- Category: August 2013 - Data Protection & Security
“Privacy by Default” is a software design concept that intends to prohibit the collection, display, or sharing of any personal data without explicit consent from the customer. More detailed definitions often include a requirement that privacy settings should be turned on by default to limit the sharing of personal data. For example, a social networking service would not make any information about customers publicly viewable until customers take affirmative steps to allow it.
Advocates for Privacy by Default claim that many people don’t know how to enable their privacy settings because the configuration is too complicated or tedious. And undeniably, it takes a lot of expertise, experience, and continuous research today to protect a computer or computer network. In the ubiquitously connected future, everything will be networked, and many subnets, objects and services will be under the control and accountability of completely inexperienced and ignorant users. Security and privacy must therefore be easy to achieve; not every user can be expected to become a network administrator in today’s sense.
However, there are a number of challenges in implementing “Privacy by Default”. First, it’s problematic to create universally agreed-upon settings that address all types of software and online resources. It’s also difficult to create and implement settings that satisfy the needs of a broad range of customers. Finally, Privacy by Default could result in software design that confuses and frustrates customers with repeated notices and warnings.
An effective approach, therefore, has to make sure that objects and services operate by default in a way that preserves the privacy of the individual user, and that only the user’s deliberate decision to reduce that privacy opens anything up. As complex as the mechanisms may be, system settings have to be intuitive to handle and not cumbersome.
Microsoft, for instance, has taken all that to heart, stating that it is aware that privacy settings play an important role in helping people protect their privacy online. The Internet pioneer explains on its website: “Consumers expect companies to create privacy settings that provide transparency and control over the ways that organizations collect, use, and store personal information”, and emphasizes that companies with online operations and services must develop privacy practices that meet these expectations.
The company is convinced that privacy regulations should meet certain fundamental requirements:
- Technology neutrality: Since there is no question that technology will continue its rapid change, any privacy regulation framework should avoid preferences for specific services, solutions, or mechanisms to provide notice, obtain choice, or protect consumer data. Preference for one privacy default over another, for example, could restrict innovation, because it might deter providers from developing alternative or improved protection methods for consumer data.
- Flexibility: Privacy regulation frameworks should be flexible enough to allow businesses to develop innovative privacy technologies and tools. Flexibility means that businesses can adapt their policies and practices to the contexts in which customer data is used and disclosed and to fit the relationship that a business has with its customers.
- Certainty: In addition to having flexible privacy regulation frameworks, businesses must ensure that their implementation of privacy settings meets international standards. Multiple default requirements that are contradictory or are not properly harmonized internationally will slow development and create uncertainty in the release of new products and services. Regulators should encourage innovators to assess the full spectrum of potential privacy risks and make appropriate decisions about privacy designs and settings.
The big question remains whether consumers should insist on a fifth freedom of the Internet: the option to decide which data is sent to which service, in order to protect their privacy.
The four freedoms (freedom of access, of information and expression, of collective action, and freedom from fear) that the world’s citizens need if they are to use the Internet to assert their rights and interests are commonly provided. Unfortunately, a lot of free software out there violates this fifth freedom: software that is able to track you, that sends all your local search queries to third parties like Amazon, or that allows your smartphone to be turned into a surveillance utility.
The fifth freedom, which is derived directly from the other four and strongly inspired by the right to informational self-determination, requires that every user always be aware of which data is sent where. By default, then, no application may send data to any service without the user’s consent.
Of course it doesn’t make sense to ask the user each time some software wants to connect to the Internet; a balance needs to be found between good usability and protecting the most important private data. Not surprisingly, Privacy by Default is currently being considered by a number of data protection authorities.
By Daniela La Marca