Behind the scenes: Privacy and data-mining

The EFF is particularly concerned about findings like those coming out of the Massachusetts Institute of Technology, which show that the “human mobility traces” created by smartphones are sufficient to overcome individual privacy and anonymity.

“The growth of mobile applications has raised the stakes in many minds, and well it should,” says Tien (below). “With smartphone traceability, we are seeing a qualitative jump in creepiness.”

In spite of the fact that the average online shopper or mobile app user has much less privacy today than a decade ago, most companies still either post simple statements about respecting users' privacy or direct users to multiple pages of dense legalese to explain what rights are being waived.

Neither does much to build confidence or promote transparency. As a result, governments have begun to look at implementing tougher guidelines.

“Regulators are becoming concerned,” says Gary Kibel, a lawyer at the New York City firm Davis and Gilbert. “While there are laws already in place in various jurisdictions, some say there is not enough transparency. The Federal Trade Commission is promoting just-in-time notices [an alert outside of a company's privacy policy] regarding consumer privacy, and some states are beginning to take action. In addition, cross-border usage presents a whole other set of questions.”

Kibel and others point to Google's admission in March that it had violated individuals' privacy with Street View – which collected street-level images from the company's fleet of cars loaded with cameras – as an indication that companies recognize it's time for a change. 

“There are only a small number of bad actors out there,” says Kibel, “and the Googles of the world realize that the honest brokers need to make it clear that they're the good guys.”

Tien agrees that things are changing. He says he has become a bit more optimistic in the past few months because of movement, such as Mozilla announcing it will block third-party cookies in a future version of Firefox. He points as well to content publishers, like ESPN, beginning to question the data-sharing policies of the Interactive Advertising Bureau. “It's not entirely clear what the model will be in terms of ensuring consumer privacy, but at least we are seeing recognition that the current state is predatory,” he says.

Dorman Bazzell, North American business intelligence and data warehouse practice lead for Capgemini, an IT services and business consultancy company, says there are a number of questions that organizations should be able to answer to demonstrate that they're safeguarding consumer data. “First, you have to know what customer data is available inside the organization, who has access to it, and how it's used,” he says. Next, users should know where it lives in the organization, and recognize when it needs to be destroyed. 

A major challenge is that there is no single standard for safeguarding privacy. “There are many different solutions,” Bazzell says. “They come in the form of databases, the network, the Obama administration's Consumer Privacy Bill of Rights, information security office (ISO) practices and data governance organizations, as well as security protocols, applications and processes.”

But, in many cases, these safeguards fall short, says Diaz. “Companies still don't have any economic incentive to follow them,” he says. “In fact, it's quite the opposite. What is obvious is that both laws and directives should be much clearer, and there should be a strong regulator to ensure that citizens' privacy is not compromised.”

Davis and Gilbert's Kibel agrees that the existing options sometimes conflict. Further, he says that finding an all-encompassing, absolute solution to protecting consumer privacy may not be possible. “For organizations, the best they can do is to do what makes sense,” he says. “Offer users the choice to opt out, and examine all parts of your workflow to ensure you're not putting personal information at risk.”

The EFF's position is that protecting privacy is everybody's responsibility, adds Tien. “At least as much as it can be when business is in the driver's seat. We think the solution will have to be cooperative. The risk of privacy compromise is a combination of government and business, so we believe each of the players must be a piece of the puzzle.”