Last month the European Commission proposed adding a new "right to be forgotten" to privacy law. This deceptively simple idea is a ticking time-bomb in the booming internet economy. It is also essential – both for Europeans and Americans – to protect personal privacy in the age of pervasive social media and cloud computing.
The stakes are huge. Two weeks ago Facebook announced an initial public offering that could value the company at up to $100bn. Facebook is worth so much because of the data it holds on its 845m users. Yet it succeeds only to the extent it can monetise the data. If a sizeable fraction of users could easily compel Facebook to delete all their personal data, the company's value would be lower.
I learnt to appreciate the power of electronic data integration as a White House counterterrorism aide, working to enhance government electronic surveillance powers. But Google, by gaining the consent of its users in the form of a quick tick, has secured the power to build an electronic surveillance apparatus that far exceeds anything the Bush administration tried to do.
A right to be forgotten would make the counterterrorism mission harder. My support for it, however, comes from my recent experience as a parent. Last year my children's school shifted to a system called "Google Apps for Education". It works brilliantly, and cost the school little or nothing. But as Google's policy makes clear, even though the school retains ownership of the students' content and may demand its deletion, Google intends to integrate data derived from students' school activities with data from any of its other digital services – and use this to make money. Forever.
The potential is vast. For instance, Gmail has a contact-tracking feature, which integrates with Picasa, its free product for managing digital photographs. Picasa has a tagging feature that can tell Google where and when photographs were taken, and an advanced facial recognition feature that allows Google to identify individuals it has seen in one photo in any photo in the user's digital library. Integrating just these three services with Google's core search function could allow Google to locate individuals in virtually any digital photograph on the internet, and so derive where each user has been, when, with whom and doing what. Add YouTube to the mix, or Android smartphones, or whatever other database Google develops or buys – the implications are breathtaking.
So my children's school, like a growing number nationwide, bought its new email system with the currency of its students' future privacy. It was a rational decision. Like hundreds of millions of people worldwide, the school accepted the short-term value of a cloud-based information service subsidised by the long-term monetisation of user data.
Given this reality, the only answer is a fundamental change in national privacy laws. Individual users of cloud services should have a legal right to be forgotten that supersedes whatever authorisations they (or their surrogates) granted when they created their accounts. Users should, in other words, have the right to change their minds as they learn the implications of that little box they unthinkingly ticked while signing up for the latest, greatest, cheapest cloud-based information service.
The distinction between user content and the service provider's metadata is complex but central to whether a right to be forgotten will have teeth. A meaningful right to be forgotten should require companies to purge not just the content of an email or a photograph, but all the metadata associated with that user.
Establishing such a right would, however, impose uneven economic costs. Companies that depend on monetising user data, such as Google and Facebook, would be badly hit. Old-fashioned technology companies – those that charge for hardware, software or services – would suffer less. We can expect lobbying from both sides. The debate will be rich with irony because so many of the new companies posture as paladins of liberty and social progress.
The writer is an adjunct senior fellow at the Council on Foreign Relations and a principal of the Chertoff Group, which advises clients on cybersecurity.
This article appears in full on CFR.org by permission of its original publisher.