PRIVACY HANDBOOK Guidelines, Exposures, Policy Implementation, and International Issues ALBERT J. MARCELLA, JR., Ph.D., CISA CAROL STUCKI, CISA
John Wiley & Sons, Inc.
This book is printed on acid-free paper. Copyright © 2003 by John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail:
[email protected]. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com ISBN: 0-471-23209-2
Printed in the United States of America 10 9 8 7 6 5 4 3 2 1
CONTENTS
Preface
xi
Acknowledgments
xv
Disclaimer
xvii
Introduction
xix
Chapter 1
Privacy! Paradise Lost?
1
Chapter 2
Privacy Initiatives
24
Chapter 3
Privacy Advocates
53
Chapter 4
International Privacy Issues
70
Chapter 5
Privacy Legislation
132
Chapter 6
Personal Privacy and National Security
170
Chapter 7
Business Privacy Issues
197
Chapter 8
Personal Privacy Issues
221
Chapter 9
Privacy Tools
257
Chapter 10 Establishing Privacy Controls
273
Pulse Pieces
283
Glossary of Terms
320
Suggested Readings
329
Appendix A Executive Overview: Privacy Impact Assessment
332
Appendix B Privacy Impact Assessment (PIA) Tool
337 (Continued)
iii
URL CONTENTS www.wiley.com/go/privacy Appendix C Appendix D Appendix E Appendix F Appendix G Appendix H Appendix I Appendix J Appendix K Appendix L Appendix M Appendix N Appendix O Appendix P Appendix Q Appendix R Appendix S Appendix T Appendix U Appendix V Appendix W Appendix X Appendix Y Appendix Z Appendix AA Appendix BB Appendix CC Appendix DD Appendix EE Appendix FF Appendix GG Appendix HH Appendix II
Appendix JJ Appendix KK
Privacy Surveys (1979–2001) Office of Management and Budget Privacy Policies and Data Collection on Federal Web Sites as of June 2000 Office of Management and Budget Privacy Policies on Federal Web Sites as of June 1999 State of Washington Executive Order 00-03 Public Records Privacy Protections Securing Your Net Presence Who’s Who—Selling Personal Information Protecting Your Internet Privacy Protecting Private Consumer Credit Information Who’s Who—Compiling Personal Information Dossiers Electronic Profiling: You Are What You Surf Core Elements of an On-line Privacy Policy Securing Organizational Privacy—The Threat of Corporate Espionage Ethics and Technology—Securing Personal Privacy Consumer Sample Opt-Out Letter Mail Preference Service Opt-Out Letter Telephone Preference Service (TPS) Opt-Out Letter Protecting Your On-line Privacy Model E-Mail Policy Privacy Advocates Privacy Legislation Pending in the U.S. House of Representatives Privacy Legislation Pending in the Senate of the United States Recommendations for Protecting Your Identity Model Privacy Statement from TRUSTe Countries with Updated Laws to Prosecute Cyber-Crime Top Ten Ways to Protect Your Privacy On-line How to Protect Kids’ Privacy On-line How to Comply with the Children’s On-line Privacy Protection Rule Protecting Your Health Care Privacy General Tips on Protecting Your Privacy Violations of Patient Confidentiality and Consumer Attitudes about Health Privacy Controls for Handling Data Privacy Issues Privacy Policy Generator to Comply with the Gramm-Leach-Bliley (GLB) Act of 2000 Information Necessary to Comply with the Notice Portion of Both the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission COPPA Rule that Implements the Act EPIC Online Guide to Practical Privacy Tools A Checklist of Responsible Information-Handling Practices iv
ABOUT THE AUTHORS
Albert J. Marcella, Jr.,Ph.D., CQA, CCP, CFSA, CDP, CISA, is the president of Business Automation Consultants, a global information technology (IT) and managementconsulting firm. Dr. Marcella designs, implements, and conducts management consulting and IT audits for an international clientele. Prior to the formation of his own firm in 1984, Dr. Marcella was employed by the Dun & Bradstreet Corporation, where he established and formalized the IT Audit function. Dr. Marcella’s additional professional experiences include providing internal systems consulting services to the Hartford Insurance Group, and the design and execution of operational, financial, and information technology audits for the Uniroyal Corporation, both in the United States and abroad. Dr. Marcella researches and writes extensively in the information technologies field and has over 18 information technology/audit and security titles published to date. His dissertation research examined the relationship between Ethics and Auditor Judgment. Dr. Marcella is the Institute of Internal Auditors’ Leon R. Radde Educator of the Year, 2000, Award recipient, and is a Distinguished Adjunct Faculty Member of the Institute of Internal Auditors. Carol Stucki,CISA, is a Senior IT Auditor with the University of California. Prior to joining the Audit Department at the University of California, Carol provided management and IT audit consulting services, conducted technical audit reviews and held positions in IT project management. Prior to consulting, Carol worked as a Manager of Strategic Project Management, and as a Technical Producer for PurchasePro, an e-Commerce company. Carol Stucki’s additional professional experiences include providing internal systems consulting and auditing services to Perot Systems, both in the United States and abroad. Carol also designed and executed operational, financial, and information technology audits and managed software development projects for GTE, both in the United States and abroad. Carol Stucki holds a Bachelor of Business Administration in Computer Science from Angelo State University, in San Angelo, Texas.
v
DEDICATION “Because life is so brief, and time is a thief when you’re in love. . .”
Thank you, Diane, for sharing with me the gift of your love. For your support, strength, and willingness to live life to its fullest. For being my best friend, making each day an adventure, caring for our children and for saying “yes” when I asked you to be my life’s partner. For so much more, which can never be truly expressed in words alone. Diane, with all my heart, and all my love—thank you. Al
“The trouble is we spend too much time thinking about what is going to happen, and too little time making things happen.” This was advice from Gabriel Ross Perot to Ross when he was a boy. This is advice I have often followed myself that made a difference in my success. I dedicate this work to my husband Dale for being there to support me, guide me, and teach me the patience I needed to learn. Thanks for more than just entertaining me for a week! Carol
vi
PREFACE
TEXT TOPOGRAPHY This book contains a wealth of information on the very touchy, very personal, very elusive subject of privacy—what it is and what it is not. Where have we as a society come from and where are we currently heading in our abilities to keep our private lives and information private? This book is a reference source as well as a field manual for anyone concerned with promoting, protecting, and maintaining privacy, their own or that of a corporate entity. This book is not a panacea. It does not represent the silver bullet to gaining control over your individual privacy nor for preventing the loss of that privacy to unauthorized third parties or government agencies. This book will, however, provide the reader with tools, techniques, tips, and insights into reducing and minimizing the exposure to a potential loss of privacy and what both corporations and individuals can do to keep their private “data” and “lives” private. The reader will find this book of great value in understanding the current and emerging social and political forces shaping views and opinions of privacy both domestically (United States) and globally. These views and opinions will ultimately wind their way into public opinion and possibly into general or very specific legislation, which in the long run will have a dramatic impact on our global society. This text on privacy opens with a broad and general introduction to the terms, concepts, and issues central to the controversy of defining privacy, what’s private, what’s not, and how to determine this. Additionally, this introduction sets the stage for a more in-depth examination of privacy issues by reviewing the basic tenets of privacy, privacy survey results, the cost of achieving privacy, and generally addressing exposures and contact concerns surrounding the privacy issues. The reader, through Chapter 1, will be brought face-to-face with key topics and issues at the heart of the privacy debate. With the information and tools to take control, the reader will be empowered to become a proactive participant in securing and maintaining his/her own privacy, or the privacy of organizations for which he/she is responsible. Chapter 2, “Privacy Initiatives,” examines what is being done to address the issue of privacy (both personal and corporate) and by whom it is being done. The reader is presented, in Chapter 3, with a look at U.S. domestic privacy advocates. This is an examination of organizations, groups, associations, and resources aimed at tackling the varied issues surrounding emerging privacy concerns. Chapter 4, “International Privacy Issues,” is similar to Chapter 3; however, the focus is on international organizations, groups, associations, and resources and national government initiatives. U.S. privacy legislation is the primary focus of Chapter 5, with a review of significant legislation focused on addressing privacy. This chapter also examines the impact of these legislative Acts and laws on individuals and organizations. vii
viii
PREFACE
Chapter 6, “Personal Privacy and National Security,” examines very timely issues given recent world events. Chapter 6 takes the reader through a detailed examination of personal privacy and national security issues. Privacy issues directly related to corporations, associations, businesses, and the workplace are the focus of Chapter 7. Issues such as employee monitoring, technological surveillance, profiling, screen monitoring, opt-in/opt-out options, data sharing, and retention procedures are discussed along with establishing and enforcing privacy policies and procedures. Chapter 8, “Personal Privacy Issues,” provides the reader with an analysis and an examination of issues, concerns, as well as exposures that directly affect and impact the reader—on a very personal level. Critical and “hot” issues such as identity theft and pre-employment screening policies are discussed. In addition, recommendations for protecting the reader’s individual privacy are presented in a clear and, most importantly, useable format. An examination of the various “tools” (software and procedural) available to assist individuals in detecting and deterring unwanted, unsolicited privacy invasions, in a digital/virtual world, is the basis of Chapter 9, “Privacy Tools.” Chapter 10, “Establishing Privacy Controls,” concludes the core body of this book with an examination into establishing controls designed to verify a company’s proactive compliance with privacy policies and regulations, a critical chapter given the increasing concern of consumers over their personal privacy. The criticality increases exponentially when one considers the impact of existing, as well as pending, legislation aimed squarely at mandating and enforcing “privacy” in a twenty-first century society. Unique to both this text and the treatment of privacy is the section aptly entitled “Pulse Pieces,” where leading experts, their “fingers on the very pulse” of privacy, speak up and out on critical privacy issues as they see them. These privacy professionals discuss critical and timely issues, which every reader should be acutely aware of and have tightly focused on his/her personal radar screens. These are issues which will affect individuals and corporations alike. Heed their words well.
VALUE-ADDED APPENDICES Last but certainly not of lesser value are the multitude of appendices that provide value-added information to this text, which are available at no cost in PDF format on the book’s companion Web site at www.wiley.com/go/privacy. The reader is strongly encouraged to examine the various appendices available at this site. The reader will find an abundance of value-added resource material that could not have been logically embedded within the core of the text. In the appendices, critical supplemental/ supportive materials can be more fully detailed and examined. Each appendix has been compiled to provide value-added information to those individuals responsible for establishing, implementing, and attempting to maintain personal and/or corporate privacy initiatives. Of particular interest to the reader, however, will be Appendix A and B, which have been replicated here in the text. They contain specific and detailed information on developing and conducting an operational privacy audit. A value-added audit is designed to evaluate corporate compliance with existing, as well as pending, privacy legislation, while addressing client and consumer concerns regarding the privacy of information collection and retention by the corporation or its third-party partners. Appendix B contains the basic design of a Privacy Impact Assessment (PIA) tool—basic only because such a tool is never really finalized or completed. There are always modifications,
DISCLAIMER
ix
updates, and enhancements that can be made as both time and technology march forward. The PIA tool outlined in Appendix B is presented as a base layer. The tool has been developed with the intention that it will be used “as is” by readers who currently do not have such an assessment tool, and modified (customized) by those readers who wish to update or expand upon an existing assessment tool. Either utilization is acceptable. Rounding out these appendices are a host of valuable data, of use to both the corporate reader, as well as the individual interested in learning more about privacy issues and what can be done to preserve his/her own rapidly eroding personal privacy.
NOTE TO THE READER You are solely responsible for proactively taking appropriate action to protect and safeguard your personal privacy, and that of the organization that has entrusted its privacy issues to you. This book and the information it contains will set you on the right course to accomplishing this objective.
DISCLAIMER As always with any book of this nature, here is the disclaimer… The information contained within this book is intended to be used as a reference and not as an endorsement of the included providers, vendors, and informational resources. Reference herein to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authors or the publisher. As such, users of this information are advised and encouraged to confirm specific claims for product performance as necessary and appropriate. The legal/financial materials and information that are available for reference through this book are not intended as a substitute for legal/financial advice and representation obtained through legal/financial counsel. It is advisable to seek the advice and representation of legal/ financial counsel as may be appropriate for any matters to which the legal/financial materials and information may pertain. Web sites included in this manual are intended to provide current and accurate information; neither the authors, publisher, nor any of its employees, agencies, or officers can warranty the information contained on the sites and shall not be held liable for any losses caused by the reliance of information provided. Relying on information contained on these sites is done at one’s own risk. Use of such information is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Throughout this book, reference “links” to other Internet addresses have been included. Such external Internet addresses contain information created, published, maintained, and otherwise posted by institutions or organizations independent of the authors and the publisher. The authors and the publisher do not endorse, approve, certify, or control these external Internet addresses and do not guarantee the accuracy, completeness, efficacy, timeliness, or correct sequencing of information located at such addresses. Use of such information is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness.
ACKNOWLEDGMENTS
You are about to immerse yourself in the nebulous realm of what some have called an inalienable right, a belief, even a desire, the realm of a “state of being” called privacy. Is privacy something achieved by cloaking oneself in plain sight while moving openly and freely in a virtual society? Is privacy attained as a rite of passage, evolving from a privacy neophyte to a fullfledged privacy rights advocate? Is privacy to be fought for as passionately as liberty? Or is privacy reached by a means altogether different? Is a state of privacy ever really attained? Privacy, simply put, is keeping secrets secret, and keeping personal data, personal. Which, depending on how you look at it, may be one and the same. However, in an ironic way, in order to research and write a book on privacy, we have relied upon professionals from varied walks of life, sharing with us their knowledge, information, expertise, concerns, fears, experiences, and best practices. Without these resources, without the willingness of these individuals to share their secrets, sometimes private information, this book would not have met its objective. That objective aimed at providing a comprehensive examination and assessment of both personal and corporate privacy issues and the general issues related to achieving a privacy state of being and assessing privacy compliance in a technologically rich, virtual society. The following dedicated professionals, some of whom are personal contacts and colleagues, have provided the authors with a wealth of knowledge, the breadth and depth of their experience, even contributing specific content for inclusion in this book, and have unfailingly answered a barrage of questions. Each of the following individuals deserves our genuine and humblest thanks and deepest gratitude. Angela Choy, Health Privacy Project, Institute for Health Care Research and Policy Beth Givens, Director, Privacy Rights Clearinghouse Brent Weil, Communications Director, The Privacy Leadership Initiative Chris Slane, Privacy cartoonist extraordinaire Clay Ryder, VP and COO, The Sageza Group David Steer, Marketing Director, TRUSTe Guy Herriges, Manager, Information and Privacy, I&IT Strategy, Policy, Planning and Management Branch, Management Board Secretariat, Ontario Helena Plater-Zyberk, Director of Research, McConnell International Herman Collins, Chief Executive Officer, Privacy Leaders Jane Dargie, Senior Consultant, Secure e-Business group (Enterprise Risk Services Group), Deloitte and Touche, Canada x
ACKNOWLEDGEMENTS
xi
Jason Tolbert, Systems Analyst, AT&T Solutions Jim Kincaid, Colleague and longtime collaborator and coauthor Joe Rosenbaum, Partner and head of the New York City–based Electronic Commerce practice of Reed Smith LLP Julia Lavender, Manager, Finance, U.S. Postal Service, Suncoast District Karen Coyle, University of California, California Digital Library, Author and proactive member of Computer Professionals for Social Responsibility Lisa Brown Shosteck, Manager, Privacy Policy, Ethics & Consumer Affairs Department Matt Brosius, Head of Center for Marketing and Administration, Organization for Economic Cooperation and Development (OECD), Washington Center Michael Clark, Center for Democracy and Technology Rick Bonsall, Manager, Customer Loyalty, Xerox Corporation Robert Bennett, Senior Manager of Business, Washington Group International, Inc. Robert Ellis Smith, Publisher, Privacy Journal Robert Parker, Partner and Canadian National Privacy Service Line leader, Deloitte and Touche, Canada Roger Clarke, President, Xamax Consultancy Pty Ltd, Australia Tim Chander, Research and Issues Manager, Office of the Information and Privacy, Commissioner of Alberta William Sampias, Colleague and longtime collaborator and coauthor To the following organizations, we are also deeply appreciative: Aspen Publishers, Inc. (www.aspenpublishers.com) Atlantic Information Services, Inc. (www.AISHealth.com) Direct Marketing Association (www.the-dma.org) McConnell International (www.mcconnellinternational.com) The Privacy Foundation (www.privacyfoundation.org) The Privacy Rights Clearinghouse (www.privacyrights.org) The Sageza Group (www.sageza.com) Securities Industry Association (www.sia.com) TRUSTe (www.truste.org) Zer∅-Knowledge Systems (www.zeroknowledge.com) To each of these individuals and organizations, we thank you for your time, contributions, dedication, commitment, spirit, and support. This book is a better product as a result of your involvement.
INTRODUCTION Privacy in an Age of Vigilance
DEFINING PRIVACY Privacy and other aspects of trust are essential when it comes to maintaining good relationships with customers, employees, suppliers, and other business partners. The consequences of not doing so can be serious!! Privacy is a broad and elusive concept. It typically applies to the information-handling practices of an organization and the processing of personal information through all stages of its (the information’s) life cycle, including collection, recording, organization, storage, adaptation as alteration, retrieval, consultation and use, disclosure and dissemination, and erasure or destruction.1 Privacy can be both a constraint on how business is conducted and the way information is handled, or an enabler for information-rich business offerings. Personal information (i.e., name, address, phone number, social security number, etc.) allows you to contact, locate, and identify a specific individual. Tying those attributes together with related account, transaction, Web usage, financial, medical, and supposedly private communication information can elevate even the simplest data gathering efforts to sensitive and potentially risky levels. Included in this concern is the gathering and use of non-personal data which may be obtained by tracking or profiling customers’ behavior, such as Web sites visited, or purchases made at these sites. Business-to-business information exchange is also a critical privacy concern. Privacy reaches all facets of an organization’s business infrastructure, including: • • • • • •
Web sites Web-enabled services Back-end systems and databases Network connections with third parties Outside service providers Legacy systems
Critical questions, which should be asked and for which real answers are needed, include but most certainly are NOT limited to: • Does the organization’s information sharing activities follow some sort of enforceable code of conduct? • How would the organization demonstrate compliance with these policies and procedures, if it were required to do so? • Does the organization have in place a visible, up-to-date, enforceable privacy policy? xii
PRIVACY’S EARLIEST ROOTS
xiii
Privacy is especially difficult to define because it means different things to different people. Each of us has our own privacy needs. Women often have different privacy concerns than men; asking a 9-year-old child his age over the Net has different privacy implications from asking the same question of a middle-aged adult. A question that may not be seen as violating our privacy in one situation could have that appearance in another. Even being asked to define your privacy boundaries can be an invasion of privacy. By naming areas of your life that you wish to have kept private, you are in essence calling attention to some areas over others and revealing something about yourself that you might prefer not to reveal. The simple act of opting-in or opting-out is information about you. All of this makes it very difficult to codify privacy into laws and regulations.2 The privacy of your personal information depends on three distinct protections: privacy (when and with whom you share your personal information), confidentiality (when and with whom another person or organization shares your personal information), and security (how well your information is protected from unauthorized access, alteration, or destruction). You must be informed about and control each of these aspects if you are to maintain your privacy. This is especially important in the context of current “guarantees” being offered, some of which do not address one or more of these protections.3
PRIVACY’S EARLIEST ROOTS Privacy and data security have been important issues since the dawn of the computer age, but they did not originate with computers. Paper records and files can also threaten personal privacy or reveal confidential or sensitive information. Long before computers were invented, most organizations kept their critical files under lock and key and restricted access to them to maintain security. Computers made data more easily transportable, easier to copy, and far easier to manipulate. In the beginning, the computers were mainframes, residing in a central processing facility. Visitors could be logged in and out. But once desktop terminals and personal computers made it possible to use files without physically entering a central processing facility or requesting a printout, controlling access became much more difficult. Beginning in the late 1960s and continuing into the 1970s, the computer industry itself and most major users came to understand the problems created by the new technology. They developed their own privacy codes and data security systems to deal with them. The emergence and growth of the Internet, banking by computer, electronic commerce, and other forms of network computing have further changed the situation. In the new, massively interconnected environment, the number of users is growing at a geometric rate. The volume of information available through the system is already incomprehensibly large and increasing rapidly. Users worry appropriately that personal information will be collected and misused by unknown parties: credit card numbers, transaction data, preferences disclosed by the sites they choose to visit or the products they elect to buy, medical and insurance records, personnel files, even data kept on their personal computers. Organizations on the Internet, including corporations, governments, universities and other nonprofit institutions, worry appropriately that hackers or competitors or criminals will enter their systems. Once in, they may engage in fraudulent financial transactions, steal secrets, manipulate records, or sabotage the computer systems themselves.
xiv
INTRODUCTION
The quest to establish trust in the emerging system, on the part of individual users, service providers, retailers and, in fact, everyone who is or will be connected to the system, boils down to assuring the protection of personal privacy and data security.4
PRIVACY—A REASON FOR CONCERN A privacy policy is critical for face-to-face transactions with customers, call-center interactions, EC Web-based transactions, and any other means by which an organization may intend on interacting with people (customers or the public in general). A large part of succeeding in establishing and maintaining privacy is an organization’s ability to build, nurture, and maintain trust and confidence with its customers (traditional bricks and mortar, as well as on-line), business trading partners, employers, and other appropriate third parties. Establishing trust in virtual markets, and confidence and privacy in any marketplace, is not only critical, it is essential to developing customer loyalty, which in turn is critical to continued economic growth and stability. Enabling technologies while allowing organizations to reach new markets has also become an organization’s Achilles’ heel. For example: • Business partners want assurances that your organizational processes and supporting systems are secure. They want a high level of comfort that proper controls are in place. • Customers want to be certain some well-meaning but overzealous sales representative hasn’t seen (or created) an opportunity to share or broker private information to third parties. • Trading partners don’t want their pricing information, customer lists, or other strategically sensitive information being disclosed intentionally or accidentally to their competitors. Data privacy is highly coupled to the overarching idea of trust. Trust management is a critical business issue for most organizations. As professionals are tasked with establishing, ensuring, and maintaining privacy within an organization, questions regarding “trust” preparation should be investigated and answers sought. For example: • Does the organization have an established Trust Management Function? • What are the typical components, functions, actions, and activities of a Trust Management Function? Privacy issues can be complex and consequences for not addressing them properly and appropriately from the beginning can • • • •
Spell financial loss Lead to a loss of customer confidence Attract the ire of the organization and legal department Result in loss of market share, customer base, and competitive advantage
Compelling reasons exist to ensure that an organization’s information technology, and the data which is generated, are subject to solid, verifiable controls and that the organization actually practices these controls. Some of these compelling reasons include: • When you do not assure data privacy and the word gets out, your organization can come under closer scrutiny of privacy advocates and security analysts.
PRIVACY’S ECONOMIC IMPACT
xv
• When you are targeted and exposed, adverse publicity—not only in the trade press but also in the general news media—isn’t far behind. • The resulting loss of customer (and/or investor) confidence can mean serious financial loss and/or liability from which your organization may not be able to recover. • Restoration of the organization’s reputation with shareholders, trading partners, financial and lending institutions, and especially customers, may prove to be a difficult task, if it can be accomplished at all. A common pitfall is doing things you tell people you aren’t doing. See Exhibit I.1. Other breakdowns in trust and violation of the “say what you do, and do what you say” philosophy that most likely will place the organization in an unfavorable light include: • Financial account information being inappropriately supplied to telemarketers • Marketing personnel negotiating business alliances, which include the inappropriate exchange of customer information with undisclosed third parties • Customer service representatives disclosing information (intentionally or accidentally) with other customers or trading partners in telephone conversations • A firm announcing business deals that conflict with its published privacy statement and fair information practices • A hacker, or other unauthorized person, who exploits a system weakness, gaining access to a customer’s personally identifiable information • Inadvertently or intentionally collecting personally identifiable information directly from children under 13 in violation of the Children’s Online Privacy Protection Act Companies should begin to develop and implement, or already have, well-established policies that directly address each of these potential scenarios, and the general failure of the organization’s “trust system,” should such an action take place.
PRIVACY’S ECONOMIC IMPACT Information Services Executive Council (NYC) determined a preliminary estimate of the impact of a variety of opt-in requirements on the catalog and Internet apparel retailers could add $1 billion in costs to a $15 billion industry. The loss of data (from customers electing to opt out and not authorizing the sharing of their information) would be a blow to the organization’s efforts to establish databases of marketing information. The Federal Trade Commission’s (FTC) ongoing investigation audit, Operation Detect Pretext, identified 200 firms (175 of them on the Web) that offer to collect personal financial information and then sell it to third parties, in violation of federal law. The practice of obtaining data about people under false pretenses is called “pretexting.” Exhibit I.1.
What You Say Versus What You Do
What You Say We don’t use cookies. We don’t share information with third parties.
What You Do Cookie utility is left on when application is released into production, thus, cookies are active. “Data spills” occur when a Web site banner ad transparently sends personal and transactional information to a third party.
xv
xvi
INTRODUCTION
Establishing privacy, or better yet, attempting to become privacy compliant, carries with it a hefty price tag, one that many organizations may simply not be able to afford. Organizations and agencies are not the only victims of increasing privacy concerns and attempts to establish solid privacy controls and procedures. Individual consumers are also at risk from the very procedures and legislation designed to protect them. Privacy carries with it a fairly high price tag (see Exhibit I.2). Compliance with the specifics of the Health Insurance Portability and Accountability Act (HIPAA) legislation, for example, is not going to be a simple process, neither systematically nor financially. The U.S. government has estimated that the cost to an individual hospital, to bring its current practices into line and compliance with HIPAA, will average between $100,000 and $250,000. The Blue Cross/Blue Shield Association studied the same compliance issues and it has estimated that the cost to become compliant will range between $775,000 to $6 million for each hospital. Computerizing patients’ records should make it easier to meet the legislative requirements that give patients the right to know who has seen these records. However, it will also expose the same records to easier and broader access if proper and appropriate controls are not in place. Given the pending legislation and the estimated costs of complying to the HIPAA legislation, companies could be forced to: • Hire chief privacy officers or attorneys dedicated to privacy issues • Make privacy central to the business and dedicate increasingly more resources to privacy • Buy new hardware and software to protect privacy, authenticate users, and secure databases of personally identifiable information • Implement alternative policies and procedures in order to collect consumer information shared with internal departments and third parties • Develop systems, procedures, and applications that allow consumers to access data collected about them and where appropriate, modify that data Any of these steps could be costly, not only financially but also in the time required to get such programs and policies up-to-speed, time many organizations realistically do not have. Robert Hahn, director of the independent American Enterprise Institute-Brookings Joint Center for Regulatory Studies, a Washington think tank (www.aei.brookings.org), analyzed the potential labor and hardware costs to 17 firms in 10 states should they be required to meet several of the proposed [privacy] standards. He then based his findings on a fraction of companies with an on-line presence.5 Exhibit I.2.
The Cost of Compliance
Cost ($U.S.)
Effect
$17 million
Annual cost to consumers if financial services companies were not able to share information with affiliates and third parties (Ernst & Young). The cost to U.S. businesses for compliance with the Gramm-Leach-Bliley Act, which regulates privacy of financial information (Competitive Enterprise Institute). Cost consumers would bear because of the disruption of routine consumer information flow. Due to the restrictions on exchanging information, Internet and catalog apparel retailers’ prices could rise 3.5 percent to 11 percent (Direct Marketing Association). The yearly salary for a chief privacy officer (CPO) (Progress and Freedom Foundation).
$750 million to $1.25 billion per year $1 billion
$125,000 to $150,000
LEGISLATION
xvii
Hahn’s estimates indicate that companies would spend an average of $100,000 to make the necessary infrastructure changes. That would amount to $9 billion to $36 billion should just 5 to 10 percent of the current 3.6 million Web sites comply with the proposed standards. Fear of fines would prompt the other 90 percent to stop sharing consumer information, shut down, or find a less-expensive alternative to data collection. Hahn has been criticized for his methodology and study results, which are based on several bills, including the Consumer Internet Privacy Enhancement Act, cosponsored by Representatives Anna Eschoo (D—California) and Chris Cannon (R—Utah). The bill requires all commercial Web sites that collect personally identifiable information to define what information is collected and by whom; how it will be used; whether the information is required to use the site; and the methods used to secure personal information. It also requires sites to provide users with an option that limits the use and disclosure of their personal information in a “clear, conspicuous and easy manner to execute.” Several other House and Senate bills mirror this one.6 The calculation falls short in two ways according to Jane Black, an analyst at Business Week Online (www.businessweek.com). First, the study does not recognize savings that could result from companies learning better and more efficient ways to handle customer data. In the case of health-care portability, the Health & Human Services Department estimates that the new privacy regulations—more complex than anything currently proposed for Internet privacy—will cost $17.6 billion to implement. But the rules will produce a net savings of approximately $12.3 billion for the health-care industry by improving the way the system works and eliminating paper transactions. Second, Hahn’s study calculates the cost of implementing proposed legislation as if every Web site were starting from scratch. Yet he cites figures that seem to counter that in his own study. In 1998, the FTC reported that only 14 percent of 1,400 commercial Web sites sampled provided any notice about their information practices. By February 2000, 84 percent of the top 1,000 sites had a privacy policy.7 Bart Lazar, a partner with the Chicago-based law firm Seyfarth, Shaw, Fairweather & Geraldson, believes Hahn’s estimates may actually be conservative compared to actual costs, given that they are based on limited information. Not all respondents included the cost of consulting and legal services, software modifications, additional hardware, and privacy policy changes.8 Hahn admits that some of the study’s assumptions may be less than rock solid. And he encourages others to try to come up with estimates on what the ultimate bill for privacy could be. Whatever the final estimate (and it can only be an estimate), it will not be inexpensive. And compliance will not be an option—it will be a matter of survival. As dot-com companies morph into dot-bomb companies and as the economy weakens, forcing many companies to liquidate assets, a significantly critical question surfaces, “How does a company dispose of probably its most important asset—its data (e.g., customer lists)?” What once was touted as private and confidential is now up on the auction block, in bankruptcy court, or available on-line—organizations’ customer lists. See Exhibit I.3.
LEGISLATION The Gramm-Leach-Bliley (GLB) Act prohibits anyone from obtaining a customer’s information by using false representations, fictitious documents, or forgery. Violations may result in civil penalties of as much as $11,000 for each violation, as well as criminal penalties.
xviii
Exhibit I.3.
INTRODUCTION
Your Privacy for Sale
Company
What the company is selling (or has sold)
Boo.com
Sold its customer list to Bright Station, the technology group formerly known as the Dialog Corp. The company intended to sell its customer list in 2000, when it shut down, but gave up when confronted by the Texas Attorney General. The cost of litigation outweighed the customer list’s sale price, according to a company spokesperson. The Texas Attorney General asked a Delaware bankruptcy judge to prevent the failed toy company from selling its list of nearly three million customers. Sold its customer information to Burpee Holding Co., the parent company of W. Atlee Burpee & Co., giving customers the right to exclude their individual information. The Texas Attorney General sued the company to stop it from selling data about its 200,000 customers. A settlement permits the company to sell the data, if individual customers are first allowed to opt out. Sold its customer list to HealthCentral.com, but it first gave customers the chance to opt out of the sale. Sold its customer list for $50,000 to the Walt Disney Co., a majority owner, which agreed to destroy the records.
Craftshop.com
eToys Garden.com
Living.com
More.com Toysmart.com
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which took effect in April 2001, gave health-care industries two years to implement policies and procedures to keep patient information confidential (thus affecting 2,000 health plans, 7,000 hospitals, and 1.5 million health-care providers). HIPAA becomes law and fully enforceable on April 13, 2003. The Financial Service Modernization Act of 1999, effective as of June 30, 2001, in return for letting banks expand into new markets, requires that they protect the privacy of customer data and seek permission before sharing it with other businesses. In addition to fines for inadvertent disclosure of patient information, health-care professionals (employees) can go to jail for up to 10 years for deliberate malfeasance. Senator John McCain (R—Arizona) and Senator John Kerry (D—Massachusetts) have proposed legislation which would require Internet retailers to allow customers to get out of use or sale of their data. If passed, this legislation will require Internet retailers to develop more advanced systems of identifying and tracking exactly which customers have opted out and which ones have not. Seems a little ironic. Senator Ernest Hollings (D—South Carolina) has proposed an even more restrictive “opt-in” model that would require companies to get customer permission before any sale of identifiable data. Again, forcing companies to track (at least retain) customer identifiable data detailing customer name, account details, and possibly signature, in order to comply with the proposed opt-in model. These new rules (as well as others pending) will for example forbid banks from using an individual’s social security number as an ID number. This will require banks and presumably similar financial institutions to develop new “tracking” systems and ensure that all bank recordkeeping systems can use any new ID scheme which may eventually be developed.
SECURITY, PRIVACY, AND CITIZEN RIGHTS Polls taken since September 11 (2001) show that 86 percent of Americans are in favor of wider use of facial-recognition systems; 81 percent want closer monitoring of banking and credit card
SECURITY, PRIVACY, AND CITIZEN RIGHTS
xix
Exhibit I.4. Post–September 11, Americans Favor Expanding Government Surveillance Powers Favor (%) Use of facial-recognition technology to scan for suspected terrorists at various locations and public events Closer monitoring of banking and credit card transactions to trace funding sources Adoption of a national ID system for all U.S. citizens Expanded camera surveillance on streets and in public places Law-enforcement monitoring of Internet discussions in chat rooms and other forums Expanded government monitoring of cell phones and e-mail, to intercept communications
Oppose (%)
Not Sure/Decline to Answer (%)
86
11
2
81
17
2
68 63
28 35
4 2
63
32
5
54
41
4
Data Source: Harris Interactive (Poll of 1,012 adults surveyed by telephone between September 19 and 24).
transactions; and 68 percent support a national ID card (see Exhibit I.4). But the quest for safety is also going to come at an incalculable cost to personal privacy. Any tool that is powerful enough to strip away the anonymity of Khalid Al-Midhar—one dangerous traveler among millions of innocents—will do the same thing to ordinary citizens. Their faces will have to be scanned by the same cameras, their spending habits studied by the same computers. The war on terrorism still continues, and one thing is already clear: in the future, information about what you do, where you go, who you talk to, and how you spend your money is going to be far more available to the government, and perhaps businesses as well. “September 11 changed things,” says former Federal Trade Commissioner Robert Pitofsky, one of the most forceful privacy advocates in recent decades. “Terrorists swim in a society in which their privacy is protected. If some invasions of privacy are necessary to bring them out into the open, most people are going to say, O.K., go ahead.”9 Unlike facial surveillance, ID cards, or data-mining—which invade everybody’s privacy— the government’s new eavesdropping powers will primarily target known suspects, and therefore they do not raise as many issues for the public at large (or maybe that is what we would truly like to believe). There is one major exception: Carnivore, a technology the FBI uses to monitor e-mails, instant messages, and digital phone calls. Carnivore generated widespread controversy before September 11 for being too powerful. When installed on a suspect’s Internet service provider, it searched through not only the suspect’s Web and Internet activities but also those of people who used the same ISP. After privacy advocates complained, the FBI scaled back its deployment. Now, the brakes are off. There are widespread reports that the government has hooked up Carnivore to ISPs with minimal oversight. The government will probably soon demand that ISPs and digital wireless providers design networks to make them easier to tap. Just a few months ago, the FBI wouldn’t have dared to ask. Now, such a move would barely make the papers. Facial-recognition software. Data-mining. National ID cards. Carnivore. For the near future, these technologies are going to be deployed as stand-alone systems, if at all. But we live in a digital age. All of these technologies are built on ones and zeros. So it is possible to blend them together—just as TVs, computers, video games, and CD players are converging—into one monster snooping technology. In fact, linking them together makes each one exponentially more effective.10
xx
INTRODUCTION
HOMELAND SECURITY ACT OF 2002 On November 25, 2002, President George W. Bush created a new Department of Homeland Security (DHS) by signing into law H.R. 5005, more affectionately known as the Homeland Security Act of 2002, headed by the Secretary of Homeland Security. The new department’s mission is to analyze threats, guard domestic borders and airports, protect U.S. critical infrastructure, and coordinate the response of the United States for future emergencies. The Department of Homeland Security is mandated to focus its entire effort on protecting and ensuring the safety of the American people. Does this mandate, however, go too far? What rights to privacy has the nation lost in the name of security? By a single stroke of a pen, the Act establishes procedures for sharing data, information, and procedures, which reverses an age-old philosophy of keeping secrets secret and of not sharing such secrets with your political rivals. Sharing is good. It is good for the protection of citizens who may benefit from the crossreferencing of critical data and the matching of suspicious actions and activities with suspected criminals. But, it is not good when all of this is taking place without the underlining guiding principle of an ethical-use policy. The Act does not specifically nor formally address the ethical use of the data that is to be harvested, stored, and mined. The Act does provide, however, for the appointment of a Privacy Officer. The effectiveness of this position/person will most certainly have to be determined. The incumbent may never achieve complete independence or be fully capable of exercising the responsibilities and duties of the office. It remains to be seen if this individual will receive senior administrative support to override the requests of his/her direct and/or political supervisors when it comes to the use (ethical) of specific information gathered under the name of “the Act.” Of a larger, more critical concern, however, is what the Act does to erode and to finally lay to rest any remaining perceptions of individual privacy. The Act authorizes the creation of a “Total Information Awareness” (TIA) database. The Defense Advanced Research Projects Agency (DARPA) [the folks who brought us the Internet, albeit in embryonic form, not so many years ago, and who, by the way, are the research and development “subsidiary” of the Department of Defense (DoD)] will develop this database. The TIA database will be designed to track a wide variety of data regarding every American citizen (and who knows, maybe even foreign citizens). Once the design has been fleshed out, it would be very logical to entice other foreign governments into purchasing the application technology, first to be used internally to track its own citizens (a la the United States) and second to establish a global, linkable, accessible mega-database. Think Big Brother but now think globally and on steroids! The database will eventually gather data regarding such individual specifics as (but not limited to): • • • • • • •
Credit card purchases Telephone calls made Web sites visited Academic grades received Surveys taken Sweepstakes entered Property purchased
SUMMARY
• • • • • • •
xxi
Financial records Magazine subscriptions Medical procedures Travel data E-mails Pets owned, and Religious preferences
Basically every American’s move in a virtual, electronically dependent society will be eligible for capture and inclusion into personalized dossiers. However, it does not stop here. Eventually, all that data can and most logically will be linked with an individual’s biometric data such as digitized face-recognition data and digital fingerprints (taken, for example, from the California Law Enforcement Telecommunications System (CLETS), a repository for California motor vehicle records, rap sheets, and fingerprints). Once organized, mined, and formatted, the data can be further scrutinized using artificial intelligence/expert systems, and pattern-matching algorithms to detect patterns of suspected terrorist activity (or potentially any other type of activity). The results can be provided instantly via high-speed telecommunications to law enforcement (or military) personnel, whom we trust (currently, without an oversight mechanism in place) to use the information ethically in efforts to thwart terrorist actions before these actions can develop into actual threats against American citizens. Go to your local Home Depot, pick up this week’s special on sale, lawn and garden fertilizer, and rent the on-site Home Depot truck to take it all home (don’t want to dirty the BMW). You could find yourself explaining (in detail) your intentions to local, state, and even federal authorities, before you even get a chance to plant those tomato seeds. Buy a lottery ticket, pay for dinner, make a calling-card call, charge your next prescription, visit an on-line “chat” room—your life is no longer private. Any, if not all, of these “activities” or transactions can be captured, logged, and placed into your personal information dossier. The kicker is that you don’t even have to be suspected of any wrongdoing, you and your digital life will be swept up along with everyone else—innocent or not. Additional concerns and implications to issues of privacy include the fact that the Act is allembracing in its breadth and depth and will have tremendous consequences, both intended and unintended, on everything from the civil liberties of Americans (and potentially others) to due process for immigrants. No one (not at least your average citizen) will be exempt from the potentially very long and very technical arm of the government. What right to privacy has the individual, the American citizen (or anyone) living in a democratic society, lost in the name of security?
SUMMARY On-line “netizens” have grown increasingly concerned about on-line privacy. As more and more information becomes available on-line, the easier it becomes for personal information to be distributed to others. Privacy concerns can be categorized in roughly three ways: 1. Nuisance concerns. Consumers fear marketers will use personal information gathered at Web sites to initiate unsolicited marketing activities. Examples include unsolicited credit card offers, unsolicited telemarketing, and unsolicited “spam” mail.
xxii
INTRODUCTION
2. Discriminatory concerns. These concerns come from the possibility that personal information can be used to disadvantage or discriminate against someone in society. For example, imagine that a company found out one of their employees was researching HIV on the Web and subsequently discriminated against that employee, assuming he or she was HIV positive. Could personal “off-duty” Web-browsing habits play a part in someone’s job? Could insurance companies use information collected on the Web to deny claims? 3. Malicious concerns. These concerns address the possibility that those with evil intentions could harm someone’s life, family, or property. Pedophiles could, for example, gather information from children’s Web sites in an attempt to identify their next target. On-line banking and credit card information could be used to steal money. Stalkers could find detailed personal information of their victims. Both government and industry leaders are responding to pressure to do something about these issues. The U.S. government has responded by passing many laws to bolster on-line privacy. The Children’s Online Protection Act of 1999 seeks to protect children from damaging Web content, and misuse of the private information of a minor. Senator Paul S. Sarbanes has introduced the Financial Information Privacy Protection Act of 2001 to protect private financial information on-line. Within the provisions of this Act, consumers could demand that financial institutions not share personal information with other institutions. Banks would have to possess positive consent, as opposed to the usual practice of assuming “yes” unless the customer speaks up. This act would allow customers to see their information and make corrections.11 Representatives Joe Barton and Edward Markey are introducing similar legislation to keep financial institutions from hiding behind the fine print of their privacy policies. The Gramm-Leach-Bliley Act went into effect July 1, 2001. This act requires that financial institutions provide users a written privacy notice, describe the information they have retained about customers, and explain how they obtained that information. (This is why many people have received special privacy notice mailings.)12 The Health Insurance Portability and Accountability Act (HIPAA) contains provisions for the secure transmission of electronic patient medical records. Before President Clinton left office, he extended HIPAA to cover even oral and paper medical information. Violations can result in fines up to $250,000 and up to 10 years in prison. Some of the other provisions of HIPAA include: • Patients can easily obtain and correct medical records. • Health care information can be used for health purposes only (e.g., not for the job interview—employers cannot do “health screening” to lower insurance plan costs). • Health care organizations must update electronic medical record transmission systems to provide auditing and tracking capabilities. • Databases must have security features such as encryption, digital signatures, and personal authentication technology.13 Not only is there new legislation to protect privacy, but the U.S. government has much older legislation to lean on in its fight against the on-line privacy issue. Some examples include: • • • •
The Cable Act of 1984 (cable television) The Video Privacy Protection Act of 1988 (video rental records) The Electronic Communications Privacy Act of 1998 (electronic mail) The Polygraph Protection Act of 1988 (lie detectors)
HOMELAND SECURITY ACT OF 2002
xxiii
• The Telephone Consumer Protection Act of 1991 (auto-dialers and junk faxes) (2001, Congressional Testimony) The courts, in light of technological changes, are reinterpreting some older legislation. For example: • How does wiretapping apply to Internet phone calls? • Should cable legislation or Internet legislation, or both, control Internet service over cable lines? • Does the Video Privacy Protection Act, which protects an individual’s private renting habits, also work for satellite “pay per view”? • What about “digitized movies” that can be downloaded from the Web? The following should cause the reader to pause and to reflect for a moment on the potential privacy exposures that exist even in systems and procedures that the user believes to be secured. To those affected, becoming HIPAA compliant will pose new and sometimes unique challenges to establishing both comprehensive security and privacy policies and procedures. HIPAA mandates that all protected patient information is secured from unauthorized access: a database and network security issue. But red flags are also going up over the risks of transmitting data over the Internet in insecure ways. Although a medical provider’s internal database may be secured, what about the Internet over which data enters and leaves such a repository? For example, a patient’s MRI may be conducted at an imaging center and e-mailed to his/her family doctor, who then sends the images and report to a neurologist for consultation and to the hospital for treatment. Even though each of these individual locations are HIPAA-compliant and the patient’s information is protected while it rests in their hands, what protects this data while it travels digitally from one office to another? This could be a major loophole in the law and many may want to know what the medical industry is doing to protect the Internet that it uses to transport patient information. Meanwhile, low-tech machine-to-machine fax—the kind that doesn’t store documents on a LAN or Internet-accessible server—plays well into a stopgap role.14 The reader is advised to examine all aspects of data storage, retrieval, and transmission with respect to privacy implications, regardless of how insignificant these interrelationships may appear on the surface. These have become major issues in court, and the rulings are having significant impact on privacy protection. For example, a U.S. District Court ruled that Cablevision would have to allow federal agents to monitor a suspect’s Internet-over-cable communications without notifying the suspect. This seems to conflict with the U.S. federal law which states that no one can seek information concerning a cable subscriber without first notifying that subscriber. The court ruled that the law only covers cable TV, and not Internet service via cable. Thus, law enforcement is allowed to conduct secret “wiretapping” on Internet communications as they do with telephone communications (regardless of whether the Internet service is over cable or any other medium).15 In contrast with the U.S. government, industry leaders have done relatively little to bolster on-line privacy. Conflicting pressures have put industry, as a whole, in a dilemma. On one hand, there is increasing pressure from consumers about securing and maintaining individual privacy. On the other hand, corporations feel the pressure to maximize the revenue potential of the information they have.
xxiv
INTRODUCTION
For example, Time Warner used to market Sports Illustrated for Kids on their Web site by automatically sending kids “risk-free” subscriptions (kids could cancel if they did not want the magazine). Time Warner received relatively few cancellations and few complaints. When Time Warner switched their policy to one that required written parental consent before they sent out the magazine, the subscription rate dropped 90 percent! This is why many Web sites will have in fine print, privacy “legalese,” which most consumers will not bother to read. Usually, this policy allows the company to share information unless explicitly prohibited by the customer in writing. However, there has been some movement within industry to increase an individual’s privacy. Most notably is the Platform for Privacy Preferences Project (P3P), a standard developed by the World Wide Web Consortium (W3C). P3P technology is designed to encode privacy policies in machine-readable form. A user with a P3P compatible browser will receive a warning when he/she visits sites that do not meet his/her preset privacy preferences. What would motivate a company to convert to P3P if additional privacy could impede marketing goals? Realistically, users wielding P3P browsers could potentially reject non-compliant Web sites, which could translate into substantial lost sales to a competitor who is P3P compatible. P3P is of special concern with the advent of Windows XP and Internet Explorer 6.0. Microsoft has embedded P3P into their products, which will soon make P3P-compatible browsers the norm. Unfortunately, P3P falls short of true privacy enforcement. Nothing will force companies to code their privacy information correctly or completely, as long as they have a legal text posting which meets the federal requirements for privacy disclosure. Moreover, this new technology does not force companies who are not privacy “compliant” to change. In addition, to complicate matters, consumers may become even more frustrated by the constant privacy warnings sent back from their browser, as they try to visit sites that do not meet their privacy criteria. Sadly, the efforts of the U.S. government and industry in general have fallen far short of what is needed to adequately protect “netizens.” Ultimately, the responsibility lies with the consumer. The old adage “Let the buyer beware” applies to virtual markets, too. Just because they exist in a virtual marketplace and everything in this virtual world is on-line does not mean netizens can let their guard down. Unfortunately, most people do not take the threat of a loss of privacy while on-line seriously. What is the current state of on-line privacy? What does this mean for you and me? Indeed, privacy on the Web is a misnomer. Privacy is often discussed along with accompanying regulation, but the two concepts, privacy and the Web, really do not go together. Most people would like to maintain their privacy, and some even go to extraordinary lengths to protect it, but once they get on the Web, most of their privacy concerns seem to go out the window. As Joshua Quittner, news director for Pathfinder, Time Inc.’s mega-infomall, points out, “For the longest time, I couldn’t get worked up about privacy: my right to it; how it’s dying; how we’re headed for an even more wired, under-regulated, over-intrusive, privacy-deprived planet.” Typically, it takes an act of some sort to get people worked up over their privacy. Mr. Quittner relates that he did not take his privacy seriously until someone forwarded his “home telephone number to an out-of-state answering machine, where unsuspecting callers trying to reach me heard a male voice identify himself as me and say some extremely rude things.”16 As Ian Goldberg, David Wagner, and Eric Brewer write in their paper “Privacy-enhancing technologies for the Internet,” New users of the Internet generally do not realize that every post they make to a newsgroup, every piece of email they send, every World Wide Web page they access, and every item
ENDNOTES
xxv
they purchase online could be monitored or logged by some unseen third party. The impact on personal privacy is enormous; already we are seeing many different databases of all types, selling or giving away collections of personal data, and this practice will only become more common as the demand for this information grows.17
What can we do about our privacy on the Web? Ironically, you often have to turn to a third party for help. Many software developers are producing products that help provide anonymity, such as Lucent Technologies Personalized Web Assistant (LPWA). “LPWA acts as an anonymous proxy server, handling HTTP requests between a user and a Web site so that the user remains anonymous.” Mr. Alain Mayer, one of the developers of LPWA, points out that LPWA “…filters the HTTP protocol so that no unwanted information goes out from the user.” AT&T has developed a Web browsing tool called Crowds which attempts to obscure your identity while you surf the Net. “The system works by pulling its users into ‘crowds.’Any request made by a member is randomly forwarded to someone in the crowd, so that the target server cannot tell if the requesting party is in fact the originator of that request.”18 While products such as these help to provide anonymity to Web surfers, they also provide anonymity to those who would use the Net for illicit purposes. Controlling abuse, as pointed out by Goldberg, and others, is one of the greatest challenges faced by researchers in Internet privacy technology.19 Individuals will now have to take responsibility to ensure that the information they post on the Net is sanitized to the state where they feel safe. As stated before, one never knows who is collecting and storing personally identifiable information, which may be used against them at some unforeseen time in the future.20 The authors implore you, the reader, to question all the answers, to ask “why?” when asked to divulge confidential, personally identifiable information, and to feverishly guard your privacy with all your resolve.
ENDNOTES 1. Tretick, B., “Can you keep a secret?” Intelligent Enterprise (January 1, 2001), 68. 2. Coyle, K., www.kcoyle.net/privacy, from a presentation at SHARE, San Francisco, February, 1999. Accessed March 2002. 3. Goldhamer, D., http://home.uchicago.edu/~dhgo/privacy-intro/dsld02.html, from a presentation to Computer Professionals for Social Responsibility, July 2000. 4. Reproduced by permission from www.ibm.com/ibm/publicaffairs/asci_ file/02protec.txt, © 1999 by International Business Machines Corporation. 5. Hahn, Robert, Director of the Independent American Enterprise Institute-Brookings Joint Center for Regulatory Studies, www.aei.brookings.org. 6. Saita, A., “Privacy’s pretty penny,” Information Security, July 2001, 24. 7. Black, J., “What Price Privacy? Companies should stop wielding scary numbers and help design a law that will protect consumers—and make business more efficient,” BusinessWeek Online (June 7, 2001), www.businessweek.com/bwdaily/dnflash/jun2001/nf2001067_517.htm. 8. See note 6. 9. Curran, K., “War on Terror Worries Privacy Advocates,” NewsMax.com, (October 31, 2001), www.newsmax.com/cgi-bin/printer_ friendly.pl. 10. France, M. et al., “Privacy in an Age of Terror,” BusinessWeek Online (November 5, 2001), www.businessweek.com/magazine/content/01_45/b3756001.htm. 11. Capitol Hill Press (author not available), Sarbanes Spearheads Financial Privacy Legislation as Priority in New Congress, Capitol Hill Press Releases (January 23, 2001).
xxvi
INTRODUCTION
12. McNeil, M., “Protect Consumer Information,” Ward’s Dealer Business (August 1, 2001), 44. 13. Fonseca, B., “Top of the News: A Health Care Y2K Is Starting to Hit Home,” InfoWorld (January 8, 2001), 45. 14. Grigonis, R., “The Many Faces of Fax Personalities,” Communications Convergence (December 4, 2002), www.cConvergence.com/article/CTM20021202S0003. 15. Berkowitz, H., “Ruling Limits Online Privacy/Cablevision Must Disclose Customer Info.,” Newsday (August 24, 2001), A08. 16. Quittner, J., “Invasion of Privacy” (2001), www.time.com/time/reports/privacy/cover1.html. 17. Goldberg, I., et al. “Privacy-Enhancing Technologies for the Internet,” University of California, Berkeley (2001), www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacyhtml.html. 18. Stutz, M., “Covering Your Tracks via a Helping Hand,” Wired News (June 10, 1997), www.wired.com/news/technology/1,1282,4375,00.html. 19. See note 17. 20. Bennett, R., Tolbert, J., “Online Personal Privacy—What is Being Done to Protect an Individual’s Privacy in Today’s Virtual Community?” Thesis, Webster University, 2001. The authors wish to thank Mr. Bennett and Mr. Tolbert for permission to use their material as the summary to this Introduction. Used with permission, amended, modified, and updated by the authors, March 2002.
There is growing concern that computers now constitute, or will soon constitute, a dangerous threat to individual privacy. Since many computers contain personal data and are accessible from distant terminals, they are viewed as an unexcelled means of assembling large amounts of information about an individual or a group. It is asserted that it will soon be feasible to compile dossiers in depth on an entire citizenry, where until recently the material for such dossiers was scattered in many separate locations under widely diverse jurisdictions.
Feistel, H., “Cryptography and Computer Privacy,” Scientific American 228, no.5 (1973): 15–23.
1 PRIVACY! PARADISE LOST?
Introduction Ethics—The Foundation We Need The Importance of Privacy Privacy—Does it Really Matter? Reassessing Our Demand for Privacy USA Patriot Act—A Wolf in Sheep’s Clothing? Data Sharing and Privacy—Why Are We Concerned? Privacy and the Long Arm of the Law Privacy and Self-Regulation Privacy Concerns: Citizens and the Internet Privacy versus Security? Summary
Those that would sacrifice their freedom for safety will find they inherit neither.
—Ben Franklin
INTRODUCTION What is privacy? When most of us think about privacy, if we do at all, we think about closed doors and drawn shades or hiding our actions from others. We must change the way we think about privacy. Perhaps we need a better word. If anything, privacy is more about the right to remain anonymous. It’s the right to know we are not being watched as we walk down the street or attend a public meeting. It’s the right to know that facts about our personal lives are revealed only as we decide to release them and that those facts are correct. Privacy is about massive databases, identity theft, and the access to information.1 Ultimately, it is the need of individuals to feel safe and secure in their lives and the belief that those activities that they hold to be personal remain so—the ability to determine for one’s self which data you disclose and to whom. Privacy—how do you define it? Given society as it has evolved so far today, can we really expect to be in control of our own privacy? Living in an information-rich, information-dependent society and operating at Internet speed with archives of information at our electronic fingertips, can we be happy settling for anything less than full disclosure? 1
2
PRIVACY! PARADISE LOST?
How many of us would take our automobile to a mechanic without first obtaining some information or recommendation, or investigating for ourselves the individual’s ability and reputation? Very few marriages are undertaken without both parties having learned a great deal about each other. You won’t receive that new bank card without someone taking a long look into your financial history. Where do we get the information we use to make these major decisions as well as the countless minor ones we make daily? Information abounds, much of it available publicly or through specialty companies who sell it for a fee. Do you really know who knows what about you, how they obtained the data, or if that data is even accurate? Do you care? You should! Privacy, or our right (it is a right—isn’t it?) to keep our lives, activities, and personal information secure, safe and away from undesirable sources, is not a constitutionally provided or protected right. Of all of our inalienable rights put down by our forefathers, privacy, or our right to privacy, was (is) not one of them. The next time you have a moment, take a quick look at the U.S. Constitution (okay, scan it electronically). Do a key word search for the word “privacy.” You won’t find it. The U.S. Constitution does not guarantee U.S. citizens any right to privacy. What’s a person to do? We are told (more frequently these past many months) that as U.S. citizens we live in a free and open society. One must stop and wonder at times, how open and free? Open and free enough that anyone who wishes, with enough incentive, some discretionary funds, access to the Internet, good social engineering skills, and a little luck, can get almost any piece of information about our personal lives that they desire. Is this what we are willing to sacrifice for living in a free and open society? Sometimes we cannot truly value something we have (or even perceive to have) until it is lost. Do we value our individual privacy? Do we truly value it? We stand on the brink of losing something we all (I believe we all) hold dear—our privacy. Many actually go on with their daily lives oblivious to this fact or with their heads in the sand. What exactly is privacy? We’ve provided the classical definition, yet ask an average citizen, your co-worker, your daughter’s soccer coach, to define privacy and see what type of response you get, if you get one at all. Blank stares maybe, shoulders shrugged, mumbled phrases, generic slogans, but no concrete answer. Why? Can we really formulate a universally acceptable, workable, visible definition of privacy? Probably not. Why? For every person in society, for every position, belief, role or responsibility, each will have his, her, their own view or perception of what is and what should be private and what privacy (or the concept of privacy) means to them. Maybe privacy, or attempting to define privacy, could be approached by looking at privacy’s “component parts.” How do we achieve privacy? It can be said that privacy is made up of equal parts trust and security. Trust, the idea/concept one has or places in another, to act in a manner acceptable to both parties, with no resultant harm or adverse outcomes to either party. Do we “trust” an individual, a company, to use our information in a manner only related to the nature of our intended relationship, be it personal or business? How does one define trust? Can you touch it? See it? Hold it in your hand? Exactly what is trust? If we have difficulty defining, identifying, even establishing trust, how then can we do the same for privacy? Security, in its broadest form, simply means being safe, keeping safe, and ensuring safety. How do we keep information, data, our personal data, safe and secure, away from prying eyes, unauthorized users, out of unsavory hands, away from companies who desire to use it for unrelated transactions? Part of ensuring our privacy requires a mechanism to be in place which will, as much as possible, guarantee the safety of our most personal data. Security may be easier to
ETHICS––THE FOUNDATION WE NEED
3
identify, to see, even to touch; yet many times it remains as elusive as trust. One breach of either and you have lost both! Ask anyone you know who has been a victim of an unauthorized use of his or her personal information and you can be sure that the word “violated” will come up during the conversation. Loss of privacy, especially one’s personal privacy, leaves the victim feeling violated, vulnerable, and exposed. We would be remiss in our examination of privacy if we were to limit the building blocks of privacy to trust and security alone, regardless of their contribution and significance. There is an additional component essential to establishing privacy, as elusive as trust and to some degree security, that is the concept of ethics.
ETHICS—THE FOUNDATION WE NEED Although laws are important to protect privacy, they need to be built upon a foundation. Ethics is the foundation suggested by some. Ethics is defined as a system or set of moral principles. The idea is that an ethical standard must be developed. The ethical standard will give strength to whatever laws are written. If this approach is taken, the first step is to establish ethical decision making. Ethical decision making will put legislators on the path to writing the type of laws that truly protect privacy. This approach of determining what is ethical and then developing a law to support that moral principle may prevent anyone from having to say in the future that a specific action was legal but not ethical. The first step is to establish guidelines on what is ethical. There are some informal guidelines that many have heard since their childhood, which still hold true. Here are five common guidelines that can help a person test to see if an ethical dilemma exists. 1. Shushers. This is a situation where a person says, “Don’t say anything.” The person feels something unethical has happened but it should be kept a secret. Being shushed should trigger an internal moral alarm. 2. The Mom test. This is where you ask, “Would I tell my mother what I did?” Or, would you like it if your mother did what you did? Obviously, the Mom test uses a personal reaction as the first indicator that something is not right. 3. The TV test. This is where you ask yourself if you’d like to see what you did on national TV or in the New York Times. How would the public react to your story? 4. The market test. This approach is a little different from the others. The first three looked at the negative effect. The market test has you look at the positive effect. Would you publicize your behavior and use your action as a marketing tool? 5. The smell test. This is more or less a test of your gut feeling. Your unease may not be specific but you know in your bones that something is just not right. There are formal guidelines that can be followed as well. Formal guidelines are generally a series of questions that must be answered and worked through in order to determine if an ethical dilemma exists. The following are some examples: • Does this violate corporate policy? • Does the action violate professional codes of conduct? • Does the act violate the Golden Rule of “Do unto others, as you would have them do unto you”?
4
PRIVACY! PARADISE LOST?
The informal and formal guideline approach can be built upon by using ethical principles. Principles go a little further than guidelines. Guidelines help people sense that a problem exists. Principles provide reasons for ethical behavior. There are three basic principles that can be utilized: deontology, teleology, and Kant’s categorical imperative. Deontology is the theory or study of moral obligation. This principle focuses on responsibility, and rights and duties. Rights are universal privileges that people consider inherent because of nature, tradition, or law. Information Technology generally involves discussions about three rights: the right to know, the right to privacy, and the right to property. The right to know must be tempered by questions such as to what extent we have this right. The right to privacy cuts both ways. People have their right to privacy concerning their personal information. Individuals must also realize that other people’s personal information that they have access to through databases is subject to privacy, too. The right to property can be related to our Information Technology hardware and software. Rules or controls are established to protect our Information Technology resources from misuse and abuse. So, although we have inherent rights, we must understand that with these rights comes responsibility. Therefore, we cannot use these rights as a bulldozer that buries the rights of others. Duty is driven by the feeling that people are compelled by a moral obligation to do a specific action. Also, by accepting certain rights people incur corresponding duties. Here are some samples of what moralists consider personal duty. People have the duty to foster trust, to act with integrity, to do justice, to practice beneficence, to act with appropriate gratitude and make appropriate reparations, and to work toward self-improvement. Essentially, the premise behind acknowledging and accepting these duties is that we assume responsibility for our actions; consequently, those actions will be ethical. This concept can be brought down to earth a little by looking at it in a slightly different way. Each person has professional relationships. These relationships are with employers, customers, employees, co-workers, and so on. In their relationship with their customers people have the responsibility to provide the product or service the customer requested or contracted. The customer has the responsibility to pay the negotiated price at the specified time. This thought process can be extended to privacy. People provide information to companies for their use in marketing their products, developing marketing strategies, and determining where to allocate their resources. People in turn expect that information to be used for its intended purpose and not be sold to others without their consent. In review, it is clear that rights and duties are related. If a person has and accepts a specific right, then that person incurs and must accept its related duty. This is fundamentally the definition of responsibility.2 Teleology is the next principle to discuss. A more common term for teleology is consequentialism. This concept looks at judging whether an action is right or wrong by its outcome. The focus is on the outcome resulting in the least harm to the many. Again, to restate this concept, teleology concentrates on considering the greater good. For the purpose of selecting a principle to guide us along the path of respecting privacy, there is a subset of consequentialism called utilitarianism. The principle of utilitarianism is group-centered, not self-centered. A key point here is that the individual is part of the group, and therefore benefits as well. Using this principle as a guideline for decision making should result in ethical decisions. This principle puts one in the realm of operating in the public interest. Therefore, people can evaluate such issues as personal privacy in terms of everyone involved.
THE IMPORTANCE OF PRIVACY
5
The third principle is Kant’s categorical imperative. Immanuel Kant, an eighteenth-century philosopher, formulated the categorical imperative, which contains two principles he named: consistency and respect. The principle of consistency goes beyond the basic concept of treating everyone equally. It demands that people refuse to act if harm will result. The principle of respect requires that people treat each other with dignity. This principle means people do not use other people. This can be extrapolated to mean that people will not use another person’s personal information without his or her consent (i.e., they will not invade another person’s privacy)3 and thus, forms the basis for the ethical use of data, and the ethical treatment of personal information by companies and individuals with access to these data. The attainment of privacy in a virtual society is possible only when its basic components (trust, security, and ethics) are brought together and made to function in harmony and unison (see Exhibit 1.1).
THE IMPORTANCE OF PRIVACY Exactly how important is our privacy, the perception of privacy, and the need for corporations to protect confidential, private consumer (and trading partner) data? Read on. Privacy concerns remain high when it comes to shopping on-line. A vast majority of survey respondents from a PricewaterhouseCoopers survey (see Exhibit 1.2) think Web sites are responsible for asking individuals about sharing personal information, yet more than 40 percent believe they do not seek permission. Exhibit 1.3 illustrates how consumers think an Internet company should be punished if it violated its stated privacy policy and used personal information in ways that it said it would not. The world has changed significantly since September 11, 2001, or at least many individuals’ view of a previously safe and secure world has changed. Many private, public, and governmental organizations are debating the pros/cons and the benefits/risks of national ID cards, biometric recognition technology and the granting of access to sensitive personal data in the name of national security. These actions may finally awaken individuals to more closely question and investigate the privacy policies (or lack thereof) of companies they do business with. Given this environment and social perception, companies may have to
TRUST
SECURITY
ETHICS
Exhibit 1.1.
Privacy’s Component Infrastructure
6
PRIVACY! PARADISE LOST?
re-think their privacy strategies and redefine the role they see privacy playing in their relationships with their customers. Analysts say e-commerce companies lose business when consumers don’t trust that personal information will be carefully guarded. Forrester Research, Inc., in Cambridge, Massachusetts, estimates that total on-line spending in 2001 of $46.7 billion would have been $15 billion higher had it not been for consumer privacy concerns.4 Retail Web sites are responsible for asking me before sharing any personal information with other companies.
97% Retail Web sites are responsible for asking me before using any of my personal information.
95% It concerns me that retail Web sites store my credit card information online for future use.
65% I shop from few retail Web sites to minimize overall access to my personal information.
48% Retail Web sites do not ask my permission before sharing personal information with other firms.
44% Retail Web sites do not ask my permission before using my personal information.
42% I always turn cookies off.
29% I prefer to pay for online purchases via an 800 number rather than entering credit card information online.
28% Exhibit 1.2.
On-line Privacy Survey
Source: www.internetworld.com, “Fast Forward,” PricewaterhouseCoopers (January 1, 2001) 30. The site should be placed on a list of fraudulent Web sites.
30% The site owners should be fined.
27% The site should be shut down.
26% Company’s owners should be sent to prison!
11% Exhibit 1.3.
How Privacy Policy Violators Should be Punished
Source: The Pew Internet and American Life Project, “Trust and Privacy Online: Why Americans Want to Rewrite the Rules” (August 20, 2000), www.pewinternet.org/reports/toc.asp?Report⫽19, Section Three: A Punishing Mood.
THE IMPORTANCE OF PRIVACY
7
In a report by the Sageza Groups (formerly Zona Research) published prior to the September 11, 2001, terrorist attacks, 100 security professionals stated that their companies were not very concerned about offering Web customers an opportunity to get out of sharing their personal identifying information with third parties.5 Top priority concerns by the survey respondents were protecting access to customer data that had already been collected, and ensuring that the data could not be accessed or used by unauthorized third parties (see Exhibit 1.4). Additional findings of interest from the Sageza survey include: • Survey respondents indicated that their organizations had only a passing concern for liability issues related to practices involving customer data collection. • Although more than half of the companies responding have privacy policies and note the same on Web pages, fewer than half disclose to customers what they do with the data they collect. • Greater than half (58 percent) of those responding agreed that the government should require Web sites that collect identifiable personal information to comply with minimal privacy guidelines. Sageza Group’s findings confirm those reported by Cutter Consortium. In Cutter Consortium’s E-Business Trends, Strategies and Technologies report released in 2000, e-businesses placed privacy low on their list of priorities, behind hackers (security), cost, overall reliability, user connection speed, and a lack of standards. Of those responding, slightly over half (53 percent) had any formal privacy policy. Examining the results and numbers differently raises some concern for both users and organizations alike.
Use of opt-in vs. opt-out solutions on company Web-site Liability of customer data collection practices Other companies accessing your Intranet Protecting electronically stored employee data
Protecting electronically gathered and stored customer data
1 Not concerned
2
3
4
5 Extremely concerned
Exhibit 1.4. Privacy Hot Spots: How Concerned Is Your Company About These Privacy Issues? Source: The Sageza Group, Inc., Mountain View, CA. Internet Study of 100 Security Professionals (multiple responses allowed), March 2002.
8
PRIVACY! PARADISE LOST?
Given the results of the survey, 47 percent of e-businesses operating in virtual markets have no privacy policy, formal or not. This raises concern, or at least it should, with consumers as to what is being done with the data collected by these businesses and with whom they are sharing it.6 A more recent Information Week study of 300 information technology (IT) professionals asked the question: “Is government intervention necessary to ensure adequate privacy protection for users of the Internet?” The response is in Exhibit 1.5. While it appears that public opinion still favors non-interference by government factions, the events of September 11, 2001, and the subsequent months have begun to change public opinion and spur the U.S. government into further action.
PRIVACY—DOES IT REALLY MATTER? The privacy issue can be an emotional one and therefore the amount of press given it may be disproportionate to its actual significance. An effort must be made then to quantify the need for privacy. Is privacy the big issue many believe it is or is it a non-issue? There have been several surveys conducted in the last 23 years that address the importance of privacy. The surveys focused on information privacy and assessing individual opinions regarding privacy. One survey was conducted in 1989 among four separate companies.7 The companies were assigned generic names at their request; the survey distribution is shown in Exhibit 1.6. The first three questions of this survey help answer how important an issue privacy is for people. Question one was “Compared with other subjects on your mind, how important is personal privacy?” The respondents were given four choices: very important, somewhat important, not too important, and not important at all. Sixtythree percent said it was very important and another 30 percent said it was somewhat important. The second question was “How concerned are you about the invasion of personal privacy in the United States today?” Again, the respondents were given four choices: very concerned, somewhat concerned, only a little concerned, and not concerned at all. Forty-five percent said they were
Exhibit 1.5.
Is Government Intervention Necessary for Adequate Privacy Protection?
Yes No Don’t Know
2001
2000
31% 64% 5%
29% 71%
Source: InformationWeek Research’s Outlook for 2001 Study of 300 IT executives, www.informationweek.com/bizint/biz819/quality.htm#story5, InformationWeek Research (January 8, 2001).
Exhibit 1.6.
1989 Survey Distribution
Site Bank A Life Insurance Credit Card Health Insurance
Number of surveys distributed
Number of surveys returned
Response rate
373 100 180 450
213 68 121 302
57.1% 68.0% 67.2% 67.1%
Source: H. J. Smith, Managing Privacy: Information Technology and Corporate America, University of North Carolina Press (1994). Reprinted with permission.
PRIVACY––DOES IT REALLY MATTER?
9
very concerned and 44 percent said they were somewhat concerned. The third question is rather lengthy but narrows the focus significantly. Question three was “As computer usage increases in business and the general society, more and more information on individual consumers is being acquired and stored in various computers. How serious a threat to personal privacy is this development?” Again four choices were given: very serious threat, somewhat serious threat, only a slightly serious threat, and not a serious threat at all. Approximately 30 percent said it is a very serious threat. Forty-eight percent said it is a somewhat serious threat. The results of this first survey support the conclusion that privacy is a big issue. Over 90 percent of the respondents felt privacy was at least somewhat important; 89 percent were concerned about invasion of personal privacy; and at least 78 percent saw the accumulation of information on consumers as a threat to personal privacy. The second survey is an opinion poll (see Exhibit 1.7) and the source of the information is from Equifax, Inc.8 The question this survey focused on was “How concerned are you about threats to your personal privacy in America today?” This question was asked in 1978, 1983, 1990, 1991, and 1992 polls. The percentage of people very concerned or somewhat concerned went from about 65 percent in 1978 to about 78 percent in 1983. In each of the three survey years in the 1990s the results were in the 80 percentile. This second survey covers a longer period and a broader audience than the first. Although its numbers are a little lower than the first survey, the number of people concerned about threats to their personal privacy is significant and increasing. The third survey was conducted via telephone from September 7 through September 10, 2000, by the Seattle Times and Northwest Cable News. The telephone interviews were conducted with 400 adults over the age of 18; all respondents had access to the Internet. The survey was conducted in Washington and Oregon and had an overall margin of sampling error of ⫾5.0%. The results of this survey give mixed signals concerning privacy.
Percentage of very or somewhat concerned
90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 1978
Exhibit 1.7.
1983
1990
1991
1992
Level of Concern over Personal Property
Source: The Equifax Report on Consumers in the Information Age, conducted by Louis Harris & Associates and Dr. Alan F. Westin (1990); Equifax-Harris Consumer Privacy Survey, Equifax Inc., Atlanta, Georgia, and Louis Harris & Associates, New York (1992).
10
PRIVACY! PARADISE LOST?
When asked how confident the person felt about the security and privacy of his or her financial transactions on the Internet, 56 percent answered very confident or somewhat confident. However, when asked if they were concerned about the question of privacy on-line, 71 percent said they were very concerned or somewhat concerned about privacy on-line. This appears contradictory. The answer may be that people feel that financial transactions are protected and that non-financial events are not protected. USO Software, Inc., conducted a survey in October 2001. This survey was conducted with 500 Internet users to determine the effect of real and perceived privacy violations on consumer retail expenditures. The survey results exposed a broad range of privacy concerns. Eighty-nine percent believe those companies sharing credit card information without permission committed a privacy violation; 83 percent felt companies sharing names and home addresses without permission perpetrated a privacy violation. The analysis completed by USO Software, Inc., indicated that these privacy concerns cost retailers $6.2 billion in lost business. Overall, it appears safe to state that privacy is a significant issue in the United States.9
REASSESSING OUR DEMAND FOR PRIVACY When the numbers are examined, one feature stands out—public opinion about threats to personal privacy peaked in the 1990s and remains high. There appear to be two major forces driving this increased focus on privacy. The first driving force is technological. One technological driver is that information is readily available in a computerized format rather than a paper format. This makes information easier to access and easier to transfer, and privacy harder to protect. The reason is the effort effect. Under a manual system, or even using pre-1980s technology, it took considerable effort to manipulate data into a meaningful form. Generally, access to data required multiple people. Consequently, although access was not denied, privacy was guaranteed mainly because misconduct required too much effort. A second technological driver is the ability to join data items from multiple sources and draw inferences. Relational databases have given companies the power to pull data from both internal and external sources to create powerful information packages on anyone and everyone. This heightens concerns about the threat to privacy because these informational packages paint a more complete picture, and therefore seem more invasive. A third related technological driver is the advent of the wide area network (WAN). WANs enhance inter-company interaction and information sharing. This high-speed information highway linking both private and public organizations makes information sharing very easy. Clearly there is a sense that control over personal data is much more difficult, and potential problems with data errors are quickly exacerbated. The final technological driver is the downsizing of companies’ computing capabilities. Where most data were stored on mainframe computers, much of this information is now on personal computers. When data were centrally controlled, privacy safeguards were easier to establish. Now that control of data is decentralized, there are significant challenges concerning the safeguarding of personal privacy. The second factor driving the focus on privacy is the increasing value of information. The marketing community is changing from a one-to-many marketing approach to a one-on-one marketing approach. This micro-marketing approach requires much more personal data on each individual. Information equals dollars and this equation has created an industry of its own.
USA PATRIOT ACT––A WOLF IN SHEEP’S CLOTHING?
11
Now that the threat to our privacy has been established as an important issue, the task is to locate the smoking gun. Is the computer the culprit? One way to answer this question is to borrow a concept from the gun control issue. Guns don’t kill people; people kill people. Computers don’t invade our privacy; people invade our privacy. Arthur Miller said “the computer is capable of immense social good, or monumental harm, depending upon how human beings decide to use it.”10 The computer, or in a broader sense, Information Technology, is merely a tool. Information Technology is a tool with no mind of its own. Information Technology has no conscience. Information Technology has no independent capability to invade our privacy. What must be the concern and what must be dealt with is how people use and misuse the tool.11 The impact of the brutal terrorist attack on the World Trade Center has heightened dataprivacy concerns not only in the United States, but globally. In the wake of the attacks, in the United Kingdom for example, the National Hi-Tech Crime Unit (NHTCU) had asked telecommunication carriers and Internet service providers (ISPs) to preserve their data logs from September 11. Such requests tend to put pressure on existing privacy legislation and sometimes force it to be re-evaluated in ways which might contravene the privacy-protection legislation itself. The actions of NHTCU in the United Kingdom tests the tenets of the United Kingdom’s Data Protection Act, while falling under the oversight of the Regulation of Investigatory Powers (RIP) Act. Legal and governmental powers around the globe are acting to address the need to access data, while at the same time, attempting to ensure the privacy of a free and open citizen population. Just how far can legislation go? Do governments have a right (possibly a responsibility) to suspend privacy laws in an effort to secure and ensure national security? If these rights are suspended or investigative powers increased, how will they be reversed and returned to preterrorist levels when the necessary data has been obtained? Can they ever be? Will the guise of national security and a hunt for terrorists return our nation (or any nation) to an era of McCarthyism, this time fueled by the full power of technology? Will security and a perceived sense of safety trump privacy? According to Gaylyn Cummins, a San Diego–based constitutional law attorney with Gray Cary Ware and Freidenrich, “Security concerns overwhelm privacy protection. Everything has changed.”12 This has become the mantra among legislators and industry PACs (political action committees), all seeking to gain a foothold into the cracking fortress of privacy concerns once defended so viciously by consumers. Privacy obsessions have gone into a hasty hibernation. Some issues, like the fervor over cookies that allow Web surfing habits to be monitored, seem small when viewed through the lens of September 11, 2001.13
USA PATRIOT ACT—A WOLF IN SHEEP’S CLOTHING? On October 25, 2001, President Bush signed into law the USA Patriot Act. This single piece of legislation may be destined to forever change the world of privacy and our ability to move about in that world. The Act allows U.S. police (and associated colleagues) the right to browse educational, library, and medical data, as well as travel, credit, and immigration records, all in the name of tracking down possible terrorists in the hopes of preventing future attacks. The Act expands the use of wiretapping and Internet monitoring, giving the government access to personal data records and allowing for secret searches. Some laws expire after four years
12
PRIVACY! PARADISE LOST?
unless renewed; others remain in force unless amended.14 Does the Act go too far? Some privacy groups and civil liberty critics say, yes! The individuals who represent these groups say that the Act violates the civil liberties of U.S. citizens by giving the federal government too much access to personal, individualized data which may exist on-line, or in massive company databases. The Act, along with associated legislation, may indeed foreshadow a decline in individual privacy rights and greater government intrusion into our personal lives than many individuals have witnessed before. Is this so bad? If you have nothing to hide, why worry? Would you be willing to give up or trade off some of your rights to personal privacy for a more secure society, for the “feeling” of being safer? This is the argument often used by those who support more federal government access to personal, private data. But, how does one go about measuring the “feeling” of increased security? Can we ever feel completely secure? Does giving up my right to privacy ensure my improved safety and security? How can I prove this? Can I see improved safety? How do I know I am secure? I can quantify and tangibly identify when I am asked to provide personal data, or when my privacy may be challenged either directly or indirectly. Scarier, however, is my total lack of knowledge of the times my personal, confidential, and private data is accessed, reviewed, analyzed, cross-referenced and mixed, without my knowledge and/or consent. Some critics of the Act state that such legislation strips authority from judicial authorities at a time of crisis and throws the nation back to a darker time. A time of the Alien and Sedition Acts of 1798, criminal restrictions on free speech during World War I, and the ever-present domestic spying rampant during the Cold War. Upon closer examination, the details of the Act shift the legal balance in favor of police powers, with hopes of early identification of potential terrorist activities aimed at U.S. infrastructure and citizens. In doing so, however, this same legislation, if not held to its strictest interpretation, could also weaken existing rights which currently exist to protect racial minorities, immigrants, prisoners, and students. Current laws restrict the gathering of data for one purpose and using the same data for a second unrelated, yet potentially connected, purpose. The Patriot Act could markedly change that. Sharing data and making logical links, which may correlate seemingly unrelated data, is critical. This point could not be proven more correct given the events and aftermath of September 11. At what point, however, does sharing data go beyond the need for maintaining national security and invade privacy, which so many citizens have grown to believe is an inalienable right? Lest we feel that the encroachment of government into our private lives is solely an American issue, the aftermath of September 11 has prompted governments globally to re-access and rewrite a broad range of legislation aimed at accessing data (of all types) in the face of (or in the name of) national security. The European Union already permits its member governments to bypass existing privacy laws when national security is threatened. Following the terrorist attacks in America, the European Union moved ahead with a bevy of legislative measures designed to combat terrorism and terrorist acts, tougher laws addressing money laundering, and an EU-wide search and arrest warrant.
DATA SHARING AND PRIVACY—WHY ARE WE CONCERNED? Another question to address is: When did the invasion of personal privacy start? Is this concern an issue born in the 1990s or has it been around longer? Concern for personal privacy and an uneasiness with general privacy issues have appeared in surveys conducted throughout the
DATA SHARING AND PRIVACY––WHY ARE WE CONCERNED?
13
1970s, 1980s, and 1990s. Threats to personal privacy go back to the first time someone decided to borrow money. Myron Brenton, author of The Privacy Invaders, suggests that a creditor will lend the money only after “as much of your personal and financial history has been unearthed as he deems necessary.”15 The gathering of information to determine one’s ability to repay a loan seems a reasonable activity. Most people willingly disclose substantial amounts of personal information in order to secure loans. The personal information provided is generally supplemented by data on personal payment habits, and so forth. However, one might feel the credit bureau is stretching its information gathering “right” when it begins to ask neighbors, employers, and landlords about you the person. The major concern is that this hearsay is recorded along with your income and other factual information. Once information is recorded it is difficult to distinguish fiction or hearsay from fact. Credit checks are one common source of invasion of privacy but clearly not the only one. The national census asks a series of personal questions every 10 years. While many may agree that determining where people live is essential to helping determine the number of congressional seats for a district, many of the questions asked have no relationship to this fundamental requirement. For example, the 2000 census form asks, “How well does this person speak English?” Another question is, “What time did this person usually leave home for work last week?” Many people questioned the need to provide answers to these types of questions. A third question on the census form asked what one’s wages, salary, and commissions were for 1999. The government already has this information on file with the Internal Revenue Service, so why ask for it again? A fourth example is the question about whether the person ever served in the military. Again, this information is on file with the Department of Defense; why have it in the census form? Another tool used to invade our privacy is the Freedom of Information Act (FOIA). This Act permits the release of personal information gathered by the government to almost anyone who requests it. Title III of the Crime Control Act of 1968 gives law enforcement the statutory authority to wiretap and intercept certain communications. These authorities are augmented further through the passing of the Patriot Act. Whether one sees this as a necessary evil in order to combat crime is neither here nor there. The point is that this Act (FOIA) permits invasion of privacy under specified conditions. The First Amendment is another tool that can be used to invade our privacy. The press has often printed personal information about celebrities and others. Their “right” to do this has been upheld by the courts under the First Amendment—freedom of speech. This brief analysis illustrates that information technology isn’t the culprit. People are asking the probing questions, not information technology. Laws currently exist that sustain the violation of one’s privacy. People, not information technology, write these laws. Big business is also invading employees’ privacy. The American Management Association (AMA) conducts an annual survey called Workplace Monitoring and Surveillance. The AMA started this survey in 1997 and now has five years of data; the results are shown in Exhibit 1.8.16 The alarming fact is that each year the amount of monitoring by employers has increased. Review of e-mail messages has increased from 14.9 percent (1997) to 46.5 percent (2001). Review of computer files has increased from 13.7 percent (1997) to 36.1 percent (2001). Clearly, Big Brother along with Big Business is watching! The sharing of information between and among federal government agencies (as well as with corporations) can help, as supporters argue, to increase efficiency and reduce overhead expenses. However, these actions also directly threaten the anonymity of sensitive data and
14
Exhibit 1.8.
PRIVACY! PARADISE LOST?
Workplace Monitoring and Surveillance
Recording and reviewing of telephone conversations Storage and review of voice-mail messages Storage and review of computer files Storage and review of e-mail messages
1997
1998
1999
2000
2001
10.4% 5.3% 13.7% 14.9%
11.2% 5.3% 19.6% 20.2%
10.6% 5.8% 21.4% 27.0%
11.5% 6.8% 30.8% 38.1%
11.9% 7.8% 36.1% 46.5%
Source: 2001 AMA Survey Workplace Monitoring and Surveillance, www.amanet.org/research/pdfs/ ems_short2001.pdf, American Management Association, adapted with permission.
expose (or disclose) the identity of individuals linked to that data. Such action thus presents new privacy concerns for U.S. citizens, and individuals in general, who may not be citizens but either living or working in the United States. In a 172-page report entitled, “Record Linkage and Privacy: Issues in Creating New Federal Research and Statistical Information,” the General Accounting Office (GAO) explains that the increasingly common practice of linking data sets from several different agencies often creates new information about citizens (see Exhibit 1.9).17 That new data can in turn be used to unwittingly or maliciously identify citizens whose identity was previously masked by the separation of that data. The sharing of information between agencies can benefit citizens. However, if this information is misused, it can be a nightmare with the potential of disclosing previously confidential and private information (see Exhibit 1.10). The increasing sophistication of computer technology has enabled “interlopers,” hackers, and data thieves to identify individuals by combining fragments of data (e.g., age, gender, ethnic background, zip codes, etc.). Given the ease with which data can be obtained for one reason and used for a second, unrelated purpose, controls should be established within organizations to prevent or seriously restrict the ability to combine and share data without the consent of the data owner.
IRS
Social Security Administration
Names, Birthdates, Social Security Numbers, Consumer tax status, etc.
Coordinated Social Security Tax Collection
Exhibit 1.9.
Linking Personal Data from Separate Government Agencies
Source: Newsbytes, Staff, “Linking of Federal Documents Raises Privacy Fears,” www.infowar.com/ class_1/01/class1_040201e_j.shmtl (April 20, 2001).
DATA SHARING AND PRIVACY––WHY ARE WE CONCERNED?
15
Organizations seeking to establish a better “customer image” in emerging virtual markets would benefit from establishing proactive data sharing and data disclosure policies. First examine existing practices. Does your organization share customer data with subsidiaries, third parties, mail houses, and so on? Do your clients/customers know you do this? If they found out, would they approve? Do system controls exist that prevent disclosure of private, confidential data to unauthorized third parties? Has your organization identified and secured private, personal, and confidential data residing on its computer systems? If you are unable to answer each of these questions in the positive, your organization may be faced with financial liability and exposure (and potential federal investigation) for the disclosure of such data, some of which may even be protected by existing (or newly enacted) federal legislation. Taking a page from the GAO study mentioned earlier, organizations (as well as agencies) may wish to consider implementing one or more of the GAO’s recommendations: • Obtain signed consent forms from clients, customers, and citizens prior to, and in order to, join their public data with more sensitive, confidential data. • Obtain data from secure data centers, and known, reputable sites, where data can be used and analyzed under controlled conditions. • To potentially “disguise” sensitive data, consider adding “random” distracting data in order to mask the identity of the data owners. • Consider allowing an independent contractor to combine the data, stripping out all identifying data elements prior to turning the data over to or selling the data to a third party. Large differences and serious concerns exist between consumers and business groups over the question of the sharing of consumer data between businesses, and this serious concern has kept many consumers from using the Internet as a means of commerce. Jason Catlett, President of Junkbusters.com, said consumers should be given the opportunity to learn how information is being collected and shared about them, and that they should be able to choose whether they wish to allow the process to continue.18
Department of Health and Human Services
Census Bureau
Names, addresses, occupations, birthdates, etc.
Identify disease-causing substances by linking illness records to chemical exposures, to area of residence.
Exhibit 1.10. Example of Possible Benefit of Information Sharing Among Government Agencies
16
PRIVACY! PARADISE LOST?
At a forum hosted by the Federal Trade Commission (FTC), Commissioner Orson Swindle said that a “trust gap” exists between businesses and consumers. Catlett countered that if a trust gap truly exists, the best way to bridge this gap is to create greater transparency in the right for (of) consumers to see what is going on with their data. To further cloud and confuse the issue, government agencies are no better protected or poised to protect or prevent the disclosure of sensitive data. In a report released by Privacilla.org (www.privacilla.com), the company found 47 specific instances where federal agencies announced their intent to exchange personal data and combine this data into their own databases. As the U.S. Congress continues to introduce new legislation and debate existing bills designed to protect consumer privacy, the issue of consumer data-sharing promises to complicate organizational efforts to establish viable, working privacy policies and to effectively monitor those policies.
PRIVACY AND THE LONG ARM OF THE LAW We can see that some laws seem to encourage invasion of privacy. Are there laws that protect the American people from this threat? The answer is a resounding maybe. There are laws on the books that address certain issues. However, these measures have been industry or product/ service specific. The laws concerning privacy in the information technology environment have been reactive versus proactive. Legislators have targeted specific problems. However, this approach has done little to develop a national policy supported by law. “For example, in 1988 Congress was outraged to find that a Supreme Court nominee’s video rental records were legally released to a newspaper reporter.”19 Addressing this situation, they quickly passed the Video Privacy Protection Act. While this was well and good it was too specific, leaving large gaps in general privacy protection. What is extremely interesting about existing legislation is that it often exempts direct marketers’ collection and transfer of consumer information. The Video Privacy Protection Act is one example where this clause is present. It specifically states that “materials may be disclosed if the disclosure is for the exclusive use of marketing goods and services to the consumer.”20 In 1994 a similar loophole was written into the Driver’s Privacy Protection Act. This Act limited the release of Department of Motor Vehicle (DMV) registration information but provided exceptions for journalists conducting research. One’s video records and our DMV records are now partially safe, but what about the records of one’s other purchases such as computer software, clothes, food, beverages, and so on? The good news is that there is some method to the madness in establishing legislative protection. There are two primary goals or concepts associated with the legislative effort to protect consumer privacy. The challenge faced by legislators who are attempting to achieve these goals is protecting consumer privacy while avoiding hurting the marketing industry’s efficiency. The first concept is the mechanism of effective notice. This approach requires that the consumer be given an informed opt-in or opt-out choice. Essentially you are warned prior to providing any personal data and given the opportunity to exit the process. The second goal is to put limitations in place and control the use of consumers’ personal data. From a practical standpoint, these two concepts are generally blended together to help ensure privacy protection. Opt-in schemes guarantee that personal data will not be used for purposes other than what it was originally collected for without consent. The problem with this approach is that once the information has been col-
PRIVACY AND THE LONG ARM OF THE LAW
17
lected it is difficult, if not impossible, for consumers to change their mind, thus stopping the transfer of this data. The opt-out method allows consumers to remove their name from marketing lists. The problem with the opt-out list approach is that it is an all-or-nothing proposition. The consumer could be removed from all marketing lists, essentially taking the consumer out of the marketing loop completely. One alternative that may bridge the gap between the opt-in and opt-out schemes is a mandatory flagging scheme. This method allows the consumers’ information to be flagged, thus indicating that they do not wish to participate in a specific product or service marketing campaign. The tragedy of September 11, 2001 has sparked a renewed interest in Internet surveillance and laws to expand the government’s powers. The Patriot Act has broadened the government’s “investigative” powers. Many Americans feel that cyber-crime and cyber-terrorism are on the rise. Eighty-seven percent are worried about on-line credit card theft; 82 percent are apprehensive about terrorists using the Internet to inflict chaos; 80 percent are worried that the Internet can be used for widespread fraud; and 76 percent to 78 percent are concerned about hackers getting into business or government networks.21 However, despite this growing concern, not all Americans are ready to abandon their right to privacy. Sixty percent are extremely or very concerned about law enforcement obtaining increased access to their e-mail. Over 60 percent are extremely or very concerned about law enforcement gaining expanded authority to track their Web habits. Finally, 70 percent are extremely or very concerned about law enforcement acquiring more access to their financial records. Thus the answer to an earlier question, “Are there laws that protect us from this threat?”, is still a resounding maybe!22 Organizations and government agencies are not alone under the privacy microscope. Legislation enacted by the U.S. Senate (Senate bill S290) requires academic institutions to obtain parental consent before collecting personal information from students for commercial use. The Student Privacy Protection Act requires academic institutions to give parents advanced notification of potential data collection within schools by corporations or other groups. The Act also stipulates that parents are to be advised as to how the collected data will be used, whom it will be shared with or given to, and how much class time any information gathering would take. Academic institutions would also be required to notify parents of any changes to their policies. Enactment and passing of the Student Privacy Protection Act was prompted by a GAO report which disclosed that academic institutions across the country were engaging in a variety of activities with third-party marketers and companies, in exchange for subsidies for funding of new technology, school initiatives, and extracurricular activities. Adding further measures to protect the children and youth of our emerging virtual communities, federal legislation exists which requires child-oriented Web sites to tailor their parental consent practices to the nature of their information-gathering practices. Under the existing federal law, youth-oriented Web sites must obtain parental consent before collecting any personal data from children younger than 13. Verification of parental consent is allowed via e-mail between parent and Web site, if the information being collected is only to be used internally by the Web site. By April of 2002, this sliding-scale model was set to terminate, requiring all childrenoriented Web sites to obtain a more verifiable form of consent (i.e., digital parental signature, or a printed and mailed form from a parent approving the gathering of information), regardless of their information-gathering methods. However, the FTC pushed to keep the slidingscale model in place through 2004, stating that digital signature technology hasn’t advanced as rapidly as expected.
18
PRIVACY! PARADISE LOST?
In a survey conducted by the nonprofit organization Pew Internet and American Life Project, the results disclosed that 68 percent of Internet users who were surveyed worried that malicious hackers might steal their credit card information. However, a substantial margin (86 percent) believed that on-line companies should ask permission of individuals first, before using their personal information.23 Member companies of the high-tech community are pressing a different tack—wanting lawmakers to leave industry alone to solve its own problems, both through self-regulation and technology. One such means is through the adoption and incorporation of a technology referred to as “Platform for Privacy Preferences” (P3P). P3P relies on HTML-like code embedded in Web sites, which allow browsers to evaluate whether a site uses cookies or tracks usage once visitors have left a site. In theory, P3P would alert users when they visit a Web site if it does not meet their personal privacy standards.24 Although privacy legislation will be addressed in much more detail in later chapters, it is worth noting here two pieces of legislation which tend to be recognizable bellwether legislative actions related to privacy. The first, Senate bill S.2606, introduced by Ernest Hollings (D—South Carolina) of the Senate Commerce Committee, would require Web sites to obtain consumers expressed consent before they are able to collect personal and identifiable data. Hollings’s proposed legislation also would create a private right of action against Web sites which violate their posted privacy policies. This would ultimately require companies to track consumer preferences on allowable data collection authorization, to verify a Web site’s compliance to the legislation and as a defense in the event of a lawsuit.25 A second piece of legislation, this one introduced by John McCain (R—Arizona), the Senate Commerce Committee Chairman, would allow consumers to get out of the data collected or proposed to be collected by Web sites but would also force Web sites to clearly state how the personal data is collected and how this data will be used once collected.26 In a study funded by the Association for Competitive Technology (ACT), a group founded by Microsoft Corporation, two specific objectives were set:27 1. Determine a cost for making commercial Web sites compliant with the provision which allows individuals to access the information collected about them, and 2. Determine a cost to develop the tracking databases necessary to establish compliance if a firm was threatened by a lawsuit or government enforcement actions. The results of this study may speak volumes and be a predictor of the eventual fate of privacy legislation coming from the federal sector. The study placed a price tag of approximately $100,000 per Web site as the cost of compliance. If we were to extrapolate this figure, using the FTC’s estimate that some 3.6 million Web sites currently collect personally identifiable information, the study concluded that if only a minimum percentage of Web sites attempted to bring their practices into compliance of the proposed legislation, the eventual price tag could be in the billions of dollars. Given the expense, which is expected to be shouldered by the Web site owners individually, the likelihood that such legislation will meet stiff lobbying efforts from Web companies is highly probable. Consumers may ultimately have to rely on a Web company’s moral compass pointing it in the right direction, and their own self-preservation “street-smarts,” when visiting and shopping at on-line Web sites, and not on federal legislation to protect their privacy.
PRIVACY CONCERNS: CITIZENS AND THE INTERNET
19
PRIVACY AND SELF-REGULATION As numerous pieces of legislation wind their way through the various branches of the U.S. government, lawmakers are debating whether to require companies to make available to consumers an opt-in or at least an opt-out choice prior to collecting, selling, or using consumers’ personal data and records. Many organizations, including such industry heavyweights as the Direct Marketing Association, oppose the new laws, instead favoring industry self-regulation. This movement toward embracing a self-regulation position is gaining momentum as evidenced by the following examples: • More e-commerce companies are requesting consumer permission for some or all e-mail promotions, including CDnow, Homestore.com, Women.com, OfficeMax, and Gateway. • Some 84 percent of top Web sites post privacy policies and now at least give consumers the chance to opt out of having their information used or shared by others. Still, few have more stringent opt-in standards.28 • More than 100 on-line companies have hired chief privacy officers (CPOs) to oversee customer privacy issues.29 These examples are coming from organizations that realize that just because they build it, consumers will not necessarily come. Forrester Research recently unveiled survey findings that disclose that two-thirds of consumers responding to their survey worry about misuse of personal data given on-line. As a result of this worry, American consumers spent an estimated $12 billion less on-line last year than they might have otherwise.
PRIVACY CONCERNS: CITIZENS AND THE INTERNET According to a survey conducted by Forrester Research in March 2001, consumer fears about loss of personal privacy are mounting directly in response to increases in technological innovation and a lack of industry initiative in addressing this privacy issue.30 As technology increases, the methods and means of poking and peeking into an individual’s privacy continue to multiply. Consider that companies can (and do) employ • • • • • • • • •
Cookies Chat-room tracking Net mikes E-mail and workplace monitoring Webcams Keystroke monitoring Customer management software Smartcards with ID chips Biometric software that can track finger- or palmprints and perform signature, voice return, or facial recognition • Fee-paid search engines with access to public record databases, and access to not-sopublic databases
20
PRIVACY! PARADISE LOST?
How secure and safe do you feel about your privacy now? Threats to personal privacy, once the basis for science fiction, have been forced onto the front pages of today’s daily newspapers. Burying one’s head in the sand and pretending that the problem, the risk, and exposure will go away, never did, and no longer will, solve the problem or reduce the risk/exposure. Individuals are on notice: a proactive response requiring immediate and decisive action is mandatory. Only by taking appropriate measures, implementing appropriate safeguards, and remaining alert to the changes taking place technologically, can citizens begin to protect their privacy. The personal privacy we all hold so dear and sacred, a right we have for so long taken for granted, a right which has all but disappeared, may never again be fully reclaimed. A conflict, or maybe more appropriately, a dilemma arises when a society is forced to choose between increasing its quality of life and maintaining the privacy of that life. As technology has enabled individuals to enjoy an easier life than their ancestors, it has also opened their lives to examination and scrutiny by others. Information about your daily habits, likes, dislikes, movements about town, purchases, marriages, and donations have been available since written records of such data have been kept. Such data, even in written form, were dispersed in multiple locations, filed and retrieved manually, and typically required physically traveling to the location of the data/document to see it, or copy it (which early on required actually making a second, physical, duplicate copy of an original document—actually resulting in a second original). The necessity to physically request and travel to retrieve data added a layer of security to the process. The document holder could always request and verify the identity of the data requester and determine if the requester had either authorization or a legitimate right to have access to the data/documents. The document holder could easily deny the requester access to the data. The same information is available today, however, access to it can be accomplished while sitting in one’s living room. Located, identified, retrieved, paid for, and shipped—all via electronic interaction between the record holder and the requester, with neither party ever meeting. The ability of technology (and those who own the technology) to gather incredible amounts of information and misuse it is one of the fastest growing fears among individuals living in today’s virtual societies. Protecting one’s personal, private data has become a paramount concern of all global citizens. Informed consent is the buzzword among regulators debating new privacy policies. How informed remains the center of dispute. U.S. data marketing policies offer legalese and fine print that leaves most consumers baffled. Consumers may be given the option of opting out of providing personal details, but few take up such offers.31 It would be a misstatement of fact if the reader is left with the impression that concern over one’s privacy is a domestic, U.S.-based concern. In reality, fear over the loss of one’s privacy is a global concern. Citizens of industrially and technologically advanced and emerging nations are awakening to the realization that there are no more assurances of personal privacy and only they themselves can take actions necessary to protect what little information remains private from the prying eyes of commercial third parties and government agencies. In a March 2001 survey of Canadian Internet users, conducted by the Columbus Group/ Ipsos Reid, 82 percent of the respondents stated that they have shared some personally identifiable information through a Web site. Eighteen percent felt that the information they submitted was used in ways they would consider to be a breach of their personal privacy. Of this 18 percent, 86 percent were automatically (and without their permission) subscribed to unwanted e-mail marketing and 43 percent stated that their data had been “sold or transferred” to an unauthorized third party.32
SUMMARY
21
PRIVACY
SECURITY
SECURITY
PRIVACY
Exhibit 1.11.
Twenty-First-Century Paradox
PRIVACY VERSUS SECURITY? In a world now and forevermore defined as being “post-9/11,” can individuals truly believe we can live in a world where we can have both personal privacy and security? Will we ever again be able to say these two words in the same sentence without a chuckle, or a laugh of despair, without an internal knowing that the innocence has truly been lost? As society moves forward, the challenge will be to develop policies, procedures, systems, and ideals which will provide for and establish both privacy and security, without limiting or weakening either. Only time will tell, however, whether the age-old question of the chicken and the egg may be replaced with a twenty-first-century paradox of privacy and security (see Exhibit 1.11). Do the concepts of privacy and security have to exist in conflict or will society find a way for both to coexist? Can we truly have both, in the deepest meaning of each? Months after the worst terrorist attack on American soil, many are reassessing their views of the trade-off between privacy and security. And rightly so! Will all of the intrusive probing into our personal lives (surveillance cameras, metal detectors, scanners, searches, etc.), which we once found to be a violation of our “person,” now be readily accepted? How willing are we to give up some personal freedoms, privacy being one of them, for a sense of security? And that’s all it can be, a sense of security. For no individual, no government, and no technology can, with any degree of ethics or certainty, guarantee absolute security of anything to anyone. Will individual rights be trampled upon in the frenzy to establish, in an almost “half-crazed” knee-jerk reaction, a secure “trusting” environment? Identifying such an environment, which has yet to be fully defined or identified, could be the most difficult task. Even then, such an environment may logically be impossible to secure, at levels most citizens would find acceptable—for the amount of privacy they would be willing to relinquish.
SUMMARY Could our pursuit of maintaining our personal privacy be the downfall of our own personal security? Or will the (not necessarily our own personal) pursuit of security be done at the expense of an individual’s (or group of individuals’) privacy?
22
PRIVACY! PARADISE LOST?
What roles will technology and government legislation play in this eventual and possibly ultimate power struggle? What will (or should be) the individual’s role and responsibility in working toward and establishing an environment where both privacy and security can be achieved, and live in harmony? What is the role and responsibility of organizations for identifying, developing, implementing, and maintaining privacy rights for their clients and trading partners? The following chapters in this text, and the sharply focused “pulse pieces” written by recognized leaders in the privacy field, take a long, hard look at these and many other issues regarding privacy. Issues our global society will face in the coming years as governments, corporations, and individuals come to grips with the new hot zone for the twenty-first century— privacy. In 1971 Arthur Raphael Miller wrote in Assault on Privacy: As recently as a decade ago we could smugly treat [Aldous] Huxley’s Brave New World and [George] Orwell’s 1984 as exaggerated science fiction having no relevance to us or to life in this country. But widespread public disclosures during the past few years about the new breed of information practices have stripped away this comforting but self-delusive mantle. . . apprehension over the computer’s threat to personal privacy seems particularly warranted when one begins to consider the possibility of using the new technology to further various private and governmental surveillance activities. One obvious use of the computer’s storage and retrieval capacity along these lines is the development of a ‘record prison’ by the continuous accumulation of dossier-type material on people over a long period of time…constructing a sophisticated data center capable of generating a comprehensive womb-to-tomb dossier on every individual and transmitting it to a wide range of data users over a[n inter-]national network is one of the most disturbing threats of the cybernetic revolution.33
ENDNOTES 1. Wright, E. S., “Privacy: the ugly truth” (August 7, 2001), www.infowar.com/class_1/ 01/class1_080901a_ j.shtml, special to ZDNet. 2. Grillo, J. P. and E. A. Kallman, Ethical Decision Making and Information Technology (New York: Irwin McGraw-Hill, 1996). 3. Bonsall, William R., “Privacy, Does It Really Matter?” (Thesis, Webster University, 2001). 4. Thibodeau, P., “Profitable Privacy,” Computerworld (February 18, 2002), 46. 5. The Sageza Group, Inc., Mountain View, CA, March 2002. 6. Id. 7. Smith, H. F., Managing Privacy: Information Technology and Corporate America (Chapel Hill: The University of North Carolina Press, 1994). 8. Equifax Inc. and Louis Harris and Associates, The Equifax Report on Consumers in the Information Age, Equifax-Harris Consumer Privacy Survey, 1992. 9. See note 3. 10. Miller, A. R., The Assault on Privacy: Computers, Databanks, and Dossiers (Ann Arbor: The University of Michigan Press, 1971). 11. See note 3. 12. Auchard, E., “Security trumps privacy, online and off,” (November 12, 2001), www. infowar.com/class_1/01/class1_111201a_ j.shmtl. 13. Id. 14. Id.
ENDNOTES
23
15. See note 10. 16. 2001 AMA Survey, Workplace Monitoring and Surveillance (2001, April 18) http://www. privacyexchange.org. 17. Newsbytes, “Linking of federal documents raises privacy fears,” (April 20, 2001) www. infowar.com/class_1/01/class1_042001e_ j.shmtl. 18. Krebs, B., “Privacy groups clash over consumer data trading,” Newsbytes, (March 14, 2001) www.infowar.com/class_1/01/class1_031401a_ j.shmtl. 19. See note 7. 20. Video Privacy Protection Act, 18 U.S.C. § 2710 et seq., Section 2710 Wrongful disclosure of video tape rental or sale records. www.accessreports.com/statutes/VIDEO1.htm. 21. Harris Interactive on behalf of Privacy & American Business, “Privacy On and Off the Internet: What Consumers Want,” Sponsored by Ernst & Young LLP and the American Institute of Certified Public Accountants (AICPA), (February 20, 2002) www.harrisinteractive.com/news/allnewsbydate.asp?NewsID⫽429. 22. See note 3. 23. See note 18. 24. Id. 25. Id. 26. Id. 27. Id. 28. Davidson, P., “Marketing gurus clash on Internet Privacy rules Opt in or Opt out? Experts differ on best way to sell,” USA TODAY (April 27, 2001), B01, www.infowar.com/class_1/ 01/class1_042701a_ j.shtml. 29. Id. 30. McGuire, D., “Firms Must Tackle Consumers’ Privacy Anxieties-Forrester,” Newsbytes (March 5, 2001) www.infowar.com/survey/01/survey03051a_ j.shtml. 31. Auchard, E. “Consumer privacy, dark side of Internet age” (April 17, 2001a) www. infowar.com/class_1/01/class1_041701b_ j.shmtl. 32. “Privacy Policies Critical to Online Consumer Trust” (February 2001) www.ipsosreid. com/media/dsp_displaypr_cdn.cfm?id_to_view⫽1171 “Canadian Interactive Reid Report”, Ipsos-Reid.com and Columbus Group, www.columbusgroup.com. 33. Miller, Arthur Raphael, The Assault on Privacy: Computers, DataBanks, and Dossiers (University of Michigan Press, 1971).
2 PRIVACY INITIATIVES
Introduction Tracking Technology on the Internet Privacy and the Internet Federal Reports on Internet User Tracking Technology and Privacy Privacy Requirements Privacy and State Government Private Sector Privacy Concerns Security New Technology Impact of September 11 Summary
INTRODUCTION The incredible growth of electronic commerce and the trend toward electronic government provide many opportunities, as well as many challenges. In today’s highly computerized, fastpaced environment, citizens are beginning to realize that vast amounts of personal information are stored, maintained, and distributed. The accessibility, speed, and storage capacity of computers provides a mechanism to combine data into usable information sources for the conduct of marketing and sales campaigns. However, as citizens gain an awareness of these practices, they are beginning to demand that basic expectations to the rights of privacy be met. As a result, government and private organizations are trying to develop methods to safeguard personal information while retaining the benefits derived from computerization and information sharing. A major issue facing the public and private sector revolves around how they deal with the privacy challenges presented by digital technologies. This will be exacerbated by the increase in use of digital technology in our routine and daily tasks and the perceived need for enhancements to homeland security after the events of September 11, 2001. There is always the chance that personal information you disclose will end up in the wrong hands. This risk is everywhere, whether buying dinner at a restaurant, ordering clothes over the phone, responding to a survey, or browsing Web sites. Once your private information has been disclosed to a third party, you no longer have control of, nor reasonable expectations to your privacy. The Internet has brought the privacy issue to the forefront; however, in reality there are tighter standards for protecting data collected on-line than there are for data collected off-line. For years, companies and even governments have sold or rented personal information without the knowledge of consumers (i.e., sale of driver’s license information to insurance companies). 24
INTRODUCTION
25
In the Internet world, the presence of a privacy policy does not mean that a company won’t collect or sell your personal data; it only outlines what a company is going to do. In fact, large companies with multiple subsidiaries will freely exchange data between these associated but separate companies. Another issue that has arisen is the value of customer data for sale or bankruptcy purposes. A company in financial trouble may no longer honor its privacy commitments if doing so will impact the viability or sale of the company. This fear came to fruition when Toysmart attempted to sell its customer list as part of a bankruptcy settlement. Companies are beginning to realize that strong privacy policies can enhance their reputation, increase sales, and reduce the risk of future liabilities. The growing emphasis on privacy has led to the creation of a new market. Vendors ranging from software, hardware, professional organizations, and consulting are marketing solutions to manage the retention and use of personal data. The following excerpt of remarks given by Federal Trade Commission (FTC) Chairman Timothy J. Muris outlines some of the concerns and resolutions regarding privacy.1 The FTC plays a vital role in protecting consumer privacy, a role I propose to increase. I will outline the FTC’s current and future privacy initiatives, and finally, my thoughts on Internet privacy legislation. There is no question that consumers are deeply concerned about the privacy of their personal information. There is no question that a lot of information is being collected. There are a lot of questions about how it is being used . . . and who is using it. In my work with the Administration and with outside groups, I have been impressed by the importance of privacy issues for both President Bush and for the American people. Privacy has become a large and central part of the FTC’s consumer protection mission. Our economy generates an enormous amount of data. What I personally find most astounding is what occurs all over America at auto dealers every day. If consumers have good credit, they can borrow $10,000 or more from a complete stranger, and actually drive away in a new car in an hour or less. I call this the “miracle of instant credit.” I am told this cannot rightly be called a “miracle” because miracles require a “higher authority” than a credit manager. When you think about it, however, this event is extraordinary. This “miracle” is only possible because of our credit reporting system. The system works because, without anybody’s consent, very sensitive information about a person’s credit history is given to the credit reporting agencies. If consent were required, and consumers could decide—on a creditor-by-creditor basis—whether they wanted their information reported, the system would collapse. Credit histories are one of our most sensitive pieces of information. Their use is, and should be, restricted and protected. The Fair Credit Reporting Act provides such protections. Despite the benefits of information sharing, concerns about privacy are real and legitimate. Many consumers are troubled by the extent to which their information is collected and used. Some feel that they have lost control over their own information. If you probe further, what probably worries consumers most are the significant consequences that can result when their personal information is misused. First, and most serious, are risks to physical security. Parents do not want information on the whereabouts of their children to be freely available. Women may not want their address known for fear of stalkers. Many prefer to list their telephone number using just their first initial and last name. Someone browsing through the phone book will then not know if the person listed at that address is male or female. Millions of people pay not to be listed in the phone book at all.
26
PRIVACY INITIATIVES
Second is the risk of economic injury. The fear of identity theft plagues the information age. No other practice so vividly captures the fears many consumers have about their privacy. It strikes randomly, leaving lives in shambles. Identity theft can range from unauthorized use of your credit card to someone creating a “duplicate” you. Consumers’ third concern is with practices that are unwanted intrusions in our daily lives. Unwanted phone calls disrupt our dinner, and our computers are littered with spam. We will also enforce privacy promises. One of the agency’s successes has been encouraging Internet sites to post privacy notices. In 1998, only 2 percent of all sites had some form of privacy notices. By 2000, virtually all of the most popular sites had privacy notices. Industry’s significant response to consumer concerns about privacy has been impressive. From my many meetings with business community members, it is clear that industry will continue to make privacy a priority. Having encouraged commercial Web sites to post these notices, the FTC needs to ensure compliance. Privacy promises made off-line should be held to the same standard. The FTC has brought several cases challenging violations of promises made in on-line privacy policies such as the disclosure of information to third parties and the collection of personally identifiable information from children. We will expand our review of privacy policies and make it more systematic. We will seed lists with names to ensure that restrictions on disclosures to third parties are honored. We will also work with seal programs and others to get referrals of possible privacy violations. Finally, we will improve our own complaint handling system to target cases more effectively. Problems that arise in bankruptcy or reorganization are of particular concern. Companies that promise confidentiality may decide to sell or transfer personal information they have collected. If confidentiality promises are to be meaningful, then they must survive when the company is sold or reorganized. We will also increase our scrutiny of information practices that involve deceptive or unfair uses of sensitive data—such as medical or financial information or data involving children. Moreover, we will keep a close eye on claims touting the privacy or security features of various products or services. When companies deliberately market a product as one that enhances privacy or security, they are targeting consumers who not only care about these protections but are also willing to pay for them. We will ensure that sellers deliver on those promises. Perhaps most importantly, I think there is a great deal we can do under existing laws to protect consumer privacy. That is what this privacy agenda is all about. At this time, we need more law enforcement, not more laws. Whether we ultimately need more laws requires further study. We will enforce current laws vigorously, using more of the FTC’s resources.
TRACKING TECHNOLOGY ON THE INTERNET Web sites use various types of technology to track and collect information on Web site users and activity. Web sites use several different types of technology to collect information on Web site usage and activity. These technologies include user or Web logs, session cookies, persistent cookies, and Web bugs.
TRACKING TECHNOLOGY ON THE INTERNET
27
User or Web Logs User or Web logs generally list all requests for individual Web pages that have been requested from a Web site. The raw log data is retained and can be analyzed and summarized by other software programs. Some of the data retained in these logs include: • The Internet Protocol (IP) address and domain name used. The IP address is an identifier for a computer or device. The domain name identifies one or more IP addresses. For example, in the URL http://www.gao.gov/reports, the domain name is gao.gov. • The type of browser and operating system used and the connection speed. The browser is software on the user’s computer that provides a way to look at and interact with all the information on the World Wide Web. The two most common browsers are Netscape Navigator and Microsoft Internet Explorer. • The date and time the site was accessed • The Web pages or services accessed at this site These logs are analyzed to provide the following types of information: • Number of visitors to a home page • Origin of visitors in terms of their associated server’s domain name (i.e., whether the user came from an educational, governmental, or commercial server) • Number of requests for individual Web pages • Usage patterns based on time of day, day of week, season, etc.
Cookies A cookie, which is a short string of text, is established when the user accesses a Web page using cookie technology. The information stored in a cookie includes, among other things, the name of the cookie, its unique identification number, its expiration date, IP (Internet Protocol) address, type of browser used (such as Netscape Navigator or Microsoft Internet Explorer), and its domain (such as www.gao.gov). When the Web page is first accessed, the Web server sends a cookie back to the user’s computer. When the user’s computer requests a page from the Web server that sent it a cookie, the user’s computer sends a copy of that cookie back to the server. Cookies may be classified as either session or persistent. Session cookies expire when the user exits the Internet and closes the browser. Session cookies are generally limited to generic information such as the user’s IP address, browser software, date and time of visit, and pages accessed on the site. Session cookies can allow server operators to track user movements through a site and allows site operators to obtain a clearer picture of how users navigate through a site. A cookie provides the navigation information in a format that is easier to analyze than log files. Persistent cookies have unique identifiers associated with them and, unlike the session cookie, do not expire when the user exits from the Internet, but rather remain on the user’s computer for an extended period of time. When a user revisits the Web site that sent the persistent cookie, the user’s computer sends a copy of the cookie back to the server. The information in the persistent cookie allows the server to recognize returning users, track on-line purchases, or
28
PRIVACY INITIATIVES
maintain and serve customized Web pages. This information is then stored in the server’s log files. The cookie itself does not provide the server with any additional personal information but may make it easier for the server to track users’ browsing habits.
Web Bugs A Web bug is a widely used, yet virtually undetectable, means of tracking people’s Internet surfing habits. Like cookies, Web bugs are electronic tags that help Web sites and advertisers track visitors’ whereabouts in cyberspace. However, Web bugs are invisible on the page and are much smaller, about the size of the period at the end of this sentence. Most computers have cookies, which are placed on a person’s hard drive when a banner ad is displayed or a person signs up for an on-line service. Experienced Internet users are aware of cookies and the means to detect and prevent them; however, users can’t see Web bugs, and anti-cookie filters won’t catch them. As a result, Web bugs wind up tracking surfers in areas on-line where banner ads are not present or on sites where people may not expect to be tracked.
PRIVACY AND THE INTERNET Two types of privacy concerns have been raised concerning the use of Internet Web sites. The first is using technology to track where individuals go over the Internet. While user logs and cookies generally do not collect personally identifiable information (such as name, social security number, or e-mail address), the information that is collected could be combined with personally identifiable information provided by the user, and ultimately, could be used to track the individual’s movements. Persistent cookies create the most concern because they have a unique identifier assigned to them and remain on the user’s computer for an extended period of time. Consequently, if the persistent cookie is linked to other personal identifying information submitted by the user, then the user’s identity can be ascertained and his or her movements over certain Web sites can be tracked. The following excerpt is taken from the federal Office of Management and Budget policy memorandum for federal Web sites2: Particular privacy concerns may be raised when uses of Web technology can track the activities of users over time and across different Web sites. These concerns are especially great where individuals who have come to government Web sites do not have clear and conspicuous notice of any tracking activities. “Cookies”—small bits of software that are placed on a Web user’s hard drive—are a principal example of current Web technology that can be used in this way.
The second privacy concern is the safeguarding of personal information individuals provide to entities over Web sites. The Internet allows users to send a great amount of personal information to Web sites. These include name, address, social security number, credit card number, and e-mail address. Concerns regarding the use of personal information include with whom the information might be shared as well as whether the security over the personal information is adequate. The issue of privacy and the handling of personal information obtained from Internet users is further complicated for government agencies. On one hand, government agencies may have an obligation to protect the individual privacy rights of users. On the other hand, state agencies need to fulfill obligations under the Freedom of Information Act which gives the public access,
FEDERAL REPORTS ON INTERNET USER TRACKING TECHNOLOGY AND PRIVACY
29
with certain exceptions, to public records, including information submitted via the Internet. Consequently, it is important that government agencies provide clear and adequate notice to users as to how personal information they submit over the Internet will be handled. The following excerpt from a privacy notification on a government agency Web site illustrates how agencies need to balance the privacy rights of individuals with the rights of the public to obtain information about the operations of government: We collect no personal information about you unless you voluntarily participate in an activity that asks for information (e.g., sending an e-mail or participating in a survey). If personal information is requested on the Web site or volunteered by the user, state law and the federal Privacy Act of 1974 may protect it. However, this information is a public record once you provide it, and may be subject to public inspection and copying if not protected by federal or state law.3
FEDERAL REPORTS ON INTERNET USER TRACKING TECHNOLOGY AND PRIVACY The General Accounting Office (GAO) produced several reports pertaining to Tracking Technology used by federal agencies and Internet privacy. One report, issued in April 2000, Internet Privacy: Implementation of Federal Guidance for Agency Use of “Cookies,” 4 reviewed whether selected federal Web sites’ use of cookies was consistent with guidance established by the Office of Management and Budget (OMB). The GAO reviewed 65 federal Web sites. Of the 65 federal sites, eight used persistent cookies. Four of the eight did not disclose such use in their privacy policies as required by OMB, while the other four did provide disclosure but did not meet OMB’s other conditions for using cookies. Out of the 57 sites that did not use persistent cookies, four of them did not post privacy policies on their home pages. In a September 2000 report, Internet Privacy: Comparison of Federal Agency Practices with FTC’s Fair Information Principles,5 the GAO was asked to determine how federal Web sites fared when measured against the Federal Trade Commission’s (FTC) fair information principles for commercial Web sites, and the extent to which these sites allowed the placement of thirdparty cookies. The GAO reviewed 65 federal Web sites for the collection of personal identifying information and disclosure indicating that they meet the four fair information principles: Notice, Choice, Access, and Security. All 65 federal Web sites reviewed collected personal identifying information with 85 percent of them posting privacy notices. Out of the 65 sites reviewed: • • • • •
69 percent met FTC’s criteria for Notice 45 percent met FTC’s criteria for Choice 17 percent met FTC’s criteria for Access 23 percent met FTC’s criteria for Security 3 percent implemented all four elements
In a third report, also issued in September 2000, Internet Privacy: Agencies’Efforts to Implement OMB’s Privacy Policy,6 the GAO was asked to determine: • If agencies have clearly labeled and easily accessed privacy policies posted on their principal Web sites
30
PRIVACY INITIATIVES
• If agencies’ privacy policies posted on their principal Web sites inform visitors about what information an agency collects, why the agency collects it, and how the agency will use the information • How selected agencies have interpreted the requirements to post privacy policies at major entry points • If selected agencies have posted privacy policies on Web pages where the agency collects “substantial” personal information or, when applicable, notices that refer to the Privacy Act of 1974 The GAO found 67 of 70 agencies’ Web sites had clearly labeled and easily accessible privacy policies. Sixty-three of the 70 sites had privacy policies that addressed the automatic collection of information, and 67 had privacy policies and procedures that addressed whether or not they collect information that visitors voluntarily provide. These policies and procedures stated what information was being collected, why the agency was collecting it, and how they planned to use it. To determine what qualified as personal information, the GAO set the criteria to include information that contained the individual’s (1) name, (2) e-mail address, (3) postal address, (4) telephone number, (5) social security number, or (6) credit card number. The GAO reviewed 101 on-line forms that collected “substantial” personal information. Forty-four of these forms did not have privacy policies posted.
PRIVACY REQUIREMENTS At the federal level, the Privacy Act of 1974 requires federal agencies to protect the individual’s right to privacy when personal information is collected. Also, the federal Children’s Online Privacy Protection Act of 1998 (effective April 21, 2000) requires anyone who operates a Web site directed to children or who has actual knowledge that the person from whom they seek information is a child to comply with certain requirements on collection, use, and disposition of children’s personal information. State agency Web sites that collect personally identifiable information from children (or collect non-individually identifiable information that is then combined with an identifier) would need to comply with the Children’s Online Privacy Protection Act. In June 1999, federal agencies were first required to post privacy notices on their Web sites. The Office of Management and Budget (OMB) issued Memorandum M-99-18, which required that privacy notices be posted on the agency’s principal Web site by September 1, 1999. The OMB further required that, by December 1, 1999, privacy policies need to be added to any other known, major entry points to agency Web sites as well as any Web page where they collected substantial personal information from the public. The Memorandum went on to require7: Each policy must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it. Privacy policies must be clearly labeled and easily accessed when someone visits a Web site.
The Memorandum noted that posting a privacy policy helps ensure that individuals have notice and choice about, and thus confidence in, how their personal information is handled when they use the Internet. It further noted that every federal Web site must include a privacy policy statement, even if the site does not collect any information that results in creating a Privacy Act record. Finally, it laid out model language for federal Web site policies.
PRIVACY REQUIREMENTS
31
The OMB directive also addressed the use of cookies. The directive stated that cookies were not to be used at federal sites unless, in addition to clear and conspicuous notice, the following conditions were met: • A compelling need to gather the data on the site • Appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies • Personal approval by the head of the agency While the use of cookies has been the subject of several lawsuits in the United States, there are currently no laws that specifically address the use of cookies. Other laws, such as the federal Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Wiretap Act have been cited in complaints. The National Electronic Commerce Coordinating Council (NECCC) is an alliance of national state government associations dedicated to the advancement of electronic government within the states. On December 2000 it released a publication, Privacy Policies—Are You Prepared? A Guidebook for State and Local Government. The Introduction of the Guidebook contains the following text8: For nearly half a century, the “Big Brother” syndrome of George Orwell’s chilling classic 1984, has created a concern that governments are constantly amassing information on its citizens for “nefarious” purposes. Cold War, East Bloc nations did in fact suffer abuses of state-sponsored “information gathering”—an episode in history that reaffirmed Orwellian predictions. In extreme contrast, the United States has led the charge to protect the privacy rights of citizens through legislation such as the Freedom of Information Act. We are one of the few nations in the world that does not have “national identity cards.” Today, however, “information privacy” is being threatened by technology advancing so rapidly, legislators can scarcely keep pace. Right now, any individual or group can essentially invade and examine databases containing personal information that most Internet-users believe is privately held. As the ability to retrieve information electronically is becoming easier, new security concerns are arising such as the potential for personal information to not only be accessed, but mined and distributed, as well. The world’s citizens are no longer in fear of a governmental “Big Brother,” but now face a global “Virtual Big Brother.” Over the past few years, the changing nature of privacy as a result of the World Wide Web has incited much debate over the precautionary measures needed to safeguard the individual’s right to privacy. Much progress has been made nationally and internationally to adopt guidelines that protect privacy, yet remain flexible enough to allow for the continued growth and development of the Internet. However, in the rush to adopt e-commerce applications on the state and local government level, the privacy debate has received minimal attention despite citizen concerns to the contrary. The National Electronic Commerce Coordinating Council (NECCC) believes it is crucially important to raise awareness and foster discussion on the issue of on-line privacy due to the unique role states and localities play in collecting, maintaining and disseminating constituent data. The emerging networked world provides opportunities for government leaders to offer improved services while saving taxpayer dollars. Most citizens are embracing these revolutionary changes and are petitioning for even more government services to be available on-line. However, herein this citizen campaign lays the privacy paradox.
32
PRIVACY INITIATIVES
The NECCC has taken the initiative to create this guidebook to serve as a resource for state and local government officials so they may more fully understand the need to proactively address this issue. The purpose of the guidebook is to reinforce the importance of privacy policies and explain the components necessary to create an effective document. Additionally, the “Privacy Policies Guidebook” is intended to help officials to avoid potential pitfalls and hurdles by providing resources, references and other support.
The NECCC encourages states to pursue policies for protecting individually identifiable information on all of their portals, Web pages, and other sites of entry on the World Wide Web. The content of such policies should at a minimum address the following five points: 1. Adoption of a privacy policy. Each state and local government should adopt a privacy policy and take responsibility for enforcing it among its divisions and departments. Thoughtful consideration should be given to the parameters of the policy as well as its legal implications before it is posted. 2. Notice and disclosure. A privacy policy must be easy to find, read, and understand. The policy should inform the constituent that when personal information is collected, there will be a limited way that information will be used, possible third-party distribution of that information, and the choices available regarding collection, use, and distribution of the collected information. 3. Opt-in/opt-out clauses. Many consumer protection groups have advocated for opt-in or opt-out clauses. These groups, along with many individuals in the public and private sector, believe that citizens should be given the opportunity to choose how their personally identifiable information collected from them on-line is used when it is unrelated to the purpose for which it was provided. The growing belief is that one of the best ways to protect privacy on the Internet is to combine the elements of opt-in and opt-out clauses. (Note: Some state freedom of information laws preclude an agency from offering an optin or opt-out clause. Based on these state laws, information that is collected is classified as a record and must be treated in a manner consistent with their state laws.) 4. Data security. State entities and their affiliated agencies that collect data on-line have a unique responsibility to their constituents to ensure that the individually identifiable information collected is protected from loss, misuse, inaccuracies, and alteration. Reasonable steps should be taken to ensure that third parties who receive information are aware of these security practices and that those parties are also taking precautions to safeguard any transferred information. 5. Data access. Organizations creating, maintaining, using, or disseminating individually identifiable information should take precautions to assure that the data is accurate, complete and timely for the purposes for which it is to be used. States should develop mechanisms so that inaccuracies in data, such as contact information, may be easily corrected. These processes need to be simple, easy to use, and provide verification to the citizen that the inaccuracies have been corrected. Procedures should also be implemented to protect against accidental or unauthorized alteration of one’s information. The NECCC report concluded that a privacy policy should be published on every government Web site, even if the site does not create records of the information collected. A privacy statement should explain how information is managed. Because state agency Web sites have many different purposes, the privacy policies found on these sites should also be diverse and specific to the visited site. A “one size fits all” approach to developing a privacy policy will not
PRIVACY AND STATE GOVERNMENT
33
effectively or accurately reflect the information gathered by individual agencies or how they process and store this information. Specific Web-based forms that require personal information should post a privacy policy, or a link to the policy, on the page/form indicating how the information will be used and under what conditions the information may be shared or released to another party. The form may include a provision for the individual to opt out of sharing the information with another party, or a warning that the information may be a public record and subject to an open records request. Web pages designed for children must comply with all applicable federal (i.e., Children’s Online Privacy Protection Act) and state laws intended to protect minors. Finally, the NECCC Guidebook notes that: In the course of operating a Web site, certain information may be collected automatically in logs or cookies. Some agencies may be able to collect a great deal of information, but, according to policy, choose to collect only limited information. In some instances, agencies may have the technical ability to collect information and later take additional steps to identify people, such as looking up static Internet Protocol addresses that can be linked to specific individuals. Regardless of an agency’s decision to collect this type of information or take further steps to gather more information, the privacy statement must clearly denote the policy. It is imperative to ensure these policies are consistent with the state’s Freedom of Information or Open Records laws.
PRIVACY AND STATE GOVERNMENT State governments need to examine how long they are keeping records of individuals’ personal information, who they are sharing the information with and under what circumstances, how the information is being used, and what the penalties are for misuse. For example, some states have been aggressive in giving law enforcement personnel access to databases during 2001. These states include Colorado, Delaware, Illinois, New Jersey, Ohio, and Georgia; however, none of those states has enacted privacy laws detailing how the information may be used. As of December 2001, only eight states had passed laws regarding government use of private information, though many states have been examining whether they should update their laws to reflect the impact of digital technology. States that have passed privacy laws include Arkansas, Arizona, Massachusetts, Montana, Nevada, New York, Texas, and Utah. In addition, only 15 states have passed financial privacy laws since the enactment of a 1999 federal law that enables states to pass tougher laws. However, states may not need to resolve this issue if the federal government enacts a bill that supersedes all state laws on privacy that set guidelines on government use of private information that is collected electronically.9 Several state Web sites were accessed in late 2001 and early 2002 and the privacy policies varied significantly between states. It appeared that some states did not require or have a statewide privacy policy. Two states, Texas and Washington, had detailed policies as a result of government mandates. Texas had an administrative rule that requires that the home pages of all state government Web sites and key entry points must include privacy policies that address the following: • Use of server logs and cookies • Information collected by other technologies and processes
34
PRIVACY INITIATIVES
Information collected via e-mail and Web-based forms shall post a link to the privacy policy. The form may include a provision for the user to opt out of sharing information with another party or a warning that the information may be a public record and therefore subject to the Texas Public Information Act. On January 6, 2002, the authors accessed the Texas Web site (www.state.tx.us) and found the following privacy policy. Privacy Policy Notice10 August 15, 1999 The State Technology Assessment Center (STAC) of the Department of Information Resources (DIR) maintains the State of Texas Web site as a public service. The following is the privacy policy for this site (all pages starting with www.state.tx.us): 1. We do not use cookies to collect information. Note: A cookie file contains unique information a Web site can use to track such things as passwords, lists of pages you’ve visited, and the date when you last looked at a specific page, or to identify your session at a particular Web site. A cookie is often used in commercial sites to identify the items selected for a specific shopping cart application. 2. If you send us an electronic mail message with a question or comment that contains personally identifying information, or fill out a form that e-mails us this information, we will only use the personally-identifiable information to respond to your request and analyze trends. We may redirect your message to another government agency or person who is in a better position to answer your question. 3. For site management functions, information is collected for analysis and statistical purposes. This information is not reported or used in any manner that would reveal personally identifiable information, and will not be released to any outside parties unless legally required to do so in connection with law enforcement investigations or other legal proceedings. We use Log analysis tools to create summary statistics, which are used for purposes such as assessing what information is of most interest, determining technical design specifications, and identifying system performance or problem areas. The following information is collected for this analysis: • User Client hostname. The hostname (or IP address if DNS is disabled) of the user/client requesting access. • HTTP header, “user-agent.” The user-agent information includes the type of browser, its version, and the operating system it’s running on. • HTTP header, “referer.” The referer specifies the page from which the client accessed the current page. • System date. The date and time of the user/client request. • Full request. The exact request the user/client made. • Status. The status code the server returned to the user/client. • Content length. The content length, in bytes, of the document sent to the user/client. • Method. The request method used. • Universal Resource Identifier (URI). The location of a resource on the server. • Query string of the URI. Anything after the question mark in a URI. • Protocol. The transport protocol and version used.
PRIVACY AND STATE GOVERNMENT
35
Washington State Executive Order 00–03, “Public Records Privacy Protections,” attempts to balance confidentiality with the state’s public disclosure and open government laws: • Agencies that operate Internet Web sites must have privacy policies that are prominently displayed on their home pages. The policies must be consistent with the Model Privacy Notice developed by the Department of Information Services. • Agencies must establish procedures and practices for handling and disposing records that contain confidential personal information. • Personal information must not be sold, and lists of individuals must not be released for commercial purposes. The collection of personal data should be limited to that which is needed for legitimate public purposes and retained only as long as necessary. • Agencies that enter into contracts or agreements for sharing personal information with other entities must have contractual requirements that protect the information from inappropriate uses. • When personal information about citizens is collected, they should be notified that the law may require it to be disclosed as a public record. People should be informed about how they can review their personal information and recommend corrections if it is inaccurate or incomplete. • Agencies must have contact persons to handle privacy complaints and questions from the public. On January 6, 2002, the authors accessed the state of Washington’s Web site (http://access.wa.gov) and found the following privacy policy. Washington11 Privacy Notice Information Thank you for visiting Access Washington and reviewing our Privacy Notice. This notice addresses collection, use and security of and access to information that may be obtained through use of Access Washington. This notice covers the following topics: • • • • • • • •
Information Collected and How It Is Used Personal Information and Choice Public Disclosure Access and Correction of Personal Information Cookies Security Disclaimer Contact Information
Information Collected and How It Is Used If you do nothing during your visit to Access Washington but browse or download information, we automatically collect and store the following information about your visit: • The Internet Protocol Address and domain name used but not the email address. The Internet Protocol address is a numerical identifier assigned either to your Internet service provider or directly to your computer. We use the Internet Protocol Address to direct Internet traffic to you.
36
PRIVACY INITIATIVES
• • • •
The type of browser and operating system you used The date and time you visited this site The Web pages or services you accessed at this site The Web site you visited prior to coming to this Web site
The information we automatically collect or store is used to improve the content of our Web services and to help us understand how people are using our services. Access Washington analyzes our Web site logs to continually improve the value of the materials available on our site. Our Web site logs are not personally identifiable, and we make no attempt to link them with the individuals that browse Access Washington. If during your visit to Access Washington you participate in a survey or send an e-mail, the following additional information will be collected: • The e-mail address and contents of the e-mail • Information volunteered in response to a survey The information collected is not limited to text characters and may include audio, video, and graphic information formats you send us. The information is retained in accordance with Chapter 40.14 RCW, Preservation and Destruction of Public Records. We use your email to respond appropriately. This may be to respond to you, to address issues you identify, to further improve our Web site, or to forward the email to another agency for appropriate action. Survey information is used for the purpose designated. Personal Information and Choice “Personal information” is information about a natural person that is readily identifiable to that specific individual. Personal information includes such things as an individual’s name, address, and phone number. A domain name or Internet Protocol address is not considered personal information. We collect no personal information about you unless you voluntarily participate in an activity that asks for information (i.e. sending an email or participating in a survey). If you choose not to participate in these activities, your choice will in no way affect your ability to use any other feature of Access Washington. If personal information is requested on the Web site or volunteered by the user, state law and the federal Privacy Act of 1974 may protect it. However, this information is a public record once you provide it, and may be subject to public inspection and copying if not protected by federal or state law. Users are cautioned that the collection of personal information requested from or volunteered by children on-line or by email will be treated the same as information given by an adult, and may be subject to public access. Public Disclosure In the State of Washington, laws exist to ensure that government is open and that the public has a right to access appropriate records and information possessed by state government. At the same time, there are exceptions to the public’s right to access public records that serve various needs including the privacy of individuals. Exceptions are provided by both state and federal laws. All information collected at this site becomes public records that may be subject to inspection and copying by the public, unless an exemption in law exists. RCW 42.17.260(1) states that:
PRIVACY AND STATE GOVERNMENT
Each agency, in accordance with published rules, shall make available for public inspection and copying all public records, unless the record falls within the specific exemptions of subsection (6) of this section [RCW 42.17.260(6)], RCW 42.17.310, 42.17.315, or other statute which exempts or prohibits disclosure of specific information or records. To the extent required to prevent an unreasonable invasion of personal privacy interests protected by RCW 42.17.310 and 42.17.315, an agency shall delete identifying details in a manner consistent with RCW 42.17.310 and 42.17.315 when it makes available or publishes any public record; however, in each case, the justification for the deletion shall be explained fully in writing. In the event of a conflict between this Privacy Notice and the Public Records Act or other law governing the disclosure of records, the Public Records Act or other applicable law will control. Access and Correction of Personal Information You can review any personal information we collect about you. You may recommend changes to your personal information you believe in error by submitting a written request that credibly shows the error. If you believe that your personal information is being used for a purpose other than what was intended when submitted, you may contact us. In all cases, we will take reasonable steps to verify your identity before granting access or making corrections. See Contact Information section. Cookies To better serve our users we are now using “cookies” to customize your browsing experience with Access Washington. Cookies are simple text files stored on your computer by your Web browser. They provide a method of distinguishing among visitors to Access Washington. Cookies created on your computer by using this Web site do not contain personally identifying information and do not compromise your privacy or security. We use the cookie feature only to store a randomly generated identifying tag on your computer. You can refuse the cookie or delete the cookie file from your computer by using any of the widely available methods. Security The Department of Information Services, as developer and manager of Access Washington, has taken several steps to safeguard the integrity of its telecommunications and computing infrastructure, including but not limited to authentication, monitoring, auditing, and encryption. Security measures have been integrated into the design, implementation and dayto-day practices of the entire DIS operating environment as part of its continuing commitment to risk management. This information should not be construed in any way as giving business, legal, or other advice, or warranting as fail proof, the security of information provided via DIS supported Web sites. Disclaimer Access Washington has links to other Web sites. These include links to Web sites operated by other government agencies, nonprofit organizations, and private businesses. When you link to another site, you are no longer on Access Washington and this Privacy Notice will not apply. When you link to another Web site, you are subject to the privacy policy of that new site.
37
38
PRIVACY INITIATIVES
Neither the State of Washington, nor any agency, officer, or employee of the State of Washington warrants the accuracy, reliability or timeliness of any information published by this system, nor endorses any content, viewpoints, products, or services linked from this system, and shall not be held liable for any losses caused by reliance on the accuracy, reliability or timeliness of such information. Portions of such information may be incorrect or not current. Any person or entity that relies on any information obtained from this system does so at his or her own risk. Access Washington Contact Information To access your personally identifiable information we collect, if any, or request correction of factual errors in your personally identifiable information, contact the Department of Information Services Public Disclosure Officer at 1110 Jefferson Street SE, PO Box 42445, Olympia, Washington 98504-2445 or telephone (360) 902-3550, or email
[email protected]. To offer comments about Access Washington, or about the information presented in this Privacy Notice, contact: Access Washington - Manager, Digital Government Web Properties: By Fax: (360) 586-3595 By Mail: Access Washington Digital Government Web Properties PO Box 42445 Olympia, WA 98504-2445
PRIVATE SECTOR PRIVACY CONCERNS Privacy issues and concerns are not limited to government organizations. The increased privacy awareness of consumers has prompted consumers to question the practices of the businesses they use. If business does not move swiftly enough to address privacy concerns, the government may take action. For example a comprehensive data privacy bill may be introduced in the U.S. House that will apply to on-line and off-line practices, affecting virtually every company that does business in the United States. The possible legislation will set baseline standards on privacy, requiring clear and conspicuous data privacy notices. It will also give consumers the capability to prevent a company from selling their personal information and require a statement explaining what security precautions a company has taken to protect private information. However, there may be some business support for this legislation since privacy concerns are hurting electronic commerce as privacy is the number-one reason why people don’t shop on-line. Some key provisions for the potential new privacy rules include: • Federal preemption. The legislation will prevent states from adopting tougher privacy rules on their own. • Liability limits. Restrictions will be set on class-action lawsuits filed against privacy violators. • Opt-out. If on-line, a user may have to uncheck a box to be excluded from data sharing. • Privacy notices. Web sites will be required to have clear and conspicuous privacy notices.
PRIVATE SECTOR PRIVACY CONCERNS
39
• Safe harbor provision. A company would be considered in compliance with the federal baseline rules if it belonged to a private certification program. • Enforcement agency. Federal Trade Commission12 One example of a new privacy issue was the announcement by AOL in late 2001 that it would use Web bugs and cookies for advertisements in the future. AOL is the largest Internet provider in the United States with 30 million members. Prior to the announcement, AOL had promoted their practice of not using cookies or Web bugs for marketing purposes. The change would allow AOL to track advertisements and retain information on which users responded to advertisements. This change was disclosed in the AOL privacy statement, which stated that the information would not be used to track members’ Web-surfing habits and would not be linked to personally identifiable information about members, unless members voluntarily provided such information. Another example is the use of customer relationship management (CRM) software by casinos to create detailed customer profiles. Casinos gather a great deal of information from credit cards and loyalty cards and match this information with other data to create detailed user profiles. This allows the casinos to develop individualized marketing strategies to attract and retain customers with individualized treatments from accommodations, to beverages, food, entertainment, and even the delivery of specific flowers to a room. Although casinos refrain from selling this information (it is too valuable), the potential exists for the sale of detailed personal information without the knowledge or consent of the consumer.13 On a related note, on January 24, 2002, Sears announced a multi-million-dollar investment for enhancements to its CRM system. Although Sears could track the sales of any item in all or any of its stores, the addition of 95 terabytes of disk storage will allow them to perform additional analysis. For example, Sears wanted to be able to see if a particular customer purchased a cocktail dress and swimsuit on the same day, indicating she might be going on vacation, which would prompt the retailer to mail her a flier on sunglasses.14 In a third example, Toysrus.com agreed to pay the state of New Jersey $50,000 to develop educational programs on Internet privacy issues. The privately held subsidiary of Toys R Us, Inc., had been sued for allegedly sharing customers’ personal information gleaned from tracking Internet users’ movements on the retailer’s Web sites. Although Toysrus.com admitted no wrongdoing, they now prominently display a privacy policy on their Web sites.15 In a report16 by the Sageza Group, 100 security professionals stated that their companies are not very concerned about providing Web customers the opportunity to opt out of sharing personal information with third parties (see Exhibit 2.1). The companies were working to ensure that the personal information they maintain was adequately secured from unauthorized access. Over half of the companies surveyed had privacy notices on their Web site; however, less than half described what they do with the data they collect. Interestingly enough, almost 60 percent of the respondents were in favor of the government requiring Web sites that collect personal information to comply with minimal privacy guidelines. In the same Sageza Group report, an assessment of privacy solutions indicated that authentication technologies were widely used; however, consulting services and content technologies lagged behind (see Exhibit 2.2). An InformationWeek article17 outlined concerns from the Privacy Foundation, a nonprofit agency, that alleged that the Monster.com job-search site doesn’t disclose its informationsharing practices with users. Some issues cited included the sharing of information with partner AOL Time Warner and requesting information related to ethnic origin.
40
PRIVACY INITIATIVES
Use of opt-in vs. opt-out solutions on company Web-site Liability of customer data collection practices Other companies accessing your Intranet Protecting electronically stored employee data
Protecting electronically gathered and stored customer data
1
2
3
4
5
Not concerned
Exhibit 2.1.
Extremely concerned
Privacy Hotspots: How Concerned Is Your Company About These Privacy Issues?
Source: The Sageza Group, Inc., Mountain View, CA. Internet Study of 100 Security Professionals (multiple responses allowed), March 2002.
Authentication technologies Filters Audit Controls Custom-tailored software Professional consulting services Permission-based content technologies 0
Exhibit 2.2.
10
20
30 40 % of respondents
50
60
Technology Directives: Which Privacy Solutions Does Your Company Use?
Source: The Sageza Group, Inc., Mountain View, CA. Internet Study of 100 Security Professionals (multiple responses allowed), March 2002.
The Federal Trade Commission (FTC) has been very active in the development of privacy initiatives. The following information on privacy initiatives was included on the FTC Web site www.ftc.gov. Advances in computer technology have made it possible for detailed information about people to be compiled and shared more easily and cheaply than ever. That’s good for society as a whole and individual consumers. For example, it is easier for law enforcement to track down crimi-
PRIVATE SECTOR PRIVACY CONCERNS
41
nals, for banks to prevent fraud, and for consumers to learn about new products and services, allowing them to make better-informed purchasing decisions. At the same time, as personal information becomes more accessible, each of us—companies, associations, government agencies, and consumers—must take precautions to protect against the misuse of that information. The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy.18 Read more about our efforts, what we’ve learned, and what you can do to protect the privacy of your personal information.
Three on-line privacy reports are available on the FTC Web site that are worthy of review. 1. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000) 2. Self-Regulation and Privacy Online: A Federal Trade Commission Report to Congress (July 1999) 3. Online Privacy: A Report to Congress (June 1998) The Executive Summary from the Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress19 follows: The online consumer marketplace is growing at an exponential rate. At the same time, technology has enhanced the capacity of online companies to collect, store, transfer, and analyze vast amounts of data from and about the consumers who visit their Web sites. This increase in the collection and use of data has raised public awareness and consumer concerns about online privacy. To ensure consumer confidence in this new marketplace and its continued growth, consumer concerns about privacy must be addressed. The Federal Trade Commission has been studying online privacy issues since 1995. This is the Commission’s third report to Congress examining the state of online privacy and the efficacy of industry self-regulation. It presents the results of the Commission’s 2000 Online Privacy Survey (the “Survey”), which reviewed the nature and substance of U.S. commercial Web sites’ privacy disclosures, and assesses the effectiveness of self-regulation. The Report also considers the recommendations of the Commission-appointed Advisory Committee on Online Access and Security. Finally, the Report sets forth the Commission’s conclusion that legislation is necessary to ensure further implementation of fair information practices online and recommends the framework for such legislation. In its 1998 report, Privacy Online: A Report to Congress (“1998 Report”), the Commission described the widely-accepted fair information practice principles of Notice, Choice, Access, and Security. The Commission also identified Enforcement—the use of a reliable mechanism to provide sanctions for noncompliance—as a critical component of any governmental or self-regulatory program to protect privacy online. In addition, the 1998 Report presented the results of the Commission’s first online privacy survey of commercial Web sites. While almost all Web sites (92% of the comprehensive random sample) were collecting great amounts of personal information from consumers, few (14%) disclosed anything at all about their information practices. Last year, Georgetown University Professor Mary Culnan conducted a survey of a random sample drawn from the most-heavily trafficked sites on the World Wide Web and a survey of the busiest 100 sites. The former, known as the Georgetown Internet Privacy Policy Survey, found significant improvement in the frequency of privacy disclosures, but also that only 10% of the sites posted disclosures that even touched on all four fair information practice principles. Based in part on these results, a majority of the Commission recommended
42
PRIVACY INITIATIVES
in its 1999 report to Congress, Self-Regulation and Privacy Online, that self-regulation be given more time, but called for further industry efforts to implement the fair information practice principles. In February and March 2000, the Commission conducted another survey of commercial sites’ information practices, using a list of the busiest U.S. commercial sites on the World Wide Web. Two groups of sites were studied: (1) a random sample of 335 Web sites (the “Random Sample”) and (2) 91 of the 100 busiest sites (the “Most Popular Group”). As was true in 1998, the 2000 Survey results show that Web sites collect a vast amount of personal information from and about consumers. Almost all sites (97% in the Random Sample, and 99% in the Most Popular Group) collect an email address or some other type of personal identifying information. The 2000 Survey results show that there has been continued improvement in the percent of Web sites that post at least one privacy disclosure (88% in the Random Sample and 100% in the Most Popular Group). The Commission’s 2000 Survey went beyond the mere counting of disclosures, however, and analyzed the nature and substance of these privacy disclosures in light of the fair information practice principles of Notice, Choice, Access, and Security. It found that only 20% of Web sites in the Random Sample that collect personal identifying information implement, at least in part, all four fair information practice principles (42% in the Most Popular Group). While these numbers are higher than similar figures obtained in Professor Culnan’s studies, the percentage of Web sites that state they are providing protection in the core areas remains low. Further, recognizing the complexity of implementing Access and Security as discussed in the Advisory Committee report, the Commission also examined the data to determine whether Web sites are implementing Notice and Choice only. The data showed that only 41% of sites in the Random Sample and 60% of sites in the Most Popular Group meet the basic Notice and Choice standards. The 2000 Survey also examined the extent to which industry’s primary self-regulatory enforcement initiatives—online privacy seal programs—have been adopted. These programs, which require companies to implement certain fair information practices and monitor their compliance, promise an efficient way to implement privacy protection. However, the 2000 Survey revealed that although the number of sites enrolled in these programs has increased over the past year, the seal programs have yet to establish a significant presence on the Web. The Survey found that less than one-tenth, or approximately 8%, of sites in the Random Sample, and 45% of sites in the Most Popular Group, display a privacy seal. Based on the past years of work addressing Internet privacy issues, including examination of prior surveys and workshops with consumers and industry, it is evident that online privacy continues to present an enormous public policy challenge. The Commission applauds the significant efforts of the private sector and commends industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, demonstrates that industry efforts alone have not been sufficient. Because self-regulatory initiatives to date fall far short of broad-based implementation of effective self-regulatory programs, the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders. While there will continue to be a major role for industry self-regulation in the future, the Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online. The legislation recommended by the Commission would set forth a basic level of privacy protection for consumer-oriented commercial Web sites. It would establish basic standards
PRIVATE SECTOR PRIVACY CONCERNS
43
of practice for the collection of information online, and provide an implementing agency with the authority to promulgate more detailed standards pursuant to the Administrative Procedure Act. Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with the four widely-accepted fair information practices: 1. Notice. Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site. 2. Choice. Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities). 3. Access. Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information. 4. Security. Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers. The Commission recognizes that the implementation of these practices may vary with the nature of the information collected and the uses to which it is put, as well as with technological developments. For this reason, the Commission recommends that any legislation be phrased in general terms and be technologically neutral. Thus, the definitions of fair information practices set forth in the statute should be broad enough to provide flexibility to the implementing agency in promulgating its rules or regulations. As noted above, industry self-regulatory programs would continue to play an essential role under such a statutory structure, as they have in other contexts. The Commission hopes and expects that industry and consumers would participate actively in developing regulations under the new legislation and that industry would continue its self-regulatory initiatives. The Commission also recognizes that effective and widely-adopted seal programs could be an important component of that effort. For all of these reasons, the Commission believes that its proposed legislation, in conjunction with self-regulation, will ensure important protections for consumer privacy at a critical time in the development of the online marketplace. Without such protections, electronic commerce will not reach its full potential and consumers will not gain the confidence they need in order to participate fully in the electronic marketplace.
Although related, and often combined, there are distinct differences between privacy and security concerns. In 2001, KPMG, LLP released a whitepaper on privacy20 with the following statement: Privacy is defined as the protection of the collection, storage, processing, dissemination, and destruction of personal information. “Personal information is defined as any information relating to an identified or identifiable individual [or institution, in some cases]. Such information includes, but is not limited to, the customer’s name, address, telephone number, social security/insurance or other government identification numbers, employer, credit card numbers, personal or family financial information, personal or family medical infor-
44
PRIVACY INITIATIVES
mation, employment history, history of purchases or other transactions, credit records, and similar information. Sensitive information is defined as personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sexual preferences, or information related to offenses or criminal convictions.” Security, on the other hand, focuses on ensuring that information is conveyed where it is intended, as it is intended. An information systems security architecture enables information and transactions to stay private. An organization can have security without privacy, but privacy is impossible without security.
The whitepaper concluded that a review of privacy risk management provides organizations with an opportunity to build their perceived value with customers by communicating their privacy policies. If appropriate information is disclosed, a covenant of trust may be created that leads to a competitive advantage. Companies that limit their review of privacy practices to comply with legislation and regulations may not be proactive enough. More importantly, these companies may be neglecting an opportunity to use their privacy practices as a tool for building customer relationships. An example of a current debate that involves privacy and security is the call for a national ID system. Proponents of the system argue that a national ID would make it difficult for terrorists to move undetected in the United States, protecting the country and citizens. Opponents believe that a national ID would open the door for abuses of confidentiality and privacy. There has been some discussion about using driver’s license information to develop a national database that supports biometrics to ensure validity. The use of a biometric device would be extremely costly and difficult to implement; however, it may be needed to provide the required validation. However, it was disclosed in an audit that California issues 100,000 fraudulent licenses a year even though California has been collecting thumbprints from license applicants for over 20 years.21 The debate of security versus privacy will continue as long as we continue to have security breaches and privacy scandals. In all likelihood, public opinion will sway in concurrence with the publication of security breaches or privacy scandals.
SECURITY There is a close relationship between privacy and security in the electronic age. One may say that you can’t ensure privacy unless security issues have been adequately addressed. This section presents an overview of some challenges faced by the security community. There are five basic security goals: availability, authentication and identification, confidentiality, integrity, and non-repudiation. They are defined as follows: 1. Availability. Timely, reliable access to data and services for authorized users. This includes the restoration of services after an interruption. 2. Identification and authentication. Identification is the process an information system uses to recognize an entity. Authentication establishes the validity of a transmission, message, or originator, and verifies authorization for the user to receive specific categories of information. 3. Confidentiality. Assurance that information is not disclosed to unauthorized persons, processes, or devices.
SECURITY
45
4. Integrity. Protection against unauthorized modification or destruction of information. 5. Non-repudiation. Provides the sender with proof of delivery and the recipient with proof of the sender’s identity, so neither can later deny having processed the data. Since confidentiality is the primary privacy concern, emphasis will be placed on that issue. Confidentiality is becoming an increasingly significant issue for Web-based information services. In this context, meeting the goal of confidentiality entails ensuring that any information collected from the consumer in the course of a Web site visit is kept confidential. One situation where this security goal may be important is the case of medical information. For example, researchers may not mind if they are observed gathering data from a disease information Web site. However, individuals with the disease may be very interested in ensuring their anonymity. When information is read or copied by someone not authorized to do so, this constitutes a loss of confidentiality. A loss of confidentiality is particularly important with certain data such as research data, medical and insurance records, tax records, new product specifications, and corporate investment strategies. As mentioned previously, all of the specific measures taken to ensure confidentiality, privacy, and the proper use of information presume an adequate security program. Unfortunately, it appears that some organizations are focusing their efforts on the development of privacy statements and policies while forgoing the process of identifying and controlling the specific threats to information. Even if an organization attempts to develop processes to protect information, they may not have the personnel resources or expertise to adequately secure the information. In these cases, particularly for smaller organizations, they may need to rely on outside expertise to perform the security assessments. Security is a concern for both the public and private sector. Given the increased dependence that government agencies place on their electronic information systems, and the proliferation of non-secured networks, such as the Internet, adequate security is essential to citizen confidence and trust. In December 2000, the NECCC published a “Risk Assessment Guide to e-Commerce/e-Government.”22 The Guide identifies the following security risks: • • • • • • • •
Frauds such as identity theft occur. Proper authentication of parties may not exist. Denial of participation in transactions may occur. Threats exist such as viruses and hacker attacks. Access to data may be inappropriately granted or refused. Programs or data may be introduced, modified, or deleted without authorization. Sensitive information may be disclosed without authorization. System availability may be hampered.
Effective security management starts with defining our information assets and concludes with monitoring and audit: • Define assets. The process of defining “what” within the organization we need to protect • Risk analysis. The process of determining the value of the assets and the business impact of potential loss, manipulation, or compromise—included in this analysis is identification of potential vulnerabilities and threats • Policy and procedures. Policies define “what” needs to be controlled, whereas procedures define “how to” control the environment. Policies generally define the expected behav-
46
PRIVACY INITIATIVES
ior, while procedures provide the steps of implementation to ensure consistent application across the organization. • Security design. The process of designing the security infrastructure to ensure compliance with published security policies • Security administration. The process of administering various security policies in the area of access control and security configuration policies for hardware components • Audit and monitoring. The process that ensures compliance to security policy and procedures; monitoring can also include activities that detect unauthorized activities in a timely fashion through the review of current information such as daily log files.23 The General Accounting Office has continually identified security deficiencies through its audit process. In an effort to provide assistance to agencies to address these deficiencies, the GAO studied how other organizations were addressing these issues. The following information is excerpted from the “Executive Guide Information Security Management Learning From Leading Organizations.”24 Increased computer interconnectivity and the popularity of the Internet are offering organizations of all types unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information. However, the success of many of these efforts depends, in part, on an organization’s ability to protect the integrity, confidentiality, and availability of the data and systems it relies on. Deficiencies in federal information security are a growing concern. Audit reports have continued to identify widespread information security weaknesses that place critical federal operations and assets at risk. Although many factors contribute to these weaknesses, audits by GAO and Inspectors General have found that an underlying cause is poor security program management. To help identify solutions to this problem, the GAO studied organizations with superior security programs to identify management practices that could benefit federal agencies. This guide outlines the results of that study. It is intended to assist federal officials in strengthening their security programs, and we are pleased that it has been endorsed by the federal Chief Information Officers Council. This Guide illustrates how leading organizations are successfully addressing the challenges of fulfilling that goal. These organizations establish a central management focal point, promote awareness, link policies to business risks, and develop practical risk assessment procedures that link security to business needs. This latter point—the need to link security to business requirements—is particularly important, and is illustrated in a statement of a security manager quoted in the guide: “Because every control has some cost associated with it, every control needs a business reason to be put in place.” The GAO identified the following: Sixteen Practices Employed By Leading Organizations to Implement the Risk Management Cycle Assess Risk and Determine Needs • Recognize information resources as essential organizational assets • Develop practical risk assessment procedures that link security to business needs • Hold program and business managers accountable • Manage risk on a continuing basis Establish a Central Management Focal Point • Designate a central group to carry out key activities
SECURITY
47
• Provide the central group ready and independent access to senior executives • Designate dedicated funding and staff • Enhance staff professionalism and technical skills Implement Appropriate Policies and Related Controls • Link policies to business risks • Distinguish between policies and guidelines • Support policies through central security group Promote Awareness • Continually educate users and others on risks and related policies • Use attention-getting and user-friendly techniques Monitor and Evaluate Policy and Control Effectiveness • Monitor factors that affect risk and indicate security effectiveness • Use results to direct future efforts and hold managers accountable • Be alert to new monitoring tools and techniques
An example of an organization that is required to continually address privacy concerns and ensure that information is adequately secured is the Internal Revenue Service (IRS). The following text includes excerpts from a document titled, “Best Practices: Privacy, Internal Revenue Service Model Information Technology Privacy Impact Assessment.”25 As outlined in the text, the IRS is attempting to take a proactive approach by conducting privacy impact assessments in the systems development process to ensure that data is effectively controlled. Privacy and Systems Development Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of large computerized information systems on the privacy of data subjects. Public concerns about highly integrated information systems operated by the government make it imperative to commit to a positive and aggressive approach to protecting individual privacy. What Is a Privacy Impact Assessment? The Privacy Impact Assessment (PIA) has been instituted in order to ensure that the systems the IRS develops protect individuals’ privacy. The PIA incorporates privacy into the development life cycle so that all system development initiatives can appropriately consider privacy issues from the earliest stages of design. The Privacy Impact Assessment is a process used to evaluate privacy in information systems. The process is designed to guide system owners and developers in assessing privacy through the early stages of development. When Is a PIA Done? The PIA is to be initiated in the early stages of the development of a system and completed as part of the required System Life Cycle (SLC) reviews. Privacy must be considered when requirements are being analyzed and decisions are being made about data usage and system design. Who Completes the PIA? Both the system owner and system developers must work together to complete the PIA. System owners must address what data is to be used, how the data is to be used, and who will use the data. The system developers must address whether the implementation of the owner’s requirements presents any threats to privacy.
48
PRIVACY INITIATIVES
What Systems Have to Complete a PIA? New systems, systems under development, or systems undergoing major modifications are required to complete a PIA. The Privacy Advocate does reserve the right to request that a PIA be completed on any system that may have privacy risks. More specifically: • New systems and systems under development or undergoing major modifications are required to complete a PIA. • Legacy systems, as they exist today, do not have to complete a PIA. However, if the automation or upgrading of these systems puts the data at risk, a PIA may be requested by the Privacy Advocate. • Currently operational systems are not required to complete a PIA. However, if privacy is a concern for a system the Privacy Advocate can request that a PIA be completed. If a potential problem is identified concerning a currently operational system, the Service will use best, or all reasonable, efforts to remedy the problem. Information and Privacy To fulfill the commitment of the IRS to protect taxpayer data, several issues must be addressed with respect to privacy. The use of information must be controlled. Information may be used only for a necessary and lawful purpose. Individuals must be informed in writing of the principal purpose and routine uses of the information being collected from them. Information collected for a particular purpose should not be used for another purpose without the data subject’s consent unless such other uses are specifically authorized or mandated by law. Any information used must be sufficiently accurate, relevant, timely, and complete to assure fair treatment of the individual. Given the availability of vast amounts of stored information and the expanded capabilities of information systems to process the information, it is foreseeable that there will be increased requests, from both inside and outside the IRS, to share that information. With the potential expanded uses of data in automated systems, it is important to remember that information can only be used for the purpose for which it was collected unless other uses are specifically authorized or mandated by law. If the data is to be used for other purposes, then the public must be provided notice of those other uses. These procedures do not in themselves create any legal rights, but are intended to express the full and sincere commitment of the Service to the laws which protect taxpayer and employee privacy rights and which provide redress for violations of those rights. Data in the System The sources of the information in the system are an important privacy consideration if the data is gathered from other than IRS records. Information collected from non-IRS sources should be verified, to the extent practicable, for accuracy, that the information is current, and the information is complete. Access to the Data Who has access to the data in a system must be defined and documented. Users of the data can be individuals, other systems, and other agencies. Individuals who have access to the data can be system users, system administrators, system owners, managers, and developers. When individuals are granted access to a system, their access should be limited, where possible, to only that data needed to perform their assigned duties. If individuals are granted access to all of the data in a system, procedures need to be in place to deter and detect browsing and unauthorized access. Other systems are any programs or projects that interface with the system and have access to the data.
SECURITY
Attributes of the Data When requirements for the data to be used in the system are being determined, those requirements must include the privacy attributes of the data. The privacy attributes are derived from the legal requirements imposed by the Privacy Act of 1974. First, the data must be relevant and necessary to accomplish the purpose of the system. Second, the data must be complete, accurate, and timely. It is important to ensure the data has these privacy attributes in order to assure fairness to the individual in making decisions based on the data. Maintenance of Administrative Controls Automation of systems can lead to the consolidation of processes, data, and the controls in place to protect the data. When administrative controls are consolidated, they should be evaluated so that all necessary controls remain in place to the degree necessary to continue to control access to and use of the data. Data retention procedures should be documented. Data retention procedures require review to ensure they meet statutory and/or IRM requirements. Precise rules must be established for the length of time information is kept and for assuring that it is properly eliminated at the end of that time. The intended and potential monitoring capabilities of a system must be defined and safeguards must be installed to ensure the privacy of taxpayers and prevent unnecessary intrusion. The use of monitoring capabilities should be limited, at a minimum, to some judicially ascertainable standard of reasonableness in light of the statutory mission of the IRS and other authorized governmental users of the system. IRS Declaration of Privacy Principles The privacy principles set forth in this declaration are based on the ethical and legal obligations of the Internal Revenue Service to the taxpaying public and are the responsibility of all IRS employees to recognize and treat their office as a public trust. The obligation to protect taxpayer privacy and to safeguard the information taxpayers entrust to us is a fundamental part of the Service’s mission to administer the tax law fairly and efficiently. Taxpayers have the right to expect that the information they provide will be safeguarded and used only in accordance with law. In recognition of these obligations, policies and procedures must clearly state who should have access to what information and for what purposes. In addition, appropriate limitations must be placed on the collection, use, and dissemination of taxpayers’ personal and financial information and sufficient technological and administrative measures must be implemented to ensure the security of IRS data systems, processes, and facilities. All IRS employees are required to exhibit individual performance that reflects a commitment to dealing with every taxpayer fairly and honestly and to respect the taxpayers’ right to feel secure that their personal information is protected. To promote and maintain taxpayers’ confidence in the privacy, confidentiality, and security protections provided by the IRS, the Service will be guided by the following Privacy Principles: • Principle 1: Protecting taxpayer privacy and safeguarding confidential taxpayer information is a public trust. • Principle 2: No information will be collected or used with respect to taxpayers that is not necessary and relevant for tax administration and other legally mandated or authorized purposes. • Principle 3: Information will be collected, to the greatest extent practicable, directly from the taxpayer to whom it relates. • Principle 4: Information about taxpayers collected from third parties will be verified to the greatest extent practicable with the taxpayers themselves before action is taken against them.
49
50
PRIVACY INITIATIVES
• Principle 5: Personally identifiable taxpayer information will be used only for the purpose for which it was collected, unless other uses are specifically authorized or mandated by law. • Principle 6: Personally identifiable taxpayer information will be disposed of at the end of the retention period required by law or regulation. • Principle 7: Taxpayer information will be kept confidential and will not be discussed with, nor disclosed to, any person within or outside the IRS other than as authorized by law and in the performance of official duties. • Principle 8: Browsing, or any unauthorized access of taxpayer information by any IRS employee, constitutes a serious breach of the confidentiality of that information and will not be tolerated. • Principle 9: Requirements governing the accuracy, reliability, completeness, and timeliness of taxpayer information will be such as to ensure fair treatment of all taxpayers. • Principle 10: The privacy rights of taxpayers will be respected at all times and every taxpayer will be treated honestly, fairly, and respectfully. The Declaration does not, in itself, create any legal rights for taxpayers, but it is intended to express the full and sincere commitment of the Service and its employees to the laws which protect taxpayer privacy rights and which provide redress for violations of those rights.
NEW TECHNOLOGY One of the difficulties in ensuring privacy and using laws to protect it is the continual development of new privacy issues that result from technological advances. In the 1970s, nobody could have envisioned the far-reaching impact of the Internet on our economy, culture, or individual privacy. Today, new advancements in technology create new privacy concerns. Following are three examples illustrating technological advancements that will continually influence the privacy debate.
Facial Recognition This technology uses a camera system and debuted at the 2001 Superbowl in Tampa, Florida. It takes pictures and searches a database for matches. Some proposed uses include the identification of wanted criminals and potential terrorists. There are some major concerns regarding personal privacy and in its current state, the technology lacks the accuracy to be implemented on any large scale.
Carnivore or DCS 1000 An FBI-developed software program that monitors all of the network traffic of an Internet Service Provider (ISP). Although it has the capability to limit its monitoring to court-ordered surveillance activities, it is able to monitor all traffic. It is controversial due to its potential scope and its Web-browsing tracking capability.
ENDNOTES
51
Webcams We have all seen the cameras set in public places that display images on the Web. Initially a nice marketing tool to show the weather conditions and beautiful surroundings, there are now concerns about invasion of privacy, because people have not consented to their images being transmitted via the camera.
IMPACT OF SEPTEMBER 11 As with many issues, the “pendulum is continually swinging” between privacy and safety concerns. The events of September 11th swayed the pendulum toward safety concerns as America dealt with the tragic loss of life and property. There was swift movement to promote the use of any means possible to protect America from attack, even if it meant the loss of some privacy rights. For example, the FBI was developing a program called “Magic Lantern,” designed to capture keystrokes on target computers to get computer and encryption keys. In addition, the Justice Department was calling for increased use of electronic surveillance (including Internet tools) to identify suspected terrorists. As expected, civil liberty groups objected to these proposals. The “Patriot bill” (HR2975), signed into law on October 26, 2001, lets the United States arrest and charge a hacker, even if the hacker’s Internet traffic merely passes through U.S. computers. Since it is estimated that over 80 percent of Internet traffic passes through the United States, this bill could have far-reaching impact.26 Another current debate is the voluntary sharing of security threat information between the federal government and the private sector. Proposed legislation that would exempt this shared information from Freedom of Information Act disclosure is a necessary component to compel private sector companies to share information on security breaches. If there is the possibility that shared information could be used to “attack” private sector sites, information will not be shared. The Securities and Exchange Commission (SEC) is also considering mandating a disclosure of cyber-security readiness. The theory behind the disclosure is that secrecy is bad for security and business would enhance security if they had to disclose weak practices to stockholders.
SUMMARY As more and more “personal” information is maintained electronically, there will be concerns about the protection of individual rights to privacy. Although these same issues have been present for years, the vast reach of the Internet and the capability to disseminate information instantaneously exacerbates the situation. Although a great deal of legislation has been passed and more is proposed, the debate will continue until consumers believe that their “private” information is being maintained in an appropriate manner to ensure confidentiality.
ENDNOTES 1. FTC Chairman Timothy J. Muris, “Protecting Consumers’ Privacy: 2002 and Beyond,” Remarks at the Privacy 2001 Conference, Cleveland, Ohio, October 4, 2001. 2. OMB Memorandum 00–13, June 22, 2000.
52
PRIVACY INITIATIVES
3. Washington State, Digital Best Practices, Digital WA, Privacy Notice Information, http://digitalwa.statelib.wa.gov/newsite/privacy1.htm. 4. General Accounting Office, Internet Privacy: Implementation of Federal Guidance for Agency Use of “Cookies” (Washington, D.C.: GAO, 2000), GAO-01-424. 5. General Accounting Office, Internet Privacy: Comparison of Federal Agency Practices with FTC’s Fair Information Principles (Washington, D.C.: GAO, 2000), GAO/AIMD-00296R. 6. General Accounting Office, Internet Privacy: Agencies’ Efforts to Implement OMB’s Privacy Policy (Washington, D.C.: GAO, 2000), GAO/GGD-00-191. 7. OMB Memorandum 99-18, September 1, 1999. 8. National Electronic Commerce Coordinating Council (NECCC), “Privacy Policies—Are You Prepared? A Guidebook for State and Local Government,” December 2002. 9. Vaida, Bara, “Move to digital government sparks state privacy concerns,” National Journal’s Technology Daily (January 3, 2002) http://www.govexec.com/dailyfed/0102/010302td1.htm. 10. Privacy Policy Notice, State of Texas Web site, http://www.state.tx.us/Siteinfo/privpol.html. Accessed January 6, 2002. 11. Privacy Notice Information, State of Washington Web site, http://access.wa.gov/siteinfo/ pdpnotice.asp. Accessed January 6, 2002. 12. “Proposed Federal Privacy Would Override States,” Computerworld (October 22, 2001), 9. 13. “Casinos Hit Jackpot With Customer Data,” Computerworld (July 3, 2001), http:// www.computerworld.com. 14. Mearian, Lucas, “Sears to Build a Huge Storage Network for CRM,” Computerworld (January 24, 2002), http://www.computerworld.com. 15. “TOYSRUS.COM Pays $50K to Settle Privacy Case,” Security Wire Digest 4, no. 2 (January 10, 2002). 16. “Privacy Practices Are Worth Another Look,” InformationWeek.com (October 29, 2001), 83. 17. “Privacy Group Alleges Monster-ous Breach,” InformationWeek.com (September 10, 2001), http://www.informationweek.com/story/IWK20010907S0013. 18. Statement on Federal Trade Commission Web site, http://www.ftc.gov/privacy/index.html, Accessed January 19, 2002. 19. Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace, A Federal Trade Commission Report to Congress, May 2000. 20. A New Covenant With Stakeholders: Managing Privacy As A Competitive Advantage, KPMG, LLP, 2001, www.kpmg.com. 21. Rendleman, John, “Security vs. Privacy,” InformationWeek.com (January 14, 2002). 22. “Risk Assessment Guide to e-Commerce/e-Government,” National Electronic Commerce Coordinating Council, December 2000. 23. Farrar, William, “Security Awareness Starts in IT,” SANS Institute (September 10, 2001), http://rr.sans.org/aware/IT.php. 24. General Accounting Office, Executive Guide Information Security Management Learning From Leading Organizations, GAO/AIMD-98-68 Information Security Management, May 1999. 25. “Best Practices: Privacy, Internal Revenue Service Model Information Technology Privacy Impact Assessment,” recommended by the CIO Council Sub-Committee on Privacy, adopted: February 25, 2000, http://www.cio.gov. 26. “Antiterrorism Law Targets Hackers Around the World,” InformationWeek.com (December 3, 2001), 22.
3 PRIVACY ADVOCATES
Introduction Privacy Protection Personal Privacy Protection The “Mining” of Data, the Loss of Privacy Controlling Data Mining’s Dark Side Privacy and “Data about Data” Privacy Advocates Privacy Resources
INTRODUCTION People often think of privacy as a right. Unfortunately, the concept of a “right” is a problematical way to start, because a right seems to be some kind of absolute standard. What’s worse, it’s very easy to get confused between legal rights, on the one hand, and natural or moral rights, on the other. It turns out to be much more useful to think about privacy as one kind of thing (among many kinds of things) that people like to have lots of. Privacy is the interest that individuals have in sustaining a “personal space,” free from interference by other people and organizations. Drilling down to a deeper level, privacy is not a single interest, but rather has several dimensions: • Privacy of the person. Sometimes referred to as “bodily privacy,” this is concerned with the integrity of the individual’s body. Issues include compulsory immunization, blood transfusion without consent, compulsory provision of samples of body fluids and body tissue, and compulsory sterilization. • Privacy of personal behavior. This relates to all aspects of behavior, but especially to sensitive matters, such as sexual preferences and habits, political activities and religious practices, both in private and in public places. It includes what is sometimes referred to as “media privacy.” • Privacy of personal communications. Individuals claim an interest in being able to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organizations. This includes what is sometimes referred to as “interception privacy.” • Privacy of personal data. Individuals claim that data about themselves should not be automatically available to other individuals and organizations, and that, even where another party possesses data, the individual must be able to exercise a substantial degree 53
54
PRIVACY ADVOCATES
of control over that data and its use. This is sometimes referred to as “data privacy” or “information privacy.” With the close coupling that has occurred between computing and communications, particularly since the 1980s, the last two aspects have become closely linked. It is useful to use the term “information privacy” to refer to the combination of communications privacy and data privacy. An important implication of the definition of privacy as an interest is that it has to be balanced against many other, often-competing interests. For example: • The privacy interests of one person or category of people may conflict with some other interests of their own, and the two may have to be traded off (e.g., privacy against access to credit, or quality of health care). • The privacy interest of one person or category of people may conflict with the privacy interests of another person, or another category of people (e.g., health care information that is relevant to multiple members of a family). • The privacy interest of one person or category of people may conflict with other interests of another person, category of people, organization, or society as a whole (e.g., creditors, an insurer, and protection of the public against serious diseases). Privacy protection, therefore, is a process of finding appropriate balances between privacy and multiple competing interests. Because there are so many dimensions of the privacy interest, and so many competing interests, at so many levels of society, the formulation of detailed, operational rules about privacy protection is a difficult exercise. The most constructive approach is to:1 • • • •
Establish general principles. Apply the principles to all organizations. Create effective sanctions against noncompliance. Develop operational codes of practice consistent with the principles that apply to specific industry sectors and to particular applications of technology. • Establish dispute-resolution procedures at the levels of individual organizations and industry sectors. • Bind the framework together by making the principles, codes, and sanctions enforceable through quasi-judicial (tribunal) and court procedures.
PRIVACY PROTECTION We are all eager to see our privacy protected, and policies and procedures are all well and good, but who is really in charge and responsible for ensuring our privacy? Believe it or not, the one and ONLY one who can totally be relied upon to ensure your privacy is YOU! Each of us is totally and solely responsible for ensuring that our private information and lives are indeed kept private. But what can an individual do to help keep his or her private lives private, in a world growing increasingly dependent upon technology, wireless communications, and instantaneous connections to global services? All sorts of unsavory “operators” lurking behind every connection and in the dark corners of the Net lie in wait for the opportunity to obtain, collect, store, use, or sell information. Information that each of us leaves behind intentionally, accidentally, or unintentionally as we go
PERSONAL PRIVACY PROTECTION
55
about our lives in the virtual communities of the 21st century. Many individuals are oblivious to the types and amounts of personal data they leave behind or what is available on-line about them and their activities. Victims of home invasions and burglaries have reported a sense of feeling “violated” upon returning to their home to find that someone has broken into their sanctuary, breached their “safe haven.” The same can be said about individuals who have had their privacy invaded, breached or “stolen.” Ask anyone you know who has either personally or knows of a family member who has been the victim of identity theft. The sad difference, however, is that if you are a victim of a burglary, you unfortunately know it immediately upon discovering the evidence of a break-in. Not so, however, if an unsavory individual collects, steals, or unlawfully obtains your personal information from an on-line source or by other not-so-legal means. You may not know that your private life (and all of your subsequent/relative and associative personal data) has been exposed and is available to hordes of unsavory individuals, until it is far too late. There are very real reasons to be both concerned and cautious about your movements both on- and off-line! These issues should not be taken lightly or ignored. There are a variety of tools, both soft- and hardware based, organizations, and techniques available to individuals and designed to assist in protecting one’s privacy. The following pages provide the reader with further insight and explanation of the many ways to protect individual privacy as well as identify organizations that assist in the quest for privacy.
PERSONAL PRIVACY PROTECTION Protecting consumer privacy is becoming increasingly critical, and is laying the foundation for Web-based marketing strategies. In what has become a trend among large, profitable Internet companies, Yahoo announced (April 2002) that it was resetting consumer privacy preferences so that they could market their personal information, including selling telephone numbers and e-mail addresses to telemarketers and other marketing firms. Consumers would have 60 days to overturn Yahoo’s preferences. There was widespread protest from consumers regarding this change. Consider the negative consumer response (and ultimate financial backlash) created by the following examples: • DoubleClick Inc. (www.doubleclick.com) announced (April 2002) that it would pay $1.8 million and implement consumer protections to settle several class-action lawsuits alleging that the company violated privacy laws by collecting information on Internet users. As part of the settlement, the New York-based Internet advertising company agreed that it would no longer combine personal information about computer users with data on their Internet use that could be used to market to individual consumers. DoubleClick also agreed to give consumers clear notice and choice of any data-collection practices within its privacy policy. The settlement also required DoubleClick to obtain permission from consumers before combining any personally identifiable data with Web-surfing history.2 • Toysrus.com (Summer 2001) was hit with several class-action lawsuits that charged the company with violating its privacy policy by sending personal information collected from on-line shoppers to Coremetrics Inc., a San Francisco–based company that provides data analysis services.3
56
PRIVACY ADVOCATES
• Kaiser Permanente, (www.kaiserpermanente.org), one of the largest health insurers, accidentally compromised the confidentiality of members who used its Web site by sending 858 e-mail messages to the wrong Kaiser members (August 2000). Some of the e-mails contained health information deemed “sensitive.” Some of the mis-sent messages contained the full names, home phone numbers, and medical account numbers of the Kaiser members. In total, 19 Kaiser customers received e-mails intended for others. Kaiser officials cited “human error” and a “technological glitch” that occurred during a Web site upgrade.4 • The State of Minnesota sued U.S. Bank (May 2000), alleging that the bank disclosed the names, phone numbers, social security numbers, account balances, and credit limits of almost one million of its customers after telling its customers that “all personal information you supply to us will be considered confidential.” The bank settled the case by agreeing not to disclose private information to non-affiliated third parties for purposes of marketing non-financial products and services. As a result, U.S. Bank is now ahead of many of the large national banks for respecting customer privacy. Unfortunately, a multitude of financial institutions throughout the country continue to violate their customers’ trust by disclosing private information with outside telemarketers. What is even more unfortunate is that the recently-enacted federal Gramm-Leach-Bliley legislation does nothing but encourage this sort of activity.5 • Lexis-Nexis (www.lexis-nexis.com) in 1996 released a service called P-Trak Personal Locator containing information on about 300 million people, including telephone numbers, addresses, and social security numbers. The company was flooded with e-mail requests from consumers requesting their information be removed from the database. Lexis-Nexis complied, removing social security numbers from the database.6 • In 1995, Metromail Corporation (www.metromail.com), a subsidiary of the R. R. Donnelly and Sons, Co., involved in direct mailing, created a database of information detailing the hobbies, addresses, preferences, and health of 1.3 million children in California. Public outcry and negative reaction/publicity over the potential for pedophiles using the database to target children forced Metromail’s chairman and CEO to retire and R. R. Donnelly to relinquish control of Metromail when it went public in 1996 (Bresnahan, 1997).7 • In 1990, Lotus Development Corporation (www.lotus.com) developed and sold a CDROM-based product called Marketplace. The product contained individual names, addresses, and phone numbers. After receiving nearly 800 phone calls per day from consumers reacting negatively to the ease at which their personal data could be accessed, Lotus sold off the product in 1991.8 • Microsoft Corporation’s (www.microsoft.com) use of “stealth software” caused consumers to rally against the software giant. The software code embedded in the company’s Windows 95 on-line registration wizard inventoried users’ PCs and all major software products running on their systems. In the face of negative customer reaction this automatic collecting of information about customers’ systems, without their knowledge or permission, was abandoned by Microsoft.9 • CVS Pharmacy and Giant Food supermarket chains hit the front pages of most business (and local) publications when they were discovered selling medical information gleaned from prescriptions to Elensys, a marketing company. Elensys used the data to market other drugs for the same conditions.10 • The Vons chain of supermarkets in Los Angeles felt the heat of unwanted public spotlight when the organization allegedly used data contained in its storecard database to under-
THE “MINING” OF DATA, THE LOSS OF PRIVACY
57
mine a damages claim from a shopper. The shopper claimed that he slipped on spilt yogurt in the store, shattering his kneecap, but said that when he filed a suit for damages, he was advised by the store’s mediator that his club card records showed him to be a frequent buyer of alcohol.11 The rub here is that much of the data drawn together for these databases/products is publicly available. Yet it is in separate locations and not compiled into a nice, easy-to-access, electronically packaged CD-ROM. Calming consumer fears over the access, use, and distribution of these data will continue to be an organization’s greatest ongoing challenge in the emerging field of virtual marketplaces.12
THE “MINING” OF DATA, THE LOSS OF PRIVACY The increasing prevalence of the Internet and the rise of e-commerce have led to a massive boom in data collection during the past couple of years. Companies are frantically amassing extensive databases of customer data, sometimes through clandestine means, in a bid to realize the utopia of close customer relationships and one-to-one marketing. But while a data warehouse can be a highly potent marketing tool, it is also vulnerable to abuse if the data it contains is used in an inappropriate way or sold to disreputable sources. Unless companies can prove that they have the will to stem the data deluge, the dream of forging ever-closer customer relationships could easily be snuffed out.13 A few tools currently available go beyond basic retrieval and organization of data and straight into the realm of analysis. These tools not only pull information together, but can discover relationships and display them together in graphs and maps. Many of these tools can handle freely formatted questions, making their use easier and accessible to a broader audience.14 Data mining can be valuable for a variety of business purposes, including direct marketing and determining creditworthiness. It may be used, for example, to identify individuals who are most likely to buy a product or respond to a vendor’s offer. Data mining may also be used in credit scoring; in identifying patterns in criminal behavior (for example, determining how many murders involve strangers versus relatives); and in finding patterns in medical histories, thereby identifying groups at higher risk for certain diseases. It is also a powerful tool for scientific research. Sounds like a pretty useful technology, so what’s the problem? The problem is the potential for ethical abuses of information. Data mining is beginning to raise some ethical concerns, most of which have to do with privacy.15 Using “cookies” for example, companies can employ “click-stream” monitoring—the page-by-page tracking of people as they weave their way through the Web, signposting their interests and tastes. By combining that click-stream analysis with collaborative filtering software, they can then make educated inferences about customer likes and dislikes by comparing a user profile with others in the database. The result is a potent marketing tool—and one open to obvious abuse if that data is used in an inappropriate way or sold to disreputable sources.16 If polled, most citizens would hold to the belief that they have the right to be informed about the identity of organizations intending to collect and/or process data about them and the primary reason(s) for such collection and processing. We as citizens also believe that we have the right to access such data, to know where it originated, to have inaccurate data rectified, and to withhold permission to use data in certain circumstances. Data mining appears to violate this
58
PRIVACY ADVOCATES
principle, since the purpose of this technology is to glean new information from data collected for a different purpose. People think they are giving out one kind of information for a specific use, but data-mining tools combine it with other data to come up with completely new information that is intended to be used for a completely different purpose. In addition to this loss of control over information, two other important concerns have been expressed about data mining. The first has to do with the use of categories and stereotypes that can result from data mining. The second has to do with creating a surveillance society. Data mining can examine patterns of behavior in groups, which can be useful for marketing purposes. However, individuals are sometimes grouped into sensitive categories. For example, data mining can reveal the correlation between, say, individual buying habits and ethnic background, gender, or age. Even when the correlation is accurate, use of these categories tends to reinforce stereotypes—the very thing our society is trying to counteract with its laws and policies against racial, gender, and age discrimination. The other aspect of data mining that concerns people is that it is part of a trend toward more surveillance. Americans have always been wary of the government collecting information about them.17
CONTROLLING DATA MINING’S DARK SIDE Dr. Deborah G. Johnson, Professor of Philosophy at the School of Public Policy at the Georgia Institute of Technology in Atlanta, and author of Computer Ethics, recommends that those responsible for computer policy, data management, audit, security, and legal issues within their organizations review the following with respect to corporate data-mining practices: • The first thing to do is find out what data is being mined in your company and how it is being used. The area you should check most thoroughly is sensitive data. • Find out if your company is using any type of information (in a manner not originally conveyed to the customers) that your customers would be shocked or angered to learn about. • What kinds of patterns and correlations are being sought? Pay particular attention to how race, gender, and age are being used. • Would any of these uses make your company susceptible to a discrimination lawsuit? • Would any of the labels being used embarrass your firm if revealed to the public? • How is the data being mined originally obtained? • What were the circumstances under which the original data was collected? • Do customers and other concerned parties know how the data you collected from them is being used? • To ensure compliance, your company should have clear, comprehensive data collection and privacy policies that are distributed to employees and made available to customers and others affected by those policies. • Finally, a good test is to ask yourself how you would feel if information about you or your family were being used in your enterprise’s data-mining activities. Would you be comfortable with the categories being used and the information being uncovered? If the answer is no, then it’s time to re-think your company’s policies on data mining.18
PRIVACY AND “DATA ABOUT DATA”
59
PRIVACY AND “DATA ABOUT DATA” The most common definition of the term “metadata” is data about data—information that describes other information. A typical Web server captures information every time it serves a page, but basic data about individual visitors is pretty sparse. What information is left behind is typically a user’s browser version, OS, domain, and IP address. If your organization has implemented cookies and the user has not deactivated them in his/her browser, you will receive the cookie values. A common cookie that many applications use is the globally unique identifier (GUID). The best way to identify visitors is to require authenticated login to the site. The problem, of course, is that people are suspicious of providing information, and many may provide false information. When visitors are identified, the first piece of information you will want to determine is, exactly what are they doing when they reach your site? For every page served by your Web server, logs can provide the page URL, referrer URL, time stamp of the request, server response code, and number of bytes transferred. Web servers also log information about banner ads, including impressions (the number of times that an advertisement is shown) and click throughs (the number of times a banner link is followed). If you implement tools that gather data from server middleware, you may be able to track additional information such as transaction time. You won’t receive notification about hits to your site when they’re served by a proxy cache that’s local to the visitor.19 So, this all sounds technical and not too threatening, especially to my privacy, you say. Knowing what types of data can be gleaned from a simple Web session, let us look at what can be done with that data. The devil is in the details, as the saying goes, and the analysis of these details can raise some interesting questions, such as: • • • • • • • • • • •
How many distinct people visit my Web site? How often do they visit? From what sites do they come? What browser do they use? Where do they visit within my site once they are “in”? What’s the last page they see? How many ads do visitors see and click through? What paths and with what frequency do visitors follow through my site? Have use patterns changed since we last revamped our site? Which content areas received more traffic prior to the restructuring, post-restructuring? How many individual and unique pages do visitors examine while at my site?
On the surface, there is nothing immediately wrong with compiling this data; in fact it is probably very useful to an organization in its attempts to be more customer-focused and more competitive. Things turn ugly, however, when the technology and all it has to offer blinds the organization, and clouds management’s decisions as to the ethical use of this data. Web privacy has become a hot-button topic for politicians and consumer advocates— and there you are, collecting a lot of private customer information, without asking or telling. Customer data can go stale, and a lot of rotting information could really stink up your company’s on-line marketing efforts. It gets worse. The data that organizations are stockpiling
60
PRIVACY ADVOCATES
and not using is marketing data—a snapshot of customer whims in narrow slices of time. But those snapshots may not remain valid. Customers change—their minds, their buying habits, and their preferences. Six months from now, a customer may decide she hates the product she’s raving about today. Another customer may lose interest in whatever fad compelled him to buy an item in the first place. That means your stale data may not just be useless once you finally tap it. It may also irritate customers if you try pushing their no-longer favorites on them, or even drive them away. What data stays, what data goes? How will the data be used, and by whom? Who will control access to the data? When will the data be purged? Answers to these and many more questions need to be answered by management. You’ve got to get serious answers from your marketing department about plans for using customer data internally. Do they want to mine the data off-line, or use it for one-to-one marketing in real time? There are technical issues, budget issues, strategic issues. The decisions are hard. But they’ve got to be made soon. Do you have an Internet privacy and data-use policy? Is it published? Should it be? That’s your legal department’s bailiwick. Make sure they understand that both Congress and the Commerce Department are geared up for enforcement of Web privacy regulations. They need to act now. And if your company plans to sell or swap customer data with anyone else, that decision must be kicked way upstairs. That’s a corporate policy issue, and management must sign off on it. There are many risks associated with this policy decision, and management must be made aware of these risks.20 Knowing how to protect one’s privacy is a skill not to be underrated nor taken lightly. Be ever-vigilant and always question to whom and why you are disclosing personal (or corporate) information. What once has been disclosed is impossible to conceal. Where does one turn, though, for assistance when all prudent efforts fail and the privacy, which we all hold dear, has been threatened or worse, taken away? The following pages identify and highlight groups, organizations, and associations whose passion is the advocacy of privacy rights. Be those the rights of individuals or organizations. Within the law, every person, every corporate entity, has the right to ensure that its private information is maintained as private. The following information will help the reader achieve this goal.
PRIVACY ADVOCATES It has become a common practice for data to be collected from Web site visitors. Some companies take it a step further and create agreements with sites allowing them to gather visitor demographics and track user activity without the visitor’s knowledge. Keeping track of who these third parties are and what their privacy obligations are in relation to the customer data they collect is one segment of a growing concern about the potential demise of personal privacy.21 Given this increased concern and interest in their personal privacy, consumers and customers are beginning to ask serious and tough questions of companies about their practices regarding the protection of personal, private data. Companies that come up short or cannot adequately and fully respond to customer/client/consumer inquiries are likely to find themselves the focus of unwanted public scrutiny, disfavor, and possibly outright public anger, not to mention a potential target of a government investigation or stakeholder lawsuit. Addressing and protecting the privacy of end-user data has become (some say “finally”) a central issue for corporations today.
PRIVACY RESOURCES
61
In response to increasing concerns and possibly even increasing corporate awareness of potentially looming liability, proactive organizations have created a new senior executive position called “chief privacy officer” (CPO). As the chief privacy advocate for the organization, the CPO is expected to take a broad, long-range view of the organization’s objectives and how those objectives are to be achieved without compromising “corporate behavior.” The CPO’s advocacy is to ensure that the desire for short-term economic gains does not tarnish the long-term corporate profile and that the decisions made by the organization remain ethical and trustworthy for the long haul. Readers interested in learning more about the essential skills and qualities of a CPO, and exactly “what” a CPO is, should read the “Pulse Piece” written by Herman Collins of Privacy Leaders, which appears later in this book. In today’s marketplace and tomorrow’s emerging virtual markets and communities, an organization’s most valuable asset may not be its intellectual capital, market presence, or its talented employees; it may not even be physical or tangible. An organization’s most valuable asset may simply be trust—the trust that it generates and which is held by its customers, clients, stakeholders, and the industry in general. Critical, not only for CPOs but for organizations in general, will be to formulate a strategy to answer the pivotal question, “How do we establish trust in the markets of the twenty-first century?” Readers interested in seeking the answer to this question are referred to the following book: Establishing Trust in Virtual Markets by Albert Marcella. The concept of privacy, to a large degree, is culturally determined. There are aspects of life that a person is prepared to publish widely and still other aspects that a person is not prepared to share at all. The boundaries between these, however, vary among societies and change over time.22 How your organization is prepared to function in the consumer-aware, privacyconscious world of the twenty-first century could be a very defining factor in your organization’s ability to survive and prosper in the twenty-first century. As IBM chairman and CEO, Lou Gerstner stated, “At its core, privacy is not a technology issue, it is a policy issue. The policy framework that is needed here must involve the information technology industry, the private sector in general, and public officials.” Following is an abridged list of privacy advocate organizations, agencies, and associations. Readers interested in learning more about any single organization need simply use the URL included with each entry. Almost every association, organization, and agency identified by the authors has a companion Web site. In an effort to provide the reader with as much value-added information and insight into privacy and those who strive to protect it, the reader is directed to Appendix U on this text’s companion Web site (www.wiley.com/go/privacy), which contains an additional and more extensive listing of privacy advocates and their contact information.
PRIVACY RESOURCES On-line Privacy Oversight Programs TRUSTe (www.truste.org)
This is the leading on-line privacy “seal” program. The TRUSTe Web site offers the latest advice and information about on-line privacy. The TRUSTe Privacy Seal, or “Trustmark” program, awards seals to responsible Web sites that meet stringent privacy policy requirements and
62
PRIVACY ADVOCATES
enforcement criteria. Licensed Web sites are required to post privacy statements that give full disclosure, meaningful choice, reasonable access, and security.23 CPA WEBTRUST (www.cpawebtrust.org)
Here, CPA firms verify security systems of participating Web sites every 90 days and award icons of approval.
Advocacy Organizations American Civil Liberties Union (ACLU) (www.aclu.org)
The American Civil Liberties Union advocates individual rights by litigating, legislating, and educating the public on a broad array of issues affecting individual freedom in the United States. They are a founding member of the Global Internet Liberty Campaign (GILC), an international coalition of organizations dedicated to protecting freedom of speech and the right to privacy in cyberspace. Their Web site provides useful tips and tools for consumers. Consumer @ction (www.consumer-action.org)
Consumer Action is a non-profit, membership-based organization that was founded in San Francisco in 1971. Throughout its 32 years, Consumer Action has continued to serve consumers nationwide by advancing consumer rights, referring consumers to complaint-handling agencies through its free hotline, publishing multilingual educational materials, and advocating for consumers in the media and before lawmakers. Computer Professionals for Social Responsibility (CPSR) (www.cpsr.org)
This is a national membership organization of people concerned about the impact of technology on society. CPSR sponsors an annual conference, maintains numerous mailing lists on computer-related issues and a large Internet site of information, and publishes a quarterly newsletter. It has 24 local chapters across the United States and several international affiliates. CPSR sponsors working groups on civil liberties, working in the computer industry, and others. Contact: PO Box 717, Palo Alto, CA 94302; Tel: (650) 322-3778; Fax: (650) 322-4748 Consumer Project on Technology (CPT) (www.cptech.org)
The CPT was created by Ralph Nader in 1995 to focus on a variety of issues including telecommunications regulation; pricing of ISDN services; fair use under the copyright law; issues relating to the pricing, ownership, and development of pharmaceutical drugs; and the impact of technology on personal privacy. The CPT is currently focusing on intellectual property rights, health care, and electronic commerce ad competition policy. Contact: Box 19367, Washington, DC 20036; Tel: (202) 387-8030; Fax: (202) 234-5176 Center for Democracy and Technology (CDT) (www.cdt.org)
The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media. CDT also offers its “Operation Opt-Out,” which allows users to easily generate form letters to take themselves out of mailing lists.
PRIVACY RESOURCES
63
Electronic Privacy Information Center (EPIC) (www.epic.org)
This nonprofit organization was established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. On the Web site, consumers can subscribe to the EPIC Alert newsletter and get the history behind the government regulation debate. Electronic Frontier Foundation (EFF) (www.eff.org)
This nonprofit organization works to guarantee that all civil liberties are protected on the Internet and in all digital communication arenas. EFF provides a free telephone hotline for questions regarding legal rights, and will answer your technical (e.g., “How do I connect to the Internet?”) and legal (e.g., “Does my boss have the right to read my e-mail?”) questions via telephone, snail mail, or e-mail. Cypherpunks (ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html)
This informal group develops technological solutions to protect privacy. The Cypherpunks write cryptography and other programs, set up anonymous remailers, and discuss political and technical issues. Meetings are also regularly held in California and other states. E-mail:
[email protected] National Fraud Information Center (NFIC) (www.fraud.org)
This is a nationwide toll-free hotline for advice on telephone solicitations and how to report telemarketing fraud. The Internet Fraud Watch section provides tips, articles, bulletins, and other information on how to avoid fraud, protect your privacy, and surf the Internet safely and enjoyably. Privacy Rights Clearinghouse (PRC) (www.privacyrights.org)
PRC publications give you in-depth information on a broad range of privacy issues. Included is a section on identity theft resources. Privacy International (PI) (www.privacyinternational.org)
An international human rights group based in London, England, Privacy International has offices in Washington, DC, and Sydney, Australia. With members in over 40 countries, PI has led campaigns against national ID cards, video surveillance, and other privacy violations in numerous countries including Australia, New Zealand, the United Kingdom, and the Philippines. PI sponsors yearly international conferences on privacy issues. Contact: Privacy International, 1718 Connecticut Avenue, NW, Suite 200, Washington, DC 20009; E-mail:
[email protected] U.S. Privacy Council (USPC)
This coalition of U.S. privacy groups and individuals was founded in 1991 to deal with privacy issues in the United States. USPC works in Washington monitoring legislation and the activities of government agencies. USPC works closely with other groups on privacy issues, including national ID cards, reforming credit reporting, caller ID, and international issues. E-mail:
[email protected]; Tel: (202) 829-3660 U.S. Public Interest Research Group (PIRG) (www.pirg.org)
The State Public Interest Research Groups (PIRGs) are non-profit, non-partisan consumer and environmental watchdog groups. They advocate for better consumer privacy laws, preventing identity theft, and correcting credit reports. Fact sheets and reports are available on the Web. For
64
PRIVACY ADVOCATES
general information, E-mail:
[email protected]; Tel: 1-800-838-6554. To contact DC Office (U.S. PIRG), E-mail:
[email protected]; Tel: (202) 546-9707; Fax: (202) 546-2461; Contact: 218 D Street, SE, Washington, DC 20003
Business Watch Organizations Better Business Bureau (BBB) (www.bbb.org)
BBBOnLine is an authenticated and verified “seal” program that helps consumers find reliable companies that pledge to meet tough advertising and dispute-settlement standards, including responsible advertising to children.
Credit Reports and Credit Cards Equifax (www.equifax.com)
Equifax is one of the three major national credit-reporting agencies. You can order a copy of your credit report on-line or off, read fraud FAQs, and find out how to report credit card misuse or remove your name from pre-approved credit-card-offer mailing lists. Experian (formerly TRW) (www.experian.com)
Experian is one of the three major national credit-reporting agencies. You can order a copy of your credit report on-line or off, and find out how to report credit card misuse or remove your name from pre-approved credit-card-offer mailing lists. They also offer a comprehensive look at direct-mail marketing. Federal Trade Commission’s Sample Opt-Out Letter (www.ftc.gov/privacy/cred-ltr.htm)
This is a downloadable form that speaks to the three national credit-reporting agencies (Equifax, Experian, and Trans Union). Use it to request that your personal credit report information not be shared with third parties. Trans Union Corporation (www.tuc.com)
Trans Union Corporation is one of the three major national credit-reporting agencies. You can order a copy of your credit report on-line or off, and find out how to report credit card misuse or remove your name from pre-approved credit-card-offer mailing lists. Their Fraud Victim page has information on credit card scams and the Marketing List Opt-Out section tells you how to delete your name from junk mail lists.
Fraud and Identity Theft Internet Fraud Watch (www.fraud.org)
A special branch of the National Fraud Information Center Web site, Internet Fraud provides tips, articles, bulletins, and information on how to avoid fraud, protect your privacy, and surf the Internet safely and enjoyably.
PRIVACY RESOURCES
65
Hotlines Call for Action (www.callforaction.org)
This international network of free consumer hotlines assists in resolving and mediating consumer fraud and privacy disputes.
Junk E-mail Junkbusters (www.junkbusters.com)
Their mission is to “free the world from junk communications.” The site includes an array of information, resources, and publication links as well as actionable tips and on-line tools to help you rid yourself of junk e-mail, telemarketing calls, and other kinds of unwanted solicitations. Mailshell (www.mailshell.com)
This patent-pending technology acts as an e-mail address escrow service to prevent junk e-mail. Mailshell users can find and subscribe to more than 100,000 free services, easily manage commercial e-mail, and take control of unsolicited e-mail and spam. The company’s advanced filtering technology allows users to instantly and permanently stop any e-mail they do not want. In an effort to promote a sustainable infrastructure for commercial e-mail, Mailshell created and advocates ten “mailrights” designed to balance the needs of e-mail users and marketers. For more information, see www.mailshell.com/mail/client/visitortour.html/ step/rights. The Spamex Disposable E-mail Address (www.spamex.com)
This service allows users to identify the sources of and stop non-permission use (spam, UCE, UBE, etc.) of their e-mail addresses. The Service works by providing users with Disposable E-mail Addresses (“DEAs”) that forward e-mail to their real e-mail address. If non-permission use e-mail is received, the DEA that was used can be instantly identified and turned off.
Opting Out Direct Marketing Association (DMA) (www.the-dma.org)
DMA offers information on on-line marketing protections and advice on getting rid of unsolicited commercial e-mail. The consumer section tells you how to delete your name from e-mail marketing lists and includes downloadable forms. A peer review process acts on consumer complaints about DMA members and non-members. Operation Opt-Out (www.opt-out.cdt.org)
An initiative launched by the Center for Democracy and Technology, Operation Opt-Out offers downloadable opt out forms, links to companies that allow you to opt out on-line, and an overview of specific business practices such as those of portals and on-line profilers.
66
PRIVACY ADVOCATES
Parents and Children America Links Up (www.americalinksup.org)
This public awareness and education campaign is sponsored by a broad-based coalition of nonprofits, education groups, and corporations concerned with providing children with a safe and rewarding experience on-line. This site contains a number of valuable resources for parents and kids, and offers a way for individuals and groups to get involved nationwide by planning or attending teach-ins. Center for Media Education (CME) (www.cme.org)
This non-profit organization is dedicated to improving the quality of electronic media, especially on behalf of children and families. The Center for Media Education is involved in investigating the children’s on-line marketplace. Their Web site includes information about “Interactions: CME’s research initiative on children and new media.” Children’s Advertising Review Unit (CARU) (www.bbb.org/advertising/childrensmonitor.asp)
A unit of the Council of Better Business Bureaus, CARU was the first organization to develop self-regulatory guidelines for businesses advertising to children on-line. Intended to provide voluntary standards for the protection of children under the age of 12, CARU’s guidelines include the disclosure of what information is being collected and its intended uses, and the opportunity for the consumer to withhold consent for information collection for marketing purposes. The Federal Trade Commission’s Kidz Privacy Site (www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html)
An educational Web site produced by the FTC surrounding the enactment of the Children’s Online Privacy Protection Act, this site offers guidance to parents and children, as well as Web site operators, on the dos and don’ts of children’s on-line privacy. GetNetWise (www.getnetwise.org)
GetNetWise is a resource for families and caregivers to help kids have safe, educational, and entertaining on-line experiences. The Web site includes a glossary of Internet terms, a guide to on-line safety, directions for reporting on-line trouble, a directory of on-line safety tools, and a listing of great sites for kids to visit. Media Awareness Network (www.media-awareness.ca)
Media Awareness Network is a Canadian-based on-line resource for media and Web literacy. MNet provides industry on-line privacy information for parents, educators, and youth. Privacy Playground, an interactive children’s game on safe surfing, is available at the Web site. Online Public Education Network (Project OPEN) (www.internetalliance.org/projectopen/about.html )
Founded in 1996 as a partnership of the Internet Alliance, the National Consumers League, and leading Internet companies, Project OPEN helps consumers get the most out of going on-line. Two guides, “How to Get the Most Out of Going Online” and “Child Safety on the Information Highway,” are particularly helpful for on-line novices with specific tips about parental empowerment.
PRIVACY RESOURCES
67
Wired Kids (www.wiredkids.org)
This is the official North American site of UNESCO’s Innocence in Danger program. The site is under the direction of Internet lawyer and children’s advocate Parry Aftab. The site’s mission is to allow children to enjoy the vast benefits of the Internet while at the same time protecting them from cyber-criminals. The Web site will soon host a parent registry, allowing for quickly accessible verifiable parental consent. CyberAngels (www.cyberangels.org)
CyberAngels describes itself as “your cyber-neighborhood watch.” The organization finds and reports illegal material on-line, educates families about on-line safety, works with schools and libraries, and shares basic Internet tips and help resources. While CyberAngels does not advocate censorship or regulation of the Internet, the organization does support the COPPA rules.
Government Resources Federal Trade Commission (FTC) (www.ftc.gov)
The FTC provides a wealth of information on current privacy legislation and related government news. Several sections of the site are especially relevant to on-line users. On-line Category of Publications Consumer and Business Education (www.ftc.gov/privacy/ con-ed.htm)
This is a list of FTC publications that address personal information collection, on-line activities, and other consumer protection issues. National Telecommunications & Information Administration (NTIA) (www.ntia.doc.gov)
An agency of the U.S. Department of Commerce, this is a primary source for domestic and international telecommunications and information technology issues, including the scoop on federal Privacy Protection Acts. Includes a listing of links to a range of privacy-related institutions and organizations. U.S. Consumer Gateway (www.consumer.gov)
A “one-stop” consumer site for a wide variety of federal information resources on-line, arranged by category such as product safety, food, health, and money. An FTC-sponsored section is devoted to privacy, with guidance on how to prohibit companies from using your credit records for direct marketing and removing your name from direct-mail and telemarketing lists.
Trade Organizations Association for Interactive Media (AIM) (www.interactivehq.org)
AIM is the non-profit trade association for business users of the Internet. Its members are companies that are committed to maximizing the value of the Net to businesses and consumers. AIM’s mission centers on three important areas: defending the industry in Washington, promoting consumer confidence, and providing business-to-business networking opportunities.
68
PRIVACY ADVOCATES
Online Privacy Alliance (www.privacyalliance.org)
The Online Privacy Alliance is a diverse group of corporations and associations who have come together to introduce and promote business-wide actions that create an environment of trust and foster the protection of individuals’ privacy on-line. NetCoalition (www.netcoalition.com)
NetCoalition brings together many of the world’s leading Internet companies and serves as a unified public policy voice on Internet issues. NetCoalition is committed to building user confidence in the Internet through responsible market-driven policies; preserving the open and competitive environment that has allowed the Internet to flourish; and ensuring the continued vitality of the Internet through active dialogue with policymakers.
Privacy Enhancing Technologies (PETs) Privaseek (www.privaseek.com)
Founded in 1998, PrivaSeek designs, builds, and manages systems and services that bring businesses and consumers together in a mutually beneficial, permission-based environment. PrivaSeek’s primary technology, Persona&trade, is a control tool that enables consumers to automatically safeguard and gain value from the use of personal information. Persona acts as a buffer between consumers and Web sites, allowing users to decide which information can be shared. Persona also allows you to store that information for use on the Web safely and securely. Zero-Knowledge Systems (www.zeroknowledge.com)
Zero-Knowledge Systems designs tools and strategies to protect the privacy of Internet users in order to lay the foundations for trust and commerce between individuals and the companies, governments, and organizations they interact with on-line. Zero-Knowledge creates simple, easy-to-use software and services that integrate advanced mathematics, cryptography, and source code. The company’s Freedom software allows users to surf the Web anonymously and has been engineered so that no one, including Zero-Knowledge, can readily ascertain a Freedom user’s true identity or decrypt their communications. Hush Communications (www.hush.com)
Hush was founded to develop and distribute encryption technology over the Internet. Hush’s mission is to provide Internet users with secure Internet communications worldwide. HushMail.com and HushMail Private Label allow users to protect the privacy of their e-mail and Web site traffic. Lumeria (www.lumeria.com)
Lumeria’s technology allows people to organize, securely access, and selectively share their information from any personal electronic device or computer that is connected to the Net. Lumeria’s Personal Knowledge Management products help individuals securely organize their information and knowledge. The company’s Identity Management products help individuals maintain one or more identities privately and securely that they can access from any device connected to the Net. PrivacyX (www.privacyx.com)
PrivacyX is an Internet privacy solution that helps Internet users take control of their on-line privacy. Currently the company has a free, anonymous encrypted e-mail service that is available to users. The service allows users to send and receive e-mail with complete privacy and security.
ENDNOTES
69
ENDNOTES 1. Clarke, R., Introduction to Dataveillance and Information Privacy, and Definitions of Terms, www.anu.edu.au/people/Roger.Clarke/DV/Intro.html, January 2002, used and reprinted with permission, personal communiqué with the author. 2. Thibodeau, P., “DoubleClick paying $1.8 million to settle privacy suits,” Computerworld (April 1, 2002), www.idg.net/go.cgi?id⫽689436. 3. Rosencrance, L., “Toysrus.com faces online privacy inquiry,” CNN.com (Summer 2001), www.cnn.com/2000/TECH/computing/12/14/toysrus.privacy.inquiry.idg/toysrus.privacy. inquiry.htm. 4. Brubaker, B., “Sensitive Kaiser E-Mails Go Astray,” Washington Post (August 10, 2000), E-01. 5. “Hatch sues U.S. Bank for selling out customers to telemarketers,” Minnesota Attorney General’s Consumer Assistance Hotline (651) 296-3353 (June 9, 1999), www.ag.state.mn.us/ consumer/privacy/pr/pr%Fusbank1%5F06091999.html, also at United States District Court of Minnesota, Court File No. 99-872 adm/ajb. 6. “Congress Requests Federal Reserve Study in Response to P-Trak Controversy,” The Center for Democracy and Technology, Washington, DC (November 5, 1996), www.cdt.org/privacy/960920_Lexis.html. 7. Bresnahan J., “Up Close and Personal,” CIO Magazine (May 15, 1997), 63–74, www.cio.com/ archive/051597/ethics.html. 8. Id. 9. Id. 10. Anonymous v. CVS Corporation, 188 Misc. 2d 616, 728 N.Y.S. 2d 333 (2001), http://80web.lexis-nexis.com.library3. 11. Glave, J., “The Safeway to Shop” (October 8, 1999), www.wired.com/news/print/ 0,1294,31791,00.html. 12. Marcella, A., www.STOPTHIEF.net: Protecting Your Identity on the Web, (The Institute of Internal Auditors, Altamonte Springs, FL, 1999). 13. Mancey, J., “Dangerous Data,” Global Technology Business (August, 1999), 26. 14. Anthes, G., “Cyberspook toolbox,” Computerworld (July 6, 1998), 63. 15. See note 12. 16. See note 13. 17. Johnson, D., “Is Anything Wrong With Mining Data?” Beyond Computing (June, 1999), 16–17, www.beyondcomputingmag.com. 18. See note 12. 19. Mundy, J., “Trapping the Web Site Data Mine,” Intelligent Enterprise Magazine (August, 1999), www.iemagazine.com/9811/onlinel.shtml. 20. Hayes, F., “Dangerous Web Data,” Computerworld (October 12, 1998), 12. 21. Parkinson, M., “CPO position joins executive ranks,” Information Systems and Control Journal, Volume 3 (2001), 53–55. 22. Id. 23. Truste, 2002. Material for this section was taken, with permission, in part, from www.truste. org/education/users_privacy_links.html#Online. Contact Truste at (408) 494-4950 or fax them at (408) 494-4960. You may write to Truste at: TRUSTe, 1180 Coleman Avenue, Suite 202, San Jose, CA 95110.
4 INTERNATIONAL PRIVACY ISSUES
Introduction The Beginning of Data Protection Models of Privacy Protection Rationales for Adopting Comprehensive Laws The Major Global Directives and Organizations Transborder Data Flows Oversight Which Countries Are Playing by the Rules? Trends in International Privacy Country-by-Country Summary
INTRODUCTION The world has privacy issues just as the United States does. Each country is concerned with protecting its citizens’ rights to privacy and the data about those citizens. The greatest concern for a given country that interacts for business with other countries, is how their citizen’s data and privacy is going to be protected by another country. With the disparity in the type of protection and enforcement of privacy in each country, there is a need for international privacy policies and enforcement. In this chapter we discuss what countries and organizations are doing to protect and enforce privacy today throughout the world. Although the idea of the right to privacy—the right to be let alone—hails from America, it is Europe that is now at the forefront in addressing the privacy worries created by new technologies such as the Internet. Privacy is a fundamental human right recognized in all major international treaties and agreements on human rights. Nearly every country in the world recognizes privacy as a fundamental human right in its constitution, either explicitly or implicitly. The most recently drafted constitutions include specific rights to access and control one’s personal information. Nearly all industrialized countries support comprehensive privacy and data protection acts and nearly fifty countries and jurisdictions have, or are in the process of, enacting such laws. In the past year, over a dozen countries have enacted new laws or updated previous acts. Countries are adopting these laws in many cases to address past governmental abuses, to promote electronic commerce, or to ensure compatibility with international standards developed by the European Union, the Council of Europe, and the Organization for Economic Cooperation and Development. In this chapter we discuss these standards and how they impact international business. 70
MODELS OF PRIVACY PROTECTION
71
THE BEGINNING OF DATA PROTECTION Interest in the right of privacy increased in the 1960s and 1970s with the advent of information technology. The surveillance potential of powerful computer systems prompted demand for specific rules governing the collection and handling of personal information. The genesis of modern legislation in this area can be traced to the first data protection law in the world enacted in the Land of Hesse in Germany in 1970. This was followed by national laws in Sweden (1973), the United States (1974), Germany (1977), and France (1978).1 Two crucial international instruments evolved from these laws. The Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Organization for Economic Cooperation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data set out specific rules covering the handling of electronic data. These rules describe personal information as data that are afforded protection at every step, from collection to storage and dissemination. The expression of data protection in various declarations and laws varies. All require that personal information must be: • • • • • • •
Obtained fairly and lawfully Used only for the original specified purpose Adequate, relevant, and not excessive to purpose Accurate and up to date Accessible to the subject Kept secure Destroyed after its purpose is completed
The Council of Europe (COE) and the Organization for Economic Cooperation and Development’s (OECD) Guidelines have had a profound effect on the enactment of laws around the world. Nearly thirty countries have signed the COE convention and several others are planning to do so shortly. The OECD guidelines have also been widely used in national legislation, even outside the OECD member countries.2
MODELS OF PRIVACY PROTECTION There are four major models for privacy protection. Depending on their application, these models can be complementary or contradictory. In most countries reviewed in this chapter, several models are used simultaneously. In the countries that protect privacy most effectively, all of the models work together to ensure privacy protection.3, 4
Comprehensive Laws In many countries around the world there is a general law that governs the collection, use, and dissemination of personal information by both the public and private sectors. An oversight body then ensures compliance. This is the preferred model for most countries adopting data protection
72
INTERNATIONAL PRIVACY ISSUES
laws and was adopted by the EU to ensure compliance with its data protection regime. A variation of these laws, which is described as a co-regulatory model, was adopted in Canada and is pending in Australia. Under this approach, industry develops rules for the protection of privacy, which are enforced by the industry and overseen by the privacy agency.
Sectoral Laws Some countries, such as the United States, have avoided enacting general data protection rules in favor of specific sectoral laws governing, for example, video rental records and financial privacy. In such cases, enforcement is achieved through a range of mechanisms. A major drawback with this approach is that it requires that new legislation be introduced with each new technology, so protections frequently lag behind. The lack of legal protections for medical and genetic information in the United States is a striking example of the limitations of sectoral laws. There is also the problem of a lack of an oversight agency. In many countries, sectoral laws are used to complement comprehensive legislation by providing more detailed protections for certain categories of information, such as telecommunications, police files, or consumer credit records.
Self-Regulation Data protection can also be achieved—at least in theory—through various forms of self-regulation in which companies and industry bodies establish codes of practice and engage in self-policing. However, in many countries, especially the United States, these efforts have been disappointing with little evidence that the aims of the codes are regularly fulfilled. Adequacy and enforcement are the major problem with these approaches. Industry codes in many countries have tended to provide only weak protections and lack enforcement. This is currently the policy promoted by the governments of the United States, Japan, and Singapore.
Technologies of Privacy With the recent development of commercially available technology-based systems, privacy protection has also moved into the hands of individual users. Users of the Internet and of some physical applications can employ a range of programs and systems that provide varying degrees of privacy and security of communications. These include encryption, anonymous re-mailers, proxy servers, digital cash, and smart cards. Questions remain about the security and trustworthiness of these systems.
RATIONALES FOR ADOPTING COMPREHENSIVE LAWS There are three major reasons for the movement towards comprehensive privacy and data protection laws. Many countries are adopting these laws for one or more reasons. 1. Remedy past injustices. Many countries, especially in Central Europe, South America, and South Africa, are adopting laws to remedy privacy violations that occurred under previous authoritarian regimes.
THE MAJOR GLOBAL DIRECTIVES AND ORGANIZATIONS
73
2. Promote electronic commerce. Many countries, especially in Asia, have developed or are currently developing laws in an effort to promote electronic commerce. These countries recognize that consumers are uneasy with their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules. 3. Ensure laws are consistent with Pan-European laws. Most countries in Central and Eastern Europe are adopting new laws based on the Council of Europe Convention and the European Union Data Protection Directive. Many of these countries hope to join the European Union in the near future. Countries in other regions, such as Canada, are adopting new laws to ensure that trade will not be affected by the requirements of the EU Directive. The Directive imposes an obligation on member states to ensure that the personal information relating to European citizens has the same level of protection when it is exported to, and processed in, countries outside the EU. This requirement has resulted in growing pressure outside Europe for the passage of privacy laws. Those countries that refuse to adopt meaningful privacy laws may find themselves unable to conduct certain types of information flows with Europe, particularly if they involve sensitive data.
THE MAJOR GLOBAL DIRECTIVES AND ORGANIZATIONS Previously we discussed the evolution of data protection. Now we will detail the major global organizations and directives that are currently working to set global standards for privacy protection. The four main organizations include the European Union (EU), the Organization for Economic Cooperation and Development (OECD), the International Chamber of Commerce (ICC), and the Privacy Exchange. In addition to these organizations, we will discuss the agreements and directives that they and other major countries have entered into for the purpose of protecting individual consumer privacy, for example, the EU-U.S. Safe Harbor agreement.5
European Union Data Protection Directive Adopted in 1995, the European Union Data Protection Directive called for implementation by October 24, 1998. The Directive is intended to standardize the protection of data privacy for European Union citizens, while allowing for the free flow of information between member states.6 Many companies based outside the European Union now find themselves scrambling to understand the implications of the Directive for their business operation. Impact will vary depending on a company’s involvement and presence in a member state. After two years of negotiation, the European Union and the U.S. Department of Commerce have finally hammered out an agreement that will determine how U.S. companies may collect personal information from European citizens. That agreement proposes that American companies that gather personal information from Europeans join “safe-harbor” programs to assure their adherence to certain privacy principles. U.S. companies that comply with the voluntary pact will be protected from prosecution or lawsuits by EU governments.
74
INTERNATIONAL PRIVACY ISSUES
The Organization for Economic Cooperation and Development A Paris-based intergovernmental organization made up of 29 member countries, the Organization for Economic Cooperation and Development, or OECD, is a forum in which governments can compare their experiences, discuss the problems they share, and seek solutions, which can then be applied within their own national contexts. OECD’s Web site offers numerous publications on e-commerce in a global marketplace.7 OECD, membership of which includes many European countries, the United States, Australia, New Zealand, and Japan, is primarily concerned with the economic development of its member states. In an effort to reconcile fundamental but competing values, such as privacy and the free flow of information, OECD recommended in September 1980 that member countries take into account in their domestic regulation the principles concerning the protection of privacy and individual liberties set forth in a set of guidelines governing the protection of privacy and transborder flow of personal data. Within these guidelines are eight basic principles in the protection of information privacy. These principles, and variations thereof, have been the universal basis for the formulation of national legislation in privacy and personal data protection in many countries.
The International Chamber of Commerce The International Chamber of Commerce (ICC) is a business organization representing enterprises from all sectors throughout the world. Founded in 1919, the ICC promotes international trade, investment, and the market economy system, and creates codes of conduct that govern business across borders. ICC’s Web site can help keep you up-to-date on the international business stance on issues of trade, investment, and technical policy.8
PrivacyExchange The PrivacyExchange is an on-line global resource for privacy and data protection laws, practices, issues, trends, and developments worldwide. The transborder section of their site contains both analyses of the laws impacting transborder data flow, and the actual experiences of companies transferring data under these laws. There are country-by-country summaries of legal requirements in the “Current National Law Requirements” section. Also included are model contracts and clauses for the protection of personal data in transborder data flow. The Global Privacy Dialogue area of the site is a guide to worldwide resources on consumer privacy and data protection.9
EU-U.S. Safe Harbor The United States strongly lobbied the EU and member countries to find the U.S. system adequate. In 1998, the United States began negotiating a “Safe Harbor” agreement with the EU in order to ensure the continued trans-border flows of personal data. The idea of the “Safe Harbor” was that U.S. companies would voluntarily self-certify to adhere to a set of privacy principles
TRANSBORDER DATA FLOWS
75
worked out by the U.S. Department of Commerce and the Internal Market Directorate of the European Commission. These companies would then have a presumption of adequacy and could continue to receive personal data from the European Union.10 The following list summarizes the seven principles of the Safe Harbor agreement between the United States and the EU: 1. Notice. Tell individuals what information is being collected about them and why. 2. Choice. Offer a way for individuals to opt out of having personal information collected or shared with other companies. 3. Onward transfer. Ensure that e-business partners follow the Safe Harbor principles or agree to offer the same level of data protection. 4. Access. Provide individuals a way to access their personal information. 5. Security. Protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. 6. Data integrity. Collect only relevant personal information and ensure it is reliable. 7. Enforcement. Develop procedures to verify compliance and for dispute resolution and remedies. The European Commission agreed at the end of 2000 to give U.S. companies six months to study and comply with the Safe Harbor rules. Although the EU is playing down the threat to U.S. companies, experts believe European states will soon begin cracking down. It is expected that EU countries review how companies that aren’t on the Safe Harbor list handle European consumer data. There is a precedent for such illegal action. In 1999, Microsoft paid $60,000 to settle charges brought by Spain that Microsoft didn’t “clearly and conspicuously” disclose to Spanish consumers what happens to personal data when they register for Windows. A Reuters survey of 75 U.S. corporate Web sites released early in August 2001 found that none measured up to the set of international standards for ensuring privacy of customers’ personal information.11 While many of the Web sites surveyed were found to provide adequate data privacy in one or two areas, none met all seven privacy guidelines developed between the United States and the EU, and only two met five principles. Eight companies met only the minimum standards for one principle.
TRANSBORDER DATA FLOWS The ease with which electronic data flows across borders has led to a concern that data protection laws could be circumvented by simply transferring personal information to a third country where the law didn’t apply. The data could then be processed in that country, frequently called a “data haven,” without any limitations. For this reason, most data protection laws include restrictions on the transfer of information to third countries, unless the information is protected in the destination country. A European Directive imposes an obligation on member states to ensure that any personal information relating to European citizens is protected by law when it is exported to, and processed in, countries outside Europe. It states: The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if…the third country in question ensures an adequate level of protection.12
76
INTERNATIONAL PRIVACY ISSUES
OVERSIGHT An essential aspect of any privacy protection regime is oversight. In most countries with an omnibus data protection or privacy act, there is also an official or agency that oversees enforcement of the act. The powers of these officials—Commissioner, Ombudsman, or Registrar— vary widely by country. A number of countries, including Germany and Canada, also have officials or offices on a state or provincial level. Many countries that do not have a comprehensive act still have a commissioner. These include Australia, Thailand, and Canada. A major power of these officials is to focus public attention on problem areas, even when they do not have any authority to fix the problem. They do this by promoting codes of practice and encouraging industry associations to adopt them. They also use their annual reports to point out problems. For example, in Canada, the Federal Privacy Commissioner announced in his 2000 report the existence of an extensive database maintained by the federal government. Once the issue became public, the Ministry disbanded the database.13 In a number of countries, the official also serves as the enforcer of the jurisdiction’s Freedom of Information Act. These include Hungary and Thailand. The pending U.K. Freedom of Information Bill will make the Data Protection Commissioner also the Information Commissioner. On the sub-national level, many of the German Lund Commissioners have recently been given the power of Information Commissioner, and most of the Canadian provincial agencies handle both data protection and freedom of information. A major problem with many agencies around the world is a lack of resources to adequately conduct oversight and enforcement. Many are burdened with licensing systems, which use much of their resources. Others have large backlogs of complaints or are unable to conduct a significant number of investigations. In some countries that do not have a separate office, the role of investigating and enforcing the laws is done by a human rights ombudsman or by a parliamentary official.
WHICH COUNTRIES ARE PLAYING BY THE RULES? Even with the adoption of legal and other protections, violations of privacy remain a concern. In many countries, laws have not kept up with the technology, leaving significant gaps in protections. In other countries, law enforcement and intelligence agencies have been given significant exemptions. Finally, without adequate oversight and enforcement, the mere presence of a law may not provide adequate protection. There are widespread violations of laws relating to surveillance of communications, even in the most democratic of countries. The U.S. State Department’s annual review of human rights violations finds that over 90 countries illegally monitor the communications of political opponents, human rights workers, journalists, and labor organizers. In 1996, a French government commission estimated that there were over 100,000 illegal wiretaps conducted by private parties, many on behalf of government agencies. There were protests in Ireland after it was revealed that the United Kingdom was monitoring all UK/Ireland communications from a base in Northern England. In Japan, police were fined 2.5 million yen for illegally wiretapping members of the Communist Party. The Echelon system is used by the United States, the United Kingdom, Australia, Canada, and New Zealand to monitor communications worldwide.14
TRENDS IN INTERNATIONAL PRIVACY
77
Police services, even in countries with strong privacy laws, still maintain extensive files on citizens for political purposes, despite their not being accused or even suspected of any crime. Recently, investigations were held in Denmark, Sweden, and Norway, countries with long histories of privacy protection, to investigate illegal spying by intelligence and police officials. In Switzerland, a scandal over secret police spying led to the enactment of a data protection act. In many former Eastern Bloc countries there are still controversies over the disposition of the files of the secret police. Companies regularly flaunt the laws, collecting and disseminating personal information. In the United States, even with the long-standing existence of a law on consumer credit information, companies still make extensive use of such information for marketing purposes and banks sell customer information to marketers. In many countries, inadequate security has resulted in the accidental disclosure of thousands of customers’ records. And, while the United States has opted for a softer approach in which different industries police their own privacy policies, Europeans are using their long-standing legislative tradition. Today, the 15 nations that make up the European Union boast the most comprehensive protection against the unlawful handling of personal data, and they would like other countries, especially the United States, to follow their approach. The EU member countries are not without reproach however. The countries that have implemented the EU rules have done so unevenly. In Italy, deemed the strictest of all the EU states, it is almost impossible to transfer any kind of data without prior consent, and misuse could get you up to two years in jail. This law is much stricter than the EU directive. However, at the other end of the scale there are countries that have not yet transposed the directive into national law.15 Furthermore, a recent study by the International Consumers’ Organization shows that despite tight data privacy law, many European sites still fail to comply with the existing regulations regarding privacy policies.
TRENDS IN INTERNATIONAL PRIVACY It is now common wisdom that the power, capacity, and speed of information technology are accelerating rapidly. The extent of privacy invasion—or certainly the potential to invade privacy—increases correspondingly.16 The increasing sophistication of information technology, with its capacity to collect, analyze, and disseminate information on individuals, has created a sense of urgency in the demand for privacy legislation. Furthermore, new developments in medical research and care, telecommunications, advanced transportation systems, and financial transfers have dramatically increased the level of information generated by each individual. Computers linked together by high-speed networks with advanced processing systems can create comprehensive dossiers on any person without the need for a single central computer system. New technologies developed by the defense industry are spreading into law enforcement, civilian agencies, and private companies. Beyond these obvious aspects of capacity and cost, there are a number of important trends that contribute to privacy invasion: • Globalization removes geographical limitations to the flow of data. The development of the Internet is perhaps the best-known example of a global technology.
78
INTERNATIONAL PRIVACY ISSUES
• Convergence is leading to the elimination of technological barriers between systems. Modern information systems are increasingly inter-operable with other systems, and can mutually exchange and process different forms of data. • Multi-media fuses many forms of transmission and expression of data and images so that information gathered in a certain form can be easily translated into other forms. These macro-trends have had particular effect on surveillance in developing nations. In the field of information and communications technology, the speed of policy convergence is compressed. Across the surveillance spectrum—wiretapping, personal ID systems, data mining, censorship, and encryption controls—it is the industrialized countries that invariably set the rules for the rest of the world. Governments and citizens alike may benefit from the plethora of IT schemes being implemented by the private and public sectors. New “smart card” projects, in which client information is placed on a chip in a card, may streamline complex transactions. The Internet will revolutionize access to basic information on government services. Encryption can provide security and privacy for all parties. These initiatives will require a bold, forward-looking legislative framework. Whether governments can deliver this framework will depend on their willingness to listen to the pulse of the emerging global digital economy and to recognize the need for strong protection of privacy.
COUNTRY-BY-COUNTRY SUMMARY In summary, we have collected information on 53 countries and their data privacy laws. Each entry includes: Country Name, Chief Privacy Officer/Minister (if one exists), Political System, Web URL of the Privacy Office or Government, Description of Legislation, and Miscellaneous Information about the country’s privacy laws and any membership to privacy organizations. This is not an all-inclusive list, and while this information collective will give the reader a good overview of what to expect, detailed up-to-date information should be obtained directly from a given country’s government.17, 18
Argentina Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.gobiernoelectronico.ar
Description of Legislation
Argentine Constitution–Articles 18 & 19. “The home is inviolable as is personal correspondence and private papers; the law will determine what cases and what justifications may be relevant to their search or confiscation. The private actions of men that in no way offend order nor public morals, nor prejudice a third party, are reserved only to God’s judgment, and are free from judicial authority. No inhabitant of the Nation will be obligated to do that which is not required by law, nor be deprived of what is not prohibited.”
Habeas Data Bill (effective September 14, 2000). “Every person may file an action to obtain knowledge of the data about them and its purpose, whether contained in public or private registries or databases intended to provide information; and in the case of false data or dis-
COUNTRY-BY-COUNTRY SUMMARY
79
crimination, to suppress, rectify, make confidential, or update the data. The privacy of news information sources may not be affected.”
Civil Code. Prohibits “that which arbitrarily interferes in another person’s life: publishing photos, divulging correspondence, mortifying another’s customs or sentiments or disturbing his privacy by whatever means.” This article has been applied widely to protect the privacy of the home, private letters, and a number of situations involving intrusive telephone calls, and neighbors’ intrusions into another’s private life.
Credit Card Act (effective 1998). Regulates credit card contracts between consumers and financial institutions and specifically the interest rates that banks charge to consumer credit cards. Article 53 restricts the possibility of transferring information from banks or credit card companies to credit reporting agencies. There is also a specific right of access to personal data of a financial character. Miscellaneous Information
In 1984, Argentina adopted the American Convention on Human Rights into domestic law. In 1994 the Convention was “constitutionalized” and is used by the Argentine Supreme Court to determine domestic cases. No one official or office oversees privacy issue not specific to any computer data and gathering or transfer of data.
Australia Chief Privacy Officer/Minister Political System Web URL
Privacy Commissioner Republic within Commonwealth of British Columbia www.privacy.gov.au
Description of Legislation
Privacy Act of 1988. Creates a set of eleven Information Privacy Principles (IPPs), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The re-elected conservative government introduced legislation to extend privacy protection to the private sector in April 2000. The Privacy Amendment (Private Sector) Bill 2000 applies a set of National Privacy Principles developed by the Privacy Commissioner during 1997 and 1998, originally as a self-regulatory substitute for legislation.
The Telecommunications Act of 1979 (amended in 2000; effective June 7, 2000). Regulates the interception of telecommunications. A warrant is required under the Act, which also provides for detailed monitoring and reporting, but in 1997 the authority for issuing warrants was extended from federal court judges to designated members of the Administrative Appeals Tribunal, who are on term appointments rather than tenured. The Act places obligations on
80
INTERNATIONAL PRIVACY ISSUES
telecommunications providers to provide an interception capability and to positively assist law enforcement agencies with interception. AMENDMENT: The legislation will allow for the issuing of “named person” warrants based on a name of person only, not specifying the location of the tap to allow for the interception of multiple services without a new warrant. The bill also expands the use of wiretap information in other proceedings. Intelligence agencies can get a “foreign communications warrant” to “enable ASIO, operating ‘within Australia,’ to intercept communications ‘sent or received outside Australia’ for the purposes of collecting foreign intelligence.”
Australian Security Intelligence Organisation Legislation Amendment Act 1999 (effective November 1999). The Act gives ASIO new powers to access e-mails and data inside computers, use tracking devices on vehicles, obtain tax and cash transaction information, and intercept mail items carried by couriers. ASIO is authorized to modify private computer files as long as there is reasonable cause to believe that it is relevant to a security matter.
The Crimes Act. Covers offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications, and the unauthorized disclosure of Commonwealth government information.
The Federal Freedom of Information Act of 1982. Provides for access to government records. Privacy Amendment (private sector) Bill (effective January 2002). Extends privacy protections to the private sector. The EC expressed concern that the law would not be adequate for transborder data flows. Miscellaneous Information
The National Principles impose a lower standard of protection in several areas than the EU Directive. For example, organizations are required to obtain consent from customers for secondary use of their personal information for marketing purposes where it is “practicable”; otherwise, they can initiate direct marketing contact, providing they give the individual the choice to opt out of further communications. Controls on the transfer of personal information overseas are also limited, requiring only that the organization takes “reasonable steps” to ensure personal information will be protected, or “reasonably believes” that the information will be subject to similar protection as applied in the Australian law. Nevertheless, the Bill includes an innovative principle of anonymity. Principle 8 states that: “Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.”
Austria Chief Privacy Officer/Minister Political System Web URL
Data Protection Commission Federal Republic www.austria.gv.at/e/
Description of Legislation
Datenschutzgesetz 2000. Data protection law that incorporates the EU Directive into Austrian law. Some sections of the data protection law (Datenschutzgesetz—DSG) have constitutional status. These rights may only be restricted under the conditions of Article 8 of the
COUNTRY-BY-COUNTRY SUMMARY
81
European Convention of Human Rights (ECHR). The entire ECHR has constitutional status and Article 8 is often cited by the constitutional court in privacy matters.
Code of Criminal Procedure. Wiretapping, electronic eavesdropping, and computer searches are regulated by the code of criminal procedure. Telephone wiretapping is permitted if it is needed for investigating a crime punishable by more than one year in prison. Electronic eavesdropping and computer searches are allowed if they are needed to investigate criminal organizations or crimes punishable by more than ten years in prison. The provision concerning electronic eavesdropping and computer searches became effective between October 1, 1997, and July 1, 1998. Due to long and intensive discussion, the provisions are in effect only until December 31, 2001. The Auskunftspflichtgesetz. A Freedom of Information law that obliges federal authorities to answer questions regarding their areas of responsibility. However, it does not permit citizens to access documents, just to receive answers from the government on the content of information. Miscellaneous Information
Austria is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Belgium Chief Privacy Officer/Minister Political System Web URL
President—Consultative Commission for Protection of Privacy Federal Parliamentary Democracy under Constitutional Monarchy www.fgov.be
Description of Legislation
Belgian Constitution. Recognizes the right of privacy and private communications. Article 22 states, “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law…The laws, decrees, and rulings alluded to in Article 134 guarantee the protection of this right.” Article 29 states, “The confidentiality of letters is inviolable…The law determines which nominated representatives can violate the confidentiality of letters entrusted to the postal service.” Article 22 was added to the Belgian Constitution in 1994. Prior to the constitutional amendment, the Cour de Cassation ruled that Article 8 of the European Convention applied directly to the law and prohibited government infringement on the private life of individuals.
Data Protection Act of 1992. The processing and use of personal information is governed by the Data Protection Act of 1992. Amending legislation to update this Act and make it consistent with the EU Directive was approved by the Parliament in December 1998. A Royal Decree to implement the Act was approved in July 2000.
82
INTERNATIONAL PRIVACY ISSUES
Criminal Procedure Code (effective 2nd quarter 2000). Gives the Juge d’Instruction the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages which have been intercepted. The experts or network managers may not refuse providing cooperation; criminal sanctions are possible in cases of refusal. The bill also requires that Internet Service Providers retain records for law enforcement purposes. Miscellaneous Information
Belgium is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Brazil Chief Privacy Officer/Minister Political System Web URL
N/A Federal Republic www.brazilsf.org/gov.htm
Description of Legislation
Article 5 of the 1988 Constitution of Brazil. Provides that, in part: “the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from the violation thereof is ensured…the home is the inviolable asylum of the individual, and no one may enter it without the dweller’s consent, save in the case of ‘in flagrante delicto’ or disaster, or to give help, or, during the day, by court order…the secrecy of correspondence and of telegraphic, data and telephone communications is inviolable, except, in the latter case, by court order, in the events and in the manner established by the law for purposes of criminal investigation or criminal procedural discovery…access to information is ensured to everyone and confidentiality of the source is protected whenever necessary for the professional activity.
1990 Code of Consumer Protection and Defense. Allows all consumers to “access any information derived from personal and consumer data stored in files, archives, registries, and databases, as well as to access their respective sources. Consumer files and data shall be objective, clear, true, and written in a manner easily understood, and shall not contain derogatory information for a period over five years.” Informatics Law of 1984. Protects the confidentiality of stored, processed, and disclosed data, and the privacy and security of physical, legal, public, and private entities. Citizens are entitled to access and correct their personal information in private or public databases.
Wiretapping. In 1996, a law regulating wiretapping was enacted. Official wiretaps are permitted for 15 days, renewable on a judge’s order for another 15 days, and can only be resorted to in cases where police suspect serious crimes punishable by imprisonment, such as drug smuggling, corruption, contraband smuggling, murder, and kidnapping.
COUNTRY-BY-COUNTRY SUMMARY
83
Computer Crimes Act (approved in July 2000). This act amends a 1940 law to update it to include computer crimes descriptions and penalties for such crimes. Miscellaneous Information
Brazil signed the American Convention on Human Rights on September 25, 1992. Individuals have a constitutional right of Habeas Data which has been adopted into law to access information about themselves held by public agencies.
Bulgaria Chief Privacy Officer/Minister Political System Web URL
State Commission for the Protection of Personal Data Parliamentary Democracy www.government.bg
Description of Legislation
Bulgarian Constitution of 1991. The Constitution recognizes rights of privacy, secrecy of communications, and access to information. Article 32 states, “(1) The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law.” Article 33 states, “(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant’s consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities’ permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity.” Article 34 states, “(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime.” Article 41 states, “(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others.
Personal Data Protection Act (effective 1997). The government began developing data protection legislation in preparation for integration into the EU Internal Market under the Treaty for Association of Bulgaria to the EU. Data protection is also a key element of the information legislation which is a priority in the National Assembly’s legislative activities. The draft Personal Data Protection Act closely follows the EU Data Protection Directive. It sets rules on the fair and responsible handling of personal information by the public and private sector. Entities collecting personal information must do the following: inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is
84
INTERNATIONAL PRIVACY ISSUES
securely held and cannot be tampered with, stolen, or improperly used; and limit the use of personal information for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances.
The 1997 Special Surveillance Means Act. Electronic surveillance used in criminal investigations is regulated by the criminal code and requires a court order. The Telecommunications Law also requires that agencies ensure the secrecy of communications. The 1997 Special Surveillance Means Act regulates the use of surveillance techniques by the Interior Ministry for investigating crime but also for loosely defined national security reasons. A court order is generally required, but in cases of emergency, an order from the Interior Minister is sufficient.
The Law for Access to Information. Enacted in June 2000 and put into force in July, the law allows for access to government records except in cases of state security or personal privacy. Miscellaneous Information
Bulgaria is a member of the Council of Europe and has signed but not ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Canada Chief Privacy Officer/Minister Political System Web URL
Federal Privacy Commissioner— Bureau for Data Protection/Privacy Confederation with Parliamentary Democracy www.privecom.gc.ca
Description of Legislation
Personal Information Protection and Electronic Documents Act (effective April 2000). The Act adopts the CSA International Privacy Code (a national standard: CAN/CSA-Q830-96) into law for enterprises that process personal information “in the course of a commercial activity,” and for federally regulated employers with respect to their employees. It does not apply to information collected for personal, journalistic, artistic, literary, or non-commercial purposes. The law went into effect for companies that are under federal regulation, such as banks, telecommunications, transportation, and businesses that trade data interprovincially and internationally in January 2001, except with respect to medical records, which were exempted from the new law until 2002.
The Federal Privacy Act. Provides individuals with a right of access to personal information held by the federal public sector. In addition, the Privacy Act contains provisions regulating the confidentiality, collection, correction, disclosure, retention, and use of personal information. Individuals may request records directly from the institution that has the custody of the information. The Act establishes a code of fair information practices that apply to government handling of personal records.
Part VI of Canada’s Criminal Code. Makes the unlawful interception of private communications a criminal offense. Police are required to obtain a court order.
COUNTRY-BY-COUNTRY SUMMARY
85
The Canadian Security Intelligence Service Act. Authorizes the interception of communications for national security reasons. A federal court in Ottawa ruled in 1997 that the Canadian Security Intelligence Service was required to obtain a warrant in all cases. In October 1998, Industry Minister John Manley announced a new liberal government policy for encryption that allows for broad development, use, and dissemination of encryption products.
The Telecommunications Act. Has provisions to protect the privacy of individuals, including the regulation of unsolicited communications. The Federal Access to Information Act. Provides individuals with a right of access to information held by the federal public sector. The Act gives Canadians and other individuals and corporations present in Canada the right to apply for and obtain copies of federal government records. “Records” include letters, memos, reports, photographs, films, microforms, plans, drawings, diagrams, maps, sound and video recordings, and machine-readable or computer files. Dismantling of Longitudinal Labour Force Database (effective May 29, 2001). Human Resources Development Canada announced that it was dismantling the Longitudinal Labour Force File, which contains over 2,000 pieces of information on each Canadian. The agency said it was scrapping the software that allowed sharing with other agencies and returning the information. The move was welcomed by the Privacy Commissioner. Miscellaneous Information
Each of the provinces also has a Freedom of Information Law. A new coalition formed in March 2000 to promote freedom of information in Canada.
Chile Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.gobiernodechile.cl/
Description of Legislation
Article 19 of Chile’s Constitution. Secures for all persons: “Respect and protection for public and private life, the honor of a person and his family. The inviolability of the home and of all forms of private communication. The home may be invaded and private communications and documents intercepted, opened, or inspected only in cases and manners determined by law.”
Law for the Protection of Private Life (Act number 19628; effective October 28, 1999). The law has 24 articles covering processing and use of personal data in the public and private sector and the rights of individuals (to access, correction, and judicial control). The law contains a chapter dedicated to the use of financial, commercial, and banking data, and specific rules addressing the use of information by government agencies. Miscellaneous Information
Chile signed the American Convention on Human Rights on August 20, 1990. There is no data protection authority, and enforcement of the law is done individually by each affected person.
86
INTERNATIONAL PRIVACY ISSUES
China Chief Privacy Officer/Minister Political System Web URL
N/A Communist State www.gov.cn/
Description of Legislation
Chinese Constitution. Article 37 provides that the “freedom of the person of citizens of the People’s Republic of China is inviolable,” and Article 40 states: “Freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law. No organization or individual may, on any ground, infringe on citizens’ freedom of privacy of correspondence, except in cases where to meet the needs of state security or of criminal investigation, public security or prosecutorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.”
Computer Information Network and Internet Security, Protection and Management Regulations (effective February 2000). “The freedom and privacy of network users is protected by law. No unit or individual may, in violation of these regulations, use the Internet to violate the freedom and privacy of network users.” Article 8 states that “units and individuals engaged in Internet business must accept the security supervision, inspection, and guidance of the public security organization. This includes providing to the public security organization information, materials and digital documents, and assisting the public security organization to discover and properly handle incidents involving law violations and criminal activities involving computer information networks.” Articles 10 and 13 stipulate that Internet account holders must be registered with the public security organization and lending or transferring of accounts is strictly prohibited. It requires individuals and companies to disclose what types of security and encryption systems they are using and apply for permission. The order sets up a State Encryption Management Commission to enforce the regulations. Publishing unauthorized news is also prohibited.
Criminal Code. Sections 285 to 287 of the Criminal Code prohibit intrusions into computer systems and punish violations of the regulations. In August of 1999, under orders from China’s Ministry of Information and Industry, Intel agreed to disable the “Processor Serial Number” function of its Pentium III chips, which makes it possible to identify and track Internet users as they engage in e-commerce.
Guidelines for Telecom Services (effective January 18, 2000). Ministry of Information Industry (MII) issued a set of Guidelines for Telecom services. These stipulated that telecom operators should provide detailed lists of long distance calls, mobile phones, and information services for customers, and protect the rights and privacy of its customers. Miscellaneous Information
There is no general data protection law in China and few laws that limit government interference with privacy. China has a long-standing policy on keeping close track of its citizens. The secrecy of communications is cited in the constitution and in law, but apparently with little effect. In practice, authorities often monitor telephone conversations, fax transmissions, electronic mail, and Internet communications of foreign visitors, businessmen, diplomats, and journalists, as well as Chinese dissidents, activists, and others.
COUNTRY-BY-COUNTRY SUMMARY
87
Czech Republic Chief Privacy Officer/Minister Political System Web URL
Office for Personal Data Protection Parliamentary Democracy www.vlada.cz/1250/eng/
Description of Legislation
The 1993 Charter of Fundamental Rights and Freedoms. Provides for extensive privacy rights. Article 7 states, “Inviolability of the person and of privacy is guaranteed. It may be limited only in cases specified by law.” Article 10 states, “(1) Everybody is entitled to protection of his or her human dignity, personal integrity, good reputation, and his or her name. (2) Everybody is entitled to protection against unauthorized interference in his or her personal and family life. (3) Everybody is entitled to protection against unauthorized gathering, publication or other misuse of his or her personal data.” Article 13 states, “Nobody may violate secrecy of letters and other papers and records whether privately kept or sent by post or in another manner, except in cases and in a manner specified by law. Similar protection is extended to messages communicated by telephone, telegraph or other such facilities.”
Personal Data Protection (effective June 1, 2000). The new law is based on the EU Data Protection Directive as part of the Czech Republic’s efforts for accession into the EU. It implements the basic requirements of the Directive, but the police and intelligence services are exempt from many of the key provisions.
Criminal Process Law. Wiretapping is regulated under the criminal process law. Police must obtain permission from a judge to conduct a wiretap. The judge can approve an initial order for up to six months.
The Penal Code. Covers the infringement of the right to privacy in the definitions of criminal acts of infringement of the home, slander, and infringement of the confidentiality of mail. There are also sectoral acts concerning statistics, medical personal data, banking law, taxation, social security, and police data. Unauthorized use of personal data systems is considered a crime. Freedom of Information Law (effective May 1999). The law is based on the U.S. FOIA and provides for citizens’ access to all government records held by State bodies, local selfgoverning authorities, and certain other official institutions, such as the Chamber of Lawyers or the Chamber of Doctors, except for classified information, trade secrets, or personal data. A 1998 act governs access to environmental information. Miscellaneous Information
The Czech Republic is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). In May 2000, the cabinet approved a proposal to sign and ratify the Convention. The Czech Republic has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
88
INTERNATIONAL PRIVACY ISSUES
Denmark Chief Privacy Officer/Minister Political System Web URL
Registerilsynet—Danish Data Protection Agency Constitutional Monarchy www.datatilsynet.dk
Description of Legislation
The Danish Constitution of 1953. Contains two provisions relating to privacy and data protection. Section 71 provides for the inviolability of personal liberty. Section 72 states, “The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute.” The Act on Processing of Personal Data (effective July 1, 2000). The act implements the EU Data Protection into Danish law. The new act replaces the Private Registers Act of 1978, which governed the private sector, and the Public Authorities’ Registers Act of 1978, which governed the public sector.
The Penal Code. Wiretapping is regulated by the Penal Code. Other pieces of legislation with rules relating to privacy and data protection include the Criminal Code of 1930, Act on Video Surveillance, the Administrative Procedures Act of 1985, the Payment Cards Act of 1994, and the Access to Health Information Act of 1993. All citizens in Denmark are provided with a Central Personal Registration (CPR) number that is used to identify them in public registers.
The Access to Information Act and the Access to Public Administration Files Act. Govern access to government records. Miscellaneous Information
Denmark is a member of the Council of Europe and has signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Greenland. The original unamended Danish Public and Private Registers Acts of 1979 continues to apply within Greenland, a self-governing territory. The 1988 amendments that brought Denmark into compliance with the Council of Europe’s Convention 108 do not apply to Greenland. Greenland is not part of the European Union and therefore has not adopted the EU Privacy Directive. Greenland’s data protection requirements are much less stringent than those of Denmark and the other nations of the EU.
Estonia Chief Privacy Officer/Minister Political System Web URL
Data Protection Inspectorate Parliamentary Democracy www.dp.gov.ee/eng/
COUNTRY-BY-COUNTRY SUMMARY
89
Description of Legislation
The 1992 Estonia Constitution. The Constitution recognizes the right of privacy, secrecy of communications, and data protection. Article 42 states, “No state or local government authority or their officials may collect or store information on the persuasions of any Estonian citizen against his or her free will.” Article 43 states, “Everyone shall be entitled to secrecy of messages transmitted by him or to him by post, telegram, telephone or other generally used means. Exceptions may be made on authorization by a court, in cases and in accordance with procedures determined by law in order to prevent a criminal act or for the purpose of establishing facts in a criminal investigation.” Article 44 (3) states, “Estonian citizens shall have the right to become acquainted with information about themselves held by state and local government authorities and in state and local government archives, in accordance with procedures determined by law. This right may be restricted by law in order to protect the rights and liberties of other persons, and the secrecy of children’s ancestry, as well as to prevent a crime, or in the interests of apprehending a criminal or to clarify the truth for a court case.”
Personal Data Protection Act (effective June 1996). The Act protects the fundamental rights and freedoms of persons with respect to the processing of personal data and in accordance with the right of individuals to obtain freely any information which is disseminated for public use. The Personal Data Protection Act divides personal data into two groups—nonsensitive and sensitive personal data. Sensitive personal data are data which reveal political opinions, religious or philosophical beliefs, ethnic or racial origin, health, sexual life, criminal convictions, legal punishments, and involvement in criminal proceedings. Processing of non-sensitive personal data is permitted without the consent of the respective individual if it occurs under the terms that are set out in the Personal Data Protection Act. Processed personal data are protected by organizational and technical measures that must be documented. Chief processors must register the processing of sensitive personal data with the data protection supervision authority.
Databases Act (effective April 1997). The Databases Act is a procedural law for the establishment of national databases. The law sets out the general principles for the maintenance of databases, prescribes requirements and protection measures for data processing, and unifies the terminology to be used in the maintenance of databases. Pursuant to the Databases Act, the statutes of state registers or databases that were created before the law took effect must be brought into line with the Act within two years. The Databases Act also mandates the establishment of a state register of databases that registers state and local government databases, as well as databases containing sensitive personal data which are maintained by persons in private law. The Digital Signatures Act (approved March 2000). This Act provides the necessary conditions for using digital signatures and the procedure for exercising supervision over the provision of certification services and time-stamping services.
1994 Surveillance Act. Regulates the interception of communications, covert surveillance, undercover informants, and police and intelligence databases. Surveillance can be approved by a “reasoned decision made by the head of a surveillance agency.” “Exceptional surveillance” requires the permission of a judge in the Tallinn Administrative Court for serious crimes.
90
INTERNATIONAL PRIVACY ISSUES
Telecommunications Act (effective February 2000). Surveillance agencies can obtain information on the sender and receiver of messages by written or oral request. Telecommunications providers are also required to delete data within one year and prevent unauthorized disclosure of users’ information. Miscellaneous Information
Estonia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) on January 21, 2000. Estonia has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Finland Chief Privacy Officer/Minister Political System Web URL
Data Protection Ombudsman—Data Protection Commission for Finland Republic www.tietosuoja.fi
Description of Legislation
The Constitution Act of Finland. “The private life, honor and home of every person shall be secured. More detailed provisions on the protection of personal data shall be prescribed by Act of Parliament. The secrecy of correspondence and of telephone and other confidential communications shall be inviolable. Measures impinging on the sphere of the home which are necessary for the protection of fundamental rights or the detection of crime may be prescribed by Act of Parliament. Necessary restrictions on the secrecy of communications may also be provided by Act of Parliament in the investigation of offenses which endanger the security of society or of the individual or which disturb domestic peace, in legal proceedings and security checks as well as during deprivation of liberty.”
The Personal Data Protection Act 1999. The law replaced the 1987 Personal Data File Act to make Finnish law consistent with the EU Data Protection Directive. Coercive Criminal Investigations Means Act. Electronic surveillance and telephone tapping are governed by the Criminal Law. A judge can give permission to tap the telephone lines of a suspect if the suspect is liable for a jail sentence for crimes that are exhaustively listed in the Coercive Criminal Investigations Means Act. Electronic surveillance is possible, with the permission of the judge, if the suspect is accused of a drug related crime or a crime that can be punished with more than four years in jail. The Publicity (of Public Actions) Act (effective 1999). Replaces the Publicity of Official Documents Act of 1951. It provides for a general right to access any document created by a government agency, or sent or received by a government agency, including electronic records. Finland is a country that has traditionally adhered to the Nordic tradition of open access to government files. Miscellaneous Information
Finland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). Finland has signed and ratified the European Convention for the Protection of Human
COUNTRY-BY-COUNTRY SUMMARY
91
Rights and Fundamental Freedoms. Finland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
France Chief Privacy Officer/Minister
Political System Web URL
President—National Commission for Freedom of Information (The Commission Nationale de L’informatique et des Libertés (CNIL)) Republic www.cnil.fr
Description of Legislation
The Data Protection Act (effective 1978). The Act covers personal information held by government agencies and private entities. Anyone wishing to process personal data must register and obtain permission in many cases relating to processing by public bodies and for medical research. Individuals must be informed of the reasons for collection of information and may object to its processing either before or after it is collected. Individuals have rights to access information being kept about them and to demand the correction and, in some cases, the deletion of this data. Fines and imprisonment can be imposed for violations. Electronic Surveillance. Electronic surveillance is regulated by a 1991 law that requires permission of an investigating judge before a wiretap is installed. The duration of the tap is limited to four months and can be renewed.
The French Liberty of Communication Act (effective June 28, 2000). The Act requires all persons wishing to post content on the Internet to identify themselves, either to the public, by publishing their name and address on their Web site (in the case of a business) or to their host provider (in the case of a private individual). Earlier provisions, which would have imposed large penalties and jail sentences on anybody violating this requirement and required Internet Service Providers (ISPs) to check the accuracy of the personal details given to them, were dropped in the final version of the legislation. The law requires ISPs to keep logs of all data which could be used to identify a content provider in the case of later legal proceedings. ISPs are subject to the “professional secret” rule regarding this data, meaning that they cannot disclose it to anyone except a judge. Miscellaneous Information
France is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Germany Chief Privacy Officer/Minister Political System Web URL
German Federal Privacy Commissioner (Bundesbeauftragte für den Datenschutz) Federal Republic www.bfd.bund.de
92
INTERNATIONAL PRIVACY ISSUES
Description of Legislation
Article 10 of the Basic Law. “(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute. Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament.” Attempts to amend the Basic Law to include a right to data protection were discussed after reunification when the constitution was revised and were successfully opposed by the then-conservative political majority.
Federal Data Protection Law. The world’s first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law followed, which was reviewed in 1990. The general purpose of this law is “to protect the individual against violations of his personal right (Persönlichkeitsrecht) by handling person-related data.” The law covers collection, processing and use of personal data collected by public, federal, and state authorities (as long as there is no state regulation), and of non-public offices, as long as they process and use data for commercial or professional aims. “G10-Law.” Wiretapping is regulated by the “G10-Law” and requires a court order for criminal cases. In July 1999, the Constitutional Court issued a decision on a 1994 law which authorizes warrantless automated wiretaps (screening method) of international communications by the intelligence service (BND) for purposes of preventing terrorism and the illegal trade in drugs and weapons. The court ruled that the procedure did violate privacy rights protected by the Basic Law but that screening could continue as long as the intelligence service did not pass on the information to the local police and the Parliament must enact new rules by June 2001. The Telecommunications Carriers Data Protection Ordinance of 1996. The Ordinance protects privacy of telecommunications information.
The Information and Communication Services (Multimedia) Act of 1997. The Act sets protections for information used in computer networks. The Act also sets out the legal requirements for digital signatures. Miscellaneous Information
Germany is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Germany has been slow to update its law to make it consistent with the EU Directive. The European Commission announced in January 2000 that it was going to take Germany to court for failure to implement the directive. The Government on June 14 approved a draft bill.
COUNTRY-BY-COUNTRY SUMMARY
93
Greece Chief Privacy Officer/Minister Political System Web URL
The Protection of Personal Data Authority Parliamentary Democracy www.dpa.gr/
Description of Legislation
The Constitution of Greece. The Constitution recognizes the rights of privacy and secrecy of communications. Article 9 states, “(1) Each man’s home is inviolable. A person’s personal and family life is inviolable. No house searches shall be made except when and as the law directs, and always in the presence of representatives of the judicial authorities. (2) Offenders against the foregoing provision shall be punished for forced entry into a private house and abuse of power, and shall be obliged to indemnify in full the injured party as the law provides.” Article 19 states, “The privacy of correspondence and any other form of communication is absolutely inviolable. The law shall determine the guarantees under which the judicial authority is released from the obligation to observe the above-mentioned right, for reasons of national security or for the investigation of particularly serious crimes.”
The Law on the Protection of Individuals. The Law with regard to the Processing of Personal Data was approved in 1997.
Article 5 of the Greek Code of Administrative Procedure. The Article is a new Freedom of Information Act that provides citizens the right to access administrative documents created by government agencies. It replaces Law 1599/1986. Miscellaneous Information
Greece is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). Greece has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Greece is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Greece was the last member of the European Union to adopt a data protection law and its law was written to directly apply the EU Directive into Greek law.
Hong Kong Chief Privacy Officer/Minister Political System Web URL
Privacy Commissioner—Office of the Privacy Commissioner for Personal Data (PCO) Special Administrative Region of China www.pco.org.hk
Description of Legislation
Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Following the People’s Republic of China’s resumption of sovereignty over Hong
94
INTERNATIONAL PRIVACY ISSUES
Kong on July 1, 1997, the constitutional protections of privacy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Article 29 provides “The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited.” Article 30 provides, “The freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses.” Also relevant is Article 17 of the International Covenant on Civil and Political Rights, which was incorporated into Hong Kong’s domestic law with the enactment of the Bill of Rights Ordinance. Article 39 of the Basic Law provides that the Covenant as applied to Hong Kong shall remain in force and implemented through the laws of Hong Kong.
Personal Data (Privacy) Ordinance (effective December 1996). The statutory provisions adopt features of a variety of existing data protection laws and the draft version of the EU Directive is also reflected in several provisions. It sets six principles to regulate the collection, accuracy, use, and security of personal data as well as requiring data users to be open about data processing and conferring on data subjects the right to be provided a copy of their personal data and to effect corrections. The Ordinance does not differentiate between the public and private sectors, although many of the exemptions will more readily apply to the former. A broad definition of “personal data” is adopted so as to encompass all readily retrievable data recorded in all media that relates to an identifiable individual. It does not attempt to differentiate personal data according to its sensitivity. The Ordinance imposes additional restrictions on certain processing, namely data matching, transborder data transfers, and direct marketing. Data matching requires the prior approval of the Privacy Commissioner. The transfer of data to other jurisdictions is subject to restrictions that mirror those of the EU Directive. Also based on the directive is the requirement that upon first use of personal data for direct marketing purposes, a data user must inform the data subject of the opportunity to opt out from further approaches. The Personal Data (Privacy) Ordinance (enacted September 1995) covers both the public and private sectors, and the processing of both automated and manual data. It also creates an independent supervisory body with significant enforcement powers.
Telecommunications Ordinance and the Post Office Ordinance. The interception of communications is presently regulated by the Telecommunications Ordinance and the Post Office Ordinance. These enactments provide sweeping powers of interception upon public interest grounds. The vagueness of the powers and the lack of procedural safeguards are inconsistent with the International Covenant of Civil and Political Rights. The Basic Law permits postal staff to examine, on the spot, the contents of non-letter postal materials. Mail handed in or posted by users must be in accordance with the stipulations concerning the content allowed to be posted; postal enterprises and their branch offices have the right to request users to take out the contents for examination, when necessary. Miscellaneous Information
“Privacy.SAFE”—a privacy compliance self-assessment kit, to assist organizations in assessing whether their personal data management practices and procedures meet with the requirements of the Ordinance.
COUNTRY-BY-COUNTRY SUMMARY
95
Data Protection Principle 1 states that personal data shall be collected by means which are lawful and fair in the circumstances of the case, and that the data subject is explicitly or implicitly informed, on or before collecting the data, of whether it is obligatory or voluntary for him to supply the data, and the data collected are adequate but not excessive in relation to the purpose of collection. Data Protection Principle 2 requires that all practical steps shall be taken to ensure that personal data are accurate and personal data shall not be kept longer than is necessary for the fulfillment of the purpose. “Inaccurate data” are defined in the law as data which are “incorrect, misleading, incomplete or obsolete.” Data Protection Principle 1 states that the data subject is explicitly informed, on or before collecting the data, of the purpose for which the data are to be used. Data Protection Principle 3 requires prescribed consent from the data subject before personal data can be used for a different purpose from the one specified at the time of collection. There are exemptions to this principle, as defined in the Ordinance which takes into account the authority of law. Prescribed consent is required and there are specific conditions for change of use without consent from the data subject (e.g., national defense, prevention of crime, taxation assessment, health, etc.). Data Protection Principle 4 requires all practical steps shall be taken to ensure personal data held by a data user are protected against unauthorized access, processing, erasure, or other uses, with particular regard to physical location, data sensitivity, automatic systems security, data integrity, and people competence and data transmission.
Hungary Chief Privacy Officer/Minister Political System Web URL
The Parliamentary Commissioner for Data Protection and Freedom of Information Parliamentary Democracy www.obh.hu/
Description of Legislation
Constitution of the Republic of Hungary. “Everyone in the Republic of Hungary shall have the right to good reputation, the inviolability of the privacy of his home and correspondence, and the protection of his personal data.” In 1991, the Supreme Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.
Protection of Personal Data and Disclosure of Data of Public Interest. This legislation covers the collection and use of personal information in both the public sector and private sector. It is a combined Data Protection and Freedom of Information Act. Its basic principle is informational self-determination.
Telecommunications and a Government decree. In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF10 billion. Miscellaneous Information
Hungary is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No.
96
INTERNATIONAL PRIVACY ISSUES
108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Iceland Chief Privacy Officer/Minister Political System Web URL
Icelandic Data Protection Commission (Datatilsynet) Republic www.iceland.org
Description of Legislation
Constitution. “The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute.”
The Act on Protection of Individuals with regard to the Processing of Personal Data. This Act is the new law on the processing of personal information for government agencies and corporation enacted to ensure compliance with the EU Directive. The act covers both automated and manual processing of personal information. It also covers video surveillance and limits the use of National Identification Numbers. The Statistical Bureau of Iceland shall maintain a registry of individuals not willing to allow the use of their names in product marketing. It replaces the 1979 Act on the Registration and Handling on Personal Data.
Law on Criminal Procedure. This law on wiretapping, tape recording, or photographing without consent requires a court order and must be limited to a short period of time. After the recording is complete, the target must be informed and the recordings must be destroyed after they are no longer needed. The Freedom of Information Act of 1996 (Upplysingalög). This Act governs the release of records. Under the Act, individuals (including non-residents) and legal entities have a legal right to documents without having to show a reason for the document. There are exceptions for national security, commercial, and personal information. Copyrighted material can be provided to requestors but it is then their responsibility if they republish the materials in a manner inconsistent with the copyright. Denials can be appealed to the Information Committee. Miscellaneous Information
Iceland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Iceland is not an EU member state but has been granted associate status.
COUNTRY-BY-COUNTRY SUMMARY
97
India Chief Privacy Officer/Minister Political System Web URL
Cyber Appellate Tribunal Federal Republic www.mit.gov.in/
Description of Legislation
The Constitution. Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21 of the Constitution, which states, “No person shall be deprived of his life or personal liberty except according to procedure established by law.” Information Technology Act (effective May 2000). This Act is a set of laws intended to provide a comprehensive regulatory environment for electronic commerce. Chapter III of the bill gives electronic records and digital signatures legal recognition, and Chapter X creates a Cyber Appellate Tribunal to oversee adjudication of cybercrimes such as damage to computer systems (Section 43) and breach of confidentiality (Section 72). After strong criticism, sections requiring cybercafes to record detailed information about users were dropped. The legislation gives broad discretion to government law enforcers through a number of provisions—Section 69 allows for interception of any computer resource and requires that users disclose encryption keys or face a jail sentence up to seven years. Section 80 allows deputy superintendents of police to conduct searches and seize suspects without a warrant; Section 44 imposes stiff penalties on anyone who fails to provide requested information to authorities; and Section 67 imposes strict penalties for involvement in the publishing of materials deemed obscene in electronic form.
Indian Telegraph Act of 1885. Wiretapping is regulated under the Indian Telegraph Act of 1885. An order for a tap can be issued only by the Union home secretary or his counterparts in the states. A copy of the order must be sent to a review committee established by the high court. Tapped phone calls are not accepted as primary evidence in India’s courts. Miscellaneous Information
A draft Freedom of Information Act was introduced into the Parliament in July 2000. The bill would provide a general right to access information and create a National Council for Freedom of Information and State Councils. It contains seven broad categories of exemptions. The draft was heavily criticized by campaigners who said that the bill provided only limited access to government records. ISPs are barred from violating the privacy rights of their subscribers by virtue of the license to operate they are granted by the Department of Telecommunications.
Ireland Chief Privacy Officer/Minister Political System Web URL
Data Protection Commissioner Republic www.irlgov.ie
Description of Legislation
Irish Constitution. Although there is not an express reference to a right to privacy in the Irish Constitution, the Supreme Court has ruled an individual may invoke the personal rights
98
INTERNATIONAL PRIVACY ISSUES
provision in Article 40.3.1 to establish an implied right to privacy. This article provides that “The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens.” It was first used to establish an implied constitutional right in the case of McGee v. Attorney General, which recognized the right to marital privacy. This case has been followed by others such as Norris v. Attorney General and Kennedy and Arnold v. Ireland. In the latter case the Supreme Court ruled that the illegal wiretapping of two journalists was a violation of the constitution, stating: “The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State…The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This can not be insured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with.”
Data Protection Act (effective 1988). The Data Protection Act was passed in order to implement the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Act regulates the collection, processing, keeping, use, and disclosure of personal information processed by both the private and public sectors, but it only covers information which is automatically processed. Individuals have a right to access and correct inaccurate information. Information can only be used for specified and lawful purposes and cannot be improperly used or disclosed. Additional protections can be ordered for sensitive data. Criminal penalties can be imposed for violations. There are broad exemptions for national security, tax, and criminal purposes. Misuse of data is also criminalized by the Criminal Damage Act 1991. Interception of Postal Packets and Telecommunications Messages (Regulation) Act. Wiretapping and electronic surveillance is regulated under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act. The Act followed a 1987 decision of the Supreme Court ruling that wiretaps of journalists violated the constitution.
The Freedom of Information Act (effective April 1988). The Act creates a presumption that the public can access documents created by government agencies and requires that government agencies make internal information on their rules and activities available. The Office of the Information Commissioner enforces the act. Data Protection Order for Registration (effective January 9, 2001). The Data Protection Commission issued an order ordering telecommunications companies and Internet Service Providers to register their databases of customer information under the Data Protection Act of 1988. Miscellaneous Information
Ireland has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Ireland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It is also a member of the Council of Europe and as mentioned, it introduced the 1988 Data Protection Act to give effect to Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).
COUNTRY-BY-COUNTRY SUMMARY
99
Isle of Man, Territory of United Kingdom Chief Privacy Officer/Minister Political System
Data Protection Registrar Parliamentary Democracy British Columbia Dependent www.odpr.org
Web URL Description of Legislation
The Isle of Man Data Protection Act of 1986. This Act is based on the 1984 UK Data Protection Act. A Data Protection (Amendment) Bill is expected to be introduced in the 1999/2000 legislative programme. The Act is enforced by the Office of the Data Protection Registrar.
Israel Chief Privacy Officer/Minister Political System Web URL
Registrar of Databases Parliamentary Democracy www.israel.org
Description of Legislation
Section 7 of The Basic Law: Human Dignity and Freedom (1992). “(a) All persons have the right to privacy and to intimacy. (b) There shall be no entry into the private premises of a person who has not consented thereto. (c) No search shall be conducted on the private premises or body of a person, nor in the body or belongings of a person. (d) There shall be no violation of the secrecy of the spoken utterances, writings or records of a person.” According to Supreme Court Justice Mishael Cheshin, this elevated the right of privacy to the level of a basic right.
The Protection of Privacy Law. Regulates the processing of personal information in computer data banks. The law set out 11 types of activities that violate the law and could subject violators to criminal or civil penalties. Holders of data banks of over 10,000 names must register. Information in the database is limited to purposes for which it was intended and must provide access to the subject. There are broad exceptions for police and security services. It also sets up basic privacy laws relating to surveillance, publication of photographs, and other traditional privacy features. The law was amended in 1996 to broaden the databases covered to include such as those used for direct marketing purposes, and also to increase penalties.
Secret Monitoring Law of 1979. Amended in 1995 to tighten procedures and to cover new technologies such as cellular phones and e-mail. It also increased penalties for illegal taps and allowed interception of privileged communications such as those with a lawyer or doctor. The police must receive permission from the President of the District Court in order to intercept any form of wire or electronic communications or to plant microphones for a period up to three months, which can be renewed. Intelligence agencies may wiretap people suspected of endangering national security, after receiving written permission from the Prime Minister or Defense Minister.
1995 Computer Law. Unauthorized access to computers is punished by the 1995 Computer Law. The Postal and Telegraph Censor, which operates as a civil department within the Ministry of Defense, has the power to open any postal letter or package to prevent harm to state security or public order.
100
INTERNATIONAL PRIVACY ISSUES
The Freedom of Information Law (effective May 1998). Provides for broad access to records held by government offices, local councils, and government-owned corporations. Requests for information must be processed within 30 days. A court can review decisions to withhold information. A Jerusalem Post survey in June 1999 found that many agencies had not begun to prepare for the law. According to the ACLI, there have now been several court decisions on the new law, which is being used “effectively.”
Italy Chief Privacy Officer/Minister Political System Web URL
Supervisory Authority (“Garante”) for Personal Data Protection Republic www.governo.it
Description of Legislation
The 1948 Constitution. The Constitution has several limited provisions relating to privacy. Article 14 states, “(1) Personal domicile is inviolable. (2) Inspection and search may not be carried out save in cases and in the manner laid down by law in conformity with guarantees prescribed for safeguarding personal freedom. (3) Special laws regulate verifications and inspections for reasons of public health and safety, or for economic and fiscal purposes.” Article 15 states, “(1) The liberty and secrecy of correspondence and of every form of communication are inviolable. (2) Limitations upon them may only be enforced by decision, for which motives must be given, of the judicial authorities with the guarantees laid down by law.” The Italian Data Protection Act. The Data Protection Act was enacted in 1996 after twenty years of debate. The Act is intended to fully implement the EU Data Protection Directive. It covers both electronic and manual files, for both government agencies and the private sector. There have also been decrees approved relating to processing of personal information for journalistic purposes, for scientific or research purposes, health, and processing by public bodies. http://www.privacy.it/dl1998171.html.
Articles 266–271 of the penal procedure code. Wiretapping is regulated by articles 266–271 of the penal procedure code and may only be authorized in the case of legal proceedings. Government interceptions of telephone and all other forms of communications, must be approved by a court order. The law on computer crime includes penalties on interception of electronic communications. Interception orders are granted for 15 days at a time and can be extended for the same length of time by a judge. The judge also monitors procedures for storing recordings and transcripts. Any recordings or transcripts which are not used must be destroyed. The conversations of religious ministers, lawyers, doctors, or others subject to professional confidentiality rules can not be intercepted. EU Telecommunications Privacy Directive. In March 1998, the Parliament issued a legislative decree adopting the provisions of the EU Telecommunications Privacy Directive. Miscellaneous Information
Italy is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).
COUNTRY-BY-COUNTRY SUMMARY
101
It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The Garante ruled in October 1998 that phone companies need not mask the phone numbers on bills and that phone companies should allow for anonymous phone cards to protect privacy. The Garante has also held investigations into the Echelon surveillance system. There are also sectoral laws relating to workplace surveillance, statistical information, and electronic files and digital signatures. The Workers Charter prohibits employers from investigating the political, religious, or trade union opinions of their workers, and in general, any matter which is irrelevant for the purposes of assessing their professional skills and aptitudes. The 1993 computer crime law prohibits unlawfully using a computer system and intercepting computer communications.
Japan Chief Privacy Officer/Minister Political System Web URL
Government Information Systems Planning Division of the Management and Coordination Agency Constitutional Monarchy N/A
Description of Legislation
Article 21 of the 1946 Constitution. “Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed. 2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.” Article 35 states, “The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized…2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer.”
The 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs (enacted December 1988). This Act governs the use of personal information in computerized files held by government agencies. It is based on the OECD guidelines and imposes duties of security, access, and correction. Agencies must limit their collection to relevant information and publish a public notice listing their files systems. Information collected for one purpose cannot be used for a purpose “other than the file holding purpose.” The Act only covers the federal agencies, and only computer processing systems with personal data.
Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector. On March 4, 1997, the Ministry of International Trade and Industry (MITI) issued Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector.
The Law Concerning Access to Information Held by Administrative Organs. This law was approved by the Diet in May 1999 after 20 years of debate. The law allows any individual or company to request government information in electronic or printed form.
102
INTERNATIONAL PRIVACY ISSUES
Miscellaneous Information
Wiretapping is considered a violation of the Constitution’s right of privacy and has been authorized only a few times. Basic Resident Registers Law, granting Tokyo the authority to issue a 10-digit number to every Japanese citizen and resident alien, and requiring all citizens and resident aliens to provide basic information—name, date of birth, sex, and address—to the local police. Due to privacy concerns, the bill will be put into effect within three years of its passage on the condition that new privacy-protection legislation is enacted. The Ministry of Transportation announced in June 1999 a plan to issue “Smart Plates” license plates with embedded IC chips by 2001. The chips will contain driver and vehicle information and be used for road tolls and traffic control. In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the granting of “privacy marks” to businesses committing to the handling of the personal data in accordance with the MITI guidelines, and to promote awareness of privacy protection for consumers. The “privacy mark” system is administered by the Japan Information Processing Development Center (JIPDEC)—a joint public/private agency. Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy protection mark. It is assumed that they will then be penalized by market forces. Japan is a member of the Organization for Economic Cooperation and Development and a signatory to the OECD Guidelines on Privacy and Transborder Dataflows.
Latvia Chief Privacy Officer/Minister Political System Web URL
Data Protection Inspectorate Parliamentary Democracy www.mk.gov.lv/eng/
Description of Legislation
Constitutional Law on Rights and Obligations of a Citizen and a Person. “(1) The State guarantees the confidentiality of correspondence, telephone conversations, telegraph and other communications. (2) These rights may be restricted by a judge’s order for the investigation of serious crimes.”
The Law on Personal Data Protection (effective March 23, 2000). The law is based on the EU Data Directive and the Council of Europe Convention No. 108. The bill will also create a Data Protection Inspectorate. The approval follows several years of EU pressure to adopt the law.
The Law on Freedom of Information (effective November 1998). Guarantees public access to all information in “any technically feasible form” not specifically restricted by law. Individuals may use it to obtain their own records. Information can only be limited if there is a law authorizing the withholding, or if the information is for the internal use of an institution, constitutes trade secrets, or concerns the private life of an individual.
Penal Code. The Penal Code states that it is unlawful to interfere with correspondence. Wiretapping or interception of postal communications requires the permission of a court.
COUNTRY-BY-COUNTRY SUMMARY
103
Miscellaneous Information
Latvia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) on February 11, 2000. It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Lithuania Chief Privacy Officer/Minister Political System Web URL
The State Data Protection Inspectorate Parliamentary Democracy www.lrvk.lt
Description of Legislation
Article 22 of the Constitution. “The private life of an individual shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other intercommunications shall be inviolable. Information concerning the private life of an individual may be collected only upon a justified court order and in accordance with the law. The law and the court shall protect individuals from arbitrary or unlawful interference in their private or family life, and from encroachment upon their honor and dignity.” Law on Legal Protection of Personal Data (effective 1996, amended March 1998). This law was amended in March 1998 to extend it to computerized information held by private controllers. The Law regulates the processing of all types of personal data, not just in state information systems. It defines the time and the general means of protecting personal data and sets rights of access and correction. It also sets rules on the collecting, processing, transferring, and using of data. The Administrative Code defines various monetary penalties in cases of the infringement of the processing and use of data.
The Penal Code of the Republic of Lithuania. There are specific privacy protections in laws relating to telecommunications, radio communications, statistics, the population register, and health information. The Penal Code of the Republic of Lithuania provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves, and impact on computer information. Wiretapping requires a warrant issued by the Prosecutor General.
The 1996 Law on the Provision of Information to the Public. This Law provides for a limited right of access to official documents and to documents held by political parties, political and public organizations, trade unions, and other entities. Miscellaneous Information
Lithuania is in the process of preparing for membership in the EU and has a National Program for the Adoption of EU Regulations. It is a member of the Council of Europe but has not yet signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
104
INTERNATIONAL PRIVACY ISSUES
Luxembourg Chief Privacy Officer/Minister
The Commission à la Protection des Données Nominatives Constitutional Monarchy www.gouvernement.lu/gouv/fr/gouv/
Political System Web URL Description of Legislation
Article 28 of the Constitution. “(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams.”
Act Concerning the Use of Nominal Data in Computer Processing (effective 1979). The law pertains to individually identifiable data in both public and private computer files. It also requires licensing of systems used for the processing of personal data. The law considers all personal data to be sensitive, although special provisions may be applied to medical and criminal information. For personal data processing by the private sector, an application must first be made to the Minister for Justice who thereafter issues an authorization for such processing to take place.
Articles 88-1 and 88-2 of the Criminal Code. Telephone tapping is regulated by articles 88-1 and 88-2 of the Criminal Code. Judicial wiretaps are authorized if it can be shown: that a serious crime or infringement, punishable by two or more years imprisonment, is involved; that there is sufficient evidence to suspect that the subject of the interception order committed or participated in the crime or received or transmitted information to/from or concerning the accused; and that ordinary investigative techniques would be inadequate under the circumstances. Miscellaneous Information
There is no general freedom of information law in Luxembourg. Under the 1960 decree on state archives, the archives are to be open to the public, but citizens must make a written request explaining why they want access and ministers have broad discretion to deny requests. The government announced in August 1999 that it was planning to develop a new press bill including a right to access records. Luxembourg is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Malaysia Chief Privacy Officer/Minister Political System Web URL
N/A Constitutional Monarchy www.smpke.jpm.my
COUNTRY-BY-COUNTRY SUMMARY
105
Description of Legislation
Communications and Multimedia Act (effective 1998). This Act has several sections on telecommunications privacy. Section 234 prohibits unlawful interception of communications. Section 249 sets rules for searches of computers and includes access to encryption keys. Section 252 authorizes police to intercept communications without a warrant if a public prosecutor considers that a communication is likely to contain information that is relevant to an investigation.
The Digital Signature Act of 1997 and the Computer Crime Act of 1997. Section 8 of the Computer Crime Act allows police to inspect and seize computing equipment of suspects without a warrant or any notice. The suspect is also required to turn over all encryption keys for any encrypted data on his equipment. The act also outlaws eavesdropping, tampering with or falsifying data, sabotage through computer viruses or worms, among a host of cybercrimes.
National Registration Department Voluntary Smart Cards for Infants (effective March 15, 2001). The Malaysian National Registration Department announced that it would issue voluntary chip-based ID cards to all newborn children. It would include number, name, parents’ names, address, and citizenship status. It will later include the blood group of the child and other health information. The card would be used to identify children registering for school and for medical care. Miscellaneous Information
The Ministry of Energy, Communications, and Multimedia is drafting a Personal Data Protection Act that will create legal protections for personal data as part of the “National Electronic Commerce Master Plan.” Secretary-General Datuk Nuraizah Abdul Hamid said the purpose of the Bill was to ensure secrecy and integrity in the collection, processing, and utilization of data transmitted through the electronic network. The Ministry is looking at the OECD Guidelines, EU Data Directive and the UK, Hong Kong, and New Zealand legislation as models for the act. The bill has been delayed for several years as the Ministry has watched international developments such as the U.S./EU Safe Harbor negotiations.
Mexico Chief Privacy Officer/Minister Political System Web URL
N/A Federal Republic www.presidencia.gob.mx
Description of Legislation
Article 16 of the 1917 Mexican Constitution. “One’s person, family, home, papers or possessions may not be molested, except by virtue of a written order by a proper authority, based on and motivated by legal proceedings. The administrative authority may make home visits only to certify compliance with sanitary and police rules; the presentation of books and papers indispensable to verify compliance with the fiscal laws may be required in compliance with the respective laws and the formalities proscribed for their inspection. Correspondence, under the protective circle of the mail, will be free from all inspection, and its violation will be punishable by law.”
106
INTERNATIONAL PRIVACY ISSUES
Mexican E-Commerce Act (effective June 7, 2000). The law amends the Civil Code, the Commercial Code, the Rules of Civil Procedure and the Consumer Protection Act. It covers consumer protection, privacy, and digital signatures and electronic documents. It includes a new article in the Federal Consumer Protection Act giving authority to the government “to provide for the effective protection of the consumer in electronic transactions or concluded by any other means, and the adequate use of the data provided by the consumer” (Art. 1.VIII); and also to coordinate the use of Code of Ethics by providers including the principles of this law. The law also creates a new chapter in the Consumer Law titled: “Rights of Consumers in electronic transactions and transactions by any other means.” The new article 76 now provides, “This article will be applied to the relation between providers and consumers in transactions effectuated by electronic means. The following principles must be observed: I. Providers shall use information provided by consumers in a confidential manner, and shall not be able to transfer it to third parties, unless there is express consent from the consumer or a requirement from a public authority…II. Providers must use technical measures to provide security and confidentiality to the information submitted by the consumer, and notify the consumer, before the transaction, of the characteristics of the system…VI. Providers must respect consumer decisions not to receive commercial solicitations…”
Chapter 6 of Mexico’s Postal Code. The Postal code recognizes the inviolability of correspondence and guarantees the privacy of correspondence. The 1939 General Communication Law provides penalties for interrupting communications and divulging secrets. The Law Against Organized Crime (effective November 1996). This law allows for electronic surveillance with a judicial order. The law prohibits electronic surveillance in cases of electoral, civil, commercial, labor, or administrative matters and expands protection against unauthorized surveillance to cover all private means of communications, not merely telephone calls. Miscellaneous Information
Mexico is a member of the Organization for Economic Cooperation and Development, but does not appear to have adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Mexico has also signed the American Convention on Human Rights.
Netherlands Chief Privacy Officer/Minister Political System Web URL
Registratiekamer; The Registration Chamber Constitutional Monarchy www.registratiekamer.nl
Description of Legislation
The Constitution. The Constitution grants citizens an explicit right to privacy. Article 10 states, “(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them and of the use that is made thereof, and to have such data corrected shall be laid down by
COUNTRY-BY-COUNTRY SUMMARY
107
Act of Parliament.” Article 13 states, “(1) The privacy of correspondence shall not be violated except, in the cases laid down by Act of Parliament, by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorization of those designated for the purpose by Act of Parliament.”
The Personal Data Protection Act of 2000. This bill is a revised and expanded version of the 1988 Data Registration Act and brings Dutch law in line with the European Data Protection Directive and regulates the disclosure of personal data to countries outside of the European Union. The Act replaces the Data Registration Act of 1988. The new law went into effect in January 2001.
Criminal code. Interception of communications is regulated by the criminal code and requires a court order.
Telecommunications Act (effective December 1998). This Act requires that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain users logs for three months. The bill was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. The Dutch Forensics Institute has developed a so-called “black-box” that is used to intercept Internet traffic at an ISP. The black box is under control of the ISP and is turned on after receiving a court order. The box is believed to look at authentication traffic of the person to wiretap and divert the person’s traffic to law enforcement if that person is on-line. The new Telecommunications Act also implements the EU Telecommunications Privacy Directive. The Special Investigation Powers Act of 2000 regulates the use of bugging devices and directional microphones by law enforcement. The Intelligence services do not need a court order for interception, but obtain their authorization from the responsible minister.
The Government Information (Public Access) Act of 1991. This Act is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the “economic or financial interest of the state,” investigation of criminal offenses, inspections by public authorities, or personal privacy. However, these exemptions must be balanced against the importance of the disclosure. Requestors can appeal denials to an administrative court which renders the final decision. Miscellaneous Information
The Netherlands is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
New Zealand Chief Privacy Officer/Minister Political System Web URL
Privacy Commissioner—Data Protection/privacy commission for New Zealand Parliamentary Democracy www.privacy.org.nz
108
INTERNATIONAL PRIVACY ISSUES
Description of Legislation
Article 21 of the Bill of Rights Act 1990. “Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise.” The Human Rights Act 1994 prohibits discrimination.
New Zealand’s Privacy Act. This Act regulates the collection, use, and dissemination of personal information in both the public and private sectors. It also grants to individuals the right to have access to personal information held about them by any agency. The Privacy Act applies to “personal information,” which is any information about an identifiable individual, whether automatically or manually processed. Recent case law has held that the definition also applies to mentally processed information. The news media are exempt from the Privacy Act in relation to their news activities. The Act creates twelve Information Privacy Principles generally based on the 1980 OECD guidelines and the information privacy principles in Australia’s Privacy Act 1988.
The New Zealand Crimes Act and Misuse of Drugs Act. These Acts govern the use of evidence obtained by listening devices. Judicial warrants may be granted for bugging premises or interception of communications. Emergency permits may be granted for the bugging of premises and, following the 1997 repeal of a prohibition, for telephonic interceptions. New Zealand Security Intelligence Service Act of 1969. The New Zealand Security Intelligence Service (NZSIS) is also permitted to carry out electronic interceptions under the New Zealand Security Intelligence Service Act of 1969. Miscellaneous Information
New Zealand is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. New Zealand is one of six countries involved in a European Commission study of methods of assessing whether laws of “third countries” meet the provisions of the EU data protection directive.
Norway Chief Privacy Officer/Minister Political System Web URL
Datatilsynet—The Data Inspectorate Constitutional Monarchy www.datatilsynet.no
Description of Legislation
General Legal Protection of “Personality.” The Norwegian Supreme Court has held that there exists in Norwegian law a general legal protection of “personality” which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis. This protection was first recognized in 1952.
The Personal Data Registers Act of 2000 (effective April 14, 2000). It is designed to update Norwegian law and closely follows the EU Directive, even though Norway is not a member of the EU. The new law also sets specific rules on video surveillance and biometrics. It replaces the Personal Data Registers Act of 1978.
COUNTRY-BY-COUNTRY SUMMARY
109
The Telecommunications Act. This Act imposes a duty of confidentiality on telecommunications providers. However, the Telecommunications Authority can demand information for investigations. The Norwegian police in January 2000 called for new laws requiring telecommunications providers and Internet Service Providers keep extensive logs of usage for six months to one year.
The Public Access to Documents in the (Public) Administration. This Act provides for public access to government records. Under the Act, there is a broad right of access to records. The Act has been in effect since 1971. The Act does not apply to records held by the Storting (Parliament), the Office of the Auditor General, the Storting’s Ombudsman for Public Administration, or other institutions of the Storting. There are exemptions for internal documents; information that “could be detrimental to the security of the realm, national defense or relations with foreign states or international organizations”; subject to a duty of secrecy; “in the interests of proper execution of the financial, pay or personnel management”; the minutes of the Council of State, photographs of persons entered in a personal data register; complaints, reports, and other documents concerning breaches of the law; answers to examinations or similar tests; and documents prepared by a ministry in connection with annual fiscal budgets. The King can make a determination that historical documents in the archive that are otherwise exempted can be publicly released. If access is denied, individuals can appeal to a higher authority under the act and then to a court. Miscellaneous Information
Wiretapping requires the permission of a tribunal and is initially limited to four weeks. Norway is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Norway is a party to the 1992 Agreement on the European Economic Area (EEA). As such, it is required to comply with the EU Directive before it is formally incorporated into the EEA.
Paraguay Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.paraguaygobierno.gov.py
Description of Legislation
Data Protection Act (effective December 28, 2000). Processing of sensitive information is not permitted, and information about economic status requires prior written approval of the individual. The courts will be able to apply fines and sanctions.
Peru Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.rcp.net.pe
110
INTERNATIONAL PRIVACY ISSUES
Description of Legislation
The 1993 Constitution. The Constitution sets out extensive privacy, data protection, and freedom of information rights. Article 2 states, “Every person has the right: To solicit information that one needs without disclosing the reason, and to receive that information from any public entity within the period specified by law, at a reasonable cost. Information that affects personal intimacy and that is expressly excluded by law or for reasons of national security is not subject to disclosure. Secret bank information or tax information can be accessed by judicial order, the National Prosecutor, or a Congressional investigative commission, in accordance with law and only insofar as it relates to a case under investigation. V. To be assured that information services, whether computerized or not, public or private, do not provide information that affects personal and family intimacy. VI. To honor and good reputation, to personal and family intimacy, both as to voice and image. Every person affected by untrue or inexact statements or aggrieved by any medium of social communication has the right to free, immediate and proportional rectification, without prejudice to responsibilities imposed by law. . .IX. To secrecy and the inviolability of communications and private documents. Communications, telecommunications or instruments of communication may be opened, seized, intercepted or inspected only under judicial authorization and with the protections specified by law. All matters unconnected with the fact that motivates the examination are to be guarded from disclosure. Private documents obtained in violation of this precept have no legal effect. Books, ledgers, and accounting and administrative documents are subject to inspection or investigation by the competent authority in conformity with law. Actions taken in this respect may not include withdrawal or seizure, except by judicial order.” Freedom of information is constitutionally protected under the right of habeas data.
Penal Code. Article 154 of the Penal Code states that “a person who violates personal or family privacy, whether by watching, listening to or recording an act, a word, a piece of writing or an image using technical instruments or processes and other means, shall be punished with imprisonment for not more than two years.” Article 151 of the Penal Code states “that a person who unlawfully opens a letter, document, telegram, radiotelegram, telephone message or other document of a similar nature that is not addressed to him, or unlawfully takes possession of any such document even if it is open, shall be liable to imprisonment of not more than 2 years and to 60 to 90 days’ fine.”
Telecommunications and Wiretapping Law (effective July 12, 2001). Law gives government sweeping powers to monitor private telephone calls. The state through Osiptel (Peru’s largest telephone provider) can know who called, with whom they spoke, when they spoke, and from where they spoke. Miscellaneous Information
Peru signed the American Convention on Human Rights on July 28, 1978, but withdrew from the jurisdiction of the American Court of Human Rights in July 1999.
Philippines Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.gov.ph
COUNTRY-BY-COUNTRY SUMMARY
111
Description of Legislation
The 1987 Constitution. Article III of the 1987 Constitution protects the right of privacy. Section 2 states, “The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.” Section 3 states, “(1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law. (2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.” Section 7 states, “The right of the people to information on matters of public concern shall be recognized. Access to official records, and to documents and papers pertaining to official acts, transactions, or decisions, as well as to government research data used as basis for policy development, shall be afforded the citizen, subject to such limitations as may be provided by law.”
1998 Access Devices Regulation Act. In May 2000, the ILOVEYOU e-mail virus was traced to a hacker in the Philippines, focusing international attention on the country’s cyberlaw regime. The lack of any Internet-specific laws frustrated investigation efforts, and prosecutors finally were able to gain a warrant under the 1998 Access Devices Regulation Act, a law intended to punish credit card fraud that outlaws the use of unauthorized access devices to obtain goods or services broadly.
Republic Act 8972, the Electronic Commerce Act of 2000. Sections 8, 9, and 10 of the law give legal status to data messages, electronic writing, and digital signatures, making them admissible in court. Section 23 mandates a minimum fine of PP100,000 and a prison term of 6 months to 3 years for unlawful and unauthorized access to computer systems, and extends the consumer act, RA7394, to transactions using data messages. Section 21 of the Act requires the government to transact business with citizens through the Web. President Estrada signed the Implementing Rules and Regulations for the Act in July of 2000.
The Anti-Wiretapping Law. This law requires a court order to obtain a telephone tap. The court order is to be awarded only if: 1) the wiretap is used to pursue the commission of certain crimes including treason, espionage, or sedition, 2) there are reasonable grounds to believe that evidence gained will be essential to conviction, and 3) there are no other means of obtaining the evidence. Miscellaneous Information
There is no general data protection law but there is a recognized right of privacy in civil law. The Civil Code also states that “[e]very person shall respect the dignity, personality, privacy, and peace of mind of his neighbors and other persons,” and punishes acts that violate privacy by private citizens, public officers, or employees of private companies.
Poland Chief Privacy Officer/Minister Political System Web URL
Bureau of Inspector General for the Protection of Personal Data Republic www.giodo.gov.pl
112
INTERNATIONAL PRIVACY ISSUES
Description of Legislation
The Polish Constitution. Article 47 states, “Everyone shall have the right to legal protection of his private and family life, of his honor and good reputation and to make decisions about his personal life.” Article 51 states, “(1) No one may be obliged, except on the basis of statute, to disclose information concerning his person. (2) Public authorities shall not acquire, collect nor make accessible information on citizens other than that which is necessary in a democratic state ruled by law. (3) Everyone shall have a right of access to official documents and data collections concerning himself. Limitations upon such rights may be established by statute. (4) Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. (5) Principles and procedures for collection of and access to information shall be specified by statute.”
The Law on the Protection of Personal Data Protection (effective April 1998). The law is based on the European Union Data Protection Directive. Under the Law, personal information may only be processed with the consent of the individual. Everyone has the right to verify his or her personal records held by government agencies or private companies. Every citizen has the right to be informed whether such databases exist and who administers them; queries should be answered within 30 days. Upon finding out that data is incorrect, inaccurate, outdated, or collected in a way that constitutes a violation of the Act, citizens have the right to request that the data be corrected, filled in, or withheld from processing. Personal information cannot generally be transferred outside of Poland unless the country has “comparable” protections. A 1998 regulation from the Minister of Internal Affairs and Administration sets out standards for the security of information systems that contain personal information. Code of Penal Procedure (effective September 1998). The Procedures state telephones can be tapped only after the person in charge of the investigation has obtained permission from a court. In special instances, the prosecutor has the right to authorize a wiretap, but the decision must be confirmed by a court within five days. The law specifies for which cases the interception of communications may be authorized. Classified Information Protection Act (effective January 1999). This Act was adopted as a condition to entering NATO. The act covers classified information or information collected by government agencies that disclosure “might damage interests of the state, public interests, or lawfully protected interests of citizens or of an organization.”
Access to Information Act (effective July 26, 2001). Provides for access to records held by government agency and private actors performing public duties. Agencies will be required to post public information in the Public Information Bulletin. Miscellaneous Information
There is no general freedom of information act in Poland. Poland is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in April 1999 but has not yet ratified it. Poland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Poland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
COUNTRY-BY-COUNTRY SUMMARY
113
Portugal Chief Privacy Officer/Minister
Political System Web URL
National Data Protection Commission (Comissão Nacional de Protecção de Dados - CNPD) Parliamentary Democracy www.cnpd.pt
Description of Legislation
Portuguese Constitution. Article 26 states, “(1) Everyone’s right to his or her personal identity, civil capacity, citizenship, good name and reputation, image, the right to speak out, and the right to the protection of the intimacy of his or her private and family life is recognized. (2) The law establishes effective safeguards against the abusive use, or any use that is contrary to human dignity, of information concerning persons and families. (3) A person may be deprived of citizenship or subjected to restrictions on his or her civil capacity only in cases and under conditions laid down by law, and never on political grounds.” Article 34 states, “(1) The individual’s home and the privacy of his correspondence and other means of private communication are inviolable. (2) A citizen’s home may not be entered against his will, except by order of the competent judicial authority and in the cases and according to the forms laid down by law. (3) No one may enter the home of any person at night without his consent. (4) Any interference by public authority with correspondence or telecommunications, apart from the cases laid down by law in connection with criminal procedure, are prohibited.” In 1997, Article 35 of the Constitution was amended to give citizens a right to data protection. The new Article 35 states, “1. All citizens have the right of access to any computerised data relating to them and the right to be informed of the use for which the data is intended, under the law; they are entitled to require that the contents of the files and records be corrected and brought up to date. 2. The law shall determine what is personal data as well as the conditions applicable to automatic processing, connection, transmission and use thereof, and shall guarantee its protection by means of an independent administrative body. 3. Computerised storage shall not be used for information concerning a person’s ideological or political convictions, party or trade union affiliations, religious beliefs, private life or ethnic origin, except where there is express consent from the data subject, authorisation provided for under the law with guarantees of non-discrimination or, in the case of data, for statistical purposes, that does not identify individuals. 4. Access to personal data of third parties is prohibited, except in exceptional cases as prescribed by law. 5. Citizens shall not be given an allpurpose national identity number. 6. Everyone shall be guaranteed free access to public information networks and the law shall define the regulations applicable to the transnational data flows and the adequate norms of protection for personal data and for data that should be safeguarded in the national interest. 7. Personal data kept on manual files shall benefit from protection identical to that provided for in the above articles, in accordance with the law.” The 1998 Act on the Protection of Personal Data. This Act adopts the EU Data Protection requirements into Portuguese law. It limits the collection, use, and dissemination of personal information in manual or electronic form. It also applies to video surveillance or “other forms of capture, processing and dissemination of sound and images.” It replaces the 1991 Act on the Protection of Personal Data with Regard to Automatic Processing.
114
INTERNATIONAL PRIVACY ISSUES
Penal Code. Provisions against unlawful surveillance and interference with privacy. Evidence obtained by any violation of privacy, the home, correspondence, or telecommunications without the consent of the interested party is null and void.
Law n° 65/93, of 26 August 1993. This law provides for access to government records in any form by any person. Documents can be withheld for “internal or external security,” secrecy of justice, and personal privacy. Miscellaneous Information
Portugal is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Russia Chief Privacy Officer/Minister Political System Web URL
N/A Republic www.government.gov.ru/english
Description of Legislation
The Constitution of the Russian Federation. The Constitution recognizes rights of privacy, data protection, and secrecy of communications. Article 23 states, “1. Everyone shall have the right to privacy, to personal and family secrets, and to protection of one’s honor and good name. 2. Everyone shall have the right to privacy of correspondence, telephone communications, mail, cables and other communications. Any restriction of this right shall be allowed only under an order of a court of law.” Article 24 states, “1. It shall be forbidden to gather, store, use and disseminate information on the private life of any person without his/her consent. 2. The bodies of state authority and the bodies of local self-government and the officials thereof shall provide to each citizen access to any documents and materials directly affecting his/her rights and liberties unless otherwise stipulated under the law.” Article 25 states, “The home shall be inviolable. No one shall have the right to enter the home against the will of persons residing in it except in cases stipulated by the federal law or under an order of a court of law.” The Russian Supreme Court ruled in 1998 that regulations requiring individuals to register and obtain permission from local officials before they could live in Moscow violated the Constitution. Russian Federation on Information, Informatization, and Information Protection (effective January 1995). The Duma approved the Law of the Russian Federation on Information, Informatization, and Information Protection in January 1995. The law covers both the government and private sectors and licenses the processing of personal information by the private sector. It imposes a code of fair information practices on the processing of personal information. It prohibits the use of personal information to “inflict economic or moral damage on citizens.” The use of sensitive information (social origin, race, nationality, language, religion, or party membership) is also prohibited. Citizens and organizations have the right of access to the documented information about them, to correct it, and supplement it.
COUNTRY-BY-COUNTRY SUMMARY
115
Law of the Russian Federation on Information, Informatization, and Information Protection also serves as a Freedom of Information law.
1995 Communications Act. Secrecy of communications is protected by the 1995 Communications Act. The tapping of telephone conversations, scrutiny of electric-communications messages, delay, inspection, and seizure of postal mailings and documentary correspondence, receipt of information therein, and other restriction of communications secrets are allowed only on the basis of a court order.
System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2). In 1998, the FSB issued a secret ministerial act named the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require Internet Service Providers to install surveillance devices and high speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant. ISPs would be required to pay for the costs of installing and maintaining the devices. Most ISPs have not publicly resisted the FSB demands to install the devices but one ISP in Volgograd, Bayard Slavia Communication, challenged the FSB demands to install the system. The local FSB and Ministry of Communication attempted to have their license revoked but backed off after the ISP challenged their decision in court. A lawyer in Irkutsk sued, challenging the legality of the declaration and the Supreme Court ruled in May 2000 that the SORM-2 was not a valid ministerial act because it failed several procedural requirements. The case is now pending before a trial court. Miscellaneous Information
The Russian law does not establish a central regulatory body for data protection and it is not clear that it has been effective. Its application to the Internet has also been limited. The law specifies that responsibility for data protection rests with the data controllers. The law is overseen by the Committee of the State Duma on Information and Informatization and the State Committee on Information and Informatization under the Russian President Authority. Russia is a member of the Council of Europe but has not signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Singapore Chief Privacy Officer/Minister Political System Web URL
N/A Parliamentary Republic www.ida.gov.sg
Description of Legislation
“E-Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce.” In September 1998, the National Internet Advisory Board released an industry-based self-regulatory “E-Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce.” The code encourages providers to ensure the confidentiality of business records and personal information of users,
116
INTERNATIONAL PRIVACY ISSUES
including details of usage or transactions, would prohibit the disclosure of personal information, and would require providers not to intercept communications unless required by law. The code would also limit collection and prohibit disclosure of personal information without informing the consumer and giving them an option to stop the transfer, ensure accuracy of records and provide a right to correct or delete data. According to the Singapore Broadcast Authority, in 1999, the Code was adopted by CaseTrust and incorporated into its Code of Practice as part of an accreditation scheme promoting good business practices among store-based and Web-based retailers. CaseTrust is a joint project operated by the Consumers Association of Singapore, CommerceNet Singapore Limited and the Retail Promotion Centre in Singapore. The Infocomm Development Authority announced in March 2000 that it would endorse the TRUSTe system as “an industry ‘trustmark’seal.”
Computer Misuse (Amendment) Act, the Electronic Transactions Act and the National Computer Board (Amendment) Act (effective July 1998). The CMA prohibits the unauthorized interception of computer communications. The CMA also provides the police with additional powers of investigations. Under the amended Act, it is now an offense to refuse to assist the police in an investigation. Amendments also widened the provisions allowing the police lawful access to data and encrypted material in their investigations of offenses under the CMA as well as other offenses disclosed in the course of their investigations. Such power of access requires the consent of the Public Prosecutor. The Electronic Transactions Act imposes a duty of confidentiality on records obtained under the act and imposes a maximum SG$10,000 fine and 12 month jail sentence for disclosing those records without authorization. Police have broad powers to search any computer and to require disclosure of documents for an offense related to the act without a warrant.
Guidelines Regulating Scanning of Computers by ISPs (effective January 7, 2001). The infocomm Development Authority of Singapore issued guidelines regulating the scanning of computers by ISPs. The guidelines were issued following a controversial scanning of 200,000 SingNet user’s computers by the Ministry of Home Affairs. Miscellaneous Information
The Singapore Constitution is based on the British system and does not contain any explicit right to privacy. The High Court has ruled that personal information may be protected from disclosure under a duty of confidences. There is no general data protection or privacy law in Singapore. All of the Internet Services Providers are operated by government-owned or governmentcontrolled companies.
Slovakia Chief Privacy Officer/Minister Political System Web URL
Commissioner for the Protection of Personal Data in Information Systems Parliamentary Democracy www.government.gov.sk
Description of Legislation
The 1992 Constitution. The Constitution provides for protections for privacy, data protection, and secrecy of communications. Article 16 states, “(1) The inviolability of the person and
COUNTRY-BY-COUNTRY SUMMARY
117
its privacy is guaranteed. It can be limited only in cases defined by law.” Article 19 states, “(1) Everyone has the right to the preservation of his human dignity and personal honor, and the protection of his good name. (2) Everyone has the right to protection against unwarranted interference in his private and family life. (3) Everyone has the right to protection against the unwarranted collection, publication, or other illicit use of his personal data.” Article 22 states “(1) The privacy of correspondence and secrecy of mailed messages and other written documents and the protection of personal data are guaranteed. (2) No one must violate the privacy of correspondence and the secrecy of other written documents and records, whether they are kept in private or sent by mail or in another way, with the exception of cases to be set out in a law. Equally guaranteed is the secrecy of messages conveyed by telephone, telegraph, or other similar means.”
The Act on Protection of Personal Data in Information Systems (effective March 1998). The Act replaces the previous 1992 Czechoslovakian legislation. The new act closely tracks the EU Data Protection Directive and limits the collection, disclosure, and use of personal information by government agencies and private enterprises either in electronic or manual form. It creates duties of access, accuracy and correction, security, and confidentiality on the data processor. Processing of information on racial, ethnic, political opinions, religion, philosophical beliefs, trade union membership, health, and sexuality is forbidden. Transfers to other countries are limited unless the country has “adequate” protection. All systems are required to be registered with the Statistical Office of the Slovak Republic.
Code of Criminal Procedure. The police are required to obtain permission from a court or prosecutor before undertaking any telephone tapping.
Article 11 of the Civil Code. Per this Article “everyone shall have the right to be free from unjustified interference in his or her privacy and family life.” There are also computer-related offenses linked with the protection of a person (unjustified treatment of a personal data). The Slovak Constitutional Court ruled in March 1998 that the law allowing public prosecutors to demand to see the files or private correspondence of political parties, private citizens, trade union organizations and churches, even when not necessary for prosecution, was unconstitutional. Court chairman Milan Cic said this was “not only not usual, but opens the door to widespread violation of peoples’ basic rights and their right to privacy.”
The Act on Free Access to Information (effective May 2000). It sets broad rules on disclosure of information held by the government. There are limitations on information that is classified, a trade secret, would violate privacy, was obtained “from a person not required by law to provide information, who upon notification of the Obligee instructed the Obligee in writing not to disclose information,” or “concerns the decision-making power of the courts and law enforcement bodies.” Miscellaneous Information
Slovakia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in April 2000. It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
118
INTERNATIONAL PRIVACY ISSUES
Slovenia Chief Privacy Officer/Minister Political System Web URL
Inspectorate Parliamentary Democratic Republic www.sigov.si
Description of Legislation
The 1991 Constitution. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, “The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights.” Article 37 on the Protection of Privacy of Post and Other Means of Communication states, “The privacy of the post and of other means of communication shall be guaranteed. In accordance with statute, a court may authorize action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security.” Article 38 on the Protection of Personal Data states, “The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of same.” Law on Personal Data Protection (effective August 1999). The new law is based on the EU Data Protection Directive and the COE Convention No. 108. It replaces the 1990 act. The new act will create an “Inspectorate” to supervise and enforce. The previous law had a limited oversight of personal data protection practices. However, the Human Rights Ombudsman had issued numerous decisions on data protection. The Law on National Statistics. This law regulates the privacy of information collected for statistical purposes.
The Law on Telecommunications. This law requires telecommunications service providers to “guarantee the confidentiality of transmitted messages and of personal and non-personal data known only to them.”
The Electronic Commerce and Electronic Signature Act. This Act, approved in June 2000, regulates electronic commerce, which includes commerce in the electronic form on distance by the use of information and communication technology and use of electronic signature in legal affairs, including electronic commerce in judicial, administrative and other similar procedures, unless provided otherwise by law.
Miscellaneous Information. Slovenia is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
COUNTRY-BY-COUNTRY SUMMARY
119
South Africa Chief Privacy Officer/Minister Political System Web URL
Human Rights Commission Republic www.gov.za
Description of Legislation
Section 14 of the South African Constitution of 1996. “Everyone has the right to privacy, which includes the right not to have—(a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed.” Section 32 states, “(1) Everyone has the right of access to—(a) any information held by the state, and; (b) any information that is held by another person and that is required for the exercise or protection of any rights; (2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state.” The interim Constitution contained an essentially similar provision to Section 14, in Section 13. It is clear that both sections are written in a way that directly responds to the experiences during the apartheid era of gross interferences with peoples’ right to privacy. The South African Constitutional Court has delivered a number of judgments on the right to privacy relating to the possession of indecent or obscene photographs, the scope of privacy in society, and searches. All the judgments were delivered under the provisions of the Interim Constitution as the causes of action arose prior to the enactment of the Final Constitution. However, as there is no substantive difference between the privacy provisions in the Interim and Final Constitutions, the principles remain authoritative for future application.
The Access to Information Act (effective February 2000). The bill covers both public and private sector entities and allows for access, rights of correction, and limitations on disclosure of information. Originally introduced as the Open Democracy Bill, the proposed legislation also included comprehensive data protection provisions. However, those provisions were removed by the Parliamentary committee in November 1999. The Committee wrote that, “it would be dealing with the right to privacy in section 14 of the Constitution in an ad hoc and undesirable manner…it is intended that South Africa, in following the international trend, should enact separate privacy legislation. The Committee, therefore, requests the Minister for Justice and Constitutional Development to introduce Privacy and Data Protection legislation, after thorough research on the matter, as soon as reasonably possible.” The Privacy and Data Protection Bill is still in its early stages of development.
The Interception and Monitoring Act of 1992. This Act regulates the interception of communications. This Act prohibits the interception of certain and monitoring of communications and also provides for the interception of postal articles and communications and for the monitoring of conversations in the case of a serious offense, or if the security of the country is threatened. As of August 12, 2001, Parliament is reviewing this act as it allows for widespread surveillance in the name of protecting national security, does not require a court order to monitor user’s Web browsing, and mobile phone location and prohibits communications technologies that are not wiretap capable.
120
INTERNATIONAL PRIVACY ISSUES
Miscellaneous Information
South Africa does not have a privacy commission but has a Human Rights Commission which was established under Chapter 9 of the Constitution and whose mandate is to investigate infringements on and to protect the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated. The Commission has limited powers to enforce the Access to Information Act.
South Korea Chief Privacy Officer/Minister Political System Web URL
Minister of Government Administration Republic www.korea.net
Description of Legislation
The Constitution. The Constitution provides for protection of privacy and secrecy of communications. Article 16 states, “All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented.” Article 17 states, “The privacy of no citizen may be infringed.” Article 18 states, “The privacy of correspondence of no citizen shall be infringed.”
The Act on the Protection of Personal Information Managed by Public Agencies of 1994. This Act sets rules for the management of computer-based personal information held by government agencies and is based on the OECD privacy guidelines. Under the Act, government agencies must limit data collected, ensure their accuracy, keep a public register of files, ensure the security of the information, and limit its use to the purposes for which it was collected. The Act is enforced by the Minister of Government Administration.
The Basic Act on Electronic Commerce (effective January 1999). Chapter III of the Act requires that “electronic traders shall not use, nor provide to any third party, the personal information collected through electronic commerce beyond the alleged purpose for collection thereof without prior consent of the person of such information or except as specifically provided in any other law.” Individuals also have rights of access, correction, and deletion and data holders have a duty of security.
Law on Protection of Communications Secrecy Act. Wiretapping is regulated by the Law on Protection of Communications Secrecy Act. It requires a court order to place a tap. Intelligence agencies are required to obtain permission from the Chief Judge of the High Court or approval from the President for national security cases.
Article 54 of the Telecommunication Business Act. This Act prohibits persons who are (or have been) engaged in telecommunication services from releasing private correspondence.
Act Relating to Use and Protection of Credit Information of 1995. Credit reports are protected by the Act Relating to Use and Protection of Credit Information of 1995. Postal Services Act. Postal privacy is protected by the Postal Services Act.
COUNTRY-BY-COUNTRY SUMMARY
121
The Act on Disclosure of Information by Public Agencies. This Act is a freedom of information act that allows Koreans to demand access to government records. It was enacted in 1996 and went into effect in 1998. The Supreme Court ruled in 1989 that there is a constitutional right to information “as an aspect of the right of freedom of expression, and specific implementing legislation to define the contours of the right was not a prerequisite to its enforcement.” Miscellaneous Information
The Ministry of Information and Communication (MIC) set up a Cyber Privacy Center in April 2000. The Ministry issued guidelines in May 2000 on privacy. The guidelines require consent before collecting “sensitive information” such as political orientation, birthplace, and sexual orientation, and ISPs wishing to collect information about users under 14 must obtain parental consent. ISPs must display their privacy policies and establish security policies. The Ministry said it was planning to develop legislation in late 2000 that would incorporate the guidelines. A study by the Korea Information Security Agency in November 1999 found that most sites were collecting information but were lacking adequate privacy policies. The existing national ID card number is widely used on the Internet by e-commerce sites and free Web sites. South Korea is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Spain Chief Privacy Officer/Minister Political System Web URL
Agencia de Protection de Datos— Data protection commission for Spain Parliamentary Monarchy www.ag-protecciondatos.es
Description of Legislation
The Constitution. The Constitution recognizes the right to privacy, secrecy of communications, and data protection. Article 18 states, “(1) The right of honor, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except for infractions by judicial order. (4) The law shall limit the use of information, to guarantee personal and family honor, the privacy of citizens, and the full exercise of their rights.” The Spanish Data Protection Act (LORTAD). This Act was enacted in 1992 and amended in December 1999 to implement the EU Data Protection Directive. It covers files held by the public and private sector. The law establishes the right of citizens to know what personal data is contained in computer files and the right to correct or delete incorrect or false data. Personal information may only be used or disclosed to a third party with the consent of the individual and only for the purpose for which it was collected.
The 1997 Telecommunications Act. Interception of communications requires a court order. The 1997 Telecommunications Act amended the law and restricts the use of cryptography but that provision has not been enforced.
122
INTERNATIONAL PRIVACY ISSUES
Miscellaneous Information
There are also additional laws in the penal code, and relating to credit information, video surveillance, and automatic tellers. The government issued a decree on digital signatures in September 1999. Spain is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Sweden Chief Privacy Officer/Minister Political System Web URL
Datainspektionen—Data protection commission for Sweden Constitutional Monarchy www.din.se
Description of Legislation
Sweden’s Constitution. The Constitution, which consists of several different legal documents, contains several provisions which are relevant to data protection. Section 2 of the Instrument of Government Act of 1974 provides, inter alia, for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument states also that freedom of expression and information—which are constitutionally protected pursuant to the Freedom of the Press Act of 1949—can be limited with respect to the “sanctity of private life.” Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. It is also important to note that the European Convention on Human Rights has been incorporated into Swedish law as of 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.
Personal Data Act of 1998 (amended in January 2000). Sweden enacted the Personal Data Act of 1998 to bring Swedish law into conformity with the requirements of the EC Directive on data protection. The new Act essentially adopts the EU Data Protection Directive into Swedish law. It regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. The Act replaced the Data Act of 1973, which was the first comprehensive national act on privacy in the world. The 1973 Act shall continue to apply until October 2001 with respect to processing of personal data which is initiated prior to October 24, 1998. Section 33 of the Act was amended in 1999 to adopt the EU Directive standards on the transfer of personal data to a third country. According to the Data Inspection Board, the amendment will facilitate transfer of data through international communication networks, such as the Internet. There may be situations where a third country—despite not having any data protection rules at all—still can be considered having an adequate level of protection. This would be depending on the other circumstances. It is also possible that the level of protection in a third country may be assessed as adequate in some areas but not in others. The amendment entered into force in January 2000.
COUNTRY-BY-COUNTRY SUMMARY
123
Freedom of the Press Act of 1766. Sweden is a country that has traditionally adhered to the Nordic tradition of open access to government files. The world’s first freedom of information act was the Riksdag’s (Swedish Parliament) “Freedom of the Press Act of 1766.” The Act required that official documents should “upon request immediately be made available to anyone making a request” at no charge. The Freedom of the Press Act is now part of the Constitution and decrees that “every Swedish citizen shall have free access to official documents.” Miscellaneous Information
A court order is required to obtain a wiretap. The law was amended in 1996 to facilitate surveillance of new technologies. Sweden is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Switzerland Chief Privacy Officer/Minister Political System Web URL
Data Protection Commission—Data protection/ privacy commission for Switzerland Federal Republic www.edsb.ch
Description of Legislation
Article 36(4) of the 1874 Constitution. The Constitution guaranteed, “the inviolability of the secrecy of letters and telegrams.” This Constitution was repealed and replaced by public referendum in April 1999. The new constitution, which entered into force on January 1, 2000, greatly expanded the older privacy protection provision. Article 13 of the Constitution now states: “All persons have the right to receive respect for their private and family life, home, mail and telecommunications. All persons have the right to be protected against abuse of their personal data.”
The Federal Act of Data Protection of 1992. This Act regulates personal information held by government and private bodies. The Act requires that information must be legally and fairly collected and places limits on its use and disclosure to third parties. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have equivalent laws. Individuals have a right of access to correct inaccurate information. Federal agencies must register their databases. There are criminal penalties for violations. There are also separate data protection acts for the Cantons (states).
Penal Code and Penal Procedure Code amended by the 1997 Telecommunication Act. Telephone tapping is governed by the Penal Code and Penal Procedure Code amended by the 1997 Telecommunication Act that came into effect on January 1, 1998. This Act established a
124
INTERNATIONAL PRIVACY ISSUES
specialized agency, Le Service des Taches Speciales (STS), within the Department of the Environment, Transport, Energy and Communications to administer wiretaps. A court order is required for every wiretap. In the spring of 2000, the Conseil des Etats amended the proposal to directly include surveillance of cellular telephone and prepaid calling card users. Miscellaneous Information
Besides the Data Protection Act, there are also legal protections for privacy in the Civil Code and Penal Code, and special rules relating to workers’ privacy from surveillance, telecommunications information, health care statistics, professional confidentiality including medical and legal information, medical research, police files, and identity cards. Switzerland is a member of the Council of Europe and signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1997. Switzerland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Switzerland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Switzerland is not an EU member state but has been granted associate status.
Taiwan Chief Privacy Officer/Minister Political System Web URL
The Ministry of Justice Multiparty Democratic Regime www.gio.gov.tw
Description of Legislation
Article 12 of the 1994 Taiwanese Constitution. “The people shall have freedom of privacy of correspondence.”
The Computer-Processed Personal Data Protection Law (effective August 1995). The Act governs the collection and use of personally identifiable information by government agencies and many areas of the private sector. The Act requires that “The collection or utilization of personal data shall respect the rights and interests of the principal and such personal data shall be handled in accordance with the principles of honesty and credibility so as not to exceed the scope of the specific purpose.” Individuals have a right of access and correction, the ability to request cessation of computerized processing and use, and the ability to request deletion of data. Data flows to countries without privacy laws can be prohibited. Law Governing Protection of Personal Data Processed by Computers (enacted July 1995) covers both the public and private sectors, but only computer processing systems with personal data.
Communication Protection and Surveillance Act (effective June 1999). This Act was to impose stricter guidelines on when and how wiretaps can be used. However taps can still be approved for broad reasons such as “national security” and “social order.” It also requires telecommunications providers to assist law enforcement and sets technical requirements for interception, which is being opposed by mobile phone providers. The Act replaces the martial law–era Telecommunications Surveillance Act. Article 315 of Taiwan’s Criminal Code states that a person who, without reason, opens or conceals a sealed letter or other sealed document belonging
COUNTRY-BY-COUNTRY SUMMARY
125
to another will be punishable under the law. The 1996 Telecommunications Law states “Unauthorized third parties shall not receive, record or use other illegal means to infringe upon the secrets of telecommunications enterprises and telecommunications messages. A telecommunications enterprise should take proper and necessary measures to protect its telecommunications security.” The Act was amended in October 1999 to increase penalties for illegal telephone taps to NT1.5 million and up to five years in prison. In 1998, the Supreme Court ruled that evidence obtained through illegal wiretaps was not admissible in a criminal trial.
Thailand Chief Privacy Officer/Minister Political System Web URL
The Official Information Commission Constitutional Monarchy www.oic.thaigov.go.th/
Description of Legislation
Section 34 of the 1997 Constitution. “A person’s family rights, dignity, reputation or the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public.” Section 37 states, “Persons have the freedom to communication with one another by lawful means. Search, detention or exposure of lawful communication materials between and among persons, as well as actions by other means so as to snoop into the contents of the communications materials between and among persons, is prohibited unless it is done by virtue of the power vested in a provision of the law specifically for the purpose of maintaining national security or for the purpose of maintaining peace and order or good public morality.” Section 58 states, “A person shall have the right to get access to public information in possession of a State agency, State enterprise or local government organization, unless the disclosure of such information shall affect the security of the State, public safety or interests of other persons which shall be protected as provided by law.”
A combined electronic commerce and digital signature law was approved by the Cabinet in July 2000. The National Information Technology Committee (NITC) approved plans in February 1998 for a series of information technology (IT) laws. Six sub-committees under the National Electronics and Computer Technology Centre (Nectec) were set up to draft the following bills: E-Commerce Law, EDI Law, Privacy Data Protection Law, Computer Crime Law, Electronics Digital Signature Law, Electronics Fund Transfer Law and Universal Access Law. All six bills were reportedly submitted to the Cabinet in January 2000. A combined electronic commerce and digital signature law was approved by the Cabinet in July 2000 and is expected to be approved by the Parliament this year. The rest of the bills, including the data protection act, are still awaiting Cabinet approval. The Association of Thai Computer Industry (ATCI) called on the government in May 2000 to adopt the data protection law to promote trust in e-commerce.
The Official Information Act (effective 1997). The Act sets a code of information practices on personal information systems run by state agencies. The agency: must ensure that the system is relevant to and necessary for the achievement of the objectives of the operation of the
126
INTERNATIONAL PRIVACY ISSUES
State agency; make efforts to collect information directly from the subject; publish material about its use in the Government Gazette; provide for an appropriate security system; notify such person if information is collected about them from a third party; not disclose personal information in its control to other State agencies or other persons without prior or immediate consent given in writing by the person except in limited circumstances; and provide rights of access, correction, and deletion. The Official Information Act allows for citizens to obtain government information such as the result of a consideration or a decision which has a direct effect on a private individual, workplan, project and annual expenditure estimates, and manuals or order relating to work procedure of State officials which affects the rights and duties of private individuals.
1934 Telegraph and Telephone Act. Phone tapping is a criminal offense under the 1934 Telegraph and Telephone Act. Wiretaps can be conducted for security reasons.
Turkey Chief Privacy Officer/Minister Political System Web URL
N/A Republican Parliamentary Democracy www.mfa.gov.tr
Description of Legislation
Section Five of the 1982 Turkish Constitution. “Privacy and Protection of Private Life.” Article 20 of the Turkish constitution deals with “Privacy of the Individual’s Life,” and it states, “Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated. Exceptions necessitated by judiciary investigation and prosecution are reserved. Unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial, neither the person nor the private papers, nor belongings of an individual shall be searched nor shall they be seized.” Article 22 states, “Secrecy of communication is fundamental. Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial. Public establishments or institutions where exceptions to the above may be applied will be defined by law.”
Article 24 of the Civil Code. An individual whose personal rights are violated unjustly may request protection against the violation from the judge. Individuals can bring action for violation of their private rights. However, there is no criminal liability for such violations of personal rights and currently there is no protection for personal data (through data protection laws or any other laws) under the current Turkish Criminal Code.
Articles 195–200 of the Turkish Criminal Code. Govern communication through letters, parcels, telegram, and telephone. Despite the existing laws and regulations, the right to privacy and to private communications seem to be rather problematic in Turkey. There is widespread illegal wiretapping by the government. According to acting Security Director Kemal Celik, all telephones in Turkey are bugged.
COUNTRY-BY-COUNTRY SUMMARY
127
Miscellaneous Information
A new bill to set up a “Council for the Security of National Information and its duties” is pending in the Parliament. Turkey is a member of the Council of Europe and has accepted the Council’s monitoring mechanism. It signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1981 but has not ratified the act. It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Turkey has also been a member of the Organization for Economic Co-operation and Development since 1961.
Ukraine Chief Privacy Officer/Minister Political System Web URL
State Committee of Communications and Computerization Republic www.kmw.gov.ua
Description of Legislation
The Constitution of Ukraine. The Constitution guarantees the right of privacy and data protection. Article 31 states, “Everyone is guaranteed privacy of mail, telephone conversations, telegraph and other correspondence. Exceptions shall be established only by a court in cases envisaged by law, with the purpose of preventing crime or ascertaining the truth in the course of the investigation of a criminal case, if it is not possible to obtain information by other means.” Article 32 states “No one shall be subject to interference in his or her personal and family life, except in cases envisaged by the Constitution of Ukraine. The collection, storage, use and dissemination of confidential information about a person without his or her consent shall not be permitted, except in cases determined by law, and only in the interests of national security, economic welfare and human rights. Every citizen has the right to examine information about himself or herself, that is not a state secret or other secret protected by law, at the bodies of state power, bodies of local self-government, institutions and organizations. Everyone is guaranteed judicial protection of the right to rectify incorrect information about himself or herself and members of his or her family, and of the right to demand that any type of information be expunged, and also the right to compensation for material and moral damages inflicted by the collection, storage, use and dissemination of such incorrect information.” There is also a limited right of freedom of information. Article 50 states, “Everyone is guaranteed the right of free access to information about the environmental situation, the quality of food and consumer goods, and also the right to disseminate such information. No one shall make such information secret.”
April 2000 Presidential Order. The Department of Special Telecommunication Systems and Information Safeguarding of the Security Service of Ukraine is authorized under an April 2000 Presidential Order to adopt regulations on the protection of information in data transmitting networks, as well as to establish the “application of the tools for the protection of state information resources.” In July 2000, President Kuchma signed a decree on “development of national content of the global informational network (Internet) and wide access to this network in Ukraine.” It sets rules on digital signatures, information security, and protection of information “which can not be published according to the law.”
128
INTERNATIONAL PRIVACY ISSUES
The 1992 Act on Information. This Act provides a right of access to government records. Article 21 sets out methods for making official information public, including disclosing it to interested persons orally, in writing, or in other ways. Article 29 of the Statute prohibits the limitation of the right to obtain non-covert information. Article 37 sets out a long list of exceptions. The author of a rejected or postponed request has a right to appeal the decision to a higher echelon or court (Article 34). There is limited access to the files of the former secret police under the Act “on rehabilitation of victims of political repressions,” which gives the rehabilitated citizen or his heirs the right to read his personal file kept in the KGB archives. Miscellaneous Information
Ukraine is a member of the Council of Europe but has not signed or ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.
United Kingdom Chief Privacy Officer/Minister Political System Web URL
Data Protection Registrar—United Kingdom’s Data Protection registry Constitutional Monarchy www.open.gov.uk
Description of Legislation
Human Rights Act (effective October 2, 2000). The United Kingdom does not have a written constitution. In 1998, the Parliament approved the Human Rights Act that will incorporate the European Convention on Human Rights into domestic law, a process which will establish an enforceable right of privacy.
Data Protection Act (1998). The legislation, which came into force on March 1, 2000, updates the 1984 Data Protection Act in accordance with the requirements of the European Union’s Data Protection Directive. The Act covers records held by government agencies and private entities. It provides for limitations on the use of personal information, access to records, and requires that entities that maintain records register with the Data Protection Commissioner. It now covers all manual and electronic records.
The Regulation of Investigatory Powers Act 2000 (effective July 2000). It provides powers for the Home Secretary to warrant interception of communications and to require Communications Service Providers to provide a “reasonable interception capability” in their networks. It further allows any public authority designated by the Home Secretary to access “communications data.” This data includes the source, destination, and type of any communication, such as mobile phone location information. Finally, powers are provided for senior members of the civilian and military police, Customs, and members of the judiciary to require the plaintext of encrypted material, or in certain circumstances decryption keys themselves. It replaces the Interception of Communications Act of 1985. It also sets rules on other types of investigatory powers that had not been previously regulated under UK law. Many legal experts, including the
COUNTRY-BY-COUNTRY SUMMARY
129
Data Protection Commissioner, believe that many of the provisions violate the European Convention on Human Rights and a legal challenge is likely. Requires ISPs to facilitate wiretapping and makes users disclose encryption keys or face jail.
Freedom of Information Act 2000. Approved December 2000, Opposition offered 118 amendments to improve the act, but it passed as is. Miscellaneous Information
The United Kingdom is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) along with the European Convention for the Protection of Human Rights and Fundamental Freedoms. In addition to these commitments, the United Kingdom is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
United States of America Chief Privacy Officer/Minister
Political System Web URL
There is no independent privacy oversight agency in the United States. The Office of Management and Budget plays a limited role in setting policy for federal agencies under the Privacy Act. Federal Republic www.ftc.org www.doj.org
Description of Legislation
Bill of Rights. The Supreme Court has ruled that there is a limited constitutional right of privacy based on a number of provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a “reasonable expectation of privacy” and also in matters relating to marriage, procreation, contraception, family relationships, child rearing, and education. However, records held by third parties, such as financial records or telephone calling records, are generally not protected unless a legislature has enacted a specific law. The Court has also recognized a right of anonymity and the right of political groups to prevent disclosure of their members’ names to government agencies. In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the Drivers Privacy Protection Act (DPPA), a 1994 law that protects drivers’ records held by state motor vehicle agencies. In a unanimous decision, the Court found that the information was “an article of commerce” and can be regulated by the federal government.
The Privacy Act of 1974. This Act protects records held by U.S. Government agencies and requires agencies to apply basic fair information practices. Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a “routine use” compatible with the purpose for which the information was originally collected. Limits on the use of the Social Security Number have also been undercut in recent years for a number of purposes.
130
INTERNATIONAL PRIVACY ISSUES
Omnibus Safe Streets and Crime Control Act of 1968 and the Electronic Communications Privacy Act of 1986. Surveillance of wire, oral, and electronic communications for criminal investigations is governed by the Omnibus Safe Streets and Crime Control Act of 1968 and the Electronic Communications Privacy Act of 1986. Police are required to obtain a court order based on a number of legal requirements. Surveillance for national security purposes is governed by the Foreign Intelligence Surveillance Act that has less rigorous requirements.
Safe Harbor. The U.S. Department of Commerce and the European Commission in June 2000 announced that they had reached an agreement on the Safe Harbor negotiations which would allow U.S. companies to continue to receive data from Europe. The European Parliament adopted a resolution in early July seeking greater privacy protections from the arrangement. The Commission announced that it was going to continue with the agreement without changes.
The Freedom of Information Act (enacted in 1966). This Act has been amended several times. It allows for access to federal government records by any requestor, except those held by the courts or the White House.
Electronic Freedom of Information Act (effective 1996). This Act amended the Freedom of Information Act of 1966 to specifically provide access to records in electronic form. There are also laws in all states on providing access to government records. Supreme Court Ruling on Wiretapping (effective June 11, 2001). The U.S. Supreme Court ruled that the use of infrared technology to search homes for evidence of criminal activity requires a court order. Miscellaneous Information
The Federal Trade Commission has oversight and enforcement powers for the laws protecting children’s on-line privacy, consumer credit information, and fair trading practices but has no general authority to enforce privacy rights. The United States has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information. These include financial records, credit reports, video rentals, cable television, children’s (under age 13) on-line activities, educational records, motor vehicle registrations, and telephone records. However, such activities as the selling of medical records and bank records, monitoring of workers, and video surveillance of individuals are currently not prohibited under federal law. There is also a variety of sectoral legislation on the state level that may give additional protections to citizens of individual states. The tort of privacy was first adopted in 1905 and all but two of the 50 states recognize a civil right of action for invasion of privacy in their laws. The United States is a member of the Organization for Economic Cooperation and Development but has not implemented the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in many sectors, including the financial sector and the medical sector. The 150 U.S. companies that signed the OECD Guidelines in 1981 did not appear to keep their promises to enforce fair information practices once the threat of legislation faded in the early 1980s. Many are currently actively lobbying against privacy laws.
ENDNOTES
131
ENDNOTES 1. Banisar, D., “Privacy and Human Rights Overview 2000,” www.privacyinternational.org/ survey/phr2000/overview.html#fn31. 2. Banisar, D. (The Electronic Privacy Information Center) and Davies, S. (Privacy International) in cooperation with The Organization for Economic Cooperation and Development (OECD), “Privacy and Human Rights: An International Survey of Privacy Laws and Practice,” www.gilc.org/privacy/survey/intro.html. 3. See note 1. 4. Banisar, D., “Privacy and Human Rights Overview 2000: Survey of Countries Privacy Policies and Laws,” www.privacyinternational.org/survey/phr2000/overview.html. 5. U.S. Department of Commerce, in consultation with the European Commission, www. export.gov/safeharbor. 6. Gold, S., “European Privacy Groups Lobby EU on Privacy Issues” (September 21, 2001), Newsbytes, London, England, www.newsbytes.com/news/01/170377.html. 7. See note 2. 8. See note 5. 9. TRUSTe, International Privacy Policy Activities, www.truste.org/bus/pub_global.html, a discussion of the PrivacyExchange at www.privacyexchange.org. 10. Hicks, M., “Passing the Safe Harbor By” (June 11, 2001), eWEEK, www.eweek.com/ article2/0,3959,220471,00.asp. 11. Reuters, “Study: Web Sites Fail Global Privacy Standards” (August 16, 2001), www. infowar.com/survey/01/survey_81601d_ j.shtml. 12. Directive 94/ /EC of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data. Directixwve 95/ /EC of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data. European Union, The Council, Brussels (2 February, 1995) 12003/1/95. European Community Directive on Data Protection, Chapter IV—“Transfer of Personal Data to Third Countries,” Article 25, www.ils.unc.edu/~lawsk/policypaper.html. 13. See note 11. 14. See note 1. 15. Jucca, L., “Europe Leads Drive for Online Privacy” (May 5, 2001), www.infowar. com/class_1/01/class1_51501a_ j.shtml. 16. Banisar, D. and Davies, S., “Global Trends In Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments” (Fall 1999), The John Marshall Journal of Computer & Information Law, 18 J. Marshall J. Computer & Info. L. 1, EE2001-JGM, P., http://debate.uvm.edu/handbookfile/pubpriv/347.html. 17. See note 1. 18. Clarke, R., Privacy Laws Web site, www.anu.edu.au/people/Roger.Clarke/DV/PrivacyLaws. html#Ctry. See also EPIC, 2001, Online Guide to Privacy Resources, www.epic.org/ privacy/privacy_resources_ faq.html#International_Sites; International Constitutional Law Web site, www.uni-wuerzburg.de/law/; Privacy International (PI), The International Privacy Newswire 2002, www.privacyinternational.org/parts/index.html; U.S. Department of Commerce, www.export.gov/safeharbor.
5 PRIVACY LEGISLATION
Introduction Existing Privacy Legislation Pending Federal Legislation Summary
INTRODUCTION Internet usage continues to expand rapidly, beyond anyone’s imagination. This expansion continues to surface issues in its wake that must be addressed in order to ensure that the Internet is a viable, long-term strategic tool for government and industry. To bridge the legal gap that has emerged as a result of the dynamic growth of the Internet, the United States Congress has begun to address issues such as access to information and the unauthorized use of personal data. Though the issues themselves are not new, the amount of information and the rapidity of transfer of that information have been greatly expanded by the use of the Internet.1 The extent to which organizations will self-govern the need to maintain confidentiality over information varies and therefore regulatory bodies have begun to immerse themselves in the Internet privacy issue. That is not to say that organizations have not recognized or even ignored the safeguarding of information received from customers. While many different forms of personal information have traditionally remained in the public domain, increasingly easy access to such data, spurred on by new technologies and the Internet, are raising privacy concerns from consumers and public policymakers. This, in turn, has led to increased calls for government regulation. Federal privacy legislation currently includes the following:2 • Providing individuals with notice at the time of information collection • Ensuring consumer choice for opting out of use or disclosure of personally identifiable information • Ensuring national standards for public policies related to Internet privacy • Not discriminating against the Internet by placing unique regulatory burdens on Webbased activities • Utilizing existing authority to enforce the mandate of federal legislation without creating new private rights of action • Avoiding conflicting or duplicative standards in cases where more than one government agency seeks to regulate 132
EXISTING PRIVACY LEGISLATION
Exhibit 5.1.
133
Most Recently Enacted Privacy Legislation
Title
Effective Year
Fair Credit Reporting Act Privacy Act of 1974 Family Education Rights and Privacy Act Right to Financial Privacy Act Privacy Protection Act of 1980 (PPA) Cable Communications Policy Act of 1984 The Electronic Communications Privacy Act Computer Fraud and Abuse Act (CFAA) Computer Security Act Video Privacy Protection Act of 1988 Telephone Consumer Protection Act of 1991 (TCPA) Driver’s Privacy Protection Act of 1994 Communications Assistance for Law Enforcement Act of 1994 (CALEA) Telecommunications Act of 1996 Health Insurance Portability and Accountability Act of 1996 (HIPAA) Children’s Online Privacy Protection Act of 1998 (COPPA) Gramm-Leach-Bliley Act of 1999 Patriot Act of 2001
1970 1974 1974 1978 1980 1984 1986 1986 1987 1988 1991 1994 1994 1996 1996 1998 1999 2001
There have been 18 separate pieces of legislation affecting privacy made into law over the past 20 years (see Exhibit 5.1, Most Recently Enacted Privacy Legislation). Both key and critical existing and proposed legislation will be discussed in depth in this chapter. Chapter 7 examines distinct pieces of privacy legislation that have become law in the United States and how these privacy laws have impacted businesses, generally and specifically.3
EXISTING PRIVACY LEGISLATION Fair Credit Reporting Act (1970) Congress enacted the Fair Credit Reporting Act (FCRA) to protect consumers from the disclosure of inaccurate and arbitrary personal information held by consumer reporting agencies. It enables individuals to have access to their own data profile. Individuals have a right to learn who has accessed their files. While the FCRA regulates the disclosure of personal information, it does not restrict the amount or type of information that can be collected. Under the FCRA, consumer reporting agencies may only disclose personal information to third parties under specified conditions. Additionally, information may be released to a third party with the written consent of the subject of the report or when the reporting agency has reason to believe the requesting party intends to use the information:4 • For a credit, employment, or insurance evaluation • In connection with the grant of a license or other government benefit • For another “legitimate business need” involving the consumer
134
PRIVACY LEGISLATION
Privacy Act of 1974 The Privacy Act of 1974 was designed to protect individuals from an increasingly powerful and potentially intrusive federal government. The Privacy Act incorporates the Code of Fair Information Practices recommended by the Department of Health, Education, and Welfare and empowers individuals to control the federal government’s collection, use, and dissemination of sensitive personal information. The Act prohibits agencies from disclosing records to third parties or other agencies without the consent of the individual to whom the record pertains.5 The Code emphasized five principles: 1. There should be no records whose very existence is private. 2. An individual must be able to discover what information is contained in his or her record and how it is used. 3. An individual must be able to prevent information collected for one purpose from being used for another purpose without consent. 4. An individual must be able to correct or amend erroneous information. 5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for its intended purpose and must take precautions to prevent misuse.
Family Education Rights and Privacy Act (1974) Congress passed the Family Educational Rights and Privacy Act (also known as the Buckley Amendment) to protect the accuracy and confidentiality of student records; it applies to all schools receiving federal funding. The Act prevents educational institutions from disclosing student records or personally identifiable information to third parties without consent, but does not restrict the collection or use of information by schools. The statute also requires educational institutions to give students and their parents’ access to school records and an opportunity to challenge the content of records they believe to be inaccurate or misleading.6
Right to Financial Privacy Act (1978) The Right to Financial Privacy Act was designed to protect the confidentiality of personal financial records by creating a statutory Fourth Amendment protection for bank records. The Right to Financial Privacy Act states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and at least one of the following applies:7 • • • • •
The customer authorizes access. There is an appropriate administrative subpoena or summons. There is a qualified search warrant. There is an appropriate judicial subpoena. There is an appropriate written request from an authorized government authority.
EXISTING PRIVACY LEGISLATION
135
The statute prevents banks from requiring customers to authorize the release of financial records as a condition of doing business and states that customers have a right to access a record of all disclosures.
Privacy Protection Act of 1980 Congress enacted the Privacy Protection Act (“PPA”) to reduce the effect of law enforcement searches and seizures on publishers. The PPA prohibits government officials searching or seizing any work, product, or documentary materials held by a “person believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication,” unless there is probable cause to believe the publisher has committed or is committing a criminal offense to which the materials relate. The PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.8
Cable Communications Policy Act of 1984 Congress passed the Cable Communications Policy Act (“1984 Cable Act” or “Cable Act”) to amend the Communications Act of 1934. The Cable Act establishes a comprehensive legislation for cable regulation and sets forth strong protections for subscriber privacy by restricting the collection, maintenance, and dissemination of subscriber data. The Act prohibits cable providers from using the cable system to collect “personally identifiable information” concerning any subscriber without prior consent, unless the information is necessary to render service or detect reception. The Act also prohibits operators from disclosing personally identifiable data to third parties without consent, unless the disclosure is either necessary to render a service provided by the cable operator to the subscriber or if it is made to a government entity pursuant to a court order.9 The Patriot Act of 2001, in section 211, addressed the question of whether this Act covers data collection by cable companies that offer cable modems and Internet Service Provider services. The Patriot Act allows cable operators to disclose any personal information, including that transmitted through cable modems, to law enforcement agents without consent of the subscriber. See more detail on the Patriot Act later in this chapter.
The Electronic Communications Privacy Act (1986) Congress passed the Electronic Communications Privacy Act (“ECPA”) to expand the scope of existing federal wiretap laws, such as the Wiretap Act, to include protection for electronic communications. ECPA expands the privacy protections of the Wiretap Act in five significant ways: 1. ECPA broadens the scope of privileged communications to include all forms of electronic transmissions, including video, text, audio, and data. 2. ECPA eliminates the requirement that communications be transmitted via common carrier to receive legal protection.
136
PRIVACY LEGISLATION
3. ECPA maintains restrictions on the interception of messages in transmission and adds a prohibition on access to stored electronic communications. 4. ECPA responds to the Supreme Court’s ruling in Smith v. Maryland that telephone toll records are not private and restricts law enforcement access to transactional information pertaining to users of electronic communication services. 5. ECPA broadens the reach of the Wiretap Act by restricting both government and private access to communications. Virtually all on-line services offer some sort of “private” activity, which allows subscribers to send personal e-mail messages to others. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful for anyone to read or disclose the contents of an electronic communication. This law applies to e-mail messages.10 However, there are three important exceptions to the ECPA: 1. The on-line service may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is prohibited. 2. The service may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many commercial services require a consent agreement from new members when signing up for the service. 3. If an employer owns the e-mail system, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor e-mail messages of their employees. Law enforcement officials may access or disclose electronic communications only after receiving a court-ordered search warrant. The Patriot Act of 2001 amended the ECPA. See sections 209, 211, 212, and 815 of the Patriot Act, listed in this chapter, for those amendments.11
Computer Fraud and Abuse Act (CFAA) of 1986 This Act was amended in 1994 and 1996 and again in 2001 via the Patriot Act. The Computer Fraud and Abuse Act of 1986 was signed into law in order to clarify definitions of criminal fraud and abuse for federal computer crimes and to remove the legal ambiguities and obstacles to prosecuting these crimes. The Act established two new felony offenses for the unauthorized access of “federal interest” computers and a misdemeanor for unauthorized trafficking in computer passwords. The Act enhanced and strengthened an intermediate Fraud and Abuse act established in 1984. It also complemented the Electronic Communications Privacy Act of 1986, which outlawed the unauthorized interception of digital communications and had just recently been passed.12 One of the felony offenses was established to address the unauthorized access of a federal interest computer with the intention to commit fraudulent theft. The other felony was established to address “malicious damage,” which involves altering information in, or preventing the use of, a federal interest computer. A malicious damage violation would have to result in a loss to the victim of $1,000 or more, except in cases involving the alteration of medical records.
EXISTING PRIVACY LEGISLATION
137
The legislation was carefully designed to address only federal and interstate computer crimes because of concern that the Act could infringe on individual states’ rights and computer crime laws. A federal interest computer, according to the Act, is “exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government, and the conduct constituting the offense affects such use, or which is one of two or more computers used in committing the offense, not all of which are located in the same State.” Financial institutions covered by the Act specifically include federally insured banks, thrifts and credit unions; registered securities brokers; members of the Federal Home Loan Bank System, the Farm Credit Administration, and the Federal Reserve System. A felony conviction under the Computer Fraud and Abuse Act could result in a prison term of five years for a first offense and ten years for a second offense. The Act also established as a federal misdemeanor trafficking in computer passwords with the intent to commit fraud that affects interstate commerce. This provision was meant to cover the creation, maintenance, and use of “pirate bulletin boards” where confidential computer passwords are revealed. The legislation applied to anyone who “knowingly and with the intent to defraud, traffics, transfers, or otherwise disposes of, to another, or obtains control of, with intent to transfer or dispose of in any password through which a computer may be accessed without authorization, if such trafficking affects interstate or foreign commerce or such computer is used by or for the Government of the United States.” The Computer Security Act of 1987 was enacted to mandate that federal agencies like the Federal Reserve and the Treasury Department take extra measures to prevent unauthorized access to computers holding sensitive information. The Computer Abuse Amendments Act of 1994 expanded the 1986 Act to address the transmission of viruses and other harmful code. The Patriot Act of 2001 also amended the CFAA. See section 814 of the Patriot Act, listed in this chapter, for the amendment.13
Computer Security Act of 1987 This Act assigns the National Bureau of Standards responsibility for developing standards and guidelines for the security of Federal computer systems, drawing upon technical guidelines developed by the National Security Agency, when such guidelines are consistent with the requirements for protecting sensitive information. H.R. 145 also provides for a Computer Systems Advisory Board to identify emerging Federal computer security and privacy issues, advise NBS on these issues, report its findings to the Office of Management and Budget (OMB), NSA, and Congress. The bill also would amend the Brooks Act of 1965 by updating the term “computer”; require establishment of security plans by all operators of Federal computer systems that contain sensitive information; and require mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.14 The purpose of H.R. 145, the Computer Security Act of 1987, as amended, is to improve the security and privacy of sensitive information in Federal computer systems. It achieves this purpose through improved training, aimed at raising the awareness of Federal workers about computer system security, by establishing a focal point within the government for developing computer system security standards and guidelines to protect sensitive information, and by requiring agencies to establish computer system security plans.
138
PRIVACY LEGISLATION
Video Privacy Protection Act of 1988 Congress passed the Video Privacy Protection Act in response to controversy surrounding the release of Judge Robert Bork’s video rental records during his failed Supreme Court nomination. The Act prohibits videotape service providers from disclosing customer rental records without the informed, written consent of the consumer. Furthermore, the Act requires video service providers to destroy personally identifiable customer information within a year of the date it is no longer necessary for the purpose for which it was collected. The Act contains several exceptions and limitations.15
Telephone Consumer Protection Act of 1991 The Telephone Consumer Protection Act of 1991 (TCPA) was enacted in response to consumer complaints about the proliferation of intrusive telemarketing practices and concerns about such practices on consumer privacy. The Act amends Title II of the Communications Act of 1934 and requires that the Federal Communications Commission (FCC or Commission) promulgate rules “to protect residential telephone subscribers’ privacy rights.” In response to TCPA, the FCC issued a Report and Order requiring any person or entity engaged in telemarketing to maintain a list of consumers who request not to be called.16
Driver’s Privacy Protection Act of 1994 Congress passed the Driver’s Privacy Protection Act as an amendment to the Omnibus Crime Act of 1994; it restricts the public disclosure of personal information contained in state department motor vehicle (DMV) records. While the Driver’s Privacy Protection Act generally prohibits DMV officials from knowingly disclosing personally identifiable information contained in records, it delineates several broad exceptions. In January of 2000, the Supreme Court unanimously upheld the Act. The Court held that personal, identifying information from drivers’ licenses and motor vehicle registrations is a “thing in interstate commerce” that can be regulated by Congress like any other commodity.17
Communications Assistance for Law Enforcement Act of 1994 Congress passed the Communications Assistance for Law Enforcement Act (CALEA, also commonly known as the Digital Telephony Act) to preserve the Government’s ability, pursuant to court order or other lawful authorization, to intercept communications over digital networks. The Act requires phone companies to modify their networks to ensure government access to all wire and electronic communications as well as to call-identifying information. Privacy advocates were able to remove provisions from earlier drafts of the legislation that would have required on-line service providers to modify their equipment to ensure government access. The law also included several provisions enhancing privacy, including a section that increased the standard for government access to transactional data.18
EXISTING PRIVACY LEGISLATION
139
Telecommunications Act of 1996 In the massive Telecommunications Act of 1996, Congress included a provision addressing widespread concern over telephone companies’ misuse of personal records, requiring telephone companies to obtain the approval of customers before using information about users’ calling patterns (or CPNI) to market new services. While the statute requires telephone companies to obtain approval before using customers’ information, Congress did not specify how companies should obtain such approval. Responding to several requests from the telecommunications industry for guidance, the FCC issued an order interpreting the “approval” requirements in February of 1998. Under the FCC’s rule, telephone companies must give customers explicit notice of their right to control the use of their CPNI and obtain express written, oral, or electronic approval for its use.19 Health Insurance Portability and Accountability Act of 1996
Congress created the first guarantee of a federal policy to govern the privacy of health information in electronic form by passing the Kennedy-Kassebaum Health Insurance Portability and Accountability Act. The Act contains a section known as “Administrative Simplification,” which mandates the development and adoption of standards for electronic exchanges of health information. It also requires that Congress or the Secretary of Health and Human Services develop privacy rules to govern such electronic exchanges; these rules, however, may not be in place before the electronic system is implemented. Provisions of the Act mandating the speedy development and adoption of standards for electronic exchanges of health information are troublesome given the lack of strong, enforceable laws protecting patient privacy; the Act required either the Congress or the Executive Branch to enact privacy rules before August 21, 1999. In October of 1999, after Congress failed to meet its self-imposed deadline, the Clinton administration issued the first set of federal privacy rules to protect medical information. The proposal, known as the Clinton-Gore initiative, aims to require consumer consent before companies share medical data or detailed information about consumer spending habits. The proposal also requires companies to disclose their privacy policies prior to engaging in data transactions with users.20 The rules mandate the following: • Patients must get a clear, written explanation of how information is used, kept, and disclosed. • Patients must be able to get copies of their records and request amendments. • Patients must give authorization before information is disclosed and can request restrictions on disclosure. • Providers and health plans cannot demand a patient’s blanket approval to disclosure before giving treatment. • Health information can be used for health purposes only, with few exceptions. • Providers and health plans must adopt written privacy procedures, train employees, and designate a privacy officer. The standards also specify civil penalties of up to $25,000 per person and criminal penalties of up to $250,000 and 10 years in prison for improper use or disclosure of health information. This Act decrees that medium to large businesses must be in compliance, with the HIPAA rules in place, by October 2002 and small businesses by October 2003.
140
PRIVACY LEGISLATION
Children’s Online Privacy Protection Act (COPPA) of 1998 Congress passed COPPA to protect children’s personal information from its collection and misuse by commercial Web sites. On October 20, 1999, the Federal Trade Commission issued a Final Rule implementing the Act, which went into effect on April 21, 2000. COPPA requires commercial Web sites and other on-line services directed at children 12 and under, or which collect information regarding users’ age, to provide parents with notice of their information practices and obtain parental consent prior to the collection of personal information from children. The Act further requires such sites to provide parents with the ability to review and correct information about their children collected by such services. COPPA was designed to ensure that children’s ability to speak, seek out information, and publish would not be adversely affected.21 This means that operators have to: • • • • •
Post their privacy policy Get parental consent Get new consent when information practices change in a material way Allow parents to review personal information collected from their children Allow parents to revoke their consent, and delete information collected from their children at the parents’ request
Gramm-Leach-Bliley Act of 1999 President Clinton signed the Gramm-Leach-Bliley Act into law in November 1999. It is a comprehensive piece of legislation affecting all financial institutions. One of the sections entitled “Obligations with respect to disclosures of personal information” is garnering a great deal of attention. This provision prompted the notices from banks, brokerage firms, and insurance companies explaining their position on privacy as it relates to your personal information. Although many people paid little attention to the notices, the law provides that financial institutions allow for an “opt-out” provision for consumers. However, often, in order to opt out of information sharing you must either sign and return something, or call them. If you do not opt out using one of the proscribed methods, they can use your private information in any way they see fit.22 Another section, entitled “Protection of nonpublic personal information,” mandates that financial institutions implement “administrative, technical and physical safeguards” for customer records and information. Specifically, these safeguards are designed to: • Insure the security and confidentiality of customer records and information • Protect against any anticipated threats or hazards to the security and integrity of such records • Protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer The Gramm-Leach-Bliley Act states that any financial institution that provides financial products or services to consumers must comply with the privacy provisions of Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLB Act”) and the Privacy Rule. You have consumers if you provide your financial products or services to individuals, not businesses, to be used primarily for their personal, family, or household purposes. However, this act applies to only financial institutions.
EXISTING PRIVACY LEGISLATION
141
The Patriot Act of 2001 The Patriot Act was the first direct change to a law as a result of the terrorist attacks on 9/11. This Act is also referred to as the “Anti-terrorism Surveillance Legislation.” The Patriot Act is 342 pages long and makes changes to over 15 different statutes. Items changed include: electronic surveillance, search warrants, funding of investigative taskforces, money laundering, financial records, seizure of funds, counterfeiting, protecting the borders, immigrant status and detentions, benefits for immigrants, authority to pay rewards for information, providing for victims of terrorism, information sharing between agencies, strengthening criminal laws against terrorism, and improving intelligence. Most of the provisions that have been expanded to grant law enforcement agencies more power will expire in four years (12/31/2005).23 As this book is focused on privacy that is affected or impacted via technology (i.e., computerization), this chapter discusses the specific legislation that affects computers, end users, and electronic privacy. Although electronic surveillance was already an integral part of law enforcement’s arsenal of investigative tools, the Patriot Act expands the use of wiretapping and surveillance tools, and clarifies definitions and use of information obtained via this surveillance. Via the Patriot Act, there are 11 amendments to previous laws that relate to Computer Crime and Electronic Evidence. Section 202, Authority to Intercept Voice Communications in Computer Hacking Investigations
Previous law. Investigators could not obtain a wiretap order to intercept wire communications (those involving the human voice) for violations of the Computer Fraud and Abuse Act. Example, in several investigations, hackers have stolen teleconferencing services from a telephone company and used it to plan and execute hacking attacks. Amendment. Amends sections that list those crimes for which investigators may obtain a wiretap order for wire communications. This provision will sunset December 31, 2005. Section 209, Obtaining Voice Mail and Other Stored Voice Communications
Previous law. The Electronics Communications Privacy Act governed law enforcement access to stored electronic communications (such as e-mail), but not stored wire communications (such as voice mail). The statute governed such access because the definition of “wire communication” included stored communications, requiring law enforcement to use a wiretap order (rather than a search warrant) to obtain unopened voice mails. Thus, authorities used a wiretap order to obtain voice communications stored with a third-party provider but could use a search warrant if that same information were stored on an answering machine inside a suspect’s home. Furthermore, with new technology the original statute did not foresee that an e-mail could contain an attachment that was voice. Thus, the search warrant would not cover these attachments and required a separate wiretap order. Amendment. Deletes “electronic storage” of wire communications from the definition of “wire communication” and insert language to ensure that stored wire communications are covered under the same rules as stored electronic communications. Thus, law enforcement can now obtain such communications using the procedures (such as a search warrant), rather than those in the wiretap statute (such as a wiretap order). This provision will sunset December 31, 2005.
142
PRIVACY LEGISLATION
Section 210, Scope of Subpoena for Electronic Evidence
Previous law. Allows the government to use a subpoena to compel a limited class of information, such as the customer’s name, address, length of service, and means of payment. The list of records that investigators could obtain with a subpoena did not include certain records (such as credit card number or other form of payment for the communication service) relevant to determining a customer’s true identity. In many cases, users register with Internet service providers using false names. In order to hold these individuals responsible for criminal acts committed on-line, the method of payment is an essential means of determining true identity. Moreover, many of the definitions were technology-specific, relating primarily to telephone communications. For example, the list included “local and long distance telephone toll billing records,” but did not include parallel terms for communications on computer networks, such as “records of session times and durations.” Similarly, the previous list allowed the government to use a subpoena to obtain the customer’s “telephone number or other subscriber number or identity,” but did not define what that phrase meant in the context of Internet communications. Amendment. Updates and expands the narrow list of records that law enforcement authorities may obtain with a subpoena. The new subsection includes “records of session times and durations,” as well as “any temporarily assigned network address.” In the Internet context, such records include the Internet Protocol (IP) address assigned by the provider to the customer or subscriber for a particular session, as well as the remote IP address from which a customer connects to the provider. Obtaining such records will make the process of identifying computer criminals and tracing their Internet communications faster and easier. Moreover, the amendments clarify that investigators may use a subpoena to obtain the “means and source of payment” that a customer uses to pay for his or her account with a communications provider, “including any credit card or bank account number.” While generally helpful, this information will prove particularly valuable in identifying the users of Internet services where a company does not verify its users’ biographical information. (This section is not subject to the sunset provision of the Act.) Section 211, Clarify the Scope of the Cable Act
Previous law. The law contains two different sets of rules regarding privacy protection of communications and their disclosure to law enforcement: one governing cable service (the “Cable Act”), and the other applying to the use of telephone service and Internet access (the wiretap statute, and the pen register and trap and trace statute (the “pen/trap” statute). The Cable Act set out an extremely restrictive system of rules governing law enforcement access to most records possessed by a cable company. For example, the Cable Act did not allow the use of subpoenas or even search warrants to obtain such records. Instead, the cable company had to provide prior notice to the customer (even if he or she were the target of the investigation), and the government had to allow the customer to appear in court with an attorney and then justify to the court the investigative need to obtain the records. The court could then order disclosure of the records only if it found by “clear and convincing evidence”—a standard greater than probable cause or even a preponderance of the evidence—that the subscriber was “reasonably suspected” of
EXISTING PRIVACY LEGISLATION
143
engaging in criminal activity. This procedure was completely unworkable for virtually any criminal investigation. The legal regime created by the Cable Act caused grave difficulties in criminal investigations because today, unlike in 1984 when Congress passed the Cable Act, many cable companies offer not only traditional cable programming services but also Internet access and telephone service. In recent years, some cable companies have refused to accept subpoenas and court orders pursuant to the pen/trap statute and ECPA, noting the seeming inconsistency of these statutes with the Cable Act’s harsh restrictions. Amendment. Clarifies that ECPA, the wiretap statute, and the trap and trace statute govern disclosures by cable companies that relate to the provision of communication services— such as telephone and Internet services. The amendment preserves, however, the Cable Act’s primacy with respect to records revealing what ordinary cable television programming a customer chooses to purchase, such as particular premium channels or “pay per view” shows. Thus, in a case where a customer receives both Internet access and conventional cable television service from a single cable provider, a government entity can use legal process under ECPA to compel the provider to disclose only those customer records relating to Internet service. (This section is not subject to the sunset provision.) Section 212, Emergency Disclosures by Communications Providers
Previous law. The law relating to voluntary disclosures by communication service providers was inadequate in two respects. First, it contained no special provision allowing providers to disclose customer records or communications in emergencies. If, for example, an Internet service provider (ISP) independently learned that one of its customers was part of a conspiracy to commit an imminent terrorist attack, prompt disclosure of the account information to law enforcement could save lives. Since providing this information did not fall within one of the statutory exceptions, however, an ISP making such a disclosure could be sued civilly. Second, prior to the Act, the law did not expressly permit a provider to voluntarily disclose non-content records (such as a subscriber’s login records) to law enforcement for purposes of self-protection, even though providers could disclose the content of communications for this reason. Yet the right to disclose the content of communications necessarily implies the less intrusive ability to disclose non-content records. Moreover, as a practical matter, providers must have the right to disclose to law enforcement the facts surrounding attacks on their systems. For example, when an ISP’s customer hacks into the ISP’s network, gains complete control over an e-mail server, and reads or modifies the e-mail of other customers; the provider must have the legal ability to report the complete details of the crime to law enforcement. Amendment. Corrects both of these inadequacies in previous law. Amends subsection to permit, but not require, a service provider to disclose to law enforcement either content or non-content customer records in emergencies involving an immediate risk of death or serious physical injury to any person. This voluntary disclosure, however, does not create an affirmative obligation to review customer communications in search of such imminent dangers. The amendments also change ECPA to allow providers to disclose information to protect their rights and property. It accomplishes this change by two related sets of amendments.
144
PRIVACY LEGISLATION
First, the amendments simplify the treatment of voluntary disclosures by providers (of content and non-content records alike). Second, an amendment to new subsection clarifies that service providers do have the statutory authority to disclose non-content records to protect their rights and property. All of these changes will sunset December 31, 2005. Section 216, Pen Register and Trap and Trace Statute
The pen register and trap and trace statute (the “pen/trap” statute) governs the prospective collection of non-content traffic information associated with communications, such as the phone numbers dialed by a particular telephone. Section 216 updates the pen/trap statute in three important ways: (1) the amendments clarify that law enforcement may use pen/trap orders to trace communications on the Internet and other computer networks; (2) pen/trap orders issued by federal courts now have nationwide effect; and (3) law enforcement authorities must file a special report with the court whenever they use a pen/trap order to install their own monitoring device (such as the FBI’s DCS1000, otherwise known as Carnivore) on computers belonging to a public provider. The following sections discuss these provisions in greater detail. (This section is not subject to the sunset provision.)
Using Pen/Trap Orders to Trace Communications on Computer Networks. Previous law. When Congress enacted the pen/trap statute in 1986, it could not anticipate the dramatic expansion in electronic communications that would occur in the following fifteen years. Thus, the statute contained certain language that appeared to apply to telephone communications and that did not unambiguously encompass communications over computer networks. Although numerous courts across the country have applied the pen/trap statute to communications on computer networks, no federal district or appellate court has explicitly ruled on its propriety. Moreover, certain private litigants have challenged the application of the pen/trap statute to such electronic communications based on the statute’s telephone-specific language. Amendment. Clarifies that the pen/trap statute applies to a broad variety of communications technologies. References to the target “line,” for example, are revised to encompass a “line or other facility.” Such a facility might include, for example, a cellular telephone number; a specific cellular telephone identified by its electronic serial number; an Internet user account or e-mail address; or an Internet Protocol address, port number, or similar computer network address or range of addresses. In addition, because the statute takes into account a wide variety of such facilities, amendments now allow applicants for pen/trap orders to submit a description of the communications to be traced using any of these or other identifiers. Moreover, the amendments clarify that orders for the installation of pen register and trap and trace devices may obtain any non-content information—all “dialing, routing, addressing, and signaling information”—utilized in the processing and transmitting of wire and electronic communications. Such information includes IP addresses and port numbers, as well as the “To” and “From” information contained in an e-mail header. Pen/trap orders cannot, however, authorize the interception of the content of a communication, such as words in the “subject line” or the body of an e-mail. Further, because the pen register or trap and trace “device” often cannot be physically “attached” to the target facility, Section 216 makes two other related changes. First, in recognition of the fact that such functions are commonly performed today by software
EXISTING PRIVACY LEGISLATION
145
instead of physical mechanisms, the amended statute allows the pen register or trap and trace device to be “attached or applied” to the target facility. Likewise, Section 216 revises the definitions of “pen register” and “trap and trace device” in section 3127 to include an intangible “process” (such as a software routine) which collects the same information as a physical device.
Nationwide Effect of Pen/Trap Orders. Previous law. Under previous law, a court could only authorize the installation of a pen/trap device “within the jurisdiction of the court.” Because of deregulation in the telecommunications industry, however, many providers may carry a single communication. For example, a telephone call may be carried by a competitive local exchange carrier, which passes it to a local phone company, which passes it to a long distance carrier, which hands it to a local exchange carrier elsewhere in the United States, which in turn may finally hand it to a cellular carrier. If these carriers do not pass source information with each call, identifying that source may require compelling information from a string of providers located throughout the country—each requiring a separate order. Moreover, since, under previous law, a court could only authorize the installation of a pen/trap device within its own jurisdiction, when one provider indicated that the source of a communication was a different carrier in another district, a second order in the new district became necessary. This order had to be acquired by a supporting prosecutor in the new district from a local federal judge—neither of whom had any other interest in the case. Indeed, in one case investigators needed three separate orders to trace a hacker’s communications. This duplicative process of obtaining a separate order for each link in the communications chain has delayed or—given the difficulty of real-time tracing— completely thwarted important investigations. Amendment. Gives federal courts the authority to compel assistance from any provider of communication services in the United States whose assistance is appropriate to effectuate the order. For example, a federal prosecutor may obtain an order to trace calls made to a telephone within the prosecutor’s local district. The order applies not only to the local carrier serving that line, but also to other providers (such as long-distance carriers and regional carriers in other parts of the country) through whom calls are placed to the target telephone. In some circumstances, the investigators may have to serve the order on the first carrier in the chain and receive from that carrier information identifying the communication’s path to convey to the next carrier in the chain. The investigator would then serve the same court order on the next carrier, including the additional relevant connection information learned from the first carrier; the second carrier would then provide the connection information in its possession for the communication. The investigator would repeat this process until the order has been served on the originating carrier who is able to identify the source of the communication. When prosecutors apply for a pen/trap order using this procedure, they generally will not know the name of the second or subsequent providers in the chain of communication covered by the order. Thus, the application and order will not necessarily name these providers. The amendments therefore specify that, if a provider requests it, law enforcement must provide a “written or electronic certification” that the order applies to that provider.
146
PRIVACY LEGISLATION
The amendments also empower courts to authorize the installation and use of pen/trap devices in other districts. Thus, for example, if terrorism or other criminal investigation based in Virginia uncovers a conspirator using a phone or an Internet account in New York, the Virginia court can compel communications providers in New York to assist investigators in collecting information under a Virginia pen/trap order. Consistent with the change above, the amendment eliminates the requirement that federal pen/trap orders specify their geographic limits. However, because the new law gives nationwide effect for federal pen/trap orders, the amendment imposes a “nexus” requirement: the issuing court must have jurisdiction over the particular crime under investigation.
Reports for Use of Law Enforcement Pen/Trap Devices on Computer Networks. Section 216 of the Act also contains an additional requirement for the use of pen/trap devices in a narrow class of cases. Generally, when law enforcement serves a pen/trap order on a communication service provider that provides Internet access or other computing services to the public, the provider itself should be able to collect the needed information and provide it to law enforcement. In certain rare cases, however, the provider may be unable to carry out the court order, necessitating installation of a device (such as Etherpeek or the FBI’s DCS1000, otherwise known as Carnivore) to collect the information. In these infrequent cases, the amendments in section 216 require the law enforcement agency to provide the following information to the court under seal within thirty days: (1) the identity of the officers who installed or accessed the device; (2) the date and time the device was installed, accessed, and uninstalled; (3) the configuration of the device at installation and any modifications to that configuration; and (4) the information collected by the device. Section 217, Intercepting the Communications of Computer Trespassers
Previous law. Although the wiretap statute allows computer owners to monitor the activity on their machines to protect their rights and property, until Section 217 of the Act was enacted it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring. This lack of clarity prevented law enforcement from assisting victims to take the natural and reasonable steps in their own defense that would be entirely legal in the physical world. In the physical world, burglary victims may invite the police into their homes to help them catch burglars in the act of committing their crimes. The wiretap statute should not block investigators from responding to similar requests in the computer context simply because the means of committing the burglary happen to fall within the definition of a “wire or electronic communication” according to the wiretap statute. Indeed, because providers often lack the expertise, equipment, or financial resources required to monitor attacks themselves, they commonly have no effective way to exercise their rights to protect themselves from unauthorized attackers. This anomaly in the law created, as one commentator has noted, a “bizarre result,” in which a “computer hacker’s undeserved statutory privacy right trumps the legitimate privacy rights of the hacker’s victims.”24 Amendment. To correct this problem, the amendments in Section 217 of the Act allow victims of computer attacks to authorize persons “acting under color of law” to monitor trespassers on their computer systems. Under a new section, law enforcement may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before monitoring can occur, however, four requirements must be
EXISTING PRIVACY LEGISLATION
147
met. First, the owner or operator of the protected computer must authorize the interception of the trespasser’s communications. Second, the person who intercepts the communication must be lawfully engaged in an ongoing investigation. Both criminal and intelligence investigations qualify, but the authority to intercept ceases at the conclusion of the investigation. Third, the people acting under the color of law must have reasonable grounds to believe that the contents of the communication to be intercepted will be relevant to the ongoing investigation. Fourth, investigators may intercept only the communications sent or received by trespassers. Thus, this section would only apply where the configuration of the computer system allows the interception of communications to and from the trespasser, and not the interception of non-consenting users authorized to use the computer. Finally, section 217 of the Act creates a definition of “computer trespasser.” Such trespassers include any person who accesses a protected computer without authorization. In addition, the definition explicitly excludes any person “known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer.” For example, certain Internet service providers do not allow their customers to send bulk unsolicited e-mails (or “spam”). Customers who send spam would be in violation of the provider’s terms of service, but would not qualify as trespassers—both because they are authorized users and because they have an existing contractual relationship with the provider. These provisions will sunset December 31, 2005. Section 220, Nationwide Search Warrants for E-mail
Previous law. Requires the government to use a search warrant to compel a provider to disclose unopened e-mail less than six months old. Rule 41 of the Federal Rules of Criminal Procedure requires that the “property” to be obtained be “within the district” of the issuing court, however, some courts have declined to issue warrants for e-mail located in other districts. Unfortunately, this refusal has placed an enormous administrative burden on those districts in which major ISPs are located, such as the Eastern District of Virginia and the Northern District of California, even though these districts may have no relationship with the criminal acts under investigation. In addition, requiring investigators to obtain warrants in distant jurisdictions has slowed time-sensitive investigations. Amendment. Allows investigators to use warrants to compel records outside of the district in which the court is located, just as they use federal grand jury subpoenas and orders. This change enables courts with jurisdiction over investigations to compel evidence directly, without requiring the intervention of agents, prosecutors, and judges in the districts where major ISPs are located. This provision will sunset December 31, 2005. Section 814, Deterrence and Prevention of Cyberterrorism
Section 814 makes a number of changes to improve the Computer Fraud and Abuse Act. This section increases penalties for hackers who damage protected computers (from a maximum of 10 years to a maximum of 20 years); clarifies the mens rea required for such offenses to make explicit that a hacker need only intend damage, not a particular type of damage; adds a new offense for damaging computers used for national security or criminal justice; expands the coverage of the statute to include computers in foreign countries so long as there is an effect on U.S.
148
PRIVACY LEGISLATION
interstate or foreign commerce; counts state convictions as “prior offenses” for the purpose of recidivist sentencing enhancements; and allows losses to several computers from a hacker’s course of conduct to be aggregated for purposes of meeting the $5,000 jurisdictional threshold. The following discussion analyzes these and other provisions in more detail.
Section 1030(c), Raising the Maximum Penalty for Hackers That Damage Protected Computers and Eliminating Mandatory Minimums. Previous law. Under previous law, first-time offenders could be punished by no more than five years’ imprisonment, while repeat offenders could receive up to ten years. Certain offenders, however, can cause such severe damage to protected computers that this fiveyear maximum did not adequately take into account the seriousness of their crimes. For example, David Smith pled guilty to releasing the “Melissa” virus that damaged thousands of computers across the Internet. Although Smith agreed, as part of his plea, that his conduct caused over $80,000,000 worth of loss (the maximum dollar figure contained in the Sentencing Guidelines), experts estimate that the real loss was as much as ten times that amount. In addition, previous law set mandatory sentencing guidelines to have a minimum of six months imprisonment for violations accessing a protected computer with the intent to defraud. Amendment. Section 814 of the Act raises the maximum penalty for violations for damaging a protected computer to ten years for first offenders, and twenty years for repeat offenders. Congress chose, however, to eliminate all mandatory minimum sentencing guidelines for violations.
Subsection 1030(c)(2)(C) and (e)(8), Hackers Need Only Intend to Cause Damage, Not a Particular Consequence or Degree of Damage. Previous law. Under previous law an offender had to “intentionally [cause] damage without authorization.” Section 1030 defined “damage” as impairment to the integrity or availability of data, a program, a system, or information that (1) caused loss of at least $5,000; (2) modified or impaired medical treatment; (3) caused physical injury; or (4) threatened public health or safety. The question repeatedly arose, however, whether an offender must intend the $5,000 loss or other special harm, or whether a violation occurs if the person only intends to damage the computer, that in fact ends up causing the $5,000 loss or harming individuals. It appears that Congress never intended that the language contained in the definition of “damage” would create additional elements of proof of the actor’s mental state. Moreover, in most cases, it would be almost impossible to prove this additional intent. Amendment. Section 814 of the Act restructures the statute to make clear that an individual need only intend to damage the computer or the information on it, and not a specific dollar amount of loss or other special harm. The amendments move these jurisdictional requirements to explicitly making them elements of the offense, and define “damage” to mean “any impairment to the integrity or availability of data, a program, a system or information.” Under this clarified structure, in order for the government to prove a violation, it must show that the actor caused damage to a protected computer (with one of the listed mental states), and that the actor’s conduct
EXISTING PRIVACY LEGISLATION
149
caused either loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety.
Section 1030(c), Aggregating the Damage Caused by a Hacker’s Entire Course of Conduct. Previous law. Previous law was unclear about whether the government could aggregate the loss resulting from damage an individual caused to different protected computers in seeking to meet the jurisdictional threshold of $5,000 in loss. For example, an individual could unlawfully access five computers on a network on ten different dates—as part of a related course of conduct—but cause only $1,000 loss to each computer during each intrusion. If previous law were interpreted not to allow aggregation, then that person would not have committed a federal crime at all since he or she had not caused over $5,000 to any particular computer. Amendment. Under the amendments in Section 814 of the Act, the government may now aggregate “loss resulting from a related course of conduct affecting one or more other protected computers” that occurs within a one year period in proving the $5,000 jurisdictional threshold for damaging a protected computer.
1030(c)(2)(C), New Offense for Damaging Computers Used for National Security and Criminal Justice. Previous law. Section 1030 previously had no special provision that would enhance punishment for hackers who damage computers used in furtherance of the administration of justice, national defense, or national security. Thus, federal investigators and prosecutors did not have jurisdiction over efforts to damage criminal justice and military computers where the attack did not cause over $5,000 loss (or meet one of the other special requirements). Yet these systems serve critical functions and merit felony prosecutions even where the damage is relatively slight. Indeed, attacks on computers used in the national defense that occur during periods of active military engagement are particularly serious—even if they do not cause extensive damage or disrupt the warfighting capabilities of the military—because they divert time and attention away from the military’s proper objectives. Similarly, disruption of court computer systems and data could seriously impair the integrity of the criminal justice system. Amendment. Amendments in Section 814 of the Act created a section to solve this inadequacy. Under this provision, a hacker violates federal law by damaging a computer “used by or for a government entity in furtherance of the administration of justice, national defense, or national security,” even if that damage does not result in provable loss over $5,000.
Subsection 1030(e)(2), Expanding the Definition of “Protected Computer” to Include Computers in Foreign Countries. Previous law. Before the amendments in Section 814 of the Act, section 1030 of title 18 defined “protected computer” as a computer used by the federal government or a financial institution, or one “which is used in interstate or foreign commerce.” The definition did not explicitly include computers outside the United States. Because of the interdependency and availability of global computer networks, hackers from within the United States are increasingly targeting systems located entirely outside
150
PRIVACY LEGISLATION
of this country. The statute did not explicitly allow for prosecution of such hackers. In addition, individuals in foreign countries frequently route communications through the United States, even as they hack from one foreign country to another. In such cases, their hope may be that the lack of any U.S. victim would either prevent or discourage U.S. law enforcement agencies from assisting in any foreign investigation or prosecution. Amendment. Section 814 of the Act amends the definition of “protected computer” to make clear that this term includes computers outside of the United States so long as they affect “interstate or foreign commerce or communication of the United States.” By clarifying the fact that a domestic offense exists, the United States can now use speedier domestic procedures to join in international hacker investigations. As these crimes often involve investigators and victims in more than one country, fostering international law enforcement cooperation is essential. In addition, the amendment creates the option, where appropriate, of prosecuting such criminals in the United States. Since the United States is urging other countries to ensure that they can vindicate the interests of U.S. victims for computer crimes that originate in their nations, this provision will allow the United States to provide reciprocal coverage.
Subsection 1030(e)(10), Counting State Convictions As “Prior Offenses.” Previous law. Under previous law, the court at sentencing could, of course, consider the offender’s prior convictions for State computer crime offenses. State convictions, however, did not trigger the recidivist sentencing provisions of section 1030, which double the maximum penalties available under the statute. Amendment. Section 814 of the Act alters the definition of “conviction” so that it includes convictions for serious computer hacking crimes under State law (i.e., State felonies where an element of the offense is “unauthorized access, or exceeding authorized access, to a computer”).
Subsection 1030(e)(11), Definition of “Loss.” Previous law. Calculating “loss” is important where the government seeks to prove that an individual caused over $5,000 loss in order to meet the jurisdictional requirements. Yet prior to the amendments in Section 814 of the Act, section 1030 of title 18 had no definition of “loss.” The only court to address the scope of the definition of loss adopted an inclusive reading of what costs the government may include. In United States v. Middleton, the court held that the definition of loss includes a wide range of harms typically suffered by the victims of computer crimes, including costs of responding to the offense, conducting a damage assessment, restoring the system and data to their condition prior to the offense, and any lost revenue or costs incurred because of interruption of service. Amendments. Amendments in Section 814 codify the appropriately broad definition of loss adopted in Middleton. Section 815, Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests
Section 815 added to an existing defense to a cause for damages for violations of the Electronic Communications Privacy Act.
PENDING FEDERAL LEGISLATION
151
Previous law. Under prior law it was a defense to such a cause of action to rely in good faith on a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization. Amendment. Makes clear that the “statutory authorization” defense includes good-faith reliance on a government request to preserve evidence. Section 816, Development and Support of Cybersecurity Forensic Capabilities
Section 816 requires the Attorney General to establish such regional computer forensic laboratories as he considers appropriate, to provide support for existing computer forensic laboratories, and to enable them to provide certain forensic and training capabilities. The provision also authorizes the spending of money to support those laboratories.
PENDING FEDERAL LEGISLATION As indicated previously, privacy is a major concern among consumers and both Democrats and Republicans are looking for legislative solutions to protect consumers. As of December 2001, there were 246 proposed bills that contained the word privacy somewhere in the text of the bill. Of these 246 proposed bills, 110 were not related to information privacy. That left 136 bills that propose new legislation to regulate various aspects of privacy. Of these, five were made into law as recently as October 2001. Thus, there are 131 outstanding, proposed bills specifically aimed at information privacy. Of these 131 pieces of legislation, further examinations revealed that, 53 proposed bills were similar in content, and it is anticipated that these bills will be combined at some point in the process.25 The remaining 78 proposed bills address some form of legislating information privacy. Of those 78, the top 30 important pieces of privacy legislation are summarized here for the reader (see Exhibit 5.2, Proposed Privacy Legislation). A brief synopsis of these most important proposed pieces of privacy legislation follows. On-line Appendices V and W at www.wiley.com/go/ privacy include a synopsis of the remaining bills currently related to privacy in the U.S. House and Senate, respectively.
HR 89 On-line Privacy Protection Act of 2001 Makes it unlawful for an operator of a Web site or on-line service to collect, use, or disclose personal information concerning an individual (age 13 and above) in a manner that violates regulations to be prescribed by the Federal Trade Commission (FTC). Requires operators to protect the confidentiality, security, and integrity of personal information it collects from such individuals. Requires operators to provide a process for such individuals to consent to or limit the disclosure of such information.26 Directs the FTC to provide incentives for efforts of self-regulation by operators to implement appropriate protections for such information. Authorizes the States to enforce such regulations by bringing actions on behalf of residents, requiring the State attorney general to first notify the FTC of such action. Authorizes the FTC to intervene in any such action. Provides for enforcement of this Act through the Federal Trade Commission Act.
HR 90 Know Your Caller Act of 2001 Amends the Communications Act of 1934 to make it unlawful for any person making a telephone solicitation to: (1) interfere with or circumvent a caller identification service from ac-
152
PRIVACY LEGISLATION
Exhibit 5.2. Bill#
30 Critical Proposed Pieces of Privacy Legislation as of December 2001 Title
HR 89 HR 90 HR 91 HR 112 HR 220
On-line Privacy Protection Act of 2001 Know Your Caller Act Social Security On-line Privacy Protection Act Electronic Privacy Protection Act Identity Theft Protection Act of 2001
HR 583 HR 1478 HR 2135 HR 2136 HR 2435 HR 2615 HR 2720 HR 2730 HR 2915
Privacy Commission Act Personal Information Privacy Act of 2001 Consumer Privacy Protection Act Confidential Information Protection Act Cyber Security Information Act Patient Privacy Act of 2001 Consumer’s Right to Financial Privacy Act National Consumer Privacy Act Public Safety and Cyber Security Enhancement Act of 2001 To amend the Antiterrorism and Effective Death Penalty Act of 1996 Title I: Bioterrorism Prevention Title II: Cable Television Privacy Provisions Title III: Nuclear Facility Security Financial Privacy and National Security Enhancement Act Enhanced Border Security Act of 2001 Visa Entry Reform Act of 2001 Federal-Local Information Sharing Partnership Act of 2001 Protecting Civil Rights for All Americans Act Financial Information Privacy Protection Act of 2001 Spyware Control and Privacy Protection Act of 2001 E-Government Act of 2001 Citizen’s Privacy Commission Act of 2001 End Racial Profiling Act of 2001 Privacy Act of 2001 Cyber Terrorism Prevention Act of 2001 Name Matching for Enforcement and Security Act of 2001 Restore Your Identity Act of 2001 Enhanced Border Security and Visa Entry Reform Act of 2001
HR 3016
HR 3068 HR 3205 HR 3229 HR 3285 S 19 S 30 S 197 S 803 S 851 S 989 S 1055 S 1568 S 1733 S 1742 S 1749
Related bills HR 347 S722 S848, S324, HR2036, S1014, S451 HR2036, S1014, HR3053, S1359, S1399, S451, S848
HR3482, HR3394 S450
S1618 S1627 HR3285, HR3483, S1489, S1615 S318, HR602 HR2458 HR2074, HR1907, S536
HR2965, HR3052, HR3181, S1627, S1749, S1491, HR3221, HR3229, HR3525
cessing or providing the call recipient with identifying information about the call; or (2) fail to provide caller identification information that is accessible by a caller identification service, if such person has the capability to provide such information.27 Provides a cause of action for a person or entity, or a State attorney general on behalf of its residents, for violations of such prohibition or regulations. Requires the Federal Communications Commission to study and report to Congress with respect to the transmission capabilities of caller identification information.
PENDING FEDERAL LEGISLATION
153
HR 91 Social Security On-line Privacy Protection Act Prohibits an interactive computer service from disclosing to a third party an individual’s social security number or related personally identifiable information without the individual’s prior informed written consent. Requires such service to permit an individual to revoke any consent at any time.28
HR 112 Electronic Privacy Protection Act Makes it unlawful for any person to knowingly: (1) make, import, export, or sell an information collection device for a computer unless it has a label disclosing to the computer’s primary user or to another operator who is not a primary user that it may transmit from the computer information identifiable to it; (2) install an information collection device on a computer that is not under general management and control of such person, unless such person has given notice of such installation to the computer’s primary user and obtained the user’s consent to such installation; or (3) use an information collection device to transmit from a computer that is not under general management and control of such person any information identifiable to such computer to a primary user or to an operator who is not a primary user, unless such person has given notice that the device may transmit such information to the primary user and obtained the user’s consent to such transmission. Sets forth civil penalties for violations of this Act.29
HR 220 Identity Theft Protection Act of 2001 Seeks to amend Title II of the Social Security Act and the Internal Revenue Code of 1986 to protect the integrity and confidentiality of Social Security Numbers. This bill would prevent the Federal government from creating a centralized Federal identifying number for people, and would stop agencies from imposing a single standard for identification.30 Amends the Privacy Act of 1974 to prohibit any Federal, State, or local government agency from requiring or requesting an individual to disclose his Social Security number.
HR 583 The Privacy Commission Act Establishes the Commission for the Comprehensive Study of Privacy Protection to study and report to Congress and the President on issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting such privacy and allowing appropriate uses of information. Requires the Commission to conduct at least two hearings in each of the five geographical regions of the United States.31
HR 1478 Personal Information Privacy Act of 2001 Amends the Fair Credit Reporting Act to redefine the term “consumer report” to exclude identifying information listed in a local telephone directory (thereby ensuring that the personal identification information in the credit headers accompanying credit reports of unlisted individuals remains confidential).32
154
PRIVACY LEGISLATION
Amends part A (General Provisions) of title XI of the Social Security Act to prohibit the commercial acquisition or distribution of an individual’s social security number (or any derivative), as well as its use as a personal identification number, without the individual’s written consent. Provides for: (1) civil money penalties and civil action in U.S. District Court by an aggrieved individual; and (2) coordination with criminal enforcement of identification document fraud. Amends the Federal criminal code to: (1) require State motor vehicle department uses of social security numbers to be consistent with uses authorized by the Social Security Act, the Privacy Act, and any other appropriate statutes; (2) prohibit marketing company use of social security numbers; and (3) prohibit, with an exception for specified law enforcement requests, State motor vehicle department release or disclosure of an individual’s photograph without the individual’s written consent. Amends the Fair Credit Reporting Act to prohibit a consumer reporting agency from providing a report in connection with a credit or insurance transaction not initiated by the consumer without the consumer’s written consent. Requires full consumer disclosure before such consent shall be effective. Prohibits, with specified exceptions, a person doing business with a consumer from selling or transferring for marketing purposes any transaction or experience information without the consumer’s written consent.
HR 2135 Consumer Privacy Protection Act Requires notice before the disclosure of any personally identifiable information, with “opt-out” for most personally identifiable information, and affirmative “opt-in” for especially sensitive information like social security numbers and financial information. Limits the collection of nonessential personally identifiable information.33 Deems disclosures in violation of this Act to constitute unfair or deceptive practices within the purview of the Federal Trade Commission Act. Specifies practices and procedures that shall not be deemed a violation of this Act. Authorizes civil suits brought in Federal district courts by: (1) a consumer for violations of this Act; and (2) a State, for any person engaging in a pattern or practice of such violations.
HR 2136 Confidential Information Protection Act Requires data or information acquired by executive agencies for exclusively statistical purposes to be used only for such purposes. Prohibits data or information acquired by an agency for such purposes from being disclosed in identifiable form, for any purpose other than such a purpose, without the informed consent of the respondent.34 Requires a statistical agency to clearly distinguish any data or information it collects for non-statistical purposes by a rule that provides that the respondent is fully informed that the information to be collected will be used for such purposes. Requires: (1) the Director of the Office of Management and Budget to coordinate and oversee such confidentiality and disclosure policies; and (2) any rules proposed by an agency pursuant to this Act to be subject to the Director’s review and approval.
PENDING FEDERAL LEGISLATION
155
Exempts data or information acquired for exclusively statistical purposes from mandatory disclosure under the Freedom of Information Act. Provides that this Act does not preempt applicable State law regarding the confidentiality of data collected by the States. Sets forth penalties for violations of this Act.
HR 2435 Cyber Security Information Act Prohibits the disclosure of “cyber security information” (defined to include information related to the ability of any protected system, or critical infrastructure, to resist intentional interference or incapacitation through the misuse of or unauthorized access to or use of the Internet, telecommunications systems, or similar conduct that violates Federal, State, or international law, harms U.S. interstate commerce, or threatens public health or safety) that is voluntarily provided to a Federal entity.35 Provides that (with exceptions) any such information voluntarily provided directly to the Government about its own cyber security, a third party’s cyber security, or to an Information Sharing Organization which is subsequently provided to the Government in identifiable form shall: (1) be exempt from disclosure under the Freedom of Information Act; (2) not be disclosed to any third party; and (3) not be used by any Federal or State entity or by any third party in any civil action. Makes the antitrust laws inapplicable (with an exception) to conduct engaged in solely for the purpose of and limited to: (1) facilitating the correction or avoidance of a cyber securityrelated problem; or (2) communication of or disclosing information to help correct or avoid the effects of a cyber security-related program. Authorizes the President to establish and terminate working groups composed of Federal employees who will engage outside organizations in discussions to address or share information related to cyber security, and otherwise to serve the purposes of this Act.
HR 2615 Patient Privacy Act Amends part C (Administrative Simplification) of title XI of the Social Security Act (SSA) to repeal: (1) the requirement of unique health identifiers for each individual, employer, health plan, and health care provider; and (2) penalties for wrongful disclosure of unique health identifiers.36 Prohibits the expenditure of Federal funds to develop or implement any database or other system of records containing personal medical information of any U.S. citizen, or to collect medical records for the purpose of storing them in a database or other system of records, with specified exceptions including part A (Hospital Insurance) or part B (Supplementary Medical Insurance) of the Medicare program under SSA title XVIII and the Medicaid program under SSA title XIX.
HR 2720 Consumer’s Right to Financial Privacy Act Amends the Gramm-Leach-Bliley Act to revamp financial institution obligations regarding disclosures of personal information sharing. Prohibits such institutions from either disclosing, or making unrelated use, of nonpublic personal information collected in a consumer transaction
156
PRIVACY LEGISLATION
unless the institution has notified the consumer. Requires the consumer’s affirmative consent (opt-in) to any such information sharing between a financial institution, its affiliates, or any other person that is neither an employee or agent of such institution.37 Mandates that designated regulatory agencies promulgate regulations that: (1) require affirmative consumer consent as a prerequisite to any information sharing by a financial institution; (2) prohibit a financial institution from denying a product or service to a consumer who has denied consent to such information transfer; and (3) require consumer access and opportunity to dispute nonpublic personal information made available by the institution to persons other than its own personnel. Prohibits a financial institution from disclosing a consumer’s access number or code to an affiliated or nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. Restricts nonpublic personal information received from a financial institution by an affiliate or nonaffiliated third party from being further disclosed to another affiliate or nonaffiliated third party of both the financial institution and such recipient. Prohibits obtaining, or soliciting a person to obtain, customer information from a financial institution under false pretenses.
HR 2730 National Consumer Privacy Act Amends the Gramm-Leach-Bliley Act (the Act) to prohibit the States from imposing any requirement or prohibition upon either financial institutions, or upon recipients of nonpublic personal information from such institutions, with respect to financial privacy concerns currently regulated by the Act’s privacy guidelines (thus establishing Federal preemption of financial privacy standards for financial institutions). Exempts from this preemption the authority of a State insurance authority to prescribe regulations and enforce related Federal law. Amends the Fair Credit Reporting Act regarding Federal preemption of consumer credit privacy guidelines to: (1) provide that such preemption shall not affect certain settlements, agreements, or consent judgments between a State Attorney General and a consumer reporting agency; and (2) preempt certain State law that explicitly states its intention to supplement such Federal privacy guidelines, and grant greater protection to consumers than is provided under the Federal guidelines.38
HR 2915 Public Safety and Cyber Security Enhancement Act of 2001 Amends the Federal criminal code to provide an exception to wiretapping prohibitions for a person acting under color of law to intercept the wire or electronic communications of a “computer trespasser” under specified circumstances. Creates a foreign intelligence exception involving the interception of electronic communications.39 Permits a Government agency authorized to use a pen register or trap and trace device to use technology reasonably available that restricts the recording or decoding of electronic or other impulses to the dialing, routing, addressing, and signaling information utilized in the processing and transmitting of wire and electronic communications.
PENDING FEDERAL LEGISLATION
157
Directs the court, upon application to it, to enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device: (1) if the court finds that the Government attorney has certified that the information likely to be obtained is relevant to an ongoing criminal investigation (which order shall apply nationwide); or (2) within the jurisdiction of the court if the court finds that the State law enforcement or investigative officer has certified that the information likely to be obtained is relevant. Authorizes any U.S. Attorney or acting U.S. Attorney to have installed and to use a pen register or trap and trace device under specified emergency situations, including situations involving: (1) an immediate threat to national security; and (2) an ongoing attack on a protected computer that constitutes a crime punishable by a term of imprisonment greater than one year.
HR 3016 To amend the Antiterrorism and Effective Death Penalty Act of 1996 Title I: Bioterrorism Prevention
Amends the Federal criminal code to set penalties for: (1) possessing, using, or exercising control over a select agent (i.e., a biological agent or toxin that is listed and not exempt under the Antiterrorism and Effective Death Penalty Act of 1996 (AEDPA)) in a manner constituting reckless disregard for the public health and safety, knowing the agent to be a biological agent or toxin; (2) causing bodily injury to another in the course of a violation; (3) possessing such agents without registration; and (4) transferring such agents to an unregistered person.40 Prohibits the disclosure under the Freedom of Information Act of agency information that identifies a person, or the geographic location of a person, who is registered pursuant to such regulations and any site-specific information relating to the type, quantity, or identity of a listed biological agent or toxin or the site-specific security mechanisms in place to protect such agents and toxins, except for disclosures for purposes of protecting public health and safety or to congressional committees or subcommittees, with appropriate jurisdiction, upon request. Title II: Cable Television Privacy Provisions
Amends the Communications Act of 1934 (the Act) to replace provisions regarding disclosure of information concerning a cable subscriber to a governmental entity pursuant to a court order with provisions regarding a governmental entity’s access to information collected and maintained by a multi-channel video programming distributor (MVPD) or any other person relating to the selection of video programming.41 Specifies that nothing in the Act restricts, impairs, conditions, or otherwise affects the authority of a governmental entity to obtain personally identifiable information concerning a subscriber from an MVPD or other person pursuant to specified Federal criminal code provisions, with the following exception. Authorizes a governmental entity to obtain information collected and maintained by an MVPD or other person concerning the selection of video programming by a subscriber of any MVPD pursuant to a court order only if, in the court proceeding relevant to such order: (1) such entity offers clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case; and (2) the subject of the information is afforded the opportunity to appear and contest such entity’s claim.
158
PRIVACY LEGISLATION
HR 3068 Financial Privacy and National Security Enhancement Act Establishes the Presidential Commission on Financial Privacy and National Security to study and report to Congress on financial service industry practices for protecting the privacy of consumer financial information, the manner and extent to which such practices are regulated by financial service regulators, and ways to improve and strengthen financial information privacy while preserving effective financial information flow for national security.42 Imposes a moratorium on State financial privacy laws during the period the Commission is performing its duties.
HR 3205 Enhanced Border Security Act of 2001 Directs the Secretary of State (Secretary), the Commissioner of the Immigration and Naturalization Service (Commissioner), and the Director of Central Intelligence to submit a congressional report, and develop a plan and an interoperable intelligence data system (with the Attorney General), for the identification and provision of law enforcement and intelligence information needed by the Department of State and the Immigration and Naturalization Service (INS) to screen visa and admissions applicants. Provides for machinereadable visa fees.43 Directs the Attorney General to waive INS personnel limits. Authorizes appropriations for INS, Border Patrol, United States Customs Service, and consular personnel, training, and securityrelated technology. Directs the Secretary and the Commissioner to study the costs and implementation alternatives of a Perimeter National Security Program, which shall include: (1) the feasibility of establishing a North American National Security Cooperative (Canada, Mexico, and the United States); and (2) alien preclearance and preinspection programs. Directs: (1) the Commissioner to expeditiously implement the port of entry integrated entry and exit data system; and (2) the Secretary to provide Foreign Service officers with visa screening training. Requires international commercial air carriers arriving in the United States to: (1) provide specified passenger manifest information; and (2) develop procedures for electronic transmission of such information. Amends the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 to include among the data required to be collected on foreign students and exchange visitors information on such alien’s dates of entry and enrollment commencement and termination. Sets forth related reporting provisions, including the requirement that an institution of higher education report to the INS concerning an alien student’s failure to enroll. Prohibits the admission of an alien from a country designated to be a state sponsor of terrorism until appropriate clearances are conducted on such individual. Requires the INS to periodically review institutions authorized to enroll foreign students and exchange visitors. Amends Federal law to treat INS immigration inspectors as law enforcement officers for Federal retirement program purposes. Amends the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 to extend the deadline for presentation of biometric border crossing identification cards.
PENDING FEDERAL LEGISLATION
159
HR 3229 Visa Entry Reform Act of 2001 Requires the Director of the Office of Homeland Security, in conjunction with specified other entities, to establish and supervise a single computerized database (lookout database) to screen and identify inadmissible or deportable aliens. States that such information shall be available to immigration, Customs, law enforcement, and intelligence personnel. Sets forth required database and related information.44 Directs: (1) the Secretary of State to establish a Terrorist Lookout Committee at each embassy; (2) the Attorney General and the Secretary of State to develop a “SmartVisa” system which shall include machine-readable visas containing biometric information; and (3) that issued U.S. passports contain standard biometric identifiers. Conditions participation in the visa waiver program upon a country’s: (1) issuance of U.S. machine-readable, tamper-resistant passports containing biometric data; and (2) reporting of its stolen passports to the United States. Authorizes the Attorney General to terminate a country from program participation for reasons of national security. Requires air, land, or sea carriers arriving from a foreign country to provide the United States with specified crew and passenger manifest information prior to departure for the United States. Sets forth requirements for fraud-resistant Federal and federally-regulated documents. Prohibits, with exceptions, issuance of a foreign student visa to a national of a country on the Department of State’s list of state sponsors of international terrorism. Provides for the implementation and expansion of the foreign student monitoring program, including provisions respecting: (1) submission of certain Immigration and Naturalization service (INS) forms; (2) background checks; and (3) educational institution reporting data on foreign students, including student failure to enroll. Provides for additional consular Customs, and INS investigative personnel. Amends Federal law to include in the category of identification document-related fraud the knowing possession of a stolen or illegally produced foreign identification document. Directs the Comptroller General to determine the feasibility of requiring each nonimmigrant alien to report annually to the INS respecting his or her status.
HR 3285 Federal-Local Information Sharing Partnership Act of 2001 Amends the Federal Rules of Criminal Procedure, the Federal criminal code, and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT ACT) of 2001 to authorize the sharing of grand jury information, electronic, wire, and oral interception information, and foreign intelligence information, respectively, with State or local law enforcement personnel. Directs that such information be used consistent with such guidelines as the Attorney General shall issue to protect confidentiality.45 Amends: (1) the Fair Credit Reporting Act to authorize the recipient of a consumer report or information to disclose the contents to law enforcement personnel to assist in the performance of official duties; and (2) the Immigration and Nationality Act to authorize the Secretary of State to provide copies of Department of State and U.S. diplomatic and consular office records regarding visas or related information to law enforcement personnel. Directs that such information be used consistent with such guidelines.
160
PRIVACY LEGISLATION
Amends: (1) the Foreign Intelligence Surveillance Act of 1978 to authorize the sharing of information acquired from an electronic surveillance or from a physical search with law enforcement personnel; and (2) the General Education Provisions Act and the National Education Statistics Act of 1994 to authorize the disclosure of the contents of education records and reports, records, and information to law enforcement personnel, subject to guidelines for the use of that information.
S 19 Protecting Civil Rights for All Americans Act Title II: Traffic Stops Statistics Study Act
Traffic Stops Statistics Study Act of 2001 directs the AG to conduct a nationwide study for traffic violations by law enforcement officers. Requires the Attorney General to: (1) perform an initial analysis of existing data, including complaints alleging and other information concerning traffic stops motivated by race and other bias; (2) gather specified data on traffic stops from a nationwide sample of jurisdictions; and (3) report the results to Congress and make such report available to the public. Authorizes the AG to provide grants to law enforcement agencies to collect and submit the data to the appropriate agency as designated by the AG. Prohibits information released pursuant to this title from revealing the identity of any individual who is stopped or any law enforcement officer involved in a traffic stop.46 Title IV: Genetic Nondiscrimination of Health Insurance Discrimination on the Basis of Predictive Genetic Information
Subtitle A: Prohibition of Health Insurance Discrimination on the Basis of Predictive Genetic Information. Amends the Employee Retirement Income Security Act of 1974 (ERISA) (regarding a group health plan, and a health insurance issuer offering group insurance through a group plan) the Public Health Service Act (PHSA) (regarding such a plan or issuer, and with regard to an issuer offering health insurance in the individual market), the Internal Revenue Code (IRC) (regarding a group health plan), and title XVIII (Medicare) of the Social Security Act (SSA) (regarding Medicare supplemental policies) to prohibit, with respect to genetic information: (1) discriminating in individual enrollment; (2) discriminating in group eligibility or group premium or contribution rates; (3) requesting or requiring test performance; and (4) requesting, requiring, collecting, purchasing, or disclosing information, unless authorized by the individual. Allows a plan or issuer: (1) regarding payment for genetic services, to request evidence that the services were performed; and (2) regarding payment for other benefits, to request predictive genetic information in certain circumstances. Allows a court, for violations, to award any appropriate legal or equitable relief, attorney’s fees and costs, and expert witness costs. Allows civil monetary penalties. Applies the requirements of this paragraph to plans that have fewer than two participants who are current employees. Amends ERISA and the PHSA to: (1) declare that the provisions of paragraph above do not preempt any provision of State law that protects genetic information confidentiality or privacy, or prohibits genetic discrimination, more completely than ERISA’s and the PHSA’s group health plan provisions; and (2) apply the requirements of the paragraph above to Medicare supplemental health insurance and similar supplemental coverage, if provided under a separate policy, certificate, or contract of insurance.
PENDING FEDERAL LEGISLATION
161
Amends the PHSA to disallow nonfederal governmental group plans from electing to be exempted from the requirements of this title.
Subtitle B: Prohibition of Employment Discrimination on the Basis of Predictive Genetic Information. Makes it an unlawful employment practice for an employer, employment agency, labor organization, or training program to discriminate because of predictive genetic information, including making it unlawful to request, require, collect, or purchase such information. Allows an employer to request, require, collect, or purchase such information: (1) where used for genetic monitoring of biological effects of workplace toxic substances; or (2) with consent of the employee, if results are received only by the employee (or the employee’s family). Requires employers possessing such information to treat and maintain the information as part of the employee’s confidential medical records. Prohibits disclosure, subject to exception. Title V: Employment Nondiscrimination
The Employment Non-Discrimination Act of 2001 prohibits employment discrimination on the basis of sexual orientation by covered entities. Declares that a disparate impact does not establish a prima facie violation of this Act. Prohibits related retaliation and coercion. Declares that this Act does not apply to the provision of employee benefits for the benefit of an employee’s domestic partner. Prohibits the Equal Employment Opportunity Commission from: (1) collecting statistics on sexual orientation from covered entities; and (2) compelling covered entities to collect such statistics. Prohibits: (1) quotas and preferential treatment; and (2) an order or consent decree for a violation of this Act that includes a quota or preferential treatment. Declares that this Act does not apply to: (1) religious organizations (except regarding employment in a position the duties of which pertain solely to activities of the organization that generate unrelated business income subject to taxation under specified Internal Revenue Code provisions); (2) the relationship between the United States and members of the armed forces; or (3) laws creating special rights or preferences for veterans. Provides for enforcement. Prohibits the imposition of affirmative action for a violation of this Act. Disallows State immunity. Makes the United States or a State liable for all remedies (except punitive damages, with compensatory damages available to the extent specified in certain existing provisions of law) to the same extent as under specified provisions of the Civil Rights Act of 1964. Allows recovery of attorney’s fees. Requires posting notices for employees, applicants, and members. Title VI: Promoting Civil Rights Enforcement
Establishes, in the Department of Justice, a National Task Force on Violence Against Health Care Providers which shall: (1) coordinate the national investigation and prosecution of incidents of violence and other unlawful acts directed against reproductive health care providers; (2) serve as a clearinghouse of information, for use by investigators and prosecutors, relating to acts of violence against reproductive health care providers; (3) make available security information and recommendations to enhance the safety and protection of reproductive health care providers; (4) provide training to Federal, State, and local law enforcement on issues relating to clinic violence; and (5) support Federal civil investigation and litigation of violence and other unlawful acts directed at reproductive health care providers. Authorizes increased FY 2002 (as compared to FY 2001) appropriations to specified Federal offices involved in the enforcement of civil rights.
162
PRIVACY LEGISLATION
S 30 Financial Information Privacy Protection Act of 2001 Amends the Gramm-Leach-Bliley Act to provide that the customer’s affirmative consent is a prerequisite to financial institution disclosure to affiliates of customer nonpublic personal information, including information about personal spending habits (currently such consent is only required for financial institution disclosure to nonaffiliated third parties).47 Sets forth limits upon re-disclosure and reuse of nonpublic consumer personal information received by an affiliated or nonaffiliated third party from a financial institution. Prescribes guidelines for: (1) consumer rights to access and correct information; and (2) Federal and State enforcement powers under this Act. Revises requirements for the timing of a financial institution’s disclosure to consumers of its privacy policies and practices, including a new requirement that the disclosure first occur before a customer relationship is established (currently, when it is established). Prohibits a financial institution from disclosing to either an affiliate or nonaffiliated third party its customer’s account number or comparable access number or code. Permits financial institution disclosure of nonpublic personal information: (1) in connection with performing services or functions solely on such institution’s behalf regarding its own customers, including marketing of the institution’s own products or services to its customers; and (2) in order to facilitate certain customer services. Directs specified Federal agencies, including the Federal Trade Commission, to prescribe implementing regulations.
S 197 Spyware Control and Privacy Protection Act of 2001 Requires any computer software made available to the public that includes the capability to collect information about the user of such software, the hardware on which such software is used, or the manner in which such software is used, and the capability to disclose such information to any person other than the software user, with specified exceptions, to include: (1) a clear notice that such software contains such capability; (2) a description of the information subject to collection; and (3) clear electronic instructions on how to disable such capability without affecting software performance or operation.48 Prohibits such capability from being enabled unless the user consents in advance. Treats each violation of such requirements and prohibition as an unfair or deceptive act or practice under the Federal Trade Commission Act. Authorizes a software provider to disclose such information to law enforcement officials or a court under a warrant or court order. Requires a court issuing such an order to ensure appropriate safeguards on the use of such information.
S 803 E-Government Act of 2001 Establishes the Office of Information Policy in the Office of Management and Budget (OMB) to be administered by a Federal Chief Information Officer (CIO) who shall provide direction, coordination, and oversight of the development, application, and management of information
PENDING FEDERAL LEGISLATION
163
resources by the Government. Provides for the Office of Information and Regulatory Affairs to retain information collection review functions. Establishes a Chief Information Officers Council as the principal interagency forum for improving agency practices related to the development, use, operation, and performance of Government information resources. Establishes in the Treasury an E-Government Fund to be used to fund interagency information technology projects and other innovative uses of information technology.49 Requires each executive agency to: (1) comply with standards established by the CIO and support the CIO’s efforts to develop and maintain an integrated Internet-based system of delivering Government information and services to the public; (2) ensure compatibility of its methods for use and acceptance of electronic signatures; (3) publish an online agency directory; (4) establish a website and post all information required to be published on regulatory proceedings and electronic dockets for rulemakings; and (5) conduct a privacy impact assessment before developing or procuring an information system or initiating a new collection of personally identifiable information that will be processed electronically. Requires establishment of: (1) an online Federal telephone directory; (2) an online National Library; and (3) individual Federal court websites. Requires the CIO to: (1) study the feasibility of integrating Federal information systems across agencies; (2) convene an interagency task force to develop recommendations on standards for the collection and dissemination of essential information about federally funded research and development databases that address public availability and agency coordination and collaboration; (3) establish guidelines for privacy notices on agency Web sites; and (4) promulgate standards and criteria for agency Web sites. Requires the Secretary of the Interior to facilitate the development of common protocols for geographic information systems. Provides for the use of the share-in-savings contracting approach for information technology projects. Requires studies on: (1) using information technology to enhance crisis response and consequence management of natural and manmade disasters; (2) best practices of federally funded community technology centers; and (3) disparities in Internet access across various demographic distributions. Provides for establishment of: (1) a Federal Information Technology Training Center; and (2) an Advisory Board on Government Information which shall recommend standards for establishing permanent public access to government information disseminated on the Internet, developing inventories of government information, and cataloguing and indexing government information. Requires the CIO and each agency to develop and post on the Internet a public domain directory of Government Web sites.
S 851 Citizens’ Privacy Commission Act of 2001 Establishes the Citizens’ Privacy Commission to study and report to Congress and the President on issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting such privacy and allowing appropriate uses of information, including: (1) the collection, use, and distribution of personal information by government; (2) privacy protection efforts and proposals of government; and (3) individual redress for privacy violations by government.50
164
PRIVACY LEGISLATION
S 989 End Racial Profiling Act of 2001 Prohibits any law enforcement agency or agent from engaging in racial profiling. Authorizes the United States, or an individual injured by racial profiling, to bring a civil action for declaratory or injunctive relief to enforce this prohibition.51 Specifies that proof that the routine investigatory activities of law enforcement agents in a jurisdiction have had a disparate impact on racial or ethnic minorities shall constitute prima facie evidence of a violation. Authorizes the court to allow a prevailing plaintiff, other than the United States, reasonable attorneys’ fees as part of the costs, including expert fees. Requires Federal law enforcement agencies to: (1) maintain adequate policies and procedures designed to eliminate racial profiling; and (2) cease existing practices that encourage racial profiling. Directs that any application by a State or governmental unit for funding under a covered program include a certification that such unit and any agency to which it is redistributing program funds: (1) maintains adequate policies and procedures designed to eliminate racial profiling; and (2) has ceased existing practices that encourage racial profiling. Authorizes the Attorney General to make grants to States, law enforcement agencies, and other governmental units, Indian tribal governments, or other public and private entities to develop and implement best practice devices and systems to ensure the racially neutral administration of justice. Directs the Attorney General to submit to Congress a report on racial profiling by Federal, State, and local law enforcement agencies.
S 1055 Privacy Act of 2001 Prohibits the sale and disclosure of personally identifiable information by a commercial entity to a non-affiliated third party unless prescribed procedures for notice and opportunity to restrict such disclosure have been followed. Grants the Federal Trade Commission enforcement authority.52 Amends Federal criminal law to prohibit the display, sale, or purchase of social security numbers without the affirmatively expressed consent of the individual. Exempts certain public records containing social security numbers from such prohibition. Amends the Social Security Act to prohibit the use of social security account numbers on: (1) checks issued for payment by governmental agencies; and (2) driver’s licenses or motor vehicle registration. Prohibits a commercial entity from requiring disclosure of an individual’s social security number in order to obtain goods or services. Imposes civil monetary penalties for misuse of a social security number. Amends the Gramm-Leach-Bliley Act to make conforming limitations upon financial industry sale and sharing of non-public personal financial information. Sets forth prohibitions against the selling or marketing of protected health information by specified entities. Amends the Driver’s Privacy Protection Act relating to proscriptions against release and use of certain personal information from State motor vehicle records to expand the definition of such personal information, and to include “highly restricted personal information” among such proscriptions.
PENDING FEDERAL LEGISLATION
165
Empowers State Attorneys General to enforce this Act. Establishes Federal injunctive authority regarding any violation of this Act.
S 1568 Cyberterrorism Prevention Act of 2001 Modifies Federal criminal code provisions regarding fraud and related activity in connection with computers. Establishes penalties for intentionally accessing a protected computer without authorization, or exceeding authorized access, thereby causing: (1) loss to one or more persons during any one-year period aggregating at least $5,000 in value; (2) the modification or impairment of the medical examination, diagnosis, treatment, or care of one or more individuals; (3) physical injury to any person; (4) a threat to public health or safety; or (5) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.53 Increases penalties and broadens the scope of provisions regarding computer-related fraud. Includes within the definition of “protected computer” a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States. Includes good faith reliance on a request of a governmental entity to preserve evidence among defenses to civil actions relating to a violation of provisions governing access to stored wire or electronic communications. Requires the Director of the Federal Bureau of Investigation to take appropriate actions to develop at least ten regional computer forensic laboratories and to provide support, education, and assistance for existing laboratories so that such laboratories have the capability to provide forensic examinations regarding seized or intercepted computer evidence relating to criminal activity, to provide training and education regarding computer-related crime for and to assist law enforcement personnel, and to promote sharing of Federal law enforcement computer crime expertise with State and local authorities.
S 1733 Name Matching for Enforcement and Security Act of 2001 Directs the Secretary of State, the Attorney General, the Secretary of the Treasury, the Commissioner of Immigration and Naturalization, and the Director of Central Intelligence (DCI) to develop and implement a unified electronic data system to provide current and immediate access to information in databases of U.S. law enforcement agencies and the intelligence community that is relevant to determine: (1) whether to issue a visa; or (2) the admissibility of an alien to the United States.54 Sets forth provisions regarding name search capacity and support and languages required. Requires: (1) such officials to consult with the Director of the Office of Homeland Security, the Foreign Terrorist Tracking Task Force, U.S. law enforcement agencies, and the intelligence community; and (2) the system to utilize the technology standard established pursuant to the United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act of 2001. Directs that system information be readily and easily accessible to any: (1) Foreign Service officer responsible for the issuance of visas; and (2) Federal agent responsible for determining the admissibility of an alien to the United States. Requires the Secretary of State, the Attorney
166
PRIVACY LEGISLATION
General, and the DCI to establish procedures to restrict access to intelligence information in the system under circumstances in which such information is not to be disclosed directly to Government officials.
S 1742 Restore Your Identity Act of 2001 Amends the Racketeer Influenced and Corrupt Organizations Act to cover offenses chargeable under State law similar to Federal racketeering offenses regarding fraud and related activity in connection with identification documents.55 Requires a business entity possessing information relating to an identity theft or who may have done business with a person that has made unauthorized use of a victim’s means of identification to provide without charge to the victim or to any Federal, State, or local governing law enforcement agency or officer specified by the victim copies of all related application and transaction information. Specifies what constitutes proof of positive identification. Limits liability for a business entity that provides information under this Act for the purpose of identification and prosecution of identity theft or to assist a victim. Amends: (1) the Fair Credit Reporting Act to direct a consumer reporting agency to permanently block the reporting of any information identified by the consumer in such consumer’s file resulting from identity theft, subject to specified requirements; and (2) the Internet False Identification Prevention Act of 2000 to include within report contents specified descriptions regarding identity theft. Authorizes civil enforcement actions by State attorneys general regarding identity theft.
S 1749 Enhanced Border Security and Visa Entry Reform Act of 2001 Directs the Attorney General to waive Immigration and Naturalization Service (INS) personnel limits. Authorizes appropriations for INS, Border Patrol, United States Customs Service, and consular personnel, training, facilities, and security-related technology. Provides for machinereadable visa fees.56 Directs U.S. law enforcement and intelligence entities to share alien admissibility- and deportation-related information with INS and the Department of State. Directs the President to develop and implement an interoperable law enforcement and intelligence data system (with name-matching and linguistic capacity) for visa, admissibility, or deportation determination purposes. Amends the Immigration and Nationality Act (Act) to require a consular officer issuing a visa to provide INS with an electronic version of the alien’s visa file prior to the alien’s U.S. entry. Sets forth technology standard and interoperability requirements respecting development and implementation of the integrated entry and exit data system and related tamper-resistant, machine-readable documents containing biometric identifiers. Directs the Secretary of State (Secretary) to: (1) establish a Terrorist Lookout Committee at each U.S. mission in which there is a consular post; and (2) provide consular staff with visa screening training. Prohibits the admission of an alien from a country designated to be a state sponsor of terrorism until a determination has been made that such individual does not pose a risk to the United States.
SUMMARY
167
Conditions participation in the visa waiver program upon a country’s timely reporting to the United States of its stolen blank passports. Requires the Attorney General to enter stolen passport identification numbers into the interoperable data system. Directs the Secretary, the Secretary of the Treasury, the Attorney General, and the Commissioner of INS to study the feasibility of establishing a North American Perimeter National Security Program (United States, Canada, Mexico), including consideration of alien preclearance and preinspection. Amends the Act to require commercial aircraft or vessels arriving at, or departing from, the United States to provide immigration officers with specified passenger and crew manifest information. Authorizes such provisions’ extension to land carriers. Requires electronic manifest transmission by a specified date. Amends the Ports and Waterways Safety Act to revise and specify vessel prearrival message requirements. Amends the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 to direct the Attorney General to develop an electronic means of verifying and monitoring the foreign student information program, including aspects of documentation and visas issuance, and registration and enrollment. Increases student data requirements. Specifies information required for foreign student visa applications. Sets forth transitional monitoring requirements, including a requirement that an educational institution report student failure to enroll information to INS. Provides for INS and Department of State review of institutions authorized to enroll foreign students and exchange visitors. Amends Federal law to treat INS immigration inspectors as law enforcement officers for Federal retirement purposes. Amends the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 to extend the deadline for presentation of biometric border crossing identification cards. Directs: (1) the Comptroller General to determine the feasibility of requiring each nonimmigrant alien to report annually to INS respecting his or her address and employer’s address; and (2) the Secretary and INS to study alternative approaches to international electronic data cooperation.
SUMMARY Self-regulation has worked to some degree, in that self-regulation polices the companies who have adopted privacy standards, but it does not adequately address companies who ignore or violate these standards. Per Senator Dianne Feinstein (D—California), the problem is that many of the measures pending before Congress today provide only part of the solution: What’s needed is a comprehensive level of protection. We must ask ourselves: Are we doing enough to protect people from the growing crime of identity theft and invasion of privacy? After trying to decipher the recent bevy of privacy notices, [via the Gramm-Leach-Bliley banking law], I would hazard a guess that most Americans would say no.57
There is a need for Congress to enact legislation that provides individuals with a baseline of privacy protection on the Internet by codifying these fair information principles. Surveys show that consumers favor government passing laws that regulate how personal information is collected and used on the Internet.
168
PRIVACY LEGISLATION
According to 300 IT executives who participated in InformationWeek Research’s Outlook for 2001 study, 64 percent said that government intervention is not necessary to ensure adequate privacy protection for users of the Internet. Thirty-one percent responded that government intervention is necessary and 5 percent didn’t know.58 Chapters 6 and 7 examine personal and business privacy issues, respectively. After reading these chapters, the reader can independently decide if self-regulation is working or if more legislation is needed.
ENDNOTES 1. Carlson, C., “Pondering Privacy” (January 29, 2001), www.eweek.com/article2/0,3959, 146060,00.asp. 2. McCarthy, R., and Aronson, J., “Analyzing the Balance Between Consumer, Business and Government: The Emergent Internet Privacy Legal Framework,” The International Association for Computer Information Systems, Session 4b: Issues in Internet Use (October 3–6, 2001), Vancouver, British Columbia, Canada. 3. Federal Trade Commission (2001) www.ftc.gov. 4. Id. 5. Id. 6. Id. 7. Id. 8. Id. 9. Id. 10. Id. 11. The Electronic Frontier Foundation, “EFF Analysis of the Provisions of the USA PATRIOT Act That Relate to On-line Activities” (October 31, 2001), www.eff.org/Privacy/Surveillance/ Terrorism_militias/20011031_eff_usa_ patriot_analysis.html. 12. See note 3. 13. See note 11. 14. See note 3. 15. Id. 16. Id. 17. Id. 18. Id. 19. Id. 20. Du Bois, G., “Privacy Standards Grant Patients’Rights” (January 18, 2001), www.eweek.com/ article2/0,3959,114476,00.asp. 21. Frequently Asked Questions (and Answers) About the Children’s Online Privacy Protection Act, www.eff.org/Privacy/Children/20000420_eff_coppa_ faq.html. 22. See note 3. 23. Department of Justice, The US Patriot Act of 2001 (2001), www.ins.usdoj.gov/graphics/ lawsregs/patriot.pdf. 24. Kerr, O., “Are We Overprotecting Code? Thoughts on First-Generation Internet Law,” Field Guidance on New Authorities (Redacted) Enacted in the 2001 Anti-Terrorism Legislation, Section 217 Intercepting the Communications of Computer Trespassers, Washington and Lee Law Review, Vol. 57 (2000) 1287–1300. 25. State Privacy Legislation 2000 Session, http://www.sia.com/state_affairs/html/state_privacy _issues.html.
ENDNOTES
26. 27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54.
55. 56. 57.
58.
169
Id. Id. Id. Id. Id. Id. Id. Id. Id. Id. See note 20. See note 25. Id. Id. Id. Id. Id. Id. See note 11. See note 23. See note 25. See note 11. Id. Id. Id. Id. Id. Id. Computer Crime and Intellectual Property Section, “Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001” 2001, www.usdoj.gov/criminal/cybercrime/PatriotAct.htm. See note 25. Id. Feinstein, D., “We Need Additional Privacy Laws Now: Legislation must strike a balance between the right to privacy and business needs” (August 20, 2001), www.informationweek. com/story/IWK20010817S0015. See note 1.
6 PERSONAL PRIVACY AND NATIONAL SECURITY
[Image not available in this electronic edition.]
Source: C. Slane, 2002. Used with permission.
Introduction The Patriot Act Echelon Carnivore Biometrics National ID Cards Oasis Fluent TEMPEST Summary
INTRODUCTION In the wake of 9/11, national security has been a subject at the top of everyone’s list. We have seen the government take actions to prevent such an event from occurring again. These actions include the implementation of new security measures at airports, new legislation to allow eas170
THE PATRIOT ACT
171
ier investigation and identification of terrorist activities, and the call for the use of new technologies to aid in this fight against those who would harm our nation and way of life. The sweeping and hopefully not rash legislation and technologies that have been proposed and in some instances implemented are: The Patriot Act, the use of Echelon and Carnivore (government surveillance systems), biometric technology like face recognition systems, and the use of national ID cards for all citizens. Each of these items has a set of issues and concerns that may affect personal privacy in the name of national security. In this chapter we will discuss each of these items, what it is, how it works, and its implications for privacy in the short and long term.
THE PATRIOT ACT The Patriot Act was the first direct change to a law as a result of the terrorist attacks on 9/11. This Act is also referred to as the “Anti-terrorism Surveillance Legislation.” The Patriot Act is 342 pages long and makes changes to over 15 different statutes. Items changed include: electronic surveillance, search warrants, funding of investigative taskforces, money laundering, financial records, seizure of funds, counterfeiting, protecting the borders, immigrant status and detentions, benefits for immigrants, authority to pay rewards for information, providing for victims of terrorism, information sharing between agencies, strengthening criminal laws against terrorism, and improving intelligence. Although executed in the name of fighting terrorism, the Patriot Act has aroused the fears of those concerned with rights that these amendments will not be used for anti-terrorism but for general crime fighting and for the repression of people, citizen or not. Some fear that the Act will impinge upon the privacy rights of individuals, turning hackers into “cyber-terrorists” and allowing for secret searches, for example. To help smooth over these fears and provide balance to the new law, most of the provisions that have been expanded to grant law enforcement agencies more power will expire in four years (12/31/2005). At that time or before the expiration, more legislation will be required to be passed to retain these new powers, or the refining of these laws will be made via other legislation as needed. Now let us outline these new powers and their implications and you can judge for yourself if they violate personal privacy in the name of national security. As this book is focused more on computer privacy, we will only discuss the legislation that affects computers and electronic privacy. Although electronic surveillance was already an integral part of law enforcement’s arsenal of investigative tools, the Patriot Act expands the use of wiretapping and surveillance tools, and clarifies definitions and use of information obtained via this surveillance. Via the Patriot Act, there are 11 amendments to previous laws that relate to Computer Crime and Electronic Evidence.
Section 202, Authority to Intercept Voice Communications in Computer Hacking Investigations Previous law. Investigators could not obtain a wiretap order to intercept wire communications (those involving the human voice) for violations of the Computer Fraud and Abuse Act. For example, in several investigations, hackers have stolen teleconferencing services from a telephone company and used it to plan and execute hacking attacks.
172
PERSONAL PRIVACY AND NATIONAL SECURITY
Amendment. Amends sections that list those crimes for which investigators may obtain a wiretap order for wire communications. This provision will sunset December 31, 2005. Effects on privacy. This amendment updates the laws to fit with the technology of today. If this amendment had not been made, then law enforcement could not legally investigate and prosecute violations of the Computer Fraud and Abuse Act.
Section 209, Obtaining Voice-mail and Other Stored Voice Communications Previous law. The Electronics Communications Privacy Act governed law enforcement access to stored electronic communications (such as e-mail), but not stored wire communications (such as voice mail). The statute governed such access because the definition of “wire communication” included stored communications, requiring law enforcement to use a wiretap order (rather than a search warrant) to obtain unopened voice mails. Thus, authorities used a wiretap order to obtain voice communications stored with a third-party provider but could use a search warrant if that same information were stored on an answering machine inside a suspect’s home. Furthermore, with new technology the original statute did not foresee that an e-mail could contain an attachment that was voice. Thus, the search warrant would not cover these attachments and required a separate wiretap order. Amendment. The amendments delete “electronic storage” of wire communications from the definition of “wire communication” and insert language to ensure that stored wire communications are covered under the same rules as stored electronic communications. Thus, law enforcement can now obtain such communications using the procedures (such as a search warrant), rather than those in the wiretap statute (such as a wiretap order). This provision will sunset December 31, 2005. Effects on privacy. This amendment updates the laws to fit the technology of today and streamlines law enforcement, in that it allows law enforcement to obtain a single warrant, a wiretap warrant, to allow them to review e-mails that contain voice attachments, rather than making them get a separate warrant, a search warrant, to listen to the voice attachment.
Section 210, Scope of Subpoena for Electronic Evidence Previous law. Allows the government to use a subpoena to compel a limited class of information, such as the customer’s name, address, length of service, and means of payment. The list of records that investigators could obtain with a subpoena did not include certain records (such as credit card number or other form of payment for the communication service) relevant to determining a customer’s true identity. In many cases, users register with Internet service providers using false names. In order to hold these individuals responsible for criminal acts committed on-line, the method of payment is an essential means of determining true identity. Moreover, many of the definitions were technology-specific, relating primarily to telephone communications. For example, the list included “local and long distance telephone toll billing records,” but did not include parallel terms for communications on computer networks, such as “records of session times and
THE PATRIOT ACT
173
durations.” Similarly, the previous list allowed the government to use a subpoena to obtain the customer’s “telephone number or other subscriber number or identity,” but did not define what that phrase meant in the context of Internet communications. Amendment. Updates and expands the narrow list of records that law enforcement authorities may obtain with a subpoena. The new subsection includes “records of session times and durations,” as well as “any temporarily assigned network address.” In the Internet context, such records include the Internet Protocol (IP) address assigned by the provider to the customer or subscriber for a particular session, as well as the remote IP address from which a customer connects to the provider. Obtaining such records will make the process of identifying computer criminals and tracing their Internet communications faster and easier. Moreover, the amendments clarify that investigators may use a subpoena to obtain the “means and source of payment” that a customer uses to pay for his or her account with a communications provider, “including any credit card or bank account number.” While generally helpful, this information will prove particularly valuable in identifying the users of Internet services where a company does not verify its users’ biographical information. (This section is not subject to the sunset provision of the Act.) Effects on privacy. This amendment updates laws to fit the technology of today by expanding the list of records law enforcement may obtain a subpoena for. This amendment allows law enforcement to request records of session times and durations of Internet use, call length, and payment sources, including any bank account and credit card numbers. This allows the law to investigate when a call or e-mail was made, how long a user was on the Internet, and how they paid for the session or call. These items can be key elements to finding a criminal.
Section 211, Clarify the Scope of the Cable Act Previous law. The law contains two different sets of rules regarding privacy protection of communications and their disclosure to law enforcement: one governing cable service (the “Cable Act”), and the other applying to the use of telephone service and Internet access (the wiretap statute, and the pen register and trap and trace statute (the “pen/trap” statute). The Cable Act set out an extremely restrictive system of rules governing law enforcement access to most records possessed by a cable company. For example, the Cable Act did not allow the use of subpoenas or even search warrants to obtain such records. Instead, the cable company had to provide prior notice to the customer (even if he or she were the target of the investigation), and the government had to allow the customer to appear in court with an attorney and then justify to the court the investigative need to obtain the records. The court could then order disclosure of the records only if it found by “clear and convincing evidence”—a standard greater than probable cause or even a preponderance of the evidence—that the subscriber was “reasonably suspected” of engaging in criminal activity. This procedure was completely unworkable for virtually any criminal investigation. The legal regime created by the Cable Act caused grave difficulties in criminal investigations because today, unlike in 1984 when Congress passed the Cable Act, many cable companies offer not only traditional cable programming services but also Internet
174
PERSONAL PRIVACY AND NATIONAL SECURITY
access and telephone service. In recent years, some cable companies have refused to accept subpoenas and court orders pursuant to the pen/trap statute and ECPA, noting the seeming inconsistency of these statutes with the Cable Act’s harsh restrictions. Amendment. Clarifies that ECPA, the wiretap statute, and the trap and trace statute govern disclosures by cable companies that relate to the provision of communication services—such as telephone and Internet services. The amendment preserves, however, the Cable Act’s primacy with respect to records revealing what ordinary cable television programming a customer chooses to purchase, such as particular premium channels or “pay per view” shows. Thus, in a case where a customer receives both Internet access and conventional cable television service from a single cable provider, a government entity can use legal process under ECPA to compel the provider to disclose only those customer records relating to Internet service. (This section is not subject to the sunset provision.) Effects on privacy. This amendment updates laws to fit the technology of today by allowing law enforcement to obtain warrants to review Internet access via cable networks, where previously this was not allowed under the Cable Act because when the Act was put into effect, there was no Internet access via Cable networks.
Section 212, Emergency Disclosures by Communications Providers Previous law. The law relating to voluntary disclosures by communication service providers was inadequate in two respects. First, it contained no special provision allowing providers to disclose customer records or communications in emergencies. If, for example, an Internet service provider (ISP) independently learned that one of its customers was part of a conspiracy to commit an imminent terrorist attack, prompt disclosure of the account information to law enforcement could save lives. Since providing this information did not fall within one of the statutory exceptions, however, an ISP making such a disclosure could be sued civilly. Second, prior to the Act, the law did not expressly permit a provider to voluntarily disclose non-content records (such as a subscriber’s login records) to law enforcement for purposes of self-protection, even though providers could disclose the content of communications for this reason. Yet the right to disclose the content of communications necessarily implies the less intrusive ability to disclose non-content records. Moreover, as a practical matter, providers must have the right to disclose to law enforcement the facts surrounding attacks on their systems. For example, when an ISP’s customer hacks into the ISP’s network, gains complete control over an e-mail server, and reads or modifies the e-mail of other customers; the provider must have the legal ability to report the complete details of the crime to law enforcement. Amendment. Corrects both of these inadequacies in previous law. Amends subsection to permit, but not require, a service provider to disclose to law enforcement either content or non-content customer records in emergencies involving an immediate risk of death or serious physical injury to any person. This voluntary disclosure, however, does not create an affirmative obligation to review customer communications in search of such imminent dangers.
THE PATRIOT ACT
175
The amendments also change ECPA to allow providers to disclose information to protect their rights and property. It accomplishes this change by two related sets of amendments. First, the amendments simplify the treatment of voluntary disclosures by providers (of content and non-content records alike). Second, an amendment to new subsection clarifies that service providers do have the statutory authority to disclose non-content records to protect their rights and property. All of these changes will sunset December 31, 2005. Effects on privacy. Protects companies that assist in investigations of crimes by not allowing them to be held liable for assisting law enforcement, thus violating consumer privacy.
Section 216, Pen Register and Trap and Trace Statute The pen register and trap and trace statute (the “pen/trap” statute) governs the prospective collection of non-content traffic information associated with communications, such as the phone numbers dialed by a particular telephone. Section 216 updates the pen/trap statute in three important ways: (1) the amendments clarify that law enforcement may use pen/trap orders to trace communications on the Internet and other computer networks; (2) pen/trap orders issued by federal courts now have nationwide effect; and (3) law enforcement authorities must file a special report with the court whenever they use a pen/trap order to install their own monitoring device (such as the FBI’s DCS1000, otherwise known as Carnivore) on computers belonging to a public provider. The following sections discuss these provisions in greater detail. (This section is not subject to the sunset provision.) Using Pen/Trap Orders to Trace Communications on Computer Networks
Previous law. When Congress enacted the pen/trap statute in 1986, it could not anticipate the dramatic expansion in electronic communications that would occur in the following fifteen years. Thus, the statute contained certain language that appeared to apply to telephone communications and that did not unambiguously encompass communications over computer networks. Although numerous courts across the country have applied the pen/trap statute to communications on computer networks, no federal district or appellate court has explicitly ruled on its propriety. Moreover, certain private litigants have challenged the application of the pen/trap statute to such electronic communications based on the statute’s telephone-specific language. Amendment. Clarifies that the pen/trap statute applies to a broad variety of communications technologies. References to the target “line,” for example, are revised to encompass a “line or other facility.” Such a facility might include, for example, a cellular telephone number; a specific cellular telephone identified by its electronic serial number; an Internet user account or e-mail address; or an Internet Protocol address, port number, or similar computer network address or range of addresses. In addition, because the statute takes into account a wide variety of such facilities, amendments now allow applicants for pen/trap orders to submit a description of the communications to be traced using any of these or other identifiers. Moreover, the amendments clarify that orders for the installation of pen register and trap and trace devices may obtain any non-content information—all “dialing, routing, addressing, and signaling information”—utilized in the processing and transmitting of wire and electronic communications. Such information includes IP addresses and port
176
PERSONAL PRIVACY AND NATIONAL SECURITY
numbers, as well as the “To” and “From” information contained in an e-mail header. Pen/trap orders cannot, however, authorize the interception of the content of a communication, such as words in the “subject line” or the body of an e-mail. Further, because the pen register or trap and trace “device” often cannot be physically “attached” to the target facility, Section 216 makes two other related changes. First, in recognition of the fact that such functions are commonly performed today by software instead of physical mechanisms, the amended statute allows the pen register or trap and trace device to be “attached or applied” to the target facility. Likewise, Section 216 revises the definitions of “pen register” and “trap and trace device” in section 3127 to include an intangible “process” (such as a software routine) which collects the same information as a physical device. Nationwide Effect of Pen/Trap Orders
Previous law. Under previous law, a court could only authorize the installation of a pen/trap device “within the jurisdiction of the court.” Because of deregulation in the telecommunications industry, however, many providers may carry a single communication. For example, a telephone call may be carried by a competitive local exchange carrier, which passes it to a local phone company, which passes it to a long distance carrier, which hands it to a local exchange carrier elsewhere in the United States, which in turn may finally hand it to a cellular carrier. If these carriers do not pass source information with each call, identifying that source may require compelling information from a string of providers located throughout the country—each requiring a separate order. Moreover, since, under previous law, a court could only authorize the installation of a pen/trap device within its own jurisdiction, when one provider indicated that the source of a communication was a different carrier in another district, a second order in the new district became necessary. This order had to be acquired by a supporting prosecutor in the new district from a local federal judge—neither of whom had any other interest in the case. Indeed, in one case investigators needed three separate orders to trace a hacker’s communications. This duplicative process of obtaining a separate order for each link in the communications chain has delayed or—given the difficulty of real-time tracing— completely thwarted important investigations. Amendment. Gives federal courts the authority to compel assistance from any provider of communication services in the United States whose assistance is appropriate to effectuate the order. For example, a federal prosecutor may obtain an order to trace calls made to a telephone within the prosecutor’s local district. The order applies not only to the local carrier serving that line, but also to other providers (such as long-distance carriers and regional carriers in other parts of the country) through whom calls are placed to the target telephone. In some circumstances, the investigators may have to serve the order on the first carrier in the chain and receive from that carrier information identifying the communication’s path to convey to the next carrier in the chain. The investigator would then serve the same court order on the next carrier, including the additional relevant connection information learned from the first carrier; the second carrier would then provide the connection information in its possession for the communication. The investigator would repeat this process until the order has been served on the originating carrier who is able to identify the source of the communication.
THE PATRIOT ACT
177
When prosecutors apply for a pen/trap order using this procedure, they generally will not know the name of the second or subsequent providers in the chain of communication covered by the order. Thus, the application and order will not necessarily name these providers. The amendments therefore specify that, if a provider requests it, law enforcement must provide a “written or electronic certification” that the order applies to that provider. The amendments also empower courts to authorize the installation and use of pen/trap devices in other districts. Thus, for example, if a terrorism or other criminal investigation based in Virginia uncovers a conspirator using a phone or an Internet account in New York, the Virginia court can compel communications providers in New York to assist investigators in collecting information under a Virginia pen/trap order. Consistent with the change above, the amendment eliminates the requirement that federal pen/trap orders specify their geographic limits. However, because the new law gives nationwide effect for federal pen/trap orders, the amendment imposes a “nexus” requirement: the issuing court must have jurisdiction over the particular crime under investigation. Reports for Use of Law Enforcement Pen/Trap Devices on Computer Networks
Section 216 of the Act also contains an additional requirement for the use of pen/trap devices in a narrow class of cases. Generally, when law enforcement serves a pen/trap order on a communication service provider that provides Internet access or other computing services to the public, the provider itself should be able to collect the needed information and provide it to law enforcement. In certain rare cases, however, the provider may be unable to carry out the court order, necessitating installation of a device (such as Etherpeek or the FBI’s DCS1000, otherwise known as Carnivore) to collect the information. In these infrequent cases, the amendments in section 216 require the law enforcement agency to provide the following information to the court under seal within thirty days: (1) the identity of the officers who installed or accessed the device; (2) the date and time the device was installed, accessed, and uninstalled; (3) the configuration of the device at installation and any modifications to that configuration; and (4) the information collected by the device. Effects on privacy. Updates laws to fit the technology of today and streamlines investigation for law enforcement by: (1) clarifying that law enforcement may use pen/trap orders to trace communications on the Internet and other computer networks; (2) granting pen/trap orders issued by federal courts nationwide effect; and (3) requiring law enforcement authorities to file a special report with the court whenever they use a pen/trap order to install their own monitoring device (such as the FBI’s DCS1000, otherwise known as Carnivore) on computers belonging to a public provider.
Section 217, Intercepting the Communications of Computer Trespassers Previous law. Although the wiretap statute allows computer owners to monitor the activity on their machines to protect their rights and property, until Section 217 of the Act was enacted it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring. This lack of clarity prevented law
178
PERSONAL PRIVACY AND NATIONAL SECURITY
enforcement from assisting victims to take the natural and reasonable steps in their own defense that would be entirely legal in the physical world. In the physical world, burglary victims may invite the police into their homes to help them catch burglars in the act of committing their crimes. The wiretap statute should not block investigators from responding to similar requests in the computer context simply because the means of committing the burglary happen to fall within the definition of a “wire or electronic communication” according to the wiretap statute. Indeed, because providers often lack the expertise, equipment, or financial resources required to monitor attacks themselves, they commonly have no effective way to exercise their rights to protect themselves from unauthorized attackers. This anomaly in the law created, as one commentator has noted, a “bizarre result,” in which a “computer hacker’s undeserved statutory privacy right trumps the legitimate privacy rights of the hacker’s victims.”1 Amendment. To correct this problem, the amendments in Section 217 of the Act allow victims of computer attacks to authorize persons “acting under color of law” to monitor trespassers on their computer systems. Under a new section, law enforcement may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before monitoring can occur, however, four requirements must be met. First, the owner or operator of the protected computer must authorize the interception of the trespasser’s communications. Second, the person who intercepts the communication must be lawfully engaged in an ongoing investigation. Both criminal and intelligence investigations qualify, but the authority to intercept ceases at the conclusion of the investigation. Third, the people acting under the color of law must have reasonable grounds to believe that the contents of the communication to be intercepted will be relevant to the ongoing investigation. Fourth, investigators are permitted to intercept only the communications sent or received by trespassers. Thus, this section would only apply where the configuration of the computer system allows the interception of communications to and from the trespasser, and not the interception of non-consenting users authorized to use the computer. Finally, section 217 of the Act creates a definition of “computer trespasser.” Such trespassers include any person who accesses a protected computer without authorization. In addition, the definition explicitly excludes any person “known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer.” For example, certain Internet service providers do not allow their customers to send bulk unsolicited e-mails (or “spam”). Customers who send spam would be in violation of the provider’s terms of service, but would not qualify as trespassers—both because they are authorized users and because they have an existing contractual relationship with the provider. These provisions will sunset December 31, 2005. Effects on privacy. This amendment updates laws to fit the technology of today and matches law to computer criminal activity. When the original Act was enacted it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring. This lack of clarity prevented law enforcement from assisting victims to take the natural and reasonable steps in their own defense that would be entirely legal in the physical world. Thus computer owners who lack expertise can request law enforcement to help track down trespassers on their systems.
THE PATRIOT ACT
179
Section 220, Nationwide Search Warrants for E-mail Previous law. Requires the government to use a search warrant to compel a provider to disclose unopened e-mail less than six months old. Because Rule 41 of the Federal Rules of Criminal Procedure requires that the “property” to be obtained be “within the district” of the issuing court, however, some courts have declined to issue warrants for e-mail located in other districts. Unfortunately, this refusal has placed an enormous administrative burden on those districts in which major ISPs are located, such as the Eastern District of Virginia and the Northern District of California, even though these districts may have no relationship with the criminal acts under investigation. In addition, requiring investigators to obtain warrants in distant jurisdictions has slowed timesensitive investigations. Amendment. Allows investigators to use warrants to compel records outside of the district in which the court is located, just as they use federal grand jury subpoenas and orders. This change enables courts with jurisdiction over investigations to compel evidence directly, without requiring the intervention of agents, prosecutors, and judges in the districts where major ISPs are located. This provision will sunset December 31, 2005. Effects on privacy. Streamlines law enforcement by allowing one warrant to be used across multiple jurisdictions, thus only one warrant is needed instead of many.
Section 814, Deterrence and Prevention of Cyberterrorism Section 814 makes a number of changes to improve the Computer Fraud and Abuse Act. This section increases penalties for hackers who damage protected computers (from a maximum of 10 years to a maximum of 20 years); clarifies the mens rea required for such offenses to make explicit that a hacker need only intend damage, not a particular type of damage; adds a new offense for damaging computers used for national security or criminal justice; expands the coverage of the statute to include computers in foreign countries so long as there is an effect on U.S. interstate or foreign commerce; counts state convictions as “prior offenses” for purpose of recidivist sentencing enhancements; and allows losses to several computers from a hacker’s course of conduct to be aggregated for purposes of meeting the $5,000 jurisdictional threshold. The following discussion analyzes these and other provisions in more detail. Section 1030(c), Raising the Maximum Penalty for Hackers That Damage Protected Computers and Eliminating Mandatory Minimums
Previous law. Under previous law, first-time offenders could be punished by no more than five years’ imprisonment, while repeat offenders could receive up to ten years. Certain offenders, however, can cause such severe damage to protected computers that this fiveyear maximum did not adequately take into account the seriousness of their crimes. For example, David Smith pled guilty to releasing the “Melissa” virus that damaged thousands of computers across the Internet. Although Smith agreed, as part of his plea, that his conduct caused over $80,000,000 worth of loss (the maximum dollar figure contained in the Sentencing Guidelines), experts estimate that the real loss was as much as ten times that amount.
180
PERSONAL PRIVACY AND NATIONAL SECURITY
In addition, previous law set a mandatory sentencing guidelines minimum of six months’ imprisonment for violations, including accessing a protected computer with the intent to defraud. Amendment. Section 814 of the Act raises the maximum penalty for violations for damaging a protected computer to ten years for first offenders, and twenty years for repeat offenders. Congress did choose to eliminate all mandatory minimum guidelines sentencing for violations. Subsection 1030(c)(2)(C) and (e)(8), Hackers Need Only Intend to Cause Damage, Not a Particular Consequence or Degree of Damage
Previous law. Under previous law an offender had to “intentionally [cause] damage without authorization.” Section 1030 defined “damage” as impairment to the integrity or availability of data, a program, a system, or information that (1) caused loss of at least $5,000; (2) modified or impairs medical treatment; (3) caused physical injury; or (4) threatened public health or safety. The question repeatedly arose, however, whether an offender must intend the $5,000 loss or other special harm, or whether a violation occurs if the person only intends to damage the computer, that in fact ends up causing the $5,000 loss or harming the individuals. It appears that Congress never intended that the language contained in the definition of “damage” would create additional elements of proof of the actor’s mental state. Moreover, in most cases, it would be almost impossible to prove this additional intent. Amendment. Section 814 of the Act restructures the statute to make clear that an individual need only intend to damage the computer or the information on it, and not a specific dollar amount of loss or other special harm. The amendments move these jurisdictional requirements to explicitly making them elements of the offense, and define “damage” to mean “any impairment to the integrity or availability of data, a program, a system or information.” Under this clarified structure, in order for the government to prove a violation, it must show that the actor caused damage to a protected computer (with one of the listed mental states), and that the actor’s conduct caused either loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety. Section 1030(c), Aggregating the Damage Caused By a Hacker’s Entire Course of Conduct
Previous law. Previous law was unclear about whether the government could aggregate the loss resulting from damage an individual caused to different protected computers in seeking to meet the jurisdictional threshold of $5,000 in loss. For example, an individual could unlawfully access five computers on a network on ten different dates—as part of a related course of conduct—but cause only $1,000 loss to each computer during each intrusion. If previous law were interpreted not to allow aggregation, then that person would not have committed a federal crime at all since he or she had not caused over $5,000 loss to any particular computer. Amendment. Under the amendments in Section 814 of the Act, the government may now aggregate “loss resulting from a related course of conduct affecting one or more other protected computers” that occurs within a one-year period in proving the $5,000 jurisdictional threshold for damaging a protected computer.
THE PATRIOT ACT
181
1030(c)(2)(C), New Offense for Damaging Computers Used for National Security and Criminal Justice
Previous law. Section 1030 previously had no special provision that would enhance punishment for hackers who damage computers used in furtherance of the administration of justice, national defense, or national security. Thus, federal investigators and prosecutors did not have jurisdiction over efforts to damage criminal justice and military computers where the attack did not cause over $5,000 loss (or meet one of the other special requirements). Yet these systems serve critical functions and merit felony prosecutions even where the damage is relatively slight. Indeed, attacks on computers used in the national defense that occur during periods of active military engagement are particularly serious—even if they do not cause extensive damage or disrupt the warfighting capabilities of the military—because they divert time and attention away from the military’s proper objectives. Similarly, disruption of court computer systems and data could seriously impair the integrity of the criminal justice system. Amendment. Amendments in Section 814 of the Act created a section to solve this inadequacy. Under this provision, a hacker violates federal law by damaging a computer “used by or for a government entity in furtherance of the administration of justice, national defense, or national security,” even if that damage does not result in provable loss over $5,000. Subsection 1030(e)(2), Expanding the Definition of “Protected Computer” to Include Computers in Foreign Countries
Previous law. Before the amendments in Section 814 of the Act, section 1030 of title 18 defined “protected computer” as a computer used by the federal government or a financial institution, or one “which is used in interstate or foreign commerce.” The definition did not explicitly include computers outside the United States. Because of the interdependency and availability of global computer networks, hackers from within the United States are increasingly targeting systems located entirely outside of this country. The statute did not explicitly allow for prosecution of such hackers. In addition, individuals in foreign countries frequently route communications through the United States, even as they hack from one foreign country to another. In such cases, their hope may be that the lack of any U.S. victim would either prevent or discourage U.S. law enforcement agencies from assisting in any foreign investigation or prosecution. Amendment. Section 814 of the Act amends the definition of “protected computer” to make clear that this term includes computers outside of the United States so long as they affect “interstate or foreign commerce or communication of the United States.” By clarifying the fact that a domestic offense exists, the United States can now use speedier domestic procedures to join in international hacker investigations. As these crimes often involve investigators and victims in more than one country, fostering international law enforcement cooperation is essential. In addition, the amendment creates the option, where appropriate, of prosecuting such criminals in the United States. Since the United States is urging other countries to ensure that they can vindicate the interests of U.S. victims for computer crimes that originate in their nations, this provision will allow the United States to provide reciprocal coverage.
182
PERSONAL PRIVACY AND NATIONAL SECURITY
Subsection 1030(e)(10), Counting State Convictions as “Prior Offenses”
Previous law. Under previous law, the court at sentencing could, of course, consider the offender’s prior convictions for State computer crime offenses. State convictions, however, did not trigger the recidivist sentencing provisions of section 1030, which double the maximum penalties available under the statute. Amendment. Section 814 of the Act alters the definition of “conviction” so that it includes convictions for serious computer hacking crimes under State law (i.e., State felonies where an element of the offense is “unauthorized access, or exceeding authorized access, to a computer”). Subsection 1030(e)(11), Definition of “Loss”
Previous law. Calculating “loss” is important where the government seeks to prove that an individual caused over $5,000 loss in order to meet the jurisdictional requirements. Yet prior to the amendments in Section 814 of the Act, section 1030 of title 18 had no definition of “loss.” The only court to address the scope of the definition of loss adopted an inclusive reading of what costs the government may include. In United States v. Middleton, the court held that the definition of loss includes a wide range of harms typically suffered by the victims of computer crimes, including costs of responding to the offense, conducting a damage assessment, restoring the system and data to their condition prior to the offense, and any lost revenue or costs incurred because of interruption of service. Amendments. Amendments in Section 814 codify the appropriately broad definition of loss adopted in Middleton. Effects on privacy. Update laws to match penalties with the crime. This amendment increases penalties for hackers who damage protected computers (from a maximum of 10 years to a maximum of 20 years); clarifies the mens rea required for such offenses to make explicit that a hacker need only intend damage, not a particular type of damage; adds a new offense for damaging computers used for national security or criminal justice; expands the coverage of the statute to include computers in foreign countries so long as there is an effect on U.S. interstate or foreign commerce; counts state convictions as “prior offenses” for the purpose of recidivist sentencing enhancements; and allows losses to several computers from a hacker’s course of conduct to be aggregated for purposes of meeting the $5,000 jurisdictional threshold.
Section 815, Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests Section 815 added to an existing defense to a cause for damages for violations of the Electronic Communications Privacy Act. Previous law. Under prior law it was a defense to such a cause of action to rely in good faith on a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization. Amendment. This amendment makes clear that the “statutory authorization” defense includes good-faith reliance on a government request to preserve evidence.
ECHELON
183
Effects on privacy. Clarifies that the entity from which evidence is retrieved and stored should preserve that evidence in good faith.
Section 816, Development and Support of Cybersecurity Forensic Capabilities Section 816 requires the Attorney General to establish such regional computer forensic laboratories, as he considers appropriate, and to provide support for existing computer forensic laboratories, to enable them to provide certain forensic and training capabilities. The provision also authorizes the spending of money to support those laboratories.
ECHELON Echelon is the term popularly used for an automated global interception and relay system operated by the intelligence agencies in five nations: the United States, the United Kingdom, Canada, Australia, and New Zealand (it is believed that Echelon is the code name for the portion of the system that intercepts satellite-based communications). While the United States National Security Agency (NSA) takes the lead, Echelon works in conjunction with other intelligence agencies, including the Australian Defense Signals Directorate (DSD). It is believed that Echelon also works with Britain’s Government Communications Headquarters (GCHQ) and the agencies of other allies of the United States, pursuant to various treaties. According to reports, Echelon is capable of intercepting and processing many types of transmissions, throughout the globe. In fact, it has been suggested that Echelon may intercept as many as 3 billion communications everyday, including phone calls, e-mail messages, Internet downloads, satellite transmissions, and so on. The Echelon system gathers all of these transmissions indiscriminately, and then distills the information that is most heavily desired through artificial intelligence programs. Some sources have claimed that Echelon sifts through an estimated 90 percent of all traffic that flows through the Internet. However, the exact capabilities and goals of Echelon remain unclear. For example, it is unknown whether Echelon actually targets domestic communications. Also, it is apparently very difficult for Echelon to intercept certain types of transmissions, particularly fiber communications. The U.S. government has gone to extreme lengths to keep Echelon a secret. To this day, the U.S. government refuses to admit that Echelon even exists. We know it exists because both the governments of Australia (through its Defense Signals Directorate) and New Zealand have admitted to this fact. However, even with this revelation, U.S. officials have refused to comment. This “wall of silence” is beginning to erode. The first report on Echelon was published in 1988. In addition, besides the revelations from Australia, the Scientific and Technical Options Assessment program office (STOA) of the European Parliament commissioned two reports, which describe Echelon’s activities. These reports unearthed a startling amount of evidence, which suggests that Echelon’s powers may have been underestimated. The first report, entitled “An Appraisal of Technologies of Political Control,” suggested that Echelon primarily targeted civilians.2 Echelon works by collecting data in several ways. Reports suggest it has massive groundbased radio antennae to intercept satellite transmissions. In addition, some sites reputedly are tasked with tapping surface traffic. These antennae reportedly are in the United States, Italy,
184
PERSONAL PRIVACY AND NATIONAL SECURITY
England, Turkey, New Zealand, Canada, Australia, and several other places. Similarly, it is believed that Echelon uses numerous satellites to catch “spillover” data from transmissions between cities. These satellites then beam the information down to processing centers on the ground. The main centers are in the United States (near Denver), England (Menwith Hill), Australia, and Germany. According to various sources,3 Echelon also routinely intercepts Internet transmissions. The organization allegedly has installed numerous “sniffer” devices. These “sniffers” collect information from data packets as they traverse the Internet via several key junctions. It also uses search software to scan for Web sites that may be of interest. After capturing this raw data, Echelon sifts through the data using DICTIONARY. DICTIONARY is actually a special system of computers, which finds pertinent information by searching for keywords, addresses, and so forth. These search programs help pare down the voluminous quantity of transmissions which pass through the Echelon network every day. These programs also seem to enable users to focus on any specific subject upon which information is desired. The original purpose of Echelon was to protect national security. That purpose continues today. For example, we know that Echelon is gathering information on North Korea. Sources from Australia’s DSD have disclosed this much because Australian officials help operate the facilities there which scan through transmissions, looking for pertinent material. However, national security is not Echelon’s only concern. Reports have indicated that industrial espionage has become a part of Echelon’s activities.4 While present information seems to suggest that only high-ranking government officials have direct control over Echelon’s tasks, the information that is gained may be passed along at the discretion of these very same officials. As a result, much of this information has been given to American companies, in apparent attempts to give these companies an edge over their less knowledgeable counterparts. There are concerns that Echelon’s actions may be used to stifle political dissent. Many of these concerns were voiced in a report commissioned by the European Parliament. What is more, there are no known safeguards to prevent such abuses of power. Echelon is a highly classified operation, which is conducted with little or no oversight by national parliaments or courts. Most of what is known comes from whistleblowers and classified documents. The simple truth is that there is no way to know precisely what Echelon is being used for, but there is evidence, much of it circumstantial, that Echelon (along with its British counterpart) has been engaged in significant invasions of privacy. These alleged violations include secret surveillance of political organizations, such as Amnesty International. It has also been reported that Echelon has engaged in industrial espionage on various private companies such as Airbus Industries and Panavia, and then has passed along the information to their American competitors.5 It is unclear just how far Echelon’s activities have harmed private individuals. What is even more disquieting is that, if these allegations are proven to be true, the NSA and its compatriot organizations may have circumvented countless laws in numerous countries. Many nations have laws in place to prevent such invasions of privacy. However, there are suspicions that Echelon has engaged in subterfuge to avoid these legal restrictions. For example, it is rumored that nations would not use their own agents to spy on their own citizens, but assign the task to agents from other countries. In addition, as mentioned earlier, it is unclear just what legal standards Echelon follows, if any actually exist. Thus, it is difficult to say what could prevent Echelon from abusing its remarkable capabilities. On September 5, 2001, the European Union voted to adopt recommendations designed to counter Echelon. Also included is a recommendation that the EU and the United States draw up rules strengthening international laws on data and privacy protection.
CARNIVORE
185
CARNIVORE The terrorist attacks on the United States are likely to give federal officials justification to continue or even expand surveillance techniques such as the FBI’s controversial DCS-100 technology, known as Carnivore. When attached to an ISP’s server, Carnivore can filter large amounts of e-mail to identify and capture messages to and from targeted suspects.6 This Internet surveillance program, which is currently being used by the U. S. government, is somewhat similar to Echelon. Contrary to prior assertions, a subsequent governmentcommissioned review panel found that Carnivore is indeed capable of collecting all communications over the segment of the network being surveyed: “The results show that all TCP communications on the network segment being sniffed were captured by Carnivore.” Moreover, the default configuration is to do just that: “When turning on TCP full mode collection and not selecting any port, the default is to collect traffic from all TCP ports.”7 Carnivore is now being replaced by an even more powerful system, known as DCS 1000 or Enhanced Carnivore, which reportedly has higher capacity in order to deal with speedier broadband networks. The U.S. government also has issued a controversial field guidance memorandum regarding the installation and operation for this family of surveillance tools. The controversial Carnivore system centers around a Windows-based system located at U.S. and other ISP and carrier control centers, monitoring Internet traffic on a stored basis. The FBI and other U.S. agencies usually retrieve encrypted data from each Carnivore system on a regular basis. Kevin V. Di Gregory, Deputy Assistant Attorney General, U.S. Department of Justice described Carnivore, how it works, and how the FBI uses it:8 Carnivore is simply an investigative tool that is used online only under narrowly defined circumstances, and only when authorized by law, to meet our responsibilities to the public. When a criminal uses e-mail to send a kidnapping demand, to buy and sell illegal drugs or to distribute child pornography, law enforcement needs to know to whom he is sending messages and from whom he receives them. To get this information, we obtain a court order, which we serve on the appropriate service provider. Because of the nature of Internet communications, the addressing information (which does not include the content of the message) is often mixed in with a lot of other non-content data that we have no desire to gather. If the service provider can comply with the order and provide us with only the addressing information required by court order, it will do so and we will not employ Carnivore. If, however, the service provider is unwilling or unable to comply with the order, we simply cannot give a criminal a free pass. It is for that narrow set of circumstances that the FBI designed Carnivore. Carnivore is, in essence, a special filtering tool that can gather the information authorized by court order, and only that information. It permits law enforcement, for example, to gather only the e-mail addresses of those persons with whom the drug dealer is communicating, without allowing any human being, either from law enforcement or the service provider, to view private information outside of the scope of the court’s order. In other words, Carnivore is a minimization tool that permits law enforcement strictly to comply with court orders, strongly to protect privacy, and effectively to enforce the law to protect the public interest. In addition, Carnivore creates an audit trail that demonstrates exactly what it is capturing. As with any other investigative tools, there are many mechanisms we have in place to prevent against possible misuse of Carnivore, and to remedy misuse that has occurred. The Fourth Amendment, of course, restricts what law enforcement can do with Carnivore, as do the statutory requirements of Title III and the Electronic Communications Privacy Act, and the courts.
186
PERSONAL PRIVACY AND NATIONAL SECURITY
Carnivore itself also contains self-regulating features. For example, because of its sophisticated passive filtering features, it automates the process of minimization without intrusive monitoring by investigators, and simply disregards packets of information that do not satisfy the criteria in the court’s authorization. Indeed, one of the most powerful privacyprotecting features of Carnivore is its ability to ignore information that is outside the scope of the court-ordered authority. For later verification, it also logs the filter settings. In addition, as a practical matter, Carnivore is not deployed except with close cooperation with the appropriate system provider. In any event, the FBI does not use Carnivore in every instance in which the court orders a Title III electronic communication intercept. Indeed, I understand that the Bureau uses Carnivore only in those instances when the service provider is unable to comply with the court order using its own equipment, or when the provider asks the FBI to use Bureau equipment. As I testified in April, we face three major categories of challenges in trying to keep the Internet a safe and secure place for our citizens. These are: 1. Technical challenges that hamper law enforcement’s ability to locate and prosecute criminals that operate online 2. Certain substantive and procedural laws that have not kept pace with the changing technology, creating significant legal challenges to effective investigation and prosecution of crime in cyberspace 3. Resource needs that must be addressed to ensure that law enforcement can keep pace with changing technology and has the ability to hire and train people to fight cybercrime Carnivore is an investigative tool that assists us in meeting the first challenge. As we have witnessed, tracking a criminal online is not always an impossible task using our investigative tools. For example, last year federal and state law enforcement combined to successfully apprehend the creator of the Melissa virus and the individual who created a fraudulent Bloomberg News Service website in order to artificially drive up the stock price of PairGain, a telecommunications company based in California. Although we are proud of these important successes, we still face significant challenges as online criminals become more and more sophisticated.
BIOMETRICS A biometric is, as its name suggests, a measurement of a biological characteristic. Fingerprints are the best-known example, but others include hand geometry, iris scanning, and facial recognition. Because biometrics cannot be lost, forgotten, or passed from one person to another, and are hard to forge, they are already used widely as security measures. Biometric systems are employed for two main purposes. The first is identification (“Who is this person?”), in which a subject’s identity is determined by comparing a measured biometric against a database of stored records. The second is verification (“Is this person who he claims to be?”), which compares a measured biometric with one known to come from a particular person. All biometrics can be used for verification, but only those that are unique to an individual— notably fingerprints, iris scanning, and facial recognition—can be used for identification. As a result, different biometrics are used for different kinds of security checks.
BIOMETRICS
187
Biometrics is widely employed for access control—to ensure that only authorized people gain entry to particular rooms or buildings. Hand-geometry systems, which measure the shape, size, and other characteristics (such as finger length) of some or all of the hand, are used to control access and check identities at airports, offices, factories, schools, hospitals, nuclear-power plants, and high-security government buildings. Since hand geometry is a verification, not an identification technology (people’s hands are more similar than their fingerprints), users are required to make a claim about who they are—by swiping a card, for example—before a scan. The biometric template of the person they claim to be (which can be stored on the card itself) is then compared with the scan. A well-known example of the technology is the INPASS program, which allows frequent travelers to the United States to skip immigration queues at large airports by swiping a card and placing their hand on a scanner. In theory, this idea could be extended to require passports to contain a hand-geometry biometric, which could be compared with the holder’s hand. That would make passports harder to forge. But it would also require international agreement and cooperation over biometric standards. There would appear to be considerable scope for wider use of access-control technology. In security tests carried out at 83 airports last year by America’s Federal Aviation Authority (FAA), attempts to gain access to secure areas succeeded 31% of the time, and inspectors successfully boarded planes in 82 cases. But a report published by the Department of Transportation found that most of these security violations were due to human factors: airport staff failed to ensure that doors closed properly behind them and did not challenge people they met in unauthorized areas. Biometrics cannot do anything about that. This summer, the FAA proposed new rules under which airport staff could be fined as much as $11,000 for holding doors open for others, or allowing friends into secure areas. Another biometric technology that is starting to appear in airports is iris scanning. This is used in dozens of jails in America to identify prisoners, staff, and visitors, ensuring that the right people are let in and out. Iris scanners have also been tested by banks in a number of countries to identify users of cash machines. Since the iris scan identifies each customer, there is no need to insert a bankcard or remember a personal identification number. Iris scanners are being tried out in several airports to let frequent flyers step up to a machine and get their boarding cards automatically. But all this does is make it more likely that the person who gets on a plane is the rightful ticket-holder. The terrorists responsible for the attacks on the United States appear to have traveled under their own names and with their own passports. Iris scanners would not have stopped them. Facial recognition, on the other hand, is unique among biometrics in that it can be used passively—in other words, an image of a face can be compared with a database of suspects without the subject’s knowledge. Such systems, connected to a network of closed-circuit television (CCTV) cameras, are already used to spot criminals and football hooligans in Britain. The traditional objections to facial-recognition systems—that they violate privacy, and could end up being used to pick out people with overdue parking tickets, as well as terrorists— are likely to be drowned out in the fearful atmosphere following the 9/11 attacks. But according to Richard Smith of the Privacy Foundation, a lobby group based in Denver, Colorado, even if facial-recognition systems were in place, the technology would not be a silver bullet. Most of the hijackers, he notes, were not suspected terrorists, so no pictures of them were available. And in the case of the two who were suspects, attempts to track them down had begun only a few weeks before the attack. He concludes that a breakdown in communications, rather than inadequate technology, is the problem.9
188
PERSONAL PRIVACY AND NATIONAL SECURITY
Throughout the nation and the world, the debate on the privacy implications of face recognition and other surveillance technologies is heating up. In January 2001, the city of Tampa used the technology to scan the faces of people in crowds at the Super Bowl, comparing them with images in a database of digital mug shots. Earlier this year, Privacy International gave the 2001 Big Brother Award for “Worst Public Official” to the City of Tampa for spying on Super Bowl attendees. Tampa has since installed cameras equipped with face-recognition technology in their Ybor City nightlife district, where they have since encountered opposition from people wearing masks and making obscene gestures at the cameras. In late August 2001, a member of the Jacksonville, Florida City Council proposed legislation to keep the technology out of Jacksonville. But resistance to the technology, which the companies tout as nonintrusive, is expected to fade as the public becomes accustomed to stronger security measures following the attacks. “There is a mind-set that we shouldn’t do it because it infringes on privacy, but in the long run we will deploy these technologies as necessary,”10 said Rob Atkinson, director of the New Economy and Technology Project at the Progressive Policy Institute, Washington. Following the attacks, integrators will be looking not only at traditional applications of facial-recognition technology for law enforcement and criminal justice, but also at creative ways it might be applied to sectors where it has not been used before, such as health and human services, said analysts and industry officials. For example, integrators helping government agencies comply with the security and privacy requirements of the Health Insurance Portability and Accountability Act may want to use facial-recognition software to control who has access to medical records.11 Security experts warn that facial scanning is not a panacea for Internet security or protection against criminals or terrorists. Indeed, they are urging agencies and departments at all levels of government to deploy the technology gradually and to allow it to reach full maturity. “It’s proven for 1-1 matches, but we’re uncertain how it will work on a 1-to-many basis,” Atkinson said. As time elapses, “systems will improve and have fewer false positives,”12 he said. Facial scanning is not completely effective at identifying individuals in crowds, it is not immune to adverse photographic conditions, and it cannot always adjust to subject appearance over time, according to the International Biometric Group (IBG). Facial scanning is not as reliable as, for example, fingerprinting or iris scanning, said Michael Thieme, an IBG senior consultant. “It’s not going to redefine criminal justice, and it won’t replace fingerprinting,”13 he said. Still, using facial scanning in public places could significantly deter criminal and terrorist activity, Thieme said. “It’s useful when used as a deterrence,” he said. “But it’s not helpful if it is not advertised that it is being used.” The issue has grown much larger as of fall 2001. Now more than ever, in the wake of the terrorist attacks on the United States, privacy advocates, citizen groups, political leaders, and the manufacturers of the technology itself are debating whether these technologies should be permitted in certain situations, especially as a security measure in U.S. airports, and if so, how they should be regulated to protect the privacy of the public. The uses for biometric security are varied and growing. The technology is used to verify attendance (a foolproof time clock for manufacturing facilities, for instance) or control physical access. At Walt Disney World, for example, yearly passes are keyed to people’s fingerprints to ensure that passes aren’t shared. Beginning in 2002, some companies will begin issuing smart credit cards, with customers’ fingerprint information embedded. Beyond that, ATMs and other kiosks will have face or voice scanners. Once the technology proves itself, we’ll see biometrics on PDAs, cell phones, and other wireless devices.
BIOMETRICS
189
But perhaps the biggest growth area for biometrics is in replacing or complementing password security for corporate networks. Why? “It’s fairly easy to break or guess passwords, because there are only about 80,000 common English words used by most people,”14 explains Bill Bozman of Secure Computing, a San Jose, California-based firm specializing in security systems for e-business. Most passwords have personal meaning (a pet’s name, a favorite food, a child’s nickname) which makes them easier to remember—and also easier to guess by others. If they aren’t easy to remember, people write them down and keep the paper somewhere near their computer—pretty much defeating the purpose. Passwords are also high-maintenance, since they should be changed periodically to conform to proper security procedures. What’s more, the inconvenience of network passwords actually costs businesses money. As Internet use increases, security and privacy become intertwined with issues of accessibility and trust. Last year, lawmakers passed the Electronic Signatures bill into law, which made digital contracts legally binding. All this has led to the proliferation of certificate organizations, such as VeriSign, and encryption schemes, such as Public Key Infrastructure (more commonly known as PKI) to increase users’ confidence in Internet transactions. Such certificates establish systems and methodologies for identifying the source of on-line documents and data and confirming that they haven’t been tampered with or otherwise changed en route to the recipient. Biometrics provides the last necessary ingredient for doing business electronically—assurance that the other person is who he or she claims to be. One thing is certain: Remaining anonymous with so much biometric technology on the way will become increasingly difficult. But then again, you should have fewer identity crises. Given a digital image of a person’s face, face-recognition software matches it against a database of other images. If any of the stored images matches closely enough, the system reports the sighting to its owner. Research on automatic face-recognition has been around for decades, but accelerated in the 1990s. Now it is becoming practical, and face-recognition systems are being deployed on a large scale. Legal constraints on the practice in the United States are minimal. (In Europe the data protection laws will apply, providing at least some basic rights of notice and correction.) Databases of identified facial images already exist in large numbers (driver’s license and employee ID records, for example), and new facial-image databases will not be hard to construct, with or without the knowledge or consent of the people whose faces are captured. As the database of facial images grows bigger, the chance of a false match to one of those images grows proportionally larger. Philip E. Agre, Department of Information Studies, UCLA, relates some statistics that support the futility of using face recognition in crowded places such as airports: Face recognition is nearly useless for the application that has been most widely discussed since the September 11th attacks on New York and Washington: identifying terrorists in a crowd. The reasons why are statistical. Let us assume, with extreme generosity, that a face recognition system is 99.99 percent accurate. In other words, if a high-quality photograph of your face is not in the “terrorist watch list” database, then it is 99.99 percent likely that the software will not produce a match when it scans your face in real life. Then let us say that one airline passenger in ten million has their face in the database. Now, 99.99 percent probably sounds good. It means one failure in 10,000. In scanning ten million passengers, however, one failure in 10,000 means 1,000 failures—and only one correct match of a real terrorist. In other words, 999 matches out of 1,000 will be false, and each of those false matches will cost time and effort that could have been spent protecting security in other
190
PERSONAL PRIVACY AND NATIONAL SECURITY
ways. Perhaps one would argue that 1,000 false alarms are worth the benefits of one hijacking prevented. Once the initial shock of the recent attacks wears off, however, the enormous percentage of false matches will condition security workers to assume that all positive matches are mistaken. The great cost of implementing and maintaining the face recognition systems will have gone to waste. The fact is, spotting terrorists in a crowd is a needle-in-ahaystack problem, and automatic face recognition is not a needle-in-a-haystack-quality technology. Hijackings can be prevented in many ways, and resources should be invested in the measures that are likely to work.15
NATIONAL ID CARDS Almost from the day the planes hit the World Trade Center and the Pentagon, members of Congress, security experts, and high-tech executives have endorsed the idea of some new form of identification system as a critical weapon in the fight against terrorism. They believe the cards, linked to giant databases, would be invaluable in preventing terrorists from operating under assumed names and identities. The nation’s new consciousness of terrorism, a product of both the fear and anger engendered by September 11, has markedly changed the way Americans think about security, surveillance, and their civil liberties. For many people, the trade-off of less privacy for more security now seems reasonable. As Alan M. Dershowitz, a Harvard University law professor, wrote in October in endorsing a national ID card, the “fear of an intrusive government can be addressed by setting criteria for any official who demands to see the card. Even without a national card, people are always being asked to show identification,” he said. “The existence of a national card need not change the rules about when ID can properly be demanded.”16 In a recent Washington Post-ABC News poll, almost three of four people said they support government eavesdropping on telephone conversations between terrorist suspects and their lawyers. For the first time, there is also strong support for secret tribunals for terrorist suspects and more government wiretapping. On the specific question of a national ID card, about 70 percent of those recently polled by the Pew Research Center said they favor a system that would require people to show a card to authorities who request it.17 To be sure, the political hurdles to a national ID card remain huge. President Bush has publicly downplayed their benefits, saying they’re unnecessary to improve security. Bush’s new cyberspace security chief, Richard Clarke, recently said he “does not think it’s a very smart idea.”18 A range of steps now underway could lead to a de facto national ID system that could accomplish many of the same goals. The American Association of Motor Vehicle Administrators, for example, a group of state officials, is devising a plan to create a national identification system that would link all driver databases to high-tech driver’s license cards with computer chips, bar codes, and biometric identifiers.19 The Air Transport Association, meanwhile, has called for the creation of a voluntary travel card for passengers that would include a biometric identifier. They proposed linking the card to a system of government databases that would include criminal, intelligence, and financial records. Passengers who agree to use the card would have easier access to airplanes.20 Much of the momentum for a card has been generated by the fact that five of the 19 terrorists involved in the attacks on New York and at the Pentagon were able to obtain Social Security numbers, even with false identities. The other 14 probably made up or appropriated other
NATIONAL ID CARDS
191
numbers and used them for false identification, according to Social Security officials.21 At least seven of the hijackers also obtained Virginia state ID cards, which would serve as identification to board a plane, even though they lived in Maryland motels. “If we can’t be sure when interacting that someone is who they purport to be, where are we?” said James G. Huse, Jr., the Social Security Administration’s inspector general.22 Over the years, the government has found myriad ways to get involved in the identity business—passports, for one, or state-issued drivers’ licenses. A Social Security number is a ubiquitous identifier, now used far beyond its original purpose. Still, there is broad recognition that existing forms of identification are inadequate, an awareness that has been fueled by an explosion in the number of financial crimes in which fraud artists adopt the identity of their victims. Social Security cards contain no authenticating information, such as pictures, and they can be easily forged. Pilot licenses are often printed on paper. Driver’s licenses, even those now designed to be tamper-proof, also are vulnerable to abuse because they can be obtained with fraudulent birth certificates, Social Security cards, and other documentation. Tamper-proof smart cards don’t necessarily worry privacy advocates, who have made identity theft a banner issue in recent years. What does trouble them is the more complex question of whether a national ID system should go beyond simple authentication of an individual’s identity. In the world before September 11, a large majority of Americans expressed concerns about personal privacy in surveys, and those concerns focused on the increasing collection of data— names, addresses, buying habits, and movements—by businesses interested in developing ever more sophisticated marketing campaigns. At the same time, they also demonstrated a willingness to surrender personal information for discounts or conveniences, such as cheaper groceries, faster passage through tollbooths, and upgrades on airline travel, one reason for an enormous growth in databases in recent years. “It’s massive,” said Judith DeCew, a Clark University professor and author of In Pursuit of Privacy: Law, Ethics and the Rise of Technology. “It’s financial information. It’s credit information. It’s medical records, insurance records, what you buy, calls you make. Almost every action or activity you participate in while living a normal life potentially generates a huge database about you.”23 State and federal governments also expanded their data networks and use of personal information. Nearly every time police make a traffic stop, for example, they tap into National Crime Information Center databases to check whether the driver is a known criminal or suspect. And as part of a new and aggressive effort to track down parents who owe child support, the federal government created a vast, computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers, and wages of nearly every working adult in the United States. Under the system, banks are obligated to search through lists of accounts for deadbeats, or turn the data over to the government. Privacy groups are troubled by the evolving uses agencies, marketers, and others find for the new databases. Law enforcement authorities and private attorneys, for instance, regularly use subpoena power now to gain access to grocery, toll, and a bonanza of other kinds of privately collected data for use in civil and criminal cases. And many of the databases that grew so quickly in recent years are now being studied for their potential value to law enforcement authorities. A centralized ID database system would dramatically speed verification and make life more convenient for travelers, airlines, and others. The disadvantage, according to civil liberties activists, is that agencies would gain access to unprecedented amounts of aggregated data. They also would have to be relied upon to ensure the database is current and accurate. Questions about who would maintain the database and gain access to it would be thorny
192
PERSONAL PRIVACY AND NATIONAL SECURITY
ones. “Any national ID system, regardless of who controls it, has a tremendous potential for misuse and abuse,”24 said John Berthoud, president of the National Taxpayers Union in Alexandria. Even a de facto national ID system, of the sort proposed by motor vehicle administrators, would dramatically ease the collection of sensitive personal information about individuals by linking it all to a single, unique identifier: A smart card with a fingerprint or other biometric. Simon Davies, director of Privacy International, a London-based advocacy group that has studied national IDs, said the computers and networks in a centralized system would also become targets of hackers. In recent years, scores of private and government databases, containing financial, medical, and other personal information, have been breached by hackers, some of whom publicized the data or used it in fraud schemes. It also could make it easier for a successful forger or hacker to maintain a false identity, since authorities would be so trusting in a new, high-tech system. A lost or stolen card under such a system “will paralyze your card or your identity for days or weeks.”25 National ID cards have global roots. More than 100 nations have a form of national identification and use them in a variety of ways to improve security, assist law enforcement, and make the delivery of services more efficient. In Spain, for example, an ID card is mandatory for all citizens older than 14, and they are required for many government programs. Argentinians must get a card when they turn 8 and then re-register at 17. Kenya requires its citizens to carry an ID at all times. Germany likewise requires all citizens over 16 to carry a card that is similar to a passport. Belgium first used ID cards during the German occupation in World War I. Today, every citizen older than 15 has to carry one, and it is used as proof of age and identity for an array of consumer and financial transactions. It also allows Belgians to travel to several countries without a passport. Police officers in Belgium can request to see the card for any reason, at any time. Finland has one of the most sophisticated systems in the world, including a voluntary smart card that comes with a computer chip and serves as a travel card, or “mini-passport,” in at least 15 European countries. Much like the Defense Department card, which is officially called the Common Access Card, the Finnish ID enables users to electronically sign and encrypt on-line documents. Eventually, it would allow users to improve the security of cell phones by scrambling calls. To protect against fraud or misuse, officials limit the amount of personal information contained on the chip. To critics, such a card opens the door to a host of difficult questions over when and where it would be used. Could Greyhound require it, even if a person wants to pay cash? Could a hardware store require it if you buy only certain things, such as large quantities of fertilizer? Who decides? How would an individual’s name be shared? And what if a database is mistaken—what kind of access and recourse would an individual have? Robert Ellis Smith, a lawyer and privacy specialist, said the push for a national ID card is based on the false belief there can be a simple, high-tech solution to an immensely complex problem. “One way to predict the effectiveness of a national ID number or document is to look at environments where the true identity of all residents is known: prisons, the military, many workplaces, many college campuses,” he writes in a paper about national ID cards. “And yet these places are far from crime free.”26 A national identification system would raise privacy questions, said Tate Preston, vice president at Datacard Group, which creates high-tech IDs. But the need for a better identification system is beyond question.
TEMPEST
193
OASIS U.S. intelligence officials have developed programs that many experts believe may be used to enhance Echelon’s capabilities. One of these programs, Oasis, automatically creates machinereadable transcripts from television and audio broadcasts. Reports indicate that Oasis can also distinguish individual speakers and detect personal characteristics (such as gender), then denote these characteristics in the transcripts it creates. Oasis uses automated speech recognition technology pioneered by the Defense Advanced Research Projects Agency to turn audio feeds into formatted, searchable text. The computer can distinguish one voice from another and duly differentiates “speaker 1” from “speaker 2” in transcripts. But alas, there are limits to even the most advanced of artificial brains: So far, the computer understands only “American” English, though it is learning various English “accents”—and the CIA is busy, for obvious reasons, teaching it Chinese and Arabic. A half-hour broadcast, which used to take an analyst 90 minutes to listen to, assess, and disseminate, can now be processed—and stored in searchable format—in 10 minutes, officials said.
FLUENT Another program developed by U.S. intelligence, Fluent, allows English-language keyword searches of non-English materials. This data-mining tool not only finds pertinent documents, but also translates them, although the number of languages that can currently be translated is apparently limited (Russian, Chinese, Portuguese, Serbo-Croatian, Korean, and Ukrainian). In addition, Fluent displays the frequency with which a given word is used in a document and can handle alternate search term spellings. Although “machine translation” technology has been around since the 1950s, CIA officials say it is becoming increasingly accurate and more powerful when combined with Web-based search capabilities.27
TEMPEST Transient Electromagnetic Pulse Emanation Standard, or TEMPEST, is reportedly another NSA project that is designed to capture computer signals (such as keystrokes or monitor images) through walls or from other buildings, even if the computers are not linked to a network. Details about this project, which is apparently code named TEMPEST, are only just becoming available. One NSA document, entitled “Compromising Emanations Laboratory Test Requirements, Electromagnetics,” was prepared by the NSA’s Telecommunications and Information Systems Security group. It describes test procedures for measuring the radiation emitted from a computer—both through radio waves and through telephone, serial, network, or power cables attached to it. A second document the NSA released describes the agency’s “Technical Security Program,” which is responsible for assessing electronic security and providing “technical security facility countermeasures.”28
194
PERSONAL PRIVACY AND NATIONAL SECURITY
SUMMARY According to a survey conducted by InformationWeek after 9/11/01, of 2,000 businesstechnology professionals, “Seventy-one percent would be willing to trade more of their privacy for greater protection from terrorist threats.”29 In the wake of the 9/11 attacks, calls for greater scrutiny of computers and electronic communications for signs of illegal activity have been heard more frequently. “The ease with which information can be shared globally, for all its good, also works to the advantage of terrorists,” says Howard Perlmutter, professor emeritus of social architecture at the Wharton School of the University of Pennsylvania. The question is whether heightened surveillance will upset the delicate balance between legitimate law-enforcement efforts and individual privacy. Although most agree that personal privacy must be sacrificed in times of national crisis, what are the long-term effects of such sacrifices? Privacy advocates fear that such rash changes will erode the personal liberty that underpins life in the United States. “The obvious reaction to the terrorist attack is to clamp down on security and perform more invasive searches,” says Jason Catlett, president of Junkbusters Corp., a consumer privacy group. “A free society decides to place limits on what [government agencies] can do, and it would be a mistake to have a kneejerk reaction to abandon those limits due to the recent tragedies.”30 Many IT professionals acknowledge just how fragile the expectation of privacy is in the case of electronic communications such as e-mail, especially in the workplace, where internal monitoring is already common practice. “You give up your privacy when you join a firm,” says Gary Douglas, supervisor of Web support at Andersen. “Any large company at this point is tighter with how [workers] surf the Web and what [they] use e-mail for, and I don’t think that’s going to change. When it’s electronic, everything is very accessible.”31 In October 2001, the Pentagon issued a rush appeal for ideas for fighting terrorism, asking contractors for exotic new surveillance technologies that could be used against faraway enemies, as well as at American airports and shopping malls. The requested items include a computer system for tracking anyone who buys material that could be used in making bombs, a portable polygraph machine for questioning airline passengers, and voiceprint software for automatically recognizing people speaking Middle Eastern languages. Officials put no price on the effort and said it was an attempt to find a new way of doing business in a time of urgent need. Many of the surveillance technologies are already highly developed in the commercial world. In the wake of the September 11 terrorist attacks, they are being rapidly embraced for law enforcement, intelligence, and security purposes. Among other technologies, defense officials want proposals for facial-recognition systems, computer programs that can predict terrorist behavior, and sophisticated scanners for spotting people who have handled weapons of mass destruction. “Some of this technology could be used in ways that have not been legal in the past and may become legal in the future,” Rockwell said. “But I think that’s happened during every time of war in the U.S.”32 Civil liberties specialists say the military’s effort will accelerate the development and adoption of biometric systems throughout society. While there’s little doubt such systems could help the military fight terror, the improved technology will almost surely migrate into civilian law enforcement agencies, said James Dempsey, deputy director at the center for democracy and technology, a civil liberties advocacy group based in D.C. “The government is increasingly go-
ENDNOTES
195
ing to be conducting scans—facial scans, voice scans, data scans,” Dempsey said. “They’re going to be tapping into this digital ocean…of daily behavior.”33 Before the terrorist attacks, corporations were being threatened. There are rampant viruses and worms clogging up the Internet. Credit card fraud is a several-billion-dollar problem; and there have been dozens of well-publicized attacks on Web sites and company data. Each of those problems has led to an increase in tactical security measures. Got worms? Get a new anti-virus tool. Got hacked? Put up a new firewall. That’s exactly what companies did, yet the attacks and virulence of worms grow even stronger. The reaction to terrorist attacks is accordingly strong, leading us more into a debate about the balance between security and personal freedom. There’s been intense interest in the FBI’s Carnivore technology, which is used to scan e-mail messages passed over the public Internet, and the National Security Agency’s Echelon, used to eavesdrop on telecommunications. The latest cry has been for the use of biometric technology to sniff out terrorists in airports and other public places using face-recognition software. But there’s no proof that these things work in large public places. In fact, with today’s technology they will not work well. Up until the terrorist attacks, facial scanning for surveillance drew controversy like a magnet. Biometric technology is best used for authenticating users on a per-user, per-system basis. In fact, that’s what security should be about—authentication and authorization—not profiling and scanning the populace at large.
ENDNOTES 1. Orin S. Kerr, Are We Overprotecting Code? Thoughts on First-Generation Internet Law 57, Wash. & Lee L. Rev. 1287 (2000), 1300. 2. An Appraisal of Technologies of Political Control, Scientific and Technological Options Assessment (STOA), Working Document (Consultation Version), PE 166499, Luxembourg, 06.Kamiaru, 1998, www.a42.de:2342/archiv/echelon.clc.html. 3. Lynch, D., “U.K. Looks to Eavesdrop on Net,” USA Today (June 28, 2000), www.usatoday. com/life/cyber/tech/cti161.htm. 4. “EU to set up probe into US ‘spy’ charges,” Reuters (March 17, 2000), http://news.zdnet. co.uk/story/0,,s2077784,00.html, see also Barry, R., “Echelon: The Evidence” (June 29, 2000), ZDNet UK, http:news.zdnet.co.uk/story/0,,s2079850,00.html. 5. Campbell, D., “Interception Capabilities 2000,” (Luxembourg: European Parliament, 1999), www.iptvreports.mcmail.com/ic2kreport.htm. 6. McDougall, P. and Whiting, R., “Assessing the Impact (Part One) Privacy rights get looked at much more closely in the wake of terrorism” (September 17, 2001), http://www. informationweek.com/story/IWK20010916S0014, and Part Two, Rendleman, J., et al., www.informationweek.com/story/IWK20010916S0015. 7. Smith, S., et al., “Independent Review of the Carnivore System Draft Report,” (November 17, 2000) IIT Research Institute, Lanham, MD, Contract No. 00-C-0328, IITRI CR-022216, www.usdoj.gov/jmd/publications/carnivore_draft_1.pdf. 8. Di Gregory, Kevin V., Excerpt from his address before the Subcommittee on the Constitution of the House Committee on the Judiciary on Carnivore and the Fourth Amendment, July 24, 2000. 9. “Watching You—What Technology Can and Cannot Do About Terrorism,” The Economist.com (September 20,2001), www.economist.com/science/displayStory.cfm?Story ID⫽787987.
196
PERSONAL PRIVACY AND NATIONAL SECURITY
10. Welsh, W., “Security as Plain as the Nose on Your Face,” Vol. 16 No. 15, Washington Technology (October 2, 2001), www.washingtontechnology.com/news/16_15/state/17338–1.html. 11. Id. 12. Id. 13. Id. 14. Wiener Grotta, S., “Analysis,” PC Magazine (May 21, 2001), www.ibgweb.com/in_the _news/pc_magazine.html. 15. Agre, P., “Your Face Is Not a Bar Code: Arguments Against Automatic Face Recognition in Public Places,” Department of Information Studies, University of California, Los Angeles, CA, http://dlis.gseis.ucla.edu/people/pagre/barcode.html. 16. O’Harrow, R., Krim., “National ID Card Gaining Support: A smart card with a fingerprint could link a person to sensitive personal data,” washingtonpost.com (December 17, 2001), www.washingtonpost.com/ac2/wp-dyn/A52300–2001Dec16. 17. “Smart ID Card Gaining Support in U.S.? Hurdles and Doubts Remain Huge,” Washington Post (December 18, 2001), http://www.itsa.org/ITSNEWS.NSF/4e0650bef 6193b3e852562350056a3a7/c2dad4688ffea3c. 18. Id. 19. Id. 20. Id. 21. Id. 22. See note 16. 23. See note 16. 24. See note 16. 25. See note 16. 26. See note 16. 27. Loeb, V., “Making Sense of the Deluge of Data: CIA Technologies Refine Mass of Information into Analysis, The Washington Post (March 26, 2001), www.washingtonpost.com/ac2/. 28. McCullagh, D., “TEMPEST Brewing for PC Privacy?” Wired Digital Inc. (October 26, 1999), www.wired.com/news/print/0,1294,32097,00.html. 29. See note 6. 30. See note 6. 31. See note 6. 32. Schneider, G., O’Harrow, R., “Pentagon Makes Rush Order for Anti-Terror Technology,” Washington Post (October 26, 2001), www.globalsecurity.org/org/news/2001/011026-attack02.htm. 33. Id.
7 BUSINESS PRIVACY ISSUES
Introduction The Issues Business Exposures Employee Monitoring Developing Privacy Policies and Procedures Implementing Privacy Policies and Procedures Enforcing Privacy Policies Third-party Certification Programs Summary
INTRODUCTION Privacy has been an issue of rapidly rising importance for the public over the past 10 years. Personal privacy and protecting that privacy in the information age has become a concern for many in America and abroad. How businesses treat the privacy of an employee, consumer, and child will be discussed at length in this chapter. We will discuss the regulations and laws that govern business practices in regards to privacy. We will discuss the tools businesses use to gather information on their employees, consumers, and competitors. And finally we will discuss privacy policies and procedures businesses have adopted to meet the demands of the regulators and consumers, how those policies are enforced, and the third-party certification programs being used today by many businesses.
THE ISSUES If you asked 10 people, “What exactly is privacy?”, you will probably get 10 different answers. Many people equate privacy with security, controlling access to personal information and surveillance. To others, it means the freedom to be left alone. How these questions are answered could have a significant impact on industry’s ability to conduct business. At the core of the privacy debate is personally identifiable information, what it is and who has access to it. In the United States, many forms of data are, in fact, in the public domain. This data includes: Name, address, telephone number, birth certificates, and real estate transactions, to name a few of the types of information that are available to the public. Personally identifiable 197
198
BUSINESS PRIVACY ISSUES
information is generated every day by individuals during the course of normal everyday life. Transactional data, such as the record of purchasing products and services from merchants, is one such example. There are many privacy-related questions related to such transactions, including: Who has control of that data—the consumer who bought the product or the merchant who sold it? Should there be restrictions on subsequent use of that information? These questions have become even more important with the advent of the Internet. Other types of information, such as medical data, financial records, and information about children, clearly are more sensitive and deserve closer scrutiny as to how they are used, accessed, and shared with others. For example, there has been general agreement among privacy advocates, industry leaders, and government officials about regulating collection of information on-line from and about children, resulting in the Children’s Online Privacy Protection Act (COPPA) in 1999. Direct marketers rely on public information as a vital source of data from which they can more accurately target offers to prospective customers. The more information marketers have, the more accurately they can target solicitations to consumers who may be interested in them. Information is what helps make direct marketing useful and interesting to consumers. As a result, consumers may enjoy receiving offers they may not have asked for, but are relevant to them. The more information a marketer has, the better able it is to send product and service offers to those who most welcome such offers—and to avoid those who don’t. And the simple fact is that direct marketing works. Individual privacy is an increasingly sensitive issue to public policymakers, the media, and consumers. Most marketing organizations believe that self-regulation is the preferred method of ensuring that most types of personal information are handled in a responsible manner. Industry has a solid understanding of the needs of consumers and can react much faster than government to new conditions in the marketplace, and it is in industry’s interest to meet them. At the same time, especially in the new Internet environment, it is entirely possible that legislation could be enacted that, no matter how well-intentioned, seeks to address the wrong issues or fix problems that no longer exist, thanks to industry’s response to market/consumer demands. The collection and use of personal information for marketing purposes and related privacy concerns are very complex issues. While many different forms of personal information have traditionally remained in the public domain, increasingly easy access to such data, spurred on by new technologies and the Internet, are raising privacy concerns from consumers and public policymakers. This, in turn, has led to increased calls for government regulation. The direct marketing industry believes that self-regulation is effective and, with a few narrow exceptions, preferable to government involvement in the marketplace. Discussions of the privacy issues throughout this chapter show that self-regulation is not working and explain why.
BUSINESS EXPOSURES Marketers, both on-line and off, know that economic growth and future prosperity rest squarely on consumer confidence and trust, and increasingly that trust is centered on the protection of personal information. Responsible marketers also understand that protecting consumer information is the “right thing to do” from an ethical and legal point of view. The following sections discuss legislation, trust issues, marketing issues, and data collection techniques that businesses are faced with in the context of the on-line privacy issue.
BUSINESS EXPOSURES
199
Legislation As the Internet emerges as the next “growth” marketplace, consumer concerns about personal data, how they are collected and used, and their role in marketing, are being closely scrutinized by privacy advocates, consumer advocates, and policymakers at all levels of government in the United States and overseas. Nearly 80 privacy-related bills were introduced during the 105th Congress. More than that will be introduced during the 106th Congress (50 bills were introduced in the first session alone). (See on-line Appendices V and W at www.wiley.com/go/ privacy for a list of Congressional Bills for 105th and 106th sessions.) The United States has taken a sectoral approach to privacy, enacting laws that apply to specific industries and practices. Examples are: • • • • • • • • • •
Fair Credit Reporting Act of 1970 Privacy Act of 1974 Cable Communications Policy Act of 1984 Electronic Communications Privacy Act of 1986 Video Privacy Protection Act of 1988 Telephone Consumer Protection Act of 1991 Drivers Privacy Protection Act of 1994 Health Insurance Portability and Accountability Act (HIPAA) of 1996 Children’s Online Privacy Protection Act (COPPA) of 1998 The Gramm-Leach-Bliley Act of 2001
This patchwork approach is in contrast to the European nations, Canada, Australia, New Zealand, and Hong Kong. These countries have enacted omnibus data protection laws covering the full spectrum of uses of personally identifiable information. In some countries, these laws encompass both the private and public sectors. The sectoral approach has left large gaps where there is little to no protection for individuals. There is little regulation of the direct marketing industry’s use of personal information, for example, with the limited exception of the telemarketing bill, the Telephone Consumer Protection Act. We have no federal law protecting the confidentiality of medical records, although the Department of Health and Human Services has been mandated by a federal law to develop regulations for electronic records. These are currently under review and are quite controversial. The Cable Act of 1984 includes a fairly good privacy protection section. But the question now is whether it covers data collection by cable companies that offer cable modems and Internet Service Provider services. The Fair Credit Reporting Act of 1970 comes the closest to a robust privacy protection law. It enables individuals to have access to their own data profile. Individuals have a right to learn who has accessed their files. And there are restrictions on who can obtain credit reports. Yet this law, too, is limited. Congress created the first guarantee of a federal policy to govern the privacy of health information in electronic form by passing the Kennedy-Kassebaum Health Insurance Portability and Accountability Act, better known as HIPAA. The Act contains a section known as “Administrative Simplification,” which mandates the development and adoption of standards for electronic exchanges of health information. It also requires that Congress or the Secretary of Health and Human Services develop privacy rules to govern such electronic exchanges. The Act required either the Congress or the Executive Branch to enact the privacy rules within before
200
BUSINESS PRIVACY ISSUES
August 21, 1999. In October of 1999, after Congress failed to meet its self-imposed deadline, the Clinton administration issued the first set of federal privacy rules to protect medical information. The proposal, known as the Clinton-Gore initiative, aims to require consumer consent before companies share medical data or detailed information about consumer spending habits. The proposal also requires companies to disclose their privacy policies prior to engaging in data transactions with users. A more recent example of a robust privacy law is the Children’s Online Protection Act (COPPA) of 1998. COPPA provides safeguards to protect children’s privacy on the Internet by regulating the collection of personal information from children under age 13. The Gramm-Leach-Bliley Act states that any financial institution that provides financial products or services to consumers must comply with the privacy provisions of Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLB Act”) and the Privacy Rule. You have consumers if you provide your financial products or services to individuals, not businesses, to be used primarily for their personal, family, or household purposes. However, this act applies only to financial institutions. Virtually all on-line services offer some sort of “private” activity, which allows subscribers to send personal e-mail messages to others. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful for anyone to read or disclose the contents of an electronic communication. This law applies to e-mail messages. However, there are three important exceptions to the ECPA: 1. The on-line service may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is prohibited. 2. The service may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many commercial services require a consent agreement from new members when signing up for the service. 3. If the e-mail system is owned by an employer, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor the e-mail messages of their employees. Law enforcement officials may access or disclose electronic communications only after receiving a court-ordered search warrant. A final result of the patchwork approach to privacy protection is the public’s lack of trust in companies that collect their personal information. A 1998 Harris poll on consumer privacy found that:1 • Nearly 9 in 10 (88%) Americans say they are “concerned about general threats to their privacy.” • Eight in ten (82%) feel they have “lost all control over how companies collect and use their personal information.” • Nearly eight in ten (78%) believe that businesses ask for too much information. • Three-fourths (78%) say they have “refused to give information to a business…because they thought it was too personal and not needed.” Interestingly, when this question was first asked in 1990, only 42% said they had declined to give such information to a business. • And only 43%, or two in five, said they had “exercised an opportunity to opt out.”
BUSINESS EXPOSURES
201
Now, we’re experiencing the explosion of commerce on the Internet. Web sites are able to capture data from their visitors, and to merge that data with other information. With the exception of the Children’s Online Privacy Protection Act and a smattering of state laws regulating spam, or unsolicited electronic mail, there is little regulation of data collection on the Net. Many sites have joined a Web-branding service like TRUSTe or BBB-Online. These programs require that Web sites post policies regarding their data collection and use. They also audit their members to evaluate compliance. So, what are consumers’ experiences on the Net concerning their privacy? Here are five themes that have been observed about on-line privacy abuses in recent months. The first theme is the invisibility of data capture. We have learned of numerous companies whose Web sites have been programmed to track and capture not only surfing patterns, but also information from users’ hard drives. For example the on-line music service, RealNetworks, secretly compiled information from its users in violation of its own privacy policy. This site is a member of TRUSTe. A result of the invisibility of data capture—or as the European Union (EU) would describe it, the lack of transparency in data collection—is that many consumers lack understanding of what’s happening to their data. There have been numerous reports from individuals who say, “I want to know what’s out there about me.” When pressed for more details about their concerns, they describe a blurred world of large databases containing huge amounts of information about them—not altogether untrue. They often are concerned that such unidentified databases may contain negative information about them, which would explain why they can’t find a job. It’s significant that these reports often use the same words, “out there,” and that they have almost no specific knowledge of the variety of data files that exist about them, how they’re being used, and what limits to usage exist on many of these databases. A second theme is the potential ubiquitousness of data gathering, and the ability of data from several sources to be merged to create massive electronic dossiers on individuals. We are hearing a great deal these days about the ad-placement network DoubleClick and its ability not only to track users’ clickstream as they travel from site to site, but also to be able to link the data gathered on-line with an off-line data source. DoubleClick merged with Abacus, a company that tracks mail-order purchases of about 90 million households. At the time of the merger, the Abacus CEO told MSNBC “the goal is to have the most complete picture of the consumer you can.”2 A third theme is invasion. Web sites can capture and track visitors’ clickstream data by placing small text files called “cookies” onto their hard drives. Unless users are savvy enough to set their browsers to notify them about the pending placement of a cookie, it is done without the user’s consent, and it’s an invisible process. Now there are reports using the word “stalking” to describe cookies’ tracking capabilities. A fourth theme is the fear of harm befalling Internet users—fear, for example, that their credit card numbers will be stolen. This is not far-fetched given the news story of the Russian hacker obtaining over 300,000 account numbers from CD Universe. Many fear that their identities will be stolen, even though this is predominately a low-tech crime. And many fear that the information that is captured will be used for other unrelated purposes. Although it’s not Internet-based, let us use the example of supermarket buyer’s club data to illustrate the potential for secondary uses of personal data. Smith’s Foods, a large supermarket chain in the Southwest, has been subpoenaed by the U.S. Drug Enforcement Agency for data on specific customers being investigated for illicit drug manufacture and sale. Were they looking for high-volume purchases of over-the-counter medications like Sudafed? No,
202
BUSINESS PRIVACY ISSUES
they were interested in learning if these individuals had purchased large quantities of plastic baggies, presumably for packaging the drugs for sale on the street—a most interesting and troubling secondary use of the data given the number of households that probably purchase lots of plastic bags for a variety of uses. A fifth theme is confusion over their privacy rights. It has been observed that many consumers believe they have far more protection in law than they actually do, whether it’s a real world experience they are describing or an on-line experience. They often say, “There’s a Privacy Act, you know, and I have rights.” The Privacy Act that they are referring to is actually rather limited. It addresses what federal government agencies can do with personal information. It has no bearing on the private sector. Yet, individuals often think it applies across the board, much like the European countries’ data protection laws. What are the consequences of such experiences by consumers? • Reluctance to go on-line • A desire to mess up the system: Many individuals take great delight in telling how they falsify information, both on-line and off. This is their way of getting even in a marketplace they view as unfair • Refusal to provide information The Federal Trade Commission is monitoring commercial Web sites that gather information about people who visit them to see if they have privacy policies prominently posted which disclose the information gathering practices of the company behind the Web site. They recently released the results of a survey of 1,400 Web sites and found that 92 percent of them gather information. But only 14 percent of them disclosed their information collection practices. Worse, 89 percent of children-oriented sites collect information and only 10 percent provide for some kind of parental permission. The Federal Trade Commission has stated that if these numbers don’t improve, they will recommend legislation to enforce disclosure policies.3 What is missing at the moment are fundamental privacy laws giving consumers the protection they say they need, together with the assurance that Web sites are doing what they say they are doing with regard to privacy.
Loss of Trust in Business Now let us explore some cases of how consumers have lost trust in businesses. The privacy practices of on-line job search site Monster.com came into question in September 2001 after a report published by the Privacy Foundation, a nonprofit agency, alleged that the company doesn’t sufficiently disclose what it does with job seekers’ resumes after they have been posted to the Monster.com site. A researcher with the foundation claims that the site shares resume data and on-line behavior information with partner AOL-Time Warner, and that resumes job seekers post directly to the sites of Monster clients are also stored on Monster without their knowledge. The research states they posted dummy resumes on the sites of some Monster clients and the resumes were available moments later on the Monster site, without her consent. She says all the issues can be easily addressed if Monster changes the way it collects and uses data.4 There is no single path to earning customer trust. Harrah’s Entertainment Inc.’s casinos track the detailed gambling habits of 8 million members of its loyalty program but won’t aug-
BUSINESS EXPOSURES
203
ment that with external data. American Express Co. combines customers’ purchasing data with outside information sources and uses it for direct marketing but refuses to sell it to third parties. Fidelity won’t even share information across business lines—only the customer can link multiple accounts such as a 401(k) account and a money-market fund. For most businesses, good privacy practice doesn’t mean never gathering information, using it, or sharing it. The companies that succeed will be those that figure out just how much privacy—and personalized attention—their customers really want. DoubleClick became the symbol for Internet privacy intrusion, thanks to the New York technology and ad placement company’s plan to link customer data collected off-line to people’s Web-browsing habits. DoubleClick merged with an information aggregator, Abacas Direct Inc., and announced their intent to link their respective databases. After an investigation, the FTC decided not to file any charges because DoubleClick had acted in accordance with its own privacy policy by giving members advanced notice and a chance to opt out. DoubleClick has had to carefully spell out and expand their privacy policies. In its clarification and expanding, DoubleClick hopes to reach both technical and non-technical consumers. Their policy includes a page each to explain Web and e-mail marketing concepts such as cookies, pixel tags, opt out campaigns, and marketing scores. Each page includes links that help concerned customers opt out of those devices. Pharmaceutical firm Eli Lilly and Co. inadvertently divulged the e-mail addresses of 600 patients to one another due to a computer programming error in June 2001. The incident sparked an outcry from the American Civil Liberties Union (ACLU) for the breach of privacy. The incident occurred when the drug maker sent an electronic message to its registered Web site users to notify them that the site’s “reminder” feature, which alerts them to take their medication, would be discontinued due to a redesign. Instead of each message being sent individually, the system sent one e-mail, whose “to” field revealed the complete e-mail addresses of about 600 patients. Analysts said the error violates the pending Health Insurance Portability and Accountability Act (HIPAA), which among other things, stipulates that health care organizations must establish policies and procedures to protect patient privacy. The drug maker won’t face any HIPAA penalties because organizations have until April 2003 to comply with the rules. But how much damage to consumer trust was done? A recent Gartner survey of 7,000 consumers showed more than 80 percent are concerned about the privacy of their Social Security and credit-card numbers, and 60 percent say security and privacy worries keep them from doing business on-line.5 On the other hand, a Jupiter Media Metrix report released in August 2001, suggests companies can win the trust of Web users over time. The survey found more than 30 percent of long-time Web users trusted merchants and banks enough to give them personal information, while only 13 percent of people who’ve been on-line less than a year had that same level of trust.6 “The key to privacy protection is enforcement. Right now, there’s no financial harm for not having or following a privacy policy,”7 says Andrew Shen, an analyst at the Electronic Privacy Information Center (EPIC), a privacy and free-speech advocacy firm in Washington. For the most part, regulators go after privacy violators under laws governing unfair and deceptive business practices. But one can argue that this also creates an impetus for businesses to avoid posting privacy statements, to limit their liability. Meanwhile, ethical businesses are posting privacy statements voluntarily, because customers demand them. Failure to voluntarily protect consumer privacy could result in a black eye on the company’s image.
204
BUSINESS PRIVACY ISSUES
Marketing Issues Many marketing and advertising organizations have developed guidelines, policies, and certification programs to assist industries in meeting the demands for consumer privacy and business well-being in the new millennium. Some of these organizations require membership while others are purely informational. Most adhere to the limited legislation for the business sector in dealing with privacy. The Electronic Retailing Association (ERA) believes that consumer confidence is the key to the continued growth and success of the electronic retailing industry. In order to encourage fair, ethical, and responsible on-line marketing practices that will promote consumer confidence in electronic commerce, ERA has adopted “Online Marketing Guidelines,” which apply to all on-line advertising (including Web sites and commercial e-mail) by ERA members. These guidelines include:8 • • • • • • • • •
General guidelines for advertising Claims substantiation Testimonials and endorsements Disclosure of costs and other material terms of an offer Warranties Order fulfillment, money-back refunds, and customer service The on-line collection and use of personal information E-mail advertisements Self-certification/enforcement
The Direct Marketing Association (DMA) members follow specific practices to protect consumer privacy. Those practices are designed to have a major impact on those consumers who wish to receive fewer advertising solicitations. The DMA promises to abide by four traditional privacy protection practices:9 1. Provide customers with notice of their ability to opt out of information exchanges. 2. Honor customer opt-out requests not to have their contact information transferred to others for marketing purposes. 3. Accept and maintain consumer requests to be on an in-house suppress file to stop receiving solicitations from your company. 4. Use the DMA Preference Service suppression files, which exist for mail, telephone, and e-mail lists.
How Businesses Collect Consumer Information on the Web There are many techniques used by businesses on the Web to collect, profile, and market to consumers. Some of these include opt-in/out, cookies, pixel tags, clear GIFs, profiling software, and P3P. Let us define each of these and then we will give examples of how each can be used by a business to collect useful information for its marketing purposes. • Opt out. Consumers have the option to remove their name and other information from lists that businesses share and sell to other businesses. This process is known as “optingout.” Some sites offer a way for consumers to do this on-line via the business’ Web site,
BUSINESS EXPOSURES
•
•
•
•
•
205
others require the consumer to dig to find an address to mail a letter requesting that their name be removed from a list. Opt-in. Businesses ask your permission before they use your information for any other purpose than what it was originally collected for. Opting-in and -out refers to not only the selling or sharing of consumer information in the form of lists, but also to the use of other profiling and marketing techniques, such as use of ad serving, e-mails, and cookies. Cookies. This feature of many Web browsers is defined as client-side persistent information. Cookies allow Web sites to store information about your visit to that site on your hard drive. Then when you return, cookies will read your hard drive to find out if you have been there before. The Web site might offer you products or ads tailored to your interests, based on the contents of the cookies’ data. A clear GIF (Graphics Interchange Format) or pixel tag. Also known as a web beacon, this is a line of code that companies place on their Web sites which allows them to analyze their advertising campaigns and the general usage patterns of visitors to their Web sites. Here’s how they work. When a user is on the Internet and clicks an advertiser’s Internet ad, the user is taken to the advertiser’s Web page. If the advertiser chooses to use clear GIF technology, the advertiser’s Web page will contain a clear GIF that is not visible on your screen. A GIF is a type of Web page graphic that often appears invisible because it is only 1 pixel by 1 pixel in size. That is about the size of a period. In these instances, GIFs are represented by HTML tags. HTML, or HyperText Markup Language, is the language used to create documents on the World Wide Web. The HTML tag is programmed by the advertisers to collect certain anonymous information about your visit to a particular Web site. This information is sent to the company’s ad server for processing. On-line profiling or preference marketing. This refers to the creation of a marketing score and the delivery of ads based on that marketing score. This process is performed in conjunction with Web sites in the United States and under strict disclosure guidelines. These guidelines, which can be found at www.networkadvertising.org, require that all Web sites sharing anonymous data for marketing scores must disclose this practice in the Web site’s privacy policy. Some marketing scores are derived by categorizing the types of sites your browser has visited (and, in certain circumstances, activities performed, such as words searched, or whether an action, such as a purchase, was completed) and assigning your browser a numeric score that relates to your interest in a particular topic, such as “sports” or “gardening.” Based upon how interested you may be in a particular area, as shown by how frequently or recently your browser has visited a certain type of site, you may receive certain types of advertising. The Platform for Privacy Preferences Project (P3P). Developed by the World Wide Web Consortium, this is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a Web site’s privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can “read” this snapshot automatically and compare it to the consumer’s own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.
206
BUSINESS PRIVACY ISSUES
These are the most popular techniques used today by companies to collect consumer marketing information. Another side to the privacy issue can be seen in the Internet start-up companies. The startups began with opt-out as the norm for all users who visited their sites. Some have no interest in knowing the identities of those they pitch their ads and services to. They are using the anonymity model, and have developed ad delivery mechanisms that do not require knowing individuals’ actual names. They simply know their consumer profiles. Thanks to the Internet, collecting and analyzing customer data is easier and more widespread than ever before. Though the practice of collecting data about consumers is decades old, the Internet and its ability to collect data so easily have spurred new protests from privacy groups. Consumer concerns are greater on-line because the collection is a little less obvious. Most of the consumer information available for sale is compiled from public sources that are easy to locate, and most of the data is used to create mailing lists that fuel the direct marketing of products and services. The key to successful list creation lies in being able to augment and correlate basic name and address information with enough other data about individual consumer’s interests and buying habits to be able to generate narrowly focused marketing lists. This saves companies money in marketing materials. “Few consumers could write down even 1% of the amount of data that companies have about them,”10 says Jason Catlett, President of Junkbusters Corp., a nonprofit privacy advocacy group. Catlett estimates that a typical person’s name and address are known to 500 companies or more. These companies know what you buy, how much you spend, and how frequently you buy. That information in itself is worth a lot of money. Now that we know how this information is gathered, let us explore what is done with that data. Once companies get consumers’ names, addresses, and phone numbers, they combine basic demographic data with more personalized data they get from other sources, including product warranty cards and consumer surveys, to generate lists that target specific segments of the population. Big list brokers sell mailing lists, usually for one-time use by customers such as catalog companies. The average cost is about $150 for every 1,000 names on the list, says Patricia Faley, VP of ethics and consumer affairs at the Direct Marketing Association. Even though lists are for single-use only, once a business turns a prospect into a customer, the business can add the new consumer to its own list. The bottom line is, the right information will pay for itself. “A good mailing list can produce a couple of millions of dollars in sales all by itself,”11 says Jim Workman, CEO of BFW Advertising. In this argument of opt-in versus opt-out, informed consent and what it means to consumers and treatment of their personal data, the main cause seems to arise around meaningful and understandable privacy policies. We will cover this issue later in this chapter, but first let us turn to the privacy policies of a business as they relate to employees.
EMPLOYEE MONITORING Employers want to be sure their employees are doing a good job, but employees don’t want their every sneeze or trip to the water cooler logged. That’s the essential conflict of workplace monitoring. New technologies make it possible for employers to monitor many aspects of their employees’ jobs, especially on telephones, computer terminals, through electronic and voice mail,
EMPLOYEE MONITORING
207
and when employees are using the Internet. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even this is not assured), your employer may listen, watch, and read most of your workplace communications, including: • Telephone calls. Employers may monitor calls with clients or customers for reasons of quality control. However, when the parties to the call are all in California, state law requires that they be informed that the conversation is recorded or monitored by either putting a beep tone on the line or playing a recorded message. Federal law, which regulates phone calls with persons outside the state, does allow unannounced monitoring for businessrelated calls. An important exception is made for personal calls. Under federal case law, when an employer realizes that the call is personal, he or she must immediately stop monitoring the call. However, when employees are told not to make personal calls from specified business phones, the employee then takes the risk that calls on those phones may be monitored. Even if an employer does not record an actual phone conversation, they can access a record of phone calls made from an employee’s extension. Telephone numbers dialed from phone extensions can be recorded by a device called a pen register. It allows the employer to see a list of phone numbers dialed by your extension and the length of each call. This information may be used to evaluate the amount of time spent by employees with clients. Employers often use pen registers to monitor employees with jobs in which telephones are used extensively. Frequently, employees are concerned that the information gathered from the pen register is unfairly used to evaluate their efficiency with clients without consideration of the quality of service. • Computer monitoring. If you have a computer terminal at your job, it may be your employer’s window into your workspace. There are several types of computer monitoring: • Employers can use computer software that enables them to see what is on the screen or stored in the employees’ computer terminals and hard disks. Employers can monitor Internet usage such as Web surfing and electronic mail. • People involved in intensive word-processing and data-entry jobs may be subject to keystroke monitoring. Such systems tell the manager how many keystrokes per hour each employee is performing. It also may inform employees if they are above or below the standard number of keystrokes expected. Keystroke monitoring has been linked with health problems including stress disabilities and physical problems like carpal tunnel syndrome. • Another computer-monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal. Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees. Employees are given some protection from computer and other forms of electronmoitoring under certain circumstances. Union contracts, for example, may limit the employer’s right to monitor. Also, public sector employees may have some minimal rights under the U.S. Constitution, in particular the Fourth Amendment, which safeguards against unreasonable search and seizure. • Electronic mail and voice mail. If an electronic mail (e-mail) system is used at a company, the employer owns it and is allowed to review its contents. Messages sent within the company as well as those that are sent from your terminal to another company or from
208
BUSINESS PRIVACY ISSUES
another company to you can be subject to monitoring by your employer. The same holds true for voice-mail systems. Electronic and voice-mail systems retain messages in memory even after they have been deleted. Although it appears they are erased, they are often permanently “backed up” on magnetic tape, along with other important data from the computer system. Usually, when an employer states a policy regarding any issue in the workplace, including privacy issues, that policy is legally binding. Policies can be communicated in various ways: through employee handbooks, via memos, and in union contracts. For example, if an employer explicitly states that employees will be notified when telephone monitoring takes place, the employer generally must honor that policy. There are usually exceptions for investigations of wrongdoing. If you are not already aware of your employer’s workplace privacy policies, it is a good idea to become informed. There are several groups that are actively involved in workplace-monitoring issues and that advocate stronger government regulation of employee-monitoring activities. The American Civil Liberties Union (ACLU) has information related to workplace privacy issues. Some of the issues of growing concern involve psychological testing, drug testing, polygraph or lie detector testing, and off-the-job surveillance of employees. Visit the ACLU’s Web site at www.aclu.org.
How to Keep Employees Honest Without Violating Their Trust According to an April 2001 survey by the American Management Association (AMA), more than 77 percent of companies record and review employee communications and activities including e-mails, Web logs, and computer files. When other types of monitoring methods such as videotaping and tracking employee calls via phone logs are included in the mix, a whopping 82 percent of companies reported keeping a close eye or ear on their employees. “It sounds like ‘Big Brother’ but it’s not,” according to Eric Rolf Greenburg, Director of Management Studies for the AMA. “It’s simply the modern twenty-first-century equivalent of supervision.”12 The impetus for monitoring stems from worries about three distinct problems, says Bill Gassman, Senior Research Analyst with Stamford, Connecticut–based Gartner Group, a technology research firm. Companies are concerned about 1) their legal liability from sexual harassment or hostile workplace claims, 2) theft of company properties, intellectual or actual, as well as, 3) productivity issues. The result is employers who check phone logs looking for 900number access, scrutinize Web usage, and monitor incoming and outgoing e-mails.13 Monitoring of traffic usually happens at the firewall, where company IT managers or HR managers can match domain names with employee Internet Protocol (IP) addresses to see where people have been, what they are looking at, and how long they stick around. There are several problems with this technique. For one, pouring over Web logs can be time and labor intensive, not to mention the fact that the only people who can do it are those who know their way around a firewall. In addition, if a company shares machines or has floating IP addresses (that is, addresses that are not assigned to a specific workstation or server), the Web logs are virtually meaningless. Besides, if an employee is offended by a site that’s up on a neighbor’s monitor, there’s little an employer can do after the fact. A better option is to block access to specific sites or site categories such as pornography, gambling, or hate groups. Blocking is done by software or hardware. Many companies that choose to block Web traffic rather than monitor actually end up seeing it pay off in as little as a
EMPLOYEE MONITORING
209
week. Aside from the fact that the company is protected from employees who surf inappropriately, in many cases there is also a reduction in bandwidth costs. Companies are doing a lot of business through the Internet, and when bandwidth is tied up by casual use, that’s a problem. Because the employer owns the telecom equipment, owns the premises on which the work is done, and, in fact, owns the job (the employee merely occupies it), courts have upheld employers’ broad rights to watch and review what employees are doing with their equipment. The best way to avoid lawsuits from an employee over privacy issues is to put everything in writing and create a company policy. Once the policy is created, it needs to be disseminated to the employees and regular training and updates to the policies should be conducted.
Employer Spying and Morale While an employer has the right to spy on its employees, and the moral and legal obligation to do this, it can still make the employee feel he/she is working in too controlled an environment. Most employees are honest and hardworking people and do not abuse the privileges they have. But if a company becomes overly authoritarian, the employees are less likely to come in early and stay late, company loyalty suffers, and the likelihood of job-hopping increases. In a paper by Marsha Woodbury, Ph.D., she states that to maintain employee morale a company “…should endeavor to change its overall atmosphere of trust and humanity as little as possible…the average person is only mentally productive a few hours a day no matter how many hours are ‘worked,’ and the e-mail and v-mail policy should endeavor not to kill happiness and creativity.”14 This brings to mind the question of how government and military employees feel with strict policies and procedures and security overseeing their every move. The point is that if an employee enters an environment known to have strict policies, they learn to cope. But if the employee exists in an environment with light to moderately restrictive policies and surveillance and then the policies are made stricter, the employee then tends to suffer and complain. It is that old adage about it being “easier to grant rights than to take them away” regardless of the reason.
Pre-Employment Screening Since the 9/11 attacks in the United States, there have been many changes in business policies. Many companies reviewed their military leave policies but most were looking into beefing up their background checks on employees. It is illegal for any employer to single out an employee for a background check, even if they appear suspicious. If you are going to conduct background checks, you have to do it for everyone. Although most employers use a third-party company to perform pre-employment screening for potential candidates, many businesses, especially small ones, have begun to do this screening for themselves. With the growing amount of electronic data available about a person via the Internet, there are many ways to gather information about a person. Employers should require that a candidate give them written permission to access personal information, such as credit reports. The employer is thus required to keep this information confidential, whether the candidate is hired or not. However, there is a lot of information that can be obtained about a person that is publicly available and does not require the person’s consent.
210
BUSINESS PRIVACY ISSUES
I’ll bet many of you have received junk e-mail messages that go something like this: You can find out ANYTHING about ANYONE on the net. • Find that old romantic interest. • Dig dirt on your neighbors. • Find out if your fellow employee was jailed on sex charges. • Perform background checks. • Check credit, driving, or criminal records. • Verify income. • Find out the background of your children’s friends and their dates. Order our report SNOOPING THE INTERNET—just $29.95. What’s going on here? Are these promises true or exaggerations? A little bit of both. You can find out simple directory information about people on a variety of Web sites, Switchboard, WhoWhere, Four11, Bigfoot. These contain telephone book information, so if you’re unlisted, you won’t be in such Web sites. But if you go beyond the free services to feebased services, yes, you can find out a great deal about individuals on the Internet. There are services like: KnowX, Informus, Infotel, CDB Infotek, Information America, and LexisNexis to which you subscribe and then access them either through the Internet or through their own telephone networks. The information they provide is primarily from public records: • Records of court cases, both civil and criminal (not the full text, not yet anyway, but an index of cases) • Bankruptcies, judgments, and liens • Property records, such as county tax assessors’ files • Professional license information, if regulated by the state • Department of Motor Vehicle data from many states (not California) • Voter registration data from many states (not California) • Stock investments, if you own 15 percent or more of a company’s stock Regardless of the source of the information, the concern is if the information is accurate. Thus, employers are better off verifying that the sources they use are reputable and up to date.
DEVELOPING PRIVACY POLICIES AND PROCEDURES Okay, so you know all about how to collect consumer and employee data and the legislation and regulations concerning collecting that data. Now, how do you protect your customers’ privacy? According to Forrester Research: “Ninety-two percent of companies feel that they adequately protect users’ privacy by disclosing practices and not selling data. However, ninety percent of sites fail to comply with…basic privacy protection principles.” Achieving your electronic goals and optimizing your business potential means: • Assuring your business and trading partners that you are committed to meeting their needs and overcoming any concerns they have • Providing on-line shoppers with a safe, inviting, efficient, and valuable shopping environment • Keeping your sales promise
DEVELOPING PRIVACY POLICIES AND PROCEDURES
211
• Concretely demonstrating your trustworthiness has benefits, such as improved customer acquisition and higher sales conversion ratios; you will also have peace of mind knowing that your customers are being well treated
What Should Be in a Privacy Policy? The Online Privacy Alliance (OPA), www.privacyalliance.org, a coalition of nearly 100 global companies and associations, urges all Web businesses to post privacy policies that contain all the following elements, recognized by policymakers as the foundation for a policy that engenders trust: • • • • •
Adoption and Implementation of a Privacy Policy Notice and Disclosure Choice/Consent Data Security Data Quality and Access
Consequentially, these are the same elements that the FTC recommends for a privacy policy. The Organisation for Economic Co-operation and Development (OECD), www.oecd.org, was one of the first organizations to recognize the need for data protection. Its concern is maintaining privacy protection for personal information in cross-border data flows. By the late 1970s, approximately one-half of OECD member countries had introduced, or prepared in draft, data protection legislation. It became apparent that disparities in national legislation could affect the free flow of data and cause serious disruption to important sectors of the economy, such as banking and insurance. In 1980, the Council of the OECD introduced Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These guidelines have eight core principles:15 1. 2. 3. 4. 5. 6. 7. 8.
Collection limitation Data quality Purpose specification Use limitation Security safeguards Openness Individual participation Accountability
These guidelines were intended to establish uniformity in the Transborder Flow of Personal Data. Meanwhile, back in the United States the FTC guidelines are based on four core elements:16 1. Notice. Clear and conspicuous notice to consumers of what information is collected by the site, how it will be used, and whether it will be disclosed to other entities 2. Choice. Consumer choice as to how this information will be used for purposes beyond consummating the transaction for which it was originally collected 3. Access. Consumer access to the information collected on them by the Web site, including a reasonable opportunity to correct inaccuracies and delete information altogether
212
BUSINESS PRIVACY ISSUES
4. Security. Reasonable security precautions to safeguard information collected about consumers These four elements are half of the eight recommended by the OECD. The Kids Privacy Organization, www.kidsprivacy.org, an advocacy group concerned about the application of the Children’s Online Privacy Protection Act (COPPA), believes a privacy policy should include:17 • Who is collecting the data (including all contact information for a company and names of Web operators who might participate in the data collection) • The kinds of personal information collected from children • How the information is used, for example: Is it for marketing back to the child? Notifying contest winners? Allowing the child to make the information publicly available through a chat room? • Whether the Web site operator discloses such information to third parties and information about the third party • A notice stating that the operator may not require a child to disclose more information than is necessary to participate in an activity • A notice stating that a parent can review the child’s personal information, ask to have it deleted, refuse to allow any further collection or use of the child’s information, and the procedures for the parent to follow to accomplish these steps These four distinct groups promote four different sets of principles of what should be included in a privacy policy. We can see similarities in what is being proposed but there are some significant differences. (See Exhibit 7.1.) As Exhibit 7.1 shows, the various organizations and legislation have different opinions on what should be contained in a privacy policy. What is more disconcerting is that the FTC and COPPA recommendations are different and they are both current laws of the United States. At one end of the spectrum you have the FTC and at the other the OEDC. The FTC is a U.S. regulatory agency, and takes a conservative stance. On the other end, the OEDC is an international agency and takes a more robust stance. There is nothing wrong with what any of these four organizations purport. There is simply a need for standardization and regulation of what should be in a policy and less is not necessarily better. The FTC conducted a survey of the top 100 Web sites in May 2001. The good news is that they found that 90 percent of the most traveled Web sites have privacy policies. The bad news is only 20 percent of these sites offer all four of the FTC principles: Notice, Choice, Access, and Security.18 Exhibit 7.1. FTC
Comparison of Policy Content OPA
Notice
Notice
Security Choice Access
Data Security Choice/Consent Data Quality/Access
COPPA Notice Use Limit Collection Limitation Access Purpose Specification
OECD Openness Use Limitation Security Collection Limitation Data Quality Purpose Specification Accountability
DEVELOPING PRIVACY POLICIES AND PROCEDURES
213
The majority of the sites have Notice. Only 42 percent of the sites have both Notice and Choice. Most do not have Access. Only 42 percent of the top Web sites belong to a voluntary regulation program like TRUSTe and BBB-Online. And of those 42 percent that are members, only eight percent display a seal stating to the public that they are certified by these regulation programs. This is proof in itself that self-regulation is not working in the eCommerce world.
How to Develop a Policy The OEDC has a Web site with a policy generator that can draft a policy statement for an organization (www.oecd.org). They also outline a set of five steps on how to go about developing a privacy policy. These steps include:19 Step 1. Carry out an extensive internal review of your organization’s current personal data practices. You will need to be able to answer the following questions: • Do you collect personal data? • What kinds of personal data do you collect? • How are they collected? From individuals, from third parties, from public bodies or authorities? Are individuals aware that their personal data are being collected? • Who in your organization is responsible for deciding what personal data are collected and how? • Why do you collect personal data? • How are they used? • Who controls personal data once they are collected? • Are personal data disclosed to third parties, and if so, why? • How and where are they stored? • Do you have standards, guidelines and regulations, which apply to your collection and use of personal data? • Do you allow visitors access to the personal data you have about them? • What happens if a visitor has a query about their personal data? What if they are not satisfied with how you deal with their query? Step 2. Review laws or self-regulatory schemes, which may apply to your collection and use of personal data. Review your current practices against such regulation and amend them where necessary. Step 3. Use the OECD Generator to create a draft policy statement. Step 4. Assess the draft policy statement and ensure the following: • That the draft privacy statement accurately reflects your organization’s personal data practices • That the draft privacy statement complies with applicable national, regional, and international laws or (self) regulatory schemes • That errors are corrected and that the privacy statement reads smoothly Step 5. Place the Privacy Policy Statement on your Web site.
214
BUSINESS PRIVACY ISSUES
Regulations to which you may be subject may require a specific location for such a statement, such as on your homepage, or at the point(s) where personal data are collected. In the absence of specific regulatory requirements, you may wish to consider creating a link between your homepage and your privacy statement, or between pages where you collect personal data and your privacy statement. The OECD Privacy Guidelines recommend that individuals should be able to gain access to information about personal data practices without unreasonable effort as to time, knowledge, and expense. You may also wish to create links to relevant Web sites to make visitors aware of any relevant regulation. Other sources state that there are other ways and means to develop privacy policies and procedures. One such process includes: 1. Developing privacy procedures and policies by determining how your organization protects customers’ privacy in the transmission, storage, and use of information. This includes evaluating: • Who is in charge of privacy and how much authority they have • Technical and operational security measures currently in place • Notice to customers of what information is being collected and how it is being used • Best practices of opt-in • Appropriate uses of the information • Information transfer to third parties (What is the purpose? Do the contracts include privacy conditions?) • Employee education and training regarding company privacy procedures • Methods of communicating the privacy policy to consumers • Dispute resolution procedures if the privacy policy is violated 2. Implement the procedures and policies developed in Step 1 by setting formal privacy standards, developing any necessary technical solutions, conducting security and privacy audits, and educating employees. 3. Communicate the privacy statement to your customers. 4. Continuously monitor your privacy policies and procedures. Perform periodic privacy and security audits to maintain system and employee integrity. There is still more advice on creating privacy policies. One of the top accounting firms in the United States, Deloitte & Touche, has their own methodology for creating a privacy-compliant organization. They use a four-phased approach: Assess, Design, Build, and Monitor. This methodology is not much different from those described above.
Making it Understandable Even if all privacy organizations agreed on what a privacy policy should contain, the next issue is making the policy understandable and meaningful. Here is what Mark Hochhauser, a psychologist and linguistics expert, has to say about privacy policies he reviewed for 10 major sites:20 Many of the Web sites have been certified by industry bodies such as TRUSTe. But without exception, policies are ponderous, full of jargon or written so as to leave many surfers scratching their heads. Every policy studied is written at a college level or higher. And in a
ENFORCING PRIVACY POLICIES
215
nation in which most people read at the 10th-grade level or below, that means a minority will understand the policies. If you really don’t want people to understand, write it in legalese and have it run on for four or five pages. People will say, “To hell with it.”
Robert Pitofsky, a lawyer for more than 50 years and chairman of the Federal Trade Commission, which monitors privacy on-line, says even he has difficulty. “Some sites bury your rights in a long page of legal jargon so it’s hard to find them and hard to understand them once you find them,” Pitofsky says. “Self-regulation that creates opt-out rights that cannot be found (or) understood is really not an acceptable form of consumer protection.”21 Another problem with policies is that they change over time. Many are not dated and the changes are not flagged. So the user must re-read the policy every time he/she visits a site. Hochhauser says that after analyzing the sites, he’s convinced that most Web privacy policies don’t do the job they claim to do. “You can say you have a privacy policy, but if no one understands it, it’s pointless. It does something for the organization, but nothing for the consumer.”22 “All of these policies can be boiled down to three simple words,” says privacy advocate Jason Catlett of Junkbusters. “Subject to change.”23
IMPLEMENTING PRIVACY POLICIES AND PROCEDURES Regardless of which methodology you choose to create your privacy policy, sooner or later you will need to implement it for it to take effect. During implementation, an organization will need to ensure all needed changes to procedures, documents, technical and manual systems, and training programs are initiated and maintained. Procedures that need to be changed might include customer contact protocols, marketing practices, and internal use of data. Documents to be changed might include forms, documentation on systems, user manuals, training materials, customer brochures, marketing information, and contracts. Technical systems might include the changing of software to comply with the policy and updating security to protect the data. Training programs will need to be initiated for internal employees as well as customers and partners. All of these things will need to be coordinated and scheduled to ensure that the organization is compliant with the policy prior to its release for public consumption. Thomas Regan, an attorney with the Philadelphia law firm Cozen O’Connor, warns that very few privacy policies have faced the scrutiny of a court test. He advises executives who may feel a competitive urge to match their rivals’ privacy policy to first make sure they have done the audits and allocated the resources to live up to it. “Their question is ‘Why can’t I have the strongest privacy policy possible?’ ” Regan says, “If you can comply with it, fine.”24
ENFORCING PRIVACY POLICIES If you have a policy and procedures, and you have implemented them, you are not even halfway there. If you don’t enforce the policy you might as well have not gone to the trouble of creating one. Enforcement of on-line privacy policies is intended to assure an organization’s compliance with its privacy policies. This requires verification and monitoring, complaint resolution, and education and outreach. Methods like peer review and change control can help immensely with the enforcement effort. Verification and monitoring can mean that internal audits and reviews
216
BUSINESS PRIVACY ISSUES
are regularly conducted to ensure the organization is complying with its posted privacy policy. This review should not only include the Web site collection and security of that data, but also the marketing department and their practices of selling and buying lists. A complaint resolution process should be in place and reviewed to ensure that complaints are being addressed. There should be enough resources allocated to handle the number of complaints. The complaints should be grouped and/or categorized and trended so that management can see the trends and match them to cause and effect so that they may be appropriately addressed. The complaint resolution statistics should also be monitored to ensure that enough resources are being allocated to the handling and resolution of complaints. Encouraging awareness of the organizations’ policy might include publicity for participating companies, periodic training of internal employees, and advertising of the policies to consumers. Enforcement of on-line privacy policies can also be done via the membership requirements for privacy seal programs.
THIRD-PARTY CERTIFICATION PROGRAMS There are a few well-known Web certification programs that specialize in on-line privacy. These include: • TRUSTe • WebTrust • BBB-Online We will give an overview of what each of these programs specializes in and requires of their members, but first let us take a look at what the OPA states a seal program should include. A seal program should include the following characteristics:25 • Ubiquity. In order to minimize confusion and increase consumer confidence, efforts shall be taken to ensure ubiquitous adoption and recognition of seals through branding efforts, including, for example, co-branding with corporations or associations. • Comprehensiveness. A seal program should be flexible enough to address issues related to both sensitive and non-sensitive information. • Accessibility. A seal should be easy for the user to locate, use, and comprehend. • Affordability. The cost and structure of a seal should encourage broad use and should not be prohibitive to small businesses. The cost of a seal will vary based on a number of factors, including the extent and complexity of review, size of the business, the amount and type of individually identifiable information collected, used and distributed, and other criteria. • Integrity. A seal provider should be able to pursue all necessary avenues to maintain the integrity of the seal, including trademark enforcement actions. • Depth. A seal provider should have the ability to handle the number and breadth of consumer inquiries and complaints about the potential violation of on-line privacy policies and should have an established set of mechanisms to address those inquiries and complaints. The TRUSTe program embodies principles that comply with fair information practices approved by the government and prominent industry-represented organizations. These principles include:26
THIRD-PARTY CERTIFICATION PROGRAMS
217
• Adopting and implementing a privacy policy that factors in the goals of your individual Web site as well as consumer anxiety over sharing personal information on-line. • Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement. • Giving users choice and consent over how their personal information is used and shared. • Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information. TRUSTe also has a children’s seal that complies with COPPA. All Web sites that display the TRUSTe seal also agree to comply with TRUSTe oversight and complaint resolution procedures. They monitor licensees for compliance with program principles and posted privacy practices through a variety of measures:27 • Initial and periodic reviews of the site by TRUSTe • Seeding, whereby they submit personal user information on-line to verify that a site is following its stated privacy policies • Compliance reviews by a CPA firm • Feedback and complaints from the on-line community • Click-to-verify seal to determine privacy of the trustmark WebTrust identifies and helps to reduce e-Commerce business risks and encourages on-line confidence and activity. Performed by CPAs and their equivalents worldwide, WebTrust can:28 • Identify risks, including possible privacy breaches, security gaps, and other systems affecting the customer interface • Benchmark and encourage best practices • Provide independent verification that the site complies with the international WebTrust Standards for e-Commerce WebTrust is supported by the AICPA, as it requires CPA reviews to obtain and keep the seal. The WebTrust standards include:29 • On-line privacy. The enterprise ensures that personally identifiable information obtained as a result of electronic commerce is protected as stated in its on-line privacy statement. • Confidentiality. The enterprise ensures that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals in conformity with its disclosed confidentiality practices. • Security. The enterprise ensures that access to the electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies. • Business practices and transaction integrity. The enterprise’s electronic commerce transactions are processed completely, accurately, and in conformity with its disclosed business practices. • Availability. The enterprise ensures that e-commerce systems and data are available as disclosed. • Non-repudiation. The enterprise ensures that the authentication and integrity of transactions and messages received electronically are provable to third parties in conformity with its disclosed non-repudiation practices.
218
BUSINESS PRIVACY ISSUES
• Customized disclosures. The enterprise’s specified disclosures (e.g., number of hits on the site in an established time frame) are consistent with professional standards for suitable criteria and relevant to its electronic commerce business. BBB-Online has ethical business principles that include:30 • Truthful and Accurate Communications. On-line advertisers should not engage in deceptive or misleading practices with regard to any aspect of electronic commerce, including advertising, marketing, or in their use of technology. • Disclosure. On-line merchants should disclose to their customers and prospective customers information about the business, the goods or services available for purchase online, and the transaction itself. • Information Practices and Security. On-line advertisers should adopt information practices that treat customers’ personal information with care. They should post and adhere to a privacy policy based on fair information principles, take appropriate measures to provide adequate security, and respect customers’ preferences regarding unsolicited e-mail. • Customer Satisfaction. On-line merchants should seek to ensure that their customers are satisfied by honoring their representations, answering questions, and resolving customer complaints and disputes in a timely and responsive manner. • Protecting Children. If on-line advertisers target children under the age of 13, they should take special care to protect them by recognizing children’s developing cognitive abilities. Now let us examine how these seal programs measure up to the FTC guidelines for on-line privacy (see Exhibit 7.2). So, even the seal programs don’t necessarily have principles that measure up to the FTC guidelines, although they all purport to adhere to the laws and regulations.
Exhibit 7.2.
Comparison of FTC Guidelines to Seal Programs
FTC
TRUSTe
WebTrust
Notice
Privacy Policy Notice, Disclosure
Privacy Policy Customized Disclosures
Security
Data Security and Quality
Security, Confidentiality
Choice
User’s Choice and Consent
Access
Access
RESULTS
4 of 4
BBB-Online Truthful and Accurate Communication, Disclosure Information Practices and Security
Availability Business Practices and Transaction Integrity Non-Repudiation
Customer Satisfaction Protecting Children
3 of 4
2 of 4
ENDNOTES
219
SUMMARY What have we learned? No laws, regulations, or regulatory bodies currently exist in the United States that comprehensively provide for or monitor privacy on-line. Employers have the right to monitor their employees while at work. No standards for privacy are consistently used or applied in the United States or abroad. Even though many businesses and marketing organizations support self-regulation of on-line privacy, most businesses and Web sites that have privacy policies do not adhere to the four basic guidelines recommended by the FTC. Technology is growing at a very rapid pace and the potential for the invasion of privacy grows along with the amount of data gathered via these new technologies. With privacy being a hot concern of all Web users, the media can be a powerful tool in tarnishing an organization’s reputation about privacy, which in turn can lead to loss of trust and thus loss of business for an organization. It is best for an organization to create and implement a privacy policy that follows at least the basic principles recommended by the FTC. But most importantly, an organization should comply with their posted privacy policy or they could loose the trust of their consumers and business partners. With business to consumer e-commerce, private information, whether personal or sensitive, may have to be provided in order to obtain the goods and services offered by a Web site. Without this information, it may not be possible for the Web site to process the customer’s order. Without some of the personal information, what is the use of having a Web site? Thus, e-commerce would have a very limited use. Business needs to ensure trust in the consumer so that they can conduct business via e-commerce.
ENDNOTES 1. Harris Poll on Consumer Privacy (1998). 2. Privacy Rights Organization, Privacy Expectations in a High Tech World (2001), www. privacyrights.org/ar/expect.htm. 3. Federal Trade Commission, Frequently Asked Questions for the Privacy Regulation (December 2001), www.ftc.gov. 4. Dixon, Pam, Click, You’re Hired. Or Tracked…, Privacy Foundation (September 5, 2001), www.privacyfoundation.org/privacywatch/monster.asp. 5. Gartner, Inc., “Privacy and Security: The Hidden Growth Strategy” (August 2001), www.gartner.com. 6. Sweat, J., “Privacy: Can Businesses Build Trust and Exploit Opportunity?” InformationWeek (August 20, 2001), www.informationweek.com/story/IWK20010817S0004. 7. Radcliff, D., “Privacy: The Liability Link,” ComputerWorld (August 27, 2001), www. computerworld.com/printthis/2001/0,4814,63289,00.html. 8. Electronic Retailing Association (ERA), The Electronic Retailing Association (“ERA”) Online Marketing Guidelines (regulatory and consumer information) (2001), www. retailing.org/regulatory/online.htm. 9. Direct Marketing Association, Understanding Privacy (2001), www.the-dma.org. 10. Rendleman, J., “Customer Data Means Money: Businesses are buying and selling customer data in a dizzying number of ways,” InformationWeek (August 20, 2001), www.informationweek. com/story/IWK20010816S0008. 11. Id.
220
BUSINESS PRIVACY ISSUES
12. Bannan, K., “Passive Attack” (October 4, 2001), www.smallbusinesscomputing.com/biztools/ article.php/686611. 13. Id. 14. Woodbury, M., “Email, Voicemail, and Privacy: What Policy is Ethical?”, Paper prepared for The Fourth International Conference on Ethical Issues of Information Technology, Erasmus University, The Netherlands (March 27, 1998), http://netsecurity.about.com/ gi/dynamic/offsite.htm?site⫽http://www.cpsr.org/program/emailpolicy.html. 15. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (September 27, 2000), Council of the OECD (December 23, 1980), www.oecd.org/dsti/sti/it/ secur/prod/PRIV-EN.HTM. 16. Federal Trade Commission, Gramm-Leach-Bliley Act (2001), www.ftc.gov/privacy/glbact/ index/html. 17. Kids Privacy Organization, Privacy Policies and Parental Consent (2001), www.kidsprivacy. org/consent.html. 18. Federal Trade Commission, “Privacy Online: Fair Information Practices in the Electronic Marketplace,” http://www.ftc.gov, and also from the FTC’s Consumer Response Center, Washington, D.C., FTC File No. P004806, www.ftc.gov/opa/2000/05/privacy2k.htm. 19. Organisation for Economic Co-operation and Development, www.oecd.org. 20. Rodger, W., “Privacy Isn’t Public Knowledge: Online policies spread confusion with legal jargon,” USATODAY.com (June 7, 2000), www.usatoday.com/life/cyber/tech/cth818.htm. 21. Id. 22. Id. 23. Id. 24. Sweat, J., “Privacy: Can Businesses Build Trust and Exploit Opportunity?” Information Week (August 20, 2001), www.informationweek.com/story/IWK20010817S0004. 25. Online Privacy Alliance (OPA), Brochure for Creating Confidence Online (2001), www. privacyalliance.org. 26. Truste, Certification of websites (2001), www.truste.org. 27. Id. 28. WebTrust, Certification of business websites, programs (2001), www.webtrust.org. 29. Id. 30. Better Business Bureau, BBB-code of online business practices, privacy seal, reliability seal, international seals, Japan, EU, Safe Harbor (2001), www.bbbonline.org.
8 PERSONAL PRIVACY ISSUES
[Image not available in this electronic edition.]
Source: C. Slane, 2002. Used with permission.
Introduction Why Privacy Is Such a Hot Topic Today Privacy Exposures and Risks Protecting Children•s On-line Privacy Employer Spying Changes to Personal Privacy Following September 11, 2001 Summary
INTRODUCTION Personal privacy is a subject of great, unending debate. On one hand, businesses argue that they have a responsibility to protect their private assets and a fundamental right to promote their products; similarly, governments argue that they have a responsibility to protect public assets and promote the general welfare of citizens. On the other hand, many people feel that it is unacceptable for businesses and governments to accomplish their objectives at the expense of personal freedoms. The constant challenge is to find the proper balance between freedom, safety, and the public good. 221
222
PERSONAL PRIVACY ISSUES
Robert Ellis Smith provides a good working definition of privacy in his book of the same name: Privacy is the right to control your own living space, as in the right to be free from unreasonable searches and seizures. Privacy is the right to control your own identity, as in the right to be known by a name of your own choice and not a number, the right to choose your own hair and dress styles, the right to personality. Privacy is the right to control information about yourself, as in the right to prevent disclosure of private facts or the right to know which information is kept on you and how it is used.1
Clearly, a key element of privacy is the ability of each individual to control his or her own information, identity, and property. Although society could not function if each person demanded complete personal privacy, we all want to feel we have control over the amount and types of personal information others know about us. Individuals need privacy in which to think, create, and grow. Similarly, organizations need to maintain a degree of privacy to protect trade secrets, research results, and other proprietary information necessary to develop a competitive edge in the business world. But there is no such thing as complete personal freedom. We are all subject to laws and rules. Each day when driving to work we must drive in the proper lanes, in the proper direction, and within the posted speed limits—or we must face the consequences. Likewise, complete personal privacy is generally not possible or even desirable for most people. For example, we like it when the host at our favorite restaurant remembers our name or culinary preferences. Yet even as children we learn to respect other people’s privacy by knocking on closed doors before entering or not opening someone else’s mail. The quest for privacy must not come at the expense of what can be described as “the right to know.” Businesses have a right to know what their employees are doing on the job, governments have a right to know that public assets are being used for their intended purposes, and marketers have a right to identify customers who may be interested in buying their products. The goal is not to isolate oneself from society in order to maintain complete personal privacy, it is to live within society while still maintaining control over who sees your personal information. But there are new threats to personal privacy every day, as well as new tools to protect that privacy. The purpose of this chapter is to identify some of today’s threats to personal privacy and to present some suggestions that individuals and businesses can use to protect their privacy and assets.
WHY PRIVACY IS SUCH A HOT TOPIC TODAY The privacy debate is the subject of countless books and articles, Web pages, newsletters, and reports. Personal privacy has become a major concern because of the ease with which information is now obtained, stored, and shared through computers, specifically through the Internet. Web sites, for example, collect information that individuals freely provide, such as names, addresses, credit card numbers, phone numbers, and Social Security numbers. However, technologies are also available that allow information to be collected about the Web sites a person visits, or their buying patterns and preferences. In addition to increased reliance on computers and the Internet, new developments in medical research and care, telecommunications, transportation systems, and financial transfers have also increased the level of information generated about each individual. New technologies in biometrics (e.g., face recognition) developed by the defense industry are spreading into law enforcement, civilian agencies, and private companies.2
WHY PRIVACY IS SUCH A HOT TOPIC TODAY
223
Americans received a lesson into the extent that our buying patterns are monitored when, during the Monica Lewinsky/President Clinton investigation, Kenneth Starr subpoenaed a Washington bookstore to provide receipts for all of the books Lewinsky had purchased for the past three years. We all learned a lesson about the limits of privacy when prosecutors obtained from Lewinsky’s personal computer drafts of letters she wrote but never sent. One of the major threats to personal privacy is that people do not know the type, scope, and volume of information that is being collected about them. In the past, Americans took privacy for granted and voluntarily gave some of it up to make their lives easier. One good example of this is the switch from paying by cash to credit or debit card. People showed they were eager to provide their name and account number to strangers in exchange for the convenience of carrying less cash and the ability to buy goods and services on demand. Similarly, we readily provide vast amounts of personal information about our earnings, bank account balances, and personal history to banks and finance companies in exchange for the credit needed to purchase cars and homes. The increasing use of on-line credit card purchases shows that many people remain willing to exchange personal information for greater convenience in satisfying their needs and desires. A major reason personal privacy is at risk more today than ever before is that paper records have been mostly replaced by computerized records. The vast amounts of information stored on computers can be easily shared throughout the world at the click of a button. Technological advances have also changed the way people work, play, communicate, interact, buy goods and services, and conduct their everyday lives. We in America live closer to our neighbors than ever before in both a literal and figurative sense. The migration to cities has reduced the physical space between us and the computer age has closed the gap even further. The types of data routinely collected on individuals by various means include: • • • • • • • • • • • •
Your credit history Your health history Your educational history Your employment history How much you earn What you eat What you do in your spare time What magazines and books you read What calls you make What you buy (credit card and check) What Web sites you use Your sexual preference
When we visit Web sites, we leave electronic footprints that can be retrieved at any point in the future to disclose our preferences, desires, and thoughts. But it is not only our current activities that are being watched. The Web sites we visit or e-mail messages we write today add to our growing historical profile—a profile of personal information that is becoming increasingly more public each day. Employers and law enforcement officials have the ability to retrieve even deleted electronic mail messages. Thus, computers and related technology provide threats to personal privacy through the monitoring or observation of our current activities and through the retrieval of historical records.
224
PERSONAL PRIVACY ISSUES
Although this chapter will focus extensively on the unauthorized acquisition or misuse of personal information through computers, this is only one type of threat to personal privacy, albeit a major one. Other concerns include: • • • • • • • •
Surveillance Eavesdropping Wiretapping Office searches Alcohol and drug testing Ethnic and racial profiling Biometrics Unsolicited e-mails (spam), phone calls (telemarketers), or mail
For discussion purposes, it is possible to divide all threats to personal privacy into the following separate but related concepts:3 • Information privacy, or data protection, is related to the collection and handling of personal data such as credit information or medical records. • Bodily privacy relates to protections against invasive procedures such as genetic tests, drug tests, and cavity searches. • Privacy of communications is related to the security and privacy of mail, telephones, e-mail, and other forms of communication. • Territorial privacy is related to intrusions into personal domains or environments through searches, video surveillance, and ID checks. The following sections of this chapter will explore specific threats within these categories in greater detail.
PRIVACY EXPOSURES AND RISKS Biometrics Biometrics is the collecting, processing, and storing of a person’s physical characteristics for the purpose of identification and authentication. The most popular forms of biometric ID are retina scans, hand geometry, thumb scans, fingerprints, voice recognition, and digitized (electronically stored) photographs.4 In an effort to increase security following the World Trade Center and Pentagon attacks on September 11, 2001, there has been an increased interest in using biometric technology to check identities at many public places such as airports and shopping malls. The goal is to be able to immediately check a person’s identity by accessing a vast database of digital personal images. One possible scenario would be to require everyone to carry cards containing their fingerprint information as a means of identification (see National ID Cards). A more ominous scenario involves video surveillance cameras in virtually every public building and on every street corner so that every person can be monitored. One of the most controversial forms of biometrics—DNA identification—is benefiting from new scanning technology that can automatically match DNA samples against a large database in minutes. Police forces in several countries, including the United States, have created national DNA databases. Samples are being routinely taken from larger and larger groups of
PRIVACY EXPOSURES AND RISKS
225
people, including people arrested for minor offenses. In addition, there have been proposals to begin collecting DNA samples from all newborn babies. The privacy concerns with biometrics include how to maintain the security of the image database, whether the personal images will be linked to other personal information stored on-line, and whether it is desirable to have video cameras in all public places. There are also unknown potential legal ramifications stemming from false positive or false negative identifications. One example of biometrics in use was the face-recognition technology used at the Super Bowl in Tampa. In January 2001, the city of Tampa used the technology to scan the faces of people in crowds at the Super Bowl, comparing them with images in a database of digital mug shots. Tampa also installed cameras equipped with face-recognition technology in their Ybor City nightlife district. The technology failed to identify any criminals and produced several false matches. However, Tampa police said that the publicity probably deterred criminals and that they intended to resume the experiment with improved software. But critics like Barry Steinhardt, president of the American Civil Liberties Union, want the monitoring to stop because facial-recognition technology is prone to error and abuse of privacy.5 Joseph J. Atick, the chairman and chief executive of Visionics, a biometric technology supplier, said he is also concerned about the privacy issues raised by biometrics. He supports greater federal regulation and certification of biometric systems, as well as stringent privacy guidelines that could include a ban on keeping any photographic image that does not match data on a suspect. “No match, no memory, is crucial,” he said. “This technology has broad potential to affect our lives and I have a responsibility to ensure it is not misused.”6 Biometric technology has also been used in Virginia Beach, Virginia. The Virginia Department of Criminal Justice Services gave a $150,000 grant to the city in July 2001 to help it obtain face-recognition cameras to look for criminal suspects and missing children. Although officials had initially expressed mixed feelings about the technology, the city council voted to install the software at the oceanfront. To fully fund the system, the city will have to pay an additional $50,000.7 Citizens can expect increased use of biometric technology in airports following the terrorist attacks on New York and Washington on September 11, 2001. Privacy advocates, citizen groups, political leaders, and manufacturers of the technology itself are debating whether these technologies should be permitted in certain locations, such as airports, and if so, how they should be regulated to protect the privacy of the public. Airlines are looking into biometrics technologies that would allow passengers to volunteer for traveler IDs that could speed the screening process. Also, officials at Logan Airport in Boston and T.F. Green airport in Providence, Rhode Island, have announced that they will be installing face-recognition technology.8 The American Civil Liberties Union (ACLU) has opposed the use of face-recognition software to check the identity of airline passengers due to ineffectiveness and privacy concerns. The ACLU noted that the face-recognition technology called “Ferret” by the Department of Defense was abandoned by some government agencies after finding it did not work as advertised. The Immigration and Naturalization Service, for example, had experimented with using facerecognition technology to identify people in cars at the Mexico–United States border. The ACLU warns that face-recognition software is easily confused by changes in hairstyle or facial hair, by aging, weight gain or loss, and by simple disguises. It notes a Department of Defense study that found very high error rates even under ideal conditions where the subject was staring directly into the camera under bright lights. The study found very high rates of both “false positives” (wrongly matching people with photos of others) and “false negatives” (not catching
226
PERSONAL PRIVACY ISSUES
people in the database). The ACLU concluded that if installed in airports, face-recognition systems would miss a high proportion of suspects included in the photo database and flag huge numbers of innocent people, thereby lessening vigilance, wasting precious manpower resources, and creating a false sense of security.9
Communications Monitoring It is relatively easy for people to eavesdrop or intercept messages between various types of communications devices such as cordless phones, cellular phones, and pagers. For example, because analog cordless phones use radio signals, eavesdroppers can use radio scanners or another cordless phone to listen in on calls. Thus, people should avoid discussing sensitive information or making credit card purchases using their cordless phone. All such information should be shared using wired telephones on both ends of the conversation. However, the advent of digital cordless phones that use frequencies not picked up by scanners may increase the privacy offered by these devices. The federal government has broad powers to use wiretaps of telephones, pagers, wireless phones, computers and all other electronic communications and communications devices. The two sources of authority for wiretapping in the United States are:10 1. The Federal Wiretap Act of 1968. Wiretaps subject to this Act require a court order indicating that there is probable cause to believe that a crime has been, is being, or is about to be committed. 2. The Foreign Intelligence Surveillance Act of 1978. Wiretapping of aliens and citizens is allowed if there is probable cause to believe that the target is a member of a foreign terrorist group or an agent of a foreign power. For U.S. citizens and permanent resident aliens, there must also be probable cause to believe that the person is engaged in activities that “may” involve a criminal violation. Suspicion of illegal activity is not required in the case of aliens who are not permanent residents. Both Acts allow the government to carry out wiretaps without a court order in emergency situations involving risk of death or serious bodily injury and in national security cases. More information on this type of privacy invasion can be obtained from the Cellular Telecommunications Industry Association, 1250 Connecticut Avenue, N.W., Ste. 200, Washington, D.C. 20036, (202) 785-0081.
Unwanted or Threatening Phone Calls While unwanted calls are a routine problem for nearly everyone, threatening calls can be a major threat to privacy and security. Phone companies will generally assist customers in tracking and stopping threatening calls. Therefore, as a general rule, recipients of these calls should contact their local telephone service provider before contacting the police. However, the phone company may have trouble identifying the caller if that person uses pay phones or multiple phone numbers. Telemarketers are a major source of unwanted calls. Everyone has probably had the experience of answering the phone and no one is on the line. This is probably a telemarketing service that uses automatic dialing machines. The machines dial many phone numbers simultaneously,
PRIVACY EXPOSURES AND RISKS
227
wait for a person to answer, and then transfer the call to an operator. If all of the operators are busy, the recipient of the call hears silence. The National Fraud Information Center offers these tips to consumers who wish to avoid being harassed or defrauded by telemarketers:11 • Do business with known and trusted companies. Ask the caller to send information about the product or service offered. Honest companies will be glad to do this. • Understand all aspects of the transaction before accepting an offer. Know the company, its address and phone number, the product or service, its price, the delivery date, the return and cancellation policy, and the terms of any guarantee. Obtain this information in writing. • Check out the company’s complaint record at a consumer protection agency or the Better Business Bureau. • Only share financial or other personal information such as bank account numbers, credit card numbers, or Social Security numbers with trusted companies that have a legitimate need to know. • Do not succumb to high-pressure tactics. • Request to be removed from the call lists of harassing salespeople. Keep a list next to the phone with the company names and dates. If you are called again on behalf of those companies, report it to your state attorney general and the Federal Trade Commission. • To avoid unwanted phone calls from many national marketers, send your name, address, and telephone number to: DMA Telephone Preference Service P.O. Box 9014 Farmingdale, NY 11735-9014 OR Preference Service Manager Direct Marketing Association 1120 Avenue of the Americas New York, NY 10036-6700 Send via fax to: (212) 790-1427 DMA member companies that participate in this industry-sponsored program will put you on their “do not call” lists. If you are repeatedly called by fraudulent telemarketers, you may want to consider changing your phone number. For more information, visit www.the-dma.org. • Don’t be shy about hanging up. Your phone is just like the door to your home or apartment. You don’t have to open it or invite people in, and you can ask guests to leave at any time. Fraudulent telemarketers are very good at lying to, bullying, or sweet-talking their intended victims. The longer you stay on the line, the deeper they sink their hooks. Don’t let a criminal in your home through your telephone line! • If you need advice about a telephone solicitation or you want to report a possible scam, call the NFIC hotline at 1-800-876-7060. Here are some things people can do to reduce the number of unwanted or threatening phone calls they receive: • Change your phone number and request that it be unlisted and unpublished if you are receiving threatening calls.
228
PERSONAL PRIVACY ISSUES
• Get an answering machine so you can screen your calls. • Use the Caller ID features available from some companies to help identify the name of the person making the call and phone number from which the call was placed. Although there are ways for callers to override this function, recipients of calls can elect to pick up only calls from numbers they recognize.
Surveillance The two primary means of surveillance are video surveillance and satellite surveillance. These methods are commonly used to monitor a variety of public and private spaces. Video surveillance, or Closed Circuit Television (CCTV), uses small cameras to view people at areas such as office buildings, shopping malls, parking lots, roads, and sports stadiums. Private homeowners also use video surveillance to protect their property from intruders. The visual quality of video surveillance pictures has improved dramatically in recent years and some systems now include such technical features as infrared capabilities for night viewing. Video systems linked to computer databases have the ability to immediately identify individuals in a crowd. There is a concern that video surveillance technology could be used to subject specific groups of people (e.g., minority youths) to more intense scrutiny than others. Satellite surveillance can be used to view small details anywhere on the face of the earth. The technology can be used to enhance capabilities during war efforts or to view the aftermath of a natural disaster. The risk to privacy is that the technology will be used as a surveillance tool to monitor individual’s homes. Retail stores use surveillance not only to watch for shoplifters, but also to analyze patterns of customer movement throughout the store. The purpose is to determine the effectiveness of marketing and customer service. For example, Brickstream Corporation has developed a system that uses ceiling cameras to record and analyze customer movements throughout the store. Any store using the system might be able to determine how long customers will wait in a nonmoving checkout line or how many customers stop to look at a particular advertising display. Brickstream executives state that the system reports numeric data and does not personally identify particular shoppers.12 However, the idea of even more video surveillance in retail shops worries some privacy experts.
ID Chips Tiny computer chips have been developed that can be implanted into living beings to track their movement. The chips, which have already been implanted into many house pets to track their movement, transmit personal information that can be read by a handheld reader. One day the technology may be used to keep track of people. For example, corrections authorities are interested in using the chips to identify prisoners and parolees, primarily because it is a tamper-proof form of identification. Workers in high-security jobs, like nuclear power plants or airports, might also use the chips. Elderly or disabled people who cannot communicate their name or other personal information might also be candidates for the device. However, the device must still be tested and approved by the Food and Drug Administration. Meanwhile, privacy experts are concerned that the chips could be implanted against someone’s wishes. Also, there is a con-
PRIVACY EXPOSURES AND RISKS
229
cern that information contained on the chip would be difficult to update if necessary. Meanwhile, the use of chip technology is growing as automobile manufacturers use chips in keys to deter auto theft and libraries use chips to track books.13
Unsolicited Mail Many companies use direct mail advertising campaigns to market the goods or services they are selling. The volume and frequency of the mailings has become a nuisance to many people. The mailing lists companies use contain the names of people who have done business with the company or with companies in the same industry, or people who have expressed an interest in the type of product or service the company sells. A growing number of consumers are electing to “opt out” by asking companies to remove their name from mailing lists and to not sell their name and other personal information to other marketers. Opt-out agreements may either be permanent or for a limited period. The Web site ConsumerPrivacyGuide.org lists several ways consumers can communicate their preference to opt out of direct mail lists:14 • Contact your bank, grocery store, utilities, and phone company directly and ask that they do not distribute your personal information. • Write or call the magazines that you subscribe to and ask them not to release your mailing information when they make their subscription list available. • Direct marketers are required under the rules of the Direct Marketing Association to provide an opportunity to opt out. Even if the site does not offer the option to opt out when placing orders on-line or on the phone, ask that your information not be shared. • Contact Operation Opt-Out (www.opt-out.cdt.org), which provides you with links to companies that provide you with an opportunity to opt out on-line. Operation Opt Out also enables you to generate and mail letters to companies that do not allow you to opt out on-line. The Direct Marketing Association’s (DMA) Mail and E-mail Preference Services allow consumers to opt out of direct mail marketing and e-mail marketing solicitations from many national companies. Because your name will not be on their lists, it also means that these companies can’t rent or sell your name to other companies. To remove your name from many national direct mail lists, write: Direct Marketing Association P.O. Box 9008 Farmingdale, NY 11735-9014 OR Preference Service Manager Direct Marketing Association 1120 Avenue of the Americas New York, NY 10036-6700 Send via fax to: (212) 790-1427 Consumers can also remove their e-mail addresses from many national direct e-mail lists by visiting www.e-mps.org. Consumers can opt out of receiving pre-screened credit card offers by
230
PERSONAL PRIVACY ISSUES
calling 1-888-5-OPTOUT (1-888-567-8688). The three major credit bureaus use the same tollfree number to let consumers choose not to receive pre-screened credit offers. The National Consumers League offers these tips to consumers who want to remove their name from marketing lists:15 • Don’t provide information that isn’t necessary for the transaction. Don’t just fill in the blanks without thinking about whether you want to limit the information you supply. • Be anonymous. Consider using on-line tools and fictitious names in situations where your real identity isn’t needed and there is no other option to avoid getting on marketing lists. • Think twice before entering contests. Entry forms are often used to build marketing lists. • Know the privacy policy. If you don’t see anything about what personal information companies collect and how they use it, ask. • Understand your privacy choices. If there is no privacy policy or it doesn’t allow you to avoid unwanted marketing, take your business elsewhere. • Know when your personal information is being collected. Be aware of Automatic Number Identification and other ways that your information may be collected and tell the company if you don’t want to be put on a marketing list. Ask your phone company how to block your number if you don’t want it to show. • Understand that unlisted and unpublished phone numbers don’t guarantee privacy. Marketers may get your number if you’ve given it to others or they may simply dial you randomly. • Know your telemarketing rights. Federal law allows you to tell marketers not to call you again. Check with your state attorney general’s office to find out if you also have “Do Not Call” rights under state law. • Know your financial privacy rights. Federal law requires financial institutions to tell you what information they collect and how they use it, and allows you to request that your personal information not be shared with unrelated companies. Check with your state attorney general’s office to find out if you also have financial privacy rights under state law. • Know your medical privacy rights. Federal regulations limit how your health information can be used and shared with others for marketing purposes. Check with your state attorney general’s office to find out if you also have medical privacy rights under state law. • Your state may protect you against spam, or unsolicited e-mails. Check with your state attorney general’s office. Other valuable resources include Junkbusters, Mailshell, and Spamex. Junkbusters (www. junkbusters.com) provides information on reducing the volume of junk e-mail and telemarketing calls. Mailshell (www.mailshell.com) uses filtering technology to prevent junk e-mail from reaching a user’s computer. Spamex (www.spamex.com) provides users with disposable e-mail addresses that allow them to identify and stop unwanted e-mail.
Credit Card Fraud Many purchases and financial transactions are made with credit cards instead of cash. In exchange for the convenience and security of not carrying large sums of cash, consumers must realize that cards and card numbers can be easily stolen. Card issuers are placing photos of the card holders on the card to reduce the potential misuse of the card. However, credit and debit
PRIVACY EXPOSURES AND RISKS
231
card fraud is still quite common. The American Association of Retired Persons (AARP) provides a list of tips for protecting against the theft or misuse of credit cards:16 • Don’t carry more cards than you plan to use. • Immediately report lost or stolen cards to the credit card company. If you report the theft early, you won’t have to pay the thief’s credit card bills. In addition, the credit card company can stop the thief by canceling your credit card number. • Don’t write your PIN (personal identification number) on your credit card. This will prevent the thief from using your PIN to “borrow” large amounts of cash with your card. • Keep your credit card number to yourself. Thieves don’t need your credit card to charge merchandise to your account. They only need your credit card number. Criminals use stolen credit card numbers to make purchases over the phone or through the mail. Sophisticated lawbreakers can even make a new credit card with your name and number on it. Here are some ways to protect your credit card number: • When checking out at store registers, shield your credit card from the people around you. Someone might be looking over your shoulder to copy your number. • Keep track of your credit card receipts. These receipts can reveal your credit card number to anyone who finds them. • Don’t give your credit card number to a telemarketer unless you are sure he or she represents a reputable company or you placed the call. Con artists could pretend to sell you something just to get your credit card number. • Check your monthly billing statement to see if it includes purchases or transactions you did not make. Report these to the credit card company right away. • Make sure your transactions are accurate. Be on guard for dishonest merchants who might change your credit card slip after you sign it. • Always total your charge slip before signing the credit card receipt. Don’t leave blank spaces where additional amounts could be added. • Never sign a blank charge slip. • Always check your receipts against your billing statement. If you think a charge amount was changed, call your credit card company immediately.
Debit Card Fraud Debit cards work like a personal check. The card is run through a scanner and the amount of purchase is automatically deducted from the purchaser’s checking or savings account. The limit on spending equals the amount in the account. The AARP offers several tips for safely using a debit card:17 • Guard the card against loss or misuse because a thief can clear out a bank account before the owner even knows the card is missing. • If your card is lost or stolen, or if you think it is being used fraudulently, call your bank immediately. Follow up the phone call with a letter. If you fail to notify your bank within 60 days after you receive your bank statement, your liability is unlimited so you could lose all the money in your account. Check your bank statements carefully and promptly for unauthorized charges. There are major debit card issuers that provide more protection and some state laws cap your total loss at $50.00.
232
PERSONAL PRIVACY ISSUES
• For all debit card transactions, hold on to your receipts. A thief can get your name and debit card number from a receipt and order goods by mail or over the telephone. The items could be paid for out of your bank account before you know about it. • Memorize your PIN and don’t keep it with your card. Don’t choose one that a smart thief could figure out, like your phone number, address, or birthday. Never give your PIN to anyone.
National Identity (ID) Cards Many countries use cards as a means of identification. In the United States, national ID cards have been generally opposed. However, advocates believe the use of national ID cards can enhance national security and help identify illegal aliens. Technology is available that would allow legal U.S. residents to carry a card containing a computer chip that could hold a considerable amount of personal information, such as fingerprint images. Many countries use national ID cards and the information on them includes holder’s name, identifying number, photograph, date and place of birth, gender, parent’s name, place and date the card was issued, expiration date, holder’s signature, height, color of eyes, marital status, and profession. Much of the information is contained in bar codes that are machine readable.18 In January 2002, state motor vehicle officials asked Congress for up to $100 million to create a national ID system that would include high-tech driver’s licenses and a network of tightly linked databases of driver information. In the wake of September 11, driver’s license association officials suggested adopting cards containing biometric information such as fingerprints embedded on computer chips to improve security. In their view, the driver’s licenses had already become the de facto national identification card. The proposal calls for standardized licensing procedures and improved methods to authenticate drivers to help prevent terrorists and con artists from obtaining and using false driver’s licenses as identification. Civil libertarians argue that such a system would allow for unchecked government scrutiny.19 The military is already using this technology with more than 120,000 active duty military personnel, selected reservists, and Defense Department civilians using the cards as of December 2001. The military plans to issue more than 4 million high-tech identity cards in the next two years.20 The cards the military uses have two photos, two bar codes, a magnetic strip, and an identity chip. The cards have the potential to hold an individual’s complete medical history. However, because the cards are “smart cards” (discussed later), they can be used to monitor where a person is physically located at any time. The attacks on September 11, 2001, escalated a debate about whether national ID cards could help in the war against terrorism by linking the cards to a worldwide database. Governments and law enforcement officials could theoretically access the database records to immediately verify the identity of any person in the world. Critics argue that the “smart card” location tracking technology would erode people’s sense of privacy and encourage harassment by law enforcement officials. Although a national ID card has not been implemented in the United States, the technology used to create the cards has found similar uses. As stated earlier, the American Association of Motor Vehicle Administrators is devising a plan to create a national identification system to connect all state driver databases to driver’s licenses embedded with computer chips, bar codes, and biometric
PRIVACY EXPOSURES AND RISKS
233
identifiers. Also, the Air Transport Association wants travelers to carry a travel card that would include a biometric identifier that could be linked to criminal, intelligence, and financial databases.21 One advantage of a national ID system would be that a person’s identification could be immediately identified, which would make for more convenience and shorter lines at places like airport terminals. However, the risk is that the information on the cards and vast storehouses of personalized data on each individual that the cards are linked to could be misused. A Privacy International survey of ID cards found that police throughout the world arbitrarily detained individuals who failed to produce their card. The survey also found that minorities and juveniles were often targets of abuse or discrimination based on data the cards contained.22 Although serious questions remain unanswered about how the cards and related databases would be used, updated, and controlled, perhaps an even more serious concern is the potential damage to a person’s life if their card is lost or stolen. The results could range from something as simple as denial of service to a complete loss of identity.23 The last time Congress addressed similar questions was in 1996 when it voted not to amend the Illegal Immigration Act of 1996. The Act would have required states to list Social Security numbers on all driver’s licenses. However, the debate on a national identifier continues, especially after the attacks that occurred on September 11, 2001. For example, Senator Lamar Smith (R—Texas) said he would like to explore requiring Social Security cards and certain immigration documents to have biometric identifiers, such as fingerprints.24
ID Theft As of the end of December 2000, the Federal Trade Commission (FTC) had processed over 40,000 entries from consumers and victims of identity theft. Of the entries collected during 2000, 69 percent were victims’ complaints, reporting incidents in which one or more types of identity theft occurred. Thirty-one percent were requests for information from consumers that are concerned about becoming victims of identity theft. In 2001, the FTC processed 117,210 reports (a 34 percent increase in reported cases): 86,168 (74 percent) from victims of identity theft, and 31,042 (26 percent) from other consumers concerned about identity theft, making identity theft/fraud today’s fastest growing white-collar crime. Identity theft was the leading consumer fraud complaint reported in 2001. The Federal Trade Commission’s identity theft hot line receives about 1,700 calls each week. About 42 percent of the 204,000 total complaints received by the FTC in 2001 involved identity theft. Identify theft occurs when a person’s identity information (e.g., credit card number or Social Security number) is used by another person to steal the victim’s money or to commit some other type of fraud. There may be as many as 750,000 identity thefts each year.25 The AARP reports that losses to consumers and institutions due to identity theft totaled $745 million in 1997, according to the U.S. Secret Service.26 In November 2002, federal investigators uncovered a massive identity theft and identity fraud scheme that is thought to have spanned nearly three years and involved more than 30,000 victims. Early in the investigation it was estimated that losses to individuals, identity theft victims, could reach as high as $2.7 million. Three individuals were arrested and charged with wire fraud and related wire fraud charges, as well as stealing financial information on thousands of Americans (and possibly foreign nationals).
234
PERSONAL PRIVACY ISSUES
The mole in this identity fraud/theft scam was a company insider. The insider had worked as a help-desk professional with Teledata Communications Inc., a New York–based company that provides financial institutions and other companies with individualized customer credit reports. The credit reports, which Teledata sells to client companies, are compiled using data provided by the leading credit rating organizations (i.e., Equifax, TransUnion, and Experian). Ultimately, when all the dust settles, this could turn out to be one of the largest cases of identity fraud/theft ever uncovered. The Federal Trade Commission has identified the following ways thieves can steal a person’s identity:27 • Open a new credit card account using another person’s name, date of birth, and Social Security number; use the credit card up to its limit; and not pay the bill. • Change the mailing address on another person’s credit card account and use the card in that person’s name. • Establish cellular phone service in another person’s name. • Open a bank account in another person’s name and write bad checks on the bogus account. • File for bankruptcy under another person’s name to avoid paying debts incurred in the course of stealing their identity. • Counterfeit checks or debit cards containing another person’s bank account number. • Take out auto loans in another person’s name to buy cars for themselves. Thieves obtain personal identifying information by finding or stealing consumers’ credit card receipts, purse, or wallet. Sometimes the thieves take this information directly from the victim’s mailbox or garbage cans. Other thieves simply forge or create fake information and documents such as Social Security cards or driver’s licenses. Also, many people still put their Social Security number on their checks, which makes the information easy for others to obtain. Increasingly, high-tech thieves are hacking into corporate databases in attempts to obtain large volumes of credit card numbers and other identifying information. Although credit card companies usually have limits on the amount of money a customer can lose through identity theft, it often takes victims a considerable amount of time and effort to regain control of their lives.28 The Social Security number has to some extent become a national identifier. Although Social Security numbers were originally issued for the Social Security Administration to use for employment and tax purposes, some other federal agencies currently mandated to use the number include the Civil Service Commission, Internal Revenue Service, Department of Defense, food stamp program, Department of Justice, Department of Energy, Department of Treasury, Department of State, Department of Interior, Department of Labor, and the Department of Veterans Affairs. All federal agencies use the number as an identifier for record-keeping purposes. State agencies also use the number for welfare, health, and revenue purposes. Third parties, such as banks and universities, regularly request the number to verify the purchaser of products or services.29 Because the number is so widely used as a unique identifying number, the privacy of the number is no longer guaranteed. Also, Social Security cards are easy to forge because they contain no photo or other unique information. Criminals can almost literally adopt the identity of another person by obtaining his/her Social Security number. A great deal of basic personal information is becoming public information. For example, a Web site called anybirthday.com claims to contain the birthdates of 135 million people. The site can also provide gender and zip code information. Searches are free of charge. Like so many Internet companies, anybirthday.com makes money by selling advertising space on its Web site. Anyone who wishes not to be listed on the database can “opt out.”30
PRIVACY EXPOSURES AND RISKS
235
Although the Federal Trade Commission acknowledges that identity theft cannot be prevented, it provides the following suggestions for minimizing the risk of becoming a victim:31 • Before revealing any personally identifiable information, find out how it will be used and whether it will be shared with others. Ask if you can choose to not submit the confidential information requested. • Pay attention to billing cycles and contact creditors if bills don’t arrive on time. Identity thieves often change the billing address on a victim’s credit card in an attempt to avoid detection. • Guard your mail from theft by depositing outgoing mail in post office collection boxes and by promptly removing mail from mailboxes after it has been delivered. Put a vacation hold on mail deliveries when on vacation and away from home. • Passwords protect credit cards, bank accounts, and phone accounts. Avoid using passwords that are easily guessed such as mother’s maiden name, birth date, last four digits of phone number or Social Security number, or any series of consecutive numbers. • Carry only the identification and credit cards that are actually needed. • Do not give out personal information on the phone, through the mail, or over the Internet unless you have initiated the contact or know whom you are dealing with. Identity thieves often misrepresent themselves over the phone to obtain personal information. • Shred charge receipts, credit card applications, insurance forms, physician statements, bank checks, and other financial statements that are being discarded. Cut up all expired credit cards and driver’s licenses before discarding. • Store confidential personal information in a safe place. • Find out who controls personal information at work and ensure that the records are kept in a secure location. • Give your Social Security number only when absolutely necessary. Ask to use other types of identifiers when possible. • Don’t carry your Social Security card or birth certificate. Keep them in a safe place. • Review your credit report every year and make sure it is accurate and includes only authorized activities. A credit report contains information on where a person works and lives, credit accounts opened, debt information, arrest data, and any bankruptcy proceedings. The major credit bureaus have Web sites that generally allow consumers to order a copy of their credit report on-line or off, or to learn how to identify and report credit card misuse, how to remove their name from pre-approved credit card offer mailing lists, and how to opt out of other junk mail lists. The major credit bureaus are as follows: • Equifax (www.equifax.com). To order a credit report, call 800-685-1111, or write to P.O. Box 740241, Atlanta, GA 30374-0241. To report fraud, call 800-525-6285/ TDD 800-255-0056, or write to P.O. Box 740241, Atlanta, GA 30374-0241. • Experian (www.experian.com). To order a report, call 888-EXPERIAN (397-3742), or write to P.O. Box 2104, Allen, TX 75013. To report fraud, call 888-EXPERIAN (3973742)/ TDD 800-972-0322, or write to P.O. Box 9532, Allen, TX 75013. • TransUnion (www.transunion.com). To order a report, call 800-916-8800, or write to P.O. Box 1000, Chester, PA 19022. To report fraud, call 800-680-7289/ TDD 877-553-7803, or write to Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92634-6790. The FTC recommends the following steps to be followed by people who feel their identity has been stolen:32
236
PERSONAL PRIVACY ISSUES
1. Contact the fraud departments of each of the three major credit bureaus (listed previously), review your credit report, and request that a “fraud alert” be placed in your file. 2. Contact creditors to determine whether any accounts have been tampered with or opened fraudulently. Immediately close accounts that have been tampered with and open new ones with new, non-identifiable Personal Identification Numbers (PINs) and passwords. 3. File a report with local police or the police in the community where the identity theft took place. The United States Department of Justice provides additional information on actions that should be taken by victims of identity theft. The list is based in part on information from the California Public Interest Research Group (CalPIRG) and the Privacy Rights Clearinghouse. The following actions should be taken immediately after identity theft is suspected in order to minimize the financial damage the crime can cause:33 • Contact the Federal Trade Commission (FTC) to report the situation at either www.ftc.gov, 1-877-ID THEFT (877-438-4338) or TDD at 202-326-2502, or at Consumer Response Center, FTC, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. • Contact the local office of the Postal Inspection Service if you suspect that an identity thief submitted a change-of-address form with the Post Office to redirect your mail or used the mail to commit frauds involving your identity. • Contact the Social Security Administration if you suspect that your Social Security number was fraudulently used (call 800-269-0271 to report the fraud). • Contact the Internal Revenue Service if you suspect the improper use of identification information in connection with tax violations (call 1-800-829-0433 to report the violations). • Call the fraud units of the three major credit bureaus (listed previously). • Contact all creditors with whom your name or identifying data have been fraudulently used. For example, you may need to contact your long-distance telephone company if your longdistance calling card has been stolen or if you find fraudulent charges on your bill. • Contact all financial institutions where you have accounts that an identity thief has taken over or that have been created in your name without your knowledge. You may need to cancel those accounts, place stop-payment orders on any outstanding checks that may not have cleared, and change your Automated Teller Machine (ATM) card, account, and Personal Identification Number (PIN). • Contact the major check verification companies if you have had checks stolen or bank accounts set up by an identity thief. In particular, if you know that a particular merchant has received a check stolen from you, contact the verification company that the merchant uses. Some check verification companies include: • • • • • • •
CheckRite—(800) 766-2748 ChexSystems—(800) 428-9623 (closed checking accounts) CrossCheck—(800) 552-1900 Equifax—(800) 437-5120 National Processing Co. (NPC)—(800) 526-5380 SCAN—(800) 262-7771 TeleCheck—(800) 710-9898
The FTC’s Web site (www.ftc.gov/privacy/cred-ltr.htm) also contains a sample opt-out letter (see Exhibit 8.1). Consumers can use the form to contact the three national credit reporting
PRIVACY EXPOSURES AND RISKS
237
agencies (Equifax, Experian, and TransUnion) to request that their personal credit report information not be shared with third parties. Fraud-related information and assistance are also available through the Internet Fraud Watch (www.fraud.org) and the Call for Action Hotline (www.callforaction.org). Victims should also report any stolen securities to the Securities and Exchange Commission.
Census Information Some people are concerned that personal information provided to the United States Census Bureau will become public information. However, the Privacy Act of 1974 and Title 13 of the United States Code protect privacy and confidentiality by restricting the use or disclosure of census information received from individuals and businesses. Furthermore, census data is generally published in aggregate or summary form. Only sworn employees of the Census Bureau may have access to individual census information.34
Interactive Television Technology is quickly obliterating the line between computers and television. New technologies allow interactive devices that act like computers to receive television signals. Also, many personal computers are equipped with television tuner cards. These new systems promise shows on demand and interactive communication with other viewers. However, as more people receive television through communications networks, television viewers will begin to face the same privacy concerns now facing computer users. Viewers can anticipate that their viewing habits will be tracked and their viewing profile will be made available to marketing companies. Advertisers are also interested in using interactive television to track which commercials each customer watches. The next possible step is for cable companies to target specific commercials to specific households or television sets during normal programming.
Medical Privacy Medical information is regularly shared between third parties such as drug companies, employers, universities, and government health agencies. Patients often do not know their information is being shared. For example, a Washington, D.C., woman sued a surgeon and a national magazine after the magazine ran a photo of her following cosmetic surgery. A risk to privacy in the workplace is that employers will use the increasing amount of medical information at their disposal as a basis for personnel decisions involving hiring and job promotions.35 Consumers Digest provided the following statistics related to medical privacy:36 • According to the AFL/CIO, “employers commonly use information about an individual’s medical condition in [making] decisions about hiring, firing or promotions.” • Medical information is available from insurers through state workers’ compensation programs and industry databases on insurance claims known as the “Index” system. • Workers’ compensation claim information is easily bought from employment-screening firms for as little as $12.
238
PERSONAL PRIVACY ISSUES
Be sure to send your letter to ALL three credit bureaus. Options Equifax, Inc. P.O. Box 740123 Atlanta, GA 30374-0123
Experian Consumer Opt-Out Name Removal Option 701 Experian Parkway Allen, TX 75013
Trans Union Corporation's Name Removal Option P.O. Box 97328 Jackson, MS 39288-7328
Date To whom it may concern:
I request to have my name removed from your marketing lists. Here is the information you have asked me to include in my request: FIRST, MIDDLE & LAST NAME
_____________________________________
(List all name variations, including Jr., Sr., etc.)
_____________________________________ _____________________________________
CURRENT MAILING ADDRESS
_____________________________________
__________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ PREVIOUS MAILING ADDRESS
_____________________________________
(Fill in your previous mailing address
_____________________________________
if you have moved in the last 6 months.)
_____________________________________
Note: not required by Equifax and Experian.
_____________________________________
__________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ SOCIAL SECURITY NUMBER Note: not required by Experian.
_____________________________________
DATE OF BIRTH Note: not required by Equifax and Experian.
_____________________________________
Thank you for your prompt handling of my request. _____________________________________ SIGNATURE
Exhibit 8.1.
Credit Bureaus: Sample Opt-Out Letter37
PRIVACY EXPOSURES AND RISKS
239
• Employers can pull even more medical information from credit records (health-care billing), bankruptcy records, and even handwriting analysis (some medical and mental states). Consumers Digest recommends that individuals follow these actions to protect their medical privacy:38 • Ask for a copy of your medical records from your physician, hospital, and other care providers. Correct any misinformation. Ask your doctor how much information is released to third parties, what privacy policies they have in place, and what they do in practice, as opposed to their policies. • If you are concerned about privacy during a hospital stay, find out who has access to your treatment and records. If your concern is extreme, ask to see “access logs” of computer medical-records systems. • If possible, restrict the amount of medical information released to employers or insurers. Instead of signing blanket authorizations regarding “any medical provider to release any medical information,” negotiate to restrict the authorization to a specific provider or hospital. • If you are concerned about your personal information being sold, don’t fill out medical questionnaires accompanying surveys or drug promotions or toll-free information hotlines. Your name may be sold to companies marketing products that apply to your particular maladies. • It is advisable to obtain a copy of your MIB file to ensure that if any information has been added, it should actually be there and it is accurate and has not been miscoded. MIB (www.mib.com) is an association of U.S. and Canadian life insurance companies. It is a leading provider of information and database management services to the financial services industry. MIB’s core fraud protection services have protected insurers, policyholders, and applicants from those who would attempt to conceal or omit information relevant to the sound and equitable underwriting of life, health, disability, and long-term care insurance. Member companies send information to MIB when they receive an application for life, health, disability, or long-term care insurance. The applicant receives a written notice that authorizes the insurance company to release the information to MIB. The type of information in your MIB record may include medical conditions represented by one or more of about 230 codes. Conditions most commonly reported include: • • • •
Height and weight Blood pressure ECG readings Laboratory test results if, and only if, these facts are considered significant to health or longevity
There are also five codes for non-medical information that might affect insurability. Examples of non-medical information significant enough to warrant a report to MIB include: • An adverse driving record • Participation in hazardous sports • Aviation activity When a consumer applies to an MIB member company for life, health, disability, or long-term care insurance coverage, the company may check for a record at MIB. If there is a record, it is sent in coded form to authorized personnel only at the company making the request. The purpose of the report is to detect and deter applicants from omit-
240
PERSONAL PRIVACY ISSUES
ting or misrepresenting significant facts. The insurer who receives a record from MIB will compare it with information provided by the applicant. If the information in the MIB record is inconsistent with other information, the insurer may conduct further investigation. To obtain a copy of your MIB Record (if one exists) follow these steps: 1. Download a Request for Disclosure Form (www.mib.com/html/us_residents.html or www.mib.com/html/canadian_residents.html for Canadian residents). 2. Fill in the Request for Disclosure Form completely. 3. Print the Request for Disclosure Form. 4. Sign and mail the Request for Disclosure Form (along with your check/money order for $9.00, unless paying by credit card) to: • U.S. Residents: MIB, Inc. P.O. Box 105 Essex Station Boston, MA 02112 (617) 426-3660 • Canadian Residents: MIB, Inc. 330 University Avenue Toronto, Ontario M5G 1R7 (416) 597-0590 • Ask your employer if it is self-insured and obtain a copy of all policies relating to medical information. Are medical records stored in personnel files (that’s illegal under federal law)? Does your insurer or health-maintenance plan share information with your employer? If so, who sees it and how is it used? • Do not give out your Social Security number unless you have to. This number can be used to track a great deal of information on you, including workers’ compensation records and credit files. Never provide health information over the phone and make sure your healthcare providers won’t release your medical records without your written authorization. • Call or write your congressman or congresswoman and tell him/her you want a comprehensive medical privacy law that does not include a universal “health identification number” and that restricts medical information only to health-care providers and insurers. The Patient Safety Institute (PSI) announced on December 11, 2001, that it is developing a system to electronically link medical databases using the same confidential computer systems now used to facilitate on-line banking. The PSI system will allow doctors, hospitals, and pharmacies to access patient information about a patient’s medical history, allergies, medications, and vaccinations at any time and from any location.39
On-line Privacy On-line companies routinely collect a great deal of personal information about the people who visit their Web sites or buy their products. Internet retailers and other companies regularly create and share profiles of their customers and those who visit their Web site. The profile may actually be of your Internet address rather than of you because it is created based on the Web sites
PRIVACY EXPOSURES AND RISKS
241
you visit. However, the problem is becoming more acute as Web addresses are now being linked to actual identities. The threat is that the FBI might come knocking on your door if you happened to view a Web page related to bomb making, or that your insurance company will cancel your health insurance if it finds out you accessed information about cures for cancer. In August 2001, the Yankee Group released the results of a poll that found that 83 percent of consumers are somewhat or very concerned about privacy on the Internet.40 Web surfers leave behind a trail of electronic footprints, often unknowingly. Every time users visit a Web site, their Internet address and the Web page they most recently visited is communicated to the host site. It is now common for companies to sell or trade individuals’ personal information, often without those individuals’ knowledge or consent. Companies create extensive on-line profiles of Internet users that include sites visited, the length of the visits, terms searched for, and whether or not the user responds to unsolicited banner ads. This practice has an unprecedented impact on personal privacy. Your demographic data combined with an extensive profile of your interests (preferences for books, magazines, travel, restaurants, entertainment, etc.) represents a gold mine for marketers who can use the information to target their advertising. In some cases, the biggest asset many Internet companies have is the resale value of the names, addresses, and e-mail addresses of their customers. Companies value this information because those names become the target of direct mail or e-mail advertising campaigns. As a result, many individuals experience the problem of receiving unsolicited e-mails (spam) or direct mail offers from companies they have never contacted. This is why users often notice they receive target messages or advertisements about certain topics that they recently searched for on the Web. The on-line profiles are created when a Web site places a “cookie” (ID number) on the user’s hard drive. Cookies can be used to identify users returning to a Web site. Session cookies last only while the user is visiting the Web site. However, persistent cookies remain on the hard drive and can be used by advertisers to track the browsing habits of users. Cookies can also be placed on users’ computers via invisible images or “Web bugs.” According to Privacy International, one advertising service, DoubleClick, has agreements with over 11,000 Web sites and maintains cookies on 100 million users.41 Some customers have learned to foil cookies by setting their computers to reject them. There are also many on-line privacy tools that consumers can use to protect their Internet privacy. These tools include snoop-proof e-mail, encryption, anonymous re-mailers, and cookie busters. (See Appendix X “Recommendations for Protecting Your Privacy” for additional information and insights into protecting your privacy. This Appendix can be found by accessing the book’s companion Web site at www.wiley.com/go/privacy.) Approximately 18 states have anti-spam laws. The courts in Washington and California recently voted to uphold those laws to protect consumer privacy. In December 2001, the Webmaster for Peacefire.org won $2,000 in damages in small claims court by invoking Washington’s anti-spam law that prohibits sending commercial e-mail containing misleading information in its subject line or using a bogus return address or third-party domain name return address without permission. In January 2002, a court ruled that California has the right to force e-mail marketers to include accurate subject headers and valid contact information in every spam message sent to California residents. The California law specifically requires spam messages to include “ADV” (for advertisement) in their subject headers and makes failure to do so a misdemeanor.42
242
PERSONAL PRIVACY ISSUES
In January 2002, Toys “R” Us Inc. agreed to pay $50,000 and change its Internet privacy policies to end a New Jersey state inquiry into how the toy company protected personal information about its customers. Toys “R” Us, which cooperated fully with the state, signed the consent order with Consumer Affairs without admitting any wrongdoing or liability. In December 2000, Consumer Affairs and the Attorney General’s Office subpoenaed records from Toys “R” Us to investigate whether the company had adhered to its written pledge to protect the privacy of consumers’ personal information gathered from its Web site. Coremetrics Inc., a company that worked briefly with Toys “R” Us, gathered the consumer data—addresses and credit card numbers—from cookies which were placed on on-line shoppers’ hard drives. The investigation heightened concerns about the undisclosed use of cookies by on-line merchants. Toys “R” Us agreed to maintain “a clear and conspicuous link to [its] privacy policy on the initial Web page consumers are brought to when they enter the Web addresses www.toysrus.com and/or www. babiesrus.com.” The agreement also calls for all data transmitted to Coremetrics from the Toys “R” Us Web site to be returned to consumers or destroyed. At the time of this writing, a classaction suit against Toys “R” Us is still pending in California.43 In 2001, Monster.com, an on-line job resource, announced that it was going to sell information contained in its resume database to marketers. The company had already supplied AOL-TimeWarner with information from its database without disclosing the fact to its users. More that 8.6 million people have their resumes listed on Monster.com, with 25,000 new listings each day. The Privacy Foundation states that most people who list their resumes with online services have no idea their information may be sold. Furthermore, many resumes may be stored for several years, and may be misused for data mining and identity theft. Also unknown to many job seekers, some resumes that are sent to corporate Web sites often end up being forwarded to third-party resume databases for searching by other employers. Even worse, job sites might forward personal information such as name, address, age, gender, and work history to advertisers.44 Monster.com’s potential impact on privacy continues to grow. In June 2001, Monster.com and the U.S. Department of Labor entered into a partnership agreement that will require the sharing of data between the two entities. Monster.com will provide a link to the federal government’s career placement site and cross-list job postings throughout its network. The Privacy Foundation quotes the president of Recruiters Online Network as saying Monster.com probably has “more information on people than anyone outside of the federal government.”45 There are several organizations and Web sites dedicated to preserving personal privacy. TRUSTe is an independent, non-profit privacy initiative dedicated to building users’ trust and confidence on the Internet and accelerating growth of the Internet industry. TRUSTe has developed a third-party oversight program that awards a trustmark seal to Web sites that adhere to established privacy principles and agree to comply with TRUSTe’s oversight and consumer resolution process. TRUSTe claims that the trustmark signifies to on-line users that the Web site will openly share, at a minimum, what personal information is being gathered, how it will be used, with whom it will be shared, and whether the user has an option to control its dissemination. With this information, TRUSTe believes users can make informed decisions about whether or not to release their personally identifiable information (e.g., credit card numbers) to the Web site.46 In December 2001, a consortium of consumer privacy groups launched an on-line guide for protecting security and privacy on the Internet. ConsumerPrivacyGuide.org offers tips on how to read and understand the privacy policies of on-line retailers and other Web sites that collect information about visitors. It also offers how-to guides for getting rid of “cookies,” the small tags that Web sites leave on users’ hard drives to track their preferences and other information the next time
PRIVACY EXPOSURES AND RISKS
243
they return to the site. The site is co-sponsored by six consumer groups: the Center for Democracy and Technology (CDT), the National Consumers League, Consumer Action, Common Cause, Call for Action, and Privacy Rights Clearinghouse. The site was launched to bring Internet privacy and security issues back into focus, group members say. Protecting on-line privacy has fallen out of favor since the September 11 attacks on the United States, with Congress and the Bush administration giving law enforcement agencies more power to snoop on digital communication.47 In August 2002, TRUSTe and Watchfire Corporation, a provider of Web site Management software and services, announced a strategic partnership to strengthen TRUSTe’s certification and compliance efforts. TRUSTe will deploy Watchfire WebXM to perform Web site content analysis of its members’ sites to identify issues affecting privacy compliance. WebXM’s privacy management module, Privacy XM, enables organizations to collect, audit, and report on privacy-related Web site management issues such as identifying secure and unsecured forms, P3P cookie issues, Web site data collection practices, and Web beacons. PrivacyXM gives companies the ability to understand their site’s data collection, use, and potential sharing practices, helping them to avoid privacy glitches and better manage their ongoing compliance efforts. In December 2002, TRUSTe strengthened its privacy certification requirements with the release of its version 8-license agreement. Changes to the license agreement adopted in version 8 include: • Requiring companies to provide consumers with the choice to opt out before sharing their personal information with any third party unless the sharing is part of a third-party service relationship. Choice no longer hinges on a company’s definition of its primary business purpose. • Requiring licensees to adhere to user preferences for a specified period of time. These preference changes, also known as “Shelf Life Preferences”, must be maintained for no less than 12 months with up-front disclosure of intended changes. Furthermore, companies must notify consumers as to the length of time their preferences will remain fixed at the time of registration and via e-mail when preferences expire. • Requiring companies to gain TRUSTe approval on all notices of a change in practice to better ensure clarity and robust notice. • Clarifying the requirement that companies ensure that their Comprehensive Privacy Statement is consistent with all other privacy disclosures, such as FAQs and P3P statements. TRUSTe has implemented these changes in an effort to put more “teeth” into its ability to monitor the privacy practices of Web sites that display TRUSTe’s “seal of approval.” In upgrading and revising their licensing requirements, TRUSTe has risen the bar for privacy monitoring and compliance. Many on-line companies have responded to public concerns by posting their privacy policies on the organization’s Web site. The policies vary in content and the level of protection they ensure. However, most policies contain a statement of how and why a company collects information, what it does with it, how the information is stored, and what the site does to ensure that the information remains secure. Consumers can use the information contained in the privacy policy to decide whether or not to provide personal information to the site. ConsumerPrivacyGuide.org provides a list of questions consumers should try to answer when reviewing a company’s on-line privacy policy:48 • What information is being collected? Is the information personally identifiable? • Why is it necessary to collect this information? Is the data collection appropriate to the activity or transaction? If not, why does the site need it?
244
PERSONAL PRIVACY ISSUES
• How is the data being collected? Does the site set cookies? Does the site maintain Web logs? • How is personal information used once it is collected? Is it ever used for purposes other than those that a visitor intended? (If so, the visitor should be informed of the use.) Has the visitor consented to it? Does the visitor have the option to prohibit such secondary use? Can a visitor prohibit it and still enjoy the site? • Does the site offer different kinds of service depending on user privacy preferences? Does a user have a choice regarding the type and quantity of personal information that the site collects? Does the site disadvantage users who exercise data collection choices? • Can users access information that has been collected about them? Are users able to correct inaccurate data? • How long is personal information stored? Is it kept any longer than necessary for the task at hand? • What is the complaint and redress process? Whom can users contact? • What laws govern the collection? Is it a federal government site regulated by the Privacy Act? • Is the entity collecting information regulated by another privacy law? • When reviewing the policy, be careful to distinguish information about information collection and privacy from language included to market to you or to encourage you to reveal information. The Washington Post provides the following tips for protecting on-line privacy:49 • • • •
Read the privacy policies of Web sites. Ask how your data will be used. Set your browser to alert you to cookies and to reject unnecessary ones. Use an anonymizer to hide personal information while browsing. One site to try is www.Anonymizer.com. • “Opt out” of list sharing. Check individual sites for their policies or look at Operation Opt-out for help. • Get separate addresses for personal e-mail and for e-mail addresses you give to Web sites.
PROTECTING CHILDREN’S ON-LINE PRIVACY The privacy of children is especially vulnerable on the Internet. A Web site called kidsprivacy.com provides tips for keeping kids safe on-line. This organization believes the involvement of parents, child care providers, and teachers is the key to helping children have a safe experience on the Internet. Kidsprivacy.com lists the following recommendations for helping young people use the Internet wisely:50 • First and foremost, children need to know that just because they are asked for personal information, that does not mean they have to give it out. Even if the request is from a familiar animated character from a television show or a request to fill out a questionnaire to enter a site, play a game, or participate in a contest, a child still needs to ask a grownup first. • Discuss what personal information is. Many children understand name and address, but should also know that hobbies, pet names, favorite cereal, and amount of allowance are part of their private information and should not be given out on a Web site without asking permission.
PROTECTING CHILDREN’S ON-LINE PRIVACY
245
• Talk with your child about the Children’s Online Privacy Protection Act (COPPA) and why Congress thought the issue of children’s privacy on the Web was important enough to pass a law to protect it. • Look at a Web site’s privacy policy together. This tells you what information a child might be asked for and how it might be used. Discuss what you find there. • Selling on the Web is big business—and expanding rapidly. Talk about how advertising and marketing works. Children understand the world differently than adults, making them especially vulnerable to advertising and marketing. They need to rely on an adult’s analytical abilities, judgment and experience. Explain that no matter how cute or clever the Web site, the main reason it’s on the Internet is to get a child to want a company’s products and services. Keep in mind that some Web sites are aimed at children as young as four to six years old. • Be around when your child is on-line. Put the computer in a highly visible place and check in periodically. Children can move through Web sites quickly and the enticements to give up personal information are numerous. Children also tend to be particularly trusting of computers and more open to interacting with them. • If you think that a Web site is collecting information inappropriately, send an e-mail message to register your objection to the company sponsoring the site. And, notify the Federal Trade Commission, which is in charge of enforcing COPPA: Federal Trade Commission’s Consumer Response Center at Room 130, 600 Pennsylvania Ave. NW, Washington, DC 20580, or call toll-free 1-877-FTC-HELP (1-877-382-4357). You can also go to the FTC Web site www.ftc.gov and fill out an on-line complaint form. • Look for sites other than the more well-known, product-based sites. Many of them are just as much fun and interesting. The American Library Association’s list of “700⫹ great sites for kids” at www.ala.org/parents/ is a good place to start. • Teach children that the Web is a resource, not just a place to play games. Work with them on the Web on family projects—plan a family vacation, research a charity for a donation, find a book on a hobby, build a family Web page. Lawmakers recently introduced legislation mandating the creation of a “.kids” Internet domain, also called the “Dot Kids Domain Name Act of 2001.” Rep. John Shimkus (R—Illinois) and Rep. Edward Markey (D—Massachusetts) co-sponsored the bill because the Internet Corporation for Assigned Names and Numbers (ICANN) had failed to create such a domain. The bill required ICANN to include “.kids” alongside “.com,” “.net,” and “.org” in the Internet’s worldwide addressing system. The domain “.kids” would join domains like “.aero,” “.biz,” “.coop,” “.info,” “.museum,” “.name,” “.gov” and “.pro” that were created since “.com,” “.net,” and “.org” more than a decade ago. The “.kids” domain received strong support from pro-family groups as a means of identifying the content of on-line material. However, the Congress’s Child Online Privacy Protection Act Commission has not recommended the creation of a “.kids” domain because different countries have different standards of what constitutes child-appropriate material. The Commission argued that “kids” is a term not used or understood in many other nations.51 Other children’s privacy resources include:52 • America Links Up (www.americalinksup.org) is a public awareness and education campaign sponsored by a group of non-profits, education groups, and corporations concerned with providing children a safe and rewarding experience on-line. This site
246
PERSONAL PRIVACY ISSUES
•
•
•
•
•
•
•
•
contains resources for parents and kids, and offers a way for individuals and groups to get involved nationwide by planning or attending teach-ins. Center for Media Education (www.cme.org) is a non-profit organization dedicated to improving the quality of electronic media, especially on behalf of children and families. The Center for Media Education is involved in investigating the children’s on-line marketplace. Children’s Advertising Review Unit (CARU) (www.bbb.org/advertising/childrensmonitor. asp) is a unit of the Council of Better Business Bureau and is intended to provide voluntary standards for the protection of children under the age of 12. The Federal Trade Commission’s Kidz Privacy site (www.ftc.gov/bcp/conline/edcams/ kidzprivacy/index.html) is an educational Web site produced by the FTC surrounding the enactment of the Children’s Online Privacy Protection Act. This site offers guidance to parents and children, as well as Web site operators, on the dos and don’ts of children’s on-line privacy. GetNetWise (www.getnetwise.org) is a resource for families and caregivers to help kids have safe, educational, and entertaining on-line experiences. The Web site includes a glossary of Internet terms, a guide to on-line safety, directions for reporting on-line trouble, a directory of on-line safety tools, and a listing of great sites for kids to visit. Online Public Education Network, or Project OPEN (www.internetalliance.org/projectopen/about.html) was founded in 1996 as a partnership of the Internet Alliance, the National Consumers League, and leading Internet companies to help consumers get the most out of going on-line. Two guides, “How to Get the Most Out of Going Online” and “Child Safety on the Information Highway,” provide tips for parental empowerment. Wired Kids (www.wiredkids.org) is the official North American site of UNESCO’s Innocence in Danger program. The site’s mission is to allow children to enjoy the vast benefits of the Internet while at the same time protecting them from cyber-criminals. CyberAngels (www.cyberangels.org) finds and reports illegal on-line material, educates families about on-line safety, works with schools and libraries, and shares basic Internet tips and help resources. The United States Department of Justice maintains a “kidspage” on its Web site (www. usdoj.gov/kidspage/) that offers kids a variety of tips for staying safe on-line.
EMPLOYER SPYING Employers today use many techniques to monitor their employees. The courts have generally upheld employers’ rights to monitor employees for security or productivity purposes. Consequently, employers are allowed to conduct background checks and validate the personal histories of potential hires and existing staff. However, in cases where an employee has an expectation of privacy, the courts have generally sided with workers whose privacy has been violated. In any case, employer spying can reduce employee morale and increase anxiety in the workplace.
Video Surveillance A common method of employer spying is through direct observation of employees. Technological advances have reduced the size and expense of video surveillance to the point where it is common in American workplaces. Employers regularly monitor not only office areas
EMPLOYER SPYING
247
and productions lines, but also traditionally private areas such as employee bathrooms and locker rooms. Satellite-based tracking systems can be used to monitor the geographic movements of vehicles as well as people. The technology can show the exact position of vehicles at all times to ensure employees are following intended routes and not deviating from approved travel plans.
“Smart” ID cards These cards include a chip that contains employee information. These high-tech cards use location-tracking technologies used by the military to track the location of personnel throughout the world. Employers have recently begun using the technology to monitor the location of their employees as they move through the office or work site. The technology could be used to determine whether an employee spends too much time on a work break or in the bathroom. One example of a “smart” card is the automated immigration system developed by the U.S. Immigration and Naturalization Service.53 The system identifies people by matching their hand geometry with their hand’s image stored on the “smart” card.
Phone Calls Although the Electronic Communications Privacy Act of 1986 (ECPA) prohibits the intentional interception of electronic communications in the workplace except for business purposes, phone surveillance is often used in American workplaces. Employers are able to monitor employee phone calls due to a loophole in ECPA that allows employers to listen in on all employee phone calls except personal ones. Obviously, an employer must listen to all phone calls to determine whether each one is personal or not. If a call is deemed personal, employers are supposed to stop listening. However, many employers continue to monitor the length and content of all phone calls, as well as the time of day those calls are made. Many employers also monitor employee phone calls received via company voice-mail systems. For example, default pass codes installed in some voice-mail systems give managers access to all voice-mail boxes by bypassing employee-selected passwords. Telephone surveillance or wiretapping can occur in personal as well as business phones. In 1994, the Communications Assistance for Law Enforcement Act (CALEA) required that surveillance capabilities be built into all telephone systems used in the United States.54
Computer Monitoring Many sophisticated techniques are available for employers to use in monitoring how their employees use the computer equipment assigned to them. “Packet sniffing” software packages can analyze and retain all network communications such as an employee’s e-mails, Web sites visited, and files shared. Packet sniffers continuously search employee messages and documents for threatening or sensitive terms or phrases within its search criteria. When these terms are found, administrators can conduct further analysis to determine if the message posed a risk to the company or not. Employers use these computer monitoring tools not only to mitigate risks,
248
PERSONAL PRIVACY ISSUES
but also to verify that the hardware, software, and communications systems are being used for business purposes only. Some of the monitoring programs employers can use to determine how their employees are using the Internet include the following:55 • “LittleBrother” tracks employee Internet usage and provides detailed reports for analysis. • “SurfWatch” provides Internet monitoring, filtering, and blocking features that can prevent users from accessing unproductive sites. There is also a version that interfaces with CheckPoint’s Firewall-1 and uses some of Firewall-1’s features in conjunction with its own filtering and monitoring capabilities. • “Internet Manager” tracks most active users and most visited sites. • “Cyber Snoop” provides Internet monitoring and filtering and allows a system administrator to control sites visited. Another way employers can monitor computer use is through the use of keystroke loggers that can record every key pressed on a computer keyboard, even if the information was deleted. Keystroke loggers and other programs that can scan data files and e-mails allow employers to monitor Internet usage as it happens. One example of a keystroke logger is “Stealth Keylogger Pro.” Users of computers with this program installed have no idea that it is operating because there is no indication on the task bar or task manager. All keystrokes and application launches are logged to a text file and can be e-mailed to the system administrator.56 Employers and law enforcement officials are able to recall the Web sites an employee has visited at any time in the past, even if the Internet history file has been deleted. In this way, records of computer use can assist employers in developing profiles on potential and current employees, as well as assisting in reviews and investigations. Telecommuters are employees who work from their homes or other remote locations rather than within a business facility. Today there is less distinction than ever before between home and office as telecommuting continues to grow. The privacy issues related to telecommuting continue to unfold. Among the controversial issues still unresolved is how an employer can distinguish between work and non-work activities when monitoring an employee at home, and how an employer can distinguish whether employees or one of their family members is using the office’s equipment. Despite these unresolved issues, employers are increasing their monitoring of how workers with remote Internet access use their e-mail and Web surfing privileges. Employers use software that can record Web sites visited or keystrokes typed, and companies keep copies of e-mails sent through their systems. Thus, employees should be careful about doing personal business on an office computer, even at nights or on weekends, as an increasing number of employees are being fired or reprimanded for inappropriate Internet usage. Employees who send e-mails or browse the Internet using the workplace network or phone lines should expect very little privacy. Some government employees have argued that employer searches of their e-mails sent from the office violated their rights under the Fourth Amendment to the Constitution, which provides for “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” In O’Connor v. Ortega, the Supreme Court extended Fourth Amendment privacy protection to government workplaces. Specifically, the desks and file cabinets of government employees were deemed private places. However, the government may perform searches necessary to promote efficient workplace operations. Government employers may also have a legal right to conduct broader searches of employee offices and equipment if they inform the employees that their desks, computers, and lockers may be searched.
EMPLOYER SPYING
249
While private employers are not bound by the Fourth Amendment, they must adhere to any applicable laws relating to search and seizure. The courts have generally held that as long as network administrators have the ability to view the contents of e-mails, employees should expect them to be read. Also, e-mails sent from personal computers have been considered private in the same way the contents of a first-class letter are considered private. Personal e-mails can be intercepted and read by law enforcement officials who obtain the proper search warrants. The Electronic Communications Privacy Act of 1986 (ECPA) also allows employers to intercept electronic communications (such as e-mails), if there is an actual or implied consent by the employee. Consent is considered to be implied in cases where employers simply inform employees that their e-mail messages might be monitored. As stated earlier, ECPA also allows employers to monitor employee phone calls, except personal ones. One major reason employers are concerned about the content of e-mails is sexual harassment. Employers are afraid they will be found liable for sexual harassment in instances where it is perpetuated through the company’s computer system. There have been many cases where employees have been fired after sending e-mails that have been deemed inappropriate. However, e-mail messages can be especially susceptible to misinterpretation. The problem is that people often say things in e-mail that they would not say in other settings. E-mail has become a means of informal communication where communicants adopt the slang, jargon, or tone of the person they are communicating with. Also, unlike face-to-face communication, e-mails do not allow the reader to interpret the sender’s underlying meaning by observing their body language, tone, or facial expressions. Therefore, an inside joke between two people could be interpreted as a threat or harassment. Employees also face the problem of receiving e-mails that they did not request or do not want. The content of e-mails is difficult to assess without opening them. Even if opened e-mails are subsequently deleted, the record of them remains on the network file server. Similarly, many Web sites that appear innocent in name may turn out to be pornographic or at least inappropriate to the mission of the organization. Employees who accidentally enter inappropriate Web sites should close them immediately and inform the network administrator that an error was made. Many employers allow for mistakes of this type and monitor Internet and e-mail use to deter or catch the most egregious violators. Another debate revolves around the difference between using the telephone at work versus the Internet to communicate. Most employers are comfortable with the fact that employees routinely use the telephone at work to call their spouse or to make dinner reservations, yet many of those same employers would be reluctant to allow an employee to make a dinner reservation through the Internet during business hours. The difference is the comfort level associated with the telephone and the relative uncertainty associated with the Internet. Until there is parity between the two mediums, employees should be circumspect in their use of the company’s Internet service for personal business. The courts will continue to address how much privacy employees should be entitled to expect when using office equipment. However, it is clear that companies could be held liable for providing resources that are used to disseminate inappropriate, offensive, or proprietary information. Many companies are responding by developing policies that define the limits of Internet use and that inform employees that their Internet use may be monitored. This trend toward making monitoring policies explicit should help reduce inappropriate Internet use by employees who do not realize the potential implications of what they do on-line.
250
PERSONAL PRIVACY ISSUES
In order to prevent abuses, the American Civil Liberties Union recommends that employers adopt an electronic monitoring policy that includes the following features:57 • • • • • • •
Notice to employees of the company’s electronic monitoring practices Use of a signal to let an employee know when he or she is being monitored Employee access to all personal electronic data collected through monitoring No monitoring of areas designed for the health or comfort of employees The right to dispute and delete inaccurate data A ban on the collection of data unrelated to work performance Restrictions on the disclosure of personal data to others without the employee’s consent
The Internet gives employees great freedom to access information. However, because the service is not free, employers have a right to expect that its employees will use the Internet wisely and for business-related purposes. Telecommuting makes the issue more difficult. If a business supplies an employee with a computer to use at home, does that give the employer the right to read all materials prepared or viewed on that computer? Many people would say that an employee who uses company equipment to view pornography over the Internet is misusing company property, but what about the employee who uses an office laptop to download recipes for chocolate chip cookies? Employer spying is bound to have a negative influence on employee morale. Most employees are honest, but some are not. Undisclosed spying on everyone in an effort to catch a few thieves can create an atmosphere of distrust throughout the entire organization. As a result, employee dissatisfaction and turnover may increase. Thus, employers are encouraged to clearly communicate their expectations to employees and the methods that will be used to ensure adherence to those expectations. A recent article on employee spying cited another article by Marsha Woodbury, Ph.D., who wrote, “There is just so much work that can be expected from an employee no matter how many hours he is on the job. If you maintain a happy and trusting atmosphere you are more likely to get more productivity out of those hours that are worked.” The article continued to note that, “As a business or corporation you feel that you have a right to protect your business productivity and in fact you do, but doing so in draconian terms can actually hurt your cause rather than help it. In extreme situations such as high security operations or where employee concentration must not be broken by distractions that might endanger the health and safety of others, then employee monitoring is a must. But for most businesses employee monitoring might be best left alone and only put into place if extreme abuse is suspected. In any case, make sure your monitoring policies are known and that your employees can review those policies. Spell out what is acceptable and what is not and what exactly are the consequences for policy violations.”58 Monitoring e-mail content allows employers to assess the productivity of their workers or to protect trade secrets. Therefore, employers are advised to explicitly warn their employees that their e-mails will be monitored. Companies should develop written privacy policies to address all aspects of privacy, including e-mails. All employees should be required to read and sign a form indicating that they have read and understand the policy.
Monitoring of the U.S. Judiciary Even federal judges are exposed to workplace monitoring. In May 2001, a group of U.S. federal court judges disabled the Internet connections on their computers after they learned their Web browsing was being monitored by the court administrators who maintained the computers.
CHANGES TO PERSONAL PRIVACY FOLLOWING SEPTEMBER 11, 2001
251
The judges, troubled by the privacy and confidentiality issues, argued that the monitoring violated the Electronic Communications Privacy Act of 1986 (ECPA). The administrators felt that monitoring was necessary and sought to institute a policy to inform federal judges and their staff that they should have no expectation of workplace privacy. In September 2001, the Judicial Conference, the policy-making body of the federal judiciary, decided in favor of the judges. The Conference rejected the administrators’ proposed policy to eliminate all judicial expectation of privacy in the workplace and voted to end monitoring of the judges’ e-mails. However, the Conference approved limited monitoring of Internet use and prohibited the use of certain file-sharing programs.59
Profiling Employers are increasing their use of psychometric or aptitude testing to evaluate potential employees. Such tests can measure intelligence, personality traits, character, honesty, and work skills. Most employers also conduct extensive background checks before hiring a new staff member. After employees are hired, many can expect to be subjected to regular drug testing. Easy-to-use kits allow companies to administer tests that give immediate results without the need for special laboratory equipment or medical training. The common tests use hair or urine samples and can detect a variety of drugs in the system. However, because tampering with the tests to avoid a positive reading is common, employees may be forced to give a urine sample in the presence of the test administrator. The personal privacy concerns in this case are obvious. Workers subjected to frequent drug tests often feel mistrusted and unmotivated, which can negatively affect productivity. Employers, however, argue that drug tests are necessary to help ensure a safe working environment. There is increasing concern that future hiring and promotion decisions could be based in part on DNA test results, which could be used to predict a worker’s behavioral patterns or predisposition to health problems. A study conducted by the American Management Association in 2000 found that 15 percent of major U.S. firms were using genetic testing or similar tests to predict susceptibility to workplace hazards.60 The concern is that these tests will be used to discriminate against certain ethnic or religious groups.
CHANGES TO PERSONAL PRIVACY FOLLOWING SEPTEMBER 11, 2001 On September 11, 2001, the terrorist attacks on the World Trade Center and Pentagon shook the world. In response to those attacks, there have been numerous new laws and policies implemented to reduce the threat of terrorism. However well intentioned these measures, some people have become worried that the increased security measures will have a negative effect on personal privacy. Yet many Americans remain supportive of the intrusions into their private lives brought about by increased surveillance, searches, and other measures. Robert B. Reich, Secretary of Labor under President Bill Clinton, summed up the concerns of privacy advocates when he said, “I’m surprised there hasn’t been more of an outcry. The president [George W. Bush] is by emergency decree getting rid of rights that we assumed that anyone within our borders legally would have. We can find ourselves in a police state step by step without realizing that we have made these compromises along the way.”61
252
PERSONAL PRIVACY ISSUES
New Airport Security Laws The Aviation and Transportation Security Act (P.L. 107-71), signed by President Bush on November 19, 2001, created the Transportation Security Administration (TSA) in the Department of Transportation. The law makes many fundamental changes in the way transportation security will be performed and managed in the United States. For the first time, aviation security will become a direct federal responsibility, overseen by the new Under Secretary of Transportation for Security (in charge of the TSA), who will report directly to the Secretary of Transportation. In addition, all transportation security activities will be managed by one agency. The TSA will be very visible to air travelers because it operates the passenger screening process in over 400 communities around the country. The mission of the TSA is broader than aviation and its activities will be more than screening. The job of the TSA is to look at threats across the national transportation system and prevent disruption by terrorists. The TSA will work with all of the agencies of the United States government to take advantage of the best available intelligence information. The TSA will design and operate a system of overlapping systems—some that are visible to the public, and others that are not. Sophisticated uses of information and advanced technology will be among the tools of a flexible, well-trained, and equipped security force. Although TSA took over the screener contracts in 2002, federal screener personnel replaced these contracts on November 19, 2002. In addition, according to the law, explosive detection systems are to be in place to screen all checked baggage by December 31, 2002.62 The law allows for more aggressive and extensive search of passengers’ bags, and other measures to counter terrorism. The law also allows airlines to use one of four methods to better track baggage: (1) explosive-detection machines, (2) hand searches, (3) bomb-sniffing dogs, or (4) matching checked luggage to passenger lists. Airlines are required to inspect all checked luggage and have a law enforcement officer stationed at every screening station at major airports. Passengers are now subject to more extensive and thorough hand searches of luggage and more computer cross-checks with watch lists maintained by the FBI and other law enforcement groups.
Anti-Terrorism Law On October 26, 2001, President Bush signed into law the PATRIOT (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act, an anti-terrorism package giving the government access to more personal data and communications. The law, which applies to criminal and intelligence investigations as well as to terrorism investigations, contains the following provisions:63 • It allows government agents to collect undefined new information about Web browsing and e-mail without meaningful judicial review. • It allows Internet service providers, universities, and network administrators to authorize surveillance of “computer trespassers” without a judicial order. • It allows the FBI to compel disclosure of any kind of records, including sensitive medical, educational, and library borrowing records, if they are connected with an intelligence investigation. • It allows law enforcement agencies to search homes and offices without notifying the owner for days or weeks after the search. • It allows the FBI to conduct wiretaps and secret searches in criminal cases.
SUMMARY
253
The concern of the Center for Democracy and Technology (CDT) is that the law will cut government agencies loose from standards and judicial controls, which could result in the government casting an even wider net and collecting more information on innocent people. The CDT called upon Congress to exercise its oversight powers to conduct review of how the law will be interpreted and applied. The CDT is also looking at the privacy implications of other changes following September 11, such as proposals to allow increased telephone and Internet surveillance, to implement national ID cards, or to increase the use of biometrics (e.g., face recognition technology) at United States borders and in other situations.64
Increased Surveillance In October 2001, the Pentagon issued a rush appeal for ideas for fighting terrorism by asking contractors for new surveillance technologies that could be used for military or civilian purposes. The requested items included a computer system for tracking anyone who buys material that could be used in making bombs, a portable polygraph machine for questioning airline passengers, facial-recognition systems, computer programs that can predict terrorist behavior, scanners for spotting people who have handled weapons of mass destruction, and voiceprint software for automatically recognizing people speaking Middle Eastern languages. The Senate also approved a bill that would greatly expand the ability of law enforcement and intelligence agencies to tap phones, monitor Internet traffic, and conduct other forms of surveillance in pursuit of terrorists.65
SUMMARY Intrusions on personal privacy are increasing at a rapid pace. Business owners expect to know where their employees are and what they are doing, marketers ravenously seek out personal information to build clientele, and the government diligently tries to fulfill its obligation to make sure public places are safe and secure. Meanwhile, the Internet has made vast amounts of information, including private data, available and transferable at the click of a mouse button. But even as the fences guarding our privacy are under siege, new technologies and strategies are being developed to help protect our information, identity, and property. The major components of privacy are information privacy, bodily privacy, communications privacy, and territorial privacy. Some of the major threats to these aspects of privacy come from surveillance, eavesdropping, wiretapping, office searches, alcohol and drug testing, ethnic and racial profiling, identity theft, biometrics, and unsolicited e-mails, phone calls, or mail. In the future, people could be asked to carry national ID cards that hold their personal information on a computer chip, or the chip with that data could be implanted directly into their bodies. The attacks of September 11, 2001, have resulted in more measures that affect personal privacy. In the days following the attacks, the government passed new airport security laws and antiterrorism laws that resulted in more searches of personal belongings and increased surveillance. But just as new privacy threats appear, new privacy protection ideas are introduced. More and more people are beginning to protect their privacy by opting out of mail and phone lists, by using on-line privacy tools such as anonymous re-mailers and cookie busters, and by restricting outside access to their personal data whenever possible. It is clear that as threats to
254
PERSONAL PRIVACY ISSUES
privacy increase, more people will be demanding to know why information is being collected, how it will be used, and how it will be kept private. Chapter 9 discusses in more depth the various means, methods, and tools available to provide individuals with privacy protection.
ENDNOTES 1. Robert Ellis Smith, Privacy (Garden City, NJ: Archer/Doubleday, 1980), 323. ISBN: 0385142706 2. Privacy and Human Rights 1999: An International Survey of privacy laws and Developments, Privacy International and the Electronic Privacy Information Center, www. privacyinternational.org/survey/Overview.html#Heading2. 3. Id., www.privacyinternational.org/survey/Overview.html#fn9. 4. Id., www.privacyinternational.org/survey/technologies.html. 5. Feder, B.F., “The Face of Security Technology,” The New York Times (January 20, 2002), www.nytimes.com/2002/01/20/business/yourmoney/20PROF.html?todaysheadlines. 6. Id. 7. Electronic Privacy Information Center, “Face Recognition,” www.epic.org/privacy/face recognition/ (accessed January 2002). 8. “ACLU Opposes Use of Face Recognition Software in Airports Due to Ineffectiveness and Privacy Concerns”, http://archive.aclu.org/issues/privacy/FaceRec_Feature.html. 9. Id. 10. Center for Democracy and Technology, “The Nature and Scope of Governmental Electronic Surveillance Activity,” September 2001, www.cdt.org/wiretap/wiretap_overview.html. 11. National Fraud Information Center, General Telemarketing Tips, www.fraud.org/ telemarketing/teletips/gentips.htm. 12. McCarthy, E., “Studying Consumers’ Movements,” Washington Post (January 14, 2002): E05. Available on-line at www.washingtonpost.com/ac2/wp-dyn?pagename⫽article&node⫽ &contentId⫽A40943-2002Jan13¬Found⫽true. 13. O’Harrow, R., “Next: An ID Chip Planted in Your Body?” Washington Post (December 19, 2001):E01. Available on-line at www.washingtonpost.com/ac2/wp-dyn?pagename⫽article &node⫽&contentId⫽A62663-2001Dec18¬Found⫽true. 14. Center for Democracy and Technology, “How to Opt Out,” ConsumerPrivacyGuide.org at www.consumerprivacyguide.org/howto/optout.shtml. 15. The National Consumers League, “Tips to Remove Your Name from Marketing Lists,” available on-line at www.nclnet.org//privacy/printable.htm. 16. American Association of Retired Persons, “Tips for Protecting Against Credit Card Fraud,” available on-line at www.aarp.org/consumerprotect-frauds/Articles/a2002-10-01-FraudsCreditCards. 17. American Association of Retired Persons, “Understanding Debit Cards,” available on-line at www.aarp.org/financial/Articles/a2002-08-14-ManagingMoneyDebitCards. 18. Privacy International’s Frequently Asked Questions report on national ID cards, www. privacyinternational.org/issues/idcard/idcard_ faq.html. 19. O’Harrow, R., “States Seek National ID Funds Motor Vehicle Group Backs High-Tech Driver’s Licenses,” Washington Post (January 14, 2002): A04. Available on-line at www.washingtonpost.com/ac2/wp-dyn?pagename⫽article&node⫽&contentId⫽A410322002Jan13¬Found⫽true.
ENDNOTES
255
20. O’Harrow, R., and J. Krim, “National ID Card Gaining Support,” Washington Post (December 17, 2001): A01. Available on-line at www.washingtonpost.com/ac2/wp-dyn?pagename⫽article&node⫽&contentId⫽A52300-2001Dec16¬Found⫽true. 21. Id. 22. Privacy International, “Do ID cards facilitate an increase in police powers?” Identity Cards: Frequently Asked Questions, www.privacy.org/pi/activities/idcard/idcard_ faq.html#9. 23. Id. 24. Krebs, B., “National ID-Card Push Roils Privacy Advocates,” Newsbytes, September 26, 2001, www.govtech.net/news/news.phtml?docid⫽2001.09.26-3030000000003103. 25. Ho, D., “Is Someone Out To Steal You? Identity Theft On The Rise,” Associated Press, January 23, 2002. Available on-line at www.lexisone.com/practicemanagement/pmlibrary/ appm012402c.html. 26. American Association of Retired Persons, “Wise Consumer: Identity Theft,” available on-line at www.aarp.org/consumerprotect-wise/Articles/a2002-10-03-WiseConsumerIdentityTheft. 27. U.S. government’s central Web site for information about Identity Theft, www.consumer. gov/idtheft/. 28. See note 25. 29. See note 22. 30. AnyBirthday.com, on-line at http://anybirthday.com/faq.htm, and http://anybirthday.com/ privacy.htm, for opt-out procedures. 31. Federal Trade Commission Tips for Consumers, “Id Theft: When Bad Things Happen To Your Good Name,” www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm#risk. 32. Id., www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm#victim. 33. Justice Department, “What Should I Do If I’ve Become A Victim of Identity Theft?” www.usdoj.gov/criminal/fraud/idtheft.html#What%20Should%20I%20Do%20If%20I’ve %20Become%20A%20Victim%20OF. 34. U.S. Census Bureau’s Confidentiality Protection of Confidential Information—Sections 9 and 214 of Title 13, www.census.gov/main/www/policies.html#confidential. 35. Crowley, Susan L., “Invading Your Medical Privacy: Snoops Finding New Ways to Breach Medical Files,” March 2000, www.aarp.org. 36. Wasik, John F., “Protecting Your Medical Privacy,” Consumers Digest 38, no. 2 (March/April 1999). 37. Federal Trade Commission Privacy Initiatives, “Credit Bureaus: Sample Opt-Out Letter,” www.ftc.gov/privacy/cred-ltr.htm. 38. Id. 39. Patient Safety Institute (PSI) “Launch of Patient Safety Institute Empowers New Era In Patient Safety and Quality of Care,” news release, www.ptsafety.org/news/nr011211.asp. 40. Yankee Group, “Online Privacy Continues to Be a Major Concern for Consumers” (August 7, 2001), www.yankeegroup.com/webfolder/yg21a.nsf/LatestNews/ 69E54E0BB8 B2BB1885256A9B006F7D26. 41. Electronic Privacy Information Center Washington, DC, USA, and Privacy International London, UK, “Privacy And Human Rights 2001: An International Survey Of Privacy Laws and Developments,” p. 45, available on-line at www.privacyinternational.org/survey/phr2001/phr 2001.pdf. 42. Krebs, Brian, “Peacefire.org Wins Spam Suits,” Newsbytes, 12/12/01, and Mcguire, David, “California Spam Law Upheld As Constitutional — Update,” Newsbytes, 1/4/02n. 43. DeMarrais, Kevin, “Deal Set for Net Privacy,” The Hackensack Record, 1/3/02. 44. Dixon, Pam, “Click You’re Hired. Or Tracked . . .,” Privacy Foundation, 9/5/01.
256
PERSONAL PRIVACY ISSUES
45. “A Report on the Privacy Practices of Monster.com,” Privacy Foundation, 9/5/01. 46. Truste.org, “The TRUSTe Program: How It Protects Your Privacy,” www.truste.org/ consumers/users_how.html. 47. Berger, Matt., “Consumer Groups Launch Net Privacy Guide: Privacy Advocates Hope to Draw Attention to Privacy Policies of Major Online Retailers,” IDG News Service, 12/18/01. 48. The Center for Democracy and Technology, Consumer Privacy Organization, “How to Read a Privacy Policy,” www.consumerprivacyguide.org/howto/readpp.shtml. 49. O’Harrow, R., “Survey: Internet Users Have More Control Over How Data Is Used,” Washington Post (March 27, 2002), available on-line at www.washingtonpost.com/ac2/ wp-dyn?pagename⫽article&node⫽&contentId⫽A25920-2002Mar27¬Found⫽true. 50. Federal Trade Commission, “How to Protect Kids’ Privacy Online,” Tips for Consumers, Kidsprivacy.com, www.ftc.gov/bcp/conline/pubs/online/kidsprivacy.htm. 51. McGuire, D., “Addressing Authorities Will Tackle Internet Keywords,” Newsbytes (January 23, 2002), www.computeruser.com/news/02/01/25/news3.html. 52. Electronic Privacy Information Center (EPIC), Children’s Privacy, www.epic.org/privacy/kids, and Online Guide to Practical Privacy Tools, http://www.epic.org/privacy/tools.html. 53. Immigration and Naturalization Service, The INS Passenger Accelerated Service System (INSPASS), www.ins.usdoj.gov/text/howdoi/inspass.htm. 54. FCC Again Approves FBI’s CALEA Requirements (April 11, 2002), www.epic.org/ privacy/wiretap/calea/FCC_order_04_02.pdf. 55. How Do They Spy on You, http://netsecurity.about.com/library/weekly/aa082100b.htm, and Electronic Privacy Information Center (EPIC), Work Place Privacy, www.epic.org/ privacy/workplace. 56. Id. 57. Privacy in America: Electronic Monitoring, www.aclu.org (accessed 1/23/02). 58. Employer Spying and Morale, http://netsecurity.about.com/library/weekly/aa082100c.htm. 59. Electronic Privacy Information Center (EPIC), Work Place Privacy, www.epic.org/privacy/ workplace. 60. American Management Association, “Survey of Medical and Workplace Testing (2000),” www.amanet.org/research/archives.htm. 61. Privacy Digest News Page, www.privacydigest.com (accessed 1/26/02). 62. U.S. Department of Transportation, Transportation Security Administration, Overview: The Aviation and Transportation Security Act (P.L. 107-71), www.dot.gov/bib/tsa.html. 63. Doyle, C., Center for Democracy and Technology, American Law Division, “Terrorism: Section by Section Analysis of the USA PATRIOT Act” (December 10, 2001), www.cdt.org/security/usapatriot/011210crs.pdf; and Plesser, R., et al., “Summary and Analysis of Key Sections of USA PATRIOT ACT of 2001,” Center for Democracy and Technology (October 31, 2001), www.cdt.org/security/011031summary.shtml. 64. Id. 65. Schneider, G., and R. O’Harrow, “Pentagon Makes Rush Order For Anti-Terror Technology,” Washington Post (October 26, 2001): A10. Available on-line at www.washingtonpost. com/ac2/wp-dyn?pagename⫽article&node⫽&contentId⫽A53844-2001Oct25¬Found⫽true.
9 PRIVACY TOOLS
Introduction Protecting Your Privacy — A Universal Quest Who’s After Your Data? Things That Do Go Bump in the Night Behind Door Number Two Consumer Concerns About Data Collection Privacy Enhancing Technologies (PETs) Types of Privacy “Tools” P3P Privacy Tools Tools That Detect Net Privacy Problems Summary
INTRODUCTION Corporate Privacy Officers (CPOs) are increasingly seeking software products to help them mount a comprehensive approach to complying with new privacy regulations. Bob Blakley, chief scientist for security at Tivoli Systems, an IBM subsidiary that makes IT management software, said that with all the privacy legislation that has been passed recently, it’s no wonder that the average organization does not yet have a good understanding of all the issues surrounding privacy.1 According to Blakley, there is not yet a set of robust and secure products to help CPOs get a handle on it, which compounds the problem. The first concern of CPOs is usually figuring out what private information is collected by their organization, and that can be difficult because back-end systems were not designed with that requirement in mind. Next is figuring out who has access to the private information and what has been done with it. Third is to make sure the company’s processes and systems support the company’s privacy policies. This list of duties is typically carried out on an ad hoc basis and sometimes manually. Gradually, tools that automate the procedures are coming out, but no CPO thinks automation will be a reality any time soon. As Blakley says, “Everyone realizes that they are going to want to automate this process, but they generally do not believe the tools exist to automate the process yet.”2 Keeping private data (confidential, secret, or personal) private is growing increasingly more difficult as technologies designed to strip away the layers of security protecting this data become increasingly accessible, easy to use, and available to almost anyone interested in obtaining them. What then can organizations, as well as individuals, do to increase their ability to keep private data private? 257
258
PRIVACY TOOLS
This chapter examines the issue of maintaining privacy and provides a host of tools with various applications and uses for accomplishing this objective. The authors provide this information with the implicit understanding that these are not implied nor stated endorsements, warranties, or guarantees of privacy, should the reader acquire, implement, or use any of the tools discussed in this chapter. As always, the reader is advised to examine all manufacturer claims and further investigate any individual product prior to purchasing or implementing any tool. Additionally, the authors do not endorse any tool discussed in this chapter and list and discuss tools for informational purposes only. It is impossible to list and/or discuss all the tools available on the market today that claim to ensure one’s privacy (be that individual or corporate). The products discussed in this chapter are merely a representative sample of the plethora of products available. Lastly, it is important to note that failure to read and follow each manufacturer’s supplied instructions regarding the installation and proper set-up and use of any software product may indeed expose the user to unseen, unsuspecting, and unwanted privacy leaks.
PROTECTING YOUR PRIVACY — A UNIVERSAL QUEST Concern over the collection of personal data has grown for a number of reasons. First, advanced technologies make it possible for data to be collected about individuals that visit Web sites, participate in chat rooms or newsgroups, send e-mail, or otherwise use Internet services, without their knowledge or consent. All the data that is collected is not directly identifiable personal data; rather, in many cases it is essential information to support system maintenance and network viability. Nonetheless, consumers are often surprised to learn that such information may be collected. Second, much more can and should be done to enable individuals who are concerned about on-line privacy to utilize the empowering tools that protect them from the unwanted disclosure of personal data (PD). Third, while recognizing different approaches to privacy among nations is a norm, this landscape complicates the privacy issue for policy makers, businesses, and individuals. Europe and the United States, for example, have very different approaches to the issue of privacy (as demonstrated by the negotiated U.S.-EU safe harbor agreement), creating a significant challenge for companies that serve both European and U.S. customers.3
WHO’S AFTER YOUR DATA? The list of those seeking your most private data is conceivably endless and new individuals, groups, and organizations are added to it daily. To individuals (or corporations), the reams of data that exist to identify you or your organization’s actions may seem dull, boring, or worthless to someone outside of the organization or personal social circle of friends and family. However, to those who lurk on the “dark side of the Net” or who take advantage of the freedoms technology provides, every scrap of data, if combined properly, could possess value (and it does). So, who would be on that “list” of third-party individuals or groups who are after your data? How about for example: • Hackers • Crackers • Spam generators
THINGS THAT DO GO BUMP IN THE NIGHT
• • • • • • • • • • • • • • • •
259
Mass mail marketing brokers Cyber-terrorists Disgruntled employees Satisfied and happy employees Competitors—Domestic Government agencies—Domestic Competitors—Foreign Government agencies—International Retailers of every ilk Rogue nation states Software manufacturers Illegal foreign aliens Web sites and Web masters Saboteurs Corporate raiders Identity thieves
Given that there is a growing number of ways in which privacy can be undermined, both personal and corporate, this chapter addresses the expanding field of privacy tools and software. Tools designed to limit one’s exposure to prying eyes (and technology) as well as to cloak one’s identity while moving about cyberspace and virtual villages.
THINGS THAT DO GO BUMP IN THE NIGHT So, what is there to be afraid of anyway—exactly? Every piece of technology has its dark side, if one looks hard enough, and sometimes you don’t have to look that hard at all. Let’s begin with an old nemesis, spam. At its root, spam has been part of the Internet/Web environment almost since the beginning. Spam is used to send unsolicited, usually unwanted, and most often, annoying e-mail, banner ads, messages, and so on, to unsuspecting and uninterested users. Bottom-line, unsolicited advertising e-mail contributes to increasing business losses each year. Many people think of spam simply as an annoyance. But within the last year, it has emerged as one of the biggest headaches for Netizens, ISPs, and corporations alike. While the volume of email sent increased 14 percent from November 2001 to January 2002, the volume of spam increased 46 percent, according to a survey by anti-spam technology company Brightmail, whose clients include eight of the 11 largest U.S. ISPs. In January, Brightmail says, spam accounted for 11 percent to 26 percent of all e-mail traffic on the Internet. For some ISPs and corporations, spam makes up more than 50 percent of total e-mail.4 It’s only going to get worse. Jupiter Media Metrix estimates that each Internet user received 571 spam messages in 2001. By 2006, it expects that number to rise to 1,500. Others are even more pessimistic. David Ferris, a principal at market researcher Ferris Research, estimates that spam will double or triple this year alone. He also warns that the size of spam messages, which averages about 8 kilobytes today, is bound to increase, requiring more servers and storage space.5 Already, the costs are burdensome. Computer Mail Services, a Southfield, Michigan, technology company, has created a calculator that projects the cost of spam. It shows that a company with 500 employees, each of whom receives five junk e-mails per day and spends about 10 seconds deleting each one, can expect to lose close to $40,000 per year in wasted salaries and 105 days in lost productivity.6
260
PRIVACY TOOLS
For ISPs, who are on the front line in the battle against spam, the costs are even higher. An ISP with 1 million customers will lose more than $6 million annually in revenues due to higher churn and increased customer acquisition costs to replace those it loses, according to a 1999 report from market researcher Gartner. Add to that $500,000 for new hardware, software, and personnel dedicated to the war against spam. According to a 2001 European Union study, spam’s costs now total about $8.6 billion a year worldwide.7 How you wonder, did your e-mail address fall prey to one of the many mass e-mail spammers out “there”? Unfortunately there are a number of ways your e-mail address can be “determined,” if not actually obtained, all legally but not necessarily ethically. Spammers’ target e-mail addresses: • • • • •
By random generation (it’s easy and successful) Constructed from common user names and domain addresses Via publicly available sources of e-mail addresses (e.g., Usenet groups) Harvested from posts on public Web forums or message boards Directly from publicly available corporate Web sites, designed to allow legitimate customers to contact company representatives
If that wasn’t bad enough, now comes that darker side and the tool that makes piercing the privacy veil even easier. Beware of spambots! Spambots are software “spiders” that troll the Web collecting information. Similar in design to search engines, the critical difference here and the concern for privacy, is that spambots have a different prime directive. The sole purpose of a spambot is to scrape or harvest every e-mail address they find on every page they transverse, ultimately adding these addresses to bulk mailing lists. So, how does one go about nailing down a more secure and private existence without abstaining from surfing the Web or joining on-line discussion groups? Following are Web sites, and their URLs, that offer appropriate tools to shield you (or your firm) from both spam and those nasty “bots.” • SpamCop (http://spamcop.net/). A tool that allows you to paste in spams that you receive, traces the source of spams, and assists you in complaining to the spammers’ ISPs • Spamex (www.spamex.com). SpamEx provides anonymous e-mail addresses to its users, and the ability to create new ones on an as-needed basis, so that different addresses can be given out to different companies and people. • The Spamcon Foundation Law Center (http://law.spamcon.org). Contains information on exiting spam-related laws, and how to sue spammers under them Some additional useful Web sites include: • www.turnstep.com/Spambot. Information on how to avoid, detect, and harass spambots • www.robotstxt.org/wc/active.html. Web Robots are programs that traverse the Web automatically. Some people call them Web Wanderers, Crawlers, or Spiders. • www.mall-net.com/spamfaq.html. An extensive Stop Spam FAQ Even more spam abatement sites include the following: • UCSD’s Spam info page, http://weber.ucsd.edu/⬃pagre/spam.html • Coalition Against Unsolicited E-mail, http://www.cauce.org/ • Spam-fighting site, http://spam.abuse.net/spam/
CONSUMER CONCERNS ABOUT DATA COLLECTION
261
• Internet news forum on general net abuse, news.admin.net-abuse.misc • Internet news forum for reporting SPAM, alt.current-events.net-abuse
BEHIND DOOR NUMBER TWO If spambots aren’t enough to scare Web security and privacy managers along with individuals, next comes a host of additional software aimed at getting at your most private data—without your knowledge. Enter—Web bugs—small images, generally only one pixel in size, which are placed on HTML pages. Web bugs are often used to track usage and provide information back to the party that placed the images. Web bugs are also referred to as: Clear GIFs, Invisible GIFs, lxl GIFs, and Beacon GIFs. Web bugs are most often used to gauge Web traffic, how many times a page has been viewed, and other administrative or site monitoring requirements. Because these images typically cannot be seen or blocked by traditional cookie blockers or other similar technologies, they have raised concerns among privacy advocates (and they should among readers as well).8
CONSUMER CONCERNS ABOUT DATA COLLECTION Consumer concerns can generally be categorized into several areas.
Sharing of Data With Third Parties Consumers who have provided personal information to a particular site, organization, or business should not have that information shared with a third party (i.e., one not involved in or associated with the site, organization, or business in question) without their permission or knowledge.
Security Fears Users are often concerned that the data collector may not adequately protect personal information from accidental or malicious disclosure. Lack of security or misinformation about available security may deter consumers from providing information across the Internet. Wellpublicized disclosures of consumer information, including credit card information, from a few popular Web sites has increased public fears. While the fear has increased, awareness of the need for security and how to evaluate security have not increased dramatically.
Lack of Knowledge About Data Usage The rapid growth of electronic commerce demonstrates that consumers are willing to provide information, even personal data, in exchange for services, personalization features, or customized content. However, many consumers are concerned about how the information that they provided will be used by the receiving organization. A consumer, for example, may be very
262
PRIVACY TOOLS
comfortable knowing that personal information is used to create customized news updates, but less willing to provide the same data if it is to be used for unrelated marketing purposes.
Consumer “Profiling” Businesses often use consumer information to create customer profiles. Profiles may be personal (i.e., related to a specific individual consumer) or aggregated (i.e., where common characteristics are used to identify a specific demographic). Profiles can be beneficial to consumers and greatly simplify their on-line experiences, but the concept of profiling has received extremely negative coverage in the media. Some consumers are uncomfortable being categorized, having their order history stored, or having a Web site maintain personal information. In addition, some consumers seem particularly concerned with the practice of data collected at one site being combined with off-line information or data collected from other on-line sites or stores.
Identity Theft The sharing of particularly sensitive information, such as credit or financial data, is of particular concern to many consumers and policy makers. The abuse of personal information may, in some circumstances, result in identity theft. While identity theft can occur on-line or off, there has been a rise in identity theft in recent years. It is unclear to what extent this rise is attributed to poor data security, increased information theft or abuse, or if it is simply easier for criminals to share the information necessary to steal an individual’s identity on global networks. Whatever the case, increased awareness about the crime of identity theft has undoubtedly made some consumers more hesitant to share personal information.9
PRIVACY ENHANCING TECHNOLOGIES (PETs) Privacy enhancing technologies (PETs) commonly refer to a wide range of technologies that help protect personal privacy. Ranging from tools that provide anonymity to those that allow a user to choose if, when, and under what circumstances personal information is disclosed, the use of privacy enhancing technologies helps users make informed choices about privacy protection. In addition, many technologies that enhance security—such as digital signatures or authentication technologies—can enhance the privacy of or ensure the integrity of communications or on-line transactions, but because they are designed to ensure the identity of the individual, may limit the potential of anonymous on-line activity. Despite the recognized role that personal data plays in promoting key technical and commercial operations, individual users remain concerned about the risks associated with the sharing of their personal data. PETs are an important element in promoting the protection of personal data; moreover, they enable users to make informed choices about privacy. PETs that provide users more control over their personal information can help alleviate many of the concerns that consumers have identified as barriers to the growth of electronic commerce. PETs also allow consumers to exercise the broadest possible choices, and make more subjective and detailed decisions concerning their information.
PRIVACY ENHANCING TECHNOLOGIES (PETs)
263
PETs vary widely in their functionality, capabilities, technical structure, and usability. However, all PETs aim to give the individual user or technology manager the capability of controlling if, how much, and under what circumstances information is disclosed. At the same time, it is important to realize that PETs cannot, and are not designed to, address every consumer or policy maker’s concern about data collection. PETs are simply one of many tools available to consumers in the on-line environment, one that consumers should be encouraged to use if they have concerns about data collection and data privacy. The biggest limitation of PETs is simply lack of consumer awareness. PETs have recently gone through a significant shakeout. As a result of increasingly difficult market conditions for all start-ups and low awareness and uptake by consumers, a number of PETs have either gone out of business or have significantly revised their operations. In short, consumers must be aware of the availability and capabilities of PETs in order to benefit from their features, just as a consumer must use his or her seatbelt in order to be better protected in the event of a car accident. In addition, even consumers that choose to use PETs must be encouraged to use them consistently. Many users in search of simple, efficient on-line experiences give up using PETs after a short period, negating the benefits that a PET can have. Finally, consumers must choose the right PET or other technology to address their particular concern. For different consumers, the primary concern could be anonymity, conducting trustworthy transactions, control over personal data, or transaction security. There are a wide variety of PETs and security enhancing tools, and consumers must understand that not every PET will address all of their concerns. For example, while an e-mail encryption program may work well at keeping electronic correspondence confidential, it will do little to help the consumer manage cookies or keep clear GIFs from displaying on a Web page. Governments, industry, consumer groups, and privacy protection authorities and experts all have a role in helping consumers make the right decisions about which PETs are best suited to address their individual concerns.10
Why PETs? The CEN (Committee for European Standardization) has undertaken a comprehensive review of whether technology standards can be used to implement the EU Data Directive. As work here continues, there may be the opportunity to use PETs to support the implementation of the EU Data Directive (though it may not address U.S. or other national laws), which may in turn encourage the development of other standards to address different regulatory initiatives. See Chapter 4, “International Privacy Issues,” for more information on the EU Directive. Both governments and consumers should see PETs, then, as a secondary tool for privacy protection. Consumer engagement—namely checking privacy policies and establishing one’s own privacy preferences—is a crucial element without which PETs are largely ineffective. In addition to national law (where consumers and governments determine what approach is appropriate) and proactive consumers, PETs can be beneficial. There are constructive ways that governments can support the development and use of PETs, including:11 • Ensuring consumers that users of PETs are not discriminated against in criminal or civil investigations. There is a natural tendency to believe that a consumer who uses robust encryption or anonymizing technologies, for example, on his or her computer must be “hiding something.” Data protection laws should recognize that consumers who opt to use
264
PRIVACY TOOLS
such tools may simply be protecting the accidental disclosure of their personal information and not hiding activities of concern. While this may create difficulties for law enforcement or investigating personnel, the ability of individuals to use PETs should be protected. • Recognizing the important role that PETs can play in assisting individual consumers to implement their personal privacy choices in any data protection or privacy related legislation. Such efforts will help raise awareness about the availability of PETs for consumers who may not be aware of their existence. • Data protection policies that look favorably on Web sites that utilize or make available PETs to their consumers. Whether a site provides robust choices for a consumer or incorporates privacy tools into its own infrastructure, companies that take these additional steps to help empower consumers should be given favorable consideration in consumer complaints or other similar situations. • Prohibiting Web sites from discriminating against consumers who deploy PETs, except in cases where the PET prohibits the site from meeting consumer requests. For example, a site should not refuse to display for a consumer simply because he or she chooses not to accept cookies. However, the site should be free to deploy whatever technologies or tools it chooses to be most appropriate. For example, just as a hotel that requires a credit card or other deposit for advance reservations should not be required to hold a room for a consumer who refuses to provide such information, a Web site should not be required to provide customized information or facilitate on-line purchases in the same situation if cookies are the technology deployed by the site and the user chooses not to accept cookies except where the use of cookies provides functions beyond personalization or marketing, such as maintenance of a shopping cart or enhanced security.
Private Sector Initiatives for PETs The private sector has long recognized the important role that PETs can play. The wide variety of PETs available demonstrates that companies are responding to consumers seeking such empowering tools. Companies using the Internet understand that privacy concerns pose a barrier to the future growth of electronic commerce. As the private sector seeks to address consumers’ concerns and eliminate barriers to future growth, a wide variety of robust PETs for individual, Internet, and network use are increasingly being deployed to enable consumers to make informed choices about the collection and use of personal information. The private sector should evaluate the feasibility of more widespread use of PETs to support the objectives of policy makers interested in exploring the viability of PETs to protect personal privacy. In particular: • Businesses should evaluate whether incorporating PETs into their corporate networks will help protect the privacy of their users (i.e., providing privacy to corporate users). Similarly, Internet service providers should consider whether making PETs available will help alleviate many of the privacy concerns expressed by subscribers. • Consumer and business organizations should work, in conjunction with governments and public sector organizations, to educate consumers about the availability and use of PETs. • Electronic Commerce and other on-line sites that collect personal information should evaluate whether integrating PETs, such as P3P, into their own sites is feasible and useful to their consumers.
PRIVACY ENHANCING TECHNOLOGIES (PETs)
265
• Technology companies should consider how privacy-enhancing technologies can be better incorporated into standard on-line tools, such as browsers, FTP clients, and other access-oriented software, hardware, and handheld devices. As the market continues to develop a wide variety of robust tools, consumers must be made aware of the utility of PETs. Industry, private sector organizations, and governments can help consumers learn about PETs, understand their role in aiding individuals in protecting personal information, and encourage their use. Such efforts can only serve to enhance consumer confidence, support the continued growth of electronic commerce, and ensure that the attendant benefits are widely shared among all on-line users.12 The following is a brief listing of several PETs that are currently available. It is recommended that the reader investigate each PET in detail prior to selecting any single application or privacy enhancing tool/methodology. In most cases, implementing more than one PET is usually a very sound idea. • Privaseek (www.privaseek.com). PrivaSeek’s primary technology, Persona&trade, is a control tool that enables consumers to automatically safeguard and gain value from the use of personal information. Persona acts as a buffer between consumers and Web sites, allowing users to decide which information can be shared. Persona also allows you to store that information for use on the Web safely and securely. • Zero-Knowledge Systems (www.zeroknowledge.com). Zero-Knowledge Systems designs tools and strategies to protect the privacy of Internet users in order to lay the foundations for trust and commerce between individuals and the companies, governments, and organizations they interact with on-line. Zero-Knowledge creates simple, easy-to-use software and services that integrate advanced mathematics, cryptography, and source code. The company’s Freedom software allows users to surf the Web anonymously and has been engineered so that no one, including Zero-Knowledge, can readily ascertain a Freedom user’s true identity or decrypt their communications. • Hush Communications (www.hush.com). Hush was founded to develop and distribute encryption technology over the Internet. Hush’s mission is to provide Internet users with secure Internet communications worldwide. HushMail.Com and HushMail Private Label allow users to protect the privacy of their e-mail and Web site traffic. • Lumeria (www.lumeria.com). Lumeria’s technology allows people to organize, securely access, and selectively share their information from any personal electronic device or computer that is connected to the Net. Lumeria’s Personal Knowledge Management products help individuals securely organize their information and knowledge. The company’s Identity Management products help individuals maintain one or more identities privately and securely that they can access from any device connected to the Net. • PrivacyX (www.privacyx.com). PrivacyX is an Internet privacy solution that helps Internet users take control of their on-line privacy. Currently the company has a free anonymous encrypted e-mail service that is available to users. The service allows users to send and receive e-mail with complete privacy and security. If you are concerned with the various pieces of electronic junk that your system seems to accumulate on a daily basis, you may be interested in checking out the following site: • Junkbusters (www.junkbusters.com). Its mission is to “free the world from junk communications.” The site includes an array of information, resources, and publication links as
266
PRIVACY TOOLS
well as actionable tips and on-line tools to help you rid yourself of junk e-mail, telemarketing calls, and other kinds of unwanted solicitations.
TYPES OF PRIVACY “TOOLS” The following pages present a brief overview of the many different kinds of privacy tools that are available in the market today. These tools are designed to protect you and your company in many different ways. Two caveats are critical here. First, not all tools are created equal. While a tool may claim to provide a certain level of security or privacy, the reader should remember that these claims are usually made by the very manufacturers themselves, and should be independently verified and tested before trusting them with your most secret or private data. Secondly, if you are unfamiliar with the tool and its operation, you are encouraged to seek additional information, advice, and assistance from the vendor, FAQ sites, colleagues, other trusted third parties, and others prior to committing your secrets and private life to a digital format. Remember, there IS a dark side to the Net, and many, many unsavory individuals ply this side of our digital world, our cyber-community. For those readers interested in a more extensive list of privacy tools and where to find them, please see Appendix JJ. This appendix can be found by accessing the book’s companion Web site at www.wiley.com/go/privacy.
The Subtle Differences and Variants of Privacy Tools Steganography Programs that hide data inside a picture so that the picture appears the same (or nearly the same) to the naked eye, but contains data if you know where to look Identity Management Synonymous with authentication, identity management is designed to validate end users’ identities, and provide preferences and profiles to get personalized service on the Internet and corporate networks Anonymizer A software application or third-party service that separates user’s identity from his or her transactions Anonymous E-mail An independent re-mailer that lets users send messages anonymously Cookie Cutter Software filter that blocks cookies from being placed in a browser Crowds A software application/mechanism in which Web requests from a group of users cannot be linked to any individual within the group Infomediaries Tools and services that help users manage their on-line identities Mixes A technique that lets a sender route messages randomly through a network using layered, public key encryption Privacy-rights Manager Server software that automates the implementation and ongoing monitoring of privacy policies in relation to corporate databases and applications that contain personal customer info Proxymate A facility that automatically generates a unique user name and password for each site a user visits Snoop-proof E-mail Software that scrambles/encrypts your e-mail and shreds unwanted emails
TYPES OF PRIVACY ”TOOLS”
267
Surf Anonymously Identity masking for Web surfing HTML Filters Block unwanted banner ads and provide protection from receiving unwanted cookies Voice Privacy Turns a PC into a secure telephone E-mail and File Privacy Protects the privacy of electronic mail and files Web Encryption Specialized encryption software for Web browsers Telnet Encryption Used to secure Telnet transactions Disk Encryption Encrypt your hard drive data from prying eyes Disk/File Erasing Programs Completely erase files so that they cannot be recovered or undeleted (at least not by your average employee or “data snoop”) Privacy Policy Generators Software that assists users in generating privacy statements for Web sites and marketing materials (See Chapter 10 for more detail on policy generators.) Password Generators Software that allows a user to generate almost un-crackable passwords PC Firewalls Software that provides and establishes firewall security Cryptographic Solutions Hardware and software solutions for encrypting data
Anonymous Browsing While surfing the Web, you leave “fingerprints” every place you stop. Web sites collect all sorts of information about visitors, from what Web browser and ISP you use to your IP and e-mail addresses. What are the solutions to keeping your surfing and browsing anonymous and from keeping those pesky Web sites from obtaining your information? Use an anonymous browser (a tool that lets you surf the Net without disclosing your true identity, and that also protects the identity of your IP address). There are numerous solutions offering varying levels of security, convenience, and cost. Most of these services require a monthly fee. The reader is advised to explore all the options to find one that is right for themselves or their organization. Some of the anonymous Web browsing tools available include the following: Tool SafeWeb IDzap IDsecure Subdimension Freedom PrivadaControl Bugnosis Web Bug Detector Steganography Tools
Web Address www.safeweb.com www.idzap.com www.idzap.com www.subdimension.com www.zeroknowledge.com www.privada.com www.bugnosis.org www.cotse.com/tools/stega.htm
E-mail Security Normal e-mail security is fine for many. But if you need to send confidential or competitive information via e-mail, you might want to consider encrypted messaging and self-destructing e-mail. Applications, Web-based services, and e-mail client plug-ins can easily add layers of
268
PRIVACY TOOLS
security (and privacy) to your messages. The available e-mail security application software includes (but is not limited to) the following packages: Tool Disappearing Email PrivacyX SafeMessage ZixMail HushMail
Web Address www.disappearing.com www.privacyx.com www.safemessage.com www.zixmail.com www.hush.com
Cookie Managers To attract and maintain visitors, companies try to personalize Web site experiences for visitors. Amazon.com, for example, remembers your name and purchasing behavior and recommends products based on what you have bought before. This is done using a cookie, a small file that collects specific information about your Web browsing activities and stores it on your PC. This file is accessed when you visit the site again and the personalization is added via the information obtained in the cookie file. You can set your browser to accept all cookies, reject all cookies, or prompt you when a cookie is encountered. Each of these options has its pros and cons. A cookie manager program can identify and block specific types of cookies, like banner ads, but still let others in that allow some personalization for your Web site visits. Some of the cookie manager software applications available, which you may wish to investigate, include: Tool McAfee Internet Privacy Service Norton Internet Security 2001 Privacy Companion Cookie Crusher Cookie Pal
Web Address www.mcafee-at-home.com www.symantec.com www.idcide.com www.thelimitsoft.com www.kburra.com
Personal Firewalls While you are enjoying your browsing and purchasing activities on-line, some hacker could be lurking in the background, stealing your credit card numbers or rifling through the data stored on your PC or system. Simply put, your Internet connection is a wide-open path to your PC and anyone connected to the Web with malicious intent, the proper technology, and technological skills can skulk down that connection and right into your PC. The best solution to prevent this from happening may be a personal firewall. A personal firewall is a software security barrier that is established between your system and the Internet. Firewalls are designed to keep hackers and many virus programs out of your PC. Many companies have firewalls already in place, thus it is not necessary for protection in such an infrastructure. However, many do not; therefore, why take a risk and unnecessarily expose your data and yourself. Some of the personal firewall software solutions available on the market include:
TOOLS THAT DETECT NET PRIVACY PROBLEMS
Tool BackICE Defender 2.1 ZoneAlarm 2.1 ZoneAlarm Pro 1.0 eSafe Desktop 2.2 McAfee Firewall 2.1 McAfee Internet Guard Dog 3.0 Norton Personal Firewall 2001
269
Web Address www.networkice.com www.zonelabs.com www.zonelabs.com www.ealaddin.com www.mcafee-at-home.com www.mcafee-at-home.com www.symantec.com
P3P PRIVACY TOOLS The Platform for Privacy Preferences Project (P3P), developed by the World Wide Web Consortium, has emerged as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site’s privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P enabled browsers can “read” this snapshot automatically and compare it to the consumer’s own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see. The basics surrounding P3P and its use as a privacy tool are covered in greater depth in Chapter 7, Business Privacy Issues.
TOOLS THAT DETECT NET PRIVACY PROBLEMS Following are even more tools that detect problems or spots where individual (or corporate) privacy may be in jeopardy and/or invaded: • Watchfire WebCPO (www.webcpo.com). Monitors how you handle data internally and issues alerts if it’s not done right; monitors privacy compliance across internal and external Web sites • iDcide’s PrivacyWall (www.idcide.com). Monitors Web site traffic and looks for privacyrelated information such as age and credit card numbers being collected or shared • Axciom AbiliTec (www.axiom.com). Software that includes controls for complying with the privacy rules in the Graham-Leach-Bliley Act • PrivacyRight TrustFilter (www.privacyright.com). Keeps close tabs on who sees all customer information within your company, even on multiple databases • Courion/PasswordCourier and Profile Builder (www.courion.com). Server software that lets customers reset their passwords and manage personal data collected about them • IBM/P3P Policy Editor (www.alphaworks.ibm.com). Software that walks Web site operators through the process of creating a machine-readable privacy policy using the P3P standard • Tivoli/SecureWay Privacy Manager (www.tivoli.com). Access control system for protecting customer data and enforcing privacy policies (Note: This tool requires proprietary Tivoli’s SecureWay Policy Director software in order to operate the privacy manager tool.) • Ad-aware (www.lavasoftusa.com). Software that helps to locate and identify spyware which may be planted on your machine
270
PRIVACY TOOLS
General Privacy Tools Worth Further Examination The following are several sites worth further examination as you compile a bevy of resources to serve and protect your privacy: • Privacy.net (www.privacy.net/analyze/). Privacy analysis of your Internet connection. Analyzes many different types of information that is collected about you when you visit a Web site, such as whether cookies are accepted, what site you linked to the page from, and the date and time as set on your computer. • NetWork Tools.com (http://network-tools.com/error.asp), TRACE. Runs a trace on any computer on the Internet. Traces the route through the Internet from Consumer.net to the destination computer. The signal generally goes from a computer to the Internet Service Provider (ISP) and then to their provider until it reaches a “backbone” provider. This could take one or many steps. It then eventually transfers to the destination “backbone” provider and reverses the process to the destination computer. This feature only checks a computer connected to the Internet; it cannot verify the validity of an e-mail address. It also cannot check a specific Web page (e.g., www.consumer.net is valid but www. consumer.net/sitemap.htm is not). Note that a traceroute may follow a completely different path as compared to downloading Web pages or sending e-mail. • NetWork Tools.com (http://network-tools.com/error.asp), Xwhois. Program checks domain name and searches for the registration records for that domain based on the top level domain (.com, .uk, .au, etc.). To find information on a top level domain, enter the domain ending (such as “com,” “uk,” “ro,” “biz,” etc.). This tool cannot look up who owns an email address, just who registered a domain name. • SpyCop, Inc. (www.spycop.com). Spyware covers the broad range of software that takes information from your system without your knowledge or consent. There are two major flavors of spyware, Advertiser spyware and Computer Monitoring spyware. SpyCop is designed specifically to detect the computer monitoring variety. Some examples of computer monitoring programs are Spector, KeyKey, 007 STARR, Boss Everywhere, and ISee-U. • Window Washer (www.webroot.com/washer12.htm). Window Washer cleans the tracks left behind on your computer by today’s latest browsers, including Cache, Cookies, History, Mail, Trash, Drop Down, Address Bar, Auto Complete, Data forms, and Downloaded Program Files. • IEClean (www.nsclean.com). Using an IEClean alias helps to ensure your real e-mail address won’t be the one that’s harvested. Internet Explorer users also can be given up by their GUID, a unique (to you) number that identifies both your system’s hardware and software. IEClean offers a quick, easy means to disable system recognition of all known Visual Basic script extensions, including HTA-HyperText Application, which has no security protection at all. IEClean recovers your valuable disk space used by the myriad of databases Internet Explorer utilizes, along with the hidden files it keeps in your system. It’s well known that “deleting” these files in the browser itself still leaves them recoverable, while IEClean securely deletes them, so they can never be recovered. The ability to track your movements over time through the use of persistent cookies is still a significant issue, while XML persistence, the hidden “supercookies,” has grown in popularity amongst those who want to know far more about you than you’d like them to.
SUMMARY
271
• ShieldsUp! (https://grc.com/x/ne.dll?bh0bkyd2). Without your knowledge or explicit permission, the Windows networking technology, which connects your computer to the Internet, may be offering some or all of your computer’s data to the entire world at this very moment! Technically savvy intruders are using high-speed “Internet Scanners” that can probe every computer in a small country within a short time! Nothing would make them happier than lifting your personal information, credit card numbers, bank account balances, and so forth through your computer’s insecure connection to the Internet. This Web site provides immediate, on-line, no cost tools for analyzing your system’s venerability to external probes and attacks. • EPIC (Electronic Privacy Information Center) Online Guide to Practical Privacy Tools (www.epic.org/privacy/tools.html). Another very proactive Web site dedicated to securing individual privacy and assisting individuals in achieving this goal. At this very useful site the reader will find scores of privacy tools beyond those discussed in this chapter, along with vital links to other pro-privacy sites.
SUMMARY Keeping the Hounds at Bay: Protecting Your Privacy On-line, the title of a new best-seller, or your worst nightmare? Maybe a little of both! As society rushes headlong into the twenty-first century and as our dependence on technology continues to grow, so does our exposure to abuses of that same technology. Every time we engage in any type of transaction, some form of technology (regardless of how insignificant) has a role in the successful completion of that transaction (regardless of how small of a role). Our digital “fingerprints,” digital crumbs of our actions and whereabouts, are being left throughout cyberspace, and throughout virtual communities, on a global scale. Privacy is not guaranteed by the U.S. government nor does any constitutional law mandate it. Privacy is as personal and individual as one’s DNA. It’s your privacy; therefore it is your responsibility—yes, you, the individual, who must take whatever precautions are necessary to protect this privacy. If you do not, no one else will. For those ready to take proactive steps in protecting their own privacy, there must always be a beginning. Begin by implementing one or more of the privacy and security tools discussed in this chapter. As a start, here are 15 steps that you can take to help protect your on-line privacy and the data stored on your PC:13 1. Use a cookie manager to remove existing cookies and block subsequent ones. 2. Get a copy of your credit report from the three national credit-reporting agencies (Equifax, Experian, and TransUnion) to see who has been checking your credit. 3. Always make sure you’re submitting sensitive information—particularly credit card information—via a secure server. 4. Never reveal your real name in chat rooms or news groups. Similarly, avoid using names from which your name can be easily discerned. 5. At home, use firewall software and log your system off when it’s not in use. 6. Read the privacy statements of the sites you visit, and contact the companies if something isn’t clear. Also, check for a privacy seal from such organizations as BBBonLine and TRUSTe. 7. If you ever send sensitive information via e-mail, make sure you are using encryption.
272
PRIVACY TOOLS
8. Be VERY leery of giving out your Social Security number. It is rarely necessary for online transactions. 9. Create a junk mail account to keep your real e-mail spam-free, and try your ISP’s spam filter to weed out the spam you’re already receiving. 10. Resist the urge; never reply to spam! 11. Be especially wary of sites offering prizes in exchange for personal information. Giving out private information isn’t worth what you’ll get in return. 12. Remove yourself from lists. You can request that the credit agencies not share your data, and inform information marketers that you don’t want to receive marketing calls or e-mails. 13. It’s legal to give a fake name, phone number, and address—but don’t use your neighbor’s. Try something along the lines of 123 Main Street, Anywhere, PA 00101. 14. Surf anonymously. Covering your tracks in this way is the only way to ensure that no one is watching where you browse. 15. Don’t reveal your information inadvertently; remove your personal information from your Web browser’s configuration. Don’t use your e-mail address when connecting to FTP servers.
ENDNOTES 1. Johnston, M., “Industry Searches for Better Privacy Software,” InfoWorld (June 6, 2001), 21. 2. Id. 3. Organization for Economic Co-operation and Development (OECD), Working Party on Information Security and Privacy, “Inventory of Privacy-enhancing Technologies (PETs),” prepared by Lauren Hall, Executive Vice President of the Software & Information Industry Association (SIIA) in co-operation with the Secretariat of the OCED, unclassified document, JT00119007 (January 2, 2002), re-printed and used with permission of the OCED, OECD, 2, rue André-Pascal, 75775 Paris Cedex 16, France. 4. Black, J., “The High Price of Spam,” BusinessWeek online (March 1, 2002), www. businessweek.com/technology/content/mar2002/tc2002031_8613.htm. 5. Id. 6. Id. 7. Id. 8. See note 3. 9. Id. 10. Id. 11. Id. 12. Id. 13. Smith, R. E., Privacy Journal (2000), www.privacyjournal.net, P.O. Box 28577, Providence, RI, 02908, (401) 274-7861; see also, R. E. Smith, “Ben Franklin’s Web site: Privacy and Curiosity From Plymouth Rock to the Internet,” Privacy Journal (2000), used with permission.
10 ESTABLISHING PRIVACY CONTROLS
[Image not available in this electronic edition.]
C.Slane, 2002. Used with permission
Introduction Obstacles and Keys to Success The Seven Steps to Establishing a Company Privacy Policy Privacy Policy Generators Summary In the new global economy and in the technology enabled digital works, new rules are being established. Privacy is one of them. Ensuring an organization is privacy compliant is rapidly becoming an imperative. Privacy compliance may be the price of admission to the world of global eBusiness.1
—Robert Parker, Partner at Deloitte & Touche — Canada
INTRODUCTION Throughout most of this book you can read about privacy policies, which companies have them, and what they should contain. This chapter discusses the details of what your business should do to establish privacy controls to protect itself, its employees, and its customers and partners. The 273
274
ESTABLISHING PRIVACY CONTROLS
privacy controls, which should be established, start with internal security, both physical and logical, and cover privacy statements/policies and procedures. Included in this chapter are Web addresses where you can find privacy policy generators that can be custom-tailored to fit your specific business and industry privacy requirements. Chapter 7 provided information on thirdparty certification programs, which can be used to develop and implement these privacy policies. This chapter provides a seven-step outline detailing the development of a business privacy policy. A “policy,” as it is referred to in this chapter, is an overarching corporate privacy policy for any given business. This is not simply a privacy policy statement, developed solely to be placed on company marketing materials or on a corporate Web site, but rather an interactive “living” document designed to guide corporate behavior, strategy, and decision making.
OBSTACLES AND KEYS TO SUCCESS In implementing data privacy initiatives companies are faced with complex business issues and technological issues that include access, storage, and transmission of customer information. Furthermore, privacy policies have to accommodate emerging domestic and international regulations. Privacy policies have to be backed by the right technology architecture and processes to ensure compliance. The greatest challenge is to develop a clear understanding of the impact of a patchwork of international, federal, and state privacy regulations and to balance that with business and consumer needs. Developing successful policies requires: • Having an accurate disclosure policy • Deciding who: • owns the customer data • makes decisions with respect to the use of the customer data • responds to privacy inquiries from customers and regulators • Determining the ramifications for breaches of these policies • Determining what the response will be to breaches of the policy • Having procedures in place to respond appropriately and in a timely manner Technology success depends on: • Determining where and how customer data is stored, secured, accessed, and transported • Determining what processes are followed with personally identifiable information • Determining who approves security policies
THE SEVEN STEPS TO ESTABLISHING A COMPANY PRIVACY POLICY Step 1 — Project Initiation As with any project, and this is a large project, you will need to gather all appropriate information necessary to define the problem to be solved by the project. Project initiation requires (by varying degrees depending on the company and the circumstances under which the privacy policy is being developed or revised) the following actions/activities:
THE SEVEN STEPS TO ESTABLISHING A COMPANY PRIVACY POLICY
275
1. Develop project charter. This Charter should include a Purpose, Objective, Deliverables, and Plan for the project. Why is this project necessary? What is to be accomplished by the project? What deliverables are expected? What is the plan in terms of time frame, resource needs, and budget for this project? 2. Identify project team. The key members of the project team should be identified during this stage. It is best to have members that will be permanent throughout the life of this project for continuity. These members should include representatives from the major departments within the company such as Finance, Legal, Marketing, Human Resources, and Information Technology. These representatives should know how their respective department uses information, should understand the legal and procedural requirements for keeping information private, and should have authority to make decisions for their department. 3. Organize project work space and technical environment (project room). It is ideal to have a designated area or meeting room in which the team can meet and store documents. It is not necessary to have a full-time room for this team exclusively, but it is best to have designated times and places for team meetings. 4. Project workplan. A basic plan consisting of a timeline, milestones, and needed resources (human and supplies) should be drawn up during this stage. This plan sets the stage for how long and how big the project is estimated to be. 5. Conduct project team kickoff, orientation, and training. It is always best to start the project off with a meeting of all team members. This is when it is explained to the team how the project team will be conducting its business and who to contact with comments about the process. 6. Establish project governance. The team will need to determine the hierarchy of authority and assignments of tasks for project team members. The governance should also include procedures for gathering, assimilating, and recording information. This also includes tools used to perform these tasks. If everyone uses e-mail, then perhaps a group e-mail box might need to be established. Also, a repository or database for the gathering of the data might be appropriate. Details on procedures can save time when analyzing the data. 7. Secure participation and commitment. The team will need management buy-in and approval to use resources to make this a successful project. This authority should come from the top-level management to ensure that the importance of the project is conveyed and cooperation is ensured. 8. Announce project to organization. It is always best to start the project off with a meeting of all department heads and any management necessary to support this project. This informs the company of why this project is being conducted and by whom. This will help alleviate problems when the time comes to borrow resources and interview personnel throughout the project. This is also the time to explain to everyone how the project team will be conducting its business and who to contact with comments about the process. 9. Organize and schedule initial workshops and data collection. Workshops or meetings are useful techniques to gather the data needed to analyze how privacy data is collected and used. If there is a set schedule, people are more likely to attend and contribute information.
276
ESTABLISHING PRIVACY CONTROLS
The deliverables of this step are: • Project charter • Project team • Project plan/schedule This documentation could prove invaluable should your organization be required to substantiate its claim of securing and controlling sensitive information, either prior to or after implementation of a formal privacy program/policy.
Step 2 — Identify Business Direction and Alignment In this step, persons responsible for developing the firm’s privacy policy will need to conduct a review of the business in terms of what the organization does and how the organization uses the information it gathers, obtains, saves, and shares with customers, clients, and trading partners, and so on. Pivotal is first defining what the organization considers to be private/confidential data and then defining privacy in concert with and as understood by industry, consumer, and legislative factions. Activities undertaken in Step 2 include: 1. Analyze current environment. Analyze what your business does today, how they use information, and how it is secured. • Collect and analyze current documents: • HR policies • IT security policies/procedures • Marketing policies/procedures • Contract obligations (partners and customers) • Interview key executives. • Analyze overall security structure and processes. • Analyze business strategies/plans. • Review legal requirements: • State and local laws and regulations • Federal regulations • International laws • Industry self-regulations • Define key processes and capabilities/effectiveness. 2. Define future business direction (what you want privacy to be). • Identify best practices. • Define marketplace, competition, and cost drivers. • Define new business ventures. • Define new products, services, alliances. • Define target business practices/concept of operations (roles, etc.).
THE SEVEN STEPS TO ESTABLISHING A COMPANY PRIVACY POLICY
277
3. Define future business processes. • Define responsibilities for each player/department. • Analyze effectiveness of business processes. • Determine “how” the organization intends to use the private data it has collected. • Examine policies for the sharing, distribution, or sale of “private” data. • Establish a formal document classification system for identifying and marking documents as confidential, private, and so on. 4. Conduct improvement opportunity workshop. • Identify opportunities • Summarize requirements Deliverables for this step include: • Analysis of the current environment • Definition of the future business direction • Improvement opportunities
Step 3 — Assessment/Feasibility Determine if the company needs a new approach/strategy or if the current one is justified. Identify the resources on hand and those needed to undertake the new strategy. Activities for Step 3 include: 1. Assess current privacy and security strategies. • Benefits • Disadvantages 2. Assess need for new strategies. • What is the value added to the company/business? • Save money ensuring company stays with strategy. • Identify things are/are not working with current strategy. 3. Perform gap analysis between what currently exists and what the company wants or needs in the way of a privacy strategy. 4. Identify resource needs. 5. Identify training needs. Deliverables for this step include: • • • •
Gap analysis Needs statement Resource needs Training needs
Step 4 — Design/Construct Privacy Strategy Design a privacy strategy that will benefit the company in terms of cost and time to implement the privacy policy. Tailor the selected strategy to fit the organizational structure and resources on hand.
278
ESTABLISHING PRIVACY CONTROLS
1. Define future state processes. • HR • IT • Marketing • Additional departments, as required 2. Define core competencies: current and required. • HR • IT • Marketing • Additional departments, as required 3. Define support required for future architectures and enabling technologies. 4. Define future skill requirements. 5. Define key resource requirements. 6. Define future organization model. • Define organizational responsibilities. • Define future management practices. • Define governance approach. • Define performance metrics and process. • Define incentive program. 7. Identify IT capability initiatives. This is where the project team determines what technology is available to help protect private information and how it can be implemented to solve the issues identified in the gap analysis. • Develop the business case for each initiative. • Assess benefits. • Develop initiative schedule. • Define initiative dependencies. 8. Develop road map/plan for implementation. Deliverables for this step include: • • • • • •
Future state process Core competencies Support/skill requirements Resources needed Future organization model Road map/plan for implementation
Step 5 — Evaluation and Acceptance — Presenting the Plan Develop a campaign that will get the company’s buy-in and support for the new strategy. 1. Bottom-up buy-in 2. Top-down buy-in
THE SEVEN STEPS TO ESTABLISHING A COMPANY PRIVACY POLICY
279
3. Combine bottom-up and top-down buy-in (depending on projects). 4. Presentation of plan: • Audit committee • Board of directors • Regulatory commission • Other stakeholders as necessary/required 5. Feedback and incorporation of feedback Deliverables for this step include: • • • • •
Presentation for management Management approval Project plan Training plan Implementation plan
Step 6 — Implementing the Plan The strategic privacy plan should be rolled out internally to the company to ensure motivation and support. Roll out the new plan outside the company as it may benefit to advertise that the company is changing. During implementation, an organization will need to ensure that all needed changes to procedures, documents, technical and manual systems, and training programs are initiated and maintained. Procedures that need to be changed might include customer contact protocols, marketing practices, and internal use of data. Documents to be changed might include forms, documentation on systems, user manuals, training materials, customer brochures, marketing information, and contracts. Technical systems might include the changing of software to comply with the policy and updating security to protect the data. Training programs will need to be initiated for internal employees as well as customers and partners. Activities for Step 6 include: 1. Consider available resources necessary for successful implementation. 2. Project schedules for an organization-wide privacy policy roll out 3. Training/education • Employees • Partners • Customers 4. Logistics 5. Marketing roll out • Internal to company • External to company 6. Scheduling the audits/reviews 7. Reporting milestones to executives/audit committee/steering committee Deliverables for this step include: • New policies and procedures • Implemented plan
280
ESTABLISHING PRIVACY CONTROLS
• Schedule for audits/reviews • Reporting measurements
Step 7 — Follow-up and Enforcement of Process Conduct ongoing analysis to ensure that the privacy policy has been implemented and is effective. Develop measurements and data gathering techniques to report findings to management (and potentially to external end users, federal agencies, etc.). Conduct reviews to verify that the privacy policy is being followed and measure its success. Enforcement of on-line privacy policies is intended to assure an organization’s compliance with its privacy policies. This requires verification and monitoring, complaint resolution, education, and outreach. Methods like peer review and change control can help immensely with the enforcement effort. Verification and monitoring can mean that internal audits and reviews are regularly conducted to ensure that the organization is complying with its posted privacy policy. This review should not only include the Web site collection data and security of that data, but also any department that engages in the purchase and/or sale of data (internally or externally). Activities for Step 7 include: 1. Report milestones/data: • Schedule • Audit reports • Findings 2. Conduct follow-up reviews/schedule adjustments. 3. Ensure policy is followed: • Compliance reviews • Peer reviews • Customer complaint analysis 4. Define skills needed. 5. Define reviews to perform. 6. Outline key things to look for. 7. Consider utilizing the Privacy Impact Assessment (PIA) tool (see Appendices A and B in this book) to evaluate the organization’s privacy preparedness and compliance to stated privacy policies. Deliverables for this step include: • Schedule for reporting milestones • Compliance reviews • Adjusted plans
PRIVACY POLICY GENERATORS There are automated software generators available that can assist your organization in developing privacy policies. These “policies” that are generated are suitable for a company’s Web site and general marketing materials. These are working policies that the organization desires to
SUMMARY
281
communicate to external customers, clients, trading partners, contacts, and so on, about how the organization handles personally identifiable information. These policies are not however suitable as internal organizational policies and procedures; they should be compatible with the organization’s internal procedures developed using the seven-step procedure outlined in this chapter. See Chapter 7 for more detailed information on what should be included in an external privacy policy. There are several Web sites and organizations that can assist in devising privacy policies. What they deliver will only be draft quality and will still need to be tailored to your organization’s specific needs. These privacy policy generators can be referenced at the following Web addresses: • • • • •
Direct Marketing Association, www.the-dma.org/library/privacy/creating.shtml Microsoft Central Privacy Wizard, www.privacy.linkexchange.com OECD Privacy Policy Generator, www.oecd.org Secure Assure Privacy Profile Wizard, www.secureassure.org TRUSTe Privacy Statement Wizard, www.truste.org/wizard (An example of the TRUSTe model privacy statement can be viewed in the on-line Appendix Y at www.wiley.com/go/privacy)
Examples of individual company policies can be viewed at www.privacyexchange.org/bus codes/icp/icp.html.
SUMMARY Making your organization privacy compliant is a process. It requires adherence to a well-defined methodology, documentation of information, systems, data uses and users, and requirements. The first step is to identify where the organization is, then where it should be, and finally, the path to get there. In between, numerous activities are required. The seven-step plan described in this chapter defines the process in terms of steps, activities, and tasks. For each step, the objective, the major activities, and the key deliverables are specified. In addition, the plan identifies the activities that the auditors should assess in providing oversight monitoring to the privacy compliant project. The concept of performing a privacy impact assessment was also introduced in this chapter. Generally, the International Association for Impact Assessment (IAIA) defines impact assessment as “the identification of future consequences of a current or proposed action.”2 More specifically, “a privacy impact assessment involves an assessment of the possible effects that a particular activity or proposal may have on privacy. …” 3 The argument for a PIA was put in Clarke (1996) as follows: “It is highly desirable that sponsors recognize that their schemes have wide implications and that many different stakeholders are affected. The most effective way to evidence that awareness is to prepare and publish impact statements…in relation to privacy.”4 From the perspective of the organization, a proactive rather than a reactive stance ensures that the cost of compliance is kept as low as practicable, by avoiding expensive re-work and retro-fitting. Important requirements of a PIA are that it:5 • • • •
Be systematic Identify the key factors Emphasizes process as well as product Draw on appropriate expertise
282
ESTABLISHING PRIVACY CONTROLS
• Have a sufficient degree of independence • Have a degree of public exposure (the less independent, the more public) • Be integrated into the decision process A PIA is quite different from a privacy compliance audit. Such an audit presumes the existence of specific laws and/or standards with which a proposal or project needs to comply. An audit is an appropriate means whereby performance of an operational system can be evaluated. A PIA adopts a much broader perspective than an audit. It considers the impacts of a proposed action and is not constrained by questions of whether the action is already authorized by law. Moreover, to the extent that relevant codes or standards exist, it does not merely accept them, but considers whether they address the public’s needs. A PIA can be conceived as addressing only information privacy issues. This is far too limiting, however, and the scope should extend to the full gamut of privacy concerns, including privacy of the person, and privacy of behavior.6 The reader interested in a further, more detailed examination of the PIA process and tool are strongly urged to read Appendix A. Furthermore, Appendix B contains a generic PIA tool, which the reader may modify to fit specific company circumstances, as an assessment of privacy conditions is undertaken and evaluated.
ENDNOTES 1. Parker, R., “Creating the Privacy Compliant Organization,” Information Systems Control Journal 3 (2001). 2. Clarke, R., Privacy Impact Assessments: The Concept, Origins and Definition (April 19, 1999) www.anu.edu.au/people/Roger.Clarke/DV/PIA.html. 3. RMMB “The Privacy Act: The honeymoon is over,” Intellectual Property & Media Law Update, Russell McVeagh McKenzie Bartleet (October 1996), at www.rmmb.co.nz/ updates/ipoct96.html. 4. Clarke, R. “Smart Move by the Smart Card Industry” Privacy Law & Policy Reporter 2:10 (January 1996): 189-191, 195, at www.anu.edu.au/people/Roger.Clarke/DV/SMSC.html. 5. Stewart, B. “Privacy impact assessments” Privacy Law & Policy Reporter 3, 4 (July 1996) 61–64, in NZPC (1997). And Stewart B. “PIAs—an early warning system” Privacy Law & Policy Reporter 3, 7 (October/November 1996) 134–138, in NZPC (1997). 6. Clarke, R., “Smart Move by the Smart Card Industry,” Privacy Law & Policy Reporter (January 1996) Vol. 2, No. 10 189–191, 195, at www.anu.edu.au/people/Roger.Clarke/DV/ SMSC.html.
PULSE PIECES Privacy is not something that I’m merely entitled to; it’s an absolute prerequisite.
— Marlon Brando, U.S. actor
Introduction
283
Privacy in a Connected World Harriet P. Pearson, Vice President of Workforce Effectiveness & Chief Privacy Officer, IBM
284
Privacy Compliance: Putting the Principles into Practice Jane Dargie, senior consultant, Secure e-Business group (Enterprise Risk Services Group), Deloitte and Touche, Canada
290
Understanding Privacy in an Age of Information Joseph I. Rosenbaum, Partner and head of the New York City–based Electronic Commerce practice of Reed Smith LLP
297
Conducting a Privacy Gap Analysis Jackie Huchenski, Marketing Coordinator, Moses & Singer LLP
312
The Qualities One Should Look for in a CPO Herman Collins, CEO, Privacy Leaders
316
Pulse \Pulse\, n. [OE. pous, OF. pous, F. pouls, fr. L. pulsus (sc. venarum), the beating of the pulse, the pulse, from pellere, pulsum, to beat, strike; cf. Gr. to swing, shake, to shake (a) To ascertain, by the sense of feeling, the condition of the arterial pulse. (b) Hence, to sound one’s opinion: to try to discover one’s mind (Webster Revised Unabridged Dictionary, 1996).
“…to sound one’s opinion: to try to discover one’s mind.” The following pages of this book contain the current thoughts and ideas on the critical and sensitive issue of privacy, in all of its shapes, forms, designs, and meanings, as discussed by some of today’s foremost privacy practitioners. Practitioners who have their finger directly on the pulse of privacy issues and concerns facing corporations, governments, and individuals—hence Pulse Pieces. These practitioners have graciously agreed to discuss the privacy issues currently showing up on their “radar” and the privacy concerns that top their critical issues list. The following pulse pieces address the “hottest,” sensitive and at times, nerve-racking privacy issues, which these practitioners deal with on a daily basis, and which you should be aware of before they become “issues” within your organization. 283
PRIVACY IN A CONNECTED WORLD By Harriet P. Pearson
THE ISSUE The ability to protect individual privacy has been a concern for hundreds, if not thousands, of years. Whether the frame of reference is the privacy we seek behind closed doors or on the Web, the issue continues to redefine itself. And the process of defining privacy is complicated by the reality that privacy means different things to different people at different times. A paraphrased version of one widely accepted definition of privacy recognizes the fundamental importance of individual preferences: “Privacy is the ability of individuals to determine for themselves when, how and to what extent information about them is communicated to others.” This definition can still be applied today, even in our fast-paced world.
THE CHALLENGE The advent of the Internet and other pervasive technologies compounds the challenge of finding the right balance between individual expectations of privacy and other important values such as physical safety and security, law enforcement, personalized services, and economywide benefits from information sharing. The privacy challenge extends far beyond the information technology, financial, or healthcare industries, into many aspects of our lives. This fact becomes even more compelling when we realize the relative infancy of the Internet revolution—one that experts estimate is less than 10 percent complete. Many organizations and consumers are only just beginning to realize the value of applied information technology and the increased efficiency and effectiveness of innovations in data collection and management. Complicating the landscape today are heightened interests and concerns about privacy and personal and national security resulting from the unprecedented attacks on the United States on September 11th. The search for a balance between personal privacy and the benefits of the networked world became immediately amplified by the desire for enhanced national and personal physical security. Government’s ability to collect and use personal information in the interest of national security is now a core piece of the broader public policy debate on privacy. In business, respect for personal privacy is integral to maintaining trusted relationships with existing and prospective customers. It’s a reality that when businesses strive to offer more tailored, personalized services, the need to effectively and efficiently collect, store, analyze, and disseminate information proportionately increases. This equation leads to the desire on the part of customers and employees to be repeatedly reassured that their personal information is secure Harriet P. Pearson is the Vice President of Workforce Effectiveness and Chief Privacy Officer at IBM in Armonk, New York. This material is used with permission, July 2002, © Deloitte & Touche. 284
PRIVACY IN A CONNECTED WORLD
285
from harm and fraud and is adequately protected. In fact, surveys show that most consumers will only shop on-line if they believe that their privacy and security will not be compromised. In our own actions, and for societies that want to avail themselves of the opportunities presented by e-business, striking a balance between the appropriate use of information on the one hand, and privacy and data protection on the other, is mission critical. IBM recognizes that imperative.
— Harriet P. Pearson Chief Privacy Officer, IBM Architecting an environment in which an individual’s concern for privacy can be respected and protected while allowing businesses to offer tailored customer service is challenging, but not impossible. As the world’s largest information services and technology company, IBM has taken a leadership role in understanding the many aspects of privacy—from the perspective of the individual, to the enterprise and government. Through the establishment of sound, crosscompany privacy policies and practices and business innovation, we are helping ourselves and our customers integrate privacy and security into their business models and objectives.
TOWARDS A FRAMEWORK Today’s increasingly information-dependent society demands the careful development of thoughtful frameworks that help us address the complex issues of privacy and data protection. To start from the broadest perspective, it is necessary to identify the roles and responsibilities of the core audiences involved—government, industry, and consumers. Then we can begin to map current practices and identify those that need to be evolved or created.
Government Action Policy makers throughout the world have worked for years to balance national security and domestic law enforcement, civil liberties and free speech, open public records that support privatesector needs for data with economic benefits to citizens, such as lower product and credit costs. Government leaders also recognize that they have at least two roles to play when it comes to privacy: setting the rules for the operation of the private sector and establishing guidelines for the government’s own use of information—whether it’s to provide improved government services to citizens or to carry out law enforcement. The growing interconnectedness of society underscores the need for government officials to understand the broad implications of the Internet and the information technology revolution. Shifts in computing models—from centralized to distributed, from desktop-driven to “Netdriven,” from closed to open—have opened up the gates for data to freely flow around the world at lightning speed. These data flows can be originated by a single person working on his or her PC or by an international organization managing its activities across borders in order to realize operating efficiencies. These challenges spurred the development of an internationally accepted set of principles by the Organization for Economic Cooperation and Development (OECD) nearly two decades
286
PULSE PIECES
ago. A solid start, the OECD Guidelines were the first to outline “fair information practices” for organizations, including disclosure of data practices, use of appropriate security, and offering choices to individuals as to the use of data. With the OECD offering high-level guidelines, the challenge confronting many governments now is how to move these principles into practice. Over the years, several models have emerged. In the European Union, comprehensive laws that govern information uses within the region and that attempt to regulate its flow outside the EU have been enacted. Canada and Australia have done the same, perhaps with a greater reliance on industry codes of practice. The United States has legislatively required protections in focused areas: government, credit reporting, banking and finance, health, and children’s information. In other commercial areas, such as retail and on-line marketing, the United States relies on its common-law traditions coupled with industry responsibility and leadership to chart the way. What is clear here is that when it comes to privacy, one size does not fit all. Countries will continue to work through the challenges of establishing a balanced approach. IBM believes that government has a legitimate role to play in safeguarding privacy, as well as furthering the Internet revolution and supporting the global economy. To be able to play a meaningful role, government needs to stay on top of technological innovations and their impact on society at large. Only when our policy makers understand new technologies, the legitimate uses of data and the potential risks involved, can they effectively shape the right policies and focus their unique tools of legislation and enforcement. Beyond putting to use tools of legislation, government must: • Openly encourage the private sector to further adopt appropriate information policies and practices on their own or through industry leadership groups such as TRUSTe or the Better Business Bureau • Set an example to the private sector by becoming an “early adopter” of sound privacy policies and practices • Recognize the global nature of the Internet and the international flows of data inherent in today’s economies and build policies that accommodate these realities IBM can and is making a significant impact on privacy policy. From working closely with government officials and business leaders to offering testimony on issues of information technology policy, we are helping shape and drive the privacy debate. Privacy is the subject of considerable legal attention in Europe. But privacy is not just a legal consideration. It also makes sense from a business point of view, as our surveys show the growth of e-commerce depends on data privacy. Customers don’t give their trust to us, they only lend it to us.
— Armgard von Reden Europe, Middle East, Africa Chief Privacy Officer, IBM
Industry Responsiveness What are the responsibilities and roles of the private sector? Even in geographies with considerable privacy regulation, governments recognize that robust and accountable market-led mea-
PRIVACY IN A CONNECTED WORLD
287
sures must play a prominent if not preeminent role. Europeans call it “co-regulation.” In the United States, we refer to private sector participation as “market-led governance” or industry “self-regulation.” The private sector can and is contributing a great deal to ensure a trusted marketplace. Why is that? The straightforward answer lies in the pervasiveness of technology within organizations and especially in such organizations’ adoption of leading-edge technologies. Clearly the private sector has an immediate and critical need to effectively and efficiently respond to existing and unfolding privacy challenges. One key point to remember is that in order to achieve privacy, one must cover the fundamental security policies and practices. In today’s security-conscious environment, it is critical to recognize that much of the infrastructure that secures data and other assets is under the control of the private sector—and thus much of the responsibility lies with individual companies and collective industry efforts. As a starting point, private sector institutions can: • Establish a level of corporate commitment to privacy and security at the top of the company, beginning with the chief executive officer. • Establish and implement clear and effective privacy and security policies. • Participate in collective action by relevant industry groups, to address society-wide privacy and security concerns.
Individual Empowerment Protecting one’s privacy, by its very nature, requires individual responsibility and action. It’s easy to overlook the power of the consumer. But consider an individual who is dissatisfied with the way a particular company or organization presents and handles personal information. They have the ultimate recourse—break the relationship, no longer be a patron, and communicate their dissatisfaction to others. They can also publicly complain and seek recourse from the company. The bottom line is that respecting the privacy preferences of customers is good business. Active participation and responsibility comes in many forms: from using available technologies to achieve greater security and privacy on the Web; to frequenting only those organizations and Web sites that have public, solid privacy policies; to educating children to be vigilant; to learning and pursuing one’s rights under law and industry guidelines. Responsible individuals who provide personal information only to those organizations that gain their trust will in turn experience better-tailored and personalized services. Many resources are available to help individuals. For basic information on privacy-related guidelines, tools and laws, start with www.understandingprivacy.org and explore the resources listed at the end of this paper.
IBM’S CONTRIBUTION E-business gives enterprises a powerful new capability to capture and analyze massive amounts of information they can use to serve individual customers more effectively. Yet this very capability troubles some people, who see it as a means to disclose or exploit
288
PULSE PIECES
their information. These are legitimate concerns, and they must be addressed if the world of e-business is to reach its full potential.
— Louis V. Gerstner, Jr. Chairman, IBM More than three decades have passed since IBM became one of the first companies to adopt a global privacy policy, focused on employee information. Since then our commitment has produced a much broader range of data protection and privacy actions. As the Internet emerged, we continued to lead the industry with our privacy actions, including: • Adopted one of the first global privacy policies for the Web on IBM’s Web site, www.ibm.com • Established commercial Web privacy guidelines with other industry leaders and adopted them ourselves • Provided seed funding and support for the establishment of independent Web trustmark programs, TRUSTe and BBBOnline • As one of the largest advertisers, committed that IBM would advertise on a Web site only if it posted a privacy notice, influencing the industry to follow suit • Appointed one of the industry’s first corporate Chief Privacy Officers • Established industry’s first comprehensive, global privacy technology research initiative Underscoring these milestones, IBM has actively supported and participated in supporting the development of promising privacy technology standards including contributing substantial work to the World Wide Web Consortium on the Web standard P3P, or Platform for Privacy Preferences. During 2002, these efforts will continue within IBM and in conjunction with our customers and partners. For the marketplace, IBM has an extensive portfolio of privacy and security-related services, from technologies for enterprises and individuals to help define privacy preferences, to leadership and solutions expertise for large companies and governments. We recognize that the amount of valuable information enterprises gather is growing exponentially—creating both benefits and sometimes risks. Information that is appropriately secured and managed will help organizations better understand their markets and thus reduce costs and increase revenue. But not properly managing this information can lead to significant risks and exposures. IBM believes that the right technology and business processes—combined with strategic vision and policies—can help organizations extract value and minimize risks. Through business units such as our Tivoli software group, the office of our Chief Privacy Officer, the IBM Global Security Solutions organization, Privacy Research Institute, and public policy programs, IBM has the resources to address the many dimensions of the privacy issue. We can help provide answers to some of the tough questions facing our existing and potential customers, including “How do we approach privacy?” or “Where do we start?”
THE CONCLUSION OF THE BEGINNING Privacy is a shared responsibility requiring well-planned management practices and systems to support it. It is an issue that requires the attention of everyone in a company or institution. Only
PRIVACY IN A CONNECTED WORLD
289
then can privacy become pervasive and an expected part of how an organization interacts with its customers and stakeholders. IBM stands ready to play a leadership role. Addressing privacy, maintaining our leadership stance, and helping our customers address privacy is not only the right thing to do, it makes business sense. Trust is an imperative for any business and we will not jeopardize the trust of our customers, nor our workforce.
— Harriet Pearson Chief Privacy Officer, IBM
RESOURCES FROM IBM www.ibm.com/security/privacy Comprehensive information on IBM’s security and privacy offerings
OTHER RESOURCES FOR BUSINESSES UnderstandingPrivacy.org Provides a Privacy Manager’s Resource Center and other information; co-sponsored by IBM PrivacyExchange.org An on-line resource for consumer privacy and data protection laws, practices, issues, trends and developments worldwide TRUSTe.com IBM is a member of the TRUSTe program; TRUSTe is an independent, nonprofit initiative whose mission is to build users’ trust and confidence in the Internet by promoting the principles of disclosure and informed consent. BBBOnline.com BBBOnline is the on-line subsidiary of the Council of Better Business Bureaus. IBM has sponsored BBBOnline and its parent organization.
RESOURCES FOR INDIVIDUALS UnderstandingPrivacy.org Educational information from the Privacy Leadership Initiative Consumerprivacy.org Educational material from several sponsoring consumer organizations Center for Democracy and Technology (www.cdt.org) Their mission is to promote democratic values and constitutional liberties in the digital age. European Union (http://europa.eu.int/comm/internal_market) www.privacyservice.org A virtual partnership of several data protection offices, including Germany and Ontario, Canada Governmental organizations: • United States: Federal Trade Commission (www.ftc.gov) • Australia: www.privacy.gov.au
PRIVACY COMPLIANCE:
PUTTING THE PRINCIPLES INTO PRACTICE By Jane Dargie
Privacy compliance essentially means adapting the way an organization operates to incorporate effectively fair information principles into its business and to identify and implement any additional privacy protection goals (such as compliance with legislation) as required. In other words, by operationalising privacy compliance goals, an organization will have built and implemented a privacy framework that operates, and operates adequately and effectively, on an ongoing basis. Translating privacy compliance goals from the theoretical into the practical may, nonetheless, pose significant challenges for organizations given the breadth and depth of the obligations entailed; a structured approach is therefore required to ensure that the appropriate level of due diligence is achieved. This paper suggests a privacy compliance process, breaking it down into four key phases, and identifying the major objectives and activities entailed. In particular, it presents an approach based on experiences gained in the Canadian environment. Given, however, that the Canadian standards on which it is based were grounded in common fair information principles, the key messages are readily transferable to other jurisdictions. The discussion focuses mainly on informational privacy in the context of the private sector: that is, individuals’ ability to control the collection, use, and disclosure of their personal information when dealing with private sector organizations. This ought to be contrasted at the outset with confidentiality, a related concept which means ensuring that only authorised individuals have access to information under the conditions that they are authorised to use or view it. The concept of privacy encompasses confidentiality and goes further. The author has observed that establishing a clear understanding of the difference between privacy and confidentiality is critical to the success of operationalising privacy or, in other words, making privacy compliance a reality within an organization.
PRIVACY, EH? Privacy compliance! Organizations across Canada are starting to hear the call. Word about legislation is spreading: Public sector legislation in force at both the federal and provincial levels for a number of years has recently been joined on the Statute books by a private sector counterpart, the Government of Canada’s Personal Information Protection and Electronic Documents Act. Provincial equivalents are set to follow,1 Quebec having already enacted legislation in the early 1990s.2
Jane Dargie is a senior consultant with the Secure e-Business group (Enterprise Risk Services Group) at Deloitte and Touche, 181 Bay Street, Bay Wellington Tower—BCE Place, Suite 1400, Toronto, Ontario, Canada. Phone: (416) 601-6150, Fax: (416) 601-6151, [MC] 416-601-5700, URL: www.deloitte.ca/en/. This material is used with permission, July 2002, © Deloitte & Touche. 290
PRIVACY COMPLIANCE
291
Granted, legislation is undoubtedly a driver for tackling privacy in Canada today. Nonetheless, privacy compliance is not just about ensuring technical compliance with a statute. In the author’s experience, organizations that attempt to demonstrate either that they are technically compliant with a piece of legislation or that they are not subject to any privacy legislation in the first place (both, by extension, implying that an organization is operating within the law) have still faced challenges over their privacy practices. Operationalising the obligations imposed by privacy legislation, then, may be better described as a business issue. The discussion that follows expands on this proposition by outlining activities commonly undertaken by organizations when operationalising privacy requirements.
THE CANADIAN APPROACH As noted previously, Canada has had standards in place for a number of years placing limits on the collection, use, and disclosure of personal information by government departments and agencies both at the federal and provincial level.3 PIPEDA, enacted more recently and applicable to private sector organizations insofar as they collect, use, or disclose personal information in the course of commercial activities, incorporates the following information management principles:4 • Accountability. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. • Identifying purposes. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. • Consent. The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when inappropriate. • Limiting collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. • Limiting use, disclosure, and retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal information shall be retained only as long as necessary for fulfillment of those purposes. • Accuracy. Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. • Safeguards. Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. • Openness. An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. • Individual access. Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. • Challenging compliance. An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals for the organization’s compliance.
292
PULSE PIECES
Given that these principles will most likely be incorporated in some form as obligations into any provincial equivalent to PIPEDA,5 it is arguable that, at the very minimum, incorporating these standards into a privacy framework is what is required of any organization operating in Canada to achieve some level of privacy compliance. Operationalising privacy is an iterative process that may be broken into four key phases following an initial planning stage; the remainder of this paper will explore the steps entailed in achieving compliance.
WHERE TO BEGIN? Although not a new concept, privacy compliance is a relatively nascent element of the climate in which organizations operating in Canada today conduct business. Although there are a number of reasons for which privacy compliance ought to be pursued as a business strategy,6 it would appear that the enactment of legislation has forced businesses as a whole to address the issues more closely. In many cases, organizations are being forced to approach privacy compliance for the first time whilst those that are more mature are testing to ensure that they remain compliant on a continuing basis. Becoming privacy compliant is a complex and iterative process and for many organizations, the prospect, though attractive, is also daunting. Developing a strong and practicable strategy is imperative; determining where and how to start is key. Organizations’ chosen approaches will be influenced by a number of factors such as structure and culture, but all must consider carefully a number of important issues at the outset including: • Their high-level drivers for becoming privacy compliant (for example, these could include the need to: comply with legislation, protect their reputation, satisfy partners’ and suppliers’ requirements, gain customer buy-in to their services and products, retain trust) • Whom will be made accountable for privacy and what will be that individual’s reporting lines • Whether privacy initiatives will be undertaken at the functional level or at the process level • Who else will be involved in the privacy initiatives (few organizations employ privacy specialists, there may therefore be a need to involve external expertise) • How best to prioritize enterprise-level privacy initiatives Once these planning decisions have been made and a high-level strategy developed for achieving compliance, an organization may begin to work toward its goals. This process may be broken down into four key phases.
Phase 1: Assessing In essence, in order for an organization to become privacy compliant it must: identify its privacy requirements; assess how its current processes, environment, technology, and people measure against them; design and make any appropriate changes necessitated; and ensure on an ongoing basis that it continues to meet its compliance goals. Phase 1, then, deals with the first two areas listed and has the following objectives:
PRIVACY COMPLIANCE
293
• To confirm at a detailed level an organization’s privacy requirements and to map them into documented privacy compliance goals. As indicated, privacy compliance should not always be equated solely with legislative compliance. In many cases, additional industry codes, broader standards, competitors’ initiatives, public opinion, and other factors will serve to inform privacy requirements and compliance objectives and should not be overlooked at the start. Indeed, the author has worked with a number of clients that, although required to comply with legislation, are more concerned about working to achieve wider, and more onerous, privacy goals, in line with their broader privacy strategies. Identifying these goals at the outset of the compliance process is therefore key to completing the remainder of the phases and activities listed in an effective and timely manner. • To conduct a gap analysis between the controls that the organization has in place and its compliance objectives; to assess the risks that any gaps raise; and to develop and prioritize the implementation of solutions to address them. In order to achieve this objective, an organization must initially undertake an information-gathering exercise that: • Identifies and documents the technologies and processes employed • Identifies and documents its personal information7 holdings (including those held by third-party service providers on its behalf) and their life cycle (in other words, from the collection to the destruction) • Identifies and documents its information management practices in respect to the personal information identified Once this information-gathering exercise has been undertaken with an appropriate level of due diligence, the organization is in the position to be able to map the results against its privacy compliance goals and to identify and document any gaps. The gaps may then, in turn, be analyzed to identify privacy risks and to assess their likelihood and impact for the organization. To be clear, privacy risks go far beyond non-compliance with legislation and may include: • Financial impact—loss of revenue or share price and payment of damages or legal fees • Sabotaged marketing and sales initiatives • Customer and employee distrust • Legal liability • Industry and government sanctions such as the requirement to amend business practices • Severe embarrassment and damage to reputation and brand • Damage to key business relationships • Fines and criminal records for employees At the end of Phase 1, the organization will have gained an overview of its current state of privacy compliance, will have documented its privacy risks, and will have developed recommendations for dealing with them. At this point, it is for the senior management team to decide whether or not to accept, transfer, or mitigate the risks identified, thus validating and perhaps refining somewhat the organization’s compliance goals and providing direction for the design phase of the compliance process.
Phase 2: Designing Privacy compliance entails developing a business strategy around privacy. To achieve this, an organization must build on the gap analysis, risk assessment, and direction determined at the end of Phase 1 and:
294
PULSE PIECES
• Develop strategic and tactical plans for implementing the recommendations agreed upon in Phase 1. These planning exercises generate in detail the direction for the remainder of the organization’s initial privacy compliance initiative. • Further develop and formalize the organization’s privacy framework as required. Dependent on the results of the gap analysis, an organization may be required to undertake a number of sub-projects to ensure that it becomes privacy compliant. In particular, it requires the design and eventual implementation of a strong privacy framework that would normally encompass organizational policies, procedures, guidelines, codes, standards, templates, and accountability structures. Accordingly, consideration should be made of the following at this stage: • Creating a privacy team and attendant supporting infrastructure (this would include delegating accountability for privacy compliance as appropriate, if not already done) • Developing detailed policies, procedures, and guidelines • Developing standard clauses and templates • Developing training and awareness programs Whether privacy compliance is approached from an organizational or from a functional perspective, the involvement of a number of individuals will be required over the course of the project (though not always necessarily contemporaneously). Privacy compliance entails gaining a true appreciation of the organization’s broader business strategy, processes, information management practices, technologies, and culture; the breadth and depth of knowledge of an enterprise that this requires are unlikely to be found within any one person. A privacy team or committee must often be pulled together and trained as a result to support the organization’s compliance initiatives. In addition, resourcing issues very often arise over the course of an enterprise-wide privacy compliance project and it is usually far more efficient and effective to call on the expertise from around an organization as and when it is required in order to streamline the process. In particular, it is common to find individuals involved from the following areas: the business units, legal, marketing, human resources, security, IT, compliance. Given the wide level of participation required, it is imperative that the individual tasked with ensuring privacy compliance overall has the clear support of the senior management team and that the appropriate reporting lines, both upwards and downwards in respect to the wider privacy compliance team, are established and documented at the outset. Expectations must be set and an individual’s involvement and performance goals clearly enumerated at the start of his or her involvement. In some cases, this will require the organization to provide training to its employees to equip them with the knowledge or skills required for the project ahead. In the author’s experience, the broader privacy team benefits from foundation training in privacy which normally involves providing an overview of fair information principles, examples of how they may be operationalised, and examples of privacy risks and pitfalls and how they may be avoided.
Phase 3: Implementing Privacy implementations may be defined broadly as operationalising the organization’s privacy objectives. In other words, this means building on the results of Phases 1 and 2 and remediating any gaps found in respect to the organization’s environment, technology, processes, or peo-
PRIVACY COMPLIANCE
295
ple and, on a go-forward basis, building privacy compliance into the same. Phase 3 therefore involves a number of steps including: 1. Remediating processes, systems, applications and other tools used to collect, use, disclose, retain, and destroy personal information 2. Adding privacy checkpoints into systems and application development 3. Implementing policies, procedures, and guidelines 4. Implementing technologies that will enhance privacy compliance or that will monitor the ongoing level of privacy compliance in an organization 5. Rolling-out job descriptions, responsibilities, and performance metrics 6. Rolling-out training and awareness programs 7. Renegotiating contracts and agreements to include privacy provisions 8. Implementing templates and standards 9. Rolling out a privacy communications plan 10. Putting in place an incident response plan and escalation process
Phase 4: Ensuring that Compliance Is an Ongoing Reality By the end of Phase 3, an organization will have developed and implemented its privacy framework and will have operationalised it. Nonetheless, privacy compliance as a business strategy must evolve with an organization’s broader business goals. It is also clear that an organization’s environment, technology, processes, and people will usually change over time. Ensuring that the privacy framework continues to operate over time, is used as planned, and is adequate and effective in upholding the organization’s chosen privacy compliance goals is therefore critical to continued compliance. Phase 4 therefore deals with how to keep privacy compliance alive and involves a number of initiatives including: • Conducting periodic but regular privacy compliance audits (self-assessment, internal, or third party) • Conducting regular security assessments • Regular data quality and integrity testing • Auditing or requesting assurance of the privacy controls in place in partners’ operations as they pertain to services performed on behalf of the organization • Undertaking regular environmental scans to identify new or additional privacy requirements and risks, or risks previously identified that have become a higher level of concern for the organization • Benchmarking an organization’s privacy strategy or compliance initiatives against competitors’ and internally • Updating the privacy strategic plan as appropriate • Reviewing privacy performance metrics results and responding as appropriate • Continuing to train employees • Continuing to foster a privacy-friendly climate within an organization—the importance of “tone from the top” cannot be underestimated here • Developing privacy requirements for use in the procurement process for a particular system, application, business process, or relationship • Building privacy into products and services
296
PULSE PIECES
• Ensuring that new templates and standards have been developed to incorporate privacy considerations (for example, forms that will be used to collect personal information may be required to contain wording around consent) • Conducting privacy impact assessments (perhaps better described as privacy feasibility assessments) on all proposed changes to processes, or to the development of new systems, that involve personal information and raising some initial privacy concerns to identify whether or not they are real. If they are, the privacy impact assessment process will assist an organization to build privacy controls when the system or process is being conceptualized, leading to documented assurance that any privacy risks have been identified and addressed or taken forward to senior management for direction. In other words, privacy impact assessments, when informative and informed, will provide an organization with comfort that the system or process is consistent with its privacy compliance goals whether they pertain to legislative compliance or go further. Put simply: privacy will have been built-in
PRIVACY COMPLIANCE: A FINAL CAUTION Privacy compliance, then, may be viewed as an iterative process, one that must respond to internal and external stimuli. It involves establishing an enterprise-level privacy strategy that could entail both technical compliance with legislation and broader privacy goals identified. Operationalising each of the privacy principles described earlier in order to achieve these goals is critical. It is the author’s experience, however, that those organizations that create a common privacy frame of reference, or privacy culture, are those whose privacy compliance programs and privacy business strategies operate the most successfully.
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION By Joseph I. Rosenbaum
Would it surprise you to receive an e-mail from an electronics manufacturer, thanking you for mailing back your warranty card in connection with a recent purchase of a stereo and asking if you would like to also buy headsets, better speakers or, perhaps, a new MP3 player? Or even, if you would like to receive mailings about concerts or join a music or video club? How about a message from a local department store, advising you that for a limited time only you can buy sheets and pillowcases to complement that new mattress you bought the other day? Do you think twice about receiving a notification from your primary care physician that it’s time to schedule your annual physical? Or from your dentist, that healthy teeth require attention and it’s now time to attend to yours? Is it disturbing to receive a pre-approved credit card solicitation from a subsidiary of a bank from which you recently obtained a mortgage? Without over-generalizing, these intrusions in our modern life are probably not disturbing to most people, although as I will note later on, “most people” is a very context-sensitive label that varies by time, place, culture, and society, among other things. In fact, most of us have come to expect that the transactions or relationships we choose to initiate or enter into, will spawn some form of advertising, marketing, and solicitation from the very companies and individuals with whom we have interacted. We sign up for a department store credit card and we expect (or at least are not surprised) to receive advertising material from the store (or even its affiliated companies). Indeed, increasing numbers of us expect to receive “special sale” notices, inside or early information about great buys “not yet open to the public,” or even financial incentives— yes, you too can benefit from a lower APR for the next six months or “buy now and make no payments till. . . . ” We go to a dentist or doctor and accept—indeed many of us with busy schedules welcome—the friendly reminder that it’s time for another visit. Many health care providers schedule your next appointment as you are walking out the door and hand you cards, calendars, toothbrushes, dental floss, refrigerator magnets, and pens emblazoned with the health care provider’s name and number. Although no facet of human endeavor has escaped our evolution into the information age, one merely has to look to industries such as financial services, health care, publishing, and
Joe Rosenbaum is a Partner and head of the New York City–based Electronic Commerce practice of Reed Smith LLP. Mr. Rosenbaum chairs the Information Technology & Global Networks Committee of the American Bar Association’s Section of Science and Technology, is a past Council member of the Section and is also an ABA member of the National Conference of Lawyers and Scientists. Mr. Rosenbaum writes and lectures extensively both domestically and internationally, and is an Adjunct Professor of Law at New York Law School, where he teaches The Law of Electronic Commerce and Information Technology. The text of this article was drawn and adapted from a course and presentation given by Mr. Rosenbaum at the E-Commerce Law School sponsored by Glasser Legal Works. This article has also appeared in the ECommerce Law Journal, Aspen Publishers, Inc., Executive Editors, Grimes and Battersby, LLP, Three Landmark Square, Suite 405, Stamford, CT 06901, © November/December 2001 (Volume 2, Number 1) on pg 1-11, used with permission, www.aspenecommercelaw.com/journal.html. 297
298
PULSE PIECES
entertainment to see the rather dramatic effects that the use of information and information technology play. Furthermore, although law and regulation in the United States has traditionally approached privacy from a vertical or industry point of view (e.g., laws and regulation in the United States such as the proposed database protection acts or the existing Video Rental Privacy Act, HIPAA, or Gramm-Leach-Bliley Act), emerging law is increasingly horizontal—recognizing that the relationship between the business and the consumer (e.g., advertising, marketing, customer lists) and the business and its employees is multi-dimensional and increasingly horizontal, not merely vertical. It should come as no surprise that these activities and industries have been and continue to be the focus of increasing legislation and regulation in the United States. Each of the vertical industries are ones in which vast amounts of personal and potentially sensitive information must be collected. The provision of health care involves the collection and maintenance of current and highly personal information about individuals and, in the case of clinical trials and other forms of medical research, vast amounts of medical information about groups of individuals. The confidential relationship between a physician and patient has long been recognized as sacred, and often a legally protected relationship. Similarly in the financial services industry, the disclosure of confidential information is often a prerequisite to obtaining the benefit of a financial transaction. Businesses voluntarily disclose otherwise extremely confidential and sensitive information about their financial condition to bankers and investment advisors, in order to obtain advice and services which would not otherwise be forthcoming or available. Perhaps not as intuitively obvious, the publishing and entertainment industries—the so-called “media” (whether new, emerging, multi- or otherwise) are increasingly at the forefront of the privacy debate. If one recognizes that “entertainment,” by definition, requires individuals to make choices and articulate preferences, technology and networking has enabled the collection and maintenance of vast amounts of information about preferences that until recently were unimaginable or too difficult to accumulate, maintain, or use in any meaningful manner. The accumulation of compiled databases of personally identifiable information and the ability to merge lists and fields of information about any individual or groups of individuals which years ago might have involved millions of dollars and years of effort, rendering the results out of date when published, can now be accomplished with a keystroke. Add to this technological capability, a recognition that entertainment and communication are now ubiquitous and everywhere. The Internet and that portion of the Internet we endearingly refer to as the “World Wide Web,” coupled with e-mail, voice mail, pagers, cellular telephones, wired and wireless modems, DSL connections, and Internet cafes have not only made time and space irrelevant, but have made content available almost anywhere, anytime, and in any form. This has given the entertainment industry the ability to provide its content and services on demand and outside the traditional control of parents, the norms of society and culture, and even government. As with any industry, most businesses attempt to “do the right thing,” balancing their desire for revenue and profitability, with a sense of right and wrong targeting the majority of consumers and customers likely to seek their goods and services. Often these notions of right and wrong are bounded by particular laws and regulations which determine the outer limits of right or wrong in any particular society or jurisdiction. In our technologically networked world, we cannot ignore the increasing presence of activities often considered either illegal or on the fringes of permitted activity in any particular society (e.g., gambling, child pornography, the sale of liquor, firearms, prescription medication). Activities once easily (although not necessarily without controversy) monitored, regulated, and enforced by local authorities, are now unfettered by national bound-
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
299
aries. Again, it should come as no surprise that these media industries have been at the forefront of law and regulation intended to preserve local societal norms and governmental authority or to modernize law and regulation which traditionally sought to protect children, the ill, disabled, or others perceived as vulnerable or requiring special protection (e.g., COPPA). In addition to looking at particular industries, both the dissemination and collection of information using technology and the technology itself have been surrounded by increasing controversy and debate. Cutting across these and virtually every other business in the world today, are radical changes in advertising and marketing. Not only has the manner in which transactions are consummated been transformed by e-commerce, but the nature, extent, and use of information obtained and maintained in connection with these activities is fundamentally different in a digital world than one based in paper. Witness the recent shift in traditional FTC policy from “voluntary” compliance to the promulgation of its Dot Com Disclosures (www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html) which now makes it clear that advertising and marketing in digital or any other form are under the jurisdiction of the FTC and that the FTC intends to regulate the advertising of goods and services on the Internet as it does any other form of advertising and marketing activity. The increasing ability to use technology to monitor and regulate conduct, behavior, and activity (e.g., the “V-Chip”) stirs increasing controversy over the line between the proper and legitimate interest of society to protect itself and its citizens and the right to be left alone, free from improper and unreasonable searches and seizures—a right protected not only by the Fourth Amendment to the Constitution, but also by a patchwork quilt of laws, regulation, and jurisprudence which has evolved over a hundred years in the United States. Technology has also created a bit of a schizophrenic paradox. Encryption, pseudonyms (screen names), anonymizers, invisible gifs, pixel tags, Web bugs and other technological tools and techniques now available have not created any really new legal issues, but have certainly stirred up a hotbed of controversy as to if, when, and how to bring our laws and regulation into the twenty-first century. In an era in which a popular musical rock group, The Police, sang “every breath you take, every step you make, I’ll be watching you…” the Director of the FBI, in a statement before the U.S. Senate Committee on Commerce, Science, and Transportation (Louis J. Freeh, July 25, 1996) expressed a strong commitment to the protection of the individual’s right to privacy: “Without question, the use of strong cryptography is important if the Global Information Infrastructure (GII) is to fulfill its promise. Data must be protected—both in transit and in storage—if the GII is to be used for personal communications, financial transactions, medical care, the development of new intellectual property, and a virtually limitless number of other applications. Our support for robust encryption stems from a commitment to protecting privacy and commerce.” That being noted, law enforcement agencies, charged with the responsibility of protecting the public’s interest and bringing evidence of criminal activity before the courts, have expressed increasing concern over the technology. In the same testimony noted above, the FBI expressed increasing concern over the impact of technology on law enforcement and public safety. In espionage cases, encryption makes detection and prosecution difficult; in child pornography cases, offenders use encryption to transmit pornographic images of children over the Internet; in drug-trafficking cases, encryption devices often frustrate surveillance and court-ordered wiretaps. For all its benefits, technology can also be viewed as a means to hinder law enforcement officials from effectively investigating or prosecuting society’s most dangerous felons or from saving lives in kidnappings, drug and child abuse cases, and in numerous other life and death cases.
300
PULSE PIECES
MUCH ADO ABOUT SOMETHING? Lest you think mountains are being made of molehills, permit a brief foray into the world of marketing and advertising facts and figures relevant to privacy. A study conducted by Pricewaterhousecoopers indicated the forecasted advertising spending on the Internet exceeded expectations and rose to over $2 billion in 1999. Local on-line advertising, which as of April 2001 accounts for just 14 percent of spending, will grow to 24 percent, or $2.7 billion, by 2003, according to a study released by Jupiter Communications. 110 million adults were on-line by the end of 1999, up sharply from 84 million at the end of 1998, and current estimates are that there are 162 million connected users worldwide, with over 160 countries connected to the Internet— indeed estimates are that a new computer connects to the Internet every 30 seconds. In the first quarter of 1999, for the first time, Web banner advertising exceeded billboard advertising in North America, and from 1996 through the end of 2000, advertising revenue on the Internet jumped from $266.9 million to $4.6 billion. According to Forrester Research, the number of U.S. households shopping on-line is expected to triple over the next five years from 17 million in 1999 to 49 million in 2004. Average on-line spending per household is also expected to increase dramatically from $1,167 in 1999 to $3,738 in 2004. In 1998, e-Commerce totaled $105 billion and by 2004, e-Commerce will reach approximately $3 trillion or about 12 percent of all global trade. Indeed, using those figures, by 2004 over 50 percent of all business interactions will take place over an IP network. Extrapolating further into the future, by 2010 the number of connected users will reach over 1.5 billion and e-Commerce will reach $7 trillion. In other words one out of every six people worldwide will be on-line and e-Commerce will account for approximately 20 percent of all global trade. In the face of these figures, ask any advertising and marketing professional and they will assure you that the collection of personally identifiable information for legitimate business purposes allows companies to better target customers and create accurate profiles, focus market segmentation, obtain virtually instant customer feedback to provide enhanced and efficient customer service, create powerful new distribution channels, create mass customization capabilities, obtain higher effective response rates, and provide better products and services at lower cost. Indeed, many consumers will extol the virtues of technology and the ability of companies with accurate and timely information, used properly to provide individuals with convenience, speed, efficiency, reduced cost, increased choice, improved customer service, and greater security. Yet many of the studies and findings regarding consumer perception of privacy and companies’ privacy policies on the Internet are remarkably paradoxical—consumers both abhor and ignore the risk to personal privacy inherent in their growing use of the Internet. For example, the Pew Internet & American Life Project (August 20, 2000; www.pewinternet. org), noted that 84 percent of Internet users are concerned that business and people they do not know will obtain personal information about them or their families, 54 percent believe tracking users is a harmful invasion of privacy, and only 27 percent of Internet users say it helps sites tailor information for them. Approximately 87 percent of Internet users are concerned with threats to their individual privacy while on-line (Beyond Concern: Understanding Net Users’Attitudes About Online Privacy, AT&T, April 14, 1999); 85 percent of on-line users regard the privacy of information transmitted on-line as the most important issue on the Internet (@Plan/Yahoo! Internet Poll, March 6, 2000); 62 percent of Internet users are “very concerned” that someone could connect a user’s on-line activity to their name, address, phone number, or other personal
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
301
information (Id.); and 76 percent of consumers on-line for a year or less rated themselves “concerned” or “very concerned” about sharing their personal information on-line, as did 53 percent of experienced users, those on-line for four years or more. (The Privacy Best Practice, Forrester Research, September 1999.) In fact, a poll (March 16, 1998 issue of Business Week) noted that 61 percent of individuals who did not go on-line or access the Internet, would be more likely to begin using the Internet if they believed their personal information would be protected. Of those who indicated they already use the Internet, 52 percent have never bought anything on-line, believing that information regarding their transactions would be used for marketing or other purposes outside their wishes or outside their control and the June 19, 2000, edition of the San Francisco Examiner (B5) states that “About 80% of Internet users cite the potential loss of privacy as the leading concern of doing business on the Web. …” In the face of these statistics, one would think that consumers using the Internet would set their browsers to refuse to accept cookies, would be reluctant to give out any personally identifiable information, would use anonymizers, fictitious names, and pseudonyms or otherwise be concerned with information and the use of the Internet for anything other than gathering non-critical information or simple entertainment. On the contrary, according to these same studies, 54 percent of Internet users have provided personal information and another 10 percent would under the right circumstances, while only 27 percent say “never.” Only 24 percent have provided a fake name or personal information; only 9 percent use encryption in e-mail; only 5 percent use anonymizing software. Over 48 percent have used a credit card to make an on-line purchase; 36 percent have gone to a medical or personal support group on-line and of those, 24 percent have used their real name or e-mail address or shared real experiences. Fortythree percent of Internet users are not concerned about unqualified people providing medical information on-line; 49 percent are not concerned about seeing false or inaccurate news reports on-line; 50 percent are not concerned about false rumors on-line affecting stock prices; 68 percent are not concerned that someone might know what Web sites they have visited; 72 percent are not concerned that e-mail will be read by someone other than the person to whom it was sent? Go figure!
THE ORIGINS OF PRIVACY Privacy was the subject of debate and legal and regulatory controversy long before the invention of the computer and computer networks. In ancient Rome, Roman emperors traveled abroad with card registers containing data on Roman citizens (C. Hamelink, Transnational Data Flows in the Information Age, 1984:9). The Bible has numerous references to privacy. Protection of privacy is found in early Hebrew and classical Greek societies, as well as ancient Chinese culture. The earliest recorded legal enforcement of privacy rights, dates back to 1361, when Justices of the Peace Act in England provided for the arrest of Peeping Toms and eavesdroppers. The origin of the phrase “a man’s home is his castle” can be traced to the writings of English Parliamentarian William Pitt who, in the 1760s wrote: “The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter; the rain may enter—but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement.” The right to be secure from unlawful searches and seizures and from intrusions into one’s home, is among the earliest expressions of the legal right to privacy.
302
PULSE PIECES
Most scholars attribute the modern U.S. notion of privacy to the Harvard Law Review article written by Louis Brandeis and Samuel Warren in 1890 (“The Right to Privacy,” 4 Harv. L. Rev. 193, 1890). The motivation for this article was their growing concern over the rapid growth of communications and imaging technology—“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops’.” Imagine what Brandeis and Warren would have thought of the release by the U.S. House of Representatives, over the Internet, of recorded grand jury testimony originally given by a sitting President of the United States over secure, remote communications lines. Brandeis and Warren advocated that certain facets of one’s life be kept private, specifically, habits, acts, and relations of an individual, with the caveat that the list was neither “totally accurate nor exhaustive.” It was not, however, until 1905 when their view was embraced by a court of law. In Pavesich v. New England Life Insurance Company (122 Ga. 190, 50 S.E. 68 (1905)), the Supreme Court of Georgia applied the nascent privacy “right” in connection with the contention that an insurance company had violated a right to privacy by using the plaintiff’s “name, portrait, and a fictitious testimonial in their newspaper advertisement without his consent.” By 1928, Brandeis had the opportunity to weave privacy into his dissent in a Supreme Court decision (Olmstead v. U.S. 277, 438 (1928)). Although the majority opinion did not view wiretapping as trespass on physical property and held it was not violative of the Fourth Amendment, Brandeis argued that the Fourth and Fifth Amendments “conferred a general right to individual privacy rather than the mere protection of material things and that allowing the introduction of evidence illegally acquired by federal officers made the government a lawbreaker.” In 1939, the American Law Institute first codified the right to privacy in the Restatement of Torts, which was categorized into four separate torts (William L. Prosser, Privacy, 48 Cal. L. Rev. 383 (1960)): unreasonable intrusion upon another’s seclusion; the appropriation of another’s name or likeness; unreasonable publicity given to another’s private life; and publicity that unreasonably places another in a false public light. Justice Blackmun, in the historic 1973 opinion in the case of Roe v. Wade wrote that although the Constitution does not specifically mention privacy, the right does exist under the Constitution. “In varying contexts, the Court or individual justices have, indeed, found at least the roots of that right in the First Amendment (Stanley v. Georgia); in the Fourth & Fifth Amendments; in the penumbras of the Bill of Rights (Griswold); in the Ninth Amendment (Id.); or in the concept of liberty guaranteed by the 14th Amendment (Meyer). These decisions make it clear that only personal rights that can be deemed “fundamental” or “implicit in the concept or ordered liberty” (Palko) are included in this guarantee of personal privacy” (Roe v. Wade, 410 U.S. 113, 93 S. Ct. 705 (1973)). In the United States, privacy is one of the very few exceptions to the principle of free flow of information. The hallmark of U.S. privacy law is its diversity, influenced mainly by the law’s long history of development and the decentralized, federalist system of government in the United States—a system which encourages both local experimentation and state-sponsored solutions. The United States does not have a single, omnibus data protection law that covers both public and private sector information. Nor does it have any one statute that covers all forms of data collection by government or the private sector. Nor does the United States even have a central privacy or data protection commission or a single regulatory body that oversees privacy or data protection.
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
303
As early as 1977, the U.S. Privacy Protection Study Commission, a federally established independent study group, explicitly rejected the notion of an omnibus privacy statute establishing authority to regulate the flow of personal data. Citing the importance of the free flow of information, the group concluded that the danger of government control, the greater influence of economic incentives on the private sector to adopt voluntary privacy guidelines, and the difficulty in legislating a single standard for widely varying information-keeping practices, all argued for rejecting any attempt to develop a comprehensive regulatory scheme of protection. Instead the Commission recommended that effective privacy protection must have three objectives. First, to minimize intrusiveness into individual lives; second, to maximize fairness in institutional decisions about individuals; and third, to provide individuals with legitimate, enforceable expectations of confidentiality. As a result, privacy laws in the United States generally contain provisions consistent with these objectives, even though there is no central authority or omnibus legislation. Indeed, the fear of government intrusion into the lives of citizens prompted Robert Ellis Smith, in his book entitled Privacy (Archer/Doubleday, 1980), to write: “Academic experts in technology and information were once shut up in a room for a day and asked to devise the most effective surveillance system imaginable for a tyrannical regime to keep tabs on its citizens. What they devised in this experiment was exactly what the bankers want to develop nationwide in the United States—a real time electronic funds transfer system.” In 1982, the National Telecommunications and Information Administration of the U.S. Department of Commerce issued a report entitled “Privacy Protection Law in the United States.” This report examined the then current state of privacy laws in the United States and concluded that: “The body of law implementing privacy protection principles in the United States has evolved in diverse, multi-jurisdictional layers, reflecting our pragmatic, pluralistic system as well as an inclination to avoid centralized authority over personal data. Much of the law is rooted in Constitutional restrictions on the power of government, and in the individual’s commonlaw “right to be left alone.” In some areas, the source of protection is the Federal Congress and courts; however, the States have also acted to protect privacy in the many areas where they have traditionally asserted jurisdiction. As a result of the broad range of concerns covered by the modern definition of privacy, and the pragmatism that has informed the application of privacy principles, the content of privacy law varies widely for different kinds of record-keeping activity, with more comprehensive coverage of the government than of the private sector. The end result is a highly varied system of privacy law which nevertheless affords an extensive network of protections for the individual.” In fact, there are hundreds of federal and state laws and regulations, supported by judicial decisions and self-regulatory activities—a rather extensive network of privacy protection in the United States, although critics argue such a network is neither effective nor able to keep up with rapidly changing technology and electronic commerce. Today, there are roughly 600 U.S. federal and state laws dealing with the treatment of personally identifiable information. Although the seeds of modern privacy were planted in the United States, the United States today is unique when compared with many other nations. In those 50 or so countries that have opted to nationally legislate the protection of privacy, almost all have opted for comprehensive data protection laws. These laws generally establish some form of national data protection agency, require registration of compilations of personally identifiable information, and require individual consent before a commercial enterprise is permitted to process that data. For example, effective in January 2001, Canada has a privacy law that covers private organizations engaged in commercial
304
PULSE PIECES
activity. Initially, federally regulated industries such as banking, broadcast cable, and telecommunications are subject to the regulations, with all other commercial enterprises phased into coverage over a period of years. The U.S. approach, however, is not simply a reluctance by citizens to confront privacy issues. Rather, it is a product of differing perceptions U.S. citizens hold from their brethren in other countries concerning the role of government. Modern privacy theory may have its origins in the United States, but Americans still mistrust big government and regulation that touches individuals’ personal lives, while many citizens in other countries believe government is responsible for protecting and helping them—further evidence that normative values and expectations of privacy (certainly those that represent legally enforceable expectations of privacy) are highly subjective and context-sensitive. Advocates of the European approach cite the “broad principles - specific interpretation” approach as a compromise between the reactive U.S. approach and those who favor self-regulation or virtually no government regulation at all. “As long as the United States approach to privacy is sectoral, with separate, uncoordinated legislation applying to separate record systems and separate industries, these problems are certain to arise. The omnibus approach adopted by European countries establishes privacy standards that are independent of technological and market considerations. By establishing broadly applicable standards, the Europeans ensure privacy is considered in the planning stages of new technology or activities, rather than at a less efficient and less effective point in the process. The United States is rarely, if ever, able to anticipate technology with privacy laws or policies.” (Gellman, Robert M., Can Privacy Be Regulated Effectively on a National Level? Thoughts on the Possible Need for International Privacy Rules, 41 Vill. L. Rev. 129, 146-147 (1996)). Although neither time nor space permit including a discussion of global or international issues, anyone knowledgeable in the area can attest to the increasing leadership role the European Commission has played in the privacy arena and the growing notion amongst business, technology, and legal thinkers, as well as government, that in the borderless world of the Internet, only global initiatives and multinational cooperation can be either effective or provide the degree of legal and regulatory certainty necessary to foster a stable commercial environment regarding the flow of information and electronic commerce activities. Unfortunately, the “long run” and effective cooperation among nations may be many years away and business leaders need to deal with the legislation and regulation that confronts them today.
PRIVACY IN THE UNITED STATES TODAY Today, we can think of the privacy in the United States as existing in three categories: territorial, personal, and informational. Territorial privacy, the oldest privacy concept and one rooted in traditional property rights, refers to the physical right to be left alone or undisturbed within one’s defined territory. The principle, simply stated, means that without an invitation or permission (e.g., a warrant), no one is allowed into an individual’s proprietary space. Our legal principles concerning real estate and national sovereignty are examples of this “spatial” notion of privacy. Personal privacy generally refers to our notions of freedom of movement and expression, restrictions against unlawful searches and seizures and prohibitions against both physical (e.g., battery, bodily harm, and injury) and non-physical assaults (e.g., discrimination, defamation,
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
305
sexual harassment, obscenity, stalking). Although personal privacy includes the notion of physical space or territoriality, it does not only refer to the physical individual, but is also based upon social and cultural norms which have, and continue to, evolve to reflect society’s values. In many ways, personal privacy relates to the protection of an individual’s perceived sense of dignity and is highly context based. Because personal privacy is highly contextual, laws evolve in each jurisdiction to mirror the perceived values of society. The U.S. legal principle of judging obscenity by “community standards” or the specific legal responses to discrimination are examples of the application of the law to invasions of personal privacy, which is legally protected and enforced, not only because individuals have a subjective expectation of privacy, but because that expectation is considered reasonable within current social practices and values. The Internet is changing both the individual’s reasonable expectation of privacy and the notion of what is socially acceptable or reasonable to expect. What is a “community,” much less community standard, is increasingly difficult to define and judge in cyberspace. Where previously geographic boundaries defined neighborhoods, cities, provinces, states, and nations, global chat rooms and Web sites today permit communities of interest to gather and share information, anywhere, anytime, in any form. The Internet has raised the level of concern and controversy in the third category of privacy: the disclosure, distribution, use, and abuse of information about an individual—informational privacy. Informational privacy is a relatively new concept on the privacy landscape and refers to the right to control the public and private disclosure, distribution, and use of our own information and information about us. Individuals disclose private information based on personal values and relationships (e.g., to a spouse, religious confessor, or physician). Social, cultural, and personal values and the need to function in society require individuals to make decisions about the disclosure of otherwise personal information. The decision as to what, when, and to whom disclosures are made evolves as the nature and extent of relationships (personal, commercial, or governmental) change. One provides personal information to a physician to obtain medical treatment and advice. Disclosure is voluntary because the benefits are considered valuable and the treatment of the information is perceived to be protected in an acceptable manner. Similarly, to avoid carrying large amounts of currency, individuals voluntarily provide otherwise personal financial information to credit card issuers to obtain credit cards. Here again, there is a balance between the perceived benefit and the risk. Each individual makes a personal decision, albeit dependent on many factors (e.g., societal norms, culture, peer pressure, status), as to whether and to what extent voluntary disclosure is necessary. Invasions of informational privacy frequently occur when a third party wrongfully or improperly obtains information or when information is obtained by or available to a third party and used or made available to other parties or the public, without permission (e.g., secondary use). It’s hard to know if Jill objected to her neighbor Adam knowing how much she paid for the old farm or whether the fact that everyone in town knows David has an open credit account at the general store until the crops are sold is an invasion of privacy or just considered neighborhood gossip and prattle. The answer probably depends on how big the town is, what their relationship is, what culture or society they live in and whether or not this type of information is freely and openly available about everyone and to everyone—that is, it depends on the context and what is considered “normal” in that environment and to those individuals. Today, technology has rendered information about Jill, Adam, and David collectible, maintainable, and communicable in ways, to persons and enterprises, and for uses inconceivable a decade ago. Indeed,
306
PULSE PIECES
even the type of information that is collectible—what programs are being watched, what music is being listened to, what perfume is being applied, and how much every item of clothing or furniture costs—even what thermostat setting is used to heat or cool the house—are bits and bytes of data hitherto quite private and unavailable. One can only imagine an interactive, on-demand, personalized home video in the future entitled “I Know What You Will Do Next Summer”! In May 2000, a Federal Trade Commission Report to Congress entitled Privacy Online: Fair Information Practices in the Electronic Marketplace stated: “With this remarkable growth in e-commerce has come increased consumer awareness that online businesses are collecting and using personal data, and increased consumer concern about the privacy of this data.” Individuals clearly perceive a need to control how, when, where, and if, information is used or disclosed beyond its original purpose. Legislation, regulation, and litigation are often the result of a strong belief that there is, or should be, a continuing individual right to control such information. Indeed, according to a Forrester Research report (The Privacy Best Practice, September 1999) 90 percent of on-line consumers want to be able to control the use of their personal data. In the space remaining, let’s examine some of the key recent U.S. legal and regulatory initiatives that apply to some of the industries and areas of e-commerce previously noted.
Dot Com Disclosures—The FTC Reacts to Internet Advertising and Privacy On-line By unanimous vote, in the Spring of 2000, the FTC issued guidelines for Internet advertising. In a nutshell, the FTC affirmed its position that unfair or deceptive advertising is illegal in any medium. While many of the terms will be familiar to lawyers and marketing professionals alike in connection with the preparation and review of advertisements and marketing material (e.g., placement, prominence, clear and conspicuous, freedom from distraction), the guidelines provide some practical guidance as to the necessity for repeating disclosures on lengthy Web sites, cautioning advertisers on-line that not all users may access, view, or perceive a particular Web page or site the same way and that differences in technology (audio, video, computer platforms, etc.) require a variety of approaches to ensuring proper disclosures are made to consumers. There are references to technology and concepts unknown in the world of print, television, and radio advertising. For example, the guidelines refer to “hyperlinks” (reference markers or pointers which, when selected, redirect the user’s browser to a new Web site or Web page containing information. These links enable an advertiser to place the “legal disclaimers,” “privacy notices,” and other non-marketing materials on a separate page or view, without taking up valuable “real estate” or advertising space on the pages or views containing the “sell copy.” The FTC guidelines require that if links are used, they must be consistent (i.e., not misleading, conspicuous for some content and difficult to find or view for others). A hypertext link relating to an advertiser’s privacy policies and disclosures must link directly to those disclosures and not be interrupted or redirected via another page or view. Links should be in one or more locations that are reasonably likely to be understood and utilized by the consumer effectively. In other words, links to a company’s privacy policy should be reasonably close to areas in which the consumer is requested to provide information or in a place where the consumer can be expected to understand that information may be collected about that consumer’s visit to the Web site or Web page. The guidelines also permit advertisers to offer the consumer a choice of either “opting in” or “opting out” when it comes to the use of information collected during the course of that con-
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
307
sumer’s interaction. These choices relate to the consumer’s ability to notify the Web site operator and the advertiser whether or not the information collected may be used and disclosed to others. The concept is to provide the consumer with a certain degree of control over the information collected about them.
Children’s Online Privacy Protection Act “COPPA,” as the Act is known, gives parents and children a legal right to control the collection, use, and disclosure of personal information about children and requires reasonable procedures to protect the confidentiality of such information. The Act describes what constitutes “personal information” and applies to the operator of any Web site which is directed to children under the age of 13, as well as the collection of information from users known to be under 13. COPPA applies to all personal information collected after April 21, 2000, notwithstanding any prior relationship or even agreement with a child or a child’s parent or legal guardian. COPPA requires that parents receive notice of a Web site’s information practices and requires parental consent prior to the collection, disclosure, or use of personal information about a child (e.g., digital signatures, credit cards—however, the Act makes it clear that e-mail, on its own, is NOT sufficiently verifiable parental consent to be effective under the law). Parents additionally have the right to review and modify personal information about their child and to withhold and prevent further use of personal information by withdrawing consent or permission at any time. In addition, there are specific restrictions on the collection and use of personal information from or about children in connection with games, sweepstakes, and contests, recognizing that children are particularly vulnerable to these types of activities. Of great importance to Web site operators is the fact that the Act specifically permits these operators to satisfy COPPA’s requirements by compliance with self-regulatory policies and procedures which are issued by marketing and on-line industry associations or groups, provided that these policies and procedures are approved by the FTC and consistent with the requirements of COPPA.
The Gramm-Leach-Bliley Act and Regulation (GLB) While the Fair Credit Reporting Act (FCRA) regulates the sharing of non-public information among affiliated entities, few lawyers and bankers on November 12, 1999, could have predicted that the provisions of the financial services modernization law that would receive the most attention in coming months would be contained in subtitle A of Title V, entitled “Disclosure of Nonpublic Personal Information.” With the passage of GLB, Congress specifically provided that “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. To further complicate the financial landscape, Section 507 of the Act specifically provides that Title V does not preempt State law—essentially those that provide greater protection than the Act—and thus financial institutions will continue to comply with state privacy laws to the extent they are (or are amended to be) more stringent than GLB. In addition, and over the objection of commentators during debate over the rulemaking in connection with the Act, the agencies have required that financial institutions include, together with their initial annual GLB disclosure notices, corresponding
308
PULSE PIECES
disclosures of their policies and practices with regard to sharing information with affiliates, an activity regulated by the FCRA. It is not hard to imagine the complexity with which privacy standards have been issued under GLB when one lists the federal agencies charged by Congress with the responsibility for issuing standards for the financial institutions each supervises: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserves System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Trade Commission, the Secretary of the Treasury, and the Securities and Exchange Commission and, to the extent relevant to the insurance industry, to consult with state insurance authorities as designated by the National Association of Insurance Commissioners. GLB applies to any commercial entity engaged in financial services. For purposes of the Act, if a regulator determines that an activity is permissible for a financial institution, then any entity which conducts, carries on, or engages in that activity in the United States will become subject to the privacy rules. In other words, if a financial product or service COULD be offered to a natural person for personal, family, or household purposes, then that activity and any institution offering that product or service is covered under the privacy requirements of the Act. That institution must provide consumers with notice of its privacy policies and practices, must disclose the conditions under which non-public personal information about consumers may be disclosed to non-affiliated third parties, and must permit consumers to “opt out” and prevent sharing of the information with non-affiliated third parties. It is important to note that the Act distinguishes between “consumers”—individuals without a continuing relationship with the financial institution—and a “customer”—individuals with a continuing relationship. This distinction is important since it determines the nature and extent of pre-transaction and annual disclosures and notices required to be provided to each. GLB also defines nonpublic personal information and provides guidelines and samples of compliance language for initial and annual notices.
Employee/Employer Relations The Electronic Communications Privacy Act (ECPA) affords omnibus protection of electronic communications (Public Law No. 99-508, 100 Stat. 1848 (1986), codified at 18 U.S.C.A. §2510-2511). This Act protects users from not only unauthorized access of electronic communication; it also extends Title III of the Omnibus Crime Control and Safe Streets Act of 1968, to protect voice, data, video communications, including cellular phones, computer transmissions, and voice and display pagers. Duty for compliance is imposed, not only on service providers and “custodians of information,” but intruders and eavesdroppers as well. ECPA protects e-mail messages during transit from one computer to the next under Titles I & II as though it were a normal land-line telephone call and while stored on an ISP computer, it is protected from unauthorized access under Title II of ECPA. An exception to the protections of the ECPA, the business exception, arises from the Supreme Court case of O’Connor v. Ortega (480 U.S. 709), in which the Court held that an employee’s office and expectation of privacy were not protected by the Fourth Amendment and that an employer’s search was reasonable “both in its inception and in its scope.” There are actually two ways that this exception to the interception of e-mail may arise: if the employee gives prior consent or if the e-mail is a business use. Employees can obviously give consent by signing an agreement, but the employer can also impose
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
309
on-screen messages (during log-on, at periodic intervals) advising the viewer that there is no guarantee of privacy for use of company e-mail despite features like passwords and the ability to delete a message from a mailbox. In an illustrative case, an employee was fired from Pillsbury for responding to an e-mail from his home computer. His e-mail threatened to “kill those backstabbing bastards” (i.e., management) and referred to a holiday party as “the Jim Jones Koolaid Affair” (Smyth v. The Pillsbury Company, 914 F.Supp.97 (E.D.Pa. 1996)). Company officials, reading a printout of this e-mail, then reviewed his other e-mail messages and fired him for “inappropriate and unprofessional comments over defendant’s e-mail system.” Although the employee argued invasion of privacy and alleged that his employer assured him his e-mail would not be read, the court ruled that once he communicated such unprofessional comments to his supervisor (the original reply from home noted above) over the Company e-mail system, all reasonable expectation of privacy had been lost. Generally, if employee e-mail is transmitted and/or stored on a company-owned or -controlled system, the ECPA gives the employers total, unfettered access to messages it contains—archived, back-up, hidden, or reconstructed electronically from stored fragments. Companies may keep backup media—tape, disk, or otherwise—for years if they choose. These, as well as data contained in the company’s entire computer system, are discoverable in litigation and employers can be held liable for the conduct of their employees when these employees are (or are deemed to be) acting within the scope of their employment. If an employee uses the company e-mail system in a manner which violates a statute, the employer could be held liable. As an example, in 1995, in order to avoid publicity, Chevron settled a sexual harassment/hostile work environment suit out of court for $2.2 million, based on evidence of e-mail containing sexist jokes (“Companies Discover E-Mail’s Dark Side,” Newsday (February 21, 1997): A57).
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Section 264 of HIPAA, directed the Secretary of the Department of Health and Human Services (HHS) to make recommendations to Congress regarding the protection of privacy in connection with medical records. HHS issued its proposed rule on November 3, 1999 (64 Fed. Reg. 59,917) and on December 20, 2000, President Clinton unveiled the final regulations providing Standards for Privacy of Individually Identifiable Health Information (to be codified at 45 C.F.R. parts 160-164) and I will refer to these standards as HIPAA in the discussion that follows. As noted earlier, while privacy protection has typically been a patchwork quilt of state laws, HIPAA creates a federal benchmark for health care providers, plans, and clearinghouses that does not preempt stricter state legislation. HIPAA is intended to protect consumers’ rights by providing access to their personal health information and controlling inappropriate uses of such information, to improve the quality of health care by restoring trust in the nation’s health care system among consumers, providers, and organizations, and to improve the efficiency and efficacy of health care delivery by establishing a national framework. It protects “individually identifiable health information” which is defined as information that identifies the individual (or where there exists a reasonable basis to believe the information can be used to identify the individual), which is created by or received by a health care provider, plan, employer, or clearinghouse and related to the individual’s physical or mental health or condition, the provision of care to the individual, or payment for such
310
PULSE PIECES
care. Although not the subject of this article, some interesting legal issues arise for insurance companies involved in the health care industry, at the intersection of HIPAA and GLB. In general, an individual’s protected health information may not be used or disclosed, except to carry out treatment, payment, and health care operations and HIPAA requires that consent to the use or disclosure of personal health information be obtained in “plain language” in connection with any treatment, payment, or health care operation. There are separate guidelines for obtaining “authorization” to use or disclose personal health information for purposes other than treatment, payment, and health care operations. There are some exceptions for which otherwise protected information may be used or disclosed without the individual’s permission (e.g., to a public health authority to prevent disease, to an authority authorized to receive child abuse or neglect reports, to an employer in connection with medical surveillance in the workplace or related to an employee’s actual or alleged work-related illness or injury, to alert law enforcement officials about the commission or location of a crime or to identify the perpetrator and, under certain circumstances, for research). HIPAA specifically grants the individual the right to access his or her personal health information used to make decisions regarding that individual and includes the right to inspect, obtain copies, and amend or correct inaccurate or incomplete information. Subject to some specific limitations, individuals also have the right to an accounting of disclosures of his or her protected information for purposes not involving treatment, payment, and operations. Since HHS lacks the authority to grant individual patients the right to sue, HIPAA does not create a private right of action, but it does provide for civil monetary penalties for non-compliance, capped at $25,000 per person per year for each provision violated. It also imposes certain criminal penalties for specific “wrongful disclosures”—up to $50,000 and one year in prison for intentional disclosures and up to $250,000 and ten years in prison for disclosure with intent to sell the data, with enforcement authority delegated to HHS’s Office for Civil Rights. It is noteworthy that much like the cost of Y2K compliance efforts in the years leading up to the new millennium, the government’s own estimate of the cost to the health care industry for compliance with HIPAA’s regulations over the period from 2003 through 2012, is approximately $17.6 billion.
CONCLUSION No summary could be as accurate to reflect the privacy implications and paradox spawned by e-Commerce and the staggering growth of the Internet as the following two illustrations, one citing the use of the Internet to discover information and the other…well, you be the judge. In just a few hours sitting at my computer, beginning with no more than your name and address, I can find out what you do for a living, the names and ages of your spouse and children, what kind of car you drive, the value of your house, and how much you pay in taxes on it. From what I learn about your job, your house, and the demographics of your neighborhood, I can make a good guess at your income. I can uncover that forgotten drug bust in college. In fact, if you are well-known or your name is sufficiently unusual, I can do all this without even knowing your address (Lane, Carole A., Naked in Cyberspace: How to Find Personal Information Online, Helen Burwell and Owen B. Davies (eds.), Information Today, Inc., 1997). In stark contrast, nothing serves as a more compelling illustration of the issues spawned by our faith in this rampant technology and the information it accumulates than the dramatic lead-in to the New
UNDERSTANDING PRIVACY IN AN AGE OF INFORMATION
311
York Times article on Sunday, August 1, 1993, entitled “This Is Your Life, Mr. Smith…” which begins: “Within two or three minutes, the underwriter who plugged Charles Zimmerman’s name into the insurance industry’s huge risk-evaluation data base had what he needed: a coded, computerized sketch of the Massachusetts man’s medical history, driving habits, and other personal information. For the 25 cents it cost to tap into the data base, the underwriter had found an invaluable piece of information that would affect Mr. Zimmerman’s application for a disability policy: He was an alcoholic. There was just one problem—the information was wrong.”
CONDUCTING A PRIVACY GAP ANALYSIS By Jackie Huchenski
The HIPAA Privacy Rule will require most health care organizations to revamp the way they handle medical records and health information. Exactly how much change your individual organization will need to undergo to become compliant with the Rule depends on your organization’s current practices concerning the confidentiality and security of medical records and other “protected health information” or “PHI.” One step in determining what will be involved in the process of becoming compliant with the Rule is to have legal counsel for your organization conduct a “gap analysis” to assess the gap between what will be required by the Rule and your organization’s current practices. The basic components of such a gap analysis are outlined here. This is not intended to be a comprehensive list of steps your organization needs to take; your legal counsel should decide the final steps to take in any gap analysis specific to your organization. Most providers, health plans, and clearinghouses are considered “covered entities” under the Privacy Rule. Covered entities will have to ensure compliance with the Privacy Rule by April 14, 2003. Effective compliance will require significant resources, and planning for compliance should begin now. If changes to the Rule are made before the gap analysis is completed, such changes can be taken into account. Most entities will have to comply with the following requirements under the Privacy Rule: • Obtain specific patient consent, authorization, or other permissions to use and/or disclose PHI. • Enter into business associate contracts (including ten essential provisions) understanding that you may be liable for its business associates’ violations. • Provide notices to patients regarding their individual rights, such as: • Access to their PHI • An accounting of where their PHI has gone • The right to request an amendment/correction of their PHI • The right to request further restrictions on uses/disclosures of their PHI • The right to make a complaint The notices have to be distributed and/or posted at varying times, depending on whether the covered entity is a health care provider who is treating the individual directly, or a health plan. • Revise/create policies and procedures regarding information practices in accordance with the Rule.
Jackie Huchenski is a Marketing Coordinator at Moses & Singer LLP, New York, New York, (212) 5547531. Copyright © 2001 by Atlantic Information Services, Inc. Reprinted with permission from Atlantic Information Services, Inc., 1100 17th Street, NW, Suite 300, Washington, D.C. 20036, 202-775-9008, www.AISHealth.com, Volume 1, Number 5, June 2001. 312
CONDUCTING A PRIVACY GAP ANALYSIS
313
• Develop a compliance program, including appointment of a privacy official, safeguards, implementing a complaint process, sanctioning violators, training, and implementing mitigation procedures. • Refrain from retaliation against or intimidation of an individual for either filing a complaint with the covered entity or with the Secretary, or for cooperating with an investigation by the Secretary. • Do not require individuals to waive their rights.
ANALYZING YOUR ORGANIZATION’S CURRENT STATUS In assessing your organization’s current status to determine the steps that will need to be taken in the process of becoming compliant with the Privacy Rule, your counsel can begin with the following preliminary checklist as a guide: • Policies and procedures regarding privacy/confidentiality of health information. Identify current policies and operating procedures addressing privacy or confidentiality of health information of patients and employees, including medical record creation, maintenance, storage, moving, retrieval, release and destruction, and Web site privacy policies and practices. • Tracking the flow of health information. Interview executives and staff regarding the organization’s practices relevant to tracking the flow of health information both internally and externally (disclosure and access) (e.g., medical management, billing, patient accounts). • Patient consent. Review a representative sampling of policies, procedures, and any tracking mechanisms the organization has governing patient consent as well as a sampling of the consent forms used. • Individual rights. Determine the extent to which the organization has policies, procedures, practices, and tracking mechanisms governing release of information and patient notification of rights with respect to health information, and review a representative sampling of such policies, procedures, and tracking mechanisms. • Contracts with third parties. Determine the number and types of vendor contracts, provider or managed care contracts, and any other contracts the organization has with persons or entities handling health information or handling confidential financial, business, or legal information. Review a sample of the contracts.
OTHER POTENTIAL BUSINESS ASSOCIATES Review and discuss other entities to which the organization discloses health information, but with which it does not currently have contracts, to determine the necessity of entering into business associate contracts with such entities. • Research (if relevant). For each of the research programs/departments, review IRB policies, procedures, and practices related to use and disclosure of health information, and review current informed consent forms used in such research. • Human resources. Review plan documents relating to the organization’s group health plan for its employees, and any contracts with outside entities, such as TPAs. Also review
314
PULSE PIECES
methods of separating employee health information from other employee information, and interview relevant staff members regarding access to such health information and other employee information.
ASSESSING THE GAP A comparison of the requirements under the Privacy Rule with the results of the analysis of your organization’s current status will identify the changes that your organization will need to take to be compliant with the Rule. Your organization’s risk if it does not comply can also be assessed with more specificity once you’ve identified areas of vulnerability. Planning and budgeting for necessary tasks will be much easier. The results of your gap analysis may demonstrate that your organization already has certain practices in place that lay the foundation for compliance under the Privacy Rule, due perhaps to state law requirements, HCFA requirements, or custom in the industry. In such cases, the compliance task may be to amend a policy and/or form already in place. An example of this is the consent requirement. Most providers of health care currently obtain some form of patient consent before treatment. Such consent forms may need to be amended, but the basic process for obtaining consent is already in place. Health plans will not need to obtain consent for payment or health care operations, so some plans may choose to stop asking for consent when a member enrolls with the plan (keep in mind that plans with medical staff will have to follow the rule requiring consent before treatment however). For uses other than treatment, payment, or health care operations, providers and health plans will both need to modify current practices, as the Rule has very specific requirements for obtaining patient authorization. Of course many of the requirements of the Privacy Rule will be brand-new to your organization. The specific requirements regarding business associate agreements is a good example. The Rule lists ten specific provisions that will have to be in your organization’s agreements with business associates, plus a couple of optional ones as well. Your organization will have to ensure such agreements are entered into before the compliance deadline. The gap analysis will help identify the entities with which your organization will need to have such agreements and which entities have existing agreements in place that may be amended and which entities will need to enter into a new agreement.
STATE LAWS AFFECTING YOUR ORGANIZATION Keep in mind that not all state law is preempted by the Privacy Rule. State laws that are more stringent than the Privacy Rule, which basically means laws that require more protection of the privacy of information than the Privacy Rule does, will still govern. Therefore an analysis of such laws will need to be part of the legal risk assessment performed for your organization. For example, many states have laws applying a higher standard of confidentiality to particularly sensitive information, such as that relating to HIV/AIDS, psychotherapy notes, drug and alcohol information, and genetic information. Comparing state law requirements with the Privacy Rule requirements and the current practices and policies of your organization will identify gaps in current compliance requirements as well as future requirements necessitated by the Privacy Rule.
CONDUCTING A PRIVACY GAP ANALYSIS
315
ACCREDITATION STANDARDS, ETHICAL OBLIGATIONS Finally, if your organization’s legal gap analysis includes assessing current compliance requirements, it would not be complete without comparing the requirements affecting your organization’s handling of health information under accreditation standards such as JCAHO or NCQA, as well as professional ethical obligations such as the AMA’s Code of Medical Ethics.
THE QUALITIES ONE SHOULD LOOK FOR IN A CPO By Herman Collins
Many times we are asked, What are the qualities one should have to become a Chief Privacy Officer (CPO)? Potential CPO candidates want to be sure they have the right stuff. Hiring officials are inquisitive about the experience they be should looking for in a good candidate. And young professionals interested in a career in privacy want to be sure they prepare themselves properly for the eventual attainment of a CPO position. We are always happy to respond to these inquiries as they indicate not only the steadily increasing excitement privacy is generating as a career option, but also the seriousness with which the CPO role is being taken in business and society. As recruiters, we have the privilege of being able to look across many industries, markets, and individual companies to get real world perspectives on the qualities a CPO should possess. Our role is to facilitate the acquisition of the best candidates who fit the requirements of our client companies. This facilitation, of course, requires us to provide many services, from helping companies evaluate their need for a CPO, to putting together accurate job descriptions, to assisting with compensation decisions, and more. But what we are really paid to do is provide our clients with the best candidates who fit their needs. And there is the rub. The qualities a CPO should have vary with the client’s situation, needs, and desires. An ideal CPO in one industry may be underqualified in another. The candidate who is great for one company in a given industry segment, may be overqualified in another company in that same segment. To understand differences in the ideal CPO profile we must look at the issues that affect this profile. The good news is these differences allow latitudes of entry that will make privacy a favorable career choice for many professionals over the next few years. These variations in the developing CPO profile are positive trends that are driven by market, legal, and social realities. Variations are caused by many factors. Some industries are more heavily regulated than others. Certain industries may require specialized industry knowledge whereas others may have no such restrictions. Companies involved in insurance, energy, or financial services for example, operate within multiple levels of government regulations that can vary from state to state. CPOs working in such industries will often require a greater emphasis on legal and/or compliance experience in their backgrounds. CPOs working in high technology industries, such as wireless communications or ISPs, will ideally have previous experience working inside a technology company and perhaps even require a related degree or hands-on technology experience. Companies doing business globally must be aware of and comply with the legal maze of privacy regulations that exists in many countries outside the United States and will desire a CPO with knowledge of this legislation. Even companies within the same industries may perceive a CPO’s desired qualities much differently. Companies must ask themselves many questions. What are the company’s privacy needs and goals? To whom would the CPO report? How much power should the CPO have to Herman Collins is Chief Executive Officer, Privacy Leaders, www.privacyleaders.com. 316
THE QUALITIES ONE SHOULD LOOK FOR IN A CPO
317
effect change? Should we hire an external candidate or promote internally? Do we do business locally, nationally, globally? What personality types tend to excel in our work environment? How much are we willing to pay? Answers to these and other questions help companies determine their best ultimate hire. And this may frustrate a CPO who feels their experience and qualities will be universally sought after. Market considerations are also important in the CPO profile. Markets vary in size and flavor and will affect the CPO personality requirements to a degree. Living and working in New York City is obviously very different than living in Anchorage. The same can be said for San Francisco or Tyler, Texas. While some people are chameleon-like and adaptable to many geographic regions, others have lifestyle preferences that may make certain areas less appealing to them, especially over the long-term. Astute hiring managers are aware of these issues and incorporate lifestyle compatibility in their list of desired qualities.
UNIVERSAL CPO QUALITIES If the ideal CPO candidate is a variable, can we develop a profile of universal CPO qualities? I certainly think so. Some of these qualities are present in most successful executives in many professions, not just privacy. So we include some of these classic executive characteristics along with many qualities unique to the CPO role. Let’s discuss the key qualities: • Consensus builder. An effective CPO must build alliances and get acceptance for privacy initiatives across the organization. To be successful in implementing a corporate privacy program requires establishing good working relationships with legal, compliance, IT, marketing, human resources, public relations, and other departments. Some have described this as being a good politician and that is certainly part of the equation. • Communicator. The ability to articulate the organizations’ privacy vision both internally as well as externally is a key part of the job. A CPO is an excellent communicator who expresses the reasons why privacy is important to the organization. They communicate their thinking with confidence and enthusiasm. Internally in companies, privacy is an old concern that is rapidly becoming a front-burner issue. In many cases this may change the way a company operates and can affect its culture. There is a natural reluctance to change that must be overcome. Teaching must be done. An effective communicator with a true privacy vision for the company can be more effective getting acceptance for new privacy policies and programs at all levels of the company. Externally, a CPO should be comfortable speaking, with regulators, stockholders, and the press among others, about the company’s privacy program while building credibility and goodwill. In the event of a “privacy incident” this credibility can go a long way to minimize damage to the company. • Organizer/planner. A good CPO is well organized, willing to delegate tasks, and an effective planner. The ability to integrate diverse resources into a functioning privacy program is very important. The ability to anticipate risks as well as opportunities is greatly enhanced by advanced planning skill. • Problem solver. So much of the role of a CPO is problem recognition, risk management, contingency planning, and creative problem solving. The ability to quickly recognize and resolve issues is crucial in a CPO.
318
PULSE PIECES
• Effective manager. A CPO is a multi-tasking job; effective management and delegation skills are highly prized. They have the ability to get individuals to function together as a single unit. They must be able to set clear goals and priorities and motivate others. They must be a good listener and be open-minded. Possessing very good communication skills, as we discussed, is most important. An effective CPO is a manager who can handle stress, think critically, and be consistent. • Team player. The CPO is an effective manager and the primary team leader for privacy. A CPO is also a good team player on the executive staff working alongside peers to create all-encompassing privacy and security policies that protect the company’s assets. These interdepartmental working relationships require a balanced member of a well functioning team as opposed to a competing power broker. • Good listener. Sometimes the best information about potential privacy risks come from the most unexpected sources within an organization. An ability to establish an open communication policy and listen objectively, will increase the effectiveness of a privacy program and aid in resolving problems. • Legal experience. While a legal background is a huge plus in the profile of CPO qualities and highly recommended it is not absolutely required. What is necessary is a clear understanding of existing and pending federal and state legislation as well as any applicable regulatory statutes. Another key is to know when to bring in additional legal assistance whenever and wherever it is needed. • IT experience. An IT background is also not a requirement, but certainly the comprehension of information technology security issues is. Understanding the technological complexities involved in securing information is very important and no privacy professional should ignore this knowledge requirement in their development towards becoming a CPO.
CONCLUSIONS As we have discussed, different organizations require variable degrees of CPO qualities to create an ideal for their particular privacy situation. We take this reality as a true positive as it helps encourage diversification in the backgrounds, experiences, and personalities of the CPO community. While the qualities that make a good CPO are diverse, they are nevertheless possible to define. Even though some similar qualities are to be desired in any executive level candidate, it is the heightened degree of necessity that exists for many of these qualities that constitutes the uniqueness of the CPO.
PULSE PIECES ENDNOTES
319
PULSE PIECES ENDNOTES 1. At the time of writing, both Ontario and British Columbia had produced consultation documents on privacy legislation available at www.cbs.gov.on.ca/mcbs/english/pdf/56XSMB. pdf and www.mser.gov.bc.ca/FOI_POP/psp/pspinbc.htm respectively. 2. The province passed An Act Respecting the Protection of Personal Information in the Private Sector in 1994. 3. With the exception of two provinces: Prince Edward Island and Newfoundland. 4. These are based on the Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96. 5. Under PIPEDA, the Governor in Council has the power to: “if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.” (paragraph 26(2)(b)) It is understood that substantially similar provincial or territorial legislation will be expected to incorporate the ten principles. Canada Gazette Part 1 (September 22, 2001). 6. For example: fostering and maintaining customer and employee trust and loyalty and gaining competitive advantage. 7. “Personal information” may be defined as information about an identifiable individual.
GLOSSARY OF TERMS
Acquisition Phase A stage when system hardware and software is purchased or leased. ActiveX Control A small program that provides additional features for Web pages or a Web browser. Currently, only Microsoft’s Internet Explorer browser supports ActiveX controls. An ActiveX control is automatically downloaded from a Web site and installed on a computer by Internet Explorer the first time a user visits the page. Ad Blocker Software that stops banner ads from being displayed on the Web. Ad blockers typically make Web pages load faster and prevent ad networks from tracking visits. Ad blocking software may be appropriate for users who have slow connections and do not wish to use valuable bandwidth downloading advertisements. The blocking software also benefits those who are fundamentally opposed to Internet advertising or individuals who wish to prevent their children or other users from viewing on-line advertisements. Adequate Notice One or more statement(s) that fully describes to an individual the purposes of collection, use, disclosure, and retention of personally identifiable data to him or her. Ad Network An advertising business that places banner ads, typically on thousands of Web sites. Well-known ad networks include 24/7 Media, Advertising.com, DoubleClick, and Engage. Anonymizer Web-based services that offer anonymous Web surfing by acting as an intermediary between the client and the Web site. Generally, an anonymizer service prevents a Web site from being able to identify the IP address of the visitor or planting cookies on an individual’s computer. However, for that very reason, anonymizers may also prevent a user from accessing personalized services or taking advantage of certain functionality that requires persistent cookies in order to function properly, such as on-line account access or using purchase histories. It is worth noting, however, that anonymizers do not necessarily guarantee that personal information will not be disclosed. Just because a transaction is anonymous does not mean that it is private. Because the anonymizer acts as a go-between, between an individual Internet user and the Web sites or other Internet services he or she is using, data in a server log could be used to recreate a user’s surfing habits. Because anonymizers can hide the identity of an individual—or at least make it very difficult to determine an individual’s identity—anonymizers raise concerns about accountability or the enforceability of on-line usage policies. Anonymizing the Data The act of removing personal identifiers from data (i.e., converting personally identifiable information to aggregate data). Anonymous Browsing Several companies offer software, some of it free, that allows you to create on-line fake names so you can browse Web sites, exchange e-mails, and participate in chat groups anonymously. 320
GLOSSARY OF TERMS
321
Anonymous Re-mailers Organizations that forward your e-mail to its destination after removing any information that could trace it back to you. Artificial Intelligence (AI) Intelligence produced by human effort rather than originating naturally (i.e., the result of computers and code developed by programmers used to store and manipulate large volumes of data from single or multiple programs). Authentication The process whereby a degree of confidence is established about the truth of an assertion. Banner Ad The horizontal ads you see at many Web sites. They are typically placed by ad networks and not the site you are visiting. Clicking on a banner ad will take a Web surfer to another site where they can learn more about the product or service being advertised. Biometrics A measurable, unique biological feature or personal trait used to recognize the identity or verify the claimed identity, of an individual. Chat Groups Two or more users communicating in real time with computers via the Internet. The group can consist of two people or dozens. Chat groups take place in either public or private chat rooms. The conversations can be a free-for-all or a structured discussion on a prearranged topic. Client Privacy Preventing unauthorized collection, use, and disclosure of customer data by computerized or other means. Common (Network) Directory Services A list of all internal system users (behind a firewall) including electronic routing information to deliver, for example, electronic mail. Computer Matching of Personal Information This is the expropriation of data maintained by two or more personal data systems, in order to merge previously separate data about large numbers of individuals. Computer System Vulnerabilities An assessment of threats and risks (e.g., unauthorized access, data loss, or modification, etc.) based on the computer system environment and data sensitivity. Consent Statements for Clients Notice to individuals regarding collection, use, disclosure and retention of personal data, including consequences of providing or withholding consent. Cookie A small text file, which is deposited on your hard drive by a Web site you visit. This file identifies your computer. It records your preferences and other data about your visit to that site. When you return to the site, the site knows who you are. Cookies can thus be used for longer term data collection. Cookie, Third Party These cookies are placed by ad networks and Internet marketing companies, not the site you are visiting. Cookies—Persistent Are stored on your hard drive for many months or years. Cookies—Pre-Session Are cached (stored in memory) during your visit to the Web site and are automatically deleted from your computer when you disconnect from the Internet. Cookie Buster Software to block or remove cookies to stop tracking by Web sites and ad networks. Cookie Managers or Blockers Are applications that allow the user to know when cookies are being written to his or her hard drive, to manage the acceptance of cookies, and to view what information is stored in an individual cookie. Cookie managers or blockers vary widely in their usability and features, but all give the individual more control over cookies stored on their personal computers. Data Profiling/Data Linkage Recording and collection of personally identifiable information that reveal personal manner and attitude.
322
GLOSSARY OF TERMS
Data Spill A data spill occurs when information entered into a form at a Web site is accidentally sent to Web servers of other companies. These companies can be ad networks or advertisers. Data spills are caused by poor design of forms at a Web site. Data Surveillance (Dataveillance) Is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons. Data Warehousing and Data Marts A federated data warehouse is a centralized repository for all electronic data. Data from different programs is integrated here. Users are not permitted to access federated warehouse data. Data from the warehouse is exported in whole or in part to data marts for access by users. (The role of the data warehouse and data mart can also be reversed (i.e., whether data is imported or exported from a data warehouse to a data mart depends on the implementation strategy).) Digital Certificate A digital stamp using encryption technology that certifies where a digital document came from. A certification authority backs up the certificates. Digital Persona Is the model of an individual’s public personality based on data, and maintained by transactions, and used as a proxy for the individual. Digital Signature A digital stamp using encryption technology that certifies that the signature is legitimate. A certification authority backs up the signatures. Directive on Enhancing Privacy Mandatory rules for linking data between two or more data sets. Due Diligence Audits Independent confirmation (by an auditor) demonstrating adequate care and effort applied to one’s work. Encryption Software Allows the user to encrypt—or scramble—digital data. Users may opt to use encryption to protect the contents of their e-mail messages, stored files, and on-line communications. Once encrypted, only users that have the appropriate digital keys may “unlock” the encrypted information. Not only can encryption protect individual stored files, it can also be used for authentication purposes and to ensure private communications. A powerful tool, encryption can be used in a wide variety of circumstances to provide privacy and security for an individual user. Ethernet Adaptor Address This is the personal name of the Ethernet card in one’s computer. Ethernet is a commonly used networking technology used to link computers together. Fair Information Practices The Code of Fair Information Practices is based on five principles: 1. There must be no personal data record-keeping systems whose very existence is secret. 2. There must be a way for individuals to find out what information about themselves is in a record and how it is used. 3. There must be a way for individuals to prevent information about themselves that was obtained for one purpose from being used or made available for other purposes without their consent. 4. There must be a way for individuals to correct or amend records of identifiable information about themselves. 5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
GLOSSARY OF TERMS
323
Firewall A software or hardware device to control access to computers on a Local Area Network (LAN) from outside computers on the Internet. Front-End Verification This is the cross-checking of data in an application form, against data from other personal data systems, in order to facilitate the processing of a transaction. GUID A Globally Unique IDentifier, used to identify a computer, a user, a file, etc. for tracking purposes. GUIDs are represented as thirty-two hex numbers. Host Name The name of a computer that is attached to a network. The host name typically includes a computer name and the organization that the computer belongs to. Example: trixie.privacyfoundation.org. Identification Identification is a process whereby a real-world entity is recognized, and its “identity” established. Identification and Authentication Schemes The process of determining and verifying the identity of an individual. Identification of Individuals In an electronic service delivery context this involves a registration process where physical and other attributes of identity claims are verified resulting in the issuance of electronic identity certificates. The electronic certificates are used to electronically authenticate individuals who wish to access government services or programs to determine eligibility, etc. Indirect Collection of Personal Information Personally identifying information collected from sources other than directly from the data subject. Information Brokers Often referred to as infomediaries, account aggregators, or other terms. Companies that act as a broker for personal information. Because this market segment is evolving, there are several different approaches encompassed within the concept of an information broker or infomediary. Brokers or infomediaries are typically subscription-based or fee-based services. An individual creates an account with the company, which then tracks through software an individual’s on-line actions, including surfing habits, purchasing history, and other data. The services serve as the primary repository of this information. The individual, however, remains in control of the information, and may direct the company to share information with a particular site and deny information sharing with another. Information Privacy Is the interest an individual has in controlling, or at least significantly influencing, the handling of data concerning him- or herself. IP Abbreviation for Internet Protocol. It refers to the standards by which computers talk to other computers via the Internet. IP Address An IP address is a number that identifies a computer that is linked to the Internet. When displayed, an IP address is typically written as four numbers separated by periods. Example: 24.12.33.56. IP Address, Dynamic A dynamic IP address is one that changes every time you go on-line. Dial-up accounts get a new IP address every time one dials up. IP Address, Static A static IP address is one that does not change every time you go online. It is thus a flag to one computer. Java Applet A small program, written in the Java language, that provides additional features for a Web page. JavaScript This is a scripting language that allows a Web site to add features to a Web page. (Note: JavaScript and Java are both programming languages, but unrelated.)
324
GLOSSARY OF TERMS
Legislative Amendments Process of changes to written law or legal requirements. MAC Address The Media Access Control address is the unique ID serial number of the Ethernet card in one’s computer. Ethernet is a commonly used networking technology, used to link computers together. MAC addresses are needed in a Local Area Network for computers to communicate. Note that MAC addresses have nothing to do with Apple Macintosh computers. Mass Dataveillance Is the systematic use of personal data systems in the investigation or monitoring of the actions or communications of groups of people. In general, the reason for investigation or monitoring is to identify individuals who belong to some particular class of interest to the surveillance organization. It may also, however, be used for its deterrent effects. Monitoring and Enforcement Mechanisms Tracking methods of compliance. On-line Forms A common method for collecting information from consumers. Forms can be used in almost countless ways—from collecting data from a user who has requested more information about a company’s products or services to participating in an on-line survey. The use of forms is widespread and their utility limited only by the imagination of a Web site designer. Opt-in When a person gives explicit permission for a company to use personal information for marketing purposes. Opt-out When a person instructs a company not to use their personal information for marketing purposes. The Platform for Privacy Preferences Project (P3P) A proposed standard developed by the World Wide Web Consortium (W3C) designed to give users more control over their personal information by allowing P3P-enabled browsers and servers to analyze privacy policies. Because P3P is a technology built upon the XML platform, it allows browsers and servers to “negotiate” before completing a request for data delivery. Once a Web page is requested by a given browser, for example, the browser will only deliver the page back to the user if the P3P preferences set in the browser are matched by the Web site. Because a consumer’s preferences are set by the individual and the policies of the site are defined by P3P, users are not required to analyze the privacy policies of every site that they visit. A company defines its privacy policy in the terms established by the P3P standard. Elements include POLICY, ENTITY, DISCLOSURE, REMEDIES, DISPUTES, STATEMENT, CONSEQUENCE, PURPOSE, RECIPIENT, RETENTION, DATA-GROUP and DATA elements. Each element has required attributes that further define the privacy policy of the covered site. The combination of core elements and different attributes creates significant flexibility for both Web sites and consumers. With a wide range of possible choices and combinations of elements and attributes, consumers can develop privacy preferences that accurately reflect their own personal choices and communicate those preferences to P3P-enabled Web sites. P3P also allows a user to define his or her privacy preferences technologically. Users can configure software to reflect what information, if any, they wish to disclose and how the data can be used. Such flexibility allows users to establish the boundaries of PD collection based on what they feel is appropriate. The ability of consumers using P3P to create a privacy profile that reflects their personal, national, or cultural preferences greatly empowers individuals in their on-line activities. Packet In Internet Protocol (IP), information is passed in little bunches of digital information called packets. Any given exchange between users and sites will consist of many packets, all of which are capable of going by different pathways to get to their assigned destination.
GLOSSARY OF TERMS
325
Packet Sniffer A software tool used by programmers. It shows what packets of information are sent to and from a computer. Password A user-chosen word to allow access to a given Web site or service. Personal Dataveillance The systematic use of personal data systems in the investigation or monitoring of the actions or communications of an identified person. In general, a specific reason exists for the investigation or monitoring of an identified individual. It may also, however, be applied as a means of deterrence against particular actions by the person, or repression of the person’s behavior. PGP Widely used encryption software from PGP Security. The initials stand for Pretty Good Privacy. Physical Observation of Individuals Creating a profile regarding the movement of individuals from data captured by electronic recording and monitoring devices (e.g., cameras, vehicle transponders, etc.) PII Personally Identifiable Information such as a name, mailing address, phone number, Social Security number, or e-mail address. Ping A short message sent by a computer across a network to another computer to confirm that the target computer is up and running. The target computer will send a ping back to confirm. Preference Information Aids a Web site in determining which offerings are most attractive and useful for its visitors, as well as which offerings are not. By determining consumer preferences based on clickstream data—both what the consumer is interested in and what he or she is not interested in—the consumer experience can be greatly enhanced. Privacy Enhancing Technologies (PETs) Those technologies that provide users with control in terms of collection, use, and disclosure of their personal information such as encryption, digital signatures, and anonymous electronic cash and service delivery systems. Privacy-Invasive Technologies (the PITs) This term usefully describes the many technologies that intrude into privacy. Among the host of examples are data-trail generation through the denial of anonymity, data-trail intensification (e.g., identified phones, stored-value cards, and intelligent transportation systems), data warehousing and data mining, stored biometrics, and imposed biometrics. Privacy Networks Like anonymizers and proxy servers, privacy networks prevent a Web site from seeing the identity of the Web site visitor. However, many of these services have added features that distinguish them from relatively simple anonymizers. Privacy networks generally rely on the use of pseudonyms or alternative identities. A user generally has an account with the service provider that contains his or her true identity. The service provides the user with a pseudonym that may or may not include accurate demographic information. The user then uses the subscriber network to host its home page, Internet service provider, or Web-surfing starting point for any Internet session. The privacy network reveals only the pseudonym identity to any Web site that the user visits. A privacy network will typically store cookies served to the user on the privacy network, preventing the delivery of cookies to the individual’s computer. The privacy network thus enables users to utilize customization, personalized services, and other convenience benefits without having to have such information stored on their personal computer hardware. Privacy Policy A Web site’s statement to users of what information it collects and what it will do with the information after it has been collected. Privacy Seal Program A program to certify compliance with standards of privacy protection. Sites with the seal claim to adhere to these standards.
326
GLOSSARY OF TERMS
Privacy Seals Seals of approval granted by organizations such as TRUSTe, BBBOnline, and WebTrust. The seals are intended to demonstrate that a Web site has adopted appropriate policies to protect personal information and to assure individuals that they are visiting a Web site they can trust. Disclaimer—keep in mind that these seals are not monitored and anyone can “stick” a seal on their Web site. Profiling This is a technique whereby a set of characteristics of a particular class of person is inferred from past experience, and data-holdings are then searched for individuals with a close fit to that set of characteristics. Proxy Server Typically located between the individual consumer and the Internet. In a corporate environment, they may be located on the local area network (LAN) at the point where the LAN is connected to the Internet, at the ISP, or somewhere in between. Proxies can also enhance security in a network environment. Firewalls and proxies are quite similar in terms of their functionality, though firewalls typically include additional security features not found in proxy servers. Generally, however, both can prevent the disclosure of an individual’s IP address or other personal information by acting as an intermediary between a Web site and an individual computer. The key difference between firewalls and proxy servers is how they deliver information to an individual browser. Information requested through a firewall—whether it be a Web page or streaming video—is delivered directly back to the individual user. The firewall may scan for viruses, restrict certain types of content, or implement additional security features, but the information is sent back to the individual computer that initially requested the data. In a proxy environment, the proxy server acts on behalf of the individual user and hides the identity of the client computer from the Web site. When an individual requests a given Web page, www.whitehouse.gov, for example—he or she is actually passing the request to the proxy, which in turn makes the request to the actual White House Web server. The White House Web server, in this example, would deliver the page and information back to the proxy, which in turn delivers the page to the individual user. Pseudonym Fictitious name assumed by the author. Publishing or Re-distributing Public Databases Containing Personal Information The act or instance of making partial or entire content of a database publicly known. Query String The last piece of a URL. A query string starts with a question mark and typically contains information that was typed into an HTML form. This data is used by a Web site to return information back to a user. Query strings are optional in URLs. Retrofitting Systems for Privacy Compliance Changes to system design and logic impacting the collection/capture, processing, storage, and/or transmission of data. Risk Assessment The process of quantifying the impact of implementing a particular idea, process, system, or strategy. Security Refers to the protection of data from accidental disclosure, misuse, or abuse, and destruction or corruption of data, whether personally identifiable or otherwise. Security may apply to the storage, transmission, backup, or other transactions involving data. Security solutions, products, and services typically seek to prevent the introduction of viruses, eliminate network vulnerabilities, limit access by unauthorized users, and authenticate data, messages, or users. Service Monitoring Maintaining regular surveillance over electronic delivery of services using computer programs that record and track information about clients in order to manage or improve services.
GLOSSARY OF TERMS
327
Smart Cards Cards that contain a computer processor (i.e., the card may be a full computing device with (contact or wireless) networking capabilities). Smart cards have the capacity for computations, running software applications, data storage, and interactions with other computing devices. Soliciting Voluntary Individual Consent Individuals acting on their own free will in giving permission to have their data collected and stored in a data warehouse. Trace Route The path that a packet takes, computer by computer, across the Internet from a sending computer to a receiving computer. Transaction Monitoring Maintaining regular surveillance over electronic interaction by individuals in their personal or official capacity. TRUSTe The TRUSTe “trustmark,” an on-line branded seal displayed by member Web sites. The trustmark is awarded only to sites that adhere to established privacy principles and agree to comply with ongoing TRUSTe oversight and consumer resolution procedures. Untraceable Anonymity Where source of authorship cannot be determined. URL The address of a Web page. URL stands for Universal Resource Locator. Example: www.privacyfoundation.com/glossary.htm. Value-added Information Services The increase in value of output data over input data that is processed by a computer relative to subjective interest of the end user. Web Bugs (a.k.a. Clear Gif, Tracker Gif) Small images, generally one pixel, that are placed on HTML pages (HTML stands for the HyperText MarkUp Language. HTML is the standard language used to develop Web pages) that are often used to track usage and provide information to the party that places the image. Web bugs are most often used to gauge Web traffic, how many times a page has been viewed, and other administrative or site monitoring requirements. A Web usage monitor will report how many times the image was accessed—a standard piece of non-personal data used in system maintenance. They may also, however, be used to solicit additional information, including the URL of the page on which the image is stored, the type of browser being used, the time of viewing, the client IP address, or to retrieve information stored in cookies. Such images may be used in any HTML code, whether on a Web page or in HTML e-mail. The Web Bug is also known as a 1-by-1 GIF, invisible GIF, and tracker GIF. Because these images typically cannot be seen or blocked by traditional cookie blockers or other similar technologies, they have raised concerns among privacy advocates. The increasing use of HTML e-mail has added to the concern. The terms in this Glossary have been compiled from a wide variety of sources, however, the authors wish to thank and recognize the following specific individuals and organizations for allowing the incorporation of terms from their works and/or electronic sites. The Privacy Foundation, Mary Reed Building, 2199 S. University Blvd., Denver, CO 80208, Phone: 303-871-4971, Fax: 303-871-7971, www.privacyfoundation.org/index.cfm. Roger Clarke,
[email protected], www.anu.edu.au/people/Roger.Clarke/DV/Surveys.html, Xamax, Consultancy Pty Ltd, Canberra, www.xamax.com.au/ Privacy Impact Assessment Guidelines, www.gov.on.ca:80/mbs/english/fip/pia/pia8.html#glossary1 The Privacy Leadership Initiative, 1300 Connecticut Avenue, NW, Suite 900, Washington, DC 20036, 202-887-1140.
328
GLOSSARY OF TERMS
U.S. Dept. of Health, Education, and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens viii (1973). Organization for Economic Co-operation and Development (OECD), (January 2, 2002), Working Party on Information Security and Privacy, “Inventory of Privacy-enhancing Technologies (PETs),” prepared by Lauren Hall, Executive Vice President of the Software & Information Industry Association (SIIA) in co-operation with the Secretariat of the OCED, unclassified document, JT00119007, OECD, 2, rue André-Pascal, 75775 Paris Cedex 16, France.
SUGGESTED READINGS
Agre, P., and M. Rotenberg (ed.), Technology and Privacy, Cambridge, MA: MIT Press, 1998. ISBN: 0262511010. Alderman, E. and C. Kennedy (contributor), The Right to Privacy, New York: Vintage Books, 1997. ISBN: 0679744347. Branscomb, A.W., Who Owns Information?: From Privacy to Public Access, New York: Basic Books, 1995. ISBN: 046509144X. Brin, D., The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? Cambridge, MA: Perseus Press, 1999. ISBN: 0738201448. Cady, G., P. McGregor, and J. Beverley, Protect Your Digital Privacy! Survival Skills for the Information Age, New York: Que, 2001. ISBN: 0789726041. Campbell, D., and J. Fisher (ed.), Data Transmission and Privacy, New York: Kluwer Law International, 1994. ISBN: 0792327136. Cate, F., and M. Armacost, Privacy in the Information Age, Washington, D.C.: Brookings Institute, 1997. ISBN: 0815713150. Cavoukian, A., and D. Tapscott (contributor), Who Knows: Safeguarding Your Privacy in a Networked World, New York: McGraw-Hill Professional Publishing, 1996. ISBN: 0070633207. Charrett, S. Identity, Privacy, and Personal Freedom: Big Brother vs. the New Resistance, Boulder, CO: Paladin Press, 1999. ISBN: 1581600429. Chesbro, M., Privacy for Sale: How Big Brother and Others Are Selling Your Private Secrets for Profit, Boulder, CO: Paladin Press, 1999. ISBN: 158160033X. Etzioni, A., The Limits of Privacy, New York: Basic Books, 2000. ISBN: 046504090X. Garfinkel, S., and D. Russell, Database Nation: The Death of Privacy in the 21st Century, Sebastopol, CA: O’Reilly & Associates, 2001. ISBN: 0596001053. Hawke, C., Computer and Internet Use on Campus: A Legal Guide to Issues of Intellectual Property, Free Speech, and Privacy, San Francisco: Jossey-Bass, 2000. ISBN: 0787955167. Hendricks, E., T. Hayden, and J. Novik, Your Right to Privacy: A Basic Guide to Legal Rights in an Information Society (An American Civil Liberties Union Handbook), Carbondale, IL: Southern Illinois Univ. Press, 1990. ISBN: 0809316323. Imparato, N. (ed.), Public Policy and the Internet: Privacy, Taxes, and Contract, Stanford, CA: Hoover Institution Press Publication, 2000: 481. ISBN: 0817998926. Jennings, C., L. Fena, and E. Dyson, The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet, New York: Simon & Schuster, 2000. ISBN: 068483944X. Levine, J., R. Everett-Church, and G. Stebben, Internet Privacy for Dummies, New York: Hungry Minds, Inc., 2002. ISBN: 0764508466. Nock, S., The Costs of Privacy: Surveillance and Reputation in America (Social Institutions and Social Change), Berlin, Germany: Aldine De Gruyter, 1993. ISBN: 0202304558. Rosen, J., The Unwanted Gaze: The Destruction of Privacy in America, New York: Random House, 2000. ISBN: 0679445463.
329
330
SUGGESTED READINGS
Rotenberg, M., The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments, Washington, D.C.: Electronic Privacy Information Center, 2003. ISBN: 1893044122. Smith, R.E., “Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet,” Privacy Journal, June 2000. ISBN: 0930072146. Swire, P., R. Litan, and M. Armacost, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, Washington, D.C.: Brookings Institute, 1998. ISBN: 081578239X. Sykes, C., The End of Privacy, New York: St. Martin’s Press, 1999. ISBN: 0312203500. Whitaker, R., The End of Privacy: How Total Surveillance Is Becoming a Reality, New York: New Press, 2000. ISBN: 1565845692.
ADDITIONAL, CLOSELY RELATED SUGGESTED READINGS
Banisar, D., and S. Davies, Privacy and Human Rights 1999: An International Survey of Privacy Laws & Developments, Washington, D.C.: Electronic Privacy Information Center, 1999. Henderson, H., Privacy in the Information Age, New York: Facts on File, Inc., 1999. Lessig, L., Code and Other Laws of Cyberspace, New York: Basic Books, 1999. Levy, S., Crypto: When the Code Rebels Beat the Federal Government—Saving Privacy in the Digital Age, New York: Viking Press, 2000. Morison, J., “Developing and Implementing a Privacy Compliance Program,” Proceedings, Institute for International Research (IIR) Conference on Information, 1996. OECD, “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” Paris: OECD, 1980. Available on-line at www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM. Privacy Commissioner of Australia, Privacy, Sydney, Australia (G.P.O. Box 5218 Sydney NSW 2001): Office of the Privacy Commissioner, Human Rights, 12-13 August 1996. Privacy Commissioner of Australia, Privacy Audit Manual, Sydney, Australia (G.P.O. Box 5218 Sydney NSW 2001): Office of the Privacy Commissioner, Human Rights, 1991. Stewart, B., “Privacy Impact Assessments,” Privacy Law & Policy Reporter, 3, 4 (July 1996). Taylor, J., and W. Wacker, The 500-Year Delta: What Happens After What Comes Next, New York: Harper Business Press, 1997. ISBN 0-88730-838-4.
331
A EXECUTIVE OVERVIEW: PRIVACY IMPACT ASSESSMENT
Today it is common knowledge that assets, processes, and services are being delivered over the Internet at increasing rates. At the same time, recent surveys indicate that the public’s concerns regarding privacy and its expectations continue to rise.1 Data protectors are facing increasingly difficult responsibilities in the face of increasing workloads, expanding complex bureaucratic legislation, and the speed of technological innovation. Privacy and data protection ambassadors and advocates are facing a continuing stream of new technologies that have to be evaluated systematically to measure compliance with the fair information practices or data protection principles that are central to all data protection legislation. Understanding such changes can be complex but the best approach, as indicated in the preceding pages of this text, is in a systematic manner. A crucial tool for the data protector is the undertaking of a privacy impact assessment (PIA). The idea of this “tool” or undertaking is to require the preparation of a privacy impact assessment for new products, practices, databases, and systems involving personal information. Over the last several years, privacy specialists have developed assessment models for the application of a new technology or new services. These models have the potential for raising privacy warnings at an early stage in the organization’s planning process. Various models exist that can be customized to a particular organization’s needs. The fundamental goal is to describe personal data flows as fully as possible in order to understand what impact the innovation or modification may have on the personal privacy of employees or customers and how fair information practices are met. David H. Flaherty, Ph.D., Professor Emeritus, University of Western Ontario describes this tool (PIA) as follows; “the idea is to require the preparation of privacy impact assessments for new products, practices, databases and delivery systems involving personal information . . . Ultimately, a privacy impact assessment is a risk-assessment tool for decision-makers to address not only the legal, but the moral and ethical, issues posed by whatever is being proposed.”2 An organization is responsible for safeguarding personal information in its custody or under its control. The ease of data collection too often leads companies to forego the up-front analysis regarding what personal information is needed to conduct business, and how that information will ultimately need to be protected. Public backlash (and/or financial liability) can occur if the up-front analysis is not completed, in terms of both the restricted use and indirect collection and disclosure of personal identifiable information. New systems under development and those being redesigned must incorporate both privacy and technology principles into the design, to ensure compliance with both legislative rulings and customer demands for keeping private information—private. 332
EXECUTIVE OVERVIEW: PRIVACY IMPACT ASSESSMENT
333
Given the increasing end user importance being placed on privacy, and the closer scrutiny of privacy compliance being imposed by legislative authorities, it is imperative then, that a privacy impact assessment must be implemented and utilized before, during and after deployment of a technology project. Key among the questions one must eventually ask include: • • • •
Why are you asking for this personal information? How will the information be used? Who will be able to use the information? Who is accountable?
In evaluating and assessing privacy, it is important to specify to the user, the purpose for which information is being collected and to limit the use of the information collected. Also critical is to define the primary use of the information and to set limitations on its usage. Individuals and third parties that provided the personal information must be identified, and the accountability for accuracy, security accesses by individuals, independent enforcement of procedures, and a set of privacy best practices should be established. The privacy impact assessment is presented as a framework for investigating privacy implications at the policy and technology level. In conjunction with applicable regulations, the privacy impact assessment and privacy/technology design form the foundation of two critical tools for addressing privacy.3
PRIVACY IMPACT ASSESSMENTS The Privacy Impact Assessment (PIA) has been more clearly developed with the public sector personal data processing applications in mind. These instruments have received significant attention in data protection circles as useful ways to anticipate privacy problems before systems are developed. PIAs may be used to alert public or private organizations of the potential legislative implications and public reactions to proposed systems. Research demonstrates that the country of New Zealand may have the most “hands-on,” field experience with utilizing privacy impact assessments. Blair Steward of the New Zealand Privacy Commissioner’s Office identified the following new and emerging risks that may be assessed as part of this impact analysis:4 • Arising from a new technology or convergence of existing technologies (for instance, electronic road pricing or other person-tracking using a cell phone or GPS technologies) • Where a known privacy-intrusive technology is to be used in new circumstances (for instance, expanding data matching or drug testing, or installation of CCTV in public places) • In a major endeavor or changing practice having significant privacy effects (for instance, a proposal to merge major public registries into a “super registry,” to adopt a national ID card, or to confer state powers to access computer systems) PIAs are valuable because they can significantly reduce risk (as posed by legislation or customers) for managers. The risks for failing to consider privacy implications can take many forms, such as:5 • Failure to comply with either the letter or the spirit of the Freedom of Information Act (FOIA) and Protection of Privacy Act, the Municipal Freedom of Information and
334
APPENDIX A
Privacy Act, or fair information principles more generally resulting in criticism from the Information and Privacy Commissioner, and the FTC in the United States • Stimulating public outcry as a result of a perceived loss of privacy or failure to meet expectations with regard to the protection of personal information • Loss of credibility or public confidence where the public feels that a proposed program or project has not adequately considered or addressed privacy concerns • Underestimating privacy requirements such that systems need to be redesigned or retrofitted late in the development stage at considerable expense Failing to address privacy issues may eventually result in a financial liability to organizations who are unprepared or who have failed to take the appropriate actions to implement strong internal control systems designed to protect personally identifiable information from unauthorized disclosure.
BEST PRACTICES The following are just two examples of the many “best practices” which exist in the pursuit of establishing proactive privacy procedures within organizations today. Many more examples exist and the reader is advised to seek these out and use the examples to assist in a self-evaluation of the reader’s organizational efforts at establishing and protecting the privacy of its data.
Internal Revenue Service (IRS) In February 2000, the Chief Information Officers (CIO) Council Security, Privacy, and Critical Infrastructure Committee (SPCI) endorsed the Internal Revenue Service’s PIA as a CIO Council best practice for a process of evaluating privacy risks on information systems.6 The IRS Privacy Impact Assessment is described as a process designed to guide system owners and developers in assessing privacy through early development stages. Working together, both the system owner and the developer complete the privacy assessment. Systems owners identify what data is to be used, how the data is to be used, and who will use the data. System developers must address whether the requirements pose any privacy threats. For consistent and effective application, privacy impact assessment guidelines need to be followed concerning the type of analysis necessary. These guidelines may include: • • • • • •
Personal information in which the proposed deals Sources from which this information is to be obtained Circumstances in which collection is to take place Processing of the information Intended uses of the information held or produced Safeguards, which will be operated against, unauthorized uses
The Management Board Secretariat in Ontario Privacy guidelines from the Management Board Secretariat in Ontario (Canada) represent some of the most comprehensive in the world.7 Unlike some other models, where the assessment is
EXECUTIVE OVERVIEW: PRIVACY IMPACT ASSESSMENT
335
completed before any system design, according to the Ontario policy, the assessment is best approached as an evolving document, which will grow increasingly detailed over time. Currently a privacy impact assessment is required wherever proposals entail major increases in the scope of collection, use and disclosure of personal information, through program integration, broadening of target populations, a significant shift toward indirect collection of personal information, or the expansion of data collection for new eligibility criteria. Non-compliance with a given set of privacy norms can be objectively analyzed, but privacy protection is not generally as measurable as some other types of protection (i.e., environmental). Therefore, privacy impact assessments entail a good deal of subjective and speculative analysis. One risk to be mindful of, public reaction to privacy invasions is often difficult to measure and/or predict.
SUMMARY The use of a PIA tool is essential in the long-term development of sustainable, defendable and proactive privacy policies. As the competition for specific, personally identifiable data heats up, organizations that can demonstrate the existence of solid controls aimed at protecting these data, will ultimately dominate the marketplace. Privacy and the ability to ensure it, protect it, and extend it will soon be used as a competitive weapon, a strategic tool to differentiate product and vendors, in increasingly growing and competitive virtual marketplaces. An extensive privacy impact assessment tool has been developed and is included in Appendix B. This document is a tool, and as with any tool, it must be used appropriately and it has its limitations. The reader is advised to examine the detailed questions, and to modify the tool to meet the specific needs of the organization under review. This tool should be viewed as a “living document,” one which will, which should, grow and be modified over time. As the reader, you are the best judge as to the frequency with which this tool should be used. It is advisable that you the reader take control and take charge of that frequency, and not to succumb to a forced implementation. The increase in consumer-driven demand for privacy is only beginning, it will not go away, and it WILL only grow stronger. Be prepared and be proactive, it could mean the difference between success and failure in the formative years of the twenty-first century and beyond. Appendix A was developed jointly by Dr. Marcella and Julia Lavender. Julia is a degree candidate in the Doctor of Management program at Webster University. Her doctoral research, “Understanding the Privacy Debate and Embracing Best Practices for Competitive Advantage,” is ongoing and is in fulfillment of her final degree requirements. Ms. Lavender is currently the Manager, Finance for the Suncoast District of the United States Postal Service.
ENDNOTES 1. Cavoukian, A. & Gurski, M., “Managing Privacy: A Challenge in Designing Today’s Systems,” Municipal Interface, November 2000. 2. Flaherty, D.F., “Privacy Impact Assessments: An Essential Tool for Data Protection,” retrieved January 19, 2002 from http://aspe.hhs.gov/datacncl/flaherty.htm.
336
3. 4. 5. 6.
APPENDIX A
See note 1. www.gov.on.ca, p. 27. Id., p. 28. Internal Revenue Service, IRS Privacy Impact Assessment (Version 1.3) (Washington, DC: Office of the Privacy Advocate, 1996), retrieved February 14, 2002 from www.privacy 2000.org//archives/CIO_IRS_Best_PIA_Practices.htm. 7. Information and Privacy Office, Privacy Impact Assessment: A User’s Guide (Ontario, Canada: Information and Privacy Office, 2001), retrieved from www.gov.on.ca/mbs/ english/fip/pia/pia1.pdf.
B PRIVACY IMPACT ASSESSMENT (PIA) TOOL
Note: This Privacy Impact Assessment (PIA) tool is not an all inclusive audit program, internal control questionnaire, nor single operational method guaranteed to ensure your organization is compliant with HIPAA, GLB, or any regulatory agency, in terms of privacy. This is but one tool. It is recommended that you consult regulatory advisories appropriate to your industry, and knowledgeable representatives from your organization’s legal, human resources, security and IT departments when developing comprehensive tools to assess the organization’s privacy compliant status. This Privacy Impact Assessment (PIA) tool is organized around the eight principles of the OECD (The Organization for Economic Cooperation and Development—the international organization of the industrialized, market-economy countries.) The OECD Privacy Principles are: A. B. C. D. E. F. G. H.
Accountability Identifying Purposes Limiting Collection Limiting Use, Disclosure, and Retention Accuracy Safeguards Openness Individual Access
The last two sections are for organizations affected by the Gramm-Leach-Bliley Act (GLB Act) and/or the HIPAA act. A. Accountability WP/ REF Objective: Ensure there is accountability for the organization’s privacy. Verify the responsible party has: • The authority to collect, use, disclose or retain personal information; • The authority to alter or limit in any material way, the collection, use or disclosure of personal information; • The authority to set standards and procedures for client authentication and the legal authority to collect and use personal information for authentication purposes; • The authority to amend or modify the delegation or designation of program functions to partners; and
337
By/Date
338
A.
APPENDIX B
Accountability WP/ REF
By/Date
WP/ REF
By/Date
• Determine whether the organization retained the legal or contractual right to develop methods to determine whether personal information collected on its behalf is disclosed to third parties for any reason. A.1 Verify that responsibility for the PIA been assigned to a Project Privacy Manager or other individual(s). A.2 Document the data flow where the custody or control of personal information is transferred to other public or private sector partners as part of the project. 1. Verify that the chain of accountability is documented, up to and including the ultimate accountability as the head. 2. Verify the performance requirements of the accountable parties are comprehensively specified in a measurable way, and are subject to specific performance or compliance reviews. A.3 Where public and private sector partners are not subject to your privacy policies, verify independent third-party audit mechanisms have been incorporated into performance and partnership agreements such that public accountability is assured. A.4 Where public and private sector partners are not subject to your privacy policies, determine if the option to schedule them under the organization’s privacy policies has been fully evaluated and documented. A.5 Determine if the organization will be provided with the results of regularly scheduled audits and compliance checks on the privacy practices of external partners and if those reports be made available to the program clients. A.6 Determine if legal opinions have been sought regarding: 1. Legislative authority to transfer program delivery responsibilities to partners, including a consideration of the authority for partners to collect, use, disclose or retain personal information as necessary on behalf of legislative authorities. 2. Legislative authority to alter or limit in any material way the collection, use or disclosure of personal information as authorized by legislative program statutes and your privacy policies for the purpose of delivering services through the partners. 3. Legislative authority to set service standards and procedures for client authentication and the legal authority to collect and use personal information for authentication purposes. 4. Legislative authority to amend or modify the delegation or designation of statutory program functions to the partners. A.7 Determine if the organization retained the legal or contractual right to develop mechanisms to determine whether personal information collected on its behalf is disclosed to third parties for any purposes. A.8 Verify if the organization has specific audit and enforcement mechanisms that oversee the collection, use and disclosure of personal information by public or private sector partners.
B.
Identifying Purposes
Objective: Ensure the purposes for which personal data are collected is specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
PIA TOOL
B.
339
Identifying Purposes WP/ REF
By/Date
WP/ REF
By/Date
B.1 Determine if a clear relationship has been established between the personal information to be collected and the program’s functional and operational requirements. B.2 Determine if all options to minimize the routine collection of personal information have been considered. B.3 Determine if the notice of collection contains the specific purposes, the legal authorities for collection, and the contact information for the official designated to respond to queries regarding the purposes of collection. B.4 Verify that there is documentation regarding a waiver of notice, or if notice is not required as per a specific privacy policy exception. B.5 Verify if there are secondary purposes that are not required to be included in the notice of collection (e.g., audit trail information, transaction validation, financial settlements), and if these have been documented elsewhere, such as in the Directory of Records, or attached to the record as per the organization’s privacy policies. B.6 Verify if client consent is sought for secondary uses of personal information, such as service monitoring. B.7 Verify if the notice of collection is made available through all mediums of delivery (i.e., paper forms, counter, phone, automated telephone or kiosk service mediums) and if it identifies: • The personal information to be collected, • The authority for its collection, • The principal purpose(s) for which it is collected, • The name, position, address and telephone number of a contact person B.8 Verify if the notice of collection clearly distinguishes between personal information collected for program purposes and personal information collected by partners for other purposes. Determine if separate notices are provided for each type of collection.
C.
Limit Collection
Objective: Ensure there are limits to the collection of personal data and any such data are obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. C.1 Determine if consent requires a positive action by the customer, rather than being assumed as the default. C.2 Verify that consent to indirectly collect, use, and disclose personal information is clear and unambiguous. C.3 Determine where personal information is collected indirectly from third parties, that consent is obtained from the individual to whom the information pertains, by either the organization collecting the information indirectly or by the organization disclosing the information. C.4 Determine if the consent proposal envisions possible secondary uses for the personal information collected. If yes, document where the authority for those uses flows from: • Consent • The consistent purpose rationale • Other statutory authority C.5 Verify if consent is sought for secondary uses of personal information, such as service enhancement, resource management or research. C.6 Determine if mechanisms are in place to obtain consent for the use of personal information for purposes not previously identified.
340
C.
APPENDIX B
Limit Collection WP/ REF
By/Date
WP/ REF
By/Date
C.7 Determine if a client’s refusal to consent to the collection or use of personal information for a secondary purpose, unless required by law, can be honored without disrupting service. C.8 Determine if refusal to consent to secondary uses of personal information by any service delivery partners affects the level of service provided to an individual with regard to authorized governmental transactions. C.9 Document if there are standards in place for administering consent requirements that address: 1. Making the determination whether the customer has the capacity to give consent by reasons of age or capacity; and 2. Recognition of persons authorized to make decisions on behalf of an incapable person or minor. C.10 Document if collection is performed by the following: • Dedicated Program Staff • Other individuals (e.g., staff of another co-partner, trading partner, outsource third party, or legislative body) • Dedicated Contractor (e.g., a contractor who works solely for the program) • Generic Service Provider (e.g., a contractor who works for multiple ministries or programs simultaneously) • Client Agent (e.g., solicitor, trustee, physician, or other service provider) • Other C.11 Document if collection is performed from: (List names of each as applicable) • Publicly Accessible Governmental Database • Intra/Inter-Governmental Information Sharing Agreements • Private Sector Information Sharing Agreements • Multi Program Data Marts/Warehouses • Subscription to Private Sector Data Services C.12 Itemize Customer privacy information (PI) disclosed in order to access third-party customer data records.
D.
Limit Use, Disclosure, and Retention
Objective: Ensure personal data is not disclosed, made available or otherwise used for purposes other than those specified in accordance with Privacy Guidelines except: a) With the consent of the data subject; b) By the authority of law. D.1 Verify personal information is used exclusively for the stated purposes and for uses that the average client would consider to be consistent with those purposes. D.2 Verify that personal identifiers are used for the purposes of linking across multiple databases. D.3 Verify that where data matching or profiling occurs, it is consistent with the stated purposes for which the personal information is collected. D.4 Verify there is a record of use maintained for any use or disclosure of PI not consistent with original stated purposes. D.5 Verify the record of use is attached to the personal information record. D.6 Document if there is any data matching between programs, ministries, and private sector partners, which fall outside the purview of the privacy policies and regulations.
PIA TOOL
D.
341
Limit Use, Disclosure, and Retention WP/ REF
D.7 Verify where personal information is disclosed to an authorized data mart or data warehouse, the person accountable for privacy approves each new use, user, and proposed information matches. 1. Verify such disclosures performed in consultation and in compliance with privacy policies and regulations. 2. Verify that the individual to whom the information pertains is informed of the disclosure. D.8 Document all Regular Business Transactions that disclose or give access to Personally Identifiable Data Records to the groups listed below include the following information: • Limited or Full access • If new PIA record is created (describe) • ID Custodians of New Record • A Log of Access • Transactions Created by One or Both Parties • If yes, identify Custodian(s). • What is the Authority for Disclosure? 1. Privacy Program or Systems Staff 2. Program Auditors 3. Dedicated Contractor (e.g., a contractor who works solely for the program) 4. Generic Service Provider (e.g., a contractor who works for multiple agencies or programs simultaneously) 5. Client Agent (e.g., solicitor, trustee, physician) 6. Financial Institutions 7. Financial Transaction Agents 8. External Contract Auditors 9. By Legislative Mandate to Public or Private Agencies 10. Data Marts/Warehouses other than when fully anonymized 11. By Information Sharing Agreement (ISA) to Intra/Inter-Governmental Programs 12. To the Public or For Sale to the Public or Commercial Interests 13. By ISA to Non-Governmental Programs 14. To Client by Self Service in Any Media 15. To Client via Third Party 16. Client via Written Program Request 17. Other D.9 Document Irregular Business Transactions that Disclose or Give Access to Personally Identifiable Records and include the following information: • Limited or Full access • If new PIA record is created (describe) • ID Custodians of New Record • Is a Log of Access created? • Transactions Created by One or Both Parties? • If yes, identify Custodian(s). 1. Recognized Law Enforcement (excluding police) agents without a warrant or subpoena. 2. Other public sector program investigators, by data sharing agreement, on request. 3. Other Disclosures D.10 Document any other PI record database or log produced by business or system transactions that are not listed elsewhere and are not under direct program custody or control. Include temporary and permanent record collections. • Record and contents • Under control of
By/Date
342
D.
APPENDIX B
Limit Use, Disclosure, and Retention WP/ REF
By/Date
WP/ REF
By/Date
• In the custody of Applicable privacy legislation and/or contractual privacy provisions (e.g., financial settlements provider(s) transaction logs, temporary update data stored in system pending validation, call center/help desk call logs, etc.) D.11 Determine if the collection of personal information: 1. Is expressly authorized by a statute, or 2. Does it relate directly to and is it necessary for the proper administration of a lawfully authorized activity, or, 3. Is exempt from notice (law enforcement) D.12 Determine if personal information collected directly from the individual. D.13 Determine if there is indirect collection of personal information from third parties. If so, has the individual to whom the information pertains consented to such collection, or is the collection: 1. Authorized by a statute, a treaty, or an agreement thereunder? 2. Authorized by prevailing legislation? 3. Or is it for one of the following purposes: • An honor or award • Government debt collection or payment • Law enforcement • Use in proceedings before a court, judicial or quasi-judicial tribunal D.14 Determine if data is personally identifiable information indirectly collected from other programs. D.15 Determine if information used for planning, forecasting, or evaluation purposes is anonymized. D.16 Determine if customer activity is monitored (e.g., for the purposes of providing security and quality assurances). D.17 If customer activity is monitored, determine if personal information is used. If yes, what is the authority for using the personal information: • Consent • Consistent purposes rationale • Statutory authority • Other (describe) D.18 Determine if notice is provided for customer activity monitoring and use of PI. D.19 Determine if access to data is restricted to accountable security staff. D.20 Determine if the personal information collected during monitoring is used for any other purposes or disclosed to any other business units (other than law enforcement personnel). D.21 Verify that the monitoring conforms to the organizational Privacy Policies and Information and Information Technology Security. D.22 Verify Minimum and Maximum periods have been specified for each PI. D.23 Verify procedures for the retention of PI records have been documented. D.24 Verify procedures exist for the destruction of outdated personal information. D.25 Verify that the destroyed information cannot be reconstructed.
E.
Accuracy
Objective: Ensure personal data is relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, is accurate, complete and kept up-to-date.
PIA TOOL
E.
343
Accuracy WP/ REF
By/Date
WP/ REF
By/Date
E.1 Verify the PI record indicates the last update date. E.2 Verify a record is kept of the source of the information used to make changes (e.g., paper or transaction records). E.3 Verify there is a procedure, automatically or at the request of the individual, to provide notices of correction to third parties to whom personal information has been disclosed. E.4 Verify records are kept regarding requests for a review for accuracy, corrections, or decisions not to correct. E.5 Verify the data subject has access to the request for review records. E.6 Verify that when an individual challenges the accuracy of a record, they are provided with information on how to contact the person responsible for the records. E.7 Verify that if the individual and the program representative cannot reach agreement regarding the accuracy of the record(s), the individual is advised of his or her right to file a statement of disagreement. E.8 Verify that the custodian of the record notes the statement of disagreement on the record(s) in such a manner as to ensure that subsequent users who access the record(s) through any service channel are aware that the accuracy of the record(s) is disputed.
F.
Safeguards
Objective: Ensure personal data is protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. F.1 Determine if there has been an expert review of all the risks and the reasonableness or proportionality of countermeasures taken to secure against unauthorized or improper access, collection, use, disclosure, and disposal through all access channels. F.2 Verify that security procedures for the collection, transmission, storage, and disposal of personal information, and access to it, have been documented. F.3 Verify the staff has been trained in requirements for protecting personal information and are they aware of policies regarding breaches of security or confidentiality. F.4 Verify and document that there are controls in place over the process to grant authorization to add, change or delete personal information from records. F.5 Determine if the system is designed so that access and changes to personal information can be audited by date and user identification. F.6 Verify that user accounts, access rights and security authorizations are controlled and recorded by an accountable systems or records management process. F.7 Verify that access rights are only provided to users who actually require access for stated purposes of collection or consistent purposes. F.8 Verify user access to personal information is limited to only that required to discharge the assigned functions. F.9 Verify the security measures are commensurate with the sensitivity of the information recorded. F.10 Determine if there are contingency plans and mechanisms in place to identify security breaches or disclosures of personal information in error. F.11 Verify there are mechanisms in place to communicate violations to stakeholders and to data subjects to mitigate collateral risks.
344
F.
APPENDIX B
Safeguards WP/ REF
By/Date
WP/ REF
By/Date
WP/ REF
By/Date
F.12 Verify there are mechanisms in place to advise appropriate management, corporate or other law enforcement authorities of security breaches. F.13 Determine if there are adequate ongoing resources budgeted for security upgrades; with specific measurable performance indicators in systems.
G.
Openness
Objective: Ensure there is a general policy of openness about developments, practices and policies with respect to personal data. Verify means are readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the Data Controller. G.1 Determine if the Directory of Records and information management policies list all personal information banks collected under the control of legislation in government or third-party custody, including: 1. Where information is transferred to support indirect collection 2. The operation of shared or multi-program data systems 3. Data marts or warehouses 4. Data transferred to a third party for business processing (e.g., credit and debit settlements) G.2 Verify there are procedures and policies concerning the management of personal information. G.3 Verify the PI information policies and procedures are available to all personnel.
H.
Individual Access
Objective: Ensure an individual has the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. H.1 Determine if the system is designed to ensure that access to all of the subject’s data can be achieved with minimal disruption to operations. H.2 Verify the data subject’s access rights are assured for all the data sets of all the parties in the information life cycle, including private sector partners and subcontractors, third parties provided subject information through profiling/matching. H.3 Determine if all custodians are aware of the right to access, formal or informal request procedures, mandatory advising of formal appeal procedures to data subjects, fees, and limits of their decision-making authority. H.4 Verify there is a designated individual accountable for the organization’s compliance to individual access.
PIA TOOL
H.
345
Individual Access WP/ REF
By/Date
WP/ REF
By/Date
H.5 Verify complaint procedures have been established including links to partnership agreements and staff role assignments. H.6 Verify a procedure has been established to log and periodically review complaints and their resolution with a view to establishing improved information management practices and standards. H.7 Determine if oversight and review mechanisms are being implemented, which are comparable to those ensuring the accountability of public sector bodies. H.8 Determine if regular independent compliance audits of partner information practices and privacy requirements have been established as contractual deliverables.
I.
GLB Compliance
Objective: Ensure financial institution is in compliance with the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act) and the Commission’s financial privacy regulation. I.1 Determine if the organization fits the definition of a financial institution. If so verify that the institutions, products, and services are covered under the Privacy Rule. Definition from GLB Act: You have consumers if you provide your financial products or services to individuals, not businesses, to be used primarily for their personal, family, or household purposes. Under the Federal Trade Commission’s Privacy Rule, a financial institution means “any institution the business of which is engaging in financial activities as described in § 4(k) of the Bank Holding Company Act of 1956 [12 U.S.C. § 1843(k)].” See 16 C.F.R. § 313.3(k)(1). I.2 Verify individuals receive notices per the GLB act specifications: • All customers receive initial privacy notice. • Initial notices (or short form notices) are sent to consumers who are not customers only if organization intends to disclose nonpublic personal information about those consumers to nonaffiliated third parties (unless an exception in §§ 313.14 or 313.15 applies such that no initial notice is required prior to the disclosure). • Annual privacy notices are sent to customers as long as they remain customers. I.3 Verify the privacy notices include the following: • Describes the categories of nonpublic personal information collected; • States the fact that the organization does not share nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties, except as authorized by law; and • Describes the organization’s policies and practices for protecting the confidentiality and security of consumers’ nonpublic personal information (under § 501(b) of the GLB Act). I.4 Ensure that customers are provided an initial notice within a reasonable time after establishing a customer relationship. I.5 Verify that opt-out notices are sent and/or provide all consumers with a reasonable opportunity to opt out. Note: The organization does not need to provide opt-out notices if it does not disclose nonpublic personal information to nonaffiliated third parties. I.6 Verify the organization is in compliance with the limitations on redisclosure and reuse of nonpublic personal information.
346
I.
APPENDIX B
GLB Compliance WP/ REF
• A Servicer must not disclose any nonpublic personal information to a retail merchant not affiliated with the organization unless the Servicer may do so under an applicable exception. For example, the Servicer may not provide information about your customers to the retail merchant for marketing purposes. • A Servicer may disclose nonpublic information to an affiliate. • A Servicer’s affiliate may disclose and use the information only as the Servicer could disclose and use it. I.7 Verify that the organization is not disclosing nonpublic personal information to a nonaffiliated third party unless: • The organization clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed, that such information may be disclosed to such third party; • The consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and • The consumer is given an explanation of how the consumer can exercise that nondisclosure option. I.8 Verify that the organization is not disclosing, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. General exceptions to allow the disclosure of nonpublic personal information: (1) as necessary to administer, or enforce a transaction requested or authorized by the consumer, or in connection with: Servicing, processing a transaction, maintenance of an account, or security. (2) with the consent or at the direction of the consumer; (3) (A) to protect the confidentiality or security of the records; (B) to protect against or prevent fraud, unauthorized transactions, claims, or other liability; (C) for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer; (4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors; (5) to the extent specifically permitted or required to law enforcement agencies; (6) (A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or (B) from a consumer report reported by a consumer reporting agency; (7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or (8) to comply with federal, state, or local laws; to comply with a properly authorized civil, criminal, or regulatory investigation; or to respond to judicial process or government regulatory authorities, or other purposes as authorized by law.
By/Date
PIA TOOL
J.
347
HIPAA Compliance WP/ REF
Objective: Ensure the organization is in compliance with The Health Insurance Portability and Accountability Act of 1996, known as HIPAA. The compliance date for the privacy standards is April 14, 2003 or, for small health plans, April 14, 2004. J.1 Verify the organization’s health care plan limits the use of pre-existing condition exclusions. Verify that no pre-existing condition will exclude an employee or an employee’s dependent for more than 12 months. J.2 Verify that the group health plan does not discriminate by denying employees and their dependents coverage or charges extra for coverage based on employee or family member’s past or present poor health. J.3 Ensure that eligibility for an individual’s enrollment in a group health plan is determined according to the terms of the health plan and the rules of the issuer, but not according to an individual’s health status or that of an individual’s dependent. These rules and terms must comply with all applicable state laws. J.4 Verify the group health plan guarantees certain small employers, and certain individuals who lose job-related coverage, the right to purchase health insurance. J.5 Verify the group health plan guarantees, in most cases, that employers or individuals who purchase health insurance can renew the coverage regardless of any health conditions of individuals covered under the insurance policy. J.6 Verify that all employees received a “certificate of creditable coverage” from the organization’s group health plan or from the organization, if it is self insured. Also verify the certificate of creditable coverage is provided without charge and within a reasonable time period. J.7 Verify that certificates for certificate of creditable coverage are furnished automatically to: • an individual whose group coverage has ended, such as when they leave or quit. The certificate then must be provided within a reasonable length of time. • an individual who loses health coverage and who is not entitled to elect COBRA continuation coverage. Then, the certificate must be provided within a reasonable time after coverage ceases. (Typically, this would happen in small-employer plans that are not subject to COBRA.) The certificate must be provided no later than when a notice would be provided under an applicable state program that is similar to COBRA. A certificate also must be provided promptly in states that do not have such a law. • an individual who is qualified for COBRA and has elected COBRA continuation coverage or after the expiration of any grace period for the payment of COBRA premiums. J.8 Verify that employees and their dependents can ask for a certificate, which can be done any time within the 24 months following loss of coverage. The plan or issuer must provide certificates at the earliest feasible time after they are requested. J.9 Ensure the organization has established standards and requirements for the electronic transmission of health information. J.10 Verify that safeguards have been established for entities that maintain or transmit health information. These safeguards include that the entity shall maintain reasonable and appropriate administrative, technical, and physical safeguards: (A) to ensure the integrity and confidentiality of the information; (B) to protect against any reasonably anticipated (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and
By/Date
348
J.
APPENDIX B
HIPAA Compliance WP/ REF
By/Date
(C) otherwise to ensure compliance with this part by the officers and employees of such person. J.11 Ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets that process health care data. J.12 Ensure that when a code set is modified, the modified code set includes instructions on how data elements of health information that were encoded prior to the modification may be converted or translated so as to preserve the informational value of the data elements that existed before the modification. Any modification to a code set is implemented in a manner that minimizes the disruption and cost of complying with such modification. J.13 Verify the organization has implemented a Fraud and Abuse Control Program. J.14 Verify that the organization has adopted standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for the financial and administrative transactions. The transactions are those with respect to the following: (A) Health claims or equivalent encounter information. (B) Health claims attachments. (C) Enrollment and disenrollment in a health plan. (D) Eligibility for a health plan. (E) Health care payment and remittance advice. (F) Health plan premium payments. (G) First report of injury. (H) Health claim status. (I) Referral certification and authorization. This Privacy Impact Assessment (PIA) tool is used with the permission of the authors, who retain the copyright to this document. Copyright July 2002, used with permission.
INDEX
Abacus Direct Inc., 201, 203 Academic institutions and parental consent, 17 Access control, use of biometrics, 186–188. See also Biometrics Ad-aware, 269 Advocacy organizations, 62–64 Agre, Philip E., 189 AICPA WebTrust, 62, 216–218 Air Transport Association, 190, 233 Airport security, 187–189, 195, 224, 225 federal screeners, 252 legislation, 252 Alcohol and drug testing, 224 America Links Up, 66, 245, 246 America Online (AOL). See also AOL Time Warner cookies and Web bugs, use of, 39 American Association of Motor Vehicle Administrators, 190, 232 American Association of Retired Persons (AARP), 231 American Civil Liberties Union (ACLU), 62, 203, 208, 225, 250 American Enterprise InstituteBrookings Joint Center for Regulatory Studies, xxiii, xxiv American Express Co., 203 American Management Association (AMA), 13, 208, 251 Anonymizer, 266 Anonymous e-mail, 72, 241, 266 Anti-terrorism Surveillance Legislation. See Patriot Act of 2001 Antiterrorism and Effective Death Penalty Act of 1996, proposed amendments to (HR 3016), 152, 157 Anybirthday.com, 234, 235 AOL Time Warner, xxxi, 39, 202, 242 Approach to privacy protection, 54 Argentina national ID, 192 privacy protection laws, 78, 79 Arizona, privacy laws, 33 Arkansas, privacy laws, 33 Association for Competitive Technology (ACT), 18 Association for Interactive Media, 67 Atick, Joseph J., 225 Atkinson, Rob, 188 AT&T, xxxii
Australia, 183, 184, 199 co-regulatory model, 72 enforcement of privacy protection laws, 76 membership in OECD, 74 privacy protection laws, 79, 80 Australian Defense Signals Directorate (DSD), 183 Austria, privacy protection laws, 80, 81 Authentication technologies, 262 Aviation and Transportation Security Act, 252 Axciom AbiliTec, 269
Business. See also E-business; Marketing chief privacy officer (CPO), 61, 316–319 employees’ privacy, 13 and international privacy protection, 74, 75 workplace monitoring and surveillance. See Workplace monitoring and surveillance Business watch organizations, 64 Business Week Online, xxiv
BackICE Defender 2.1, 269
Patriot Act provisions, 142, 143, 173, 174 Cablevision, xxx California, spam e-mail, 241 California Law Enforcement Telecommunications System (CLETS), xxviii California Public Interest Research Group (CalPIRG), 236 Call for Action, 65, 243 Canada, 20, 183, 199 co-regulatory model, 72 enforcement of privacy protection laws, 76 privacy compliance, 290–296 privacy protection laws, 84, 85 Cannon, Chris, xxiv Carnivore (DCS-100 and DCS1000), xxvi, 171, 185, 186, 195 FBI software program, 50 Casinos data collection, 39 gambling habits, 202, 203, 208 Categorical imperative, 5 Catlett, Jason, 15, 194, 206, 215 CDB Infotek, 210 Cellular Telecommunications Industry Association, 226 Censorship, 78 Census information, 13, 237 Center for Democracy and Technology, 62, 243, 253 Center for Media Education, 66, 246 Certifications, 189 third-party certification programs, 216–218 Chat rooms, 19 Check verification companies, 236 Chief privacy officer (CPO), 61
Bankruptcy customer lists and privacy issues, xxiv, xxv, 25 sale of confidential information, 26 Barton, Joe, xxix BBB-Online, 201, 213, 216, 218, 271 Beacon GIF, 261 Belgium national ID, 192 privacy protection laws, 81, 82 Berthoud, John, 192 Better Business Bureau, 64 BBB-Online. See BBB-Online Bigfoot, 210 Bill of Rights and right to privacy, 129 Biometrics, xxviii, 171, 186–190, 192, 195, 222 DNA identification, 224, 225, 251 drivers licenses, 232 forms of, 224 and national ID, 44 security of image database, 225 software, 19 Black, Jane, xxiv Blakley, Bob, 257 Bodily privacy, 53 Bozman, Bill, 189 Brazil, privacy protection laws, 82, 83 Brenton, Myron, 13 Brewer, Eric, xxxi Brickstream Corporation, 228 Brightmail, 259 Browsers, 27, 59, 205 anonymous browsing tools, 267 Bugnosis Web Bug Detector, 267 Bulgaria, privacy protection laws, 83, 84
349
Cable Communications Policy Act of 1984, xxix, 133, 135, 199
350 The Qualities One Should Look for in a CPO, 316–319 Children. See also Children’s Online Privacy Protection Act of 1998 (COPPA) collecting information from online, 17, 30, 198 marketing to, xxxi privacy advocacy Web sites, 66, 67 protection of, 33 Web sites, 30 Children’s Advertising Review Unit, 66, 246 Children’s Online Privacy Protection Act of 1998 (COPPA), xxix, 30, 133, 140, 198–201, 212, 244–246 TRUSTe, 217 Chile, privacy protection laws, 85 China, privacy protection laws, 86 Citizen’s Privacy Commission Act of 2001 (S 851), 152, 163 Civil liberties, 12, 194 Clarke, Richard, 190 Clear GIF, 204, 205, 261 Click stream monitoring, 57, 201 Clinton, Bill, 223 Co-regulatory model and international privacy protection, 72 Collins, Herman, 283, 316 Colorado, law enforcement access to databases, 33 Committee for European Standardization (CEN) and EU Data Directive, 263 Common Access Card, 192 Common Cause, 243 Communications. See also Wiretaps monitoring, 224, 226 personal, 53 providers, emergency disclosures by, 143, 144, 174, 175 surveillance, 76, 78 Communications Assistance for Law Enforcement Act of 1994 (CALEA), 133, 138, 247 Comprehensive laws and international privacy protection, 71–73 Computer chips ID chips, 228, 229 and national ID card, 232, 233 Computer forensics, Patriot Act provisions, 151, 183 Computer Fraud and Abuse Act (CFAA), 31, 133, 136, 137 Patriot Act provisions, 147–150, 171, 172, 179–182 Computer Mail Services, 259 Computer Professionals for Social Responsibility, 62 Computer Security Act, 133, 137 Computer trespassers, Patriot Act provisions, 146, 147, 177, 178 Computers, 11 encryption, 267 files, review of by employers, 13
INDEX hackers. See Hackers and international privacy protection, 71 methods employed to obtain information, 19 monitoring employees, 207 national security and criminal justice, 181 Patriot Act provisions, 151 privacy protection, basic steps, 271, 272 protected computer, 181 software. See Software and storage of data, 223 and trends in international privacy, 77, 78 workplace monitoring, 247–250 Confidential Information Protection Act (HR 2136), 152, 154, 155 Consequentialism, 4 Consumer @ction, 62, 243 Consumer Internet Privacy Enhancement Act, xxiv Consumer Privacy Protection Act (HR 2135), 152, 154 Consumer Project on Technology, 62 ConsumerPrivacyGuide.org, 229, 243 Consumers Digest, 237, 239, 240 Consumer’s Right to Financial Privacy Act (HR 2720), 152, 155, 156 Cookie Crusher, 268 Cookie cutter, 266 Cookie Pal, 268 Cookies, 18, 19, 27–28, 201, 203–205, 241–244 America Online, 39 click stream monitoring, 57, 201 cookie managers, 268, 271 federal Web sites, 29 globally unique identifier, 59 Office of Management and Budget (OMB) memorandum, 31 Coremetrics Inc., 242 Corporate Privacy Officers (CPOs), 257 Council of Europe (COE), 71, 73 Convention for the Protection of Individuals, 71 international privacy protection, 71 Courion/PasswordCourier and Profile Builder, 269 Court cases, xxx CPA WEBTRUST. See WebTrust Crackers, 258 Credit bureaus and credit reports, 13, 25, 64 credit scoring, 57 Equifax privacy opinion poll, 9 and identity theft, 236, 237 sample opt-out letter, 238 Credit cards, 203, 223, 271 casinos and data collection, 39
consumer fears, 201 credit card fraud, 230, 231 and identity theft, 233, 234, 236, 237 and Internet, 18 pre-screened offers, 229, 230 privacy advocates, 64 smart cards, 188 theft, 17 Criminals and data mining, 57 and use of facial recognition systems, 50 Crowds, xxxii, 266 Cryptography, 267 Cummins, Gaylyn, 11 Customer management software, 19 Customer relationship management (CRM), 39. See also Data collection Cutter Consortium, 7 CVS Pharmacy, 56 Cyber Security Information Act (HR 2435), 152, 155 Cyber Snoop, 248 Cyber Terrorism Prevention Act of 2001 (S 1568), 152, 165 CyberAngels, 67, 246 Cybercrime, 17 Cyberterrorism, 17, 171, 259 Patriot Act provisions, 146, 147, 179–182 Cypherpunks, 63 Czech Republic, privacy protection laws, 87
Dargie, Jane, 283, 290 Data collection, 223, 242. See also Personal privacy consumer concerns, 261, 262 Consumer Internet Privacy Enhancement Act, xxiv customer relationship management, 39 data capture, 201 Department of Homeland Security, xxvii, xxviii Internet, 204–206 personal data, 53 pretexting, xxii security concerns, 261 sharing data with third parties, 12–16, 261 Total Information Awareness database, xxvii, xxviii Data haven, 75 Data mining, xxvi, 57, 58, 78 business practices, 58 Fluent, use of, 193 Data privacy. See Data collection; Personal privacy Databases and facial recognition software, 189 personal information and consumer convenience, 191
INDEX relational, 10 Total Information Awareness database, xxvii, xxviii Datacard Group, 192 Davies, Simon, 192 DCS-100 and DCS-1000 technology. See Carnivore (DCS-100 and DCS-1000) Debit cards and fraud, 231, 232 DeCew, Judith, 191 Defense Advanced Research Projects Agency, 193 Defense Signals Directorate (DSD), 183, 184 Delaware, law enforcement access to databases, 33 Deloitte & Touche methodology for creating privacy policy, 214 Dempsey, James, 194, 195 Denmark enforcement of privacy protection laws, 77 privacy protection laws, 88 Deontology, 4 Department of Commerce, 73 Department of Homeland Security, xxvii Department of Motor Vehicles (DMV). See also Drivers licenses registration information, 16 Dershowitz, Alan M., 190 Deterrent effect of facial scanning, 188 Di Gregory, Kevin D., 185, 186 DICTIONARY, 184 Digital cash, 72 Digital signatures, 189, 262 Digitized photographs, 224 Direct marketing, xxviii, 57, 198, 206, 229, 230, 259 Direct Marketing Association (DMA), 19, 65, 204, 206, 229 privacy policy generator, 281 telemarketing, 227 Disappearing Email, 268 Disk encryption, 267 Disk/file erasing programs, 267 DNA identification and testing, 224, 225, 251 Dot Kids Domain Name Act of 2001, 245 DoubleClick Inc., 55, 201, 203, 241 Douglas, Gary, 194 Drivers licenses, 190, 191, 232 and national ID, 44 Driver’s Privacy Protection Act of 1994, 16, 129, 133, 138, 199 Drug testing, 208, 224, 251 Duty, 4
E-business, 24 customer data, sharing, 15 data collection, 57 data mining practices, 57, 58 international promotion of, 73
351 loss of trust in, xxii, 16, 202, 203 P3P technology, 18 privacy concerns, xix, xx, xxi, xxii, xxx, 38–44 privacy notices. See Privacy notices privacy policies. See Privacy policies private sector initiatives for PETs, 264, 265 proposed data privacy legislation, 38, 39 security concerns, 45 self-regulation, 19, 72, 167, 198, 213, 215 E-Government Act of 2001 (S 803), 152, 162, 163 E-mail, 19, 194, 200, 203, 241 Direct Marketing Association’s preference services, 229 employees, 13, 200, 207–209, 248, 249 employer policies, 250 Patriot Act provisions, 146, 147, 179 privacy, 267 privacy advocates, 65 remailers, 72, 241, 266 removing address from direct email lists, 229, 230 security application software, 268 sexual harassment, 249 snoop proof e-mail, 266 spam, 224, 241, 258–260, 272 abatement Web sites, 260, 261 Eavesdropping, xxvi, 224, 226 Echelon system, 76, 171, 183–185, 193, 195 Electronic Communications Privacy Act, xxix, 31, 130, 133, 135, 136, 199, 200, 247, 251 Patriot Act provisions, 141–144, 150, 151, 172, 174 Electronic evidence, scope of subpoena Patriot Act provisions, 142, 172, 173 Electronic Freedom of Information Act, 130 Electronic Frontier Foundation, 63 Electronic Privacy Information Center, 63, 203 Online Guide to Practical Privacy Tools, 271 Electronic Privacy Protection Act (HR 112), 152, 153 Electronic Retailing Association (ERA), 204 Electronic signatures, 189, 262 Elensys, 56 Eli Lilly and Co., 203 Employees, 259 computer monitoring, 207, 247–250 e-mail, 200, 248–250 federal judges, 250, 251 monitoring, 206–209, 246 morale, 209, 250 offensive Web sites, blocking access to, 208, 209
pre-employment screening, 209, 210, 251 profiling, 251 smart cards, 247 surveillance of, 246, 247, 250 video, 246, 247 telecommuters, 248, 250 telephone calls, 207, 247, 249 workplace monitoring. See Workplace monitoring and surveillance Encryption, 72, 78, 189, 241, 263, 267, 271 End Racial Profiling Act of 2001 (S 989), 152, 164 Enforcement, 203 international privacy protection, 76 privacy policies, 215, 216 Enhanced Border Security Act of 2001 (HR 3205), 152, 158 Enhanced Border Security and Visa Entry Reform Act of 2001 (S 1749), 152, 166, 167 Enhanced Carnivore, 185. See also Carnivore (DCS-100 and DCS1000) Equifax, Inc., 64 privacy opinion poll, 9 ESafe Desktop 2.2, 269 Eschoo, Anna, xxiv Estonia, privacy protection laws, 88–90 Ethics, 3–5 and data mining, 57, 58 ethical use policy, xxvii guidelines for establishing ethical dilemma, 3, 4 principles, 4, 5 Ethnic profiling, 224 European Union Data Protection Directive, 73, 263 European Union (EU), 73, 77. See also International privacy protection comprehensive law model, 72 Data Directive, 73, 263 international privacy protection, 70 privacy laws and national security, 12 Evidence, preservation of, Patriot Act provisions, 150, 151, 182, 183 Experian, 64
Facial recognition, xxvi, xxviii, 50, 171, 186–190, 194, 222, 225 airport security, 225 Super Bowl, 225 Fair Credit Reporting Act (FCRA), 133, 199 Faley, Patricia, 206 Family Education Rights and Privacy Act, 133, 134 Federal Bureau of Investigation (FBI), 185 Carnivore, xxvi, 50, 171, 185, 186, 195
352 Internet traffic monitoring software, 50 Magic Lantern software, 51 Federal judges, Internet monitoring of, 250, 251 Federal-Local Information Sharing Partnership Act of 2001 (HR 3285), 152, 159, 160 Federal Trade Commission (FTC), 16, 25, 39, 130, 202, 203, 215 fair information principles and government sites, 29 identity theft, 233, 235, 236 Kidz Privacy Site, 66, 246 Operation Detect Pretext, xxii privacy initiatives, 39–43 privacy policy guidelines, 211–212, 218 privacy reports, 41–43 sample opt-out letter, 64 Web site, 67 youth-oriented Web sites, 17 Federal Wiretap Act of 1968, 226 Feinstein, Dianne, 167 Ferris, David, 259 Ferris Research, 259 Fidelity, 203 Financial Information Privacy Protection Act of 2001 (S 30), xxix, 152, 162 Financial institutions, 200 Gramm-Leach-Bliley Act. See Gramm-Leach-Bliley Act Financial Privacy and National Security Enhancement Act (HR 3068), 152, 158 Financial records, 17 Financial Service Modernization Act of 1999, xxv Fingerprints, xxviii, 186, 188, 224 Finland national ID, 192 privacy protection laws, 90, 91 Firewalls, 208, 248, 267, 271 personal, 268, 269 First Amendment, freedom of speech, 13 Fluent, 193 Food and Drug Administration and computer ID chips, 228, 229 Foreign Intelligence Surveillance Act of 1978, 226 Forrester Research, Inc., 6, 19, 210 Four11, 210 Fourth Amendment employer searches of e-mail, 248 government employees, searches, 248 private employers, 249 unreasonable search and seizure, 207 France enforcement of privacy protection laws, 76 privacy protection laws, 71, 91 Fraud. See also Identity theft
INDEX and Internet, 17 privacy advocates, 64 Freedom, 267 Freedom of Information Act (FOIA), 13, 130 and government agency protection of sensitive data, 28, 29 security threat information, 51
Gambling, 208 casinos, data collection, 39 habits, 202, 203 Gartner Group, 203, 208, 260 Gassman, Bill, 208 General Accounting Office (GAO) data sharing report, 14, 15 security management information, 46, 47 tracking technology reports, 29, 30 Georgia, law enforcement access to databases, 33 Germany enforcement of privacy protection laws, 76 national ID, 192 privacy protection laws, 71, 91, 92 Gerstner, Lou, 61 GetNetWise, 66, 246 Giant Food, 56 Globalization, 77 Globally unique identifier (GUID), 59 Glossary, 320–328 Goldberg, Ian, xxxi, xxxii Government agencies, 259 FBI. See Federal Bureau of Investigation (FBI) General Accounting Office. See General Accounting Office (GAO) Internal Revenue Service. See Internal Revenue Service (IRS) privacy notices, 29, 30 privacy policies, xxx, 29, 30, 32 privacy requirements, 30–33 protection of sensitive data, 16 and Freedom of Information Act, 28, 29 security concerns, 45 sharing of information, xxvii, 14, 15 and support of PETs, 263, 264 and use of Social Security Numbers, 234 Government Communications Headquarters (GCHQ), 183 Government intervention, 11 need for, 8, 167, 168 Government resources, privacy advocates, 67 Gramm-Leach-Bliley Act, xxiv, xxix, 56, 133, 140, 199, 200 Greece, privacy protection laws, 93 Greenburg, Eric Rolf, 208
Hackers, 14, 17, 18, 171, 258, 268 and national IDs, 192
Patriot Act provisions, 51, 141, 171, 172, 179–182 Hahn, Robert, xxiii, xxiv Hand geometry systems, 187, 224 Harrah’s Entertainment Inc., 202, 203 Hate groups, 208 Health Insurance Portability and Accountability Act of 1996 (HIPAA), xxv, xxix, xxx, 133, 139, 199, 203 cost of compliance, xxiii and facial recognition software, 188 privacy rule, 312–315 Hochhauser, Mark, 214–215 Hollings, Ernest, xxv, 18 Homeland Security Act of 2002, xxvii Hong Kong, 199 privacy protection laws, 93–95 Hotlines, privacy advocates, 65 HTML filters, 267 Huchenski, Jackie, 283, 312 Human rights violations, 76 Hungary enforcement of privacy protection laws, 76 privacy protection laws, 95, 96 Huse, James G., Jr., 191 Hush Communications, 68, 265 HushMail, 268
IBM, 61, 257 P3P Policy Editor, 269 Iceland, privacy protection laws, 96 ID chips, 228, 229 IDcide’s PrivacyWall, 269 Identification cards. See Drivers licenses; National ID system Identity management, 266 Identity theft, 26, 55, 201, 233–237, 262 and national ID, 192 privacy advocates, 64 Identity Theft Protection Act of 2001 (HR 220), 152, 153 IDsecure, 267 IDzap, 267 IEClean, 270 Illegal Immigration Act of 1996, 233 Illinois, law enforcement access to databases, 33 Immigration and Naturalization Service, 225 smart cards, use of, 247 Importance of privacy, 5–8 surveys on, 5–10 India, privacy protection laws, 97 Infomediaries, 266 Information America, 210 Information privacy. See Personal privacy Information Services Executive Council, xxii Information technology, 11, 257 rights and duties, 4 Informed consent, 20, 206
INDEX Informus, 210 Infotel, 210 INPASS program, 187 Insurance. See also Health Insurance Portability and Accountability Act of 1996 (HIPAA) MIB files, 239, 240 Interactive television, 237 Internal Revenue Service (IRS) privacy impact assessment, 47–50 and Social Security Numbers, 234 International Association for Impact Assessment (IAIA), 281 International Biometric Group (IBG), 188 International Chamber of Commerce (ICC), 73 international privacy protection, 73, 74 International privacy protection, 70 comprehensive laws, 71–73 Council of Europe (COE), 71 enforcement, 76 European Union Data Protection Directive, 73, 263 and information technology, 71 International Chamber of Commerce (ICC), 73, 74 legislation, 71 models for, 71, 72 Organization for Economic Cooperation and Development. See Organization for Economic Cooperation and Development (OECD) Privacy Exchange, 73, 74 regulatory agencies and officers, 76 safe harbor agreement, 74, 75, 258 sectoral laws, 72 self-regulation, 72 summary of laws by country, 78–130. See also individual countries technology, 72 transborder data flows, 73–75 trends, 77, 78 violations, 76, 77 Internet, 24, 25. See also E-business anonymous browsing tools, 267 anti-spam laws, 241 Canadian users, concerns of, 20 children, protection of. See Children’s Online Privacy Protection Act of 1998 (COPPA) consumer information, collection of, 204–206 consumer opinions and concerns, 5, 6, 10, 18–20, 201–203 data capture, 201, 258 domain names, 27, 245 electronic surveillance, 51 FBI monitoring software. See Federal Bureau of Investigation (FBI) on-line privacy, 240–244
353 Patriot Act. See Patriot Act of 2001 personal information, safeguarding of, 28 phone calls, xxx pre-employment screening, 209, 210 privacy concerns, xxviii, xxix, xxx, xxxi, xxxii, 28, 29, 201 Privacy in a Connected World, 284–289 and privacy legislation, 132 privacy policies. See Privacy policies privacy tools. See Privacy tools start-up companies, 206 surveillance, 17, 58. See also Patriot Act of 2001 tracking technology, 26–30 federal reports, 29, 30 Understanding Privacy in an Age of Information, 297–311 Web sites. See Web sites worms and viruses, 195 Internet Corporation for Assigned Names and Numbers (ICANN), 245 Internet Fraud Watch, 64 Internet Manager, 248 Internet Protocol (IP), 27 Internet Service Providers (ISPs) and spam, 259, 260 Invisible GIF, 261 Ireland enforcement of privacy protection laws, 76 privacy protection laws, 97, 98 Iris scanning, 186–188 Isle of Man, U.K., privacy protection laws, 99 Israel, privacy protection laws, 99, 100 Italy enforcement of privacy protection laws, 77 privacy protection laws, 100, 101
Japan enforcement of privacy protection laws, 76 membership in OECD, 74 privacy protection laws, 101, 102 self-regulation, 72 Johnson, Deborah G., 58 Junkbusters Corp., 15, 65, 194, 206, 215, 230, 265, 266 Jupiter Media Metrix, 203, 259
Kaiser Permanente, 56 Kant, Immanuel, 5 Kennedy-Kassebaum Health Insurance Portability and Accountability Act. See Health Insurance Portability and Accountability Act of 1996 (HIPAA) Kenya, national ID, 192
Kerry, John, xxv Keystroke monitoring, 19, 51, 193, 207, 248 Kids Privacy Organization, privacy policy recommendations, 212 Kidsprivacy.com, 244 Kidz Privacy, 246 Know Your Caller Act of 2001 (HR 90), 151, 152 KnowX, 210 KPMG, LLP whitepaper on privacy, 43, 44
Language translation, 193 Latvia, privacy protection laws, 102, 103 Lazar, Bart, xxiv Legislation. See Privacy laws Lewinsky, Monica, 223 Lexis-Nexis, 56, 210 Lithuania, privacy protection laws, 103 LittleBrother, 248 Lotus Development Corporation, 56 Loyalty cards, casinos and data collection, 39 Lucent Technologies Personalized Web Assistant (LPWA), xxxii Lumeria, 68, 265 Luxembourg, privacy protection laws, 104
Magic Lantern, 51 Mail, unsolicited, 229, 230 Mailing lists, 206. See also Direct Marketing Association (DMA) Mailshell, 65, 230 Malaysia, privacy protection laws, 104, 105 Marcella, Albert, 61 Marketing, xxviii, 198, 204, 230 direct marketing. See Direct marketing legislation, 199–202 and P3P technology, xxxi score, 205 Marketplace, 56 Markey, Edward, xxix Massachusetts, privacy laws, 33 Mayer, Alain, xxxii McAfee Internet Guard Dog 3.0, 269 McAfee Internet Privacy Service, 268 McAffee Firewall 2.1, 269 McCain, John, xxv, 18 Media Awareness Network, 66 Medical information, 199, 200, 237, 239, 240. See also Health Insurance Portability and Accountability Act of 1996 (HIPAA) confidentiality, 45 Metadata, 59, 60 Metromail Corporation, 56 Mexico, privacy protection laws, 105, 106
354 MIB, 239, 240 Microsoft Central Privacy Wizard, 281 Microsoft Corporation, 18, 56, 75 Military identify cards, 232 Miller, Arthur, 11 Miller, Arthur Raphael, 22 Minnesota, 56 Mixes, 266 Models for international privacy protection, 71, 72 Monster.com, 39, 202, 242 Montana, privacy laws, 33 Moral rights, 53 Muris, Timothy J., 25
Name Matching for Enforcement and Security Act of 2001 (S 1733), 152, 165, 166 National Consumer Privacy Act (HR 2730), 152, 156 National Consumers League, 243 marketing lists, tips for removing names from, 230 National Crime Information Center, 191 National Electronic Commerce Coordinating Council (NECCC) privacy policy guidebook, 31–33 risk assessment guide, 45 National Fraud Information Center, 63 telemarketing information, 227 National Hi-Tech Crime Unit (NHTCU), 11 National ID system, xxv, xxvi, 44, 171, 190–192, 232, 233 National Security Agency (NSA), 183, 184, 193 National Taxpayers Union, 192 National Telecommunications & Information Administration, 67 Natural rights, 53 Net mikes, 19 NetCoalition, 68 Netherlands, privacy protection laws, 106, 107 NetWork Tools.com, 270 Nevada, privacy laws, 33 New Economy and Technology Project, 188 New Jersey, law enforcement access to databases, 33 New York, privacy laws, 33 New Zealand, 183, 199 enforcement of privacy protection laws, 76 membership in OECD, 74 privacy protection laws, 107, 108 North Korea, 184 Northwest Cable News privacy opinion poll, 9 Norton Internet Security 2001, 268 Norton Personal Firewall 2001, 269 Norway enforcement of privacy protection laws, 77 privacy protection laws, 108, 109
INDEX 1x1 GIF, 261 Oasis, 193 Office of Management and Budget (OMB), 29 Memorandum M-99-18, privacy notices, 30, 31 policy memorandum for federal Web sites, 28 Office searches, 224 Ohio, law enforcement access to databases, 33 Omnibus Safe Streets and Crime Control Act of 1968, 130 On-Line Category of Publications Consumer and Business Education, 67 On-line Privacy Protection Act of 2001 (HR 89), 151, 152 Online Marketing Guidelines, 204 Online Privacy Alliance (OPA), 68, 211 Online privacy oversight programs privacy advocates, 61, 62 Online profiling, 205 Online Public Education Network (Project OPEN), 66, 246 Operation Opt-Out, 65, 229 Opting-in, xxv, 205, 206 Opting-out, xxv, 203–206, 215 anybirthday.com, 235 credit bureaus, sample opt-out letter, 238 direct mail lists, 229, 230 online privacy, 244 privacy advocates, 65 provisions, 18, 20, 33, 38, 39 resources, 65 Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data, 71, 211, 212, 214 international privacy protection, 71, 73, 74 Privacy Policy Generator, 213, 281
P-Trak Personal Locator, 56 P3P. See Platform for Privacy Preferences (P3P) Packet sniffing, 247 Paraguay, privacy protection laws, 109 Parker, Robert, 273 Passports, 191, 192 Passwords generators, 267 security, 189 Pathfinder, xxxi Patient Privacy Act of 2001 (HR 2615), 152, 155 Patient Safety Institute (PSI), 240 Patriot Act of 2001, 11–12, 133, 141–151, 171–183, 252–253
Anti-Terrorism Surveillance Legislation, 141 Cable Communications Policy Act, 142, 143, 173, 174 computer forensics, 151, 183 Computer Fraud and Abuse Act (CFAA), 147–150, 171, 172, 179–182 computer trespassers, 146, 147, 177, 178 computers, 151 cyberterrorism, 146, 147, 179–182 e-mail, 146, 147, 179 Electronic Communications Privacy Act, 141–144, 150, 151, 172, 174 electronic evidence, scope of subpoena, 142, 172, 173 evidence, preservation of, 150, 151, 182, 183 hackers, 51, 141, 171, 172, 179–182 Internet surveillance, 17, 58 pen register and trap and trace statute, 143–146, 173–177 voice mail, 141, 171–172 wiretaps, 11, 141, 143, 146, 147, 171–174 Peacefire.org, 241 Pearson, Harriet P., 283, 284 Pen register and trap and trace statute Patriot Act provisions, 143–146, 173–177 Pen registers, 207 Perlmutter, Howard, 194 Person, privacy of (bodily privacy), 53, 224 Personal behavior, privacy of, 53 Personal ID systems, 78 Personal Information Privacy Act of 2001 (HR 1478), 152–154 Personal privacy, 253, 254 biometrics. See Biometrics bodily privacy, 53, 224 business and government interests, 221 census information, 237 communications privacy, 224, 226 credit card fraud, 230, 231 debit card fraud, 231, 232 employee issues. See Employees ID chips, 228, 229 identity theft. See Identity theft information privacy (data protection), 224 interactive television, 237 mail, unsolicited, 229–230 medical privacy, 237, 239, 240 national ID cards. See National ID system on-line privacy. See Internet and personal freedom, xx, xxv, xxvi, xxvii, xxviii, 222 prior to computer age, xx and September 11, 251–253. See also September 11, 2001
INDEX surveillance, 228 technology, effect of, 222–224 telephone calls, 226–228 territorial privacy, 224 threats to, 224 Personally identifiable information, 197, 198 Peru, privacy protection laws, 109, 110 Pew Internet and American Life Project, 6, 18 Philippines, privacy protection laws, 110, 111 Pitofsky, Robert, xxvi, 215 Pixel tags, 204, 205 Platform for Privacy Preferences (P3P), xxxi, 18, 204–205, 243, 269 Poland, privacy protection laws, 111, 112 Police powers, 11, 12 Polygraph Protection Act, xxix Polygraph testing, 208 Pornography, 208 and workplace, 249, 250 Portugal, privacy protection laws, 113, 114 Preference marketing, 205 Preston, Tate, 192 Pretexting, xxii PricewaterhouseCoopers on-line privacy survey, 5, 6 Privacilla.org, 16 Privacy, defining, xix, xx, 1–3, 197, 222 Privacy, types of, 53, 54 Privacy Act of 1974, 30, 129, 133, 134, 199, 237 Privacy Act of 2001 (S 1055), 152, 164, 165 Privacy advocates, 60, 61 advocacy organizations, 62–64 business watch organizations, 64 credit reports and credit cards, 64 fraud and identity theft, 64 government resources, 67 hotlines, 65 junk e-mail, 65 online privacy oversight programs, 61, 62 opting out, 65 parents and children, 66, 67 privacy enhancing technologies, 68. See also Privacy enhancing technologies (PETs) trade organizations, 67, 68 Privacy Commission Act (HR 583), 152, 153 Privacy Companion, 268 Privacy concerns, xxi, xxii Privacy enhancing technologies (PETs), xxxi, xxxii, 262, 263 government role, 263, 264 PET providers, 265 privacy advocates, 68 private sector initiatives, 264, 265 Privacy Exchange, 73, 74
355 Privacy Foundation, 39, 187, 202, 242 Privacy impact assessment, 281, 282 executive overview, 332–336 IRS, 47–50 PIA tool, 337–348 Privacy interests, balancing against other interests, 54 Privacy International, 63, 188, 192, 233, 241 Privacy laws, 16–18. See also specific legislation compliance with, 257 consumer beliefs, 202 cost of compliance with privacy legislation, 18 federal legislation existing, 71, 129, 130, 133–151, 199–200 proposed, xxiv, xxv, 38, 39, 151–167, 245 goals of, 16, 17 international privacy protection, 76, 77 proactive response required, 20 reactive nature of, 16 Privacy notices, xxxi, 26, 29, 30, 33–39, 202, 205, 211–213 Privacy policies, xxi, xxii, 7–8, 25, 43, 60, 202, 204–205, 218, 219, 243, 273 assessment and feasibility, 277 business direction and alignment, identifying, 276, 277 communicating, 44 complaint resolution process, 216 developing, 210–215 contents of, 211–213 steps, 274–280 understandable and meaningful policy, 214, 215 drafting, Web site policy generator, 213 e-business. See E-business enforcing, 215, 216, 280 evaluation and acceptance of, 278, 279 federal Web sites, 29, 30 implementing, 215, 279, 280 individual company policies, online viewing, 281 informed consent, 20 NECCC privacy policy guidebook, 31–33 privacy impact assessment, 281, 282 privacy strategy, designing, 277, 278 project initiation, 274–276 regulatory requirements, 214 software programs (generators), 267, 280, 281 successful development of, 274 ToysRus, 242 violations of, consumer attitudes toward, 6
workplace monitoring, 208 Privacy protection, 258 approach to, 54 background, xx, xxi childen. See Children economic impact, xxii, xxiii, xxiv international issues. See International privacy protection legislation. See Privacy laws personal responsibility, xxxi, xxxii, 54–55 privacy advocates, 60–68 privacy concerns, xxviii, xxix, xxx, xxxi, xxxii Privacy Protection Act of 1980 (PPA), 133, 135 Privacy Rights Clearinghouse, 63, 236, 243 Privacy-rights manager, 266 Privacy risk management, 44 Privacy seal programs, third-party certification, 216–218 Privacy tools basic steps, privacy protection, 271, 272 privacy enhancing technologies (PETs), 68, 262–266 types of, 266–271 Privacy versus security, 194 Privacy XM, 243 Privacy.net, 270 PrivacyRight TrustFilter, 269 PrivacyX, 68, 265, 268 PrivadaControl, 267 Privaseek, 68, 265 Profiling consumer profiling, 262 employee, 251 racial and ethnic, 224 software, 204, 269 Progressive Policy Institute, 188 Property rights, 4 Protected health information (PHI), 312–315 Protecting Civil Rights for All Americans Act (S 19), 152, 160, 161 Proxy servers, xxxii, 72 Proxymate, 266 Psychological testing, 208 Public domain information, 197–198, 210 Public Key Infrastructure (PKI), 189 Public Safety and Cyber Security Enhancement Act of 2001 (HR 2915), 152, 156, 157 Pulse pieces, 283–319
Quittner, Joshua, xxxi R. R. Donnelly and Sons, Co., 56 Racial profiling, 224 RealNetworks, 201 Recruiters Online Network, 242 Regan, Thomas, 215
356 Regulatory agencies and officers, international privacy protection, 76 Reich, Robert B., 251 Remailers, anonymous, 72, 241, 266 Resources, suggested readings, 329–331 Restore Your Identity Act of 2001 (S 1742), 152, 166 Retail stores, use of video surveillance, 228 Retina scans, 224. See also Biometrics Right to Financial Privacy Act, 133–135 Rights and duties, 4 Risk management, 45–47 Rosenbaum, Joseph I., 283, 297 Russia, privacy protection laws, 114, 115
Safe Harbor agreements, 130, 258 international privacy protection, EU and U.S., 73–75 SafeMessage, 268 SafeWeb, 267 Sageza Groups, 7, 39 Sarbanes, Paul S., xxix Satellite surveillance, 228 Schools, 17 Scientific and Technical Options Assessment (STOA), 183 Search engines, 19 Sears CRM system, 39 Seattle Times privacy opinion poll, 9 Sectoral laws, 199 international privacy protection, 72 Secure Assure Privacy Profile Wizard, 281 Secure Computing, 189 Securities and Exchange Commission (SEC), cybersecurity issues, 51 Security, 2, 3, 5, 44–50 goals of, 44, 45 Internal Revenue Service privacy impact assessment, 47–50 management, 45, 46 and personal privacy, xxv, xxvi physical security, 25 prior to computers, xx privacy compared, 43, 44 versus privacy protection, 11, 12, 21 risk management, 45–47 Self-regulation, 19, 167, 198, 213, 215 international privacy protection, 72 September 11, 2001 airport security. See Airport security impact of, xxv, xxvi, 5, 7, 8, 11, 21, 24, 51, 170, 171, 190, 209, 224 Internet surveillance laws, 17 and Patriot Act, 12 and personal privacy issues, 251 and use of national ID cards, 232
INDEX Sexual harassment e-mails, 249 Shen, Andrew, 203 ShieldsUp!, 271 Singapore privacy protection laws, 115, 116 self-regulation, 72 Slovakia, privacy protection laws, 116, 117 Slovenia, privacy protection laws, 118 Smartcards, 19, 72, 78, 232 employee ID cards, 247 Smith, Richard, 187 Smith, Robert Ellis, 192, 222 Smith’s Foods, 201, 202 Sniffer devices, 184 Social Security Administration, 191 Social Security numbers, xxv, 190–191, 203, 233, 272 and identity theft, 233–235 Social Security On-line Privacy Protection Act (HR 91), 152, 153 Software biometric, 19. See also Biometrics cookie managers, 268 disk/file erasing programs, 267 e-mail security, 268 FBI programs. See Federal Bureau of Investigation (FBI) packet sniffers, 247, 248 personal firewalls, 268, 269 privacy enhancing technologies (PETs), 265 privacy policy generators, 267, 280, 281 and privacy regulations, 257 privacy tools, 257, 258, 270, 271 profiling, 204 stealth software, 56 tools that detect net privacy problems, 269 South Africa, privacy protection laws, 119, 120 South Korea, privacy protection laws, 120, 121 Spain national ID, 192 privacy protection laws, 121, 122 suit against Microsoft, 75 Spam, 224, 241, 258–260, 272 abatement Web sites, 260, 261 spambots, 260 Spamex, disposable e-mail address, 65, 230 SpyCop, Inc., 270 Spyware Control and Privacy Protection Act of 2001 (S 197), 152, 162 Starr, Kenneth, 223 State government. See also individual states agency Web sites, 30, 32 privacy issues, 33–38 Stealth Keylogger Pro, 248 Steganography, 266
Steganography Tools, 267 Steinhardt, Barry, 225 Student Privacy Protection Act, 17 Subdimension, 267 Surf anonymously, 267 SurfWatch, 248 Surveillance, 224. See also Communications; Employees; Wiretaps Internet, 17, 58 new technology, 253 video and satellite, 228, 246, 247 Sweden enforcement of privacy protection laws, 77 privacy protection laws, 71, 122, 123 Swindle, Orson, 16 Switchboard, 210 Switzerland enforcement of privacy protection laws, 77 privacy protection laws, 123, 124
Taiwan, privacy protection laws, 124, 125 Technology, 24 computers. See Computers effect of on demand for privacy, 10, 11 international privacy protection, 72 methods employed to obtain information, 19 new technology, 50, 51 privacy protection, 72 Web sites. See Web sites Telecommunications Act of 1996, 133, 139 Teledata Communications Inc., 233 Telemarketing, 56, 224 unwanted telephone calls, 226–228 Teleology, 4 Telephone calls. See also Pen register and trap and trace statute; Wiretaps employees, 207, 247, 249 employer policies, 208 employer surveillance, 247 pen registers, 207 unwanted or threatening, 226–228 Telephone Consumer Protection Act of 1991 (TCPA), xxx, 133, 138, 199 Telephone directories online, 210 Telnet encryption, 267 TEMPEST, 193 Terrorism, xxvi, 11, 17, 194, 195, 251–253. See also September 11, 2001 bioterrorism, 157 and Patriot Act. See Patriot Act of 2001 Terrorists, xxvi, 190 and use of facial recognition systems, 50 use of Internet to monitor, 51
INDEX Texas privacy laws, 33 privacy policies, 33, 34 Thailand enforcement of privacy protection laws, 76 privacy protection laws, 125, 126 Thieme, Michael, 188 Thumb scans, 224 Tivoli/SecureWay Privacy Manager, 269 Tivoli systems, 257 Total Information Awareness (TIA) database, xxvii, xxviii Toysrus.com, 39, 242 Trade organization privacy advocates, 67, 68 Trans Union Corporation, 64 Transactional data, 198 Transborder data flows, international privacy protection, 73–75 Transient Electromagnetic Pulse Emanation Standard (TEMPEST), 193 Transportation Security Administration (TSA), 252 Traveler IDs, 225 Trust, 2, 5, 211 loss of trust in business, 16, 201–203 online business, 203 and security concerns, 45 TRUSTe, 61, 62, 201, 213, 216, 217, 242, 243, 271 Privacy Statement Wizard, 281 Turkey, privacy protection laws, 126, 127
Ukraine, privacy protection laws, 127, 128 Unfair and deceptive business practices, 203 United Kingdom, 183 Data Protection Act, 11 enforcement of privacy protection laws, 76 National Hi-Tech Crime Unit (NHTCU), 11 privacy protection laws, 128, 129 Regulation of Investigatory Powers (RIP) Act, 11 United States Echelon system, use of. See Echelon system federal legislation existing, 71, 129, 130, 133–151, 199, 200 proposed, xxiv, xxv, 38, 39, 151–167, 245 membership in OECD, 74 sectoral laws, 72 self-regulation, 72 United States Department of Justice identity theft victims, 236 kidspage, 246 U.S. Bank, 56
357 U.S. Constitution, 2 U.S. Consumer Gateway, 67 U.S. Privacy Council, 63 U.S. Public Interest Research Group, 63, 64 USA Patriot Act. See Patriot Act of 2001 User logs (web logs), 26–28 USO Software, Inc., survey results, 10 Utah, privacy laws, 33 Utilitarianism, 4
Value of information, 10 VeriSign, 189 Video Privacy Protection Act of 1988, xxix, xxx, 16, 133, 138, 199 Video surveillance, 228 Viruses, 268 Visa Entry Reform Act of 2001 (HR 3229), 152, 159 Visionics, 225 Voice mail, 247 employees, 207, 208 Patriot Act provisions, 141, 171–172 Voice privacy, 267 Voice recognition, 224 Vons, 56, 57
Wagner, David, xxxi Washington privacy laws, 35 privacy policies, 33 privacy policy notice, example, 35–38 Watchfire Corporation, 242 Watchfire WebCPO, 269 Web beacon, 205 Web bugs, 28, 241, 261 America Online, 39 Bugnosis Web Bug Detector, 267 Web cams, 19, 50 Web encryption, 267 Web logs (user logs), 26–28, 244 employee monitoring, 208 Web sites anonymous browsing tools, 267 anybirthday.com, 234 appendices online, 349, 350 click stream monitoring, 57, 201 collecting personal data from children, 17, 30 consumer consent legislation, 18 cookie managers, 268 cost of compliance with privacy legislation, 18 e-mail security applications, 268 federal government sites, 29, 30 International Chamber of Commerce, 74 offensive, blocking access to, 208, 209 P3P technology, 18
personal firewalls, 269 pre-employment screening, 209, 210 privacy enhancing technologies. See Privacy enhancing technologies (PETs) privacy notices. See Privacy notices privacy policies. See Privacy policies privacy policy generators, 267, 280, 281 privacy problems, tools for detecting, 269 privacy requirements, 30–33 privacy resources, 61–68 privacy tools, 270, 271 spam abatement, 260, 261 state agencies, 30, 32 NECCC privacy policy guidebook, 31–33, 45 tracking technology, 26–30, 241 Web servers and data captured, 59, 60 wiley.com, online appendices, 349,350 WebTrust, 62, 216–218 WebXM, 242, 243 WhoWhere, 210 Wide area networks (WANs), 10 Window Washer, 270 Wired Kids, 67, 246 Wiretap Act, 31, 226 Wiretaps, xxx, 76, 78, 171, 224, 226, 247 Federal Wiretap Act, 31, 226 infrared technology, 130 Patriot Act provisions, 11, 141, 143, 146, 147, 171–174 Woodbury, Marsha, 209, 250 Workman, Jim, 206 Workplace monitoring and surveillance, 19, 194, 206–210, 247–250 e-mail, 13, 200, 207, 208, 248–250 and morale, 209, 250 offensive Web sites, blocking access to, 208, 209 privacy policies, 208 survey, 13, 14 World Trade Center attack. See September 11, 2001 World Wide Web Consortium, xxxi, 205
Yahoo, consumer privacy preferences, 55 Yankee Group, 241
Zero-Knowledge Systems, 68, 265 ZixMail, 268 Zona Research, 7 ZoneAlarm 2.1, 269 ZoneAlarm Pro 1.0, 269