Can there be security and privacy online after the fact? That was the question posed at a March 17th public roundtable on consumer privacy sponsored by the Federal Trade Commission. The roundtable brought together academics, industry experts and government officials to discuss the challenges of building a secure and authenticated layer for the Internet on top of the original open and trust-based structure.
In her opening remarks, outgoing FTC Commissioner Pamela Jones Harbour cited the recent launch of Google Buzz and Facebook’s rollout of its new privacy settings as well as the 2007 release of Facebook Beacon as examples of irresponsible conduct by technology companies with respect to consumer privacy. In those instances, consumers were automatically signed up for the rollouts or launches and had to opt-out after the fact. “Unlike a lot of tech products, consumer privacy cannot be run in beta. Once data is shared, control is lost forever,” Harbour said.
In its early days, the Internet was used to facilitate communication among a number of researchers at various universities around the country. It was a small, known, and trusted environment. However in the decades since, its nature has changed dramatically. An architectural layer was built on top, encompassing a complex commercial enterprise, social-networking, and search functionality. In time, a variety of popular services rose up, many of which to this day only employ encryption technology for initial log-in information, leaving all subsequent data sent unencrypted. Experts say this practice exposes consumers to significant risk when they connect to popular cloud-based services using public wireless networks in coffee shops, airports, and other public areas. Without encryption, hackers can easily intercept user data. As new technologies are continuously being developed and new business models are created, many experts are focused on how such privacy concerns and future privacy challenges can be met.
One of the most significant issues in online security is the lack of an authentication layer within the architecture of the web. The current and cumbersome system of using usernames, passwords, and shared secrets is continuously threatened by the possibility of phishing and identity theft. “Personally identifying information can be constructed from non-identifying information,” said John Clippinger, co-director of the Law Lab at Harvard University’s Berkman Center for Internet & Society. “You have to have a user-centric, interoperable system that allows people to control information about themselves and have a chain of trust that can be traced back to the individual.”
The panel encouraged the use of protocols that have already been developed like SSL encryption as a first step towards tackling current privacy issues. Looking towards the future, several panelists referred to the work being done to develop new types of authentication technology to address the usability of privacy. One such technology is the information card, which allows users to sign into hundreds of websites using the one card with no usernames or passwords. The underlying technology provides a different personal identifier to each website, ensuring that no correlatable identifier is being shared across all those sites. These new kinds of identifiers such as the I-Card will give consumers more control over their digital identities, allowing them to control what and how much of their information is shared with other parties while protecting their privacy.
Another issue of discussion was concern over the lack of a clear directive from any regulatory body to technology companies on consumer privacy protocol. Some panelists felt that technology companies are learning harmful lessons from each other’s attempts to push the envelope and are encouraging copycat behavior. With the emergence of business models based upon aggregating information and making it available, correct business incentives and audit mechanisms will play increasingly important roles. “There’s great wealth and opportunity and things that could happen when you use this information effectively, so you don’t want to sequester it. But at the same time, you want to have governance principles that are enforced quickly, transparently, and effectively that grow with the technology,” Clippinger added. “Otherwise, it will get co-opted.”
The event was the final of three public events sponsored by the FTC to explore the privacy challenges that are posed by technology and business practices that collect and use consumer data.
View the webcast here.
Zeba Khan is a social media consultant and writer.
Tags: big picture, Clippinger, events, privacy
