Do We Need an FDA to Protect Our Data?

Monday Apr 20th 2009 by Joshua Greenbaum
Share:

It’s time we take data protection out of the realm of futility and treat our vital data like a food or a drug that needs serious oversight and safeguards.

There's a government agency you may have heard of, the Food and Drug Administration, that's charged with ensuring that the food and drugs you put in your body are safe to ingest. In general, most of us think the FDA isn’t just a good idea, but an absolute necessity in a rough and tumble commercial market with too many opportunities for misrepresentation, fraud, and life-threatening criminal activity.

Meanwhile, in cyberspace, the applications and services that make use of your data have no such regulatory agency overseeing their activities, despite being a rough and tumble commercial market with too many opportunities for misrepresentation, fraud, and life-threatening criminal activity.

So, in case you haven’t figured out where this is all leading, I pose the following question: is it time for a regulatory regime that makes sure that the myriad online uses for private data – from credit cards numbers to genealogies to our LinkedIn or Facebook profiles – are actually designed to ensure the safety of that data and us, the nominal owners of those data?

I ask this question in the face of the enormous growth in free online services that are effectively capturing individual data and… well, what they do next is the problem.

Let’s take my favorite, LinkedIn. LinkedIn is a member of an industry group called TRUSTe (no relation to Wall-E, apparently) that guarantees your privacy, and claims to give you, the consumer, a place to go to complain when something goes wrong with your privacy and its data. More on the wealth of claims TRUSTe has processed in a second.

I’ve always worried about the LinkedIns of the world, which are largely providing free services in the hopes of one day becoming a real company with real revenues and a real business model. This dose of reality is something that the investors could force on such a company at any time, particularly in a recession like this one: get me some revenue, or else.

And with “or else” being a potential asset sale, one guess which is the asset that the LinkedIns of the world have that’s really worth something. Try saying it with me: the data I gave them when I signed up for my free account.

Faced with the reality of someday having to make a buck, what I find intriguing is how much valuable information they are collecting about business contacts and business relationships, and how little any of us know about what they are doing with that information.

(To be fair, LinkedIn seems to be doing some very useful networking, and I am told its revenue-producing job postings are top notch. But the consensus seems to be that the revenues aren’t anywhere near what a company with almost $100 million in VC money needs to be generating to set it up for a decent exit for the investors.)

Like everyone else in the market that is collecting gobs of free data from customers – and that includes everything from Facebook to eBay to Craigslist – the protections for those data are suspect. Much of this has to do with very sketchy language in terms of service and privacy policies that seem to be written with the intent of driving a revenue train through a web full of gigantic loopholes.

To whit: LinkedIn’s privacy policy has some vague assurances about never copying “personally identifiable information,” without ever defining what that actually means.

Does it mean that any information about me that I post in LinkedIn is private? Probably. Does it mean that information about my contacts are private? Well….. Not sure, but a literal interpretation of the term makes it very easy to say that most if not all of my contact data is not “personally identifiable information, ” insofar as Steve Jobs’ private email address, were I to have it, doesn’t identify me in the least. Though it would really piss Steve off to have someone realize the commercial value of that email address in a service like LinkedIn.

I’ve re-read LinkedIn’s privacy policy about five times, and this distinction between “personally identifiable” and everything else isn’t clear. Nor is the issue of my social network and its connections. My name, rank and serial number are private, but is the graph of my LinkedIn network private too?

If you had an advertiser looking to target people with my demographic, could LinkedIn sell them my network graph, complete with contacts (unprotected by the privacy policy)? In other words, if you want to target people in Josh’s network, would that be legit as long as Josh’s “personally identifiable information” was protected? Not clear at all.

Wait, there’s more. Let’s look at the LinkedIn copyright policy, which seems to abrogate, or at least expand the loopholes, of the privacy policy. Because in the copyright policy we find that users grant LinkedIn a blanket release of copyright so that LinkedIn can:

reproduce, represent, adapt, translate, digitize, use for advertising purposes, whether commercial or non-commercial, to sublicense or to transfer the content concerning each User (including information, pictures, descriptions, search criteria, etc.) over all or part of the Services and/or in any mailings of LinkedIn and in general through any electronic communication media (email, SMS, MMS, WAP, Internet, CD Rom or DVD).

Anyone worried yet? Okay, if you’re not worried, at least admit that you’re confused.

My problem with LinkedIn, and every site that captures free data, and that includes the Craiglists and eBays and Facebooks, is not whether I am right or wrong, but that I can never tell if I’m actually protected or not, and won’t be able to tell until something horrible happens. Whereupon my recourse will be some ex-post facto remedy, which will only remedy things for the next guy, not me.

This brings us to an FDA for data. Most consumers of online services are as qualified to judge the safety of these services as most consumers of pistachios are qualified to judge if there is salmonella in their nuts. And, as new online services sprout minute by minute, promising free services, the danger that consumers will become the unwilling victims of fraud, deceit, and worse (much worse) grows exponentially.

Especially vulnerable to this data problem are children – who, not coincidentally, have a similar vulnerability to the kinds of problems in the food and medicine chain that the FDA is trying to wipe out.

Sexual predation, cyber-bullying, and assorted scams are all the more easier to perpetrate in places like Facebook precisely because its audience is young, naïve, and gullible, and doesn’t understand how to protect their data and themselves.

This lack of protection is even more scary when you talk to the kids on these services who have no concept of the need to be protected whatsoever – the parallels to the insouciance of teenagers about other risky behaviors makes me convinced they are, like most teens, assuming they are immortal until proven otherwise. And, as the grownups of the world, it’s our job to remind them that otherwise is unacceptable.

Now, in the spirit of the ‘90s, there is an industry group that purports to do that self-regulation that all industry groups do as a means to stave off the grim regulator. That would be the aforementioned TRUSTe.

Too bad this organization is just so much window-dressing: Its website proudly proclaims that it has logged and resolved privacy complaints numbering in the hundreds! Imagine the flood of complaints pouring in.

For anyone who knows the extent of cyber crime, cyber crime incidents – of which fraud related to privacy violations are a major component – number in the hundreds of thousands, and are growing steadily. So much for TRUSTe’s impact on the problem.

Also in the spirit of futility, there is a government agency called OnguardOnline.gov that attempts to inform the public about cyber-security.

It also points out, in an ironic style unique to the government (as in accidental), the problems with enforcing any of the zillions of crisscrossing regulations that attempt to make sense out of these issues. While the Federal Trade Commission actually maintains OnguardOnline, its “about us” page shows that, including the FTC, there are 10 agencies involved in dealing with these issues, not to mention the 16 or so non-governmental organizations that are also part of the OnguardOnline effort. (Of which, curiously, TRUSTe isn’t one.)

In other words, 26 different agencies and NGOs are there to make sure that no unified, coherent, and workable policy can ever emerge that will actually make laws and regulations, much less enforce them, in a unified and consistent way. So much for that solution.

Whereupon, in the spirit of Upton Sinclair, whose muckraking journalism helped create the public outcry that led to the formation of the FDA, I submit that it’s time we take data protection out of the realm of futility and treat our vital data like a food or a drug that, if used correctly, can provide huge, essential benefits. And if used incorrectly, can harm us and society in ways we are only just beginning to understand.

What I am particularly hopeful for is that such an agency would actually be able to enforce laws that make it a crime to misuse or abuse data and privacy.

Because right now, if you even are aware that the sanctity of your data has been breached, you have nowhere to go to resolve the problem: local police don’t care, the FBI doesn’t get out of bed for anything less than major crimes, and the various agencies mentioned in OnguardOnline are hardly set up to handle the literally hundreds of thousands of data breeches that take place each year.

I can’t guarantee this will work, but one thing I can guarantee is that whatever remedies we’re using to stave the bleeding aren’t helping. And the problem is only going to get worse, much worse. What are we waiting for?

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved