Control use of data to protect privacy
Massive data collection by businesses and governments calls into question traditional
methods for protecting privacy, underpinned by two core principles: (i) notice, that there
should be no data collection system whose existence is secret, and (ii) consent, that
data collected for one purpose not be used for another without user permission. But
notice, designated as a fundamental privacy principle in a different era, makes little sense
in situations where collection consists of lots and lots of small amounts of information,
whereas consent is no longer realistic, given the complexity and number of decisions
that must be made. Thus, efforts to protect privacy by controlling use of data are gaining
more attention. I discuss relevant technology, policy, and law, as well as some examples
that can illuminate the way.
We live in an era of an explosion of data. For a variety of reasons, including mas- sive collection by both the private sector and governments, as well as the ease of computing correlations—from which information can be derived even about people
whose data are not in the set—the old methods
for protecting privacy no longer work. An old
protection made new, managing use, now seems
the most appropriate way to secure privacy. Controlling use is complex, but combining technology,
policy, and law is the best way to control incursions from businesses and governments.
The principles governing data protection are
40 years old. The Fair Information Practices
(FIPs) were developed in response to the rise in
the 1960s of computerized data systems. Coming
originally from a report from the U.S. Department of Health, Education, and Welfare (1), the
FIPs were revised by the Organization of Economic Cooperation and Development (OECD)
(2). The more expansive OECD privacy principles
have been the basis for many national and international privacy regulations.
Notice, consent, context
User control sits at the heart of the FIPs. Transparency and/or notice says that there should be
no data collection system whose existence is
secret; access, that there should be a way for
the data subject to find out what information is
in her record and how it is used; consent—
sometimes called choice—that data collected for
one purpose not be used for another without
user permission; redress, that the data subject
must have the ability to correct inaccuracies;
and integrity and security, that the data collector
keeps reliable records and protects them. In
1998, the U.S. Federal Trade Commission (FTC)
identified these as the “five core principles of
privacy protection” and noted that notice was
fundamental, calling choice or consent the “
second widely accepted core principle” (3).
Whereas the U.S. and Europe have taken dif-
ferent routes to protecting privacy—the U.S. using
sector-specific protections (financial data, bank-
ing information, health records), Europe pursuing
broader data-protection schemes—both empha-
sized notice and consent. But, although the
FIPs made sense when an individual could dis-
cern and react to a data-collection event, this is
no longer true.
Consider data collection from a smart phone.
The combination of information from the user
and aggregated data from others can improve her
experience. For companies, such data promotes
faster, more-targeted services (and advertising),
ties the consumer more strongly to the business,
and boosts profits. For researchers, massive data
illuminates connections that might not have been
apparent and may uncover correlations that are
Because data collection involves compilation of
massive amounts of small bits of data, notice and
consent are difficult for users to manage. Should
collection of phone location data increase when a
traffic accident blocks a popular route? What if
the user is on a private assignation that day? That
a service that provides up-to-date route information also collects up-to-date location data is not
something all users realize (although they should).
Frequent queries about permission for collection
create a situation in which the user inattentively
clicks “Yes”—not exactly a win for privacy.
Notice simply doesn’t make much sense in a
situation where collection consists of lots and
lots of small amounts of information (Fig. 1).
Written to cover all contingencies, privacy notices
are not designed for human use. A 2008 study
showed that the average reader would need
244 hours simply to read the privacy policies
for all websites she accessed in a year (4).
Consent is often not an option. Almost a dec-
ade ago, Fred Cate noted, “If consent is required
as a condition for opening an account or obtain-
ing a service, a high response rate can always be
obtained” (5), whereas a 2014 President’s Advis-
ory Committee on Science and Technology (PCAST)
report on big data and privacy observed, “Only in
some fantasy world do users actually read these
notices and understand their implications before
clicking their consent.” (6).
Sometimes the user is not even given a choice
about consent. Because of overwhelming com-
plexity, Google, whose Android platform dominates
the consumer smart phone market (7), decided to
put permissions for information access into groups.
Thus, a user lacks the ability to conduct fine-
grained decisions on which information to permit
apps to access (8). The user moves on, rarely ex-
amining—or withdrawing—consent afterward.
A fundamental problem is that seemingly in-
nocuous data may trigger a privacy incident. Using
the history of buying patterns of other customers,
Target predicted a teenager’s pregnancy from her
vitamin purchases (9), and the ride-share firm
Uber claimed to be able to discern one-night
stands from the usage patterns of rider pick-up
and drop-off data (10). Solon Barocas and Helen
Nissenbaum noted, “The willingness of a few in-
dividuals to disclose information about them-
selves may implicate others who happen to share
the more easily observable traits that correlate
with the traits disclosed.” (11).
Context matters in privacy. That idea first espoused by Nissenbaum a decade ago (12) is gaining support in policy circles, including in the White
House Consumer Bill of Rights (13) and a recent
FTC report (14). Massive amounts of data create
such personal and societal benefits that collection is unlikely to stop.
The FIPs protected privacy through notice and
consent, but for reasons of complexity (too many
tiny collections, too many repurposings), those
are no longer effective. Nonetheless, notice and
consent provide benefits: notice, for transparency, and consent, for certain types of data or use,
as well as for controlling context (15). But the
value of big data means we must directly control
use rather than using notice and consent as proxies
(6). That is true no matter who the collector is.
This is easier said than done. Big data provides the patterns that allow us to use resources
efficiently. Determining how to continue to collect and use big data, but control its use, is complex. The tools are technology, policy, and law,
and there are some examples that can illuminate
Once the most solitary of activities, reading is
losing the privacy between the reader and the
page. Amazon and other purveyors of e-books
have discovered multiple ways of tracking activity: where readers start, what they reread, whether
they mark a passage, if they finish the text (16).
THE END OF PRIVACY
504 30 JANUARY 2015 • VOL 347 ISSUE 6221 sciencemag.org SCIENCE
Worcester Polytechnic Institute, Worcester, MA 01609, USA.
*Corresponding author. E-mail: firstname.lastname@example.org
“Controlling use is
complex, but combining
technology, policy, and
law is the best way to
control incursions from