The Net's biggest balancing act yet

Privacy in the online era means big changes in all our thinking

"People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people," Facebook's CEO Mark Zuckerberg told an audience in January 2010. "That social norm is just something that has evolved over time."

Zuckerberg's comment came hot on the heels of another from Google's then CEO Eric Schmidt: "If you have something that you don’t want anyone to know," he said in response to privacy concerns over the information his company possesses, "maybe you shouldn’t be doing it in the first place."

For two companies that had found their way into millions of people's lives, these comments represented what they were seeing every day: literally millions of pieces of information freely provided by individuals from every corner of the globe. Facebook and Google's brilliance lies not just in gathering this vast quantity of information but in making sense of it and relaying it back to both individuals and advertisers alike. Personal information means personal service and everyone was thrilled with the results.

The response to these observations must have come as somewhat of a shock to Messrs Zuckerberg and Schmidt. "This sounds like something the Stasi or KGB would tell the public," the Wall Street Journal's John Dvorak said of Schmidt's comment. Other commentators, bloggers, tweeters and Facebookers were less kind.

Such words from the lead figures of the Internet's two biggest success stories also served as a wake-up call to legislators worldwide. While everyone loved the services these two American companies provided, their apparent attempt to redefine privacy for millions of people was a step too far.

Fast forward two years and privacy has become the Internet's biggest policy topic. It is likely to remain so for the next few years. Major pieces of legislation are planned in both the European Union and United States and everyone from big business to academia to civil society and civil servants is trying to make sense of what privacy looks like in a world where a picture can be taken, posted and seen by an unlimited number of people within seconds, and where people's identities, right down to their sexual preference, have become selection boxes for marketers.

New concepts and new laws

One of the first things that policy-makers have come to understand is that the Internet really has changed things. Much has been made of the fact that "digital natives" - that generation of people that has never not known a globally networked world - have a more relaxed sense of privacy and the provision of personally identifying information. This is, of course, only partially true. As the negative impact of sharing information too widely is being felt over time, digital natives are becoming increasingly savvy about where and how their information is being used.

Europe as a continent has learnt the catastrophic downsides to being easily identified, and so after a few years of soul-searching has reached what it feels is the right balance between allowing people to freely choose what information they share and not having them live with the consequences of it for the rest of their lives. The "right to be forgotten" forms a key part of legislation that aims to provide a trans-European law on privacy.

How that principle will work in reality is uncertain and it will be the cause of much discussion and argument as the legislation makes its way through the European Parliament and then Council. The law is expected to be in place within three to four years.

On the other side of the Atlantic, another new concept is taking root. A report from the Federal Trade Commission frequently references "privacy by design" in its template for new privacy rules and laws. The recognition is that the use of people's data is of such paramount importance that it needs to be written into every stage of product development.

While new concepts abound, old ideas, some hard-coded into laws, have come under question. "Consent" is one such case. When people have no idea what they are agreeing to, and do not even have a realistic choice of disagreeing, the idea of consent loses all meaning. The problem is that despite the determined efforts of a large number of people, no one has yet uncovered a suitable replacement.

Some cold realities

As these efforts to devise new approaches and new laws progress, the businesses behind a remarkable (and remarkably profitable) generation of products and services are rightly concerned.

If Facebook is not able to use the wealth of information it has on its users to produce highly targeted ads, it will not be able to provide 900 million people with a free service. Despite having become a household name, the company's fragility is there to see: the news that the company's ads are not performing as well on mobile phones as on laptop screens was enough to ruin the company's initial public offering last week. Share prices continued to fall.

Likewise, the threat within EU legislation to fine companies up to two percent of their global revenue has got companies rattled. Companies like Google have been pushing at the envelope for a decade and have taken fines and reprimands in their stride as they continue to produce such revolutionary products as Gmail and Street View. The cost of making mistakes is about to get a whole lot bigger.

Naturally enough, companies that use personal data - and it's not just the Googles and Facebooks but also most online technology companies and the entire online advertising sector - want to see self-regulation introduced ahead of legislation.

A public comment period recently held by the US Department of Commerce as a way of kickstarting the production of enforceable codes of conduct brought a number of topics to the fore. Self-regulation was one of them (see our comprehensive summary of all 80+ responses).

Unfortunately for business, it has already blown its chance. In the late 1990s, the FTC passed over legislation in order to give business an opportunity to regulate itself. The result was a wide range of new organizations created amid great fanfare but poorly resourced and ineffective. Many folded just a few years later when the political pressure was off.

The FTC and Department of Commerce (DoC), not to mention the White House, appear determined not to make the same mistake again, although the European approach of broad-based legislation looks unreachable thanks to continued Congressional dysfunction.

The multistakeholder model

And this is where the most intriguing aspect of the privacy debate comes in. Seemingly faced with an intractable problem and no solution, the DoC, with the backing of the FTC, has come up with a new approach to the problem, modeled partly on the "safe harbor" program it developed the last time privacy was causing problems, and partly on the systems that have been used to decide Internet technical issues for the past decade.

In what we will call the "multi-stakeholder sandwich", the DoC is hoping to find a hybrid solution to this highly complex problem. In the middle lies a policy-making process open to all, with the US government acting as convener, and the end goal of codes of conduct. At the front is the Consumer Privacy Bill of Rights - principles that will act as a guide. And at the back, the FTC - legally empowered (within the US at least) to enforce the codes of conduct.

Such a model, on paper at least, avoids many of the problems associated with self-regulation, as well as with legislation. It also makes use of a system of decision-making that has been used, with varying degrees of success but increasing sophistication, by organizations such as ICANN, the IETF and the IGF.

Finding a workable solution to privacy issues on the Internet is going to be one of the greatest balancing acts of modern times, not least because the issues are so new, and the consequences so significant.

Whether the extraordinary communicative possibilities that the Internet offers will be used to reach a common end point, to encourage all parties to work in tandem to achieve a spectacular feat, we will have to see. Such an approach requires all the actors to move outside of well-worn habits and put consensus above all else.

Regardless of the end result, what the US approach will provide is a fascinating parallel track to the traditional legislative approach that Europe has just embarked upon. By 2015, we should have a pretty good idea whether the decision-making systems used to build the Internet in a technical capacity will work as effectively in dealing with the social problems that it continues to generate.