It’s Time For a New Privacy Model

The current raft of stories about privacy problems on Facebook and other high-profile sites is leading to a renewed consideration in some circles of whether there’s a need for tighter government regulation of sites’ privacy policies and user notifications. Regulation, experts say, may be the only real way to force sites to respect users’ privacy.

The current raft of stories about privacy problems on Facebook and other high-profile sites is leading to a renewed consideration in some circles of whether there’s a need for tighter government regulation of sites’ privacy policies and user notifications. Regulation, experts say, may be the only real way to force sites to respect users’ privacy.

This is by no means the first time that there has been a call for better regulation of privacy. There have been periodic uprisings on this issue for the last 10 years or so, generally coinciding with some major shift in the way people use the Web. The current outcry has been spurred mainly by the repeated privacy missteps of Facebook, which has been making a habit of annoying its users with constant changes and “improvements” to its privacy settings.

Users are justifiably angry about the inconsistency and constant change in the site’s privacy policy and settings, which make it difficult for the average user to understand exactly what she’s sharing and what’s private. As a result, Facebook has come under fire from not just its users, but from privacy advocates as well.

One prominent expert, Ed Felten of Princeton University, suggested in an op-ed piece in The New York Times Wednesday that it may be time for the government to take a hard look at regulating Facebook. He said that the current way Facebook–and many other sites–communicates with its users about privacy is essentially meaningless.

“The strongest argument for regulation is that the notice-and-consent
model, in which Facebook posts its policies on its site and users can
opt out by leaving, does not provide meaningful protection but instead
has become a kind of ‘privacy theater’ in which users pretend to read
privacy notices and sites pretend that users have made informed
decisions to accept the notices’ terms,” Felten wrote.

Felten’s is an authoritative voice on privacy and technology topics, and his point is well-taken. The notice-and-consent model of providing privacy policies to users is completely useless. No one, outside of attorneys and privacy advocates researching op-ed columns, reads them, and yet everyone is forced to affirm that they have read and understood the policies. It’s the same model that has protected software makers from lawsuits for all these years, and it’s time for it to go.

Like Felten, I’m not sure what the new model should look like, nor am I much interested in more government regulation. Perhaps there’s a way to develop user-defined privacy policies in which each user specifies the ways in which a given site can use her personal information and the site agrees to abide by that policy. This is the reverse of the way that policies are written and implemented now. Give the user control. The one-size-fits-all model is an abject failure.

That may be too unwieldy and difficult to implement, though. And anything that takes effort is likely to be rejected out of hand by site owners.

What I do know is that many sites have shown little regard for their users’ privacy and not much is being done about it. There have been some successful lawsuits over privacy violations in recent years, but they haven’t done much to change the way that companies do business or treat their customers.

If the government does indeed end up regulating Facebook and other similar sites–which seems unlikely at this point–it could serve as a wake-up call for other sites that haven’t been very careful with their users’ data.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.