Robert H. Sloan and Richard Warner, Beyond Notice and Choice: Streetlights, Norms, and Online Consent
Comment by: Robert Gellman
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2239099
Workshop draft abstract:
Informational privacy is the ability to determine for yourself when and how others may collect and use your information. We assume there is good reason to ensure adequate informational privacy. Adequate informational privacy requires a sufficiently broad ability to give or withhold free and informed consent to proposed uses; otherwise, you cannot determine for yourself how others use your information.
An unsympathetic but not entirely inapt analogy is the old joke about the drunk searching for his keys underneath the streetlight:
A policeman sees a drunken man searching for something under a streetlight and asks the drunk what he lost. He says he lost his keys and they both look under the streetlight together. After a few minutes the policeman asks if he is sure he lost them here, and the drunk replies, no, that he lost them in the park. “So, why are you looking under the streetlight?” asks the policeman, and the drunk replies, “This is where the light is.”
Policy makers and privacy advocates look under the streetlight of Notice and Choice even though it is clear that the consent is not there. Why don’t they search more broadly? Most likely, they see no need to do so. We find the critique of Notice and Choice conclusive, but our assessment is far from widely shared—and understandably so. Criticisms of Notice and Choice are scattered over several articles and books. No one has unified them and answered the obvious counterarguments. We do so in Section I. Making the critique plain, however, is not enough to ensure that policy makers turn from the “streetlight” to the “park.” The critiques are entirely negative; they do not offer any alternative to Notice and Choice. They do not direct us to a “park” in which to search for consent.
Drawing on Helen Nissenbaum’s work, we offer an alternative: informational norms. Informational norms are social norms that constrain the collection, use, and distribution of personal information. Such norms explain, for example, why your pharmacist may inquire about the drugs you are taking, but not about whether you are happy in your marriage. When appropriate informational norms govern online data collection and use, they ensure both that visitors give free and informed consent to those practices, and yield an acceptable overall tradeoff between protecting privacy and the benefits of processing information. A fundamental difficulty is the lack of norms. Rapid advances in information processing technology have fueled new business models, and the rapid development has outpaced the slow evolution of norms. Notice and Choice cannot be pressed into service to remedy this lack. It is necessary to develop new norms, and in later sections of the paper we discuss how to develop new norms.