Keep Privacy Policies Private

Keep Privacy Policies Private

December 10, 2010
Originally published in Forbes

Like the lame duck itself, the online privacy turkey waddles on this December. It's headed for January and the next Congress.

Along with proposed legislation, a current example is the new Federal Trade Commission report proposing a compulsory online "Do Not Track" mechanism to regulate business marketing practices. It is important, you see, given the recession and all, to encourage consumers to opt-out of free enterprise even further.

Meanwhile, Rep. Joe Barton, R-Texas, (occasionally my personal least objectionable legislator) thinks it "better late than never" that the Obama administration has proposed a privacy watchdog to protect us from the terrors of our Internet-saturated lives.

This is wishful thinking. My trips through the Thanksgiving TSA lines alone reminded me just how utterly true it is that Washington doesn't do privacy protection. "Not my department" is the entrenched governmental stance toward privacy, illustrated still further by periodic national ID schemes, the vulnerable stance of biometrics technologies and the hostility toward RFID tags.

So, please.

Since most business transactions occur between strangers and since most Web surfing is free (note to policymakers: Both are good things we want to keep. All together now: G-O-O-D), a "Do Not Track" to purposely undermine targeted advertising is a potential lobotomy plan for Internet commerce and an imaginary trajectory for improved privacy practices. Hampering marketing pleases some, but there's no reason for them to call the shots for anyone but themselves.

After all, privacy preferences are a private matter, not choices for others to make for us.

There is a gap in public policy: Politicians don't consistently express that while shareholder capitalism does create genuine privacy risks through information sharing, these risks and the interests of corporate control also propel the involved institutions. These include pressure from competitors, capital markets and business partners (like upstream suppliers and downstream customers) to keep information secure; also liability, insurance, new professional codes and contracted-for levels of privacy are emergent. These pressures are why the term "self-regulation," which the FTC report called "inadequate," is a misnomer: No business has that luxury in free enterprise. Further, bad FTC regulations and congressional legislation undermine these competitive pressures.

Even Republicans thought the government needed to regulate dinner-time telemarketing calls via the "Do Not Call" list now used to justify Do Not Track. If they don't believe competitive enterprise can handle mere phone calls, I'm not sure how they expect to be able to convince anyone that government need not manage health care or retirement--and of course, privacy more broadly. So they've got to get their message straight before January.

Like all other technologies, privacy, anonymity and security technologies benefit from competition. Likewise, services, from consulting to liability insurance to network monitoring, benefit from competition. Contracts to surf anonymously while paying a nominal fee to an ISP, a notion noted recently in a Wall Street Journal piece, is only one of numerous other possibilities. Interestingly enough, another mania, the Federal Communications Commission's manic push for so-called net neutrality, could undermine innovations in privacy and authentication networking as well.

Business should stop apologizing for advertising, be proud of that function and avoid deals with the privacy pressure groups that do not occupy moral high ground here.

I wish intervention were neutral, like, say, picking a State Bird. But FTC, congressional or "czar" meddling would be the antimatter version of privacy protection, disrupt innovation and function primarily as a locus of lobbying and special pleading and regulating, generating ineptitude and unpreparedness when it comes to real advances in privacy, risk management, and in turn, online wealth creation. Cyber-czar gestures and legislation cannot address the lack of authentication and inability to exclude bad actors at the root of today's problems. The criminals don't obey the law anyway and often strike from overseas.

Market mistakes happen; they can be corrected; regulation can become so entrenched that superior alternatives simply can't be adopted because nobody can move without permission. What only markets can cope with is the fact that optimal privacy resides on a continuum for individuals on any given product or service, and evolves as a relationship. Privacy, to be optimized, must remain a competitive feature, particularly as new technologies emerge.

Do Not Track? Let's have a "Do Not Regulate" list instead. Rather than knocking Internet companies, upcoming hearings should emphasize the problems with defining privacy politically and prepare reports on the hazards of inflexible regulation. No more reports on what the private sector gets wrong. Tomorrow's authentication technologies and privacy customization will be far more capable than those of today; the problem isn't that we need Washington to protect privacy--we need Washington to allow it.