Archive for August, 2008

The Common Datatrust Foundation Changes Name to The Common Data Project

Monday, August 18th, 2008

We are excited to announce that we have a new name, The Common Data Project. We’ve changed our name for a couple of reasons, to avoid confusion around our use of the words “trust” and “foundation.” As an organization trying to create a new kind of nonprofit institution, we were interested in using these words to help explain our work through analogies to existing institutions–a datatrust that holds an individual’s personal information like a personal financial account, an organization that provides “grants” of information to researchers and nonprofit organizations. But given the specific legal definitions of a financial “trust” and “foundation,” we’ve decided that it’s more important to avoid public confusion. After all, we’re very decidedly not an investment company nor a private foundation.

In any case, we like the immediacy of the word “project”! We’re excited about moving forward on our Project and we hope you’ll get involved with our Project as well.

Yahoo: restoring your “sense” of privacy, not privacy itself

Friday, August 15th, 2008

Hot on the heels of the launch of Cuil and its no-data-collection policy, Yahoo announced recently that it would allow users to opt out of targeted advertising on its own websites.

The new policy was announced in response to a letter sent by four members of the House of Representatives to 33 Internet and telecommunications companies. The first question of the letter was, “Has your company at any time tailored, or facilitated the tailoring of, Internet advertising based on consumers’ Internet search, surfing, or other use?” Ha!

In all fairness, I’m glad our elected officials are asking even simple questions. I just hope that they won’t be satisfied with overly simple responses. As many of the commenters to the Bits blog post pointed out, the issue is not so much whether the user is forced to view targeted ads, but what kind of data collection is done in order to send these users targeted ads. Chris Hoofnagle notes,

The problem with opt-out rights in the online advertising context is that it results in a worst case scenario for consumers: the opt out typically only applies to receiving targeted advertising, so the company still tracks the consumer’s behavior, but the consumer doesn’t enjoy the benefit of targeted ads.

This form of opt-out reflects a 20th century conception of privacy–privacy means not being contacted. In the 21st Century, we need to understand more subtle problems, such as the privacy risks from online advertisers’ mere collection and use of data.

Exactly. This is not about being put on the Internet equivalent of the “Do Not Call” registry. Does Yahoo think I would be okay with having data collected about me, as long as I never see the evidence they’re doing it?

P.S. Then again, there are certainly users like Commenter #8, whose vanity is hurt that Yahoo is sending her ads about reducing wrinkles. But deep down, even she seems to realize only her “sense” of privacy is being restored, not her privacy itself.

Cuil: Is zero data collection the answer?

Monday, August 11th, 2008

Cuil, the new search engine, launched with much fanfare this past week. It’s been blogged about all over the place already, so I’m not going to analyze how its results compare to Google’s. I’m more curious about its privacy policy, which trumpets that it collects NOTHING, nada, zip, zilch.

I found it sort of funny that the other big news in search engines recently was Google’s announcement that it was launching an updated version of Google Trends called Google Insights for Search. While one search engine bragged about its lack of data collection, the other was showing it off.

The two news items together highlight the problem at the heart of our ongoing search for more privacy online. Despite all the handwringing over online data collection, especially by big search engines, people love seeing the data that gets collected, even when they’re not advertisers. We want to see how often we’re mentioned in Twitter, or what parts of the world are searching for topics we blog about. It’s not hard to imagine more serious research and analysis being applied to this data and real social good coming out of it.

I’ve never found very compelling the National Rifle Association’s argument, “Guns don’t kill people; people kill people.” But I find myself wanting to say something similar about data collection: “Data collection doesn’t violate privacy; irresponsible people and laws violate privacy.” Shutting down data collection altogether can’t be the answer.

Raising privacy expectations by raising privacy standards

Tuesday, August 5th, 2008

It’s great that Google is becoming more transparent about how they use your data to tailor your search results. It’s the kind of thing we’d like to see more of. However, is it enough to merely state the status quo? Or should we really be demanding not only transparency but control and ownership as well? Saul Hansell has it right: the data Google collects from you is *yours*, not theirs. So not only should we all get a better look at what Google is doing with “our” information, we need to be able to set some ground rules about what is used and how it’s used. And by “setting ground rules,” I don’t mean choosing between opt-in and opt-out radio buttons.


Today, privacy policies are meant more to protect companies from liability than to protect individuals’ privacy rights. Even though a lot of people don’t fully understand how their information is being collected, we all know that it’s a one-way street. While businesses buy, sell, and share sensitive, personal information, we can’t even access our own information. More and more people are becoming wary of data collection in general, and as a result, the debate between privacy advocates and businesses has become framed as a conflict, privacy versus information. However, we as a society should seek solutions that promote both privacy and information.

We at CDTF want to change the culture of data collection from one where businesses and other data collectors have all the control to one where individual users are secure enough in their privacy to become active participants and consumers of data. We’ll need new technologies, policies, and possibly legislation, but perhaps most crucial is our need to come to some consensus about how to balance individual privacy rights with our societal interest in information-sharing.

We think an important first step is to develop new industry standards that describe what should be happening, not just what is happening in data collection. If more information-sharing is to happen, individual users have to become more confident about their privacy. So privacy standards have to be raised, not maintained.

For example, the first step in certification by privacy companies today is determining whether a company has a privacy policy. Although a company should certainly have a written policy, providing credit for merely having a written policy doesn’t raise the ante in any way.

Currently, many companies’ privacy policies don’t even cover all traffic to a website, as they disclaim responsibility for the practices of their partners and/or third-party advertisers. A standard that declares as a “best practice” the use of an all-inclusive privacy policy that covers all traffic to a site would certainly raise the bar.

Although few companies now would meet this standard, by declaring it to be a possibility, users would become better aware of how most privacy policies are not all-inclusive, while companies willing to meet the standard would be able to signal more clearly how they are different from their competitors.

We think the bar should be raised on the following issues as well:

1. How much notice is required when the terms of a privacy policy change;
2. How changes in privacy policy apply to data collected under the previous policy;
3. How long data is stored;
4. How explicitly companies describe how data is used;
5. How data is secured and anonymized before it is shared with 3rd parties in order to provide an “appropriate” level of protection.

At the same time, user awareness of the potential benefits of multi-directional information-sharing, to both individuals and society as a whole, has to increase. We think new standards for user participation in the management of their data should be created around these issues:

1. User access to collected data;
2. User control over whether data is shared and for what purpose;
3. User control over the “level of anonymization” applied to data before it is shared;
4. Availability of data for public secondary use.

We’re not here to say, “Ta-da! Here are the perfect standards for reconciling the goals of privacy and information-sharing.” Instead, we want to start a conversation on how such standards could be useful, how they could be developed, and how they could be promoted.