Guarding the Data Bank


privacy illustration
Illustration by Rob Dunlavey

In the age of Facebook, MySpace and Twitter, the notion of personal privacy seems as quaint as the typewriter. Millions of us lay out our lives on the Web in neon, sharing details that used to stay in the familiar light of friends and family. Online retailers monitor our shopping preferences down to the size, style and color of the clothes we buy. So-called “data aggregators” mine and sell information on individual real-estate transactions, credit histories, criminal records, purchasing behavior and insurance claims.

While personal data constitute a mother lode for the Web economy, legal loopholes pose privacy risks for consumers, such as identity theft, unwanted surveillance and computer spam. Nancy King, associate professor in the Oregon State University College of Business, is helping to define the legal landscape of online privacy. At stake, she says, is consumer trust in an expanding business model worth billions.

“The Professor”

Nancy King’s law career has led her from the boardroom to the factory to the classroom.

Read more…

The United States lacks the kind of broad privacy protections in existence elsewhere, King has shown. She argues that it is in the best interests of businesses to take strong voluntary steps to assure consumers that personal data will not be misused. Her analysis of privacy laws and the risks of new technologies comes as Congress, the Federal Trade Commission (FTC), consumer advocates and industry debate proposals for regulatory reform.

Among the issues are emerging mobile technologies that offer new business opportunities but carry additional privacy risks: cell phones equipped with a service provider’s “adware” and with radio frequency identification (RFID) tags that trigger ads based on a person’s location.

Surf at Your Own Risk

Nancy King
Nancy King, professor in the OSU College of Business

“I think as consumers, we just become used to whatever is happening to us,” King says. “We may not know everything that is going on, but over time, as we buy things online and we visit sites and we give a lot of information out, we become more accustomed to sharing that information. It doesn’t mean that it’s a secure, safe or good thing for us to do.”

Increasing consumer acceptance may help explain the growth in online business. In 2008, while the economic downturn led to a 2.3 percent decline in U.S. retail sales, online sales grew nearly 6 percent, reaching $134.8 billion, according to Citi Investment Research. Not surprisingly, businesses see an opportunity to ride a wave. Between 2004 and 2008, Internet advertising revenues rose 140 percent, from $9.6 billion to $23 billion, according to the Interactive Advertising Bureau, an industry trade group. Mobile advertising is close behind. In 2010, ads targeted at cell phones and other wireless devices are expected to generate revenues similar to what was spent on all Internet ads in 2004.

What online shopping makes possible is “behavioral advertising,” a practice that targets individuals through data on their purchases and Web browsing habits. Consumers could benefit by seeing ads tailored to their interests. And retailers could see a greater “conversion” (sales) rate. Still, says King, privacy could be compromised if consumers aren’t aware of what personal data businesses are collecting.

Fair Information Practices

Since mobile advertising and privacy are global concerns, King is helping to conduct an international evaluation of online privacy regulation. In collaboration with researchers at the Aarhus School of Business in Denmark, she is focusing on U.S. laws, starting with the basis for privacy protection in the Constitution. She is also advising an Aarhus graduate student, Evelyne Beatrix Cleff, in a study of mobile advertising practices in the European Union and the U.S.

American laws regulate privacy as it relates to such activities as telemarketing, computer spam and civil rights. But in contrast to Canada and the EU, where citizens have “broad-based privacy regulations that protect their privacy and personal data, no analogous broad-based consumer privacy regulations exist in the U.S.,” King wrote in a report published after a Fulbright–funded research sabbatical in 2008 at the Research Centre in IT and Law, University of Namur, Belgium.

“What is lacking in U.S. law is broad protection for personal data consistent with fair information practices that have been imposed elsewhere in the world where personal data is regarded as a fundamental human right,” she concluded.

While U.S. law does not significantly restrict businesses from collecting and selling personal data, other safeguards exist. Corporate privacy policies can impose tighter rules, and firms can be held liable for violating them. Moreover, companies that operate in global markets must follow more protective policies in places such as the European Union, says King.

A philosophical basis for an implied right to privacy exists in the U.S. Constitution, she adds, but the Supreme Court has not defined this right beyond narrow circumstances. For example, information about highly personal decisions (family relationships, birth control, child rearing and education) is protected from government data collectors, but such regulations do not apply to businesses. Moreover, the courts have ruled that government can intrude when a compelling public interest is at stake. And once government has made personal data part of a public record, with or without an individual’s permission or awareness, other people and businesses face few legal restrictions in getting access to it or using it.

Confident and Secure

To reduce risks to privacy, the FTC has proposed that businesses voluntarily adopt new data collection and behavioral advertising rules. While King sees a need for new government standards (“The FTC and the European Commission are strongly hinting that that’s where they’re heading”), she agrees that self-regulation could help business stave off onerous legal requirements.

Accordingly, King has worked with business associations on privacy policies that require consumer consent to receive mobile ads and to share personal data with other businesses. She has proposed notices that can be displayed clearly on cell-phone screens and include opportunities for consumers to opt in or out of data sharing arrangements.

The viability of this new model of commerce depends on consumer trust, she adds. “Consumers’ mobile phones are the portal for mobile commerce — a convenient new form of doing business anywhere and anytime. Mobile advertising is an important component of this new business environment that is expected to fuel the growth of m-commerce.”

Point and Click

Emerging cell-phone technology can do a lot more than send information and receive ads. Imagine walking down the street in an unfamiliar city and seeing a poster for a new movie. As you pass it, an ad appears on your phone and, in a few clicks, you order your ticket and download directions to the theater from your current location. And to save time, you make a reservation at a restaurant from a list that appears along with a map. Everything is charged to a credit card number on file in the phone’s database or listed on your phone bill.

By 2010, industry observers predict that nearly all new cell phones will be equipped with RFID tags to enable location-based services that link to personal profiles. But there’s a potential hitch. The technology can operate round-the-clock, whether or not the phone is on. Thus it could lead to constant surveillance and potential privacy intrusion, King has pointed out. She advises businesses to get ahead of these concerns by developing the devices and related privacy policies in ways that leave consumers in control.

Surveys suggest that consumers already have mixed feelings about mobile advertising and tracking. In its annual behavioral advertising survey TRUSTe, a Web-based privacy certification service, found that about half of 1,147 respondents were uncomfortable with businesses monitoring their behavior. Nevertheless, the survey concluded, “consumer discomfort with tracking has declined by six percent (sic) points year over year,” suggesting that “although consumers worry about protecting their private information online, they’re getting used to behavioral targeting.”

These new information technologies are well ahead of the law, says King. They present problems that did not exist when current policies were developed. Thus they challenge the legal and business communities to find solutions. When new issues arise, lawyers can’t “just go and look up statutes and say this is the rule,” she adds.

Giving consumers control over their personal data is necessary to avoid a world in which individual anonymity would be just another quaint tradition. “In fact,” says King, “it is very easy to pinpoint individuals even with data that is anonymous. You can categorize them to the point where you know who they are. It’s possible to be digitally tracked by computers with no human intervention at all. And that data can be kept indefinitely and combined with other data. Pretty soon you have no privacy, no space where you are free from tracking online.”

For more information,  see Researcher Studies Mobile Commerce, Recommends Privacy Enhancements, October 10, 2008

OSU news release, Dec. 6, 2010: Profiling based on mobile, online behavior: A privacy issue

See a Dec. 2, 2010 story about proposed Internet privacy regulations in The New York Times.

To support the OSU College of Business, contact the Oregon State University Foundation.