Consumer Profile Exchange could protect privacy

If Congress would get off its ass, that is

Customer Profile Exchange (CPE), the IBM-backed, XML-based standard enabling companies to exchange consumer data conveniently over the Web, may not be quite the threat imagined by worried US consumers and privacy advocates.

The scheme itself actually includes provisions for the responsible sharing of information, such as enabling one company to make data available only to others that agree to similar use restrictions, and enabling consumers to access and even control their data profiles while confronting a single, consistent format. These could be good things, or not, depending on how the technology is used.

The true danger here is the lack of any regulatory structure requiring companies to use it in a way that benefits, or at least doesn't threaten, consumers. Simply put, technical standards don't threaten people's privacy -- people threaten people's privacy.

"If you have a technology making it easier to exchange information between different databases, the question is whether companies will respect consumers," Centre for Technology and Democracy (CDT) Senior Policy Analyst Ari Schwartz told The Register. "Even a decent policy of industry self-regulation would be helpful here."

Unfortunately, there is little in place, either among industry groups in terms of self-regulation, or nationally in terms of government regulation, to prevent something potentially useful like CPE from being abused.

Certainly individual companies can enter into contractual agreements governing the use of information they supply. "If a company were to go beyond what it has agreed to do with the data, that would be a contract violation which would land them in court," Schwartz pointed out.

The companies are protected from data misuse, but of course consumers have no rights whatever under such agreements. They're not even in a position to influence the sort of standards the better class of company might aspire to. There is virtually nothing under the law that one can use to control what is essentially an extremely valuable commodity belonging to oneself.

In terms of leverage, "you don't have anything," Schwartz observed.

So if the technology is hostile to consumers, it's only because the US regulatory environment is so palpably incommodious. If that were to improve significantly, CPE could become one of the best ways yet devised for consumers to stay on top of their profile information and control what can be shared, and with whom.

It would eliminate (among its subscribers, anyway) the need to deal with myriad privacy policies couched in paragraph after paragraph of misleading legalese, unique to every on-line company one deals with.

One could set one's own standards once, and be done with it. If only, that is, the US Congress would see fit to grant something like rights to consumers. This is not exactly a gimme, as the 107th will convene under a veritable avalanche of privacy proposals, the vast majority of which are pure rubbish.

In the highly rhetorical legal marketplace known as Capitol Hill, it's not hard to imagine a comprehensive and realistic opt-out proposal getting so badly stigmatised by privacy fundamentalists that a pathetically weak opt-in proposal would succeed in its place. It would sound good, but accomplish nothing -- exactly the sort of legislation our venerable representatives support most enthusiastically.

The best of all possible worlds would be a solid, comprehensive opt-in proposal, but we've been around the Hill long enough to know that the advertising and data-mining lobbies will ensure that no such monstrous thing happens.

The next best (and most realistic) thing would be an opt-out bill with real teeth, and there CPE could be a definite boon. In the right regulatory environment, it would make it easy to opt out, and convenient for a consumer to examine what his profile contains and just how it's being used. Combine that with granting him something like rights over a commodity which common sense tells us he owns outright, and we'd have a real winner coming out of conference committee for a change. ®
