Data Portability Can Mitigate Privacy Issues
from the take-your-data-with-you dept
Ed Felten recently did an interesting series of posts on the challenges of holding companies accountable for respecting their customers' privacy. The fundamental problem is that even today's company executives want to commit to high standard of privacy protection, they may not have any way to credibly bind tomorrow's company executives to keep those promises. Even if the company signs a legally-enforceable contract promising not to violate customers' privacy, that might not be an effective deterrent, especially for a cash-strapped startup that has little to lose. When a startup goes belly-up, its assets -- including its databases -- often get sold off to the highest bidder, and it may or may not be possible to hold the new owner accountable to the same standards as the original firm.
Felten suggests a couple of possible approaches, including putting cash in escrow or putting the actual data in the hands of a trusted third party. Another approach that might help would be to guarantee the customer an exit option by providing the ability to export data to an open format at any time. This obviously isn't a perfect solution, because the company can still do unsavory things with the data it already has. But it would help to protect customer privacy in two important ways. First, because customers wouldn't be locked in, they could prevent the company from getting its hands on any more data. Second, it would give customers some real leverage. A site's customer base is one of its most important assets, so the threat of a significant number of them switching to a competing site would make it more sensitive to customer concerns. Eschewing customer lock-in is a good way for a company to commit in advance to be responsive to customer concerns.
Of course, the ultimate lesson here is that customers should be cautious about putting personal information online at all, because no matter what promises companies make (or what privacy laws Congress might enact), data leaks happen. Security problems, rogue employees, and less-than-anonymized datasets are facts of life in real companies. So while companies should certainly do what they can to respect their customers' privacy preferences, customers should also carefully limit which information they share online. Ultimately, the only real protection against online privacy violations is to not put your information online in the first place.