The code of privacy

By now most of us are familiar with Larry Lessig’s seminal work Code and Other Laws of Cyberspace. In it, Lessig argues that technology creates its own form of law and that the nature of these “code laws” challenge our legacy approaches to public policy and managing important societal concerns such as privacy.

We are seeing an explosion of technological solutions that address privacy. These solutions have built within them significant public policy decisions that need to be understood. Perhaps the most timely and relevant example is Do Not Track (DNT). A consumer privacy mechanism, DNT is designed to allow browsers to indicate a preference not to be tracked online. Significantly, DNT focuses on online behavioral advertising but may expand more broadly than just that one practice.

DNT has engendered significant support across regulatory and legislative arenas. The US Federal Trade Commission, US Department of Commerce and European Union regulators all have indicated their strong encouragement for this tool to be developed by browser manufacturers and the market as a whole. Subsequently, the market has responded. Most of the major browser manufacturers—Microsoft, Mozilla, Google—have indicated some level of support or adoption of the idea of DNT. Further, the World Wide Web Consortium (W3C) has initiated a series of efforts designed to develop a voluntary standard to apply to all web interactions. But, as it is with many things, the devil is in the details.

DNT at a W3C level has moved slowly and may ultimately be a product of significant compromise among the participants. Further, the W3C proposal is voluntary, meaning that both browser manufacturers and those working with web companies that receive the DNT indicator may or may not be obligated to observe the DNT signal. Browser manufacturers themselves have found significant conflict or controversy in their DNT announcements. Notably, Microsoft has indicated that DNT will be switched on by default in their upcoming release. This announcement has been met with cries of protest from industry, privacy advocates and even some regulators.

It remains to be seen how DNT will affect the online marketplace. However, as a public policy tool, Lessig’s work seems to have been prescient. Code is law. However DNT is implemented, it will have the effect of public policy in the privacy space.

What does this mean for those trying to implement technologies and policies inside organizations? In a word: complexity. We will have much more complexity in our data-driven future. Companies on the web will be forced to pay attention, not only to the halls of power, but to those technologies through which our data is managed.

J. Trevor Hughes, CIPP

President and CEO, IAPP

We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post. To view all blog posts, please click on the ISACA Now link in the blue box on the left.