{"id":14702,"date":"2019-02-27T10:10:03","date_gmt":"2019-02-27T18:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/02\/27\/news-8451\/"},"modified":"2019-02-27T10:10:03","modified_gmt":"2019-02-27T18:10:03","slug":"news-8451","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/27\/news-8451\/","title":{"rendered":"Will pay-for-privacy be the new normal?"},"content":{"rendered":"<p><strong>Credit to Author: davidruiz| Date: Wed, 27 Feb 2019 17:04:22 +0000<\/strong><\/p>\n<p>Privacy is a human right, and online privacy should be no exception.<\/p>\n<p>Yet, as the US considers new laws to protect individuals\u2019 online data, at least two proposals\u2014one statewide law that can still be amended and one federal draft bill that has yet to be introduced\u2014include an unwelcome bargain: exchanging money for privacy.<\/p>\n<p>This framework, sometimes called \u201cpay-for-privacy,\u201d is plain wrong. It casts privacy as a commodity that individuals with the means can easily purchase. But a move in this direction could further deepen the separation between socioeconomic classes. The \u201chaves\u201d can operate online free from prying eyes. But the \u201chave nots\u201d must forfeit that right.<\/p>\n<p>Though this framework has been used by at least one major telecommunications company before, and there are no laws preventing its practice today, those in cybersecurity and the broader technology industry must put a stop to it. Before pay-for-privacy becomes law, privacy as a right should become industry practice.<\/p>\n<h3><strong>Data privacy laws prove popular, but flawed<\/strong><\/h3>\n<p>Last year, the European Union put into effect one of the most sweeping sets of data privacy laws in the world. The General Data Protection Regulation, or GDPR, regulates how companies collect, store, share, and use EU citizens\u2019 data. 
The law has inspired countries everywhere to follow suit, with <a href=\"https:\/\/www.theguardian.com\/technology\/2018\/dec\/07\/italian-regulator-fines-facebook-89m-for-misleading-users\" target=\"_blank\" rel=\"noopener\">Italy issuing regulatory fines against Facebook<\/a>, <a href=\"https:\/\/www.zdnet.com\/article\/brazil-moves-forward-with-online-data-protection-efforts\/\" target=\"_blank\" rel=\"noopener\">Brazil passing a new data-protective bill<\/a>, and Chile amending its constitution to include data protection rights.<\/p>\n<p>The US is <a href=\"https:\/\/www.fastcompany.com\/90288030\/inside-the-upcoming-fight-over-a-new-federal-privacy-law\" target=\"_blank\" rel=\"noopener\">no exception<\/a> to this ripple effect.<\/p>\n<p>In the past year, Senators Ron Wyden of Oregon, Marco Rubio of Florida, Amy Klobuchar of Minnesota, and Brian Schatz of Hawaii (joined by 14 other senators as co-sponsors) proposed separate federal bills to regulate how companies collect, use, and protect Americans\u2019 data.<\/p>\n<p>Sen. Rubio\u2019s bill <a href=\"https:\/\/arstechnica.com\/tech-policy\/2019\/01\/sen-marco-rubio-wants-to-ban-states-from-protecting-consumer-privacy\/\" target=\"_blank\" rel=\"noopener\">asks the Federal Trade Commission to write its own set of rules<\/a>, which Congress would then vote on two years later. Sen. Klobuchar\u2019s bill would require companies to write clear terms of service agreements and to send users notifications about privacy violations within 72 hours. Sen. Schatz\u2019s bill <a href=\"https:\/\/www.cnet.com\/news\/federal-data-privacy-law-introduced-by-15-us-senators\/\" target=\"_blank\" rel=\"noopener\">introduces the idea that companies have a \u201cduty to care\u201d for consumers\u2019 data<\/a> by providing a \u201creasonable\u201d level of security.<\/p>\n<p>But it is Sen. Wyden\u2019s bill, the Consumer Data Protection Act, that stands out, and not for good reason. 
Hidden among several privacy-forward provisions, like stronger enforcement authority for the FTC and mandatory privacy reports for companies of a certain size, is a dangerous pay-for-privacy stipulation.<\/p>\n<p>According to the Consumer Data Protection Act, companies that require user consent for their services could charge users a fee if those users have opted out of online tracking.<\/p>\n<p>If passed, here\u2019s how the Consumer Data Protection Act would work:<\/p>\n<p>Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission\u2019s \u201cDo Not Track\u201d website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice\u2019s \u201cDo Not Track\u201d status.<\/p>\n<p>If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data\u2014including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder\u2014would need to heed users\u2019 individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.<\/p>\n<p>This represents a literal price for privacy.<\/p>\n<p>Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz said his organization strongly opposes pay-for-privacy systems.<\/p>\n<p>\u201cPeople should be able to not just opt out, but not be opted in, to corporate surveillance,\u201d Schwartz said. 
\u201cAlso, when they choose to maintain their privacy, they shouldn\u2019t have to pay a higher price.\u201d<\/p>\n<p>Pay-for-privacy schemes can come in two varieties: individuals can be asked to pay more for more privacy, or they can pay a lower (discounted) amount and be given less privacy. Both options, Schwartz said, incentivize people <em>not<\/em> to exercise their privacy rights, either because the cost is too high or because the monetary gain is too appealing.<\/p>\n<p>Both options also harm low-income communities, Schwartz said.<\/p>\n<p>\u201cPoor people are more likely to be coerced into giving up their privacy because they need the money,\u201d Schwartz said. \u201cWe could be heading into a world of the \u2018privacy-haves\u2019 and \u2018have-nots\u2019 that conforms to current economic statuses. It\u2019s hard enough for low-income individuals to live in California with its high cost-of-living. This would only further aggravate the quality of life.\u201d<\/p>\n<p>Unfortunately, a pay-for-privacy provision is also included in the California Consumer Privacy Act, which the state passed last year. 
Though the law includes a \u201cnon-discrimination\u201d clause meant to prevent just this type of practice, it also includes an exemption that allows companies to provide users with \u201cincentives\u201d to still collect and sell personal information.<\/p>\n<p>In a <a href=\"https:\/\/www.eff.org\/deeplinks\/2018\/08\/how-improve-california-consumer-privacy-act-2018\" target=\"_blank\" rel=\"noopener\">larger blog post about ways to improve the law<\/a>, which was then a bill, Schwartz and other EFF attorneys wrote:<\/p>\n<p>\u201cFor example, if a service costs money, and a user of this service refuses to consent to collection and sale of their data, then the service may charge them more than it charges users that do consent.\u201d<\/p>\n<h3><strong>Real-world applications<\/strong><\/h3>\n<p>The alarm for pay-for-privacy isn\u2019t theoretical\u2014it has been implemented in the past, and there is no law stopping companies from doing it again.<\/p>\n<p>In 2015, AT&amp;T offered broadband service for a $30-a-month discount if users agreed to have their Internet activity tracked. According to AT&amp;T\u2019s own words, that Internet activity included the \u201c<a href=\"https:\/\/www.att.com\/esupport\/article.jsp?sid=KB421828&amp;cv=803\" target=\"_blank\" rel=\"noopener\">webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter<\/a>.\u201d<\/p>\n<p>Most of the time, paying for privacy isn\u2019t so obvious, with real dollars coming out of or going into a user\u2019s wallet or checking account. Instead, it happens behind the scenes, and it isn\u2019t the user getting richer\u2014it\u2019s the companies.<\/p>\n<p>Powered by mountains of user data for targeted ads, Google-parent Alphabet recorded $32.6 billion in advertising revenue in the last quarter of 2018 alone. In the same quarter, Twitter recorded $791 million in ad revenue. 
And, notable for its CEO\u2019s insistence that the company does not sell user data, Facebook\u2019s prior plans to <a href=\"https:\/\/gizmodo.com\/more-internal-facebook-documents-leak-online-revealing-1832874062\" target=\"_blank\" rel=\"noopener\">do just that were revealed in documents posted this week<\/a>. Signing up for these services may be \u201cfree,\u201d but that\u2019s only because the product isn\u2019t the platform\u2014it\u2019s the user.<\/p>\n<p>A handful of companies currently reject this approach, though, refusing to sell or monetize users\u2019 private information.<\/p>\n<p>In 2014, CREDO Mobile separated itself from AT&amp;T by <a href=\"https:\/\/blog.credomobile.com\/at-credo-your-privacy-is-not-for-sale\/\" target=\"_blank\" rel=\"noopener\">promising users that their privacy \u201cis not for sale. Period.\u201d<\/a> (The company does admit in its <a href=\"http:\/\/www.credomobile.com\/privacy\" target=\"_blank\" rel=\"noopener\">privacy policy<\/a> that it may \u201csell or trade mailing lists\u201d containing users\u2019 names and street addresses, though.) ProtonMail, an encrypted email service, positions itself <a href=\"https:\/\/protonmail.com\/blog\/google-privacy-problem\/\" target=\"_blank\" rel=\"noopener\">as a foil to Gmail<\/a> because it does not advertise on its site, and it promises that users&#8217; encrypted emails will never be scanned, accessed, or read. In fact, the company claims it can\u2019t access these emails even if it wanted to.<\/p>\n<p>As for Google\u2019s very first product\u2014online search\u2014the clearest privacy alternative is DuckDuckGo. 
The privacy-focused service does not track users\u2019 searches, and it does not build individualized profiles of its users to deliver unique results.<\/p>\n<p>Even without monetizing users\u2019 data, DuckDuckGo has been profitable since 2014, said community manager Daniel Davis.<\/p>\n<p>\u201cAt DuckDuckGo, we&#8217;ve been able to do this with ads based on context (individual search queries) rather than personalization.\u201d<\/p>\n<p>Davis said that DuckDuckGo\u2019s decisions are steered by a long-held belief that privacy is a fundamental right. \u201cWhen it comes to the online world,\u201d Davis said, \u201cthings should be no different, and privacy by default should be the norm.\u201d<\/p>\n<p>It is time other companies follow suit, Davis said.<\/p>\n<p>\u201cControl of one&#8217;s own data should not come at a price, so it&#8217;s essential that [the] industry works harder to develop business models that don&#8217;t make privacy a luxury,\u201d Davis said. \u201cWe&#8217;re proof this is possible.\u201d<\/p>\n<p>Hopefully, other companies are listening, because it shouldn\u2019t matter whether pay-for-privacy is codified into law\u2014it should never be accepted as an industry practice.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/\">Will pay-for-privacy be the new normal?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: davidruiz| Date: Wed, 27 Feb 2019 17:04:22 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a 
href='https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/' title='Will pay-for-privacy be the new normal?'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/02\/shutterstock_1090977035.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>As the US considers new data privacy laws, at least two new proposals include calls to exchange money for privacy\u2014an unwelcome bargain for users. Before pay-for-privacy becomes law, privacy as a right should become industry practice.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/privacy-security-world\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/amy-klobuchar\/\" rel=\"tag\">Amy Klobuchar<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/brian-schatz\/\" rel=\"tag\">Brian Schatz<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/california\/\" rel=\"tag\">California<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/california-consumer-privacy-act\/\" rel=\"tag\">California Consumer Privacy Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/consumer-data-protection-act\/\" rel=\"tag\">Consumer Data Protection Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/consumer-privacy-act\/\" rel=\"tag\">Consumer Privacy Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/credo\/\" rel=\"tag\">Credo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/credo-mobile\/\" rel=\"tag\">Credo Mobile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/duckduckgo\/\" rel=\"tag\">DuckDuckGo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/duty-to-care\/\" rel=\"tag\">duty to care<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/facebook\/\" rel=\"tag\">facebook<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/federal-trade-commission\/\" 
rel=\"tag\">Federal Trade Commission<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/florida\/\" rel=\"tag\">Florida<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gdpr\/\" rel=\"tag\">gdpr<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/google\/\" rel=\"tag\">Google<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hawaii\/\" rel=\"tag\">Hawaii<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/human-right\/\" rel=\"tag\">human right<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/marco-rubio\/\" rel=\"tag\">Marco Rubio<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/minnesota\/\" rel=\"tag\">Minnesota<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/oregon\/\" rel=\"tag\">oregon<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pay-for-privacy\/\" rel=\"tag\">pay-for-privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/privacy\/\" rel=\"tag\">privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/protonmail\/\" rel=\"tag\">protonmail<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ron-wyden\/\" rel=\"tag\">Ron Wyden<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/targeted-ads\/\" rel=\"tag\">targeted ads<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/targeted-advertising\/\" rel=\"tag\">targeted advertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/twitter\/\" rel=\"tag\">twitter<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/' title='Will pay-for-privacy be the new normal?'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/02\/will-pay-privacy-new-normal\/\">Will pay-for-privacy be the new normal?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[21054,21055,1683,21011,21056,21057,21058,21059,21060,21061,3589,10664,2247,12116,1670,21062,21063,21064,21065,8443,21066,5897,13761,13272,12243,21067,454],"class_list":["post-14702","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-amy-klobuchar","tag-brian-schatz","tag-california","tag-california-consumer-privacy-act","tag-consumer-data-protection-act","tag-consumer-privacy-act","tag-credo","tag-credo-mobile","tag-duckduckgo","tag-duty-to-care","tag-facebook","tag-federal-trade-commission","tag-florida","tag-gdpr","tag-google","tag-hawaii","tag-human-right","tag-marco-rubio","tag-minnesota","tag-oregon","tag-pay-for-privacy","tag-privacy","tag-protonmail","tag-ron-wyden","tag-targeted-ads","tag-targeted-advertising","tag-twitter"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14702"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14702\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14702"},{"ta
xonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}