I don’t expect that we’re going to see a stable interpretation of what constitutes either social or legal standards of behavior on the Internet during the next 20 years. We are in the midst of one of humanity’s grand experiments, and it is increasingly characterized by a struggle over the control of personal data.
Anticipating congressional action, the Federal Trade Commission has been holding hearings on related issues for over a year. Both the US House and Senate have had recent hearings on the Electronic Communications Privacy Act (ECPA), a 1986 regulation that is looking increasingly inadequate in the face of cloud services, social networking, and contextual computing that relies on privacy-relevent metadata such as location.
Indiana University PHd candidate Chris Soghoian points out ironically that current US regulations provide a higher level of protection for an unopened spam message than for a personal email that has been read and kept.
It seems like a strange world when the US Supreme Court has determined that corporations can anonymously pour unlimited amounts of money into political advertising (which all sides of the political spectrum took advantage of this fall), yet local courts are forcing Youtube to reveal the identity of anonymous posters. I’m certainly not supporting cyberbullying or libel, but maybe the rules haven’t been fully thought through if invidivuals actually do have less privacy than corporations.
This issue is not unique to the United States, but it is especially significant there for several reasons. Social networking services like Facebook, Myspace and LinkedIn are a phenomenon of US origin and concentration, as are cloud services such as Google Applications, and Salesforce.com. US-located Internet-based services arguably represent the largest collection of private and proprietary data in the world. In comparison to the rest of the OECD countries, the USA also has what are arguably the weakest privacy regulations.
In practice, virtually every country in the world actually does make Internet-based private data available to law enforcement. However, most countries prefer to be more discreet about such activities, in contrast to the US Congress, which proudly labeled a prominent regulation as The US Patriot Act. Every government conducts surveillance against their own citizens in the name of law enforcement, but most choose not to brag about it.
Google (which is always willing to provide as much information as possible about any institution other than itself) publishes statistics on the number of law enforcement requests it receives, reported on a per country basis. It may well be that 6.5 times as many terrorists prefer to host their data within Google.com as do within Google.de. It may also be the case that Canada actually has no criminals.
Individuals have legitimate disagreement over their expectations for personal and organizational privacy, and the role of their government in balancing privacy with protection, but two implications are difficult to argue against:
- Non-US corporations and individuals are increasingly reluctant to put their data in US-based services.
- The legal complexities confronting US-based services will continue to grow, raising costs and increasing the potential for
I hesitate to overuse trite terms like ‘paradigm shift’ (yes, I’ve read Kuhn), but this seems to be an instance in which the old rules are becoming increasingly unsuitable, and the new conventions don’t seem to be fully in synch with citizen expectations or competitive needs.