Interesting People mailing list archives
IP: privacy - a new approach to letting the market work
From: David Farber <farber () cis upenn edu>
Date: Mon, 17 Jan 2000 13:54:11 -0500
-----Original Message----- From: Esther Dyson [mailto:edyson () edventure com] Sent: Monday, January 17, 2000 12:02 PM To: farber () cis upenn edu Dave, this appeared in the Financial Times (London) today. Esther Disclose privacy practices to investors as well as to consumers, suggests Esther Dyson Data security is like public health: as an individual, you can do only so much to protect yourself. Your welfare also depends on people around you. Unfortunately, other people perhaps even you yourself are careless. Surveys of internet users tell us that people value privacy and security: but if you watch their behaviour, you come to the opposite conclusion. People use credit cards to buy things online, and send private e-mails trusting they will reach the right person and no one else. By and large, their behaviour makes sense for them as individuals. But collectively, we may be on the brink of a data disaster that only a little paranoia can avert. Attacks on privacy are emerging from two sides: from people who want to undermine privacy, and from companies and governments that are collecting too much information. These threats do not yet seem real because it is in most people's interests to keep quiet about them. Organisations that collect data would you rather you did not notice. Companies whose security is breached do not want to upset their customers, or alarm their insurers and investors. Even hackers, although they might like to brag, cannot talk too much for fear of getting caught. This has made for a state of blissful ignorance that cannot last. There have been small eruptions already, especially in the US where both Microsoft and RealNetworks have collected data on individuals without notifying them. Most people receive too much junk e-mail. More and more personal data are floating around, waiting to be taken and misused. But how can we change people's behaviour rather than their rhetoric? Let's face it, consumers are lazy and careless with their data; to put it politely, they have other priorities. And if consumers do not take the trouble to check on the data practices of the internet sites they use, why should the companies themselves care? Respect for privacy, although widely discussed, does not seem to confer a competitive advantage at the moment. Employees are careless with passwords, and their employers are careless with overall security. Insurance companies seem oblivious to the risks, and investors appear unconcerned whether companies follow good practices. The authorities say that something must be done, because security and privacy are matters of public interest. Unfortunately, they are not doing the right things. Direct government regulation of the kind that is emerging in Europe, and will probably be seen soon in the US, is the wrong approach. Aside from the threat to freedom that it poses, government regulation will always be a step behind developments in technology. It is bound to lag both corporate techniques for collecting data, and hackers' methods for overcoming security barriers. Regulation would give the appearance of solving problems, but allow them to continue unchecked in practice. Moreover, regulation is bound to be vary between countries. Breaches in privacy affect more than single individuals, or countries. This is not to say there is no role for government. However, governments need only set out the principle of individuals' legal right to control the use of their own data, rather than regulating directly. The point is that they cannot guarantee "privacy", because individuals have differing notions of what that is. What consumers need is the legal right to define and ensure it for themselves. Once such legal rights are recognised and enforced, differences between companies with respect to privacy and security will start to matter to investors. The US Federal Trade Commission is already saying clearly that individuals' control over their own data must be guaranteed one way or another. The EU has issued a privacy directive, although many of the new internet start-ups are unsure how it applies to them. And again, rules vary from country to country. The solution lies with financial markets, which already operate across borders in the same manner as the internet. Companies should be required to make disclosures of security and data practices to their investors and insurers, and not simply to consumers. Individuals may not be sufficiently motivated to consider privacy or security, but investors have good reason to pay attention: proper data policies will over time mean consumer satisfaction and commercial success. We will need rules on disclosure to help the markets work, and to help investors recognise the liabilities companies are incurring through sloppy practices. The beauty of this approach is that it works with the market, rather than against it. Companies would be given reasons to compete to improve their security, and offer useful, intelligible ways of handling consumers' data. In the world of the internet, there are a million ways to breach security: but the market can foster a million and one ways to protect it. The author is chairman of EDventure Holdings, publisher of the Release 1.0 newsletter about the computer industry. She invests in a variet of for-profit and not-for-profit organizations, for social and financial returns. Esther Dyson Always make new mistakes! chairman, EDventure Holdings chairman, Internet Corp. for Assigned Names & Numbers edyson () edventure com 1 (212) 924-8800 -- 1 (212) 924-0240 fax 104 Fifth Avenue (between 15th and 16th Streets; 20th floor) New York, NY 10011 USA http://www.edventure.com http://www.icann.org PC Forum: 12 to 15 March 2000, Scottsdale (Phoenix), Arizona Book: "Release 2.1: A design for living in the digital age" High-Tech Forum in Europe: October 2000 - probably Barcelona
Current thread:
- IP: privacy - a new approach to letting the market work David Farber (Jan 17)