Privacy and the Dark Side of Control

Publication Type: 
Other Writing
Publication Date: 
September 4, 2017

To hear some in industry and government tell it, the answer to our modern privacy dilemma is simple: give users more control.  There is seemingly no privacy-relevant arena, from social media to big data to biometrics that cannot be remedied with a heaping dose of personal control. Facebook founder and CEO Mark Zuckerberg said “What people want isn’t complete privacy. It isn’t that they want secrecy. It’s that they want control over what they share and what they don’t.”[1] Microsoft CEO Satya Nadella summarized his company’s focus on user control by stating, “Microsoft experiences will be unique as they will…keep a user in control of their privacy”, adding that the company will “[a]dvocate laws and legal processes that keep people in control.”[2] Google asserts that it “builds simple, powerful privacy and security tools that keep your information safe and put you in control of it.”[3]

Privacy regulators love the concept of control, too. The Federal Trade Commission, one of the chief privacy enforcers in the US, adopted it as a regulatory beacon.[4] “Consent”—one form of effectuating control—is the centerpiece of the European Union’s entire General Data Protection Regulation.  It legitimizes all kinds of personal data practices.[5] A few foundational privacy theories hold that the essence of privacy is control over personal information. Privacy scholar Alan Westin defined privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”

It’s time to take a step back. It’s a mistake to assume control alone can solve the modern privacy dilemma. While control is vital, people can only do so much in a day. We are being stretched too thin and it is making us vulnerable. Companies use the appeal of personal control over data as a way to shift the risk of data collection and processing back onto data subjects. This is dangerous because people are not in the best position to understand the risk of harm from sharing personal information. Nor can people exert meaningful control over the vast, byzantine data ecosystem that can require thousands of ongoing decisions about how their data is collected, used, and shared. Control in excess of our abilities is broken. It’s time we treated an endless buffet of control over personal information as too much of a good thing.

Read the full essay at The Institute of Art and Ideas