Privacy Bill of Rights Must Look Beyond the Symptoms of the Problem to the Root Cause

This week's Privacy Bill of Rights hearing and headlines are proof that the time has finally come to address consumer privacy. Unfortunately, the action thus far is not nearly enough. It may be tempting to say that the devil is in the details of the various bills, but the problem here isn't even in the details: it is that regulators and others are focusing on the symptoms rather than the ultimate causes of our failing online privacy.

Creepy behavioral advertising is the most visible symptom of our privacy-deficient society, but it is not the ultimate problem. Every overly-familiar advertisement ("how did it know that I've put on a few pounds recently?") is just a reminder that many companies will sell every bit of personal information they have about you in exchange for a few pennies of revenue. But the real problem is that there is such a marketplace in personal information at all, not just that it is exploited for advertising.

The drive to make money from your personal information is much larger than online advertising. Your data is packaged and sold to every bidder, not just those that use it to show ads in your browser. Legislation that papers over creepy online advertisements might make the problem less visible, but it won't make our privacy foundations solid. Unless we follow with comprehensive privacy reform, then headlines about "do-not-track" will only provide false hope.

Don't get me wrong. A well-implemented "do-not-track" law will improve privacy. Consumers deserve to how their browsing habits will be treated by the sites they visit. And a well-written "do-not-track" will give consumers meaningful control over how their browsing habits on one site (a glance at a recipe for low-calorie shrimp marinara) can be used by others (a week's worth of advertisements for weight-loss surgery). The law will have to be written carefully to allow legitimate innovation, including features such as Facebook's "Like" button (such as the one on this page): is "Like" a form of tracking, a useful feature, or both? But empowering legitimate innovation is a challenge that can be overcome.

What really scares me is that online advertising and behavioral tracking is only the tip of the data iceberg, both in terms of value and in terms of future danger. Everyone sees advertising, so everyone thinks about it all the time, but there is a massive and frightening economy in personal information that goes un-reported and un-legislated.

The biggest threat to privacy is the packaging and sale of private data that happens behind the scenes. The Internet has created a marketplace in all kinds of data for use and abuse by third parties like lenders, insurers, employers, health care providers, scammers, and peeping neighbors. These uses are largely unregulated today, and exist in a shadowy underworld of data sales. And most of this data doesn't come from online behavioral tracking; instead, it is compiled from everything from voter records to survey cards to social profiles. It is combined in ways that consumers don't anticipate, then sold off to every interested buyer.

Consumers often never know that their data is being packaged and sold by data brokers; they don't see evidence of this marketplace in private information every time they open a web browser, and it has thus far escaped attention on the Hill. But countless websites offer both wholesale and retail storefronts for your personal information. With just clicks, it is possible for anyone to go online and find your address, the names of your relatives, your creditworthiness, your occupation, and a street-level photograph of your house -- all neatly packaged into one convenient interface. Nosy neighbors can browse through profiles about anybody they want to snoop on, and marketers can download this information in bulk from, filling their computers with gigabytes of detailed personal information.

Most consumers don't realize that their data has been sold until it is too late: whey they are stalked, scammed, denied a job, or declined for health coverage. And consumers are powerless to correct this information when it's wrong; all too often, data brokers provide a dead-end to concerned consumers. It's all part of your permanent digital record, whether you like it or not.

This underground economy treats consumers as commodities and strip-mines their privacy for profit. Stopping behavioral tracking won't stop these abuses. Consumers deserve to know where and how all of their personal information is being used, not just by advertisers, and they deserve the right to control their digital privacy

Today's attention to Internet privacy is extremely promising. But we must be certain that we're driving meaningful reform, rather than just plastering over the most obvious symptoms. The way I see it, comprehensive Internet privacy reform requires giving individuals control and ownership over their data. Putting the brakes on advertisers with "do-not-track" is just the beginning.