What are the Obstacles for Privacy Engineering?
Author: Ethan Heilig
Users ought to have a say in the way their data is used and protected. The GDPR, CCPA, and New York Privacy bill attempts to improve transparency and give consumers a seat at the table. While these laws have good intentions, they do not address the incentives that make rigorous data transparency and the goals of a profit-maximizing company seemingly mutually exclusive. Companies not being transparent is not always malicious. Transparency involves “lifting the hood” to show consumers the mechanics of how companies collect, store, and protect data. These mechanisms are often complex and difficult to summarize in a way that the average consumer can understand. Transparency creates many challenges for businesses that can be broken down into three main topics.
The first challenge is what Daniel Susser and Kiel Brennan-Marquez of New York University School of Law call “technical and design considerations.” When a company is transparent about their privacy practice, and explain how their privacy mechanism works, it inherently makes the system more vulnerable to corruption or attack. Furthermore, according to Susser and Brennan-Marquez, nearly all major websites, including “Microsoft, Amazon, eBay, Etsy, Facebook, Google, and LinkedIn” use A/B testing to measure marginal user engagement of an added feature. As with any experiment, this tests a treatment group against a control group, a process that must be user blind to ensure accurate results. There is always more than one way to test for something, however. If transparency and the functionality of a program are genuinely incompatible, then companies must find a different way to arrive at the desired outcome. In the status quo, companies seem to think the cost of a lack of transparency is not significant enough to merit rethinking their procedure (A/B testing, for example). Unfortunately, that is not their decision to make as it is not the companies’ information being collected.
The second challenge is the legal obstacles and liability that transparency presents. According to Susser and Brennan-Marquez, “Another obstacle to transparency is that firms face potential liability for representations they make about information practices.” This liability is both formal and informal. Any statement a company makes about how they are using information opens the company up to formal misrepresentation lawsuits. Informally, a statement also leaves a company vulnerable to similar allegations from watchdog groups or government agencies. This liability creates a perverse incentive to either be as vague as possible in the privacy agreement or explicitly state how the company will deal with any eventuality, making the privacy agreement equally as incomprehensible. Susser and Brennan-Marquez recommend side-stepping liability risk by indicating “information about the system to users implicitly rather than [saying it] explicitly.” This risk means a company should make the digital program function as it would in physical life so that a user understands what is going on without the company having to explain it. For example, when the sound of a shutter click accompanies taking a picture on the phone, the company does not have to say “we will record what is on the screen when you press the button” because the user understands what action accompanies the click of a camera shutter.
The third obstacle transparency presents in privacy engineering is strategical and economical in nature. According to Susser and Brennan-Marquez, secrecy is baked into the culture of large internet companies: “a reflexive aversion to transparency, on economic grounds, operates as something of an industry norm.” The expectations of online privacy are changing. Since 2016 three of the world’s largest economies: the U.K., New York, and California, have all introduced online privacy laws. Online privacy is now salient and vital to consumers, so companies ought to embrace privacy regulation and advertise it or be left behind. A change as sweeping as a culture shift takes a long time to come to fruition. As an intermediate step, companies could give consumers a basic idea of what they are doing without explicitly stating everything they do to circumvent the economic obstacle.