Data privacy has been a concern for many years now, even before social networking became the topic du jour in the mid 2000s. It seems that the public interest in protecting personal information online has evolved at a roughly equal yet laggard pace behind the general development of the World Wide Web and Web services and the general penetration of solid, always on Internet access into households both within the United States and worldwide.
If we look into the evolution of privacy awareness and later activism in the context of time, we can see three key areas emerge:
• The early formations of a sense that electronic privacy is different and should be handled differently and more sensitively than general privacy, in the early 1990s
• The realization that children required special protection online and thus the enactment of legislation especially and specifically protecting children, in the late 1990s
• The extension of such protections to adults as well as the provisions of privacy policies and disclosures of what services do with personally identifiable information, in the early 2000s
The growing sense that simple disclosure and a “take it or leave it” attitude with respect to privacy and protections was not enough and the move toward user control and enrollment and the Right to Be Forgotten in the late 2000s and early part of this decade.
Let’s take a look at this evolution in a little bit more detail.
Early 1990s: First True Acknowledgment of Online Privacy Issues
In the heady early days of the World Wide Web, Internet users had a decidedly advanced profile; the average home user did not have his own computer, had only dial-up Internet access, if at all, and spent an average measured in hours per month on the Internet. Those who were transacting consumers online were mainly advanced computer users who found the novelty of doing things online to be so fantastic that often keeping personal information guarded, publishing online personally identifiable data, and otherwise acknowledging that privacy might be an issue took a backseat. Additionally, the facilities available at the time to mainstream users—who overwhelmingly accessed the Internet through controlled portals like America Online (AOL) and The Microsoft Network (MSN)—often offered limited opportunity to share personal data in a way that could have become threatening. Finally, the technology available to neer-do-wells was simply not advanced enough to launch attacks to glean personal information from private businesses, regardless of whether such data was stored securely or insecurely. Simply put, privacy was just not a real priority, either for the consumer or for the business or provider.
That’s not to say privacy was completely ignored. As early as 1994, the Electronic Privacy Information Center, or OPIC, paved the way by establishing itself and its famous newsletter covering online privacy and civil liberties issues. The ACLU also took a stand, siding with small pockets of conspiracy theorists that assumed the US government and particularly the NSA was able to penetrate all communications on the Internet. But it is safe to classify privacy activism in the early 1990s as an afterthought, a minor issue, and not even a distraction.
Mid to Late 1990s: The Recognition of Children as an Unfortunate Target
As AOL subscriptions skyrocketed and the web became a central focus for all types of businesses, it became clear that there was also a seedy dark corner of the Internet that attempted to prey on those too young to know any better: children. It is in the intent to protect the world’s youth that we find the first serious efforts at legislating some type of privacy for Internet users.
In the mid to late 1990s, most online privacy protections were centered around the prevention of child pornography and its proliferation and also prohibiting the online exploitation of citizens under the age of consent. The Children’s Online Privacy Protection Act, or COPPA, was enacted on October 21, 1998 and set into motion several distinct tenets of child safety and anonymization on the Internet, primarily enforced by the US Federal Trade Commission:
• In the spring of 2000 the Act required commercial websites to obtain parental consent before collecting, using, or disclosing personal information from children under 13.
Early 2000s: Extending Privacy Controls and Disclosure to Adults, Too
Along with Web 2.0 and the ability of web browsers to do processing on their end as well as more powerful servers came a crop of social networks and, more importantly for our purposes, a new type of online product: the social network. Here users built profiles full of personal information and the networks themselves built a business on selling advertising to those users based on the demographic and personal information they uploaded. It was only after the launch and heyday of MySpace in 2003 that most social data privacy protections have come about. (While some believe Facebook was the first big social network, recall that membership in Facebook was closed off to all but those with an affiliation with an educational institution, a restriction that was only lifted in September of 2006.)
You’ll note the law’s very simple tenets: disclose to users their expectation of privacy, how their information is used, and how users can change their own information. That’s the extent of the control offered to users, at least until almost a decade later.
The 2010s: Explicit User Control and The Right to Be Forgotten
As disclosures about government monitoring made the news and as the capability of organizations to retain vast quantities of personal data and run analytics on it becomes clearer to users, the emphasis from an online privacy standpoint shifted to control. Users wanted to know exactly how sharing occurred and how to stop it. They wanted to know what websites were following their online moves via cookies and other trackers, and more importantly, they wanted the ability to stop it.
Again we see protecting children as a pioneering development in the evolution of social data privacy. In 2011, US Representatives Edward Markey and Joe Barton introduced an amendment to the Children’s Online Privacy Protection Act called “The Do Not Track Kids Act of 2011” that contained provisions requiring an owner of a digital service to delete from public view upon request content containing personal information about minors.
Recently, however, the Right to Be Forgotten has been a topic of exploration for legislators both in the United States, where individual state level lawmaking bodies have worked to pass laws, and in the European Union, where a continent-wide right to erase online footprints and data has been cemented.
Again we look to children’s protection as the canary in the coal mine. Taking effect just last month on January 1, 2015 was “The Eraser Bill.” The legislation was signed into law on September 23, 2013 and has two parts, the most relevant of which is the provision that requires owners of websites, online services and applications and mobile applications (each, a ‘digital service’), directed to or known to be used by California minors, to offer a process for California minors to remove (or have removed) their own posted content and information. While there is no federal level statute of this nature, one may well come soon.
In the European Union, the European Court of Justice ruling against Google in May 2014 set into motion the first manifestations of the Right to be Forgotten as Google itself was littered with 12,000 requests in just the first day to have personally identifiable information removed from its archives and search results display.
And that takes us to present day. Where do you think online privacy is going in 2015 and 2016? Do you think a Right to be Forgotten will be cemented in the United States? What are your biggest concerns around data privacy?