Getting Away With Privacy Murder
May 29, 2014 7:21 AM PT
Snapchat in May agreed to implement a comprehensive privacy program and be audited for the next 20 years to settle U.S. Federal Trade Commission charges that it had, among other things, lied to users when it said messages sent through its service would be erased after a designated period of time.
However, Snapchat's privacy violation is infinitesimally small compared to the repeated violations perpetrated by major players such as Facebook and Google.
Both companies repeatedly have flaunted privacy rules, including their own privacy policies, and both have changed their policies in ways that impacted users' privacy.
Privacy Crime and Punishment
"Facebook and Google have quite cheerfully taken actions that violate the privacy of their users, fight governments to a standstill and eventually pay a fine that -- compared with their revenue -- is negligible," remarked Justin Shepherd, an A.T. Kearney consultant who collaborated with the World Economic Forum on a personal data study. [*Correction - June 3, 2014]
"That's here in the U.S.," Shepherd continued. "The Europeans have a bit more teeth but not really that much more."
Spain last year hit Google for US$1.24 million over data privacy violations. France earlier this year fined Google more than $205,000 for breaching its data protection rules.
In the U.S., Google last year agreed to pay 37 states and the District of Columbia $17 million for circumventing privacy settings in the Safari browser between 2011 and 2012. It previously had paid a fine of $22.5 million to settle complaints from the U.S. Federal Trade Commission over the same issue.
In March, it agreed to pay $7 million to 37 states and the District of Columbia for improperly collecting data from unsecured wireless networks using its Street View vehicles, and it is fighting a class-action lawsuit over the issue. Google initially had claimed that it was not collecting the WiFi data.
Facebook frequently has been in hot water over its privacy policies as well. The FTC last fall reportedly was investigating the company's newly issued statement of rights and responsibilities to ensure its compliance with an FTC order issued as part of Facebook's 2011 settlement of the commission's charges that it deceived consumers over privacy.
Ireland's Office of the Data Protection Commissioner has made recommendations to Facebook that the company has implemented.
"We also continue to engage with Facebook Ireland on an ongoing basis about any developments in relation to how it processes personal data," ODPC spokesperson Ciara O'Sullivan told TechNewsWorld.
The Cost of Doing Business
Why is it that Google and Facebook can get away with murdering privacy?
For one thing, the multimillion-dollar penalties they face are no more than a minor inconvenience to them.
In Q1 2014, Google reported revenue of $15.4 billion, and GAAP net income of $3.45 billion.
Facebook reported Q1 2014 revenue of $2.5 billion, and GAAP net income of $642 million.
The revenues and profits of both companies are growing.
"It's really nothing more than a cost-benefit analysis," attorney Yasha Heidari, managing partner at Heidari Power Law Group, told TechNewsWorld. "When corporations see that the cost of committing a privacy violation does not exceed the benefit they receive, they have little incentive to prevent the violations from occurring."
Tech Constraints on Government Actions
It's easy enough to grumble that governments aren't doing enough to rein in companies like Google and Facebook, but their hands are tied to some extent.
"The first and most fundamental reason is that [governments] attempt to define acceptable usage at a fixed point in time -- the point of collection -- but the ways that data is used are constantly changing," Kearney's Shepherd told TechNewsWorld. [*Correction - June 3, 2014]
"Basically, they place a narrow definition on what's acceptable, and then technological change obviates that definition," Shepherd continued. For example, the amount of inferred data -- which is loosely derived from individuals' actions -- "was unimaginable 20 years ago."
The second major constraint is technological. "Regulators simply lack the means to identify who has what data and what they're doing with it," Shepherd said.
Other Possible Factors
When it comes to enforcing privacy rules, "it's not a matter of what governments can do, but what they want to do," Panagiota Kelali, associate director at the John Marshall Law School's Center For Intellectual Property, Information & Privacy Law, told TechNewsWorld.
"It depends on how seriously a given government takes privacy issues, concerns [of] and complaints by its citizens, and how each nation views privacy and data protection," Kelali said. EU nations consider the right to privacy a fundamental human right but "in the U.S., we ... treat personal information and privacy as commodities."
Insufficient user concern about privacy violations also could play a part in the attitude American companies adopt toward privacy, Heidari suggested.
"If people voluntarily use a private service or upload pictures to a public forum, do they truly have a right to complain about their privacy?" he asked. "It's hard to complain about privacy when you're walking down a public street naked."
Transparency Might Help
Regulators need to work with businesses to create solutions that protect privacy without impeding innovation, Shepherd said. [*Correction - June 3, 2014]
Meaningful transparency in data use is what's needed, he suggested.
This "denotes providing individuals with information that they can understand and have the capacity to act on," Shepherd explained. "It means communicating to them about the uses of data in a clear and straightforward way, and providing them with tools to express preferences for how their data is used."
*ECT News Network editor's note - June 3, 2014: Our original published version of this story incorrectly attributed the comments of Justin Shepherd, an A.T. Kearney consultant, to Naveen Menon, a partner at A.T. Kearney. Both Shepherd and Menon worked on the WEF's personal data study. We regret the error.