So I'm still trying to wrap my head around the ZKS
business model.. There would seem to be two "threats" that
ZKS defends against: invasion of privacy by (a)
government and (b) by corporate interests.
That ZKS defends against the government intrusion is
boring.. There exist free, open-source projects (PGP,
remailers, FreeNet) that already address this issue --
in cyberspace, opposition to government censorship and
abuse has largely been grass-roots in nature, exactly
like it is in the real world... Also, its uncertain
that there's much of a business model in protecting
people from government tyranny..
So that leaves the economic angle: how to make money
helping people protect their personal information from
corporate interests. This is much more interesting,
since it involves money and since personal info is
worth BIG BIG bucks on the Internet. The fact that I
can't see how ZKS enables this "economic privacy" was
the subject of my first posting..
My thoughts on/definition of privacy is shaped in
large part by the Code of Fair Information Practices
(CFIP). The CFIP was drafted in the early 1970s by
Congressional commission headed up by Elliot
Richardson, the Sec of Health, Education and Welfare
under Nixon. It remains, arguably, the most profound
American thinking on the topic of computers and
privacy, and, ironically, has been largely ignored in
the current debate surrounding online privacy.
Code of Fair Information Practices (taken from
"Database Nation", by Simson Garfinkel):
(1) There must be no secret databases of personal
information
(2) There must be a way for individuals to determine
what personally identifying information (PII) has been
collected, and how it is being used
(3) There must be a way for individuals to prevent PII
collected for one purpose from being used for another
purpose, w/o the individuals consent
(4) There must be a way for individuals to audit and
correct collected PII
(5) Any organization storing, creating, maintaining
records of PII must take adequte security precautions
to protect the integrity of the data.
(Privada and ZKS score a glaring 0 out of 5 in terms
of enabling the CFIP (and hence, by corrolary,
privacy))
Taken literally, this means far more than a Web site
privacy policy. A Web site privacy policy might be the
"meta-information" that goes into the CFIP, but the
CFIP means consumers should have access to all the
"real" information in the databases... If ZKS enabled
the CFIP, then by installing a client, I should be
able to go to DoubleClick and magically see all the
personally identifying information they have on me; I
should be able to go Honda.com and see all the
personally identifying interactions the company had
with me leading up to my purchase of a new Accord; I
should be able to set limits on what these companies
can do w/ this personal info; I should be able to
audit the personal info and make sure its accurate..
this is the essence of online privacy and clearly ZKS
does not enable this -
While several people responded telling me that
ZKS/Privada are far less invasive than forcing
corporations to open their databases, it's not at all
clear to me that this is the case. Society is shaped
by more than just technology and laws (which seems to
be a meme that runs on cypherpunks). Market forces and
social norms are just as important, and I believe
there are some very powerful economic incentives
pushing companies to provide more open access to their
customer databases than before.
One obvious incentive is the tremdenous cost of
customer acquisition. The best direct-marketing
techniques only net roughly a 2% response rate. This
means 98% of the money companies earmark for direct
advertising is a waste. The Internet, a more "perfect"
communications medium, was supposed to fix this, and
allow advertisiers to target consumers better --
instead, only 0.5% of all surfers click on banner
ads.. even worse than in offline direct advertising
media --
Something went wrong, and privacy is probably near the
center of it --
It seems reasonable that by allowing consumers greater
control over their personal information stored in
corporate databases, companies would gain greater
knowledge of how and when and if consumers wish to be
contacted, as well as gaining more accurate
information about their consumers. (Forrester
estimates that 70% of all online forms are filled out
with false info). Companies have a powerful need to
reduce online acquisition costs, and this need acts as
a powerful economic vector pushing companies to
release more control of personal information assets to
the individuals to whom they belong - this same
economic vector pushes "against" business models like
ZKS..
It's difficult for me to imagine "privacy business
models" that don't include some notion of: (a)
monetizing the flow of personal information and (b) an
overall reduction in the amount of advertising seen by
the consumer (advertising, to me, is merely a measure
of how inefficient a particular market is...). Note
that both points present revenue opportunities for the
privacy company.. I don't see these features in ZKS..
Note that the CFIP makes NO mention of
anonymity/pseudomity. Anonymity is VERY IMPORTANT to
preserve in the online environment, mainly for reasons
that boil down to free speech (and, by corrolary,
protection against government censorship); however, if
all ZKS is is a free-speech machine, it's unclear to
me that there's much of a business model in that --
Ultimately, privacy comes down to an "ownership of
information" issue. Several people pointed out to me
that once a corporation collects personal information
on a consumer, that information is "theirs", and it
belongs to the corporation and the corporation
can/should do anything they want with it...
As a side note, it's interesting how OPPOSITE this is
to the view that the recording industry would like to
take of Napster. In the privacy case, a consumer
(entity A) transfers personal information to a
corporation (entity B), and now B owns that
information. In the Napster case, recording company
(entity A) transfers information to a consumer (entity
B), but entity A STILL owns the information. Both
cases involve the transfer of information from A to B,
only in one case, A still owns the information, and in
the other, B owns the information.
What's the difference? The difference is in how we
perceive (mainly through the filter of our existing
legal structures) the privitazation of information
assets. The analogy with copyright is instructive,
since our current legal system privatizes copyrighted
information assets through intellectual "property"
laws; i.e., literally treating the information asset
as a piece of "property"... i.e., the laws both (1)
create an incentive to produce the product and (2)
they protect the right of its possession (I would
argue that in cyberspace, copyright laws only need to
do (1), but that's outside this scope..)
In contrast, our current legal system regards personal
privacy through the lens of "liability" law - if you
invade someone's privacy, they can sue you and you
must pay. I wonder argue that "privacy" cannot really
be "solved" as an online issue until we migrate away
from thinking about privacy in terms liability, and
start thinking about it in terms of property law (much
like we currently think of copyright). This is b/c in
a property regime, the person who holds the property
right has all the power. In a property regime, there
can be holdouts (people who do not wish to release
personal information), there can be no holdouts in a
liability regime; in a property regime, individuals
have autonomy and control, this is not the case in a
liability regime.
Also, in a property regime, the property owner sets of
the price of the asset; in a liability regime, the
courts do -
Note that we don't NECESSARILY need new laws to
facilitate this shift in thinking about privacy; laws
are only important for protecting property when the
combination of code, market forces and social norms
don't protect the property ... through the correct
balance of the last three norms, privacy of personal
information could be "shifted" into a property regime
(I definately believe there are sufficient market
forces for this to happen - the code to do it is up to
the software engineers..)
What's nice about the CFIP is that it carries a very
yin-yang effect that mobilizes the economy in both
directions: consumers can protect thier privacy while
businesses have access to more accurate information
(or, put another way, you can have your privacy, but
you can't lie anymore!) -- it's a win-win for both
sides..
My concern is that in taking what are essentially
"free-speech" products, and marketing them as
"privacy" products, ZKS and Privada are misleading
thier users, and ultimately, the public at large,
about the true nature of online privacy and how
consumers can protect it ---
the ZKS economic vector points "exactly" the wrong way
- consumers should never have to pay to protect their
privacy - instead they should be paid for sharing
their personal information w/in the network.
Businesses, likewise, will always view
anonymity/pseudonymity as "information obfuscation"
and do everything in their power to route around it -
all in all, ZKS is a noble product - I admire what
they are doing.. I just seriously question the
economic viability of their direction, esp wrt being
an "all-encompassing" privacy product, which it
certainly isn't.. it seems this type of product would
work better as freeware, and would be better directed
as a free speech tool for political dissedents.. the
product doesn't enable the type of economic privacy
needed by American consumers right now...
The reason I had to get up and speak out was b/c of
these ads ZKS has been running recently, showing
people w/ tatooed bar codes and implying that ZKS is
this great panacea that will solve that problem - I
find these ads somewhat distasteful, all the more so
since ZKS can't come close to solving this problem..
"controlling" personal information (a la the CFIP)
would solve the problem - ZKS doesn't allow you to
control personal information, it merely allows you to
"hide" personal information - something completely different
IMPORTANT NOTICE: If you are not using HushMail, this message could have been read
easily by the many people who have access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.
