privacy matters

What is going on with Facebook’s constant gyrations about privacy policy?  Does anyone really care?

A little while ago I suggested that online privacy concerns are best addressed by free market solutions, not governmental regulation.  I’ve discussed the topic with quite a few entrepreneurs, investors and professional marketers, and the overwhelming view in that group is that regular consumers just don’t care about online privacy.  “They” say:

  • privacy is too complicated a topic for consumers to understand
  • no one reads privacy policies
  • consumers can be distracted from privacy concerns with the offer of just about any shiny object

Much of that might be true – but I also took the time to talk to a bunch of “regular” consumers.  And these things are definitely true:

  • consumers know that their privacy is being compromised by many online services
  • consumers do not like being taken for granted
  • consumers will avoid services that abuse their information, and will seek services that use their information properly

These two sets of “truths” are not mutually inconsistent.  To me, they add up to:   Online services can gain a competitive advantage by giving consumers the most sensible default choices along with the right advanced options for privacy – make it simple, but make it right.  I think Facebook believes this, and that’s why they keep tinkering with their policies.  They understand that a lot of their initial attraction was a result of making different privacy assumptions than more open services like FriendFeed and Twitter.  They know that even if no one ever reads their privacy policy, if they make the wrong choices about privacy, they will lose users.  As they saturate their available audience, they have to figure out how to strike the right balance among their different demographic bases, all the while competing with the advantages that more open services have.

These are extremely nuanced choices, but getting them right makes the barrier to competitive threat all the more defensible.  And these are product choices; this is something that many I’ve talked to misunderstand:  people think that this privacy stuff is just legal mumbo jumbo or regulatory mishmash.  That’s plain wrong – laws and regulations are just the cart behind the horse.  In a social product where community is paramount, policy choices are product choices.

losing my privacy

Another burst of news about privacy online, with Ars Technica explaining that removing personal information from data isn’t enough to protect anonymity, and The Monitor giving an overview of how we’re losing our privacy online.

But these people seem to talk on and on about privacy with some seriously flawed assumptions.  They assume that everyone agrees on what privacy is, and that everyone wants privacy in exactly the same way.

I’ve become enamored of the comparison between privacy and religion.  Even without being religious scholars, most people have a basic notion of what the word “religion” means.  And most everyone understands that different people can have very different views about how to practice their religion, or whether to practice any religion at all.

Privacy is the same way, isn’t it?  There is some shared understanding of what the term means, but the specifics of the meaning and practice of privacy can be very different among different people (especially across generations).  Some people don’t believe privacy is important at all, choosing to live without it.

Both religion and privacy deserve the protection of our laws, and for very much the same reason:  the practice of these matters according to one’s own belief is essential for building and maintaining a sense of meaning in life.  In simpler terms, a personal view of these things are required elements of the pursuit of happiness.

Our laws protect religion (and atheism) without saying that “religion” must include a single deity, or prayer at sunset, or robes or hats or ritual.  It’s a mistake to think we should protect privacy by defining exactly what data people should consider private.

Breaking my tradition of linking privacy posts to ’80s songs, because this early ’90s song has perfectly apt lyrics:

Every whisper
Of every waking hour I’m
Choosing my confessions
Trying to keep an eye on you
Like a hurt lost and blinded fool, fool
Oh no, I’ve said too much

I see you, you see me

Does anyone care about online privacy?

The New York Times thinks so:  just since I’ve been paying attention, I’ve noticed – 1 2 3 4 5 6 7 8 – eight articles about the threat to consumer privacy posed by increasingly effective online behavioral ad targeting.

Jeremy Liew is concerned that the recent public interest push for privacy regulation will threaten startup media companies, suggesting that the ad networks should band together to lobby against online privacy regulation.  He says “While it is always hard to argue against privacy, the impact of this level of restriction would be enormous for companies relying on online advertising.”

It’s not that hard to argue against privacy, it’s just . . . delicate.  And I think simply saying that a lot of money is at stake isn’t enough of an argument.  So I’ll try to make a better argument for why privacy legislation of online advertising is likely to cause more harm than good.

I’m actually a huge fan of the Electronic Frontier Foundation and Consumers Union, and I think their hearts are in the right place on this.  I’m generally in favor of legislation that protects consumers from predatory practices in the marketplace.  But although privacy is a special value, it is not something that is well served by detailed regulation.

The problem is that privacy means many different things to different people, so everybody’s expectations can be quite different in terms of both substance and process.

The substance of privacy is the content of what you want to keep private.  Some people don’t care if you know whether they are male or female, but they don’t want to reveal their age.  Some are ok with gender and age, but not job and income – etc, etc.

The process of privacy is about the availability, collection and use of the information.  Some people want to opt-in to every interaction, some prefer to have opt-out control.  Some are ok with information used in the aggregate but not the individual, or even vice versa.  Some are ok with information being used by private parties, but not the government, or for a day or a month, but not a year or a decade.  Etc ad nauseum.  Few of us are ever thinking about exactly the same thing when we think about privacy.

Privacy may be a fundamental right, but it’s more like the right to freedom of religion than the right to trial by jury.  The latter is a specific procedural right, which we want everyone to have in a very clearly defined way.  The former protects an abstract and highly personal set of values, which each person may regard in a different way.

In the US, we don’t protect religion by telling people what it means; we protect it by saying that the government won’t promote any particular form of religion, and people can exercise any form they choose.  The failing of the public interest proposal on online privacy is that it presumes to define privacy for everyone.  That’s a dangerously unsophisticated view of a standard that varies from person to person and evolves across generations.  A time-traveler from before the Internet would not recognize what the average Facebook user calls “privacy.”

So how do I think privacy concerns should be addressed?  Well, by the market, of course. Don’t get the wrong idea:  despite my love of entrepreneurism and therefore capitalism, I don’t believe that the market is infallible, nor do I believe a free market must be unregulated.  But where you have complex consumer preferences and an infinite variety of potential solutions, a market is often the best way to satisfy the most people.  Think again back to religion:  people basically make their religious choices in a free market as well.

Consumers should have a large variety of choices about how their personal marketing-relevant data is collected and used by advertisers.  The role of governmental regulation here should be limited to traditional consumer protections about clear and full disclosure, contracts of adhesion, and anti-competitive practices.

The government just needs to make a level playing field.  People do care about privacy, and companies that can address those concerns correctly and creatively will make a lot of money.   And that matters not just because it’s a lot of money, but because it’s a case where consumer interest and the pursuit of money can be aligned.

[Apparently I’ve decided that my posts on online privacy must be titled by reference to 80’s hits.]

somebody’s watching

There’s a certain techno-futurist vision of personalized advertising where constant surveillance leads to complete erosion of privacy, all in the service of targeting advertising to your behavior and tastes.  The most popular picture of this future was in the movie Minority Report, where talking ads creepily enveloped the hero in a wash of ad patter while he ran for his life.


Despite this dystopian vision, I think the current level of public concern about the privacy invasion of targeted advertising could be described as significantly beneath swine flu and slightly above Lyme-disease bearing ticks.

But this year, the largest online advertisers and ISPs have really begun to show their power over consumer behavioral data.  The New York Times has been utterly obsessed with this topic, to the point where it’s somehow news when a company decides not to use a targeted ad system.  (I wonder if it there could really be such a thing as behavioral tracking so creepy that even advertisers won’t use it.  The cynic in me says that the system probably just didn’t work well enough to justify the cost.)

Consumers who are asked about privacy generally want greater control over their marketing data, but don’t know how they can achieve it.  In sympathy to this consumer demand, the industry’s leading ad networks have banded together to establish best practices for use of consumer data.  (This sympathy was perhaps supplemented by the interested attention of the FTC.)

Industry self-regulation is a time-honored method of appeasing and forestalling government regulation.  There are areas where this works just fine (in terms of industry commercial interest, if not art) – comics, movies and video games – this tends to involve public morality.  And there are areas where greed and the public interest seem destined to cycles of boom and bust and bust – some industries just don’t seem capable of operating without eventual crisis in a deregulated environment.

So will the ad industry’s attempt self-regulation turn out more like the entertainment industry’s successes with the morality police, or the financial industry’s pathological self-destructiveness?

On the one hand, the dynamics of targeted advertising share some characteristics with complex financial instruments:  advanced algorithms, proprietary trading systems, a leveraged financial return from a slight mathematical edge.  On the other hand, consumers are not in bed with advertisers in the way that they were with their bankers and brokers and realtors.  A little willful blindness made everyone happy for a while in finance, but that same blindness in advertising only covers growing consumer unease.

There are startups that tried to give greater consumer control over marketing data, but none really got a lot of traction.  The problem may have been that the problem wasn’t big enough yet.  Until everyone’s singing like Rockwell, it could still be too early.