Last week the Electronic Privacy Information Center (EPIC) made an agenda-setting intervention on the newest dangers in digital privacy. EPIC is perhaps the world’s most influential privacy advocacy group, and presented its brief to a US Senate hearing looking into Google’s proposed acquisition of DoubleClick.
According to USA Today,
“The Federal Trade Commission is already reviewing whether the Google-DoubleClick combination would violate antitrust law. Consumer groups are pressing the agency to also scrutinize Google's privacy practices. Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the Senate committee that Google should be required to strengthen its privacy practices as a condition of the acquisition.”
Marc Rotenberg and EPIC played a significant role in shaping the policies of the Federal Trade Commission to bring Microsoft to recognize – and deal with – potential privacy issues with Passport back in 2001.
In hindsight I think that the FTC involvement ultimately brought about positive developments, reducing everyone’s risk, and helping the industry evolve toward a more grown-up, multi-centered, distributed approach to identity management.
To me it is self-evident that companies with the combined invasive power of Google and DoubleClick need to guarantee what Marc calls “substantial privacy safeguards.” (In fact all companies should guarantee such safeguards.)
In my view we should be listening to EPIC rather than dismissing their concerns the way Google’s executives seem unfortunately to have done in the Washington hearing. If we really “get with the program” in terms of privacy, EPIC will have no need to call for proactive government intervention.
EPIC has been visionary in helping us recognize the potential dystopia that can be the product of identity misapplied in the digital world. It makes me cringe when I see privacy advocates being treated the way security advocates used to be: “Sure, we hear you, now excuse us while we get back to business as usual…”
We should want to – and insist on – building systems to the very highest privacy standards – as EPIC is demanding. Everyone will benefit. It is a no-brainer. We will save ourselves, and fellow citizens, years of pain by doing so.
It’s enlightening to read Marc’s description of what he calls, “The Passport Case”:
“We expressed particular concern that Microsoft would become the sole gatekeeper for Internet access and we recommended that the development of multiple identity management systems that would respect privacy and promote innovation. Although the Passport case was not explicitly about a merger, the antitrust and competition implications were obvious…
“The FTC order in the Passport case was significant because the FTC did not uncover any security breaches, but acted nonetheless based on the potential for a security problem and privacy harms. This action demonstrated that the FTC has the authority to protect online privacy prospectively, and that the Commission will hold companies to a very high standard in their representations to consumers about privacy policies.
“Since the FTC settlement of the EPIC complaint against Passport, industry groups have moved toward decentralized identity systems that are more robust, provide more security, and are better for privacy. Both Microsoft and the open source community now appear to agree that meta-identity systems are a better approach for identity management. The Passport case demonstrates that effective action by the Commission will produce benefits for consumers and businesses and help spur innovation.”
I agree. And I'm very happy that the brief refers to Identityblog (citing The Laws) and CardSpace in demonstrating this progress, as well as to open source contributors (EPIC explicitly cited OpenInfoCard, but there are many other contributors – from Bandit and Higgins to PamelaWare – all of whom deserve recognition in this initiative.) Still, it is impressive that EPIC has the kind of grasp it does of developments in our industry.