Monday, March 27, 2017

What you can do about your privacy when it is out of your control.


Unfortunately, the only real control you have over your information and privacy is when it is in your possession. After you have made an online purchase, or even simply navigated to a Web page, information about you is stored on the servers of your ISP and the company or organization with whom you have done business. Trying to stay entirely off the grid is virtually impossible today, since every bill paid, every phone call made, and even pictures of your automobile license plate will result in digital records tied to you.

Common advice is to only work with reputable online businesses. This sounds good, but how does someone decide which businesses are reputable and which are not? At some point there may be something like a ‘good housekeeping seal of approval’ that indicates that a company's systems and security measures have been audited and approved. However, at the current time this is a difficult task. One might have assumed that Target, TJ Maxx, and Home Depot are reputable businesses. However, in hindsight all three had vulnerabilities that allowed hackers to compromise customer information.

In reality, the only protection you have once your information is out of your control is from laws and regulations.  As examples, HIPAA grants legal protection to healthcare records and FERPA grants legal protection to educational records.  But aside from a few laws governing special situations, there are no laws defining a level of due diligence for companies to protect customer data.

In fact, the situation seems to be evolving in a way that will actually lessen customer privacy controls. Just last week the US Senate voted to remove protections that would prevent ISPs from sharing your information.  This opens the door for ISPs to share your browsing history, and possibly intercept, and modify, your communications (such as inserting ads or tracking cookies).

So what can you do? If your privacy is important to you, you should contact your State and Federal representatives. In the case of Federal representatives, let them know that your privacy is important and demand that they strengthen, not weaken, privacy laws. In the case of state representatives, let them know how important privacy is to you and urge them to pass state laws requiring compliance with stated rules of due diligence. Some states, such as Illinois, are already considering such laws. Your voice may be heard louder at the state level than at the Federal level. However, pressure needs to be applied in both places.

Please understand that privacy means different things to companies than it does to individuals. To a company, privacy means that it has the right to decide how information assets (customer information) are used. To the individual, it means the right to control who has access to their information. Because of these two views, the interests of the company will be at odds with the interests of the individual. Only by having strongly-defined rules of due diligence under law will we be able to assure consumers that their information will be protected. This allows for company ‘good faith’ use but also provides standard controls for what is now still a ‘wild west’ environment.
