July 27, 2016

Privacy Theater

I have a piece in today’s NY Times “Room for Debate” feature, on whether the government should regulate Facebook. In writing the piece, I was looking for a pithy way to express the problems with today’s notice-and-consent model for online privacy. After some thought, I settled on “privacy theater”.

Bruce Schneier has popularized the term “security theater,” denoting security measures that look impressive but don’t actually protect us—they create the appearance of security but not the reality. When a security guard asks to see your ID but doesn’t do more than glance at it, that’s security theater. Much of what happens at airport checkpoints is security theater too.

Privacy theater is the same concept, applied to privacy. Facebook’s privacy policy runs to almost 6000 words of dense legalese. We are all supposed to have read it and agreed to accept its terms. But that’s just theater. Hardly any of us have actually read privacy policies, and even fewer consider carefully their provisions. As I wrote in the Times piece, we pretend to have read sites’ privacy policies, and the sites pretend that we have understood and consented to all of their terms. It’s privacy theater.

Worse yet, privacy policies are subject to change. When sites change their policies, we get another round of privacy theater, in which sites pretend to notify us of the changes, and we pretend to consider them before continuing our use of the site.

And yet, if we’re going to replace the notice-and-consent model, we need something else to put in its place. At this point, it’s hard to see what that might be. It might help to set up default rules, on the theory that a policy that states how it differs from the default might be shorter and simpler than a stand-alone policy, but that approach will only go so far.

In the end, we may be stuck with privacy theater, just as we’re often stuck with security theater. If we can’t provide the reality of privacy or security, we can settle for theater, which at least makes us feel a bit better about our vulnerability.

Comments

  1. Same old argument Ed: if we only had the right, smart person directing activities of the private sector then everything would be okay. This has never worked. Further, it trashes the private property rights of facebook, and ultimately inhibits the next facebook from entering the marketplace.

    You will likely argue that this has been done before, and you are right. But in those instances, it is also wrong and violates private property rights. As is so often the case, when the private sector messes up, we get more government, but when the government messes up we get yet more government. There is no end.

    Indeed, the best way to address any perceived privacy problems with facebook is to start a facebook-like company that respects personal privacy the way you would like to see it. If people want that, they will flock to facebook.

    • One problem with your counter-proposal is that it relies on a market in which all parties have perfect knowledge and act rationally. As Ed describes, consumers cannot be expected to read and comprehend these agreements, especially when they change repeatedly without notice. This problem is true across a variety of markets, including the more general arena of software licenses. I recommend Douglas Philips’ book The Software License Unveiled, and his corresponding CITP lecture (video available here). This is why we also have regulation of things like nutrition and safety information.

      With something like Facebook, there are additional problems like network effects and switching costs, which are unique to social platforms.

      In short, your general appeal to market forces assumes an idealized information environment and an outmoded commodity-based understanding of how markets work. This is why we have a concept of market failure. To rely on your justification for non-intervention would be to fall prey to free market theater.

      • Oh, I’m certainly willing to admit that imperfect information exists in the free market. We make decisions with whatever information we have available. However, even with the “better” information that is coming out about the facebook privacy issues, I’m not hearing about hordes of facebook users leaving and stomping their feet in indignation. How much more information would they need to achieve that? What are they missing that would tip the scales? The reason people stay is that the privacy issues are not at the heart of Facebook’s primary business proposition as a social media tool: privacy is ancillary.

        Indeed, I would rather be duped by the free market, where I could take my business elsewhere than by the government that holds the power to strip away my property and life by force with armed personnel if necessary. Believe me, I’m not lying awake at night worrying about seat belt laws, food labels, and privacy notices: these soft tyrannies are far eclipsed by the larger ones.

        And of course markets fail. They also correct themselves. Anybody who tells you they have an economic system that doesn’t fail is trying to sell you something :-)

        However, I would ask that you admit that government would also not have perfect information. Yet their decisions would dictate to the market behaviors that may not be in the best interests of their customers. Think about how Google Wave failed (mostly). People naturally were outraged by the problems that it had, and chose not to adopt it. No govt intervention necessary. Facebook will someday have a competitor that will force it to change far better than any government regulation would.

        I don’t think that your positions are idealized or outmoded, and would never deign to call them such. I would just caution you against government regulation theater.

        BTW: I agree about Ed’s main point: click through licenses and privacy agreements are painfully difficult for even the most educated amongst us to interpret. I just don’t think the solution is more government oversight.

        • So if food labels are a “soft tyranny” then what government regulation is not? Your position seems to leave no room for government regulation of anything, at all, ever.

          The reasons that people stay with Facebook are any combination of:
          a) they genuinely don’t care about the privacy issues
          b) they genuinely are unaware of the issues, but would care
          c) they know and care, but have no reasonable alternative, largely because of the unique properties of online social networks that exhibit network effects and lock-in

          I think when you said Google Wave you meant Google Buzz. Buzz is a useful case study, but not for the reason you state. It demonstrates an example where privacy threats were known at the time of launch of the product, made abundantly transparent, and the company was forced to change its product as a result. A notice-and-consent obligation for Facebook (and its competitors) could help produce the same type of outcome.

          Implementing information-enhancing regulations does not require that the government have perfect information, nor are such regulations necessarily overbearing or tyrannical.

          Your market theory seems to be closest to a Schumpeterian approach: although certain entities may temporarily capture the entire market, they will always be displaced by others who will provide a superior product or lower prices (ultimately leading to greater public welfare). Classic Schumpeterian economics doesn’t have a lot to say about switching costs, nor does it account for ephemeral but important aspects of a product like privacy.

          Ultimately, regulations requiring better disclosure and adherence to disclosed practices make whatever your market theory is work more efficiently and less tyrannically.

          • Anonymous says:

            Why don’t we deregulate automobile driving “privileges”?

            Highways are so much safer when everyone just buys a 4×4, drives wherever they want, as fast as they want. Except, of course, on private property. Which will be everywhere, because we certainly don’t want a tyrannical government having the power to confiscate private land for right-of-ways for public roads. So have fun driving your 4×4 around in circles in your front-yard.

            After all, if you look at traffic highway fatality statistics, and, especially things like DUI recidivism rates, as examples; government regulation simply fails massively. Every time a cop pulls someone over for speeding, it’s really “highway safety theater”. Because traffic accidents are still one of the most common ways to die in this nation – a nation of speed limits, yellow lines, manufacturer’s safety standards, driving competency testing and licensing. People don’t actually READ AND UNDERSTAND the traffic code, even though when they get their driver’s license, they are effectively signing a legal agreement stating that they have done so.

            To draw out the automotive analogy further (which isn’t perfect in this case, but has some pretty good similarities in some areas): operating a motor vehicle is one of the simplest user interfaces in our modern world. Steering wheel. Brake. Gas pedal. Gear selector. It’s the same in every car, mostly. It’s been essentially the same since the dawn of the automotive age. Yet, we TRAIN our drivers how to operate it. We test them for capability, and competency. We refresh this training. We have a taxpayer-funded civilian task-force dedicated to ensuring people remain in compliance (Highway patrol, department of transportation, etc). It’s pretty blindingly obvious to anyone over the age of 18, that if we did not have this infrastructure in-place, there would be many, many more deaths. We also pretty much all implicitly understand how reliant. . . no, dependent we ALL are on transportation for our economy to function even in a basic sense.

            Compare that to computers, and not just facebook, not just social networking, but personal information security, and networking in general.
            We have a technology whose interface was born only 40 years ago, and which has evolved steadily, and I would even say, that its current paradigm of point-click, tabs, menus, buttons, and links, (with a network/web-cloud vs. local/file-system dichotomy), is probably as old as 7 years. There are no agreed upon standards for how basic navigational controls function. Every vendor sees this as a value-add opportunity. Maybe a risk/reward trigger that would drive innovation, as long as there’s the possibility that they could file a “one-click shopping” style patent, and cash-in. This interface is becoming increasingly vital for the future functioning of our economy. We do not train its users. Instead – we “hope” that we can keep our UI designs “intuitive” (FTW!). We do not license, test for competency, or compliance to any specification. We have only recently begun to look at standardizing capabilities for accommodating disabled persons, or native-speakers of any of the other 250 or so languages on our planet, which this network binds together.

            What do our “traffic fatalities” look like?
            Your mom gets her identity stolen, and her retirement accounts emptied. She’s now living in YOUR basement.
            Your niece is cyberstalked by a troubled kid at school, who uses the information to extort her into suicide.
            A friend of yours receives a sketchy advertisement on his Wall from a hotel booking agency, after “like”-ing his High School Reunion planning page on his social networking site, and ends up getting ripped off because the bundled airline tickets were not valid. . . even though he had set his privacy settings to not share his personal information, he had either missed a checkbox on a page that was named using terminology that wasn’t obvious to him, or his social network host changed their privacy policy surreptitiously, or there was a software bug. (no way of telling post-facto). He thinks about switching to a different provider, but all his photos, family, friends, videos, and other information are on THIS social network, and to change to another one would be basically the same as just quitting the internet altogether.
            A teller at your bank has her desktop computer’s password compromised, and as a result, a Serbian Gangster now has all the money in your checking account, and the checking accounts of tens of thousands of other customers of your bank. As a result, the bank (who has kept the breach secret) simply lowers payouts on CD’s or raises overdraft fees for a few months, to make up for lost revenue.

            But by all means, let’s have “freedom” so you can sleep at night knowing that jackbooted thugs aren’t kicking down your doors ready to drag you off to a labor camp somewhere in California. (maybe Napa?)

          • Well, let’s not be silly.

            Everything you’ve spoken about is perfectly able to be regulated under State governments. Indeed Federalist 45 tells us:

            The powers delegated by the proposed Constitution to the federal government are few and defined. Those which are to remain in the State governments are numerous and indefinite. The former will be exercised principally on external objects.

            What you’ve described Anonymous is neither Liberty nor Tyranny. Just Anarchy.

            To the latter part of your post I would say this: your examples notwithstanding, these types of instances just aren’t very frequent. Beside commenting on great blogs like this one (and I mean this sincerely – Ed et al., great site!), I spend my time analyzing and quantifying risks and security for some of the biggest companies you’ve heard of. One of the things that I often encounter is entrenched thoughts about worst-case security scenarios. In my experience, and those of my colleagues and mentors, we’ve never seen security scenarios nearly as bad as they could have been.

            Indeed a common scenario now is for my colleagues and I to ask at security conferences for members of the audience to raise their hands if they’ve received a breach notice and changed their business relationship with that institution as a result. Hardly anybody raises their hands. It just isn’t happening in any great numbers to get concerned about.

            To bring this back to facebook, this is where my discussion with Steve has gone: I don’t think that privacy affects Facebook’s primary business proposition. This could be for any one of Steve’s choices above: a, b, c. I think it’s mostly a and b. c is interesting though…

          • Anonymous says:

            >>So if food labels are a “soft tyranny” then what government regulation is not? Your position seems to leave no room for government regulation of anything, at all, ever.

            Mostly yes. I should clarify that I am speaking primarily about Federal not State governments. Although I may dislike the regulation at the State level, I certainly support it far greater than at the Federal level. And indeed, like most free-market capitalists I like no government interference except to outlaw and prosecute fraud and coercion. And I think your point is that this facebook issue is largely the former. Am I correct in this? If this is the case, then perhaps we are in violent agreement :-)

            BTW, soft tyranny is a de Tocqueville quote as I’m sure you know; and as I said previously, I don’t lie awake at night about food labels.

            >>I think when you said Google Wave you meant Google Buzz.

            Yes, thank you. And your analysis is interesting and more detailed than mine. I’d submit that most users fall under a and b, rather than c. However c provides the most interesting research opportunities vis-a-vis economic utility, etc. In other words, how many users are necessary to create a critical mass that would necessarily harm facebook, versus simply being an annoyance? There’s history of course (Google comes to mind) but that doesn’t account for switching costs (it’s easy to switch search engines). Makes me think about Albert-Laszlo Barabasi’s work on preferential attachment :-)

            >>Your market theory seems to be closest to a Schumpeterian approach
            I’m not familiar. But I will say this: my thoughts on economics are more akin to laissez-faire capitalism (see above).

            PS: I love our back and forth with the “theater” ;-)

          • Sorry, I forgot to sign the previous with my name.

          • Fair enough. I can respect the Federally minimalist position even if I think it’s impractical.

            I can think of little that is more fundamentally interstate than an online social network. Whether you call it fraud, unfair and deceptive business practices, or something else, it seems that there’s a real failure of market information. I don’t think it’s unreasonable to consider Federal-level remedies (especially those that simply introduce more transparency into the market).

            In any case, I agree that this is a productive conversation.

          • Hi Steve!

            Commerce Clause discussions get murky fast. Is it commerce broadly, or is it “trade” the way that Madison defined it. I think we should leave that alone for now as we’re probably off topic.

            I’ve always sympathized with business trying to comply with the myriad State privacy laws. Still, I think it is the States that should do it. They’re all mostly similar enough now to make it easy to comply (much to their outside counsel’s dismay). This is probably the way it should evolve –> enough States adopted the same laws to make a de facto national law (not federal though).

            Additionally, the FTC should still enforce privacy policies under unfair and deceptive business practices laws, which is likely no more than Ed was suggesting to begin with before I led us down this rabbit hole.

            :-)

    • In my Times piece, the only case for which I spoke clearly in favor of government action is where Facebook violates its own privacy policy and/or explicit promises to users. I assume that your notion of properly limited government allows the government to help enforce agreements between private parties.

      • Greetings Ed!

        Perhaps that wasn’t clear, or I didn’t read it well enough. In any case, yes, as in my post to Steve above, I would certainly like government to prosecute fraud and coercion.

  2. Why didn’t I think of that? Brilliant, just brilliant. Privacy theater – that one will reverberate for long, I think.

    Over the last 15 years or so we have seen a steady but persistent erosion of privacy, despite all the pretense that Human Rights actually count for something. Sure, you have rights, until they get in the way of good old profit – a bit like having a bank account and then find your money is gone because the bank did something that wasn’t exactly kosher, but hey, it was all for profit! Can’t argue with that (..contribution to my political campaign..).

    I’m not your average sandal wearing geek, which is how most people are painted the moment they dare speak up for their rights, but I find it fascinating that those who tell me I shouldn’t have anything to hide refuse to let me into their house (well, mansion) to take pictures of their kids, don’t want to tell me just how much they earn and where they keep it, and they don’t give me the details about their friends either.

    Strangely enough, that “friends” thing is exactly what they ask *you* to do. Ever tagged anyone in a picture? Congratulations, you have just handed the company a picture of someone without them having an idea that that data exists – which conveniently side-steps even the harshest privacy laws out there. Forwarded something using a web form? Ditto. Joined Facebook and missed the fact that you don’t actually HAVE to invite others to get past the welcome screen? Bingo again.

    That omission originally had a practical reason: it was to avoid burdening organisations with having to track down users when others provide data. It appears that gap may have been a mistake as it’s been happily abused ever since to get round the problem. After all, setting defaults so they are safe for the USERS would get in the way of profit.

    – Peter –

    PS 1: AFAIK it is well possible that Facebook may end up in trouble over its defaults. In countries where there IS a working privacy law, defaults must be set safe as opting in must be an EXPLICIT action, not an implicit one.

    PS 2: there are, of course, also rather extensive political reasons why privacy has been eroded, although most observers look at the wrong year to establish what was happening. As far as I can tell in, for instance, the UK, the aim wasn’t so much to use George Orwell’s book “1984” as a manual, it was to build a panopticon. And that idea stems from 1785 – 199 years earlier. But hey, I’m a cynic..

  3. Stephen Purpura says:

    “And yet, if we’re going to replace the notice-and-consent model, we need something else to put in its place. At this point, It’s hard to see what that might be.”

    While we may not have a comprehensive national policy on Internet security, we already have a regulatory regime in place to control Facebook and other Internet sites, and the controls are not unprecedented. Right now, we just lack the will to recognize what is happening that is shady and take steps to curb it.

    The Office of the Comptroller of the Currency requires that banks use high grade SSL to protect sensitive customer data. It didn’t require a bill before Congress. It didn’t require the establishment of a new bureaucracy. It didn’t require a lot of public hand waving. It did require that someone with half a brain realize that easy repudiation of banking transactions would kill online banking and faith in the online banking system. Instead of reading about “the death of repudiation in banking transactions” as a headline, we force banks to pay a few extra bucks to eat the bandwidth and server costs of HTTPS transactions. Boo hoo for the banks.

    When the OCC put in place the rule that SSL was a requirement (1997ish), we didn’t take a poll to understand how many people in the United States supported that method of assisting with non-repudiation. We didn’t worry that, at the time, a SSL website loaded like frozen molasses pouring. It was done because it was obviously the correct thing to do in the short term (and it turns out for the long term).

    Fast forward to today. The problem with facebook isn’t so much about privacy as it is a problem of business practices. It is, I believe, using a pattern of bait-and-switch tactics to exploit its customer base. The FTC is already chartered with addressing businesses that exhibit this type of behavior. And, there is no reason they should not be encouraged to act to curb hyper-aggressive and malignant Internet behavior.

    Given the pattern of behavior, the head of the FTC could simply step in and say: “Look, we’re as concerned today about Facebook’s behavior with their business practices as we were a few years ago with Microsoft Passport’s business practices. If Mark Zuckerberg is right that most of his customers want all of their status updates, photos, group memberships and friendlists to be public, let’s let the customer flip the switch to do it. Until we see overwhelming data that the customers do actually want this because they’ve taken affirmative action, we’ll ask for this small simple change.”

    This isn’t about the Federalist papers. It’s about understanding that people don’t have time to worry about whether every component of every system is working reasonably all of the time. They have enough trouble just paying the bills, keeping ants out of the house, and trying to get their kids to do their homework. They don’t need toys with lead paint or Facebook taking advantage of them every few months. And, instead of searching for perfect, we should just encourage government to take small, infrequent, impactful and limited steps to curb companies that don’t seem to get that customers are not suckers waiting to be plucked.

    • It’s always about the Federalist Papers and the Constitution. As much as we think the Internet changes the basic precepts of our country, it doesn’t. But if we thought that it did, the founders were smart enough to include a way for us to change that (Amendments; say, the right to privacy). We haven’t come to that point. I suspect this is because many feel it would just be easier to legislate around the pesky Constitution in the Legislative branch. But I digress again…

      There already exists a resource mechanism for wronged consumers to find redress: they could file lawsuits. Speaking as someone who spends a lot of time quantifying risk in terms of frequency and magnitude of loss, I’m not sure that the claimants would have a lot of compensatory damages. Which is really the point: tempest in a teakettle.

      What do the others think?

      • Stephen Purpura says:

        Individual claimants have no capability to get a payday from privacy abuse. Initiating action with the FTC is the only realistic avenue. And, as I’ve pointed out in the FTC v. Microsoft Passport, the FTC has already asserted the unchallenged Federal right to control Internet companies when comparing privacy policies to business practices. And they should use it.

  4. I saw this and it reminded me of our discussions:

    http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/05/31/BUG91DMJC7.DTL

  5. Curt Sampson says:

    Actually, this is not really a privacy issue, since it applies equally well to any “click-wrap” agreement, be it for an on-line web site, a purchased software program, or whatever.

    One of the issues is that there’s no penalty for companies creating long, complex agreements, nor incentive for them to create short ones that are easy to understand.

    I discuss this situation, and a possible solution, in a blog post entitled To What Did I Just Agree?