Archives

Jules Polonetsky & Omer Tene, Privacy in the Age of Big Data: A Time for Big Decisions

Comment by: Ed Felten

PLSC 2012

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2149364

Workshop draft abstract:

We live in an age of “big data”. Data has become the raw material of production, a new source for immense economic and social value. Advances in data mining and analytics and the massive increase in computing power and data storage capacity have expanded by orders of magnitude the scope of information available for businesses, government and individuals.[1] In addition, the increasing number of people, devices, and sensors that are now connected by digital networks has revolutionized the ability to generate, communicate, share, and access data. Data creates enormous value for the world economy, driving innovation, productivity, efficiency and growth.[2] At the same time, the “data deluge” presents privacy concerns which could stir a regulatory backlash dampening the data economy and stifling innovation.

Privacy advocates and data regulators increasingly decry the era of big data as they observe the growing ubiquity of data collection and increasingly robust uses of data enabled by powerful processors and unlimited storage. Researchers, businesses and entrepreneurs equally vehemently point to concrete or anticipated innovations that may be dependent on the default collection of large data sets. In order to craft a balance between beneficial uses of data and individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of “personally identifiable information”, the role of consent, and the principles of purpose limitation and data minimization.

In our paper we intend to develop a model where the benefits of data for businesses and researchers are balanced with individual privacy rights. Such a model would help determine whether processing could be based on legitimate business interest or subject to individual consent and whether consent must be structured as opt-in or opt-out. In doing so, we will address questions such as: Is informed consent always the right standard for data collection? How should law deal with uses of data that may be beneficial to society or to individuals when individuals may decline to consent to those uses? Are there uses that provide high value and minimal risk where the legitimacy of processing may be assumed? What formula determines whether data value trumps individual consent?

Our paper draws on literature discussing behavioral economics, de-identification techniques, and consent models, to seek a solution to the big data quandary. Such a solution must enable privacy law to adapt to the changing market and technological realities without dampening innovation or economic efficiency.


[1] Kenneth Cukier, Data, data everywhere, The Economist, February 25, 2010, http://www.economist.com/node/15557443.

[2] McKinsey, Big data: The next frontier for innovation, competition, and productivity, June 2011, http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation.

Jules Polonetsky & Omer Tene, Advancing Transparency and Individual Control in the Use of Online Tracking Devices: A Response to Transatlantic Legal and Policy Developments

Comment by: Catherine Dwyer

PLSC 2011

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1920505

Workshop draft abstract:

For over a decade, behavioral advertising has been a focus of privacy debates on both sides of the Atlantic. Industry actors maintain that targeted ads are essential to supporting the main business model online whereby users benefit from free content and services in return for being subjected to various advertisements. They assert that they do not cause any harm to users given that any data collected and used are anonymous and in compliance with data protection standards. Regulators and consumer advocates insist that many advertising or analytics companies are collecting and using personal data in a manner that does not comply with the principles of privacy laws. They maintain that the dignity of users is impacted by these hidden practices and questions about harm due to the use of data for purposes adverse to users remain unanswered.

The recent publication of the much anticipated FTC Staff Report on reform of the legal framework for privacy protection of consumers and the Department of Commerce Green Paper on privacy and innovation in the Internet economy has raised the stakes for both proponents and opponents of behavioral advertising and challenged the market to find solutions that are both privacy protective and commercially feasible. Moreover, the FTC’s proposal to implement a “do-not-track” mechanism echoes voices on the other side of the Atlantic calling for application of the e-Privacy Directive’s consent requirements through a browser based opt out. Such similarities reinforce our conviction that user expectations, business requirements, and privacy regimes are converging all over the world.

Our paper will draw on literature discussing behavioral economics, privacy enhancing technologies and user-centric identity management to seek a solution to the behavioral advertising quandary. Such a solution must be acceptable by businesses, users and regulators on both sides of the Atlantic and be based on the premise that privacy regulation needs to adapt to the changing market and technological realities without dampening innovation or damaging the business model that makes the Internet thrive.

We will provide a taxonomy of the various mechanisms used by the online industry to track users (e.g., first and third party cookies; flash cookies; beacons; Stored Flash Objects; browser fingerprinting; deep packet inspection; and more); assess under legal, technical and business criteria the feasibility of existing and new proposals for compliance with the latest FTC and EU regulatory requirements; and explore various strategies for solutions such as browser defaults and add-ons, special marking of targeted ads, and short privacy policies.