Before joining the privacy industry, I worked as a web designer and search optimizer. In that role, I counseled small business clients on the importance of brand management. If businesses didn’t manage their brand, someone else would—through search rankings, competitors, customer reviews and so on. Brand management was the opportunity for a business to tell its own story, in its best light possible.

Privacy obeys the same rule.

If individual consumers fail to manage their online identity, someone else will—advertisers, data brokers, insurers, etc. While the Snowden revelations greatly increased consumers’ awareness of data privacy, they did so in a security context. Unfortunately, framing the privacy discussion as “privacy vs. security” has stacked the cards against consumers, creating insurmountable obstacles and stifling broader adoption of meaningful privacy practices. Shifting away from the privacy-vs-security paradigm and towards a “privacy-as-identity-management” mentality would overcome many of these challenges, setting the stage for higher consumer engagement and better tools for privacy management.

Why Privacy vs. Security Hurts Consumers

Security is not a counter-argument to privacy; it’s a fact of life. National security and the imperfect nature of security will always trump individual privacy concerns. Suggesting consumers must choose between security and privacy frames privacy as an all-or-nothing state, obliterated the moment someone clicks an “I agree” button. From this perspective, the only protection available to consumers is going completely off the grid—unreasonable by any standard. This mentality has inspired sensationalist “privacy is dead” declarations from privacy fundamentalists and data-hungry businesses alike, further discouraging consumers from participating in their own privacy maintenance.

The security context devalues consumer data. To consumers, personal data represents more than a line in a database; it represents a personal story. Their hopes, dreams, friends, enemies, triumphs and failures are all stitched together to form an emotional quilt of personal value, meaning and purpose. Following a breach, consumers feel an intrusion upon a personal story, while the security context emphasizes intrusion upon a database. The security context assigns no value to the emotional weight consumers assign to their own information.

More importantly, it fails to address the most basic concern consumers have regarding privacy: meaningful control over their own data. When consumers feel privacy must be exchanged for security, it removes a sense of control over their own data. A defeatist malaise sets in, reducing engagement even among more privacy-savvy consumers.

Why “Privacy as Identity Management” Works

Approaching privacy as personal identity management addresses each of these concerns. Where security is preventative and defensive, identity management is active and constructive. Instead of sowing fear that someone may take personal data, it encourages users to shape their online identity as they see fit, recognizing their data is already out there. It shifts privacy from a futile winner-takes-all contest against an indomitable opponent to the familiar practice of tailoring situation-specific personas. We all have our manicured professional, friend and family personas, why not curate an online persona as well?

Privacy as identity management puts control back in the hands of consumers. Instead of hoping a business will sufficiently protect data from greedy third parties, it asks how businesses use data and what effect it will have on their personal identity. Will sharing data with this service change my online reputation? How will this service change my online experience? Unlike the security context, this allows consumers to mold their own identity and to subjectively value their data by building a story of who they are online—whether private, professional, socially active or a power consumer.

Focusing on the privacy-as-identity-management mentality also squares with the current legal landscape. Even the most egregious of data breaches fail to demonstrate sufficient harm for consumers to seek remedies in court. Yet Spokeo v. Robins has made it to the Supreme Court on the theory that inaccurate public data sufficiently harmed the plaintiff, by presenting an inaccurate online identity. State laws are limiting access to social media profiles by schools and employers, and the Right to be Forgotten centers around the right to remove information no longer relevant to someone’s identity.

The Missing Ingredient: Responsive Feedback

Many of these privacy-as-identity-management practices are already championed by privacy advocates. However, one key element is missing: Consumers need a consumer-facing tool showing the results of their identity management efforts. They need a mirror that shows them who they are in the eyes of data collectors. Most consumers do not interface with the analytics, charts and graphs businesses use to track their business story.

Consumers need a story.

They need characters, projecting their assigned traits and characteristics back at them, something to anchor personal story around. Without responsive feedback, privacy will remain a high anxiety, low engagement activity.

Moving beyond the fatalist privacy-vs-security mentality and towards a consumer-driven privacy-as-identity-management mentality will take time, new tools and a new level of consumer education to promote engagement. Either way, the onus still falls on consumers to manage their own online identity; if they don’t, someone else will.

photo credit: Somebody's looking via photopin (license)