Shoppers: “That’s Not What I Signed Up For!”

Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Target’s ability to mine CRM data got some unwelcome exposure this week from a book excerpt in The New York Times Magazine (a Forbes blogger recapped the excerpt using the headline “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did,” which pretty much tells the story). But as retailers increasingly obtain personal data from consumers without their real knowledge—or any real ability to opt in or out—the legal implications get increasingly murky.
And although retailers are turning up customer characteristics that customers would never volunteer, some mobile payment systems are digging through a phone’s data to raise equally troublesome privacy issues.
In one such system, a Seattle payments firm wants to push for “pay by device,” which would forgo a PIN and instead authenticate an Android phone not only through the application itself but by scraping personal information from the phone.
Every device, once used, acquires personal characteristics: the names on your contact list, for example, or the applications you have downloaded, how often you use them and how you have configured them. Together these create what amounts to a “digital signature” of the user. Thus, when you use a browser to go to a Web site, you are communicating not only your Internet protocol address, but what type of browser you’re using, what version, what settings, what fonts, what sites you have seen recently and a whole host of other information that, in combination, can be used to personally identify you.
Indeed, the Electronic Frontier Foundation has on its Web site a tool called Panopticlick that will predict, based upon your browser settings and other information automatically transmitted to a Web site, just how identifiable you are. More than 80 percent of several million visitors to the site were uniquely identifiable, just based on those settings.
Unfortunately, much like your actual DNA, you have very little ability to meaningfully change this. Sure, you can download a different browser, but all that does is give you a new signature that you have to worry about. So, in this age where data is collected and stored, cross-referenced and mined, is there any real meaning to the terms “opt in” or “opt out”?
In the United States, there is no general “privacy” law. Certain types of information, like financial information or medical information, are protected by specific statutes. Payment-card information is protected to some extent by the security provisions of the payment-card industry’s data security standard, a contract between merchants and their financial institutions. But other than that, it’s really the wild, wild West out there. Thus, to protect privacy we tend to rely on the old standbys of contract law: notice, consent, and an ability to opt in or opt out.
But in reality, what we have is a situation where thousands of companies post privacy policies knowing that consumers have neither the time nor the inclination to read them.