The legal aftermath of a political battle fought 25 years ago has come back to raise privacy issues that have a decidedly contemporary twist. Netflix is pushing for a change in the Video Privacy Protection Act (VPPA), which prohibits release of an individual's video rental records without that person's written consent.
The law was passed in 1998, but it has its roots in the 1987 fight over Ronald Reagan's nomination of conservative jurist Robert Bork to the Supreme Court. The Senate turned him down after a fierce political battle. During the fight Bork's personal video rental records were obtained and published without his consent. This action eventually led to passage of the VPPA.
All this was long before the era of online social networking. But now Netflix wants to offer American users the option of displaying their video rentals on Facebook. Users abroad can already do so, but Netflix has not provided the option in the US due to concerns that the VPPA requires consent for sharing each individual video. The firm wants the VPPA amended to allow for blanket consent.
Here is where the going gets tough … and complicated. Why shouldn't people be able to let their friends know what videos they're renting? But will Netflix users understand that their consent applies to every video they rent – not just the ones they want to tell their Facebook friends about? And what happens if users later change their minds? In practice, as we know, once on the Internet, always on the Internet.
As attorney and legal writer Jon Epstein observes, "Social media networks can allow intentional or inadvertent invasive spotlights highlighting potentially sensitive, personal information."
As is so often the case, privacy and security are closely interlinked. Social media firms are in the business of selling personal information to advertisers – or, really, anyone willing to pay for it. People often don't understand the full implications of exposing their personal information. And while Epstein advises reading legal consent forms in full, we know that few people actually do so.
In order to protect our security, personal and corporate, we also need to protect our privacy.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."