The national news headlines over the last two weeks have again heated up public discussion of when the collection of data about individuals' activities, considered necessary to identify criminal or terrorist threats, crosses the line to become an invasion of privacy. This issue has become increasingly complicated as data collection, storage, and analytics have advanced and become less expensive, faster, and more sophisticated. At the same time, people are participating more in electronic communications, transactions, and activities, creating additional electronic footprints that can be tracked and analyzed.
Many consumers don't seem to mind providing personal information to retailers if they in turn receive some sort of "members only" benefits in the way of rewards programs, preview ads, discount coupons, or other special offers. Many people also appear to be willing to provide individual and family information on social media sites, where it can be gathered by criminals or law enforcement agencies and used with the information that they collect from devices we can’t seem to live without—our mobile phones, our laptops, and so on—to establish profiles of certain behaviors.
I believe that most people in the security and IT industries have a good understanding of the data collection efforts that are under way, both in the public and private sectors. For them, the recent revelations came as no surprise. But I wonder how many consumers, when they click on the "Accept" button to indicate they agree to a site's terms and conditions, really understand what data are being collected or how those data are being used and by whom. This is a question that those in the public sector have debated for some time, as evidenced by the Cyber Intelligence Sharing and Protection Act (CISPA) that passed the House but stalled in the Senate in 2012 after major protests from the online community, which viewed the bill as a threat to individuals’ privacy.
Should there be improved transparency by the various companies that collect the data? Perhaps they could disclose in simple terms what information they collect, how they use it, whom they share it with, and how long they retain it. The fine print of those agreement blurbs may already contain much of this information, but would clearer disclosures make consumers more or less likely to agree to share their personal information and activities? And what about the option for the consumer to select the various types of information they would be willing to share instead of the “all or nothing” option they generally face today? We welcome your thoughts on this subject.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed