privacy in cyberspace. But at the moment we need
fewer words, and better code.
Copyright 2000 Dow Jones & Company, Inc.
* * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * *
. To unsubscribe from this list, send a message to:
majordomo at scn.org In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * * http://www.scn.org/volunteers/scn-l/ * * * * * * *
More information about the scn
mailing list