Billions of connected devices, cheap computing and data storage, and sophisticated “big data” analysis techniques have made the issue of consumer privacy more complicated than ever. Companies are tracking the websites and apps you use, the stuff you purchase online, even the places you go, and combining this data with other publicly available information to build a detailed profile that helps them target advertisements. New techniques are also making it easier to determine your identity on the basis of data that in the past we didn’t categorize as personal information.
The Federal Trade Commission, the primary government agency in charge of protecting the privacy of your personal data, does this mainly through action against companies it deems to have engaged in “unfair or deceptive acts or practices.” This authority is limited to the commercial sphere, however, so the FTC does not police practices like the recently revealed government-directed e-mail scanning by Yahoo.
The commission has also called on companies to be transparent about how they are using their users’ data, to consider privacy when designing products and services, and to offer people simpler ways to decide whether to share their data and with whom.
Edith Ramirez, who has served on the commission since 2010 and as its chairwoman since 2013, spoke to MIT Technology Review about how she thinks companies could better protect consumers. What follows is an edited transcript.
The definition of privacy online is a tough one to nail down. How do you define it?
I wouldn’t define it in any single way. Our notions of privacy evolve over time. The way that I think of privacy is more in terms of certain protections that are important to have in place. Fundamentally, I think it’s important that we as consumers have control over how our data is used.
Achieving that will require that companies participate. Do you worry that consumers don’t care enough about privacy to compel them to do so?
The idea that consumers don’t care about privacy is one that I would very aggressively disagree with, because I don’t think the data supports that. If anything, I think that consumers are very concerned, especially since we are hearing about major data breaches with increasing frequency. I think everyone understands that protection of personal information is vital. In my mind privacy is something that companies have to take into account in a very serious way.
So what should the companies do in order to give their customers more agency over their data?
Too much of what goes on when it comes to the use of data takes place in a black box. We don’t understand fully what information is being collected, how that information is being shared with other entities, and how it’s being used. Companies should be more open and clear and transparent about their data practices so that consumers can understand them and exercise greater control.
A challenge is that data is being collected every time that I hop online and I conduct a search to purchase clothing or shoes. Every time I use my smartphone, every time that I use my tablet, and sometimes even when I walk into a retail store, I might be tracked. And now the tracking is taking place not only across websites but also across apps, and increasingly across devices. How does one provide appropriate notice in that complex environment, in a way that doesn’t overload a consumer? That is a legitimate question.
Recently, I’ve been trying to figure out how companies could use technology to give consumers more control. I want to urge companies to be thinking more creatively about how to tackle some of these challenges, as opposed to saying, “It’s too hard, we give up.” We can’t say that. It’s too important.
Does that mean we need new technologies for giving people proper notice about the data that is being collected?
As the products out there get more sophisticated, I would like to see companies use their ingenuity to come up with more sophisticated ways to help us. For instance, a “personal privacy assistant” that is being developed by researchers at Carnegie Mellon could be a possible way to help us deal with the challenge of notice and choice in today’s environment. It is software that can be used on a smartphone, and it can tell you that devices in a particular location, or even devices in your own home, are collecting XYZ information. And there might be a way, using machine learning, for you to choose certain parameters about your privacy preferences. That way a lot of these choices could be automated in the future. I want companies to start thinking along these lines.