Myth and Merriment

Now that the merriment of the holidays is almost over and all the new digital devices have been unwrapped, it's time for a digital privacy checkup.

Every time we hitch our lives to these digital wagons, we leave a trail of information that, for good or for ill, marks every twist and turn we take in the electronic frontier.

Although most would never think of leaving their private information lying around in the work-a-day world, people generally don't give a second thought to the privacy implications spilling from the convenience of our new digital technologies.

Some argue that people are apathetic about online privacy. But whenever a privacy "faux pas" occurs -- remember last year's brouhaha about Facebook's beacon program or the furor about the posting of AOL search terms -- it becomes clear that Americans care about online privacy.

We just don't know what we don't know.

What's worse, in place of facts, we've come to believe a number of myths about the protections of our personal information in an online world. Those myths may make us feel better, but they do nothing to guard our privacy.

So, follow along as together we bust some privacy myths in an effort to ensure maximum merriment and perhaps some caution for the year ahead.

Myth: Choosing to "opt out" of a program or service that gathers information on you immediately stops the practice and removes all your previously stored information.

Fact: Although your "opt out" decision may stop some programs or services from coming directly to you, the information-gathering process doesn't quit. For example, a company practicing behavioral advertising -- an advertising method that analyzes your online habits and sends you ads based on your likes, hobbies, favorite sports, etc. -- may stop sending car ads to your computer screen after you've opted out of its program, but that advertising company is still collecting your data to be used in any number of other ways.

Myth: As long as a Web site has a privacy policy all your data on that site is protected.

Fact: A privacy policy is not a guarantee of privacy protection. It spells out whether and how your data is protected. It may say that it will guard your privacy and not share your personal information, but it is just as likely to say: "Whatever information we glean from you while you're here is ours to do with what we will, including selling it or packaging it with other data so we can sell it."

Studies have shown that the mere presence of the words "privacy policy" on a Web site's home page is enough to convince a majority of people into thinking that their data carries some official privacy protections.

Myth: You "own" your e-mail and the government needs a judge's approval to read it.

Fact: Most people use Web-based e-mail services, which store all you have sent and received on huge servers controlled by the e-mail service provider. We can store years' worth of private messages and access them from any Internet-connected computer.

Unfortunately for privacy, current law provides a crazy quilt of standards for government access to your e-mail. Indeed, under statutes written before the World Wide Web existed, your older e-mail can be read by the government without a judge's approval and without your even knowing what is happening to your privacy.

Myth: Privacy laws protect all your online transactions from misuse by companies.

Fact: The United States has no uniform consumer privacy law. Using a Web-based travel site to plan a trip? None of your itinerary is privacy protected. Use a calendar to keep your appointments? Protections for that data are ambiguous at best. We have a patchwork of laws that protect certain information, such as personal financial data, but we have no comprehensive consumer privacy law that sets a baseline of fair information practices that apply across the board.

If a company fails to abide by its explicit privacy promises, it may get in trouble with the Federal Trade Commission, but it doesn't need to make those promises in the first place. Some companies abide by a well-designed, self-administered privacy code, an important step but not a replacement for a comprehensive privacy law.

Myth: All your location data -- from cell phones to GPS-enabled devices -- is protected by privacy laws.

Fact: Cell phones and devices enabled with a Global Positioning System are relentless tracking devices, mapping (whenever turned on) everywhere you've been. This data are collected and stored by cellular providers and other companies. Indeed, there is a blossoming of social networking applications and other services that record your movements.

While you might want your friends to know where you are Saturday, government agents have little to no trouble obtaining that information, too. In addition, the government gets tracking data with no judicial approval or without showing much real justification. And in terms of marketing, with the exception of the cell phone companies, there are few rules on how the businesses that access your location data can use it or disclose it.

Myth: If you remove all those embarrassing pictures of yourself from social media sites, like Facebook or MySpace, you have nothing to worry about.

Fact: If you're hastily scrubbing questionable photos from social media sites or other online venues in a quick effort to polish your image, cleaning up your tracks may be tougher than it seems. Although your actions may remove pictures (or ranting blog posts for that matter) from immediate access by others, Internet search engine companies may still be cataloging your information in the form of a "cache," something akin to a digital snapshot, where all information lives on for at least a short time, regardless if it has been deleted or not.

Parts of your social networking profile may be visible even if you restrict access to certain photos or postings. And there's nothing stopping others from downloading and recirculating embarrassing photos of you while they still exist online.

If you insist on having a photographic record of your extracurricular activities online for all to see, at least take advantage of the privacy controls built into sites like Facebook, and the cache options available through Google and Yahoo.

Privacy on the Horizon

OK, now that I have your attention, the next step is taking action.

We need a new comprehensive, federal consumer privacy law that gives us a solid framework for making decisions about these technologies as they become more entwined with our daily lives. And we need to update the laws that define how government gains access to our personal information so that our constitutional rights are secured.

But laws and regulations aren't the complete answer, so we need to encourage companies to compete on privacy and to develop and adhere to "best practices" that are transparent to regulators and build confidence in consumers. Recent announcements by major search engines to further cut the time that they hold on to personally identifiable search data are a step in the right direction.

Finally, consumers need to be in control of their personal information. Internet users must demand that companies develop new and expanded privacy controls for their products.

My organization recently released a report showing that browser developers are increasingly competing to offer better privacy controls. Such developments, however, are wasted if consumers don't learn to take control of their privacy, use existing methods to accomplish that task, and use marketplace demand to put pressure on developers to provide them with more robust and easier to use tools.

On Jan. 29, 2009, the United States, Canada and 27 European countries will celebrate International Data Privacy Day, intended to further discussion and education about privacy issues, particularly among teens. We should all observe that event by taking the time to learn about and use the privacy controls that are already available.

Leslie Harris is president and CEO of the Center for Democracy and Technology.