The number of ways businesses track people has skyrocketed — and the increasing deployment of image recognition, machine learning, and data analytics has only accelerated the process. The result is a refocusing of attention on not just the security of the data which company's retain on people, but on whether privacy and technology can co-exist.
Last week, Clearview AI, for example, found itself the target in a class-action lawsuit for its technology that, the company says, uses more than 3 billion images scraped from websites and social media to train a machine-learning algorithm capable of identifying a person in a photo with 75% accuracy. This can be used to reportedly identify victims and suspects in criminal investigations.
Clearview has joined Google as a favorite resource of law enforcement. Google is regularly subpoenaed by international and federal authorities for information about the phones that may have been close to a specific location at the time of a crime.
With the annual January 28 marking of World Privacy Day, a gap has become apparent. While regulations, such as the European Union's General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), have forced companies to take data security more seriously, the more general policy concept of privacy has largely remained in limbo. The California Consumer Privacy Act (CCPA) addresses some of the privacy gap, but most businesses are more focused on keeping their data from leaking rather than structuring their services to promote privacy, says Ray Walsh, a data privacy advocate at ProPrivacy.com.
"While companies spend a lot of time talking about consumer privacy — and use 'privacy washing' as a way to gain PR credits with the public — the reality is that companies are primarily concerned with data security and the potential that a data breach could land them a hefty fine," he says.
Take Your Pick
Online citizens are largely left with a simple choice: Benefit from modern technologies and lose their privacy, or opt out of many of the technologies that have defined the past decade.
Posting a picture to social media? You've become part of Clearview AI's reverse look-up machine that uses facial recognition to find criminals and victims. Near a crime carrying your mobile phone? Law enforcement can subpoena records from Google's Sensorvault for every phone near a crime scene at a certain time. Use free antivirus? The company behind it may be selling your browsing data to marketers.
Ever since the beginning of the War on Terror in early 2001, privacy has taken a back seat to any technology that can help identify potential enemies. Originally, the administration of President George W. Bush had debated where to draw the line with online privacy — opt in or opt out. September 11 eliminated that, says John Ackerly, CEO of data-protection firm Virtru, who had been part of President Bush's National Economic Council in 2001.
"Privacy is one of the major pieces of collateral damage that no one talks about in our reaction to September 11," he says. "It set us on a path to use data and the Internet as a tool to combat terrorism, and I understand why, rather than really moving forward on where the President's instincts were on putting the consumer first."
For the past decade, companies have been focused on dodging online criminals — and then nation-state actors — intent on stealing data. With the passage of the GDPR, focusing on data security became a business imperative to avoid larger fines.
Yet the policy discussion and legal landscape have become more nuanced, says Ackerly. Companies are beginning to understand that customers want privacy, he says.
"I am optimistic as I've ever been on this journey that we will end up in a place where individuals will be able to take control over their data where ever it is shared," Ackerly says. "I think it is a combination of technology evolving and society just waking up to the trade-offs that we have made over the past 15 or 20 years."
The CCPA, which went into effect this month, has forced companies to be more responsive to consumers and change the way they do business. The legislation, while in effect only in California, will force companies to provide similar rights to most of their customers. Already, other states, such as Washington, are considering similar legislation, and the same grassroots effort behind the CCPA is developing a more stringent proposal for 2020.
"As a result, it will be much more difficult for companies to sell user data, especially without the user's knowledge," says Monique Becenti, channel and product specialist at Web security firm SiteLock. "Although California is leading the way in establishing and implementing this type of legislation, we expect to see other states follow suit given the number of companies that do business with California."
Yet, because data gives businesses a competitive edge, breaking companies' addiction to data will be difficult, ProPrivacy.com's Walsh says.
"Consumer data is going to remain a commodity that businesses will seek to profit from in any way they are legally permitted to," he says. "As long as the US government wants a piece of the pie, decisions like the one made in 2017 — when the Trump administration ruled that it was legally permissible for US ISPs to collect and sell user Web browsing habits to third parties — are going to keep placing consumer privacy at the bottom of the to-do list."
Greater Focus on Privacy Pays Off for Firms
Companies' 'Anonymized' Data May Violate GDPR, Privacy Regs
Britain Looks to Levy Record GDPR Fine Against British Airways
Consumers Urged to Secure Their Digital Lives
Benefiting from Data Privacy Investments