Given the almost daily news about a new security breach, it is impossible to conclude that the tech industry is doing enough to protect privacy.
That was the message from Democratic Federal Trade Commission member Rebecca Slaughter at a Chief Privacy Officer roundtable at CES 2020 in Las Vegas. She said it would not make much sense to draw that conclusion.
But while that general conclusion is pretty straightforward, Slaughter told her tech company audience, what to do about it cannot be generalized. She said that is very company-specific, industry-specific and practice-specific, and must protect not just from today's harms but from ones that can be "downstream" but are a result of current practices.
Jane Horvath, Apple's top privacy officer, agreed that the tech industry can never say that it is doing enough to protect privacy, but said that Apple was focused on privacy by design and had the buy-in of its top management. "We should always be doing more," she said. "We always have to be pushing the envelope."
She said Apple was focused on putting consumers in control of their data.
Facebook chief privacy officer Erin Egan, whose company last fall agreed to pay $5 billion to settle an FTC complaint about handling of user data, said Apple's privacy-by-design approach resonated with how Facebook approached privacy, citing the built-in accountability in their FTC settlement order.
Egan said the key is what people "expect" about how their data is being collected and used. She said the heavy lifting will be making sure that people understand that.
She talked about the company's launch of a "privacy check-up" tool to help users know who is using the data, and why, and whether they are comfortable with that.
Slaughter pushed back on some of the "consumer in the driver's seat" focus. She said consumer control is important, but that she is concerned about a universe in which "the entirety of the burden to protect one's data lies with the consumer."
She said that even if consumers can "walk through a privacy checkup," the amount of info they would need to process to understand what is happening to their data is "untenable." She said she is pretty savvy about privacy and she can't possibly figure out what is being done with all her info in first-party relationships, not to mention third-party sharing.
She said there also needed to be some burden shifting to the "collectors and stewards" of the data, for example to minimize the data collected so there is not an "endless trove" that can disappear into the ether.
Horvath said Facebook does use data minimization principles, including "differential privacy," which is giving consumers choice without their sacrificing privacy, and on-device privacy, so that the devices are "smart" and can see the info, like facial recognition, but Apple doesn't.
Egan agreed with Slaughter that the user should not be burdened, and pointed out that on the policy front, the legislative model is moving away from consent to responsibility, fiduciary obligations and accountability for the platforms, as well as de-identifying and differential privacy.
But she said that while some smarts reside on the device, like an Oculus, it can't always stay there because people come to Facebook to share and connect. "That needs centralization." But she said that doesn't mean it is less privacy protected.
Egan said she thought privacy was protected today on Facebook. Slaughter said she did not want to talk about specific services, but said she did not think privacy was currently protected today "as a general matter."