A Primer for the Online Privacy Multistakeholder Process
Page Media
By Chris Calabrese
ACLU Washington Legislative Office
What the heck is a multistakeholder process (MSP)? The word multistakeholder is so obscure that my computer's spell check doesn't even recognize it, yet it's come to dominate the online privacy conversation in recent weeks. That discussion will begin in earnest today with a filing deadline for comments to the National Telecommunications and Information Administration describing how a process should work and what it should cover (the comments we submitted are here). So what's going on with this MSP and what's in it for consumers?
Let's start with recognition that it is hard to agree on new online privacy rules. Consumers realize that information about them is being voraciously collected by a wide range of entities, some they know and some they've never heard of. Worse, this information is compiled into detailed dossiers on their reading habits, interests, associations and other, very personal information. All of this is outside consumers' control, yet consumers love their digital lives — free ways to connect, learn and share. At the ACLU we routinely describe the Internet as one of the greatest tools ever for exercising our First Amendment rights.
How do we let consumers use the Internet without giving up their privacy? That's where the MSP comes in. Over the last several weeks and months, the president and the Federal Trade Commission have stated that the best way to protect consumers and innovation is to develop comprehensive new privacy rules through formal negotiations among industry, consumer groups and state and federal regulators. The working assumption right now is that these rules would start as codes of conduct for companies (enforced by the FTC) and then legal protections enacted by Congress (for more details see here and here).
Now it's time to settle down to deciding the nitty gritty of making this process work. First, it's got to be fair. The ACLU worked with other privacy and consumers groups to set out 10 principles to make that happen. The bedrock of those principles is transparency and consensus. In practice that means no backroom deals jammed through by majority stakeholder vote. Any privacy rules must be vetted and agreed to by a significant number of the participants.
In addition, Congress must be a key player. Codes of conduct will only regulate companies that agree to participate. The only way to get at bad practices that companies don't want to relinquish is through new laws. The most powerful incentive for a MSP to work is a fear that if they don't reach consensus, someone else will set the rules and lawmakers hold the ultimate big stick. (It's worth noting that worry over new laws already motivates many companies and the European Union is currently contemplating strict new privacy rules which industry would like to counter with more permissive U.S. rules.)
Now if we do get a good process, what should we do with it? In our comments, the ACLU outlines four suggestions:
- Regulate apps. Some apps seem completely unfamiliar with privacy norms, and many don't even have privacy policies. Adopting best practices for privacy will instill consumer confidence and allow this young industry to grow. Also because only a few entities control most app practices — namely the app stores — consensus may be more easily achieved.
- Shed light on the government — Google has been a leader in providing transparency about the total number of government information requests it receives. Similarly, Twitter has routinely notified individual users when it receives requests for their information. More companies need to follow their lead.
- Retention limits on search terms — A list of search terms can be startlingly close to mind reading revealing our hopes, fears and desires. Just three search providers dominate most of the market. They should agree to much shorter durations for keeping these searches (unless the consumer wants to keep them).
- Face recognition — Currently there are no rules for a technology that is beginning to unlock an entirely new realm of personal information. Face recognition allows consumers to be linked to embarrassing and revealing photos and videos. When it comes to leaked cell phone pictures, no one wants to be a celebrity (I'd provide a link here but they all seem to be NSFW).
No one knows if this MSP will succeed. However, given how much needs to be accomplished to protect consumer privacy, we believe it's incumbent upon us to try. If you want to encourage Congress to continue to focus on online privacy, please take action here.
CORRECTION: An earlier version of this post contained a typo in the third bullet regarding companies' retention limits on search terms. It has been amended to state: "They should agree to much shorter durations for keeping these searches (unless the consumer wants to keep them)."