Should privacy technologies be built in?

While most attendees of the Computers, Freedom and Privacy (CFP) conference in San Francisco this week agreed that more needs to be done to protect consumers’ privacy against the onslaught of rapidly advancing technologies that track, store and share sensitive data, how that privacy should be guarded remained a subject of fiery discussion.

While some attendees took the “build-the-privacy-protecting-technologies-and-it-will come” position, others lobbied for legislative action, or a combination of privacy-enhancing technologies and law, arguing that large corporations would have little motivation to deploy the technologies otherwise.

“I don’t think vendors are going to build in privacy protections if there is no incentive for profit,” said Avi Rubin, principal researcher at AT&T Labs, who added that he would like to see a mix of technology and legislation that guard privacy.

However, relying too much on legislation to ensure privacy is also a sticky subject, according to Barry Steinhardt, associate director of the American Civil Liberties Union (ACLU).

“Technology is outpacing the law,” Steinhardt said.

Still, many privacy advocates like Rubin are trying to strike a balance between providing the public with privacy-protecting technologies and passing legislation to support the use of those technologies.

New online privacy legislation introduced Thursday by U.S. Senator Fritz Hollings appeared to have struck the right note with privacy groups attending CFP, as many voiced support for the proposed bill. The legislation introduced by the South Carolina Democrat, called the Online Personal Privacy Act, basically states that online companies have to obtain clear “opt-in” consent to collect personal information from consumers, and “opt-out” consent for non-sensitive information.

Ari Schwartz, associate director of the Center for Democracy and Technology (CDT), said that his organization supports the proposed bill because it puts the privacy issue back on the table.

“We think this bill raises some good issues,” said Schwartz.

But few think that legislation alone will solve the privacy issues generated by technologies such as Web-based single sign-on services, that collect and store consumer data, and biometric technologies, that monitor and read personal identifying information.

“New technologies threaten to create a surveillance society,” said Steinhardt.

To avoid such a society, a handful of companies are not waiting for privacy legislation, but are diligently working on privacy-enhancing technologies that can be used immediately.

The World Wide Web Consortium’s (W3C) official acceptance of the Platform for Privacy Preferences (P3P) 1.0 specification earlier this week is one example of how privacy proponents are moving ahead with stand-alone privacy-enhancing technologies. P3P is a technology that allows Web users to set their privacy standards and then alerts them when they are visiting a site that does not meet their requirements.

Although many have lauded the acceptance of P3P, whether it will be widely deployed is another issue. Some CFP attendees working on privacy-enhancing technologies doubted how aware the public at large is of technological privacy concerns.

“These (privacy-enhancing technologies) are built by geeks and only used by geeks. We have not conveyed their importance well to the general public,” said Lorrie Faith Cranor, principal technical staff member for AT&T Labs Research, who was on the W3’s P3P working group.

But the solution for some privacy advocates is not to spend a lot of effort communicating to consumers about privacy issues, but rather to give them the protection automatically.

“We need to design systems that protect consumer privacy before they ask for it at all,” said Brad Templeton, chairman of the board for the Electronic Frontier Foundation (EFF).

Many attendees agreed.

“Technology can solve a lot of problems that people think you need legislation for,” said Paul Syverson, who works on security and privacy protocols and systems at the Naval Research Lab. “You need both, but technology can do a lot.”