The accumulation of personal data on the Internet and the protection of this data throughout a lifetime was the topic for ESOMAR’s second German World Research Roundtable. The roundtable Online Privacy: A Lifetime on the Internet, which took place on Wednesday, November 12 at the venerable Künstlerhaus am Lenbachplatz in Munich, was moderated by FOCUS Online editor Björn Sievers and featured an interdisciplinary panel of experts from Internet, government, science, civil rights, business and IT.
Concerns about online privacy have been the focus of public discourse in Germany throughout 2008, fed by numerous data protection scandals and attempts by companies such as Google and StudiVZ to ease the collection and aggregation of user data. At the same time, reports abounded about Internet users posting private information on the web, seemingly without regard for the fate of this data. Are these online citizens oblivious to the risks of data proliferation or do we simply lack the right tools to instigate a culture of personal data protection?
The Panel
A number of conferences and events have been held on the topic of Internet security and data protection, which positioned data privacy either as a challenge for companies and their IT departments, or as an issue concerning predominantly young internet users. The ESOMAR roundtable, on the other hand, put the consumer/user at the center of the debate and took into account the entire lifespan of the Internet experience. This broad viewpoint was echoed by a very diverse panel of members, which included Oliver Skopec, one of Europe’s youngest internet entrepreneurs and the former head of the high school student community schülerVZ; Marit Hansen, the Deputy Chief of Germany’s most prominent data protection agency, the Datenschutzzentrum Schleswig Holstein; Rena Tangens, a data protection activist and jury member of the Big Brother Awards Germany; Thomas Gross, the head of IBM’s Institute for Data Protection Research and an expert on privacy-enhancing technology; Dr. Werner Degenhardt, an expert on Internet psychology and usability and CIO at the Ludwigs-Maximilian-Universität Munich; and Hartmut Scheffler, the CEO of TNS Infratest GmbH & Co. KG and expert for online market research.
How privacy-savvy are today’s online citizens?
Moderator Björn Sievers approached the topic by discussing the current state of online privacy practice in social communities. The community expert Oliver Skopec conceded that young users were demonstrating a lack of life experience and a certain degree of naivety with regards to managing their personal data. At the same time, he observed that they were generally aware of the exposure that personal data receives once it is published in blogs and on video portals and that some of the horror scenarios related to online data abuse were less founded in reality than the media may indicate.
Marit Hansen from the Data Protection Authority in Schleswig-Holstein countered his view by giving examples of citizens who had experienced attacks on their privacy on the Internet, including a family which was heavily bad mouthed on a website called Rottenneighbor.com. Hansen pointed out how hard it was for consumers and legislators to remove negative statements from the Web, especially in cases where the website operator was located outside of national borders.
Dr. Degenhardt brought up the issue of controlling one’s personal contacts in social communities, where each user is linked to an infinite number of other users. According to the psychologist’s viewpoint, the human mind was designed to store and remember only limited numbers of contacts and unable to manage the thousands of friends and foreigners encountered on sites such as Myspace or Facebook. He contended that the evolution of the mind made humans more interested in interaction with others and less attuned to perceiving the risks associated with social networks.
According to civil rights activist Rena Tangens, consumers’ concern for data protection has risen considerably since the year 2000 and the aggregation of their data has become a key issue. “It is not the single data record that is dangerous, but the data that is collected over years and years of online activity.” By aggregating the content, companies would be able to recreate an encompassing image of the Internet user, his/her vacation plans, purchasing behavior, payment methods and other personal information. Oftentimes, users would be ranked according to this information and would receive less or more favorable treatment in the purchasing process without knowing the reason for it.
Who is responsible for protecting our data online?
There was broad consensus among the debate members that despite the popularity of social communities, blogs, and video portals, little has been done in German society to address the issue of data proliferation and the protection of Internet users’ personal data. Rena Tangens pointed out that the main threat to consumers arises from large databases created by business and government and that the management of these databases would provide them with a tremendous amount of power. She mentioned the recent telecom scandals, where employees had monitored calls made by journalists and union managers. In Tangens’ view, the users themselves were responsible for creating a counterbalance to this power, by becoming politically active and by using self protection.
Along similar lines, Marit Hansen contended that data protection agencies in Germany did not do enough to promote their services to consumers and businesses. As a consequence, few consumers were aware of their rights with regards to the protection of their personal data. Hansen insisted that consumers needed to be trained in using the Internet in a “safe and healthy way”. She saw a strong analogy to the early days of public hygiene, when people learned that not washing their hands could cause illness, even if they were not able to see the cause for this threat, i.e. the bacteria.
Dr. Werner Degenhardt, however, doubted the existence of mature, responsible citizens who would be able to practice self protection. He said that politics had not kept track with the technological evolution of social communities because there had not been any “corpses” yet.
Hartmut Scheffler from TNS Infratest stated that the market research industry, while often the subject of data privacy critique, had a clear set of rules in place regarding the collection and use of personal data. He quoted three principles as laid out by the industry codex: collection of data based upon scientific quality standards, anonymization of the data, and a strict ban on selling personal data to third parties.
According to Thomas Gross from IBM Research, managing one’s online privacy was a technical issue that required cooperation between research and Internet technology. For him, the ideal solution would be a system whereby users can stay anonymous when needed (e.g. when shopping) and reveal their true identities when the social context justifies such behavior, a compromise that he thought could be technically accomplished: “In a few years, we will be able to reveal our identity on the Web and stay anonymous at the same time.”
What needs to be done in order to improve online privacy?
The debate about potential solutions to the privacy dilemma oscillated between a call for co-regulation and better legislation. Hartmut Scheffler from TNS Infratest contended that German data protection legislation was already stricter than in other countries and that a stricter execution of these laws was required, not new laws: “Co-regulation, i.e., the solution of an issue before it is addressed by legislation, will be much more efficient in this context. The self-healing powers of the industries which are represented by the Internet, will provide the necessary steps toward a better online privacy practice.”
Oliver Skopec elaborated on this thought and suggested that social community operators were both willing and creative enough to improve the current system. He also showed examples of Internet security awareness campaigns and training offered by community operators such as schülerVZ.
For Rena Tangens, the educated and enlightened consumer was the key to improving privacy practice, along with a more encompassing legislation for operators of social communities and data collection organizations. She pointed out that data protection regulations were often too complicated and ambivalent to be understood by consumers and that users needed to be given the opportunity of an active “opt-in” with regards to the use of their data.
Examples of successful user education were provided by Marit Hansen, who presented the “Du bestemmer” (You are in charge) project, a campaign for safe Internet usage that was run successfully in schools across Norway. Hansen also suggested the introduction of a “clause of origin” into the new data protection law, which would allow the user to track the dissemination of his or her personal data by third parties.
The debate ended with a statement by Thomas Gross, who sketched out some of the future tools which will help to improve online privacy. One example is a search engine which examines the privacy policy of companies online and which allows internet users to decide whether they want to transmit their personal data to the respective company. Gross also opted for the introduction of open data protection standards as a means to promote consistent regulation for online privacy across the globe.