Paying for Privacy…

There’s a good article on cnet news, to co-incide with Data Privacy Day – thoughtful and though-provoking.

“It’s been 10 years: Why won’t people pay for privacy?”, by Declan McCullagh

I’ve left some feedback on it, but as I’m about 40th in the comment stack, I don’t imagine it will attract much attention there – so here it is:

“Congratulations on a well-timed article with a lot of thought behind it.

I’ve been working on digital ID and privacy for the last 7-8 years, and I suspect that, if you’re looking at the commercial aspects, there are two reasons why “privacy protection” has largely failed to offer a compelling value proposition. One is comparatively old, the other is a little newer.

The older reason is that “point” privacy protection products can usually do little or nothing about the elephant in the room… the vested and mostly-invisible commercial interests behind online advertising are so huge, so entrenched and so opaque to the user that it is all but impossible to change the balance of power between the ‘data subject’ and the ‘data gatherer’. As an example, look at the difficulty some very bright people have had with turning VRM from concept into reality. (VRM, or “Vendor Relationship Management” was coined as a flip-side to “Customer Relationship Management” – CRM – … the idea being that my interests would be better served if I took control of my data and used it as the leverage to change vendors’ behaviour). The idea, the principles and the technology might all be fine, but those factors are not enough to convince/persuade/force vendors to do things your way instead of theirs.

The second, and newer, reason has to do with the increasing ability of data-miners to build an extremely accurate model of you (and your behaviour and preferences) without needing to know exactly who you are.

And here’s the worrying point, in the light of that second reason. Most of us think we have a reasonable handle on what our privacy is, and what we might do to protect it. The problem is that most of us are still thinking in terms of the risks arising from reason number 1. Very few of us have any notion of what the risks are which arise from reason number 2, let alone how to mitigate them.”

It was a rather hastily sketched-out response, and probably raises more questions than answers – but I wanted to make it promptly, partly because I hope it will tie in nicely with some of the comments I’ll be blogging in due course about the CPDP conference I’ve just got back from. More later…