Privacy as product differentiation - is it time?

By: Scott Bradner

One of the big problems standing in the way of getting anything that remotely resembles a concern among Internet companies for the privacy rights of their customers is that there has been no business reason for any such concern. That may be changing, but don't bet big on the possibility.

Other than some spotty, but quite good efforts, by the Federal Trade Commission (FTC) (http://www.ftc.gov/opa/reporter/privacy/privacypromises.shtml) there is little interest in Washington to force Internet companies to develop a concern for customer privacy. (http://www.networkworld.com/columnists/2013/020513-bradner.html) The FTC did come down on Facebook last fall. The FTC went after Facebook following "charges that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The resulting settlement (http://www.ftc.gov/os/caselist/0923184/111129facebookagree.pdf) does have some teeth in that it, requiring, for example that Facebook retain an independent third party to review Facebook's privacy practices every 2 years for 20 years and provide a copy of the review to the FTC within 10 days of the report being finished. But such efforts are few and far between.

It would be far more effective if Internet companies saw privacy protection as a competitive advantage. There are some minor signs that some do. Microsoft has been blasting Google in a "scroogled" ad campaign over privacy invasions in gmail. (http://www.scroogled.com/) The scroogled website says ""Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different—we don't go through your email to sell ads."

I will note that the scroogled website's privacy link points to an over 4,000 word Microsoft privacy policy. (http://privacy.microsoft.com/en-us/fullnotice.mspx) If a company actually had customer privacy as a primary concern it should be able to explain that in far less than 4,000 words.

Google, as one might expect, is not thrilled with this Microsoft ad campaign. During a panel session at the recent RSA Conference (http://www.rsaconference.com/) the chief privacy officers of Microsoft, Facebook and Mozilla, as well as the senior privacy counsel for Google talked about Internet privacy. (http://www.networkworld.com/news/2013/022813-rsa-chief-privacy-officers-267225.html) Keth Enright described the Microsoft scroogled effort as "misleading and intellectually dishonest". Enright said that Google had been working at simplifying their privacy policies. The current base policy (http://www.google.com/intl/en/policies/privacy/) is about half the length of Microsoft's but, while clearly written, is still far from terse. But, having the big Internet players arguing over who protects their customers privacy better is a very positive, but small, step.

Another topic discussed by the privacy officers at the RSA Conference panel was the Do Not Track option in most current web browsers. (http://donottrack.us/) This once looked like a good way for Internet users to tell web sites that they did not want their Internet usage to be tracked. But this has turned out to be, at best, a false hope. First a number of big ad companies maintain that "do not track" actually meant "track but do not use the information to serve ads". A strange way to read the English language. Then Microsoft decided to turn on the flag by default in IE. That sounds good unless one spends more than 3 nano seconds thinking about it. If the flag is turned on without the user making the decision to turn it on the ad companies can rightly say that the user is not expressing an opinion and be justified in ignoring the flag. Apparently many are silently doing so now. Some sites are quite in your face about ignoring user desires. (http://www.itif.org/publications/why-itif-rejects-your-do-not-track-request) Somehow the ITIF approach does not, to me, match their slogan of "smart ideas for the innovation economy".

Actual concern for the privacy of Internet users may possibly come at some point, but there is little evidence of any at this point.

disclaimer: Harvard has a comparatively terse privacy statement (http://www.harvard.edu/privacy-statement) but I had nothing to do with creating it nor have I heard the university express any view on Internet privacy so the above lament is mine alone.