We are fast approaching a privacy crisis in the United States. Google, Facebook and other big Internet companies collect information about us, which they deploy in the service of advertisers. Big data brokers, like Acxiom, have developed sophisticated tools that allow them to know almost as much about us as we know about ourselves; they then sell that data to all kinds of companies that want to learn everything from our habits to our health, from our sexual orientation to our finances.
The digital age has made it easy to collect medical data, which is supposed to be protected under federal law. Huge data breaches at big retailers like Target have made it seem unsafe to use credit cards. And I haven't even mentioned the Edward Snowden revelations about the massive data collection by the National Security Agency.
"The United States," says Barry Steinhardt, the founder of Friends of Privacy USA, "is basically the Wild West of privacy."
As the New York Times noted in an editorial on Monday, it was two years ago that the Obama administration issued a report calling for a consumer privacy bill of rights. Although the report went nowhere, it was full of sound, broad principles: "a sensible framework that would help establish fairness and accountability for the collection and use of personal information," as a group of privacy advocates put it in a letter they sent to the president Monday.
The advocates called on President Barack Obama to work with Congress to finally pass privacy legislation. In that spirit, I thought it would be a useful exercise to call some privacy experts and ask them what should be in such a bill. Here's what they had to say.
; Regulate data brokers: Almost everyone I spoke to saw data brokers as a far bigger threat to privacy than, say, Facebook. These are companies that collect a hundred different data points, both offline and online, and create scores and profiles that they sell to anyone who wants to buy them. At a minimum, people should know what information of theirs is being compiled. Better yet, people should have a right to control what information of theirs gets sold and what remains private.
; Opt-in instead of opt-out: The typical terms of agreement that we check when we want to use the services of an Internet company invariably gives the company the right to redeploy our information for their own benefit. Some companies also give consumers the right to opt-out of that information-gathering, but it is usually a process that requires some effort. A far better approach would have customers opting in instead of opting out. This would also likely force companies to explain to their customers why they need the data and what they will use it for, which is another thing that should be included in any privacy bill.
; Give companies an incentive to prevent data breaches: One reason breaches like the recent Target disaster have taken place is that they bring with them very little consequence. But it would be easy enough to create consequences — a data breach could be treated like an oil spill, with fines attached. The government could also make it easier for people to sue. Lee Tien of the Electronic Frontier Foundation also says that companies should be doing far more encrypting than they do now. Privacy legislation could give them a push in that direction.