A Web Certificate for Privacy?


Privacy is at the top of people’s online agenda. As an investor in businesses with specific offerings around people’s online and digital data, not surprisingly it is at the top of my agenda too. I believe that the industry needs privacy definitions and principles that the average Internet user can understand, not shrouded in legal or technical jargon.

In my recent post on Privacy for a Facebook Generation I proposed that businesses should operate on six easy-to-understand levels of privacy:

  1. Me: what I keep totally to myself
  2. Family: what I share with family and close friends
  3. Friends: what I share with wider friends and acquaintances
  4. Business: what I share with a business, which is not shared onwards
  5. Business to Business: what I’ve shared with a business and that business then shares with other businesses
  6. Public: information in the public domain, found by anyone

and three core principles:

  • We are clearly told at what privacy level a service operates
  • The privacy level cannot be changed on us without us knowing
  • We have the ability to have our information deleted should we so wish

But even with such definitions and principles, I wonder whether the online industry has an appetite for change, and even whether anything needs to change.

Taking the last point first - is there an issue that requires change? Privacy has many angles, but one of the key aspects is that we as individuals are putting our data 'out there' believing that we’re at a certain level of privacy. But in reality the data is more open than we are led to believe.

In the physical world we have protection on this front (in the UK, this takes the form of the Data Protection Act), but in the digital world there seems to be an attitude that such protections are not required "because the Internet is different".

I strongly believe that the Internet is not different. Indeed the harm from not understanding true privacy levels is real and unless the web community does something to qualify and certify itself then governments will step in to make rules. This would be a disastrous outcome, which will result in many of the benefits of a single world-spanning web being negated.

I think we all must accept that whether there is government regulation and / or social regulation (voluntary code, etc.) there will always be those that circumvent or just outright ignore such regulations. However, what is particularly galling at the moment is that clearly legitimate companies, which do not normally flout government rules or societal norms, are doing so with complete disregard for Internet privacy or ethics. In the face of this behaviour we clearly need a mixture of both social regulation and governmental regulation.

With regard to social regulation, we can and should try to foster take-up by the community of a voluntary code, with perhaps a seal or badge that websites can display to show they adhere to it. Such a scheme could be similar to the SSL Web Certificates that exist and which are recognised by browsers today.

Photo (cc) Josh Hallett.