(image attribution, Frederic-Poirot)

What the Internet companies don’t have they can’t give to the NSA

Consider two different types of privacy issues:

  1. privacy from governments, which is well regulated by law in both Europe and the United States
  2. privacy from corporations, which is well regulated by law in Europe, but not generally in the United States

The latest revelations of how the government accesses user data stored by corporations make it clear that these two issues are closely related. In particular, the vast stores of data that Internet and telecoms companies gather are a mother lode that is just too tempting for governments to ignore. The more corporations know about us, the more the government knows about us.

Of course, corporations do not gather this data for the benefit of the government; rather, they gather it because it is very valuable to the prevailing Internet business models enabled by advances in machine learning technology. Currently, any U.S. corporation that tried to significantly increase the inherent privacy of its users would be at a business disadvantage relative to its competitors.

One way to avoid this race to the bottom of privacy protection would be to have U.S. companies subject to more stringent privacy protection regulation. With privacy protection laws applied equally to all companies, a single company would no longer be at a competitive disadvantage in protecting user privacy.

Then with our privacy better protected from corporations, our privacy would indirectly be better protected from the government.

How could this come about?

Citizens of the United States could push their government to adopt privacy legislation at least as strong as that of the European Union. The political culture in the U.S. has been to avoid such regulation of private businesses, but maybe now this can be regarded as a way to provide protection indirectly against government intrusion into privacy.

Citizens of European Union countries could push their governments to examine whether existing privacy laws are really being respected by U.S. corporations. For example, they might consider whether the current “safe harbor” mechanism is a loophole for avoiding compliance with European law. If U.S. companies were forced to behave like European companies, then not only would it enhance the privacy of European citizens, but it would tend to enhance the privacy of people worldwide.

A cynic might say that this will never happen, because it goes against the inherent interests of so many powerful corporations willing to spend a lot of money lobbying legislatures. However, there is a techno-utopian undercurrent in Silicon Valley that I think is shared by the people running the Internet companies. There is a widespread honest, idealistic belief that their technology can make the world a better place. And that could motivate them to accept policies that are not purely profit maximizing, including those that will help protect user privacy.

In the meantime, if you work for an Internet company, consider as you design your systems whether you can meet the requirements of your business model in a less privacy-intrusive way. Do you really need to store that piece of data? Maybe it can be stored encrypted with the key retained by the user? Maybe it can be stored only as a secure hash? Better still, try innovating on the business model to find ways of making money in new ways that do not involve collecting and storing large amounts of user data. Can you make your user your customer and not your product?