I remembered that when I read Alistair Barr’s account of his attempt to delete his user data, under the auspices of California’s new Consumer Privacy Act. The process is so cumbersome – it takes more than two hours and requires uploading selfies and a photo ID – that it ends up having the opposite of the intended effect. Instead of granting consumer privacy, the act of submitting a data deletion request draws undue attention to those seeking anonymity.
This is where default options matter. If every browser window automatically opened in incognito mode, then it wouldn’t be considered incognito browsing, but regular web browsing. But if only outlaws take the time to safeguard their privacy, then privacy becomes a de facto outlaw product.
Many privacy products are already regarded this way. For example, Tor is a web browser that obscures a user’s internet activity by routing network data through a maze of relays. It’s useful if you’re a whistleblower trying to communicate with journalists, but it can also be used for illicit activity. In 2014, the Financial Crimes Enforcement Network found that a majority of suspicious activity reports filed by banks involved IP addresses associated with the Tor network. Today, many financial institutions preemptively block traffic that arrives through Tor. In some cases, banks automatically freeze a Tor user’s bank account. Virtual Private Networks, which hide a user’s activity from the internet service provider, are also frequently blocked. People who go to the effort of protecting their privacy inherently seems suspicious.
But what if we saw privacy protection as akin to a form of vaccination? When we get shots to immunize against mumps or measles, we not only protect ourselves; we protect society as a whole, particularly those individuals who can’t develop immunity. Vaccination is so important that it’s opt-out, not opt-in. Similarly, defaulting to stricter privacy settings would create a safer internet not only for those who adopt them, but for those who, for whatever reason, don’t.
On the internet, data brokers collect information on as many users as possible to generate detailed profiles based on demographics and affinity groups. The more people who cut off the data brokers, the less these companies can infer about any given user. When it comes to consumer privacy protection, setting privacy as the default option protects the most vulnerable members of society.
California’s new privacy law went into effect Jan 1, but will not be enforced until July 1. Compliance requirements are still unclear. The Wall Street Journal suggests that websites with third-party tracking must add a “Do Not Sell My Personal Information” button to their home page, a move that will likely be about as effective as placing your number on the National Do Not Call Registry, or pushing the “close door” button in an elevator.
The only way anyone can really have privacy protections is if everyone has privacy protections. Privacy laws are not helpful if users can only delete their data after wading through two hours of bureaucracy. Companies that profit from massive data collection are rightly optimistic that most users won’t bother with these steps.
Elaine Ou is a Bloomberg Opinion columnist. She is a blockchain engineer at Global Financial Access in San Francisco.