Somebody's Watching Me (and I Have No Privacy): Professor Acquisti on the FCC, ISPs, and Why Privacy Is So Challenging

Apr 24, 2017

Image associated with the Somebody's Watching Me (and I Have No Privacy): Professor Acquisti on the FCC, ISPs, and Why Privacy Is So Challenging news item

By Scott Barsotti

Professor Alessandro Acquisti is a leading voice in information technology and Internet privacy. He is the director of the CMU Risk and Regulatory Services Innovation Center housed at Heinz College and sponsored by PwC, as well as the creator of the Privacy Economics Experiments (PEEX) Lab; Professor Acquisti is a member of other IT research institutes at CMU including CyLab and iLab.

The recent decision by Congress to roll back certain Federal Communications Commission (FCC) privacy protections has caused a lot of concern, and perhaps even more confusion. What does the decision really mean for consumers? Should we panic? Is it time to set up a virtual private network (VPN)? Is every device in our homes going to be spying on us?

Heinz College Professor Alessandro Acquisti is an expert on this subject, having published extensive research on the economics and behavioral economics of privacy, and privacy in online social networks.  And he was able to calm our nerves…somewhat.

First off, he notes that the new legislation doesn’t take away protections so much as prevent new rules from going into effect. The rules in question were young, put in place by the Obama administration’s FCC in October 2016, meaning we hadn’t really had time to appreciate the outcomes of those rules, for better or worse.

Acquisti's 2013 TEDTalk in Edinburgh, "What will a future without secrets look like?"

“But in general, this is not good news for consumer privacy,” said Acquisti. “Most companies will, and do, collect data to the maximum extent afforded to them by regulation—or, as it happens, absence of regulation. The rules that have been rolled back tried to do something about that.”

Where the Obama-era rules had sought to choke off certain latitudes for Internet service providers (ISPs) to monitor, track, and sell user behavior, the new legislation—signed into law by President Trump on April 3—makes all of that fair game again. These activities only stand to get more rampant and privacy-intrusive as technology continues to improve. In fact, Acquisti notes that advancements in technology have made it so cheap to collect and store users’ personal data and browsing history, that companies will collect that information even if its value is low (or at best unclear).

Companies seem to view consumers’ personal data the way a homeowner in a low-lying area might view flood insurance. Better to have it and not need it.

Still, it’s possible that some ISPs and web companies will refrain from abusing this right. Acquisti states that some firms may see privacy concerns as an opportunity to showcase their consumer-friendly bonafides. That may be easier if you’re Apple, or another company that relies on hardware rather than data sales for the majority of their revenue. Even then, as the advent of the Internet of Things promises more and more connected devices, hardware manufacturers have little incentive to consider privacy in design at present, facing greater pressure to be first to market than to be most secure. And regulation in this area is sorely lacking.

“The problem consumers face in managing their privacy online will be exacerbated by the Internet of Things, because of the ubiquity of the devices and lack of transparency regarding their data-handling policies,” said Acquisti. “Unlike websites you visit that have links to their privacy notices, you cannot easily ask your Amazon Echo or Nest thermostat to show their privacy policies on the spot. The interface does not permit it. Furthermore, end-users get easily habituated to these devices, and pay little attention to the fact that the devices continuously collect and transfer data about their users.”

Consumers have options…with tradeoffs

Someone who controls information about you gains some degree of power over you.

-- Alessandro Acquisti --

Acquisti Headshot

Even if companies don’t take steps to protect consumer privacy, there are things consumers can do to protect themselves. Acquisti mentioned that there are many tools, such as the anonymous browser Tor, for extremely privacy-conscious users. He also notes that VPNs—services that allow users to extend a private encrypted network over a less secure network—are realistic options.

“VPNs are, by now, mature and relatively common tools,” he said. He is quick to warn, however, that there are tradeoffs.

“One of the many paradoxes we face in the privacy realm is that the more advanced techniques you may use to protect your privacy, the more attention you may attract from intelligence agencies.”

And there’s the dilemma. Someone will likely be watching you, it’s just a matter of who.

“You may feel like you have nothing to hide as a law-abiding citizen, but information is power,” said Acquisti. “Someone who controls information about you gains some degree of power over you.”

He points to some less exotic privacy-centered apps as well, like the encrypted messaging service Signal. He says that these apps work on good principles from security research, and provide a modicum of privacy with little hassle, but that consumers must remember that protection tools may be bypassed by other users with whom they are sharing information. Also, encryption—effective in theory—can be broken if poorly implemented by designers or ineffectively employed by end-users. Thus, such services may not be sufficient to protect all data, and not from every potential snooper.

So, what gives? Is the World Wide Web just the Wild Wild West right now? What can be done?

The fact of the matter is that, in the short term, consumer privacy is a huge and complicated challenge, and an area largely untouched by the law. But it doesn’t have to stay that way.

Acquisti insists that progress can be made that will alleviate many of these concerns, but that this relies on society being able to come to some degree of collective choice as to whether or not we truly value privacy as much as we claim to. If we do, a broader effort is urgently needed that combines regulatory, technological, and policy solutions. Otherwise, consumers can hope for little more than to be virtual fish in a cyber barrel.

“We cannot rely merely on individual responsibility,” said Acquisti. “Individuals who, by themselves, try to use privacy-enhancing technologies are on the losing side of an arms race with privacy-invasive technologies, which always seem to be a step ahead.”

Watch a clip of Prof. Acquisti discussing privacy on "Through the Wormhole With Morgan Freeman" >>

Learn more about the PwC Risk and Regulatory Services Innovation Center >>

Learn more about PEEX Lab >>

Learn more about CyLab >>

-------------

Interested in supporting Heinz College students and initiatives like those featured in this story? Click here for more information.