The Electronic Frontier Foundation was not shy in its criticism against Obama's proposed changes to reform the National Security Agency's SIGINT programs, most noteably: PRISM. However, I think they did their constituents a disservice by focusing so much of their feedback on user privacy, and not enough on the real issue: data ownership.
Let's start with the obvious objection to EFF's criticisms: there is no "right to privacy." There is only a right against unreasonable searches and seizures, which is in no way related to privacy. However, even if we assumed there was a "right to privacy" Smith V Maryland dispelled the "privacy" angle for metadata collection from a judicial point of view in 1979. However, when you consider the startling fact that data collection is doubling every couple of years with collection methods ranging from mobile applications to Disney's new smart bands, the concept of user privacy is in grave peril; something that the Federal Trade Commission has been aware of since 2009.
The distinction that's worth noting here is that the NSA is not collecting this information directly from persons, but from companies. Every datum that the government has collected has previously been collected by at least one company with our permission. Therefore, it does not follow from an purely logistic angle that our privacy is being violated - we had already released that information to an outside entity prior to the NSA's collection. Therefore, the victims (form a search/seizure standpoint) are not the people, but the companies.
Once we relinquish control of our data over to companies we are no longer the one in possession of said data. As a result, the only logical inference is that the possessions being searched and seized are being taken from the companies served with National Security Letters. So it follows that it is not our privacy that's besieged here, but rather a violation of the companies' fourth amendment rights (Marshall v. Barlow's, Inc (1978)).
Where consumer privacy comes into play is perceived privacy. With few exceptions, consumers are no longer concerned about the data known about them, but with whom the data is shared.
To put it another way, once a consumer trusts a company (any company will work, but we'll use Google) the amount of information Google knows about said consumer isn't as important as the decision to trust Google. Were Google to become untrustworthy after allegations of collaboration and selling of information to an untrusted agency (eg: the NSA or "the government"), then consumers become sensitive to the information that Google has on file. Understandably, this makes them less likely to share information critical to Google's business model.
This all-in trust model can be seen throughout all of our capitalistic tendencies. For example, very few LinkedIn mobile users are going to forgo updating their mobile application simply because it requests the ability to physically track your location. If we trust the recipient of some of our data, we often times trust them with almost all of our data (some exceptions: most people won't share their social security number with Popcap Games).
What we fail to realize is that we tend to trust companies with our information based on our trust in their products. Due to something known as the "Halo Effect," once we trust in a company's product, it's entirely probable that we will trust in their ability to safeguard our data; even though that assumption makes as much sense as assuming you can fly with an umbrella because you once flew in an airplane.
As a result, we pay a lot of lip service to privacy, but ultimately care very little about it. Unfortunately for privacy advocates, this means that fighting for traditional privacy is ultimately a loosing battle and a change in focus is required. After all, "privacy" is a pretty nebulous topic that means different things to different people - how can you legislate or even endorse one opinion out of so many?
The Privacy Act of 1974 gives us some guidance into the minimal definition of privacy, but only so far as to limit the use of government agencies such as the NSA. To wit, the NSA is not violating the Privacy Act in any measurable way (except not allowing people to view their records), and according to judicial measures are not acting in contrast to privacy interests. What the scandal represents is not a series of privacy violations against the consumer, but a deterioration of trust between the consumer and their corporate data warehouses.
For these reasons, the Electronic Frontier Foundation's assessment of the president's reform measures as being a 3.5/12 for "privacy" are idealistic and naive. Not only is the argument "for privacy" flawed, but the more important issue at stake is data ownership. As data explodes in our modern world, the issue of data ownership is becoming increasingly important. Who owns your e-mails? Your shopping history? Your financial history? Can we really sue Equifax, Facebook, or OkCupid for selling your information if they own the data that is in their possession? The FTC seems to think so:
"Engle, acting deputy director of the FTC's Bureau of Consumer Protection, said, 'if your advertising giveth and your EULA taketh away, don't be surprised if the FTC comes calling."
The issue of data ownership is the new calling card for privacy in the digital world and information age; the Electronic Frontier Foundation just doesn't appear to know it. Before we can clearly define the line between what is an is not acceptable for a company to share about their consumers, we must first clearly define what the company and consumer owns.