The Role of Privacy by Design in Protecting Consumer Privacy
1) What is Privacy by Design?
CDT has submitted comments to the Federal Trade Commission for the second in a series of public roundtable discussions the agency is sponsoring exploring the privacy challenges posed by 21st-century technology and business practices that involve the collection and use of consumer data. CDT views these roundtable sessions as a historic opportunity for the FTC to develop and announce a comprehensive privacy protection policy for the next decade.
As new technologies enable the collection of greater amounts of data online, it is essential that companies consider privacy at each stage of product development. "Privacy by Design," a concept prominently championed by Ontario's Information and Privacy Commissioner Anne Cavoukian, presents a set of "foundational principles" to guide innovation in a manner that is consistent with Fair Information Practices (FIPs). Privacy by Design offers a roadmap for integrating privacy considerations into business models, product development cycles, and new technologies. We urge the FTC to encourage the integration of Privacy by Design into corporate practices and innovation.
As described by Cavoukian, "Privacy by Design asserts that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation." Privacy by Design presents a set of "foundational principles" that can help companies innovate in ways that are consistent with FIPs. These seven principles are:
- Proactive, not Reactive; Preventative, not Remedial
- Privacy as the Default
- Privacy Embedded into Design
- Full Functionality – Positive-Sum, not Zero-Sum
- End-to-End Lifecycle Protection
- Visibility and Transparency
- Respect for User Privacy
2) Privacy Enhancing Technologies or Privacy by Design?
Privacy by Design is often associated with Privacy Enhancing Technologies (PETs), such as encryption software, anonymizers, and browser extensions that provide granular data controls. While innovative PETs are an important component of Privacy by Design, when relegated to afterthoughts and product add-ons they do not fulfill the larger goal of crafting a set of consumer rights and company responsibilities that together fortify and protect the decisions that consumers make online. PETs are most useful for users who already understand online privacy risks. They are essential user empowerment tools, but they form only a single piece of a broader framework that should be considered when discussing how technology can be used in the service of protecting privacy.
Cavoukian has published the Privacy by Design Diagnostic Tool Workbook, which companies can use to determine whether and how they are complying with Privacy by Design principles. Meanwhile, many companies, including IBM, Sun Microsystems, Hewlett-Packard and Microsoft have already incorporated Privacy by Design into their product development processes and made strong statements about the important role that protecting privacy plays in their business models.
Anne Cavoukian, Privacy Diagnostic Tool (PDT) Workbook, Version 1.0
3) Privacy by Design: Behavioral Advertising
Massive increases in data processing and storage capabilities have allowed advertisers to track, collect and aggregate information about consumers' Web browsing activities and to compile individual profiles that are used to match advertisements to consumers’ interests. All of this is happening in the context of an online environment where more data is collected – and retained for longer periods – than ever before.
Although privacy tools are now built into all of the major browsers and trade associations are beginning to offer opt-out tools, some companies have consistently sought to circumvent user control by relying on alternative technologies.
Re-spawning deleted cookies through the use of flash cookies and new efforts to access consumers' browser histories are just two examples of the many methods being used to circumvent consumer control. Internet users' browser histories are increasingly being viewed as valuable, despite the obvious privacy concerns raised by the practice of mining these histories. As companies have taken advantage of new technologies to develop new ways to circumvent user control, tools, practices, and regulations meant to protect consumer privacy have failed to keep up. There is no reason that this should be the case. Browser developers could have integrated flash controls into their cookie controls and protected histories by default in the releases after these problems became well known and should be encouraged to do so now.
More broadly, a commitment to Privacy by Design by trade associations and companies that play a role in the behavioral advertising ecosystem would prevent deceptive practices like re-spawning and spying on browser histories and help build a framework of trust that might make consumers more willing to share their data for the purposes of behavioral advertising: consumers who wish to avoid data collection would be able to do so and consumers who allow for collection could feel confident that information collected is transparent, limited in scope, secure, and accessible to them, not just to the companies that track them.
A commitment to Privacy by Design could yield marked improvements for privacy in the current ecosystem, one in which an extraordinary level of Internet savvy and detective work is necessary to determine which advertising networks are collecting data on any one Web site. A standard that required data-collecting objects to be denoted by HTTP headers, for example, would make data collection more transparent and easier to control. The code for beacons and cookies could even include information about where to find the behavioral profiles being constructed about the consumer. Such a standard would enable browsers to act as a dashboard through which consumers could control the data collected about them and find the profiles being created around their data. Browsers could further implement the "privacy as a default" principle of Privacy by Design by encouraging consumers to work through a Privacy Wizard when they first install or update their browsers.
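To make the "browser as dashboard" idea concrete, here is an added example (not code from CDT or from any browser vendor) that walks the response headers of a simulated page load, records which hosts set cookies, classifies them as first- or third-party, and reads a declaration header of the kind the paragraph above proposes. The header name `Tracking-Declaration` and its `purpose="..."; profile="..."` format are assumptions for this example only; no standard defines them. The responses are constructed, and the first-party test uses a crude "last two labels" rule rather than the Public Suffix List a real browser would consult.

```python
"""Dashboard-style summary of data-collecting objects observed on a page load.

Added example. The `Tracking-Declaration` header is hypothetical (assumed here,
not defined by any standard); the sample responses below are constructed.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Hypothetical header through which a data-collecting object declares itself.
DECLARATION_HEADER = "tracking-declaration"

# Constructed sample: a page at www.example.com that pulled in three resources.
# Header names are lower-cased, values are lists (a response may repeat a header).
SAMPLE_RESPONSES = [
    ("https://www.example.com/", {
        "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure"],
    }),
    ("https://ads.adnetwork-example.net/beacon.gif", {
        "set-cookie": ["uid=77f2; Domain=.adnetwork-example.net; Max-Age=31536000"],
        DECLARATION_HEADER: [
            'purpose="behavioral-advertising"; '
            'profile="https://adnetwork-example.net/my-profile"'
        ],
    }),
    ("https://cdn.analytics-example.org/pixel.gif", {
        "set-cookie": ["vid=9a9a9a; Max-Age=63072000"],  # persistent, undeclared
    }),
    ("https://static.example.com/app.js", {}),  # sets no cookie: not shown
]

_DECL_FIELD = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Real browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def parse_declaration(value):
    """Parse the hypothetical purpose="..."; profile="..." syntax into a dict."""
    return {key.lower(): val for key, val in _DECL_FIELD.findall(value)}


def parse_cookies(set_cookie_values):
    """Return one record per cookie: its name and whether it outlives the session."""
    cookies = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for morsel in jar.values():
            persistent = bool(morsel["max-age"] or morsel["expires"])
            cookies.append({"name": morsel.key, "persistent": persistent})
    return cookies


def summarize(page_url, responses):
    """Build the dashboard entries: one per host that set at least one cookie."""
    page_site = registrable_domain(urlparse(page_url).hostname)
    entries = []
    for url, headers in responses:
        cookies = parse_cookies(headers.get("set-cookie", []))
        if not cookies:
            continue
        host = urlparse(url).hostname
        declaration = {}
        for value in headers.get(DECLARATION_HEADER, []):
            declaration.update(parse_declaration(value))
        entries.append({
            "host": host,
            "third_party": registrable_domain(host) != page_site,
            "cookies": [c["name"] for c in cookies],
            "persistent": any(c["persistent"] for c in cookies),
            "declared": bool(declaration),
            "purpose": declaration.get("purpose"),
            "profile_url": declaration.get("profile"),
        })
    return entries


def undeclared_trackers(entries):
    """Third-party hosts that set cookies without declaring what they collect."""
    return sorted(e["host"] for e in entries if e["third_party"] and not e["declared"])


def render(entries):
    """Plain-text dashboard a browser could show the user."""
    lines = []
    for e in entries:
        party = "third-party" if e["third_party"] else "first-party"
        lifetime = "persistent" if e["persistent"] else "session"
        status = f'declared ({e["purpose"]}), profile: {e["profile_url"]}' if e["declared"] else "UNDECLARED"
        lines.append(f'{e["host"]}: {party}, {lifetime} cookies {e["cookies"]}, {status}')
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize("https://www.example.com/", SAMPLE_RESPONSES)
    print(render(summary))
    print("Undeclared third-party trackers:", undeclared_trackers(summary))
```

In the constructed sample the advertising network declares its purpose and a profile location, so the dashboard can link the consumer straight to the profile being built; the analytics host sets a two-year cookie with no declaration and is flagged, which is exactly the condition a browser default could block or prompt on.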
Outside of the browser, advertising networks should be encouraged to build data collection, transfer, and use architectures and best practices with privacy considerations in mind. Entities engaged in behavioral advertising should use threshold analyses and privacy impact assessments to determine the level of protection that the data they are collecting requires. Privacy impact assessments should link the amount of data collected to the purpose for which data is being used; limitation on data use and transfer should be set in the planning stages of any product. Protocols for storing, transferring, and deleting collected data should be part of product development.
Meanwhile, there is little reason that practices that are defined by technology should be monitored "by hand." Technological innovation to support industry compliance is needed as well. Multiple companies are typically involved in the targeting of a particular ad, including the advertiser in the case of retargeting, data aggregators providing data to the advertiser directly or through demand-side platforms or ad exchanges, and downstream ad networks that use behavioral data to optimize audiences as the ad is relayed to the consumer. Compliance throughout all of these data transfers should be far more automated than it is today, with compliance mechanisms built directly into ad delivery and targeting technologies. The FTC should encourage innovation that will help simplify compliance without lowering standards and, more generally, should be supportive of the development of protocols that will help enable Privacy by Design.
Center for Democracy and Technology, Online Behavioral Advertising: Industry’s Current Self-Regulatory Framework is Necessary, but Still Insufficient On Its Own to Protect Consumers
Soltani, Ashkan, Canty, Shannon, Mayo, Quentin, Thomas, Lauren and Hoofnagle, Chris Jay, Flash Cookies and Privacy
4) CDT’s Recommendations for FTC Action
The Internet, as well as e-commerce, is ultimately built on a framework of trust; as consumers become more aware of how their data is being collected and used online, a breach in that framework of trust is inevitable if regulation, industry practices, and technology fail to keep pace with consumer concerns. But if legislators, regulators, and innovators work together to buttress this framework with best practices that reflect Privacy by Design, then consumers and companies alike will discover that privacy and innovation are not mutually exclusive, but that privacy is instead an essential element of the innovative Internet.
CDT urges the FTC to encourage business practices that are consistent with Privacy by Design by acting on the following recommendations:
- The FTC should release a set of recommendations outlining the role that Privacy by Design can play in implementing a new set of comprehensive FIPs. These recommendations should emphasize the role of privacy impact assessments, privacy threshold analyses, the integration of PETs into product development, end-to-end lifecycle protection for data, and privacy as the default or as a clear, easy-to-understand alternative.
- As location data becomes ubiquitous, the FTC should promote innovation in Privacy Enhancing Technologies and should help foster industry collaboration to ensure that location data receives the protections that such sensitive information requires.
- Through the release of rule-making or reports, the Commission should further seek to ensure that location data is being protected throughout its lifecycle and that companies and application builders alike are minimizing data collection, data use and retention, and maximizing transparency, individual participation, security, data quality, integrity, and accountability.
- The Commission should not shy away from bringing cases against bad actors that unfairly or deceptively collect location data or track consumers.
- In the behavioral advertising space, the FTC should support the development of protocols that will help enable Privacy by Design and encourage innovation that will help automate compliance.
Privacy by Design, while important, should be seen as one tool in a larger toolkit of policy approaches; it is insufficient to protect consumer privacy alone. Efforts to encourage a Privacy by Design approach to innovation should be supplemented by a rigorous mix of self-regulation, enforcement of existing law, and enactment of a new consumer privacy statute that establishes baseline protections and gives the FTC rulemaking authority.