Online and IT privacy is a ripe issue for President Obama’s or McCain’s administration. It often takes a confluence of concerns and momentum to elevate an issue to the national forefront, and with privacy we have concerns related to targeted ads, ID theft, government snooping, electronic health records, and to be blunt — Google. There will be pressure for policymakers to enact a “comprehensive privacy policy” — but what does that mean?
I heard that question raised last week. Last Friday the Technology Policy Institute held an event that featured Peter Swire, Obama’s privacy/security advisor, and Orson Swindle, McCain’s privacy/security advisor.
Swindle downplayed the notion of “comprehensive” privacy, because the need for privacy is contextual. Sometimes you’ll want more, other times less. If Congress were to enact privacy legislation back in 2000, when concerns over “cookies” were raging, it would have stunted the growth of the Internet and new business models. What we have now isn’t perfect, he stressed, but regulation is even more imperfect.
Swire ducked the question about whether Obama would favor “comprehensive” privacy legislation. Obama has been silent on the issue, he said. He did discuss what he called “market failure” that occurs when new technologies pose new risks. He brought up electronic health records as an example…shouldn’t government help protect people’s medical information?
Swindle said that the FTC is in a perfect position to respond to the privacy challenges posed by new technology. Swire said that the FTC is necessary but not sufficient to get the job done.
My two cents, which I wrote in a recent paper on cyber security:
Where web service providers handle personally-identifiable information, the FTC should hold companies accountable to the privacy promises they made to users. That includes ensuring transparency and accountability as to how businesses retain and share information among multiple applications and advertising partners. Moreover, when a business collects payment information such as credit card numbers, government regulators can advocate higher standards of data security.
The confluence is coming. The storm is near. It’s going to take some acts of appeasement to stop the regulators. Industry needs to step up to the plate and be transparent, not totalitarian, when it comes to consumer privacy.