Recently, I clicked on a link offering a free computer-based assessment of the price of my house. Quickly, it became apparent I would be forced to register for an account before I could see the report.
A recent study found that the average US consumer now has over 120 online accounts, and this number is forecast to rise to over 200 by 2020. Many services and transactions that used to be anonymous (e.g. buying a coffee or using a taxi) are now done via an app which insists we register personal details in order to use the service.
Growing risk to the individual consumer
Many privacy policies and collection statements I’ve seen are long, vague and sweeping – and generally give the organisation freedom to use personal information for a wide range of purposes and distribute the information to an unlimited number of ‘selected third-parties’. However, this growing proliferation of personal information across a complex ecosystem of organisations comes at a cost to the individual – as it directly increases the inherent risk of breach, identity fraud or misuse.
Sir Tim Berners-Lee, inventor of the web, recently commented that: “We’ve lost control of our personal data. The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services. But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data, and chose when and with whom to share it. What’s more, we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”
The Right to Anonymity and Pseudonymity
One of the lesser-known Australian Privacy Principles is number 2, which “provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter” – except in specific cases where identification is required by law (e.g. banking, applying for a passport).
Hence, in many use-cases, consumers have an enshrined right in Australia to interact with an organisation without identifying themselves – although this APP is poorly implemented, judging by the number of websites and apps which try to force registration and identification. Unless organisations change tack, consumers will exercise this right and ‘passively resist’ giving accurate information, and this will lead to more Homer Simpsons and Mickey Mouses in customer data sets.
Going forward, there needs to be a clear benefit associated with identifying oneself rather than this being taken for granted. Fundamentally, organisations need to focus on a number of things to make this benefit more compelling:
- Give customers the option of anonymity. Let customers perform simple tasks such as browsing for information or buying coffee without mandating identified registration.
- Provide registration as an option – but with a clear benefit to the customer. For example, a car rental company may use registration in a loyalty scheme to offer reduced queuing time for the customer at the point of collection.
- Minimise the information collected as part of registration to what has a clear justification.
- Building trust with customers, rather than demanding their personal information, should mean Homer Simpson doesn’t become the most popular customer in the database.
David Owen is a Partner, Cyber Security & Privacy Risk Advisory at Deloitte.