PrivacyEmergence of the Internet of Things significantly weakens privacy protection

Researchers at Carnegie Mellon University (CMU) are urging consumers to take a proactive approach to ensure Internet privacy, particularly with companies that use and share Internet data to influence consumer behavior.In a recent Science magazine review, researchers Alessandro Acquisti and Laura Brandimarte of CMU’s Heinz College, and George Loewenstein of the Dietrich College of Social and Decision Sciences, also warn that privacy “approaches that rely exclusively on informing or ‘empowering’ the individual are unlikely to provide adequate protection against the risks posed by recent information technologies.”

Those emerging risks include information compiled by Internet-connected appliances, cars, and health monitors. Federal Trade Commissioner Julie Brill, speaking at a CMU event last Wednesday celebrating International Data Privacy Day, noted that new Internet-connected technologies exemplify the tradeoff: Industry provides new functionality, and consumers provide personal information. She warns that devices and applications that encourage consumers to provide information on diet, exercise, prescriptions, and other health factors are not covered by medical privacy laws. Some companies, she explained, sell that information “to third parties, such as advertising companies and analytics firms.”

Acquisiti further explained that companies buy and aggregate data to create detailed profiles of nearly every American consumer because “The more I know about you, the more I can influence you.” Consumers “are easily influenced in what and how they disclose” through Internet sites, the researchers wrote. They point to studies showing that consumers’ attitudes toward privacy change dramatically, depending on circumstances and the behaviors of their peers. The Pittsburgh Post-Gazette adds that giving consumers choices about how their data is shared can “paradoxically, prompt them to let down their guard and reveal more.”

Acqusiti, in an early scholarly research about Facebook, showed that when the social networking site allowed users to better control others’ access to their information, they shared more.

Internet businesses defend their practice arguing that they publish privacy policies to which users consent by accessing Web sites.

“Notice and consent, I believe, have been dead for a while,” as privacy protection, said Acquisti.

Lorrie Faith Cranor, director of CMU’s CyLab Usable Privacy and Security Laboratory, questions Internet companies’ “notice and consent” argument, noting that almost no one reads privacy policies. Cranor adds that it would take the average Internet user 224 hours a year to read the privacy policies of all Web sites they access.

The Post reports that systems designed to defend “notice and consent” have also weakened. TRUSTe Inc., created as a nonprofit which would place its seal on Web sites that met privacy standards, was fined $200,000 by the FTC for failing regularly to review the Web sites and for allowing others to portray it as a nonprofit after it switched to for-profit status.

AdChoices, the system that allows consumers to reject companies’ individually targeted ads, confuses many Internet users. According to Cranor, only 27 percent of respondents knew how AdChoices worked, and twice that number wrongly believed that by clicking the AdChoices icon, they would subject themselves to even more ads.

“I do think there’s a place for industry self-regulation,” said Brill, but it has proved insufficient.

Brill wants Congress to pass President Barack Obama’s proposed consumer privacy bill of rights, place limits on data brokers, and enforce tough data security laws. “I do think that they are reasonably close, that data security can be passed this year. I do think there’s a lot of interest in Congress,” Brill said. That interest is driven by consumers’ concern with data and financial fraud, and industry’s desire for a national law on data breaches rather than the current patchwork of state laws.

“Congress has to this moment failed in providing comprehensive privacy legislation which guarantees a baseline level of privacy protection” said Acquisti. Still, he does not want Congress to rush and pass an ill-considered law. Urgency lies in “changing the debate over privacy,” Acquisti said. He cautions that an anti-privacy narrative has emerged, based on arguments that privacy is an artificial concept that threatens to limit human advancement. “The available evidence suggests, instead,” he said, “that people care, that protection of privacy is possible, and that as a society we can enjoy the benefit of big data while simultaneously protecting privacy.”