The Obama Administration launched its "multistakeholder" privacy deliberations last week, but its difficult to see how there will be meaningful results unless Team Obama changes its tactics.
You'll remember that last February the White House released its landmark privacy report, Consumer Data Privacy in a Networked World that advocates a Consumer Privacy Bill of Rights. It called for baseline privacy legislation and gave the Department of Commerce's National Telecommunications and Information Agency (NTIA) the lead on privacy.
A key element of the plan is the development of "voluntary enforceable codes of conduct." The idea is that everybody concerned about privacy will meet together (a multistakeholders meeting), sing Kumbaya and write the codes, which industry will quickly adopt.
Once a company voluntarily agrees to honor the code, it would violate Section V of the Federal Trade Commission Act if the company's executives didn't keep their word. It would be an unfair and deceptive practice. Of course if they never promised to honor the "voluntary enforceable" privacy code, it wouldn't matter much what they did.
So, there I was last Thursday along with more than 200 other stakeholders packed into the Commerce Department Herbert C. Hoover Building's auditorium for the first meeting.
Now you'd think that a meeting that's been in the works since February might handle the basics appropriately. You'd be wrong. Maybe there would be a list of readings to ponder. Nope. Well, certainly the agenda would be distributed well in advance. Nope, again. It was sent out after the close of business the evening before.
And then there was the matter of the possibility meaningful remote participation, a point Consumer Watchdog and other public interest groups have been pressing for since February. Frankly many of us don't have the resources of industry and its trade groups to attend meetings in person.
NTIA finally figured out how to use a webcast and a telephone bridge to let participants call in from afar. Unfortunately NTIA didn't tell anybody about the ability to phone in to the meeting until the agenda was distributed late Wednesday evening.
The stated goal of the meeting was to promote a discussion among stakeholders concerning mobile app "transparency," one of the points in the Consumer Privacy Bill of Rights. It also was supposed to develop procedures for future meetings. NTIA hired a self-described "internationally recognized executive facilitator," Marc Paul Chinoy, president of the Regis Group, to run the sessions. While he may be an old hand at hammering out consensus in diverse groups, he didn't seem up to speed on basis privacy issues, which is what this supposed to be about. Consider this: The Regis Group website doesn't even have a privacy policy; it would be illegal under California law.
Consumer groups said the agenda was backwards. It made no sense to talk about substantive issues without having agreed on procedures. Moreover, focusing on transparency without considering all the Fair Information Practice principles is pointless.
Suppose I tell you I have a gun in my pocket, plan to take it out and shoot you in the head and then do so. I've been transparent, but what good has it done you? Similarly what's the benefit of simply listing the privacy invading practices of an app, but not regulating what can be done?
At the end of a messy process little was accomplished. Here's how veteran Washington observer and privacy consultant Robert Gellman summarized it:
So what really happened? The answer is still nothing, but the problem that Commerce faced was that it needed a way to start the MSP. It had gotten too much attention and attracted too many people for any hope of accomplishment at the first meeting. It had to have a cattle call because there was no way to invite some and not all to play.
So Commerce held a meeting, let everyone come, hired someone to lead a meaningless discussion to break the ice, and let people blather about the issues, wave their flags, and show off in front of clients. It had people "vote" on snippets of ill-defined issues identified by the crowd. Voting was an amazingly pointless exercise, but it was something to do to kill time.
In August, Commerce will likely do nearly the same thing all over again. The format may differ, but the show will be more or less the same, another opportunity for too many people to get together and blather more about the issue. Then Commerce will convene another meeting in September. This time, the crowd will be smaller, and it may be possible for the people participating to begin to figure out what to do. Most of the "tourists" – who came to the first meeting because they actually thought it was a real event – will be too bored or will have dismissed the process entirely to return.
What this multi-stakeholder process is all really about is trying the show Europe that we can deal with privacy issues in the United States so that U.S. companies can do business there under our "rules" rather than under strict European privacy protections. That's why the Commerce Department has the lead. It's not about protecting consumers at all.
If the Obama Administration is serious about protecting our privacy, it must do more than merely call for baseline privacy legislation. The Administration should draft legislation and show what it thinks a privacy law must include and then work to get it enacted.
