IU expert: White House consumer privacy plan ignores 'elephant in the room'
The Obama administration's call on Feb. 23 for a "Consumer Privacy Bill of Rights" is a noble effort, but one that will likely fail because it puts the power of consent into the hands of a public that, for the most part, doesn't know what to do with it and cannot use it effectively to protect privacy, according to Indiana University information security expert Fred H. Cate.
At the core of the legislative proposal is what the Obama administration calls the "Consumer Control Principle," which would give consumers the right to exercise control over what personal data is collected and how it is used. That is typically achieved through voluntary consent.
"More than 30 years of experience with control-based laws has demonstrated that they don't work and they don't protect consumer privacy," Cate said. "Individual choice is not the same thing as privacy protection, and merely providing choice does not necessarily enhance privacy protection."
Cate noted that most consumers overwhelmingly grant consent because they are focused more on the product or service rather than on making rational, thoughtful choices about data collection.
Remember signing up for Facebook, or installing the latest version of iTunes? Consumers, when faced with privacy policies dozens of pages long, can't skip to the end fast enough, Cate said.
"Consent shifts the burden for protecting privacy to the individual, yet few individuals have the time, knowledge or interest to make all of those choices about data collection and use," he said. "The control-based system of data protection is not working. The flurry of notices may give individuals some illusion of enhanced privacy, but the reality is far different. Today's announcement that the administration is focusing its new privacy protections on 'Consumer Control Principle' is disappointing."
Lastly, Cate said, the proposal does nothing to restrict government access to personal information.
"And that," he said, "may very well be the greatest and fastest-growing threat to personal liberty today."
Cate said the government doesn't ask for consent from consumers before intercepting telephone calls, email messages and other communications.
"So the government's proposed legislation entirely ignores the elephant in the room and proposes as a 'solution' to inadequate privacy protection the one step that has very little role in protecting privacy from government intrusions," he said.
Representatives from the Center for Applied Cybersecurity Research at Indiana University, which Cate directs, were invited to be present at Thursday's White House announcement.
Cate is the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law and director of IU's Center for Law, Ethics and Applied Research in Health Information. He can be reached at firstname.lastname@example.org or 812-855-1161.
Originally published Feb. 24, 2012.