SAN FRANCISCO – People who interact with online services have mounting privacy expectations that run in parallel with their need for a full experience with the functionality central to those services. But can users have their privacy cake and eat it too?
That’s the challenging question facing technology companies, who said today at RSA Conference 2013 that privacy is being elevated to unprecedented levels inside their organizations. During a panel discussion between the chief privacy officers of some of the biggest handlers of user information—namely Facebook, Google, Mozilla and Microsoft—that balance between meeting internal business demands and the myriad privacy expectations of billions of global users is becoming daunting.
The panel connected on a host of regulatory and legal complexities, including the stalled Do Not Track standard and the potential landmine it may be for the online advertising industry, and also touched on how innovation, specifically location-based services, will impact privacy expectations.
“We want to support the same consistent experience online, even if it’s modified so that a person with elevated privacy concerns may participate too,” said Alex Fowler, chief privacy officer with Mozilla. “We don’t want to punish the user who cares about privacy so that the only choice is to give it all up or not participate. That’s not the right equation.”
DNT is a timely hot potato with Internet Explorer 10 shipping this week with Do Not Track turned on by default. What this means is that the activities of IE 10 users will not be tracked online by marketing firms who use this data to target advertising or messaging to particular users based on their supposed interests. Microsoft presents the user with a choice to turn DNT off during the Windows 8 Express Settings setup. Opponents say that because DNT is not an industry standard—it’s still under consideration by the W3C—that Microsoft’s setting will be ignored by most websites. The wrangling stems from the contention that Microsoft is counter to the specification’s intent, which is to put a privacy choice in the user’s hands. The Apache HTTP Server Project, for example, said in September that it would ignore the DNT setting in IE 10.
This comes in the same week when Mozilla announced that it would block third-party cookies in Firefox 22, which is expected to be released soon and is likely to set up another conflict between browser manufacturers and advertisers.
“People are concerned about privacy as technology intersects with their lives,” said Microsoft CPO Brendon Lynch said. “There’s more interest in privacy and pressure coming from that anvil. We wanted to respond to that; privacy is becoming a feature.”
As for Mozilla, Fowler relayed an experience he had recently visiting four different sites where he was tracked by 120 third parties which sent more than 300 cookies to his machine. Once the upcoming Firefox update was applied—it’s currently in an experimental build—none of the third-party cookies appeared and by comparison, 75 were dropped directly by the site.
“This is not as extreme as completely blocking cookies,” Fowler said, adding that this mirrors a similar approach in place in the Apple Safari browser. “We are seeing an expenditure of money and talent to optimize and refine the tracking ecosystem, but we’re not seeing the same investment in user controls. We can’t sit back and allow the industry to ignore a core component of the user’s experience online.”
“It’s about being sensitive to users and understand their priorities. One consistent theme is that users are concerned about financial fraud and identity theft,” Enright said. “We have applied SSL encryption across all services to empower customers and bridge the air gap between privacy and security to protect user privacy.”
Facebook is a lightning rod for privacy concerns. Not only are its users and their data the company’s principal product, but new features such as Facebook Graph Search which enables very narrow, plain English searches have security professionals nervous. Attackers, experts say, have yet another tool to mine social media and build victim profiles for phishing and spam campaigns, and ultimately targeted attacks.
Facebook CPO Erin Egan said her teams are involved from the ground up on product development, including cross-functional internal organizations that include information security and legal.
“We look at every product feature as a team and look at all of the complexities (regulatory and legal) and analyze them together,” Egan said. “The way to manage and understand all of those complexities is to bring in experts in each area to analyze each product and feature review.”
Yet with targeted advertising and even the constant threat of the implementation of location-based services, companies such as Facebook are examining the possibilities of contextual privacy interfaces.
“It will come down to contextual controls at the moment people are engaging with a service where they can determine what they want to share at that moment,” Egan said.
Innovation too such as location-based services and marketing is another privacy hotbed, where users could be fed automated marketing to a smartphone, for example, based on a physical location. Google’s Enright said there are ways to maintain a user’s expectation of privacy and still deliver on business goals.
“I do think there is a continuum of considerations with location-based services associated with anonymous identifier that are transient and could allow us to deliver services in a privacy sensitive way,” Enright said. “Other persistent anonymous identifier, meanwhile, can deliver more services and follow that same continuum where you are a logged in user and want location-based services optimized for you.
“It’s all about user expectations and building a product that’s useful for users that they want to engage with.”
_ *Alex Fowler image via mozillaeu‘s Flickr photostream._