By Anna Chung, Dennis Jen, Jasmine McNealy, Stephanie Nguyen
The rise of data privacy breaches and a look into policies that address these challenges
"If a parent comes in and says, ‘Oh, I want to renew my son’s books,’ I can’t go on their son’s account without their son’s card. We never look at anyone’s reading history. We cannot tell someone what is on an account without a library card or ID. We protect everyone’s privacy that way. That is part of the foundation of using a public library.” — Janet Linder, a lawyer and legal writer, editor, and a children’s librarian in the Boston area.
Informational privacy, having the ability to manage access to information about oneself, has often been controlled by the powerful and designed by the minority, as demonstrated by the dominance of particular platforms and technology organizations. Today, in just 60 seconds, the world produces 4.5 million Google searches, 1.4 million Tinder swipes, and 277 thousand Instagram stories. Platform and organizational dominance, coupled with the massive volume of personal data used by businesses, government agencies, and civil society organizations, make individuals uniquely vulnerable to data collection, manipulation, and insecurity. For context, data breaches in 2019 exposed 4.1 billion records, including banking information, login credentials, and location data.
Members of Congress have responded by proposing several bills, many of which focus on limiting data collection and aggregation through system design features. The “like” button, for example, allows the individual to bookmark information or send a one-click response to a post. The simple tap of a “like” button gives companies data, allowing them to create inferences about a person’s affinities, including political affiliations , mood and emotions , and possible purchasing behavior . This information can then be used to create groups and subgroups of people, who could ultimately be influenced by tailor-made content. From personal advertisements to the kinds of posts platform users encounter, this content can persuade someone to spend more time on the platform, thereby disclosing more data.
Legislators have released data protection bills through the lens of highlighting potentially misleading design features embedded in these systems.Some policymakers might want consumers to regain control over their online experience by letting them opt out of the filter bubble created through Big Tech algorithms, as the Filter Bubble Transparency Act illustrates. Another bill (The Social Media Addiction Reduction Technology Act) focuses on more specific design elements by enforcing time limits and “neutral presentation” and banning dark patterns, infinite scroll, badges and awards linked to engagement or usage. In a similar vein, The Deceptive Experiences To Online Users Reduction (DETOUR) Act mandates no dark patterns, deceptive tricks, and no A/B testing without disclosure to users. More comprehensively, many privacy bills introduced between 2018–2020 include “right of access, deletion, portability, and transparent notice and consent,” which may also directly impact visual elements in platform interfaces.
While these bills are intended to protect people from harm resulting from data collection and use, some leave big gaps in implementation. For example, how do we ban filter bubbles for platforms that have thousands of filtering mechanisms? What does it look like to design an effective user experience that incorporates the right to data portability? There appears, then, to be a gap between policy and practice that needs to be remedied to make more adequate law. How might we bridge policy principles to implementation to meet the needs of people and communities they were intended for?
These challenges are not new. Several organizations have outlined ways to better bridge the gap between policy creation and implementation. For example, Design Delivery Policy describes the opportunity to better connect policymakers and government service delivery. “By tightly coupling policy and delivery, governments can use data about how people actually experience government services to narrow the implementation gap and help policies get the outcome they intend,” explains Code for America’s former Executive Director Jen Pahlka. Teams at Georgetown’s Beeck Center and Harvard Kennedy School and IDEO CoLab explored user-centered policymaking — creating tools, frameworks and materials to assist policymakers. “It is imperative that policy makers understand their role in implementation, and that implementers be at the table as policy is designed,” the Beeck Center team outlines.
There is no substitute for speaking with these communities who are often left out of decision-making processes. Alex Gaynor, Security Engineer and Chief Information Security Officer at Alloy, mentioned that “user research is necessary to understand what a term like duty of loyalty means in relation to individuals’ expectations” of some of the bill tenets. Advocacy organizations and human rights and civil rights related groups are closely aligned to protect human and consumer rights and would be helpful to gather their perspectives and feedback as well. Policymakers and industry practitioners could also “create easy channels for advocacy and [human] rights groups to provide feedback and publicly respond to such feedback,” explains Sage Cheng, Design Lead at Access Now.
“I think our whole model related to privacy is built on building relationships through trust,” Charyti Reiter, Director of Programs at On The Rise told us. “Particularly for people on the margins, they don’t have the time to manage sharing of information about themselves in ways that people who have access to other means do.”
Human-centered policymaking is needed alongside the processes used both in Congress to create strong policies and in industry to design privacy protecting features in tech. There must be tighter integration to link user needs to tech products and policymaking. Policymakers should build on existing resources to talk to stakeholders who may experience data-related harm and integrate this into their process. With this in mind, we created a Policy Prototyping Guide that provides a roadmap for the roles needed and the step-by-step process that lawmakers can follow to link bills to practice.