Apple exec explains privacy protections, while Facebook leader looks for loopholes
At CES 2020, Facebook privacy officer says new California law doesn’t apply because the company doesn’t sell data, only ads.
Based on a CES 2020 roundtable discussion among privacy officers, your opinion on data privacy depends almost entirely on where you work.
Privacy officers from Apple and Facebook both said that the companies use a “privacy by design” approach, but what that means is very different for each company.
For a consumer goods company like Procter & Gamble, protecting consumer privacy can be a competitive advantage because switching costs are so low in those markets.
From a regulatory perspective, there is little guidance for industry and few meaningful protections for consumers.
“What Consumers Want” was the title of the session, but the conversation centered on what companies would most like to happen with data privacy regulations.
Consumer bears the privacy burden
Rebecca Slaughter, a commissioner at the Federal Trade Commission, said the current privacy rules put too much burden on the consumer to defend individual data privacy.
“Today, even if consumers can walk through a privacy check up, the amount of information that you have to process to figure out what is happening with your data is untenable for most people,” Slaughter said. “I’m an educated person about data, and I can’t figure out what’s being done with my data and that’s just with the first-party companies I have a relationship with.”
Slaughter said that data collectors–like Facebook and Apple–should minimize the amount of data that is collected, retained, and shared. She also was careful to state that she was speaking on behalf of herself, not the FTC.
SEE: CES 2020: The big trends for business (ZDNet/TechRepublic special feature)
Jane Horvath, senior director of Global Privacy at Apple, had a few examples of specific decisions Apple has made to minimize data collection. Horvath said that the company uses differential privacy to inject noise into a dataset, which makes it harder to link a specific action to a specific user. She also said that some data processing is done at the device level, instead of on the cloud.
“Now you can build your models on your servers and send the models down to the phones, and you can sync the learning on one phone across an encrypted cloud across all devices,” she said.
She also added that all Siri and Map data are sent to the server identified with a random number, not a user’s Apple ID. Apple also limits location data collection based on the type of request.
“If you ask Siri about the weatherer, the phone only sends up city level data,” Horvath said. “If you ask where’s the nearest gas station, that is a time when you need lat and long.”
Which rules apply to Facebook?
Facebook’s representative on the panel took a different approach to discussing privacy by arguing that the company does not collect data and is instead a service provider–providing advertising to clients–not a data collector.
“You can offer a privacy-protected ad model, and we do,” said Erin Egan, vice president of public policy and chief privacy officer for policy for Facebook.
Later, Moderator Rajeev Chand asked how Facebook was going to comply with California’s new privacy law. Egan said that because Facebook was a service provider, the law didn’t apply to the company.
SEE: What businesses need to know about the California Consumer Privacy Act (CCPA) (TechRepublic Premium)
Randomly, Egan started her remarks earlier in the session with a plug for the Ring doorbell, an Amazon product that has been under a lot of scrutiny for its shady data sharing practices. The company announced tighter controls over access to the device’s video feed at CES 2020.
Limiting data collection
Slaughter pointed out that most of the time, a consumer doesn’t know when one company shares data with another and that de-identification is not a useful approach for data privacy.
“De-identified data is only meaningful if the data can’t be re-identified,” she said.
Slaughter also said that companies should define the minimum amount of data that can be collected, shared, and used so that consumers are not being harmed in the process.
“I think we operate in a universe where we ask those questions a little too late,” she said.
Slaughter used the example of a recent FTC settlement with Retina-X. The company built MobileSpy, PhoneSheriff, and TeenShield, apps that shared detailed information about call history, text messages, photos, GPS locations, and browser history without the phone user’s knowledge. Retina-X agreed to stop distributing the apps because they could not make sure purchasers were using the apps for legitimate purposes. Purchasers often had to jailbreak the phone to install the apps.
Chances for a federal data protection rule
Horvath from Apple said that the US should consider what happened in Europe when the European Union’s first approach to data privacy was to encourage each member state to pass its own law, and the result was a bunch of incompatible laws that made data sharing impossible.
“We should consider a strong privacy law that is consistent across all 50 states that provides all consumers, regardless of where they live, the same protections,” she said.
Slaughter agreed that a federal law would provide transparency and consistency for businesses but refused to predict when this law might be passed.
An audience member proposed a standard privacy label similar to the nutrition label–a consistent description of what data a consumer shares and what is provided in return.
Susan Shook, global privacy officer, The Procter & Gamble Company, said industries should collaborate to establish common data security standards.
“We’re not apples to apples right now on privacy policies because there are many ways to solve the privacy question,” she said.