Smart products mean more data collection and opportunities for privacy violation. Participants in this year's Consumer Electronics Show in Las Vegas learned that the Internet is not just for smartphones and tablets anymore. This year's show had smart ovens, cars and crockpots; cameras that take pictures automatically; and devices that track anything from your heart rate to how well you brush your teeth. This is what the technology community calls "the Internet of Things," and many believe it is where consumer technology is headed. Google does, too. That's why it spent $3 billion to acquire Nest's smart thermostats.
These products have the potential to improve consumers' lives, but they rely on streams of sensitive data about health, habits and location of users, or even about unknowing bystanders. Companies can aggregate and analyze these data in any number of ways. The question is: Will consumers have any control over how companies use their data?
As we surge forward in developing uses for data, we are stuck in an outmoded past on how to protect it. For decades, a critical element of consumer privacy policy has been the idea that consumers must be told how a company plans to use their private data, and that companies cannot collect or use that information without the customer's consent. This informed consent model is simple and sensible. There are many reasons consumers might want to give a company their data. Or, at least, would be comfortable with giving it up because they get something in return.
The problem is that consent is not informed in any real way. Consumers are told about proposed collection and use of their data in "terms of service" and "privacy policies" that obscure more than they reveal. University of Nottingham researchers recently compared the terms of service for popular technology companies with established literary texts. The conclusion? They are harder to understand than the Old English standard Beowulf or Machiavelli's 16th century political treatise The Prince. That's funny, but significant. Average consumers simply do not know what it means when they hit "agree," even if they've bothered to try to read the fine print.
On top of that, companies often change their policies, sometimes with little notice. And then there are situations when even today's inadequate protections don't apply, for example, when a company collects data from those who respond to a customer's e-mail or when a cloud data firm pulls information on passersby from photographs others upload.
For those more concerned about government surveillance and its impact on their privacy, recall that the U.S. and other governments can use legal means — warrants and subpoenas — to obtain the data these companies collect. Even if there are reforms to surveillance authorities, this will continue to be true. The more that companies collect, aggregate and analyze sensitive data, the more potentially is available to the government.
Some government agencies, such as the Federal Trade Commission, are reacting to the failure of the informed consent model. In recent years, the commission has challenged companies for collecting information in unexpected ways, even if a privacy policy permitted the use.
But more is needed to make the principle of informed consent function once again. One way to do that might be to borrow from the FTC's approach and fo
cus on consumers' expectations. The less expected a proposed use of data is, the more clear a company must be about what it is planning.
How would this work? When consumers buy a device or download an app, they expect the company will use their data to improve the user experience. If they buy a smart thermostat, they will expect the device to use data about their habits to make their energy use more efficient. If this is all a company plans, it should have a relatively light burden in informing customers. Current practices would be fine.
But when companies plan to use their users' data for profit, selling to advertisers or other third parties, they must inform consumers directly and far more clearly. That means they cannot bury the notice and they must write it in readable language. (The Nottingham researchers used Fifty Shades of Grey as a model of readable language. We prefer, perhaps, Harry Potter.) The same would be true if a company changes its policy to authorize broader uses of data.
Finally, the highest standard should be for third-party data, information from bystanders who have no relationship with the company. In that case, companies should be required to go out and get positive consent before using the data.
This is one idea for how to make the principle of informed consent work even as we move from the smartphone to the smart house, car and clothes. Doubtless there are others. But as we discuss the ways in which government surveillance impacts the privacy of Americans and others around the world, we must pay attention to this issue as well.
Michael Chertoff, secretary of Homeland Security in the George W. Bush administration, is now chairman of The Chertoff Group, where Mary DeRosa, former deputy counsel to the president and National Security Council legal adviser in the Obama administration, is a senior adviser.