Why, and how, to empower users on privacy

In the fight to determine who dicates online privacy standards, web users are like a child caught in between a bitter custody battle, or a chew toy at risk of being torn asunder by two competing dogs. But the best ones to decide who does what with personal data are the very users who are currently trapped between Google, Facebook and other websites on one side and lawmakers on the other.

My GigaOM colleague Mathew Ingram summed up the problem as it relates to Google and its ilk in a post Wednesday morning, based on reactions to Google’s new all-or-nothing privacy policy that integrates user data from across the company’s services. Essentially, Google claims it’s looking out for consumers by providing an experience that’s both personalized and social, while critics claim the new policy is lax on privacy safeguards and is little more than a ploy to raise more advertising revenue.

On the other side of the spectrum is the European Union, which Wednesday revealed a sweeping privacy proposal that would place heavy regulations — and steep fines — on companies that gather data on European consumers. Among the regulations are a “right to be forgotten” rule that requires companies to completely erase all data about a consumer upon request and a rule requiring formal consent by consumers if companies want to store their personal data. As proposed, violations could result in fines of up to 2 percent of the offending company’s annual European revenues.

Why the web is wrong

It’s no accident that the EU thinks such strict regulations are necessary, or that its counterparts in the U.S Congress, Federal Trade Commission and Department of Commerce, are considering regulations of their own. Users do want some semblance of privacy online, and most aren’t gullible enough to buy the explanations given by Google, Facebook, etc. that these companies’ ever-creepier uses of data are all about improving the user experience. They are to some degree, but they’re also about being able to provide more-targeted advertising so sites can sell more ads. It’s a dicey situation that Wired’s Tom Carmody summed up nicely:

I don’t think Google is evil, at least in the sense that Google (and we) thought of “evil” in the tech industry a decade ago. I think it’s become something else, something more than a little uncanny, something that despite conjecture, projections, fictions, and a combination of excitement and foreboding, we haven’t fully prepared ourselves to recognize yet.

But companies such as Google — and almost every company offering a service via the web — don’t help their cause with policies that might as well just read “It’s our way or the highway.” Google kindly explained its new policy in a blog post yesterday, giving users a month’s notice about the changes. The company even gives users the option to delete or export their account data and erase themselves from Google’s system, but I think those are essentially empty gestures.

One of the most spot-on tweets I saw on the matter read, “Am I the only one who assumed Google was already sharing user logs between its various services? New privacy policy won’t change my usage.” If you don’t consent, you miss out on everything Google, Facebook, Twitter, you name it have to offer. In a web-centric world, that’s not much of a choice at all.

Why the EU is wrong too

EU Justice Commissioner Viviane Reding

However, that doesn’t mean that what the EU is trying to do or what FTC has proposed is the right answer. Like it or not, web companies rely largely on advertising in order to keep their services free — and advertisers demand more bang for their bucks as platforms and data-analysis practices mature. It’s fine that governments are looking out for consumers when it comes to data being shared too widely, but users might not be too happy if their favorite services get around the need to court advertisers by simply charging a subscription fee.

And when it comes to stifling innovation, overly strict privacy regulations aren’t too different from the overly harsh intellectual-property regulations contained in legislation such as the Stop Online Piracy Act or the Protect IP Act. One great part about the web is that it’s software-based, and problematic features can be rolled back, often before any real damage takes place. But if doing business in Europe or elsewhere becomes too burdensome or too risky, some companies might never dare to or have the resources to reach their full potential, some companies might remain within U.S. borders, and some good ideas might never get off the ground.

I think it’s safe to say that users want a rich web experience as much as, if not more than, they want complete and total privacy, so cracking down on one at the expense of the other isn’t such a great idea. We might not always like how Google and Facebook use our data, but we certainly like the services they provide.

How to empower consumers

I think the answer lies somewhere in between the Hobson’s choice that web companies provide and the axe-like control mechanisms that government regulations seek to provide, in the form of creative solutions that help — or force — websites to compete on privacy.

Here are some rough ideas for how such solutions might look:

A paywall of sorts, similar to what the New York Times has in place, but users pay for privacy instead of access. Platform providers could perhaps offer an a la carte contract that lets users pick what features they want for free (i.e., what data they’re willing to hand over to advertisers) and what features they want to pay for (i.e., what data they want to keep private).
Third-party-run collectives that operate like insurance companies (or labor unions), only instead of dictating what they’ll pay to hospitals, they dictate what privacy requirements they’ll accept for their members. We have 400 million users signed up (the threat might be) and you’ll either give them these terms or we’ll find someone who will. Conventional wisdom suggests this should be a nonprofit operation, although users might be willing to pay a small premium for guaranteed results.
Monetary credits that reward users for sharing. In Facebook’s ongoing right-to-publicity lawsuit, for example, a major issue is how much more Facebook can charge for Sponsored Stories (i.e., ads that appear in a user’s news stream when a friend interacts with participating companies) than for regular ads. If users don’t want to pay for privacy, and if sites don’t want to stop using user data, perhaps the answer is to give users a piece of revenue pie that’s created by their data.

However, getting anything accomplished might require web users to revolt against Google, Facebook, Twitter et al, and demand meaningful change. As Nicholas Carr has suggested, the alternative really is letting governments implement privacy policies, and the millions of web users who backed their favorite sites in fighting SOPA might not be willing to do the same when it’s those users’ direct interests that are at play.