White House privacy rights bill is a beginning, not an end

Free at last? Not exactly. A consumer privacy bill of rights is long overdue, but anything real will require Congressional action -- an oxymoron if ever there was one.

At a hastily arranged call-in conference last night, the Obama White House and the FTC announced something privacy advocates have demanded for decades: a declaration that we, the people, own the data that is collected about us.

The announcement was high on lofty goals and short on specifics. That’s fine – being too prescriptive, especially when it comes to technology, can be worse than doing nothing at all. But if anybody thinks this alone will snuff out all the privacy fires currently raging, they’re mistaken.

PCWorld’s John Mello has a good summary of the key bullet points. The big takeaway: Consumers should have a choice over what data is collected about them and how it is used; companies must take responsibility for the security of that data and use it in “reasonable” and expected ways. 

In addition, the leading lights of the ad industry have agreed to honor Do Not Track mechanisms in browsers, should consumers choose to implement them. That would presumably prevent the shenanigans pulled by Google and others to circumvent third-party cookie blocking, not to mention those nasty Flash Cookie Zombies that respawn after users have opted out.

To which I say: About damned time. Good for the White House for saying it, good for us if it really happens. And that’s the rub. This is just a blueprint. It’s no more real today than it was yesterday at this time.

Here are some of the problems the White House “framework for protecting privacy and promoting innovation” [PDF] does not solve.

* Companies don’t actually have to follow the rules if they don’t want to. Per the blueprint:

“Private sector participation will be voluntary and companies ultimately will choose whether to adopt a given code of conduct.”

The Digital Advertising Alliance – the ad industry trade group that has been desperately trying to fend off Federal legislation of online tracking – has endorsed this plan. If you want to be a member in good standing of the DAA, you’ll have to follow the rules. That’s good. If you don’t, there’s nothing stopping you from continuing to operate as you please.

Of the nearly 800 tracking companies in Evidon’s database, 147 belong to the DAA. Many others belong to other industry groups, who presumably would also abide by the same principles. But hundreds of companies don’t belong to any. What happens to them?

* The FTC will play bad cop to enforce the rules, but only if Congress passes legislation empowering them to do so.

“As part of consumer data privacy legislation, the Administration encourages Congress to provide the FTC (and State Attorneys General) with specific authority to enforce the Consumer Privacy Bill of Rights.”

In other words, this is all moot without Congressional action – an oxymoron if there ever was one, and never more so than in an election year.

[Update: A reader points out that the FTC already enforces rules forbidding alleged deception committed by advertising networks, as it did when it sanctioned Chitika last May and ScanScout (now Tremor Video) in December for providing bogus opt outs. But enforcing this Bill of Rights specifically will require intervention by Congress.] 

* The Internet does not end at US borders. Many tracking companies are not based in the US, and don’t have much to worry about from the FTC or state attorneys general. And while the framework states a worthy goal of “global interoperability,” getting there may be about as difficult as solving the debt crisis.

The European Union in particular has much stricter privacy rules than we do on this side of the pond. It’s unlikely US companies will agree to follow their rules; how likely are they to follow ours?

* What is tracking, really, and who gets to define it? In the phone conference, White House Deputy CTO Daniel Weitzner said any Do Not Track mechanism would carve out narrow exceptions for ad delivery reporting and fraud detection, as well as things like the Facebook “Like” button. At what point does allowing Facebook and Google to collect our Likes or +1s become a form of tracking?

The DAA’s commitment to honor Do Not Track seeks to carve out its own exceptions. Its rules only apply when a consumer

(1) has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected and (2) has affirmatively chosen to exercise a uniform choice with the browser based tool. The DAA standard will not apply in instances where (1) and (2) do not occur or where any entity or software or technology provider other than the user exercises such a choice.

To me this sounds like they’re making an exception for browsers like Safari, which blocks tracking cookies by default, and possibly tools like Abine’s Do Not Track Plus, which blocks tracking without notice from individual ad companies.

Carving out the exceptions could be the thing that stops Do Not Track in its tracks, so to speak.

Don’t get me wrong. We have needed a consumer privacy bill of rights for some time now, and I believe that industry self regulation alone is worthless. So these are steps in the right direction. But only baby steps. The real work is just getting started.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech.
