Where does privacy figure into FTC data discussions?
- By Paul Rosenzweig
- Dec 04, 2012
When the Federal Trade Commission (FTC) hosts a workshop, titled "The Big Picture: Comprehensive Data Collection," on December 6, 2012, to explore the practices and privacy implications of the comprehensive collection of data about consumers' online activities, it should expand the scope of its examination. One topic germane to the workshop's consideration but seemingly not on the agenda is the adequacy of privacy protections for public sector consumers (including students and staff in educational institutions and employees of federal, state or local governments) who use cloud-based systems. It behooves the FTC to also include these consumers in its examination of the privacy implications of cloud services.
There are, of course, sound business reasons why cloud service providers aggregate data across multiple accounts and services: the results are extremely valuable. Seemingly unrelated personal data, when aggregated and mined at large scale, can provide immense value to advertisers, marketers, corporate sales forces, and others. The revenue generated by combining and monetizing such data -- by mining the mosaic -- is the reason "free" cloud services can afford to be free. But that, in turn, means that cloud services come with a hidden cost - because there really is no such thing as a free lunch. That hidden cost is the loss of privacy (and even, in extreme cases, the loss of security) that comes with a pervasive data aggregation and analysis regime.
The FTC is appropriately concerned with threats to individual privacy inherent in data-mining business models for the average private consumer. Less noticed but of equal concern, is the potential use of these same tools and techniques to aggregate and analyze information concerning public sector employees (who, after all, are also consumers) and, potentially, public sector institutions themselves such as government agencies. The privacy interests of public sector employees are no less important than those of private citizens and, to the extent that they are doing the public's business, they may perhaps be of even more importance to the commonwealth. For beyond the risks to individual privacy, regulators and government consumers also need to be aware of the risks to national security, government integrity, confidentiality of student information, and even personal safety that might result from the data mining of public sector data.
In general (and at the risk of oversimplifying), the current rule is that the use of data collected from public sector organizations by cloud service providers is governed by contract. If the contract does not prohibit data aggregation of user content, then the cloud provider is legally free to use the data in conformance with generally applicable privacy policies. Those policies, in turn, generally provide for the confidentiality of user data with respect to third parties, but often permit the cloud service provider to aggregate and analyze a users' data for its own purposes. These purposes can range from improvement of products and services to the marketing of consumer information. And that means that, in the absence of a contractual prohibition public sector consumers cannot be assured that aggregation of their data is not occurring. In many ways, the issues for public sector users replicate those under consideration by the FTC in the context of private sector consumers - both types of consumers are looking for greater transparency, the availability of opt-out provisions rules, and default settings that empower choice.
Likewise, public sector users are consumers of web-based information services. Here, too, their concerns mirror those of the private sector. Their search histories and patterns tell much about what they are interested in. And that, in turn, may reveal much about what the interests of the government are - a SEC employee's search history may identify the next regulatory initiative and a local county research history may presage a tax hike. To be sure, web sites often seek to avoid regulatory limitations by treating privacy regulations as restricting only certain uses of collected personal information, rather than as a limitation on collection itself. But that, too, is a fit subject for the FTC to examine.
Finally, data aggregation of government-originated data may pose governance problems for the public sector consumer. In the absence of a strong encryption policy or a confirmation that only US citizens are responsible for the security of government data, the move to cloud services raises distinct possibilities that governments may lose control of their information (and that of their employees as well as its citizens).
For these reasons the FTC's inquiry into privacy issues at their December 6 workshop should be undertaken while cognizant of the reality that much of its work on private consumer protection will have direct and indirect consequences for public sector consumers and, in the end, all public sector institutions, including government agencies, schools, and universities. Inasmuch as this particular perspective has often been absent from the current set of discussions, the Commission should seek to expand its consideration to include these concerns.
Paul Rosenzweig is a senior adviser to The Chertoff Group, a global security advisory firm. He formerly served as deputy assistant secretary for policy at the Department of Homeland Security.