February 21, 2011

Location and Privacy. Say what you do and do what you say


by Cary J. Calderone

I had the pleasure of attending an event sponsored by the Churchill Club on Location and Privacy, Where Are We Headed? The panel members (listed below) represented a diverse group of very knowledgeable people connected to privacy law. They ranged from attorneys and privacy officers working for location-based social networking companies, to a representative from the FTC concerned with regulating the players. After listening to the very interesting discussion, can I provide a quick summary of the law for you? Not really. This is because the law is in flux and not very settled. Here is a video of part of the discussion on finding a balance between usefulness and safety.
Even the FTC has requested comments on its Proposed Framework for Businesses and Policymakers because they realize they may need more information to determine how technology can help or hurt their efforts to inform and protect consumers. With constant innovations to location-based technology, it will be even more challenging, but there are things you can do to be better prepared.

In trying to protect consumers, the policymakers and players are constantly struggling to "get it right." It is akin to the challenge of Goldilocks and the Three Bears; is the porridge too hot, too cold, or just right?  There is value to information collected around a consumer's location, but how dangerous might it be?  What about those who happen to be with the person who is posting pictures and checking in?  The "second-hand smoke" of privacy?  What about the risk faced by a potential criminal enterprise posing as a legitimate player in this space?  Now let's compound this challenge by the Catch 22 that the policymakers face.  The FTC has required more and more complete disclosure from companies whose websites collect information, but what are the odds the consumer will understand the disclosure, and be able to make an informed consent? This is a daunting challenge.  We lawyers are trained to be specific and thorough when we write. But, easy for consumers to understand?  Not so much.

The only downside of having a panel that is so well-informed and focused on the tricky details is that they did not mention a more mundane problem in this area. I know firsthand that many of the decision-makers at technology startups do not understand even the basics of privacy law. They do not know what information they want, need, or should avoid. For example, when helping one company create a privacy policy, the client kept insisting I select "what everyone else is doing," and give them a "standard" privacy policy for their website. This is an area where there is no "cookie-cutter" solution and yet many companies only know they need a privacy policy. So, they publish one that "sounds good," even without understanding their new legal obligations. A good privacy policy depends on many factors like the business model, the targeted consumer, available technology, and their risk tolerance. Moreover, if the policy is not audited, there is a very strong likelihood that new technology will soon enable their website to track and collect data that has yet to be considered. The designer says, "now we can collect this information" and "do you want it?" They usually say "yes" without the slightest consideration that their new tool has potentially exceeded their stated privacy policy and they may be out of compliance and at risk. On balance, educating businesses will be just as important a goal and outcome of the FTC Framework as is educating consumers.

A related, and critical potential problem was illuminated by Laura Berger. She explained that she had been asked to review a privacy policy and determine whether it was acceptable. Unfortunately, she cannot judge whether it is acceptable, unless and until she determines that the company is actually following their privacy policy. It is a two-step process.  This is a theme that is common with DRED and other compliance projects. Policies can be well-reasoned, well-written and well-intended, but if nobody follows them? They will not help you!

The panel touched on another important issue that is caused by the fact that the location-based technology is evolving so quickly. Definitions have to be specific and yet open to future innovations in technology. For example, a company's policy may collect location-based GPS information from a person who is aware of it. But what about recognizing that whenever somebody logs in from a computer, the header information and metadata probably reveal more about the user's whereabouts than the user would ever believe? Does consenting to an obvious location-based technology also include the less obvious technology utilized in the background? Or, what about the facial recognition capabilities that can find pictures of you in the background of pictures posted by complete strangers? And the pictures may be geographically tagged, letting people know where you were on a certain date and time? Call in sick and head to a ball game? Not a good idea if your friend decides to memorialize your outing with status updates and pictures. Or, it may be that stranger sitting in front of you with a camera phone who likes to post pictures? Or, how about the fact that your Smart Phone will send an email through a cell tower or Wi-Fi network that is at the ball park, and not your home or office? That too can be tracked! It really can start to sound scary. What information should remain private?

There were quite a few other interesting questions debated by the panel:
  • Will there be a "do not track" list similar to the "do not call" registry?
  • If you block all collection of data, do you effectively kill the value of the user's web experience?
  • Where is the line? How can people have access and still be protected?

The panel also weighed in with their 5 year predictions:

  • Laura Berger - There will be some established uniformity and consumer understanding of what happens to their data.
  • Jim Dempsey - We will have a Federal baseline privacy law with flexibility to support innovation (FTC and Commerce Dept. reports) because location technology is here to stay.
  • Brian Knapp - Business opportunities will abound like Virgin Airlines when it opened up routes to Cancun with a "Flash bomb" award of a companion ticket.  Hugely successful.
  • Brendon Lynch - Wow we will look back and think we were naive.  There will be RFD tags and ID addresses, or both, on everything! There will be a self-regulatory model that is tested, trusted and works.
  • Owen Tripp - 1) The company that wins in the next few years will have a better privacy model and use it as their competitive advantage 2) There will be a very large privacy company to manage these choices for consumers (multiple players).

For a blogger who has attended far too many legal seminars where the materials and the speakers can be rather dry, this was an especially enjoyable event.  The area is new and exciting and the speakers were passionate and entertaining.  I will look for more DRED related topics at the Churchill Club and keep you posted.


    Laura Berger, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
    Jim Dempsey, Vice President for Public Policy, Center for Democracy & Technology
    Brian Knapp, Chief Operating Officer, Loopt
    Brendon Lynch, Chief Privacy Officer, Microsoft
    Owen Tripp, Chief Operating Officer, Reputation.com
    Moderator: Melissa Parrish, Research Analyst, Forrester Research
