Exploring Data Privacy and Consent

Data Privacy and Consent | Fred Cate | TEDxIndianaUniversity

Estimated read time: 1:20

    Summary

    In this TEDx talk, Fred Cate dives into the complexities of data privacy and the role of consent in protecting personal data. He argues that the current emphasis on consent is impractical and, at times, ineffective in safeguarding privacy. Cate outlines several reasons why the focus on consent is flawed, such as the overwhelming complexity of privacy notices and the illusory nature of consent that often shifts liability to individuals. Instead, he suggests a shift towards data stewardship and more meaningful regulations. Through anecdotal examples, Cate emphasizes the need for clearer, more straightforward privacy protections that do not solely depend on user consent.

      Highlights

      • Fred Cate warns that current privacy consent systems are flawed. ⚠️
      • The complexity of privacy notices makes them ignored by most people. 🚫
      • Illusory consent shifts the burden of liability to individuals. 🧩
      • Proposes data stewardship as a solution for better privacy protection. ⚖️
      • Suggests meaningful and timely consent processes to improve privacy. ⏳

      Key Takeaways

      • Consent is not always effective in protecting our privacy due to overly complex notices. 📜
      • People often ignore privacy policies, rendering them ineffective. 🙈
      • Consent can sometimes be a burden, shifting liability to individuals. ⚖️
      • A focus on data stewardship could better protect privacy than consent alone. 🔒
      • Meaningful, clear consent processes are necessary for true privacy protection. 🚦

      Overview

      Fred Cate takes the stage with a bold assertion: our current approach to data privacy, overly dependent on user consent, is fundamentally flawed. Without audiovisual aids, Cate captivates the audience using his notes, humorously noting the organizers' initial concerns about his low-tech presentation style. He dives deep into how our volunteered data becomes uncontrollable and the illusion of control that consent presents in the realm of privacy protection.

        He criticizes the overwhelming complexity of privacy notices, comparing them to notoriously lengthy literary works like Shakespeare's plays. The audience chuckles at his amusing take on how privacy policies require Herculean efforts to read, yet they often mean little in terms of real consent. Cate shines a light on how consent burdens individuals rather than empowering them, often serving more as a legal shift of liability than an exercise of personal autonomy.

          Cate passionately advocates for a pivot towards data stewardship, where the responsibility of data protection does not rely on misleading consent but on holding companies accountable for their data handling practices. He suggests implementing more meaningful, timely consent prompts, illustrated by his mixed review of iPhone's location data prompt, showing that when designed correctly, consent can truly serve its purpose in protecting privacy.

            Chapters

            • 00:00 - 01:00: Introduction and Setup The speaker humorously warns the audience of the absence of audiovisuals due to a lack of trust in technology and states that they want the audience’s attention directed towards them. They reassure the audience by revealing that they have note cards, acknowledging the organizer's initial concern but assuring that the cards are only for lengthy parts of the presentation.
            • 01:00 - 02:00: Data and Entropy The chapter "Data and Entropy" discusses the overwhelming presence of data in our lives and its seeming loss of control. The speaker reflects on how data, often lost or stolen, creates a sense of entropy or disorder. This is compounded by the vast amounts of data volunteered by individuals and collected by corporations, leading to billions of bytes daily that contribute to this chaos.
            • 02:00 - 03:00: Privacy and Consent The chapter focuses on the growing challenge of personal data and privacy in the digital age. It highlights how individuals often volunteer their personal data through various online activities, such as posting pictures and engaging in digital communication. The narrative underscores the increasing complexity and deteriorating state of information privacy as people continue to share more of their personal lives online.
            • 03:00 - 04:00: Challenges with Data Consent In this chapter titled 'Challenges with Data Consent,' the discussion revolves around the massive scale at which images and videos are being posted today. This unprecedented volume makes traditional measures of data quantity, like petabytes and terabytes, feel abstract and almost meaningless. However, the core issue highlighted is the significant impact this trend has on privacy. The chapter emphasizes the challenges posed by the data we willingly share, underscoring the urgent need for discussing consent in this digital age.
            • 04:00 - 05:00: Historical Background of Privacy Laws The chapter introduces the concept of data privacy and the evolution of privacy laws. It highlights how data is not only collected about individuals but oftentimes computed or inferred for various purposes like determining credit risk or marketing opportunities. Intriguingly, some of this data might not even be actual personal data but rather constructed profiles and assumptions. The text references a 2017 New York Times report about an unnamed entity involved in 50 trillion personal data transactions, emphasizing the massive scale and sometimes obscured nature of these operations in the digital age.
            • 05:00 - 06:00: Global Privacy Regulations The chapter discusses the rapid pace at which personal data is being bought and sold, raising concerns about privacy violations. The text highlights the central role that consent plays in modern data protection laws. It notes that while these laws have evolved significantly since their academic inception in the 1960s, there remains a controversial debate around how consent is implemented in today's privacy regulations.
            • 06:00 - 07:00: Criticism of Consent in Privacy The chapter titled 'Criticism of Consent in Privacy' discusses the influence and impact of Dr. Alan Weston's work on the global understanding of privacy. Dr. Weston, associated with Columbia University, developed his doctoral dissertation into a book called 'Privacy and Freedom.' In this book, he defines privacy in a way that has been adopted worldwide. The core of this definition emphasizes the right of individuals, groups, or institutions to control when, how, and to what extent information about them is shared.
            • 07:00 - 08:00: Problems with Privacy Notices The chapter titled 'Problems with Privacy Notices' discusses the evolution of privacy laws and the importance of individual control over personal information. By the 1990s, countries globally recognized the need for laws to protect privacy. This perspective was echoed by notable figures like William Safire, who emphasized that information control should primarily lie with the individual, aside from legitimate law enforcement needs. This philosophy was upheld by the U.S. Supreme Court in the 1988 case, Department of Justice versus Rapporteur committee, which set the modern definition of informational privacy rights.
            • 08:00 - 09:00: Ineffectiveness of Consent The chapter discusses the limitations of consent in privacy law, particularly in the context of common law systems where an individual's control over personal information is a central tenet. It emphasizes that this issue is not unique to the United States, as Europe and Asia, among others, have also been developing regulations to address privacy concerns. The chapter specifically mentions Europe's enactment of the General Data Protection Regulation (GDPR) and notes that European countries are mindful of avoiding the same pitfalls as the US in their approach to data privacy.
            • 09:00 - 10:00: Illusory Consent and Burdens The chapter titled 'Illusory Consent and Burdens' explores the concept of consent within the context of privacy laws, particularly focusing on the California Consumer Privacy Act. This act, while giving individuals the right to consent to the use of their data collected online, raises questions about the effectiveness and authenticity of consent. Despite being a fundamental aspect of privacy that connects closely to personal self-identity, the chapter suggests that consent might be more illusory than it seems.
            • 10:00 - 11:00: Consent as a Disservice The chapter 'Consent as a Disservice' discusses the impracticality and undesirability of focusing on consent within privacy laws. The narrator begins by pointing out the complexity of privacy notices, noting that most people, except perhaps lawyers, ignore them. Examples include privacy notices encountered at the doctor's office or on websites.
            • 11:00 - 12:00: Improving Privacy Protection The chapter explores privacy protection, emphasizing its importance under European law. It highlights the extensive length of privacy notices by pointing out that PayPal's privacy notice contains over 36,000 words, surpassing the word count of Shakespeare's Hamlet. Similarly, iTunes' Privacy Policy is longer than Macbeth. A 2008 study is mentioned which calculated the time required to read the privacy policies of the world's top websites, stressing the overwhelming nature of current privacy policies.
            • 12:00 - 13:00: Focus on Data Stewardship The chapter discusses the annual burden of thirty full working days for individuals to manage complex and hard-to-understand notices. It highlights how these notices are often ignored due to their complexity and inaccessibility. The speaker gives an example of everyone having phones that can record despite signs asking not to record, questioning if proper notice was given.
            • 13:00 - 14:00: Agreed Data Uses and Redress The chapter discusses the complexities of consent in modern data environments, particularly in group settings or public areas where data collection occurs without direct individual consent. It highlights the ineffectiveness of conventional consent mechanisms, citing a quote from FTC Chairman Jon Leibowitz in 2009 to underscore this point.
            • 14:00 - 15:00: Meaningful Consent The chapter titled 'Meaningful Consent' discusses the role of the United States' largest privacy regulator in enforcing the adoption of privacy policies and the requirement for companies to obtain user consent. It highlights a remark from a past FTC chairman expressing concern over the effectiveness of privacy policies, acknowledging that consumers often do not read them. This reflects the ongoing challenges in ensuring meaningful consent in privacy practices.

            Data Privacy and Consent | Fred Cate | TEDxIndianaUniversity Transcription

            • 00:00 - 00:30 thank you I'm gonna warn you right now there no there no audiovisuals and part of that's because if you're looking at someone I want you to be looking at me and part of that's because after 30 years of working in technology I don't trust it but don't worry I have I have note cards and when I told the organizers this they look slightly chagrined but I said don't worry it's only for the long boring
            • 00:30 - 01:00 quote so I want to use and the statistics that I want to bore the audience with and that made them feel a great deal better so let me say when I heard the topic was entropy nothing came to mind faster to my mind than data because we are surrounded by data that seems to be falling out of control data being lost by corporations data being stolen from government agencies data that we are volunteering that's being collected about us billions of bytes a day that seems hopelessly out of control and
            • 01:00 - 01:30 just to continue the focus on entropy it seems to be getting worse so I thought what I might do this evening is talk about particularly the challenge of personal data and privacy so remember all of this data that we are talking about much of it we are volunteering we are posting those pictures of our delicious meals that we think our friends care about we are engaging in millions and millions of texts a second
            • 01:30 - 02:00 we are posting images and videos at a colossal rate at a rate that could not have been imagined it's become almost meaningless to talk about the volume because unless you're a computer scientists talking about things like petabytes and terabytes I just start starts to add up to the point it means nothing but it has a tremendous impact on our privacy it has a tremendous impact on this data that's being um that we are volunteering that's being
            • 02:00 - 02:30 collected about us in some cases it's being calculated or inferred about us are you a good credit risk should you be able to buy that car are you somebody that we want to market to these may not even be data that really exists about you but rather that are being created the New York Times reported in 2017 this begins the statistics that accompany you've never heard of not Facebook not Amazon not a company that trips off your tongue engages in 50 trillion personal data transactions a
            • 02:30 - 03:00 year that's buying and selling your data and mine every year it seems completely out of control and along with it our privacy there are many reasons for this but the one that I want to focus on which I think will be I hope of interest to you and I think is a tiny bit controversial is the role that consent plays in data protection and privacy today modern privacy law really came about in the 1960s and it came about from an academic
            • 03:00 - 03:30 study so this makes people who work in universities very happy dr. Alan Weston who was at Columbia University wrote his doctoral dissertation for which he later got funding to turn into a book this sounds familiar so far called privacy and freedom and in that book he defined privacy in a way that every country in the world now follows and that is and I quote the claim of individuals groups or institutions to determine for themselves when how and to what extent information
            • 03:30 - 04:00 about them is communicated to others right by the 1990s every country had followed suit in fact in the New York Times William Safire wrote accepting legitimate needs in law enforcement and public interest control of information must rest with the person himself now you might not care about Alan Weston or William Safire but the Supreme Court went along with this view as well and in 1988 and Department of Justice versus Rapporteur committee gave us the definition that we use today but the
            • 04:00 - 04:30 common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person now just quickly unless you think this is just a u.s. phenomenon Europe and Asia and many other countries have followed suit Europe you may know enacted a new general data protection regulation it took effect May 18 months ago and that regulation although they're quick to say they've not made the mistake that the US has made and focus so much on
            • 04:30 - 05:00 consent they use the term 108 times it's still pretty important in California which has adopted our most recent privacy law the California consumer Privacy Act yet the law gives individuals the right to consent about uses of their data that are collected online well look this sounds like great I mean like who could be against consent in fact challenging consent seems totally counterintuitive in the world of privacy because privacy is after all so closely linked to ourselves and our
            • 05:00 - 05:30 autonomy but for seven quick reasons I want to outline I think it's both impractical and undesirable that we focus on consent and I think it explains why privacy law is in the dreadful state it is today okay first think of the complexity of privacy notices you see them all the time you probably ignore them that's okay almost everybody does unless you're a lawyer and get paid to read them but you go visit the doctor you get a privacy notice you log on to a website you get that little cookie
            • 05:30 - 06:00 privacy notice that's required by European law that's why you get it you know researchers like to count things and if you count for example PayPal's privacy notices thirty six thousand two hundred and seventy five words that's by the way longer than Hamlet iTunes Privacy Policy comes to nineteen thousand nine hundred and seventy two words just longer than Macbeth right one 2008 study calculated that to read the privacy policies of the forty or forty five most popular websites in the world
            • 06:00 - 06:30 would take an individual thirty full working days a year so these notices are complex because the things in Plex they are difficult to understand and we often just pass them by second they are often just inaccessible for example how many of you have phones ok everybody has a phone in this audience I'm gonna be willing to bet and every one of you could be recording right now despite that nice sign at the entrance that says please don't record did you give me a notice
            • 06:30 - 07:00 that I can send to that did we discuss that in other words how do you provide consent in environments in which you're in a group how about you walk down the streets of Bloomington's they're their cameras now you consent to that how do we manage consent in a world in which data is being inferred about you or collected as as part of a group a third reason is that consent is proven incredibly ineffective mainly because people just ignore it and I love this quote that's why I carry it with me the Federal Trade Commission Chairman Jon Leibowitz back in 2009 and remember the FTC is the
            • 07:00 - 07:30 United States largest privacy regulator they're the people who make the rest of us put notices and give consent he said we all agree that consumers don't read privacy policies little troubling from the guy who's done more than anyone else on earth to make us have them in fact his predecessor FTC chairman Timothy Morris commented at the end of 2001 about a new law that required more
            • 07:30 - 08:00 notices and consent opportunities in the financial services market and a chairman mirror said this acres of trees dyed to produce a blizzard of barely comprehensible privacy notices indeed this is a statute that only lawyers could love until they found out it applied to them too okay fourth what we often find out is that the consent we're giving is entirely illusory we have no choice try to update your iPhone right there's a new software it comes out
            • 08:00 - 08:30 every couple of weeks if you don't update it quickly you're prompted to update it then it starts blocking it then it starts saying we're gonna update it for you automatically then the phone stops working the first thing it does when you go to update it is it said here are the seventy four screens of our privacy policy you can download it you can email it you can agree to it but you cannot not agree to it and that's ilusory consent that's meaningless that may make lawyers feel better in fact Apple makes it pop up twice
            • 08:30 - 09:00 consent yes and then it says do you really consent right the alternative being would you like us to turn your very expensive phone into a brick which is the alternative if you say no okay fifth there's a huge burden on individuals of all of these consent opportunities and what consent is often talked about as a right sometimes even a human right it's realistically much more of a duty it's much more of a burden on individuals and remember when you make
            • 09:00 - 09:30 that choice it has the legal effect of shifting the liability from the from the the data processor to you right it's just like when you drive in the garage and you take that ticket and on the back of it it says we have no liability for anything we can crush and mount your car we can throw it out the the edge of the garage we're not liable for anything that that may look like a right to you like you got the right to consent to that by driving in the garage but realistically it was the imposition of a burden on you and on me and that burden
            • 09:30 - 10:00 is really quite significant at times because of the legal significance that can attach to those six choice often serves as an enormous disservice both to individuals and society think about press coverage right do we really want up the president to have a right to privacy right now that only his consent will allow coverage of what he's been up to fraud prevention crime detection do we want to wait till the criminals consent so that we can use their data so what we do in these cases is we override
            • 10:00 - 10:30 the consent we acknowledge the consent doesn't work research something close to my heart often depends on being able to use past data often in an anonymized fashion without going back and getting individual consent but finally and most importantly the real challenge about consent is it leads to lousy privacy protection it's not the same thing clicking I agree to I get privacy now you agree to terms that often eliminate
            • 10:30 - 11:00 your privacy you agree to broad terms that appear to have no limit we're being asked to do things that we could never be asked to do in other consumer protection settings right imagine a consumer protection law that said well you can always ask the consumer if it's okay to defraud them we don't allow that we set rules and then we hold people to it we don't allow you to consent them away its own tempted to end there but I won't I have four more things I want to say very quickly and that's because I
            • 11:00 - 11:30 want to say something positive I don't just want to be a drain on your otherwise stimulating evening so what my we do that would look differently right so one thing would be less focus on consent and more on stewardship of data if you collect my data if you use my data and something goes wrong that causes harm you should be liable for it you can't shift that liability by asking me to consent to take it myself you would be the steward for my data and that's the way we treat other things
            • 11:30 - 12:00 that's the way a lawyer is who acts on the best behalf of his or her client that's the way a banker is that's the way a doctor behaves why wouldn't we say if you're using my most personal information you should be held to the same requirements you should be a steward you should be acting in trust of the person whose data you're using second we might think more about what are the things we agree that can be done with data in normal circumstances and what shouldn't be done with it stalking is out fraud is out well but
            • 12:00 - 12:30 something should be in you know bill collection fraud detection maybe even research if you want to keep the vice president for research happy there's some things we might be able to slide over into the generally permitted category so long as you use good security and not have to burden people by telling them the bleeding obvious like if I if you give me your credit card I'm gonna use it to charge you money third we might think more about redress because no matter what happens something's gonna go wrong that's the one thing we know that's the one
            • 12:30 - 13:00 certainty in a world of entropy and right now we are often left in the cold when something does go wrong in fact we often learn about it from the newspaper and finally when we do ask for consent let's make it meaningful timely and effective and since I've criticized iPhone I'm gonna say something nice about them now you know that just in time message did you know this app was using your location data right now that's kind of a useful prompt it gives you a chance to say no I'm gonna go in
            • 13:00 - 13:30 and shut that off I don't like that but using consent in all of these other settings has the unintended effect of making us tend to ignore it when we could make meaningful effective choices that would protect our privacy thank you very much you