The Internet should hide your data, not share it
By Elaine Ou
BACK IN my days as a web developer, we did our development and testing in porn mode. Those outside the industry might refer to this as an 鈥渋ncognito window,鈥 but the phrase 鈥減orn mode鈥 is universally understood because usually no one opens an incognito window unless they鈥檙e about to load something unseemly.
I remembered that when I read Alistair Barr鈥檚 account of his attempt to delete his user data, under the auspices of California鈥檚 new Consumer Privacy Act. The process is so cumbersome — it takes more than two hours and requires uploading selfies and a photo ID — that it ends up having the opposite of the intended effect. Instead of granting consumer privacy, the act of submitting a data deletion request draws undue attention to those seeking anonymity.
This is where default options matter. If every browser window automatically opened in incognito mode, then it wouldn鈥檛 be considered incognito browsing, but regular web browsing. But if only outlaws take the time to safeguard their privacy, then privacy becomes a de facto outlaw product.
Many privacy products are already regarded this way. For example, Tor is a web browser that obscures a user鈥檚 internet activity by routing network data through a maze of relays. It鈥檚 useful if you鈥檙e a whistleblower trying to communicate with journalists, but it can also be used for illicit activity. In 2014, the Financial Crimes Enforcement Network found that a majority of suspicious activity reports filed by banks involved IP addresses associated with the Tor network. Today, many financial institutions preemptively block traffic that arrives through Tor. In some cases, banks automatically freeze a Tor user鈥檚 bank account. Virtual Private Networks, which hide a user鈥檚 activity from the internet service provider, are also frequently blocked. People who go to the effort of protecting their privacy inherently seems suspicious.
But what if we saw privacy protection as akin to a form of vaccination? When we get shots to immunize against mumps or measles, we not only protect ourselves; we protect society as a whole, particularly those individuals who can鈥檛 develop immunity. Vaccination is so important that it鈥檚 opt-out, not opt-in. Similarly, defaulting to stricter privacy settings would create a safer internet not only for those who adopt them, but for those who, for whatever reason, don鈥檛.
On the internet, data brokers collect information on as many users as possible to generate detailed profiles based on demographics and affinity groups. The more people who cut off the data brokers, the less these companies can infer about any given user. When it comes to consumer privacy protection, setting privacy as the default option protects the most vulnerable members of society.
California鈥檚 new privacy law went into effect Jan. 1, but will not be enforced until July 1. Compliance requirements are still unclear. The Wall Street Journal suggests that websites with third-party tracking must add a 鈥淒o Not Sell My Personal Information鈥 button to their home page, a move that will likely be about as effective as placing your number on the National Do Not Call Registry, or pushing the 鈥渃lose door鈥 button in an elevator.
The only way anyone can really have privacy protections is if everyone has privacy protections. Privacy laws are not helpful if users can only delete their data after wading through two hours of bureaucracy. Companies that profit from massive data collection are rightly optimistic that most users won鈥檛 bother with these steps.
BLOOMBERG OPINION
