
Google warns that privacy opt-in rules could create “dystopia”

Much as consumers cherish their online privacy, mandatory opt-in user data …

Imagine an Internet in which every website that uses behavioral advertising has to get your up-front permission to do so—make that double for login-account-informed ads, and triple if the site sells your data to third-party applications.

You might think that something like this would be a pretty cool setup, privacy-wise. So does Congressmember Rick Boucher (D-VA), who has been talking about legislation in this area for almost a year now.

"Consumers should be able to opt out of first party use of the information and for its use by third parties or subsidiaries who are part of the company's normal first party marketing operations," Boucher told the House Commerce committee's subcommittee on the Internet last June. "Consumers should be able to opt in to use of the information by third parties for those parties' own marketing purposes."

Great idea? Perhaps not for Google, two of whose top policy people just released a position paper warning of "opt-in dystopias"—environments in which cumbersome opt-in requirements could discourage users from engaging socially on useful sites, push service providers to over-collect user data at the point of consent, and turn the 'Net into landscapes of "walled gardens" in which consumers are reluctant and even afraid to explore new services. Such regulations could even help percolate the next extremist social moment.

"Opt-in is a rhetorical straw-man," these Googlists warn, "that cannot really be implemented by regulatory policies without creating a number of unintended side effects, many of which are suboptimal for individual privacy."

OK—we know what some of you are thinking (we're thinking it too). Here's a search engine giant that just loves collecting and making humongo-bucks off of user data, cranking out a laundry list of reasons why putting limits on its activities won't work. Heck, Google even bristles at the notion that it shouldn't keep that data forever.

Still, these are the arguments we'll be hearing as this debate heats up on Capitol Hill. Let's get Google's side of the story.

You don't know what you're missing

Google defines the opt-in/opt-out dichotomy as follows. Opt-in: "a proxy for gaining affirmative consent prior to the collection or use of information." Opt-out: "a proxy for collecting information without gaining prior consent."

One big problem with leaning heavily on the opt-in model, say these writers, is that it imposes two decision-making costs on users. First, they have to decide whether they want to bother with the technical opt-in process. Second, they have to think through whether the service is worth the trouble. This will dissuade less "technology-literate" groups of people from contributing to sites that Google thinks have great social value, among them Google Flu Trends, which tracks global flu activity using Google search data.

"Many users who would otherwise have benefited from using services that collect information may be deterred simply by a subjective feeling or inability to evaluate the initial costs of the offer as it stands," Google warns. Or, conversely, they may become "desensitized" to the opt-in process, mindlessly agreeing to every user consent agreement page, as do consumers when it comes to software license agreement forms.

Get the consent while you can

Stricter opt-in requirements could also shunt aside more nuanced systems of data collection negotiated between service providers and consumers—layered systems that ask for various kinds of consent over time. If websites know that they have to get permission for all their possible user information collecting up front, they're likely to set up longer, ever more complex initial user agreements.

"In turn, users will face more complex decisions as they decide whether or not to participate," Google predicts. "The only possible limiting factor is the point at which large losses in participation occur; in other words, the bundle size will increase to the limit of what users can maximally tolerate."

Google also worries that preoccupation with this problem will accelerate the widespread adoption of "single identity" or "tethered identity" systems—sites that allow users to aggregate their personal data for use on a variety of federated content and social networking services. In this context, "the ease of executing an overly broad law enforcement request would be far greater than in a regime of fragmented and unauthenticated data collection," the position paper warns. "The degree of behavior upon which an advertisement might be targeted would also be far greater. And the threat of exposure posed by a security breach would also increase."

Worst case scenario

But the biggest potentially dystopian result of an overbearing opt-in policy, fears Google, would be the "balkanization" of the Web. As privacy rules become stricter, and social networks and content sharing sites become more authenticated, users could become reluctant to explore new services. Mobility will decrease. Consumers will stick with sites that they know and share with their friends.

"There may also be broader social consequences caused by this balkanisation," Google warns,  even "grave" consequences, as users sequester themselves into communities of agreement.

"Research has shown, for example, that groups of likeminded people discussing divisive topics will arrive at more extreme views than groups of people with diverse views. If opt-in were to motivate the increased use of social networks for content distribution, society may become more extreme and less likely to reach community-based solutions to societal problems calmly."

Thus, badly deployed opt-in policies could presumably lead to more Weather Undergrounds, Birther rallies, or whatever far-left/far-right nutfest is making headlines this week. Clearly Google knows that its audience in Washington, D.C. is full of policy folk and sympathetic commentators who worry out loud about the "fragmentation" of politics on the 'Net.

As is so often the case with these industry-driven policy briefs, there's a somewhat contradictory, everything-but-the-kitchen-sink quality to this one. Stronger opt-in rules could scare users away from big chunks of the Web, the document suggests. But one wonders if they could wind up exploring cyberspace more as they become "desensitized" to security protocols. Tougher requirements could also drive users into huge crackable or government-seizable central identity systems, Google warns. Yet the search engine giant doesn't see itself as one of these, at least not in this paper.

Even these Google analysts acknowledge at the end of their essay that "there may be contexts in which mandatory opt-in is the optimal policy for individual privacy as, for example, when the information in question is particularly sensitive." But "opt-in dystopias" makes a crucial point—the rapidly evolving Web isn't going to be easily reined in by some simplistic online behavioral ad law. That could be a reason why it has taken Capitol Hill so long to come up with one.
