Sunday, September 28, 2008

Why So Apathetic?

Every so often, I see expressions of frustration from identity theft professionals, or people who care about data privacy in general, that people are so inexplicably apathetic. For example, in the comments to a previous post, Jason Dickens at Prosperity Protection opined that "The general public just doesn’t take this stuff seriously." Similarly, my friend Jack Dunning temporarily shuttered his blog because of what he saw as public apathy (see here).

As I have noted before, while consumers are, in fact, appallingly apathetic about their privacy, they are highly concerned about identity theft. In my previous post, I recommended that, if you want someone to care about privacy, you should try to explain that lack of privacy leads to a greater risk of identity theft. However, it occurs to me that there's more to it than just drawing the connection between privacy and identity theft. Consumers also need to know that what appears to be a common approach to trying to protect against identity theft - curtailing online shopping - isn't appropriate. A good example of this approach, and its ineffectiveness, is provided by this article, which stated that, as a result of (then) recent data security breaches, some consumers were refusing to make credit or debit card purchases with online merchants they didn't know. Of course, even ceasing to do business over the internet entirely would do absolutely nothing to protect against something like the TJX breach, where thieves exploited vulnerabilities in network security at TJX's brick and mortar stores.

Once consumers have a more realistic understanding of the ways that identity theft actually takes place (and yes, obviously internet use is a part of it, as the continued popularity of phishing scams shows), I would think it would be substantially easier to convince them that they'd be better off paying attention to their privacy than they would be by retreating from the internet.

Monday, September 22, 2008

Self-Regulation by Advertisers

According to this article from Media Post, the Interactive Advertising Bureau is pushing for the creation of an industry body to create non-governmental rules to protect consumer privacy online. The goal of this self-regulation, as is the case with most self-regulation, is to prevent actual regulations from being imposed by Congress. While generally, consumers appear apathetic about their privacy online, it appears that advertisers might have reason to worry. Specifically, Eileen Harrington, deputy director of the Bureau of Consumer Protection, Federal Trade Commission, has said that online privacy is a hot issue in Washington right now, and compared the situation of online advertisers to that of telemarketers before the government established the national Do-Not-Call List. Given that kind of comparison, it makes sense that advertisers are thinking about regulating themselves, so they can convince Congress that regulation by government isn't necessary.

Of course, the elephant in this particular room is that it's too late - section 5 of the FTC act, which prohibits unfair or deceptive trade practices, already covers online advertisers. Moreover, the FTC already uses its authority under section 5 to prosecute online advertisers. For example, currently on the FTC's privacy site there's a link to an article about a 2.9 million dollar settlement which was wrung out of online advertiser ValueClick (link here so it isn't lost when the FTC's site is updated). While I can understand the IAB's desire to forestall more regulation, if their goal was to avoid any regulation, they're about 70 years too late.

Bonus non-legal observation: when you're making a comparison, do not say the following: "It's the same issue. What's really changed, really, is everything." It completely undermines whatever point you were trying to make by the comparison, and makes your reader/listener wonder why you drew the comparison between such dissimilar things in the first place.

Thursday, September 18, 2008

And Now for Something Completely Different (and totally surreal)

Question: What happens when a criminal forum is taken down?
Answer: The criminals who used said forum launch into an orgy of mewling self-pity so miserable that even an attention-whoring toddler whining about being sent to bed without dinner would consider it undignified.

A little background: What happened is that the forum DarkMarket, which was used by criminals to (among other things) swap stolen identities and tools for stealing more, was shut down. For most people, this is, of course, a happy event, though one which I think will likely have minimal long-term significance in the overall world of identity theft. While clearly this is a setback to the criminals who used the forum, my expectation would have been that they'd slink away, perhaps to start up another forum to replace the one which had been closed. However, after reading this article about the closing of the site, it's clear that my expectation would have been wrong. Instead of slinking away, the criminals who used the forum started posting self-pitying screeds about how they were downtrodden victims, and lamenting the unfairness of it all. To me it's just nuts. What kind of a warped individual would respond to the closing of a criminal board by stating that "There must be another solution to the problem. Do we just let them win?"

Oh well, I suppose that's why I went into law, rather than turning to a life of crime.

Sunday, September 7, 2008

Perception of Privacy Policies

Here's some shocking news I learned via Bruce Schneier, apparently:

California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards.

(Bruce's blog post here).

The above quotation was taken from a paper entitled "What Californians Understand about Privacy Online." Because of the understanding which consumers (at least in California) have regarding the meaning of a "privacy policy," the authors conclude that "its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations." The vehicle for that limitation could be section 5 of the FTC act, which prohibits unfair or deceptive trade practices, the argument being that, if consumers believe that "privacy policy" has a certain meaning, it is deceptive/unfair for a web site to say that it has a privacy policy if the web site's privacy policy doesn't conform to consumers' preconceptions.

My opinion is that, while the impulse to prevent people from being deceived by the label "privacy policy" is certainly understandable, limiting the use of the term "privacy policy" to situations which conform to consumers' preconceptions isn't a workable solution. The biggest problem is that consumers' ideas of a "privacy policy" aren't necessarily uniform. The paper is based on a survey of California consumers, but California is known for being at the forefront of privacy protection in the United States. What should the FTC do about differences between consumers' understanding in California and in the rest of the country? Since the FTC act is nationwide, it would seem most logical to have a nationwide standard. However, if that nationwide standard is lower than the standard expected by consumers in California, wouldn't those consumers still be deceived by the label "privacy policy"? To me it seems that a better idea would be to allow businesses flexibility to define their own policies. Businesses which wanted consumers to be aware of specific privacy-protective practices (e.g., not selling to third parties, not storing personally identifiable data, etc.) could advertise them, while businesses which didn't care could put their policies behind a "privacy policy" link. While that might not protect consumers who don't take the time to read a web site's privacy policy, it would allow privacy policies to be tailored as appropriate to particular situations (e.g., banks might have more stringent policies than search engines), and it wouldn't put the FTC in the untenable position of trying to find a standard which is both applicable and appropriate nationwide.