Here is her NYT piece, I’ll go through her four main solutions, breaking up, paragraph by paragraph, what is one unified discussion:
What would a genuine legislative remedy look like? First, personalized data collection would be allowed only through opt-in mechanisms that were clear, concise and transparent. There would be no more endless pages of legalese that nobody reads or can easily understand. The same would be true of any individualized targeting of users by companies or political campaigns — it should be clear, transparent and truly consensual.
Who can be against “clear, transparent and truly consensual?” But this reminds me of those conservatives who wish regulations would be shorter, simpler, easier to write — it’s not always that easy and wishing don’t make it so. (Try sitting down with someone in the immediate process of writing such a rule.) That said, let’s think about what maybe will happen. How about the United States adopting some version of the forthcoming EU GDPR? That might in fact be an OK outcome (NYT). But will that be clear and transparent? Is any EU regulation clear and transparent? Can anyone tell me, sitting in their seats right now, if it will outlaw the blockchain or not? Whether it outlaws the blockchain or not, could either of those outcomes be called “consensual”? I don’t think Tufekci has given an actual proposal yet.
Second, people would have access, if requested, to all the data a company has collected on them — including all forms of computational inference (how the company uses your data to make guesses about your tastes and preferences, your personal and medical history, your political allegiances and so forth).
This is not feasible, as computational inference is usually not transparent and often is understood by nobody. But even the simpler stuff — what exactly is the call here? That Facebook has to send you a big zip file? Is the goal to inform people in some meaningful way? Or simply to deter Facebook from having the information in the first place? If it’s the latter, let’s have a more explicit argument that people would prefer a Facebook they have to pay for. Personally, I don’t think they would prefer that and already have shown as such.
Third, the use of any data collected would be limited to specifically enumerated purposes, for a designed period of time — and then would expire. The current model of harvesting all data, with virtually no limit on how it is used and for how long, must stop.
“Must”? Not “should”? That is a classic example of trying to establish a conclusion simply by word usage. In this context, what does “enumerated” mean? Are we back to GDPR? Or they send you an email with a long list of what is going on? Or that information sits behind a home page somewhere? (So much for simple and transparent.) You have to opt in to each and every use of the data? So far it sounds like more bureaucracy and less transparency, and in fact this kind of demand is precisely the origin of those lengthy “opt in” statements that no one reads or understands.
Fourth, the aggregate use of data should be regulated. Merely saying that individuals own their data isn’t enough: Companies can and will persuade people to part with their data in ways that may seem to make sense at the individual level but that work at the aggregate level to create public harms. For example, collecting health information from individuals in return for a small compensation might seem beneficial to both parties — but a company that holds health information on a billion people can end up posing a threat to individuals in ways they could not have foreseen.
Maybe, but there is no example given of harm other than an unspecified speculation. It also seems to be saying I don’t have a First Amendment right to write personal information into a text box. And who here is to do the regulating? Government is one of the biggest violators of our privacy, and also a driving force behind electronic medical records, another massive medical privacy violator (for better or worse), most of all after they are hacked and those who have sought mental illness treatment have their identities put on Wikileaks. The governmental system of identity and privacy is based around the absurdity of using Social Security numbers. Government software is generations behind the cutting edge and OPM was hacked very badly, not to mention Snowden made away with all that information. And government is to be the new privacy guardian? This needs way, way more of an argument.
I do understand that the author had only a limited word count. But googling “Zeynep Tufekci Facebook” does not obviously bring us to a source where these proposals are laid out in more detail, nor is there any link in the on-line version of the article to anyone else’s proposal, much less hers. So I say this piece is overly confident and under-argued.
What instead? I would instead start with the sentence “Most Americans don’t value their privacy or the security of their personal data very much,” and then discuss all the ways that limits regulation, or lowers the value of regulation, or will lead many well-intended regulations to be circumvented. Next I would consider whether there are reasonable restrictions on social media that won’t just cement in the power of the big incumbents. Then I would ask an economist to estimate the costs of regulatory compliance from the numerous lesser-known web sites around the world. Without those issues front and center, I don’t think you’ve got much to say.