Privacy: Beating the Commitment Problem
Privacy: Beating the Commitment Problem - Via Freedom to Tinker:
I wrote yesterday about a market failure relating to privacy, in which a startup company can’t convincingly commit to honoring its customers’ privacy later, after the company is successful. If companies can’t commit to honoring privacy, then customers won’t be willing to pay for privacy promises — and the market will undersupply privacy.
Today I want to consider how to attack this problem. What can be done to enable stronger privacy commitments?
I was skeptical of legal commitments because, even though a company might make a contractual promise to honor some privacy rules, customers won’t have the time or training to verify that the promise is enforceable and free of loopholes.
One way to attack this problem is to use standardized contracts. A trusted public organization might design a privacy contract that companies could sign. Then if a customer knew that a company had signed the standard contract, and if the customer trusted the organization that wrote the contract, the customer could be confident that the contract was strong.
But even if the contract is legally bulletproof, the company might still violate it. This risk is especially acute with a cash-strapped startup, and even more so if the startup might be located offshore. Many startups will have shallow pockets and little presence in the user’s locality, so they won’t be deterred much by potential breach-of-contract lawsuits. If the startup succeeds, it will eventually have enough at stake that it will have to keep the promises that its early self made. But if it fails or is on the ropes, it will be strongly tempted to try cheating.
How can we keep a startup from cheating? One approach is to raise the stakes by asking the startup to escrow money against the possibility of a violation — this requirement could be build into the contract.
Another approach is to have the actual data held by a third party with deeper pockets — the startup would provide the code that implements its service, but the code would run on equipment managed by the third party. Outsourcing of technical infrastructure is increasingly common already, so the only difference from existing practice would be to build a stronger wall between the data stored on the server and the company providing the code that implements the service.
From a technical standpoint, this wall might be very difficult to build, depending on what exactly the service is supposed to do. For some services the wall might turn out to be impossible to build — there are some gnarly technical issues here.
There’s no easy way out of the privacy commitment problem. But we can probably do more to attack it than we do today. Many people seem to have given up on privacy online, which is a real shame.
(Read Original Article - Via Freedom to Tinker.)
Twitter
Digg
StumbleUpon
Technorati
del.icio.us
Facebook
Furl
LinkedIn
YahooRecent blog posts
- Undercover Feds on Social Networking Sites Raise Questions
- FBI Uses Fake Facebook Profiles To Spy On Suspects
- Lawrence Lessig: Citizens Unite
- Case Report – BCCA says aerial surveillance by telphoto zoom lens not a search
- Obama threatens to veto greater intelligence oversight
- EFF Asks Illinois Appellate Court to Block Unmasking of Anonymous Online Critic
- Who You Love Shouldn't Matter When You Serve
- EFF Posts Documents Detailing Law Enforcement Collection of Data From Social Media Sites
- Smackdown: Consumer Privacy vs. Advertiser Revenue
- Secret Document Calls Wikileaks ‘Threat’ to U.S. Army
