Privacy and Big Data by Mary E. Ludloff, Terence Craig

While there are all kinds of privacy players weighing in on whether one should be fearful or sanguine about the state of privacy today, they can be categorized into four distinct groups:

For each of these groups, the intrinsic value that our personal information represents may be quite different but in all cases, it is significant. Certainly, any company or person engaged in advertising would attest to that. But while advertising may be at the center of the privacy debate, there are all kinds of players who derive considerable value from our personal information. That being the case, online advertising has pushed the technology envelope for creating and maintaining detailed digital profiles (behavioral and otherwise) of each and every one of us.

Online advertising, although very different in terms of scope and types, follows the same business model as offline advertising. It is quite simple: “... consumers are paid with content and services to receive advertising messages and advertisers pay to send these messages.”^[29] Theoretically, any website delivers content and services in some form or another, so any website (and the company or individual behind it) could include paid advertising on its pages and profit from it. For advertisers, this represents a new frontier to explore with costs that are far less than traditional venues, along with the intriguing possibility of gathering much more information about their targeted audiences which translates into more effective advertising and ultimately, more sales.

It all began in 1994, when HotWired, the first commercial web magazine, displayed an AT&T banner ad which was the first of its kind. Until then, advertising was limited to offline publications, such as magazines and newspapers, store displays, product packaging, television, radio, telephone, and of course, the universally despised direct mail pieces that filled up all of our mailboxes. At that point, most of the web consisted of static content and was viewed as just another (new) advertising channel.

AT&T bought the ad based on the number of impressions (as in the number of individuals who viewed the ad). This quickly evolved into the cost per 1,000 views (CPM) and then in 1996, Proctor & Gamble negotiated a deal with Yahoo! where ads would be paid on a cost-per-click (CPC) basis. This is very similar to the payment method employed by direct marketing houses and telemarketing organizations. Up until 2008, this was the standard way in which online advertising fees were based.^[30]

Thus, a very large and profitable cottage industry was born, intent on creating and using technology to track (and record) how individuals navigated the web, what they looked at, and what they bought as well as a plethora of companies that operated on the publishing or advertising sides to facilitate the creation, placement, and tracking (including ROI) of ads based on targeted profiles. At the forefront of all of this was tracking technology (simple by today’s standards) designed to follow the user around and essentially, document his (or her) every digital move. Today, ETags, cookies, flash cookies, beacons, supercookies, and history stealing are all employed to track and collect what you do online from any device by the sites you visit and from unknown third parties (one step removed, such as an ad on a page that you visit). Location tracking, where geo-location data generated from cell phones can be used to triangulate your location at any given time, is also on the rise as is its use in targeted mobile advertising. All of this information can be tied directly back to you; the days of assuming anonymity on the web are over.

From an advertising perspective, the Internet is unique in the amount of information it can generate and collect about individuals and groups of individuals which leads to higher quality and more targeted segmentation (creating a target audience based on a selected set of variables). The key here is that the more you are able to accurately target a prospective buyer in terms of his behavior (i.e., behavioral advertising) the better your return (click through and conversion rates go up). Added to that, technology has advanced to such an extent that ads can be placed in near real-time. For example, if you are on an orthopedic site reading about a specific knee brace and then go to another website, a banner ad pops up with an ad for knee braces (just seconds later). Or you receive a 50 percent off coupon on your mobile device for the restaurant you are walking by. Finally, traditional offline advertising mediums are either dying (print magazines and newspapers) or waning (network television and radio) as consumers increasingly favor digital and streaming media as well as hanging out on social media sites, all premier publishing venues for advertisers.

From a publishing perspective, pretty much any site can incorporate advertising into its business model as a revenue channel. The rise of advertising intermediaries—those companies that broker ad buys or placements for a fee (from either the advertisers or publishers perspective) and networks that do the same but work at an aggregated level—have made it possible for even small businesses, organizations, and blogs to create a substantial advertising revenue stream. Of course, this entire ecosystem is supported by the data suppliers and markets that deliver detailed information about each one of us. It goes without saying (but we will) that their most important asset is everything they individually and collectively know about us.

However you cut it, online advertising (made up of search, banner and video ads, classifieds, rich media, lead generation, sponsorships, and email) is big business. A recent forecast, courtesy of eMarketer, estimates that online ad spending will reach $31.3 billion in 2011 (with Google taking the lion’s share), up 20 percent from last year, and is projected to reach $50 billion by 2015. It accounts for nearly 20 percent of the major media dollar spend in the U.S. this year and is expected to make up almost 28 percent of the total spend by 2015. So while Google, Twitter, Facebook, LinkedIn, Yahoo, and Foursquare may offer diverse services to their users, their revenue and valuations are driven by the data they collect and the multi-billion dollar value it represents to advertisers.

When it comes to advertising and privacy, it could be argued that advertisers don’t care about what we do or where we go, they do not act as moral arbiters on our lives. They are simply interested in one thing: getting us to buy what they’re selling. If a privacy debate is framed with this in mind, it is easy to say that the impact is rather benign: what are a few more targeted ads delivered to your mobile when you’re near a particular store or served up to you when you’re surfing for a specific item? What’s the harm in trading your information for a specific service? Here’s the rub: the information collected about us is not just used by advertisers to sell stuff to us. It’s used for myriad purposes, none of which we have control over.

While the advertising industry is interested in collecting data to get us to buy something, certain sectors heavily dependent on the protection of intellectual property (IP), like the recording, publishing, television, movie, and software industries, are far more interested in what we do with the items after we buy them. As we’ve said before, the digital age has been a disruptive force and while the advertising industry has leveraged it to vigorously pursue their business model, other industries have watched theirs crumble.

The free and easy digitization of all kinds of “property” whether it is music, movies, books, or video, has caused some powerful groups, like the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA), and their counterparts in the EU, to advocate for technology that protects their merchandise which strikes at the heart of the privacy debate. Essentially, they want to monitor, control, and in some cases, remove or delete their products on any devices we own to protect their intellectual property rights. To do this, they are enlisting the support of other parties, including hardware manufacturers, Internet Service Providers, the legislature, and law enforcement agencies. Most disturbing for privacy advocates, almost all of their approaches require the ability to uniquely identify and associate digital devices and their uses with its owner. We don’t know about you, but we find this troubling at best and far more intrusive than anything the advertising industry has come up with. What exactly does purchasing and downloading, say an online book, really mean if someone can take it away from us without our permission?

Intellectual property law has been around, in some form or another, since the 1500’s and unlike privacy, is explicitly granted in the U.S. Constitution (Article 1, Section 8, Clause 8). It is designed to grant owners of intangible assets, like musical, literary, and artistic works, or discoveries and inventions, certain exclusive rights to that asset. In the U.S., there are laws and certain protections given to IP which can be broadly categorized into the following:

Essentially, intellectual property laws protect intangible assets from theft or piracy and certainly the digital age has brought into question just what those terms mean. The advent of file sharing, where music, video, movies, and documents are easily shared between devices, propelled by the rise (and then fall) of first generation peer-to-peer sharing networks, like Napster, Grokster, and Madster, as well as the continued success of BitTorrent-based sites like The Pirate Bay has brought two ideologies into direct conflict: those who want to protect IP at all costs versus those who argue that the Internet by definition is designed to easily facilitate the sharing (as well as copying) of information between users.

To protect their IP, the recording industry went after Napster and Grokster as well as all commercial peer-to-peer networks. In 2005, it won a significant round as the Supreme Court found that “...file-sharing networks that intentionally profited by illegal distribution of music could be held liable for their actions.”^[31] This ruling caused most peer-to-peer networks to shut down or work out some sort of legal distribution agreement (for example, Apple’s iTunes business model) with the record companies.

Of course, as in most things, money, specifically the perceived economic loss incurred by the sharing and copying of “pirated” files, formed the heart of this conflict. One of the more famous figures bandied about is “that 750,000 jobs and up to $250 billion a year could be lost in the U.S. economy thanks to IP infringement.”^[32] These statistics and others, like the Business Software Alliance’s estimate that the U.S. piracy rate for business software is 20 percent or $9 billion in 2008 and the Motion Picture Association’s estimate that its studios lost $6.1 billion to piracy in 2005, have been debunked by none other than the Government Accountability Office who came to this conclusion:

While estimates of the economic damage caused by piracy and counterfeiting were, and are, questionable, it did not stop these industries from lobbying and receiving legal digital copyright protection. The Digital Millennium Copyright Act (DMCA, 1998) and the European Union Copyright Directive (EUCD, 2001) implemented the World Intellectual Property Organization’s (WIPO) Copyright Treaty (1996) that specified the following:

The concept of digital rights management (DRM) is quite simple: it is technology used by IP holders (publishers, hardware and software manufacturers, etc.) to control access to their copyright materials on digital devices. Out of the desire for an advanced DRM system, Microsoft, Intel, IBM, HP, and AMD got together and formed the Trusted Computing Group (TCG). The goal of this group was to develop a standard for a more secure PC or as Ross Anderson puts it:

The TCG introduced the Trusted Platform Module (TPM—yes, we love acronyms as much as you do!) which is a specification and also a modifier for hardware that implements that specification, like the TPM chip. You may also know the chip by another name, the Fritz chip. It was named in honor of Senator Fritz Hollings of South Carolina who wanted the chip in pretty much every device we own:

The TCG, TPM, and Fritz chip have all been met with a great deal of controversy. Besides the concern that TPM and the chip (which is now used by almost all the notable PC and Notebook manufacturers) would cause consumers to lose all anonymity in online transactions, some have argued that the TCG members have, by virtue of their alliance, made themselves far more powerful to the point of monopolistic and unfair business practices. Others have pointed out that whoever controls the infrastructure becomes a single, powerful point of control. Anderson equates this to making everyone use the same bank, lawyer, or accountant.^[36] There is also the issue of remote censorship as digital objects can be easily removed from any device—without users’ permission. Amazon certainly illustrated the power of TPM when it removed two of George Orwell’s books, Animal Farm and 1984, from customers’ Kindles:

Outside of the monumental potential for abuse by large corporations and governments (and all of their agencies), when fully implemented, TPM essentially strips us of any expectation of privacy or anonymity. It uniquely identifies every device, ties that device to its owner(s), and then monitors and reports back on what is read, written, watched, or listened to. Do we really want any government or corporation to be able to easily monitor and decide what we should or should not be reading or what software we are allowed to use on our devices? Now, although the Fritz chip can be found in most PCs, it has been banned in China. For some odd reason, the Chinese have no interest in giving U.S. corporations (or their government) the ability to turn off the operating system for every computer connected to the Internet.

While the EU is pushing for a right to be forgotten, it appears that powerful IP players are pushing for the right to know everything about what we do with their IP. Historically, this has never been the intent of copyright law, as Marc Rotenberg noted in a Senate Subcommittee hearing way back in 1998:

Better yet, it appears that we no longer own our digital assets as copyright holders, or those acting in their interests, can remove it. Instead, we are merely renters but with far fewer rights than renters of physical property.

It is interesting to note that while individuals and their use of IP assets have been under tremendous scrutiny, a far more insidious threat has been, until recently, flying under the radar: the theft of patents, trade secrets, and copyright assets due to cyber attacks whose scope, sophistication, and targets suggest that this is the work of nation states, not individual hackers. A recent study by McAfee uncovered that the networks of “72 organizations including the United Nations, governments and companies around the world had been infiltrated”^[39] which is considered to be “... the biggest transfer of wealth in terms of intellectual property in history.”^[40] Our point is this: instead of focusing on individuals, perhaps the government, large IP holders, their assorted lobbyists, and industry groups should be turning their attention to this much larger threat to intellectual property.

While the IP stakeholders have been busy redefining “privacy” for their own ends, Google, Yahoo, Facebook, and others have been equally busy making billions of dollars collecting our data and using it for targeted advertising. Of course, any company or organization that collects data can offer it for sale or free. Certainly, federal and state agencies, in their move toward a more open and transparent government, have made many comprehensive data sets available for public use (ranging from census to weather to loan and property information). Sometimes this data is sold, as illustrated by the state of Florida who made $63 million dollars last year by selling DMV information (including name, date of birth, and type of vehicle driven) to companies like Lexus Nexus and Shadow Soft. Sometimes this data is made available due to state transparency laws, as illustrated by Florida’s public display of mug shots on government websites. This action formed the basis of several businesses, the most lucrative being one that helps you remove your arrest information from public websites.

It is, however, the big companies and their ecosystems that are most responsible for pushing the privacy envelope and most of them are involved, in one way or another, with social networking (like Google, Yahoo, Facebook, Twitter, Groupon, LinkedIn, and Zynga). These companies are in the primary business of data: collecting, sharing, and even selling users’ information. Most of them, unsurprisingly, have also pushed the privacy envelope:

These giants are the owners of a treasure trove of personal information. How did they collect it? Much of it was (and continues to be), given away by individuals in the course of interacting with each other on these sites. Some of it was obtained through the employment of digital tracking, known or not, as shown by the Wall Street Journal who conducted an experiment to explore the use of digital tracking. In this experiment, the Journal discovered that 50 of the most popular sites (representing 40 percent of all web pages viewed by Americans) placed a total of 3,180 tracking devices on the Journal’s test computer (in a simulation of a normal user surfing sites, buying goods, and interacting with others via social networks). Most of these devices were unknown to the user.^[42] Additionally, the Journal discovered that Flash cookies “... can also be used by data collectors to re-install regular cookies that a user has deleted. This can circumvent a user’s attempt to avoid being tracked online.”^[43] A Stanford study also found that half of the 64 online advertising companies (including Goggle, Yahoo, AOL, and Microsoft) it examined continued tracking even when do not track options were activated. So even if we, as users, are proactive about privacy it does not follow that the collectors will be prevented from gathering information about us.

Adherence to privacy policies and practices are also under fire. Facebook is well known for its questionable privacy policies which are based on defaulting user sharing to a public option (although Google’s launch of Google+, which defaults user sharing to a private option, has caused Facebook to change some of its practices). Last year, it was revealed that third party Facebook applications were able to collect personally identifiable information for Facebook users, specifically user ID numbers that could “...be used to look up the user’s real name and sometimes other information users have made public, and potentially tie it to their activity inside the apps.”^[44] This year Facebook renewed concerns about its privacy policies with the release of its Tag Suggestions feature based on facial recognition technology that would enable its users to more easily identify and label friends and acquaintances who appear in their posted photos. The reason for concern is that this feature was offered as an opt out, meaning that users would have to manually go into their settings and turn it off.

The issue of opting out versus opting in for any feature or service is central to the privacy debate. Proponents argue that the use of opt out erodes users’ privacy without their knowledge and enables collectors to collect even more personal information, pushing the privacy envelope even further. So what privacy concerns you might have had prior to the introduction of a new feature or service, becomes a social norm because “everyone is doing it.” Most collectors caught using opt out argue that the loss of privacy was accidental as there was no intent to invade one’s privacy but merely to make it easier to adopt a new great feature. In our view, that is a dubious claim at best given the clear economic benefits to the collector.

Should you think this type of behavior is limited to Facebook, think again. After going public, LinkedIn announced in its blog that it would allow advertisers to include us in ads if we recommended their product or service. Specifically, buried within each member’s account settings profile page it described its new service this way:

This feature was already turned on for all the LinkedIn members and required opting out to turn it off. More importantly, most members were unaware of this change until it was reported by the media. Groupon also recently announced a significant change in its privacy policy in an email to all its users. It will now be collecting more information about its users to share with partners and using geo-location information to market to them.

If your business model is predicated on the collection and ownership of personal information that results in a revenue stream worth billions of dollars, it stands to reason that you view this information as your property. As such, you can buy it, rent it, and sell it. It is also in your best interest to discover, via trackers, services, or new features, as much as you can about the people who use your site. After all, the more targeted the profile the more valuable it becomes to the advertiser. For these companies, stringent privacy regulations would curb their ability to make money and in their words, “deprive consumers from advertisers’ abilities to serve up more relevant ads.” This is certainly the case lobbyists are making for Google (spending $5.2 million in 2010), Yahoo ($2.2. million), Apple ($1.2 million) and Facebook ($350,000). While the first part of this argument makes economic sense, it is disingenuous to suggest that consumers, who have indicated through a number of surveys their growing disapproval (up to 86 percent) of tailored advertising, would feel deprived by less invasive advertising.

From a privacy point of view, data markets and aggregators follow the collectors’ play book. They also offer a treasure trove of personal information, but often on a much larger scale since they function as marketplace platforms where anyone can search and find data sets to fill almost any need while companies, organizations, and individuals can offer up their data sets for sale.

Data markets can be quite specific (focusing on a single market, for example), or quite broad (multiple subjects or audiences, sets of tracked behaviors or other variables, with historical performance and indicators, as examples). Thomson Reuters offers data about the risk of doing business with an individual or a company; InfoChimps offers a broad range of data sets; Gnip is focused on social media feeds; Microsoft Azure offers data sets and services oriented toward (and from) its customers and partners; and Neilsen offers data sets and services oriented towards the industries it covers (media and entertainment, consumer packaged goods and retail, and telecom). There are also data markets that specialize in advertisers’ interests, like Rapleaf, Acxiom, ChoicePoint (now Reed Elsevier), Quantcast, and BluKai, who provide targeted user profiles (including email addresses, resident addresses, names, income, social networks, and much more) through the aggregation of many data sets and the use of tracking devices. These are just a few of the markets out there: there are hundreds of companies that operate as middlemen for all kinds of data categories, many offering analytics and other services to help transform the data into information that can be acted upon (whether the action is to place an ad, determine the whereabouts of a person, ask for a charitable donation, predict where a crime may occur, or identify protestors in a march).

Just like the collectors, these players have little interest in comprehensive privacy regulations or guidelines as it does not serve their business models. For example, last year Rapleaf came under fire for linking user names and email addresses to specific social networking profiles and then selling that information to third parties. And, like Facebook, this was not the first time that Rapleaf was accused of privacy violations:

But with data markets, privacy violations are not always willful or known. The number of data sets available for purchase or free are growing as fast as the underlying data that drives them. The markets make it easy to find and buy any number of data sets, which sets in motion the leakage of private information, as evidenced by a recent AT&T Research study of 120 of the most popular Internet sites which found that:

In a previous study, AT&T Research looked at how third parties can link personally identifiable information (PII) that is leaked by social networks with other user actions on that site and on other sites.^[47] In other words, it is fairly easy to collect private information and link them to a specific individual as the study points out:

The emergence of new data analysis systems known collectively as “big data” have dramatically lowered the cost of merging and analyzing large data sets. These big data systems, including Hadoop, S4, CloudEra, StreamInsight, BackType (recently purchased by Twitter) and our own PatternBuilders Analytics Framework, make it relatively easy for companies and individuals to find, buy, and aggregate any number of data sets from any number of data markets, which, in turn, makes it that much easier to derive private information.

The more data you are able to collect and connect to other data sets, the easier it is to obtain what was thought to be private information and then tie that information to a specific individual. Once that link is made, you are then able to build a detailed profile, with multiple data sets providing you with more and more information. Certainly, a recent announcement by advertising giant WPP PLC about the launch of a new company, Xaxis, may give many privacy advocates pause (it certainly did us) as it will manage:

While WPP also points out that all this information is anonymous and that they will self-regulate, this much information about any one profile would make it fairly easy to attach a name, email address, and other personal identifiers.

In essence, data markets act as third party brokers of data sets. What happens after those sets are purchased and then used for any number of business or research purposes, is unknown. While the markets may be subject to ubiquitous privacy policies of the collectors and have their own privacy policies, it is not clear how data usage can be policed and enforced once the data changes hands. Anonymity may be promised, but as famously demonstrated by Netflix’s research contest, through big data it is often easily broken.

Much of the privacy debate focuses on the data, its collectors and markets. We are bombarded with information (as we have just shown) on how easy it is to track and collect data about us but equally important is the fact that, outside of advertising, there is a great deal unknown about how our data is, and could be, used. And while we understand what advertisers are doing with it, as Jeff Jonas said in a recent interview:

And there have been plenty of examples of the many ways in which our data is used—with or without our knowledge:

As shown in the preceding examples, it’s clear that various government agencies have taken a page or two out of advertising’s playbook, increasing their data collection efforts through collaboration with other agencies as well as third parties (commercial data collectors and markets), building large databases, and engaging in sophisticated data mining efforts. Some of these projects focus on operational efficiency (the Department of Veteran Affairs), others on fraud detection (Medicare and the IRS), criminal investigation (fusion centers), crime prevention, and counterterrorism. ^[54]

Certainly, various government agencies are intent on creating some very large databases:

Much of the efforts are focused, of course, on pulling together information from multiple data sources:

It’s clear that federal agencies are increasingly delving into “... the vast commercial market for consumer information, such as buying habits and financial records, ... tapping into data that would be difficult for the government to accumulate but that has become a booming business for private companies.”^[59]

However you may choose to characterize the U.S. privacy regulatory landscape, some effort has been, and is being, made to regulate privacy as it applies to the commercial sector. But our various government agencies are not held to those same regulatory standards as first shown by Miller v. United States:

Privacy advocates or not, all of us should be troubled by the lack of privacy protections afforded us by government agencies. They are the beneficiaries of large troves of valuable personal information and yet, are not subject to any regulations regarding the usage of it. How do we ensure that the regulators are in fact, subject to the same privacy policies and laws?

Once we give out personal information, it is out of our control; it can be collected, stored, sold, rented, used, and analyzed for any number of purposes. If we don’t know what will happen to our data as it passes through any number of hands, than how can we make any decision about what to give away and what to keep? Do we assume, as Danah Boyd recommended (see Chapter 2), that our online behavior is public by default and private by effort? Do we rely upon privacy watchdog groups, consumers, and the various regulatory agencies to monitor and identify the most egregious privacy violations to keep the collectors, markets, and applications providers (and users) honest? Do we lobby our legislature for more comprehensive privacy policies that apply to all government agencies? Some argue that privacy, as we knew it, no longer exists. But, throughout history (ours and the rest of the world’s), someone has always argued that very point. Perhaps we should say instead, that privacy must be redefined within the framework of our digital world.

While U.S. companies and various government agencies (ours and others around the world) are some of the largest collectors of personal information in the world, there are no comprehensive U.S. privacy regulations. Most privacy actions are handled in state courts via tort law where actual harm must be shown unlike the EU and other regions that have comprehensive privacy regulations and a very different view of privacy. As a result, much of U.S. privacy policing is accomplished through watchdog organizations, regulatory agencies (see Chapter 3), and industry self-regulatory agencies. And of course, blogs and the media can often be counted on to discover and report issues and violations.

There are a number of privacy organizations, like the Electronic Privacy Information Center (EPIC), American Civil Liberties Union (ALCU), and Electronic Frontier Foundation. These organizations cover privacy policy as it applies to children, smartphones, the government, social networks, and a host of others. They institute and/or cover legal privacy-related court cases, provide research and analysis, and give guidance on how to prevent privacy violations. For a comprehensive list of U.S. and international organizations and what they cover, go to EPIC’s^[61] online guide to privacy resources.

There are alliances and organizations, largely promoted by the advertising industry and data collectors in a bid to prevent more privacy legislation, which provide regulation guidelines and certify those companies that adhere to them. A coalition of trade groups recently announced the Digital Advertising Alliance, a program designed to self-regulate digital tracking practices and offer consumers who do not wish to be tracked an opt out icon. Participating companies include major advertisers, like AT&T, Verizon, Dell, and Bank of America, and major ad networks, like AOL, Google, Microsoft, and Yahoo. However, according to ComScore, of the top 200 advertisers, 181 are not taking part in this program.

The Network Advertising Alliance is an association of advertising networks, data exchanges, and marketing analytics services providers. It educates consumers on how they can protect themselves online, provides information on what is being tracked, and offers consumers a way to opt out of participating members behavioral advertising programs. There is also a Self-Regulatory Program for Online Behavioral Targeting, launched by some of the largest media and marketing associations (that represent more than 5,000 companies that advertise on the web). It features an Advertising Option Icon that alerts consumers if the site is engaged in behavioral advertising and offers an easy opt out.

As with any other part of the privacy landscape, the number of organizations that monitor various aspects of privacy as it applies to industries, topics, or issues, is vast. The cynics among us (and we are a part of this group) might be asking this question: if much of privacy enforcement happens after a violation, how many violations go unreported? In other words, how do we protect ourselves if we don’t know what we’re protecting ourselves from? Whenever there is a vacuum, something rushes to fill it up as evidenced by the number of companies offering consumers’ privacy solutions and providing businesses and organizations ways to certify that they meet privacy guidelines in the U.S. and abroad.

While the erosion of privacy may be big business, there are all kinds of companies rising to a different challenge: preserving, or often redefining, consumer privacy to better fit the digital framework in which we live. There are companies that help businesses and organizations certify they meet specific privacy standards. There are companies and a host of tools that help consumers block tracking and monitoring. There are companies that help consumers control their personal data in a number of new and interesting ways and there are movements intent on recasting privacy in the digital age.

Over the years, studies have shown that consumers are becoming more concerned about Internet privacy but, as a recent Harris Interactive Poll highlights, they are now also assuming responsibility for it: 92 percent indicating that they have some responsibility for protecting their data, a majority expecting organizations to assume responsibility, and 42 percent indicating that they trust themselves most to protect their privacy.^[62] They are also willing to pay for it. Recent research from Carnegie Mellon University indicates that privacy may very well be a key competitive advantage for companies in the digital age:

The success of online privacy solutions providers, such as TRUSTe, who has certified over 4,000 web properties, as well as the advertising industries focus on offering consumers tracking opt outs and more transparency on what is being tracked, certainly attest to an increasing focus on privacy from both a business and consumer perspective. Companies, like Google (via its Me on the Web and Ad Preferences tools) and RapLeaf (via its See Your Info page), are also providing information on what is being tracked as well as offering consumers the ability to edit information or opt out.

For savvy users, there are a host of tools available that block cookies, ensure email and file privacy, enable anonymous surfing, etc. For most, however, the sheer number of tools that may be employed for various aspects of privacy is daunting. But, just like antivirus software, it is likely that there will be privacy versions that combine these tools (or something like them) into one easy solution.

There are also new privacy business models that allow consumers to find out what information is available about them, repair false information, and even determine what information they wish to share with advertisers. MyPrivacy removes personal information from websites. MyReputation monitors your online presence and customizes it to present you or your business in the best possible light. SafetyWeb protects your child’s online reputation and privacy. Singly allows people to aggregate and own their personal data through digital lockers.

Privacy by Design (PbD), a framework for building privacy into products or services developed by Ann Cavoukian, Canada’s Information and Privacy Commissioner, is taking center stage as it forms the basis of the FTC’s proposed framework for businesses and policymakers. There is also a Silicon Valley trade group, the Personal Data Ecosystem Consortium which promotes and supports the idea that individual control their own data through the use of personal data stores and services as well as organizations, like the International Association of Privacy Professionals (iapp), focused on developing and supporting privacy professionals throughout the world.

There are many pundits who argue that privacy is dead but the desire for privacy certainly is not. While the emerging privacy ecosystem can help consumers regain some control over their personal information, they must do so within a digital framework. One way or another, a new era of privacy is upon us.

Our personal information is used to feed all kinds of business models. In fact, we are the fuel for what has become a multi-billion dollar economic engine. And once the data leaves collectors’ hands, we, the consumers, have absolutely no control over who uses it or for what purpose. Technology marches on—in the form of big data storage, access, and analytics, new and improved devices, embedded TPM chips, RFID tags on everything, the smart grid—and has made it possible to figure out who we are from three easily attained pieces of data: birth date, gender, and zip code. So where does this leave us?

Well, we’ve allowed our data to be collected in return for services that we value and the devices that we use. Perhaps we should ask ourselves this question again: how much privacy are we willing to give up for our online services and devices? If your answer is all of it, continue doing what you’re doing. If you find yourself wondering if this may be too high a price to pay, we don’t have any easy answers for you.

There’s an old saying: you can’t unring the bell. The data that we all put out there, knowingly or not, is out there. You cannot take it back. It travels through lots of hands, and is traded and copied. Although the EU is proposing a new law, the right to be forgotten (where websites may be compelled to delete all the data it has for a specific user), here is the unvarnished truth: that same information is most likely housed in databases all over the world. You will never be able to erase it.

So what can you do? Well, you can be more conscious of what you do online and understand that pretty much everything out there is public information and is for all practical purposes immortal. You can cull down the number of sites you belong to, put up fewer photos and videos, and understand that when you search for something it’s being tracked. You can use various tools to prevent tracking as well as monitor and ensure the security of your devices from malware. You can monitor the privacy websites and engage with your legislators on what can be done in terms of privacy regulations and policies.

But if you, like us, live in the industrialized world and desire a convenient and full life, your online privacy future is bleak. You can’t unring this bell, but you can reduce your exposure, keeping in mind that (similar to Las Vegas): “What happens on the Internet stays, on the Internet forever.” Our advice: your best bet for a semblance of digital privacy is to control how much information you put out there, keep yourself informed about how privacy impacts the technologies you use, and vote with your dollars against companies that abuse your trust.