On a typical day, users may face a multitude of privacy choices. From choosing to share their location with a mobile app to signing up for a new service, users are often asked to share information that may be sensitive when placed in different contexts. For example, a user who chooses to share their location data to enable navigation on their phone may not then wish to have that same data used to target advertisements to them.
As a privacy researcher, I spent the past few years examining how users make these decisions, and investigating tools and techniques to help make these decisions easier. In the process, I also examined how policy can shape the way privacy decisions are presented to users. Through this work, I developed an understanding of online privacy and decision making which I am now eager to apply to the policy process. TechCongress provides me with an ideal opportunity to do this, while allowing me to gain a comprehensive understanding of policy making.
One of the most well-known findings from the academic literature on privacy decision making is the current over-reliance on “notice and choice” as a primary means for protecting privacy. While giving users choices about how their data may be used is a good thing, they also need to be able to fully assess the potential risks of sharing data in order for these choices to be effective. Unfortunately, these choices can often be either difficult or impossible to make. In cases where data is shared with multiple third-parties, consumers would need to read the privacy policies of each third-party to assess potential risks. This is an unreasonable burden for many consumers as privacy policies are often lengthy and written in language that is difficult to understand. Furthermore, many privacy decisions only offer users the choice of whether to share their data, but offer less control over how their data may be later used. As pattern recognition techniques become more sophisticated, new inferences about users may be drawn from existing personal data that users may not have foreseen or consented to.
Despite these weaknesses, “notice and consent” continues to be the primary means by which regulation aims to protect privacy. I am excited to be entering Congress at a time where transformative ideas about privacy are being reconsidered and new regulation is under active discussion. I look forward to contributing to these conversations through my position as a TechCongress Fellow, where I may be able to have an impact by contributing a deeper understanding of how consumers approach privacy.
Logan is serving with Sen. Cynthia Lummis (R-WY) and supporting issues related to consumer privacy, and cybersecurity.