It used to be the case that every web site that held your data would post an elaborate privacy policy, telling the user how the company operating the site was going to protect your data and keep it away from prying eyes.  Not many people read these policies in detail, but it was supposed to be reassuring to know that the site had a policy and that they stated they were going to do the right thing in writing.

Then we heard the revelations about the NSA and Prism.

Now, we discover, all those privacy policy reassurances were worthless.  They were lies.  Your data was not protected and certainly not private.

Understandably, there has been a backlash and now companies like Microsoft and Google are issuing weasel-worded statements denying complicity and claiming they had no choice but to follow orders.  They are issuing new privacy policies, with new, more rigorous promises in them, so that they can continue to operate in Europe.

The problem is that, like before, we only have their word for it.  We have to trust in their assurances.  Well, we took their word for it before, accepting their solemn oaths that they were protecting our data, but their word was no good.  Their word is no good now.  Their privacy policies hold no more weight today than they did before the truth was revealed.

The only kind of acceptable privacy policy is a verifiable one.  How are companies going to permit ordinary people to verify that their data is private and safe?  Therein lies the challenge to the entire industry.  How are they going to make it possible for plain folk to prove to themselves, by direct observation, that their data is safe?

Because that’s what they’re going to have to do.  The genie is out of the bottle.