
Web Exclusive


Protecting Customer Data

What YouTube can teach companies about privacy


When you think of threats to sensitive customer data, you might imagine a masked cat burglar cartwheeling past the sci-fi-blue lasers that surround your data fortress, an evil-genius hacker on your maintenance crew or a highway crash resulting in a roadside strewn with backup tapes.

But how about pinstripe-suited lawyers and robed judges? Last month, a federal judge ruled that YouTube should provide customer data, which some say could be personally identifiable, to Viacom as part of its ongoing, $1 billion lawsuit against the video-sharing site. The order included all viewer data on every video ever watched on YouTube. The data cache in question is remarkable not only for its immensity, but also because such demands are usually tailored to include only users suspected of wrongdoing. After a lashing from privacy-concerned Web users, Viacom volunteered to accept anonymized data and promised not to circumvent the protective encryption.

YouTube owner Google states in the privacy portion of its Web site that it recognizes “privacy is important,” and says it adheres to the U.S. safe-harbor privacy principles of notice, choice, onward transfer, security, data integrity, access and enforcement. That’s nice, and important, but how much does it matter how well any company protects consumer data if one lawsuit could propel millions of records into the hands of a third party? In this case, that third party has sworn that it won’t misuse the data, but is that what law-abiding YouTube visitors had in mind when they first shared their information?

According to Gregory Nojeim, senior counsel at the Center for Democracy and Technology, a nonprofit advocating privacy, two threats exist to safeguarded data on innocent customers: “unexpected law-enforcement requests or mandatory processes seeking the information, and also mandatory processes triggered from private parties, which is what happened in [the YouTube] case.”

As cases where government or private institutions seek stockpiles of consumer data have shown, the bigger the honey pot, the hungrier the bears. In this way, companies that keep detailed consumer data on hand walk a fine line between the desire to perform extensive (and lucrative) market research and provide impeccable customer service on one side, and exposure to name-tarnishing privacy infractions on the other. “A privacy violation — or even a perceived privacy violation — can have dramatic negative consequences for an entire product line. Those consequences have to be weighed when considering how much data to store,” Nojeim says.

Aside from the perils of exposure, each bit of private data carries with it sometimes-murky self-regulatory responsibilities that could soon become black-and-white legal imperatives. The Senate Commerce Committee held hearings in July in which big-name tech firms were among those calling for legislation protecting sensitive consumer information.

All of this might have companies’ compliance officers inching up the bar that data must clear to be considered worth collecting. But, as Wired senior writer Daniel Roth explained in a June lecture on privacy from a business perspective, detailed customer information is becoming more desirable even as risks attached to it grow. “There’s this movement towards companies embracing ‘free’ as a business model,” Roth told conference attendees. In exchange for free e-mail or other online services, customers give up personal data — the more specific, the better — that Web companies use to support the service by selling targeted ads. Roth predicts an information “arms race” in which companies compete for dollars by offering more and more detailed information.

So for businesses, the answer must lie somewhere between hoarding and purging sensitive data. Privacy best practices vary by industry, but Nojeim has three general suggestions for any organization looking to lighten its data load: “It can save less information and it can save information for shorter periods and in such deidentified forms that it can never be reidentified.”

Morgon Mae Schultz is a copy editor for MSP TechMedia.
