A quarter of a century ago, Scott McNealy, then chief executive of Sun Microsystems, famously dismissed consumer privacy in the internet age as an anachronistic distraction. “You have zero privacy anyway,” he said. “Get over it.” Judging by the way in which consumers have since posted details of their private lives all over social media and breezily ticked the intrusive terms and conditions boxes of many online companies, McNealy may have had a point.
But how we act and what we think can be two different things. Internet users do not appear to have “got over it” when it comes to privacy. Indeed, consumers are now telling pollsters that they increasingly worry about the misuse of their personal data and want stricter controls. A Pew Research poll in the US last year found that 81 per cent of respondents were concerned about how companies collected their data; 71 per cent expressed similar concerns about the government (compared with 64 per cent in 2019).
Such anxieties are all the more acute when it comes to highly sensitive personal information, such as genetic data, which not only affects one individual but all their relatives, too. When you spit into a tube and send it off for DNA testing, you are handing over unique data that cannot be anonymised. You are also sharing information about all your biological family, most likely without their consent. That makes it all the more critical that such data is secure.
In some cases, there are glaring concerns about who can access — or sell — that data. Several users of the London-based DNA testing company Atlas Biomed have recently expressed alarm about the security of their personal information. The business appears to be inactive — it is late filing its annual accounts and has not been active online. It reportedly did not respond to recent enquiries from the BBC and there has been speculation about its links with Russian business interests.
The Information Commissioner’s Office, which enforces Britain’s data privacy laws, also confirmed that it received a complaint about the company.
In the US, customers of the 23andMe DNA-testing service are also anxiously following the fate of the company, which this week admitted there was “substantial doubt” over its survival without the injection of fresh funds. Some 15mn people have used the service and around 80 per cent of them have agreed to share their data for scientific research.
Anne Wojcicki, 23andMe’s co-founder and chief executive, has said she intends to take the company private and will not consider a third-party takeover. “We are committed to protecting customer data and are consistently focused on maintaining the privacy of our customers. That will not change,” the company said in a statement to the FT.
But users are unlikely to be reassured. 23andMe’s genetic data is not covered by the US federal Health Insurance Portability and Accountability Act (HIPAA), which applies to most medical data. It also suffered a serious data breach last year in which 6.9mn user accounts were compromised. Wojcicki has fallen out with the rest of the board, who have resigned en masse. And it is not clear what would happen to 23andMe’s data if the company went bust.
“23andMe highlights very valid anxieties and fears people feel when they have given highly sensitive information to a company for a specific purpose,” says Sara Geoghegan, senior counsel at the Electronic Privacy Information Center in Washington DC. “Users deserve more than a pinky promise that their privacy wishes will be respected.” For more than 20 years, Epic has been campaigning for a federal privacy law that would protect users’ rights.
Such legislation seems unlikely given the anti-regulation stance of the incoming Trump administration — even if many Republicans are themselves concerned about data privacy. The only real alternative is for consumers to assert their power by wresting more control. They must press tech companies to minimise the data they collect, become more transparent about its use and ensure that user consent is voluntary and informed. “Even with the best possible laws, it will not be possible to stop criminals or foreign governments hacking into your data,” says Carissa Véliz, author of Privacy is Power. “Tech solutions are very important.”
Some digital services already offer privacy by design but there is currently little market incentive for their expansion. Users should contest McNealy’s fatalism and stimulate that consumer demand.
john.thornhill@ft.com
