Since former National Security Agency contractor-turned-whistleblower Edward Snowden lifted the curtain on the agency’s domestic surveillance program, Americans have justifiably become obsessed by the idea that Big Brother is watching them. On May 7 a federal appeals court ruled that the government's bulk collection of telephone metadata violates the Patriot Act, forcing Congress to take steps to put a formal end to the practice. On Wednesday, Sens. Rand Paul, R-Ky., and Ron Wyden, D-Ore., ended a 10-and-a-half-hour tag team filibuster aimed at drawing attention to much-needed reforms. The effects of government privacy intrusions, both real and imagined, have led to a groundswell of activism against all manner of official surveillance.
However, a far more acute threat to citizen privacy continues unabated within the private sector. The most comprehensive federal law governing consumer privacy in the United States was enacted in 1974 — three decades before the first iPhone hit the market — and is now among the oldest in the world. According to Steve Wilson, a privacy analyst at the Silicon Valley firm Constellation Research, businesses are eagerly exploiting a lack of adequate oversight to dive deeper into our personal lives.
“In parallel with and well ahead of government spy programs, the big online social networks and search engine companies have been gathering breathtaking amounts of data in order to track people’s habits and preferences,” Wilson wrote, in a December report. “Most people remain blissfully ignorant of what’s being done with all that data.”
Privacy is a highly contentious political issue in the U.S. because of its tendency to pit our reverence for laissez-faire economics and civil liberties against one another. The protection of individual rights requires reining in the rights of free enterprise with new and strong regulations. However, instead of a unified legal framework to protect consumer privacy, the U.S. relies on a patchwork of narrow, mostly sector-specific laws governing industries such as health care and financial services.
The Federal Trade Commission (FTC) encourages self-regulation mostly through voluntary adherence to its Fair Information Practice Principles, limiting its ability to reprimand privacy violators. When companies do get a slap on the wrist for being cavalier with customer data, it’s usually for violating their own disclosure policies or for engaging in “unfair and deceptive” trade practices. A number of state laws have picked up where Washington has failed but their usefulness remains limited in an increasingly global market.
Facebook, Microsoft, Google and most recently Uber have been embroiled in nefarious snooping scandals in recent years, but most corporate data collection flies under the radar, masquerading as a largely innocuous consequence of the expanding digital economy. Driven by the growth in mobile devices, advances in data science and the lure of advertising dollars, online platforms are turning to increasingly sophisticated technologies to unlock consumer behavioral patterns, which are often cross-referenced with GPS data to facilitate geographical targeting. (Law enforcement agencies need a warrant to do this.)
A single Web page can host dozens of so-called data brokers that track the browsing habits of each visitor with an eye toward reselling the information to the highest bidder. In a report on data brokers published last year, the FTC found that some brokers were sorting consumers into categories based on such sensitive health information as “expectant parent,” “diabetes interest” and “cholesterol focus.” At least one of the companies studied had 3,000 data segments for nearly every U.S. consumer.
It's impossible to know the full extent or repercussions of corporate snooping, but to use just one example, in 2012 Target exposed a teenager's secret pregnancy to her father after her shopping patterns triggered an automatic coupon mailer to her house. A more consequential invasion of privacy can hardly be imagined.
Consumers aren’t the only ones finding themselves under the digital microscope. For employees, the emerging “bring your own device” trend has shattered the rigid boundary that once stood between personal and work life. Companies are pretty much allowed to develop policies and practices governing employee devices and data. And, whether they are aware of it or not, workers frequently forfeit privacy rights. In the absence of clear legal guidelines, courts are now being tasked with wading through these uncharted waters.
Earlier this month Myrna Arias, a former sales executive at Intermex, a California-based money transfer company, filed suit against her former employer after she was fired for deleting from her phone a mandatory workforce management application, which tracked employees even after work hours. Arias’ supervisor “admitted that employees would be monitored while off-duty and bragged that he knew how fast she was driving at specific moments ever since she had installed the app,” according to the complaint.
Other companies are also embracing so-called user behavioral analytics (UBA), which is meant to identify rogue employees and to detect insider threats and financial fraud. In April, HP entered the UBA market promising a solution that would allow firms to “actively and continuously monitor the actions of privileged users for risky or unusual activity.”
Legal experts advise that employees should probably forgo any expectation of privacy in the workplace. But what happens in an age where employees are as likely to be working from home or on a mobile device as they are from an office computer? In 2015, the workplace is literally everyplace.
In February the White House announced a legislative proposal to strengthen consumer rights over private data. But critics say the legislation falls short of its stated mission and lacks meaningful protections for consumers. The Consumer Privacy Protection Act of 2015, introduced at the end of April by Senator Patrick Leahy (D-Vt.), includes strong new breach-notification mandates and has gained the support of consumer groups. But the legislation is more concerned with ensuring that consumer information is secure than with dictating how it may be used. As lawmakers consider these proposals, they should work closely with data and privacy experts to create comprehensive legislation that makes citizens the masters of their own information and can stand the test of time.
On the surface, businesses appear to have a strong incentive to protect consumer privacy rights. A 2014 survey by the leading data privacy management firm, TRUSTe, found that 89 percent of consumers would avoid doing business with a company that doesn’t value their privacy.
But there are fortunes to be made in Big Data's Wild West, which Wilson equates to the 19th-century oil rush, and most people simply don't understand how their data is being stored and used. Market incentives have little sway where a majority of the participants are blindfolded.