Cory Doctorow: How Privacy Can Make Money

For businesses, privacy is pain in the posterior. Google’s feeling that pain right now over its privacy policy.

Privacy for businesses means having to spend money so they don’t breach any laws. It also stops them sharing as much data as they would like. That’s why some companies try and cover their tracks when they’re tracking others.

But it doesn’t have to be this way. Privacy can be a money maker. Cory Doctorow, science fiction writer, an Open Rights Group founder and co-editor of the Boing Boing blog, thinks businesses can help each other turn privacy into profit whilst keeping user data protected.

We caught up with Doctorow at the Technology Frontiers conference in London today to ask him how this can be done and whether law makers can help too.

A premium for privacy

What’s the business opportunity with privacy?
I think people would pay a premium for technologies that allow them to negotiate privacy bargains on an individual basis. There is this truism that if you’re not paying for the product you are the product. But often there isn’t a way to pay for it. Even when you do pay for it there is no guarantee you will cease to be the product.

What many of us are looking for are services that allow us to pay for them and then don’t treat us as though we’re products and return control of our browsers to us.

So you think companies who run on freemium models, like Facebook and Google, will be able to sell extra privacy features?
The only way that would ever work would be if the privacy you were getting was over and above the privacy you’d expect the technology to give you out of the box.

Once you have computers that only give up information that has to be disclosed, you solve some of the problem and I think there is a market for that operating system, that service and that support. Right now, there’s a thriving business in selling software to schools and parents to spy on children, but there’s no service to help children avoid being spied on.

There are lots of parents and schools who are and will come round to the idea that every bit as important as shielding your children from predators is teaching your children and giving your children the tools to stop themselves from being followed around.

It’s not the death of the ad supported model and it’s not the end of businesses related to this. Rather, it’s a market opportunity for people who provide tools that respond to users and for people who provide add ons that interact with those tools in a way that helps everyone win.

Cookie crumbling

What about legislation? Are these cookie laws asking for consent a good idea?
Consent isn’t going to work. Do you know what you’re going to get? A hundred ‘I Agrees’ the first time you visit the web page and then you’ll never see them again because that’s what people do. The more of those choices you ask people to make, the worse they get at making them.

So do we chuck a load of regulation at this, or do we let businesses sort it out?
The issue is when the regulation requires an enormous amount of secondary work in order to enforce it, in order to determine it is in place. You either create a situation in which the regulation is entirely ignored, or you get a situation where all anyone does is audit. Neither of those are good answers.

Sufficient technological infrastructure or a stratum beneath that would allow you to create much lighter regulation. For example, there’s a lot of cookies that a cookie manager wouldn’t stop, there’s flash cookies, HTML5 cookies. We don’t need a regulation that makes those illegal. Do you know what the model is for getting rid of them? There’s a researcher in America who publishes papers about them. Class action lawyers discover their existence, round up a bunch of people and reduce the companies that reduce them to smoking holes.

You don’t need a regulation, you don’t need inspectors, you don’t need anything. All you need is for it to be in a place where people can discover it, for browsers to respond to users who ask them what they are doing.

Once browsers respond to users who ask what they’re doing, technologically sophisticated users discover cookies, hand them over to class action lawyers, destroy the companies that do it. Job done!

With the right technical underpinning, the regulation becomes much lighter. Companies don’t have to spend as much money, they don’t have to do as much compliance, because you can just look at it, you can just tell from the outside whether it’s doing what it should or not.

How much do you know about security? Test yourself with our quiz.