Goldilocks and Informed Consent

When you authenticate to a service, do you know what information about you is being communicated between the login page and the service provider? Are there distinctions among services, for example, Facebook or Google or Yahoo?  Does it make any difference whether the service is for consumers, or, in higher education, under an enterprise contract?  Is there a bridging authentication service, for example InCommon?  If so, what difference does that make in terms of the release of “attributes,” or pieces of information, about your identity?  If looked at by a human, would those attributes identify you as a distinct individual?  Or are they unidentifiable parts for a human reader, but easily mined and recombined in ways that even pedestrian software programs can (re)create your identity?  What do service providers do with that information?

A great deal. Information about you is a valuable commodity in our information economy. Illegally obtained, for example by a data breach, your personally identifiable information is sold on the black market to identity thieves who use it to commit fraud.  Legitimate data warehouses give criminals a run for their money, however.  They don’t need to obtain it illegally or take risks dealing on a black market.  And they don’t need to commit fraud in order to make money.  The U.S. marketplace, which to date has insured lax laws around the collection of personally identifiable information, opens the door to data collection, recombination in the form of extensive profiles on individuals, and then sale of that information and/or profiles to hoards of hungry buyers who use it for advertising, marketing and risk analysis for mortgages and loans to individuals.  The media has paid some attention to targeted advertising and consumers are increasingly aware that the pop-ups on their pages bear a striking resemblance to the terms of previous searches. But it is March 4, 2014.  Do you know where your data are?

Most people do not, and that is why I am beginning a deeper dive into this question with a focus on authentication.  In a document prepared by the company Cirrus Identity, Inc. on attribute release, a survey of what attributes Internet Titans such as Google, Facebook, and Twitter release in the authentication process reveals interesting variation among the companies relative to their Internet presence and core business models.  Overall observations: “There is no standard format across the providers in the case of the opaque unique ID, and email is not treated consistently across the providers either.”  The example the document gives is to contrast LinkedIn, for which email is only released if the user has set their profile to public, whereas WindowsLive gives up a number of attributes automatically.  The document states that most Internet companies pass a human readable unique ID, mostly email addresses, or, for Twitter, @username, rather than an opaque ID.  And finally, if I am reading this document correctly, among all of the companies studied, Google releases not only the Gmail address but also a link to the user’s Google profile.  (For more information on this survey, this link is a good start.)

What this means in English is that users first of all have no control in the attributes that Internet Titans release in authentication process.  Second, it would appear that each Titan makes attribute release decisions that reflect their brand, for example the Twitter use of @username, which is a distinctive “handle” of their company.  Third, attribute release bears some relationship to the business model of the company.  Google, for example, still primarily an advertising company, craves eyes on its pages to demonstrate its company’s value to advertisers.  Therefore, the release of not only gmail addresses but also profile links encourages more hits by offering the information freely.

Is this document a great smoking gun? No, most people would shrug to learn that service providers offer attributes such as the user’s email address in authentication processes. It is important to remember that data stores use incremental pieces of information in their larger sweep of information, and sophisticated software to recombine into detailed profiles about individual consumers purchasing habits, income, marital status, sexual preferences, number of children or dependents, travel patterns, etc. And so each piece needs to be understood as a part of this larger whole.  If we cannot control information about us that comes in pieces, we have no ability to control the whole profile, and its implications on privacy and personal autonomy that these whole profiles, bought and sold without our knowledge, have on our lives, choices and potentialities as individual persons.

But there are other reasons why I begin my deeper dive into the intersection of technology and law with authentication. First, it is critical that we open the proverbial kimono on technology processes of which most people are unaware. The point is that if the public is going to be able to discuss intelligently privacy in the information age, it must learn something about these basic processes. Second, whether a service provider releases a lot of attributes or none, human reader or opaque, the main point is that it is a decision that the company makes unilaterally. Depending on the business model, the company can decide to release more, i.e. Google, or none at all if the user chooses to restrict his or her profile, i.e. LinkedIn.  Note how technological practices that implicate privacy are woven into reputation and the service provided. Third, and most important, companies offer no informed consent to the user.

Informed consent bridges the flexibility that Internet companies need to be nimble in building their business model, i.e. unilateral decisions that they make regarding what attributes to release to identity providers in authentication given how those decisions map to business models, and the information that consumers require to make a choice about whether or not to accept those terms as the “cost” (not the only one, by the way, but one of the ones implicating privacy) of the service. No U.S. law requires that service providers offer either the information or consent, but in my opinion they should. Informed consent is consistent with the privacy laws and practices of all other developed countries except the United States.

As our colleges and universities become more “international,” it would seem to me not as a matter of compliance per se but recognition that the United States institutions want to treat the institutions in other countries as equal partners, we should adapt to those laws.  But compliance and partnership are part of the superstructure of reasons why implied consent matters. The principal reason is that it is truly the right thing to do. I understand that businesses emerging in this dynamic market require flexibility; I think it would inhibit the innovative relationship that exists between technology and the market for the law to require one, single practice.  But to allow Internet Titans flexibility and to leave consumers in the dark about the implications of those practices are separable issues. Rather than swinging the privacy pendulum all the way over to restricting businesses to a single practice, its seems eminently fair to simply offer consumers the information that they need in real time – and not in small print terms of use or privacy policies – so that they can make the decision to consent, or not, to the practice.  Informed consent is to consumer privacy practices what Goldilocks is to porridge!