The Federal Trade Commission Monday issued a report citing proposed best practices for protecting American consumers and giving them greater control over the collection and use of their personal data. In response, several security and privacy experts offered several variations of "huh?"
At first glance, the FTC's guidelines regarding policy seem rather benign. They state that companies should build in privacy protection at every stage, including limited collection and retention of data, and procedures for protecting accuracy. Also recommended: Consumers should have a do-not-track option, and companies should disclose details about what data they are collecting, how they're using it, and provide customers with access to the data collected about them.
But security and privacy experts argue that the guidelines are not benign. Daniel Castro, senior analyst at the Information Technology and Innovation Foundation (ITIF), a Washington, D.C.-based think tank, issued a statement calling the recommendations "misguided," saying, "The new report shows the FTC still does not understand the fundamental economics of the Internet. Consumers should have options to protect their privacy, but there are important trade-offs and costs in creating those protections. The FTC's recommendations would create economic burdens that could stifle the efficiency and innovation that consumers also want from the Internet."
In an interview with PCWorld, Castro added, "They're a regulatory agency. That's their perspective. They think about regulation." But Castro believes the "do-not-track" legislation can limit choice for consumers. "With less-targeted advertising, some Web sides can't deliver ads very well. It limits innovation by requiring what ISPs can do with customer data. That limits the market for online advertising and innovative business models. That ultimately hurts consumer choice."
Security expert Dr. Larry Ponemon of the Ponemon Institute, concurs. "There's a big difference between a do-not-call list and a do-not-track list. People understand that getting a call at dinnertime from a telemarketer is annoying. But marketing rules and funds the Internet. If you strip out marketing and advertising from the Internet, nothing would be left."
Even worse, Ponemon says, his surveys show that consumers don't care about revealing their likes and dislikes. "We research this every year, and the level of concern that people have about privacy never goes above 10%, and even then we think that's an overestimate. Another 65% say they care, but not enough to change their behavior in terms of making information available about themselves. Another 25% say they just don't care one way or the other. We call them privacy complacent."
But the basic truth is that consumers understand that by supplying information about their likes and dislikes, they ultimately benefit. "People want to know more about things they're interested in. It's the extraneous stuff they don't want."
Policies Can Have Opposite Effect
Policies such as those the FTC is recommending will have exactly the opposite effect, and even one of the FTC commissioners understands that. According to the final report, Commissioner J. Thomas Rosch dissented from the results, with four major concerns:
The recommendations are based on "unfairness" rather than deception; The current state of "Do Not Track" still leaves unanswered many important questions; "Opt-in" will necessarily be selected as the de-facto method of consumer choice for a wide swath of entities; and Although characterized as only "best practices," the report's recommendations may be construed as federal requirements.
Ponemon adds, "I have a lot of respect for the FTC. It does a lot of good stuff, but on this particular issue, [its] policy is not representative of the population at large, and the cure is worse than the disease."