IP: privacy - a new approach to letting the market work

[David Farber <farber () cis upenn edu>]

-----Original Message-----
From: Esther Dyson [mailto:edyson () edventure com]
Sent: Monday, January 17, 2000 12:02 PM
To: farber () cis upenn edu


Dave, this appeared in the Financial Times (London) today.

Esther

Disclose privacy practices to investors as well as to consumers, suggests
Esther Dyson


Data security is like public health: as an individual, you can do only so
much to protect yourself. Your welfare also depends on people around you.
Unfortunately, other people  perhaps even you yourself  are careless.
   Surveys of internet users tell us that people value privacy and security:
but if you watch their behaviour, you come to the opposite conclusion.
People use credit cards to buy things online, and send private e-mails
trusting they will reach the right person and no one else. By and large,
their behaviour makes sense for them as individuals. But collectively, we
may be on the brink of a data disaster that only a little paranoia can
avert.
   Attacks on privacy are emerging from two sides: from people who want to
undermine privacy, and from companies and governments that are collecting
too much information. These threats do not yet seem real because it is in
most people's interests to keep quiet about them. Organisations that collect
data would you rather you did not notice. Companies whose security is
breached do not want to upset their customers, or alarm their insurers and
investors. Even hackers, although they might like to brag, cannot talk too
much for fear of getting caught.
   This has made for a state of blissful ignorance that cannot last. There
have been small eruptions already, especially in the US where both Microsoft
and RealNetworks have collected data on individuals without notifying them.
Most people receive too much junk e-mail. More and more personal data are
floating around, waiting to be taken and misused.
   But how can we change people's behaviour rather than their rhetoric?
Let's face it, consumers are lazy and careless with their data; to put it
politely, they have other priorities. And if consumers do not take the
trouble to check on the data practices of the internet sites they use, why
should the companies themselves care?   Respect for privacy, although widely
discussed, does not seem to confer a competitive advantage at the moment.
Employees are careless with passwords, and their employers are careless with
overall security. Insurance companies seem oblivious to the risks, and
investors appear unconcerned whether companies follow good practices.
   The authorities say that something must be done, because security and
privacy are matters of public interest. Unfortunately, they are not doing
the right things. Direct government regulation of the kind that is emerging
in Europe, and will probably be seen soon in the US, is the wrong approach.
   Aside from the threat to freedom that it poses, government regulation
will always be a step behind developments in technology. It is bound to lag
both corporate techniques for collecting data, and hackers' methods for
overcoming security barriers. Regulation would give the appearance of
solving problems, but allow them to continue unchecked in practice.
Moreover, regulation is bound to be vary between countries. Breaches in
privacy affect more than single individuals, or countries.
   This is not to say there is no role for government. However, governments
need only set out the principle of individuals' legal right to control the
use of their own data, rather than regulating directly. The point is that
they cannot guarantee "privacy", because individuals have differing notions
of what that is. What consumers need is the legal right to define and ensure
it for themselves. Once such legal rights are recognised and enforced,
differences between companies with respect to privacy and security will
start to matter to investors.
   The US Federal Trade Commission is already saying clearly that
individuals' control over their own data must be guaranteed one way or
another. The EU has issued a privacy directive, although many of the new
internet start-ups are unsure how it applies to them. And again, rules vary
from country to country.
   The solution lies with financial markets, which already operate across
borders in the same manner as the internet. Companies should be required to
make disclosures of security and data practices to their investors and
insurers, and not simply to consumers. Individuals may not be sufficiently
motivated to consider privacy or security, but investors have good reason to
pay attention: proper data policies will over time mean consumer
satisfaction and commercial success.
   We will need rules on disclosure to help the markets work, and to help
investors recognise the liabilities companies are incurring through sloppy
practices. The beauty of this approach is that it works with the market,
rather than against it. Companies would be given reasons to compete to
improve their security, and offer useful, intelligible ways of handling
consumers' data.
   In the world of the internet, there are a million ways to breach
security: but the market can foster a million and one ways to protect it.

The author is chairman of EDventure Holdings, publisher of the Release 1.0
newsletter about the computer industry.  She invests in a variet of
for-profit and not-for-profit organizations, for social and financial
returns.


Esther Dyson                    Always make new mistakes!
chairman, EDventure Holdings
chairman, Internet Corp. for Assigned Names & Numbers
edyson () edventure com
1 (212) 924-8800    --  1 (212) 924-0240 fax
104 Fifth Avenue (between 15th and 16th Streets; 20th floor)
New York, NY 10011 USA
http://www.edventure.com                    http://www.icann.org

PC Forum: 12 to 15 March 2000, Scottsdale (Phoenix), Arizona
Book:  "Release 2.1: A design for living in the digital age"
High-Tech Forum in Europe: October 2000 - probably Barcelona