Tuesday, June 18, 2013

Data in Confidence


Earlier today, I shared a CNN story detailing the reaction of major tech companies to the PRISM leak. I find it interesting that Google, Facebook, Apple, and Microsoft have all gone a pretty long way toward asserting that they protect user privacy. There is an obvious attempt here to win (or win back) the trust of their various communities of users.

All of these companies provide a set of valuable services, and they do so at the cost of our information. Just thinking about Google, the general service they provide can be understood as information management to promote convenience. Google's various products make our information more accessible to us and easier to share with others. Google also turns our information into action through appointment notifications, editing documents, and maintaining our contact lists. In exchange for these services, we have to provide Google with our data.

On the surface, the users are supposed to get enough convenience to offset any recoil about giving a third party a window into communications, interests, and behavior. Here, I have to admit that as much as I like to maintain a strong wall of privacy, I've found Google's services too convenient to pass up, especially when it comes to keeping a handful of devices in sync. Still, convenience loses value when the security of our information is compromised.

Continuing the focus on Google, we can see that maintaining user privacy has always been a concern. All tech companies work to maintain the security of the data they hold, and we have an indication that there is not a policy of blanket compliance with government requests. With the PRISM leak, we have another vivid reminder of the vulnerability of our data, and what our information-management-service providers do to keep it safe.

What I find so interesting is that there is a clear market motive, entirely independent of ideological commitments, to establish trust. In the long run, convenience isn't enough to maintain a community of users. If that convenience incurs the cost of losing privacy, users will tend to migrate away to more secure service-providers or learn to do without. The only way for a service-provider like Google to maintain its userbase is to establish itself as a steward of user data. Acting in the interest of the user in this case means acting in the overall interests of Google.

Given that established privacy law is still catching up to email, let alone Google, there is a clear policy gap with regard to this kind of data-stewardship. I think this gap could be filled by a confidentiality relationship similar to doctor-patient or legal counsel. At present, a firm like Google can build privacy guarantees into their user policies, but those policies are not consistent and not recognized beyond their nature as contracts. Instead, there should be an understanding that data handed over to a service-provider like Google maintains a reasonable expectation of privacy, just like anything you tell your doctor.

With a recognized Data Stewardship relation, users could have an increased trust in the privacy of their information and maintain the convenience of using services like Google. The standards for this relationship can be drawn from established confidentiality relationships, industry standards in privacy policies, and privacy practices in Europe (where privacy issues are a big deal). Users would then know what to expect in terms of privacy and how their information will be used.

As we continue to move our lives online, these issues will only become more important.