Chapter Three: Existing Privacy Protections

The nature of the Internet poses a variety of challenges to our traditional, top-down methods of implementing policy and controlling behavior. Providing seamless privacy protection for data as it flows through this international network requires a careful reconsideration of the business community's interest in promoting commerce, the government's interests in fostering economic growth and protecting its citizens, and the interest of individuals in protecting themselves from intrusive overreach by government and the private sector. It requires the use of all of the tools at our disposal -- international agreements, legislation, self-regulation, public education, and the technology itself -- to protect the right to privacy of Internet users.

The Courts and Privacy

"The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men - the right to be let alone."- Louis Brandeis

One may be surprised to learn that the right to privacy is not an explicit Constitutional right. Louis Brandeis and Samuel Warren developed the notion of privacy as a legal concern in their pivotal article "The Right to Privacy," published in the Harvard Law Review in 1890. In 1928, in Olmstead v. United States, Brandeis dissented from his Supreme Court colleagues and argued that wiretaps without a warrant should be illegal. His famous dissent held that the Fourth Amendment forms the basis of a right to privacy.

The majority opinions of the court, in terms of privacy, started to shift in the late 1950s. The Supreme Court recognized privacy interests such as "associational privacy" (NAACP v. Alabama, 1958), "political privacy" (Watkins v. United States, 1957; Sweezy v. New Hampshire, 1957), and the "right to anonymity in public expression" (Talley v. California, 1960). In 1967, in the landmark case Katz v. United States, the Supreme Court sided with Brandeis' earlier judgment on wiretaps and declared that citizens have a "reasonable" and "legitimate" expectation of privacy in their communications as a central part of the Fourth Amendment. In the 1960s and 1970s, the Supreme Court extended the concept of privacy to include personal decisions concerning reproduction, sex, and marriage. In Griswold v. Connecticut (1965), the Court decided that citizens' fundamental right to privacy prohibits the criminalization of birth control. Justice Douglas stated in the majority opinion that the First, Third, Fourth, Fifth, and Ninth Amendments create penumbras of privacy. In Whalen v. Roe (1977), the Supreme Court held that the Fourteenth Amendment protects the privacy of certain information, in that case sensitive prescription drug data collected by the state. The Whalen Court stated that the constitutionally protected zone of privacy involves two types of interests: the "individual interest in avoiding disclosure of personal matters," or informational privacy, and the "interest in independence in making certain kinds of important decisions." The majority of Circuits recognize both privacy interests.

See Crawford v. United States Tr., 194 F.3d 954, 959 (9th Cir. 1999). See also Doe v. Attorney General, 941 F.2d 780, 795 (9th Cir. 1991). Accord Fadjo v. Coon, 633 F.2d 1172, 1175-76 (5th Cir. 1981); Plante v. Gonzales, 575 F.2d 1119, 1132-34 (5th Cir. 1978); United States v. Westinghouse, 638 F.2d 570, 577 (3d Cir. 1980); Barry v. City of New York, 712 F.2d 1554, 1559 (2d Cir. 1983). Cf. J.P. v. DeSanti, 653 F.2d 1080, 1090 (6th Cir. 1981) (rejecting a construction of Whalen that recognizes informational privacy as a constitutionally protected interest).

Since the 1970s, the courts have had an ambivalent relationship with privacy. The modern concept of privacy as the right of individuals to control information about themselves has not been fully protected by the courts, but some protections have been added. In Greidinger v. Davis (1993), for example, a federal appeals court declared unconstitutional Virginia's requirement that one's Social Security number be provided before a citizen may register to vote.

Legislative Protections

In the United States, privacy rights have developed in the form of a patchwork of industry and sector-specific statutes. Legislation designed to protect the right to privacy from private and government sector infringement includes:

  • Privacy of communications (the 1986 Electronic Communications Privacy Act and the Telephone Consumer Protection Act of 1991);
  • Privacy of financial information (the 1970 Fair Credit Reporting Act);
  • Privacy of government collections (the Privacy Act of 1974);
  • Privacy of medical records (the Health Insurance Portability and Accountability Act of 1996);
  • Privacy of other personal records (the Video Privacy Protection Act of 1988).

CDT's Guide to Existing Federal Privacy Laws.

Executive Branch Agencies

Regulating online privacy has been a difficult challenge for the executive branch of the federal government. While many federal agencies struggle to comply internally with the Privacy Act, agencies such as the Federal Trade Commission (FTC) are laying out a privacy landscape for the private sector. Other federal participants in the consumer privacy debate include the White House Office of Management and Budget (OMB) and the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce.

In the past 30 years, the federal government has engaged in a wide range of privacy initiatives. For a comprehensive listing of federal privacy agencies, and their recommendations regarding privacy, read CDT's May 2000 testimony.

FTC Initiatives

Since April 1995, the Federal Trade Commission (FTC) staff has held numerous hearings and workshops on Internet privacy and has issued a number of surveys, studies and reports. The FTC's June 1998 survey of Web sites revealed an overwhelming lack of action on the part of industry toward addressing the issue of privacy. As a result, CDT called upon the FTC to immediately commence regulatory proceedings to establish enforceable rules to protect the privacy of all Americans online.

In August 1998, the FTC set a historic precedent and highlighted the need for uniform privacy rules by settling with GeoCities, a company that provided free email and Web accounts to Internet users. FTC and GeoCities agreed to settle their dispute over GeoCities' practices with regard to the collection and disclosure of customer information. While the GeoCities case showed that the FTC could use its existing authority to protect privacy, the need persisted for a broader, public effort to adopt baseline privacy rules that could be enforced by the FTC.

In February 1999, following initial discussions with the FTC, privacy and consumer groups filed a complaint against Intel, a dominant computer chip maker. Intel had built into the Pentium III chip a unique, software-readable Processor Serial Number that could be used to track computers across the Internet. Intel dropped the feature from later processors.

The Children's Online Privacy Protection Act was enacted in 1998 to protect children's personal information from misuse by commercial Web sites. In May 1999, the FTC announced a settlement with the Liberty Financial Companies, Inc., which had been misrepresenting its practices regarding the collection of personal information from children, including their family's income and finances. In October 1999, the FTC released its Final Rule on the Children's Online Privacy Protection Act, which requires Web sites directed to children under 13 to obtain parental consent before collecting personal information. The Act gives the FTC authority to regulate companies that collect information from minors without "verifiable parental consent."

In November 1999, the FTC examined online profiling, the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online, and using the resulting profiles to create targeted advertising on Web sites. CDT's testimony to the FTC concluded, "The profiling activities of these advertising networks pose a significant risk to consumers' privacy." In February 2000, CDT and other privacy advocates filed a Statement of Additional Facts and Grounds for Relief with the FTC, noting that sensitive information including video titles, salaries, and search terms was being passed to DoubleClick, an Internet advertiser. The filing asked the FTC to bar DoubleClick and other businesses from tying individuals' names and addresses to information collected online. In March 2000, DoubleClick announced that it would not move forward with its plans to tie personally identifiable information to Internet users' online surfing habits until government and industry reached a consensus on privacy rules for the Internet.

In July 2000, the FTC voted to seek a preliminary injunction against Toysmart.com, which planned to sell customer data as it searched for a buyer for the business, despite a guarantee not to share the information. Later that month, the FTC announced a settlement which forbade the sale of Toysmart.com's customer database except under very limited circumstances to a "qualified buyer." The FTC defined a qualified buyer as a company in a similar market that agrees to abide by Toysmart.com's privacy policy and to be named successor-in-interest regarding the purchased customer data.

On May 23, 2000, after several years of relying on a self-regulatory approach, the Federal Trade Commission issued a report to Congress asking for the authority to regulate online privacy. While the report noted that an increasing number of Web sites now post privacy policies, it also noted that only 20% of those policies incorporate the FTC's fair information practices.

In June and July of 2000, the FTC issued a two-part report on online profiling and industry self-regulation. The Commissioners unanimously commended the Network Advertising Initiative (NAI) for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data. The July report also asked Congress to enact baseline legislation to protect consumer privacy.

More resources:

In January 2004, the FTC released its annual report detailing consumer complaints about identity theft and listing the top ten fraud complaint categories reported by consumers (press release and report).

Executive Office of the President

In 1999, the Office of Management and Budget (OMB) created the office of the Chief Counselor for Privacy to coordinate the federal government's response to privacy issues. Peter P. Swire, a professor of law at Ohio State University and internationally recognized expert on privacy issues, was appointed as the first person to hold the position in the OMB's Office of Information and Regulatory Affairs, which oversees implementation of the Privacy Act of 1974. The Chief Counselor for Privacy coordinates the efforts of federal government agencies to address privacy issues.

The OMB's Office of Information and Regulatory Affairs Web Site

In February 2003, the Bush administration issued the National Strategy to Secure Cyberspace, a report outlining steps the government, citizens, and consumers should take to protect systems from online attacks. The final document directs the government to "lead by example by tightening the security of federal information systems."

Technical Initiatives

Technologies designed to meet the information needs of government and business have effectively deprived private individuals of the power to control their personal information. In addition to facilitating the collection of detailed personal data, communication technologies have enabled collectors to share data between themselves for a wide range of purposes. Moreover, information technologies have enabled collection, sharing and distribution of personal information without the knowledge or consent of online users.

Today, most privacy protection online -- if it exists at all -- takes the form of a lengthy privacy policy. Although these notices purport to protect sensitive private data, many of them contain fine-print provisions that explain how information is, in fact, disclosed and used for other purposes.

Yet technology can be designed to empower users to make decisions about the collection, use and disclosure of personal information every time they go online. Some tools protect privacy by cloaking information likely to reveal identity, or by decoupling that identity information from the individual's actions and communications. Privacy technologies may, for example, conceal a user's identity by hiding the originator and recipient of a message from intermediate points in the network. Other technical tools make it possible to browse the World Wide Web without revealing one's identity and to purchase goods with the anonymity of cash.

Strong encryption is the backbone of technological protections for privacy. It protects the contents of a communication; who is talking to whom, when, and how much usually remains visible to the network unless further measures, such as the anonymizing tools described below, are used.

For a comprehensive list of privacy products and services, view CDT's Resource Library. The following is an outline of the major technical concepts and initiatives.

Platform for Privacy Preferences Project (P3P)

On June 21, 2000, major Internet companies offered the first public demonstration of a new generation of Web-browsing software designed to give users more control over their personal information online. The new products are based on the Platform for Privacy Preferences Project (P3P), a specification developed by the World Wide Web Consortium (W3C), the standard-setting body for the Web. P3P defines a machine-readable (XML) format in which a Web site states what data it collects, for what purposes, who receives it and how long it is kept, plus a "compact policy" form of the same statements that can be sent in an HTTP response header.

P3P is designed to give Internet users a clear understanding of how personal information will be used by a particular Web site. P3P provides Web site operators with a language to explain their privacy practices to visitors. Users can configure their browsers or other software tools so that they are notified whether a Web site's policy matches their pre-set preferences, or so that cookies from sites whose policies do not match are refused. P3P enables parents to set privacy rules that govern their children's activities online. Once Web sites and Internet users can better communicate about privacy, consumers will be able to make better judgments about which Web sites respect their privacy concerns. A P3P policy is, however, only the site's own statement of its practices; nothing in the protocol verifies that the site actually behaves as declared.
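
The compact-policy half of P3P is small enough to work through in code. The example below is added here and is not taken from the W3C specification or from any browser: it parses the CP="..." tokens a server sends and checks them against a user's preferences, much as Internet Explorer 6 did when deciding whether to accept a site's cookies. The token vocabulary is the W3C P3P 1.0 one; the preference set (which purposes and recipients must be opt-in, and that indefinite retention is refused) and the two sample headers are assumptions made for the illustration.

```python
import re

# Part of the P3P 1.0 compact-policy vocabulary (W3C P3P 1.0 specification).
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}

# Assumed user preferences for this example: these purposes and recipients are
# acceptable only when the site makes them opt-in (suffix "i"); indefinite
# retention is never acceptable.
PREFS = {
    "deny_purposes": {"TEL", "OTP", "IVA", "IVD", "CON"},
    "deny_recipients": {"UNR", "PUB", "OTR"},
    "deny_retention": {"IND"},
}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def parse_cp(header_value):
    """Parse the value of a P3P response header into {token: qualifier}.

    Qualifiers: "a" = always (also the default when no suffix is present),
    "i" = opt-in, "o" = opt-out.
    """
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        raise ValueError("no compact policy (CP=...) in header")
    policy = {}
    for tok in m.group(1).split():
        m2 = TOKEN_RE.match(tok)
        if not m2:
            raise ValueError(f"malformed compact-policy token {tok!r}")
        base, qual = m2.groups()
        policy[base] = qual or "a"
    return policy


def violations(policy, prefs=PREFS):
    """Return the sorted list of policy tokens that conflict with prefs.

    An empty list means the declared policy is acceptable.  The policy is only
    the site's own claim: nothing here verifies that the site behaves that way.
    """
    bad = []
    for tok, qual in policy.items():
        if tok in RETENTION:
            if tok in prefs["deny_retention"]:
                bad.append(tok)            # retention tokens carry no qualifier
        elif tok in prefs["deny_purposes"] or tok in prefs["deny_recipients"]:
            if qual != "i":                # opt-in leaves the choice to the user
                bad.append(tok + qual)
    return sorted(bad)


def accept_cookies(header_value, prefs=PREFS):
    """True if a browser applying prefs would accept cookies from this response."""
    return not violations(parse_cp(header_value), prefs)


# Constructed sample headers, in the form a server sends them (assumed values).
SITE_A = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR NOR"'
SITE_B = 'CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR SAMo UNRo BUS IND"'

if __name__ == "__main__":
    for name, hdr in (("site A", SITE_A), ("site B", SITE_B)):
        verdict = "accept" if accept_cookies(hdr) else "reject"
        print(name, verdict, violations(parse_cp(hdr)))
```

Site A declares that it collects no identifiable data and retains nothing, so it passes. Site B is rejected because it claims individual analysis, contact and telemarketing purposes and sharing with unrelated parties on an opt-out basis only, and keeps the data indefinitely; the list of offending tokens is what a browser would show the user as the reason.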

W3C held a workshop in November 2002 to discuss the future of P3P. Participants determined that the next steps involved creating a working group to address issues such as adding an element to indicate agent status and clarifying ambiguities in the specification. Enforcement mechanisms for P3P policy violations were not addressed, and some critics consider their absence a major drawback of P3P. However, as W3C is not a regulatory body, P3P should be viewed as a complement to current laws and other self-regulatory programs that do have enforcement mechanisms.

Visit the P3P Web Site. Also, view a detailed analysis of P3P in Volume 6, Number 10 issue of the CDT Policy Post.

Proxies and Firewalls

Proxies and firewalls are technological barriers between a computer and the Internet that allow communications only under certain circumstances and block certain types of communications entirely. There are two main types: third-party proxy servers (e.g. "The Anonymizer" service, described below) and firewall routers.

A proxy can be set up to block cookies, junk e-mail, Java, ad banners, the kinds of traffic used by intruders attempting to break into computers, and so on. There are several third-party proxy servers that can be accessed on the Internet.

Firewalls can be set up, via hardware or software, to filter data according to the user's preferences. For example, you may establish "rules" to block all cookies from a certain domain or to reject communications from a specified e-mail server.

For a listing of available proxies, see CDT's Resource Library.

For a listing of available firewalls, see CDT's Resource Library.

Anonymizers

Anonymizers are Internet tools developed by the private sector to strip out personal information in order to protect user privacy. One such tool is "The Anonymizer" service, which lets you browse the Web through an intermediary: the destination site sees the intermediary's address and request headers rather than yours, so it cannot gather your personal information directly. The intermediary itself, of course, sees everything it relays, so the user is trusting the proxy operator instead of the destination site, and any embedded content the proxy fails to rewrite will cause the browser to connect directly and reveal the user's real address.

For a listing of available anonymizers, see CDT's Resource Library.

Cookies

An Internet "cookie" is a small piece of text that a Web site, by way of the browser, stores on your computer and that the browser sends back to that site on later requests. Cookies carry information such as login or registration data, online "shopping cart" selections, user preferences, or an identifier that lets the site recognise the same browser across visits. Because the browser returns a cookie with every later request to the domain that set it, a third party whose content (an ad banner, for instance) is embedded on many sites can use one cookie to recognise the same browser across all of them, which is the mechanism behind the profiling discussed above.

The Internet Engineering Task Force (IETF), a major Internet standards body, has issued two complementary RFCs (RFC 2964, a best-current-practice document on the use of cookies, and RFC 2965, the revised specification, both descended from the original Netscape cookie format) that encourage software makers to design cookies in ways that give users more control. These documents lay out guidelines for the use of cookies, suggesting that programmers should make sure that:

  1. The user is aware that a cookie is being maintained and consents to it,
  2. the user has the ability to delete cookies associated with a Web visit at any time,
  3. the information obtained through the cookie about the user is not disclosed to other parties without the user's explicit consent, and
  4. cookie information itself cannot contain sensitive information and cannot be used to obtain sensitive information that is not otherwise available to an eavesdropper.
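
The firewall rules described above and the four IETF guidelines can be combined into one cookie filter. The following is an added example, not code from CDT, the IETF or any browser vendor: it parses a Set-Cookie header, rejects cookies whose Domain attribute does not cover the server that sent them, applies a per-domain block list, refuses third-party cookies, and refuses any cookie whose value looks like an e-mail address, Social Security number or card number (guideline 4). The block list, the sample headers and the two-label approximation of a site's registrable domain are assumptions; a real browser uses the public-suffix list for that last step.

```python
import re
from urllib.parse import unquote


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(host, domain):
    """True when host is domain itself or a sub-domain of it (RFC-style suffix match)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def site_of(host):
    """Crude registrable domain: the last two labels.  An assumption for this
    example; a real browser consults the public-suffix list (co.uk and so on)."""
    return ".".join(host.lower().split(".")[-2:])


# Patterns for values that should never travel in a cookie (guideline 4).
SENSITIVE = (
    ("e-mail address", re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")),
    ("SSN-like number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("card-like number", re.compile(r"\b\d{13,16}\b")),
)

# Assumed user rules, in the spirit of the firewall rules described above.
RULES = {
    "blocked_domains": {"tracker-example.net"},
    "reject_third_party": True,
}


def decide(set_cookie, response_host, page_host, rules=RULES):
    """Return ("accept"|"reject", reason) for one Set-Cookie header.

    response_host: the server that sent the header.
    page_host:     the site shown in the address bar.
    """
    cookie = parse_set_cookie(set_cookie)
    domain = cookie["attrs"].get("domain", response_host).lstrip(".").lower()

    # A server may only set cookies for itself or a parent domain of itself.
    if not domain_matches(response_host, domain):
        return "reject", f"Domain={domain} does not cover responding host {response_host}"
    if any(domain_matches(domain, blocked) for blocked in rules["blocked_domains"]):
        return "reject", f"{domain} is on the block list"
    if rules["reject_third_party"] and site_of(response_host) != site_of(page_host):
        return "reject", f"third-party cookie from {response_host} on {page_host}"
    for label, pattern in SENSITIVE:
        if pattern.search(unquote(cookie["value"])):
            return "reject", f"value looks like {label}"
    return "accept", f"{cookie['name']} for {domain}"


# Constructed sample responses: (Set-Cookie header, responding host, page host).
SAMPLES = [
    ("session=7c1e9a; Path=/; HttpOnly", "www.example.com", "www.example.com"),
    ("uid=XYZ123; Domain=.tracker-example.net; Expires=Fri, 01 Jan 2010 00:00:00 GMT",
     "ads.tracker-example.net", "www.example.com"),
    ("aid=55; Domain=.adnet-example.org", "img.adnet-example.org", "www.example.com"),
    ("user=jane%40example.org; Domain=example.com", "www.example.com", "www.example.com"),
    ("t=1; Domain=other-example.org", "www.example.com", "www.example.com"),
]

if __name__ == "__main__":
    for header, responder, page in SAMPLES:
        print(decide(header, responder, page))
```

Only the first sample survives: the second hits the block list, the third is a cookie set by an ad server embedded in someone else's page, the fourth carries an e-mail address in the clear, and the fifth tries to set a cookie for a domain the responding server does not belong to. The order of the checks matters; the domain-coverage test comes first because a cookie that fails it is malformed regardless of the user's preferences.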

CDT's advice on rejecting unnecessary cookies in our Top Ten Ways to Protect Your Privacy Online.

For a listing of available cookie management tools, see CDT's Resource Library.

System Cleaners

System cleaners are software that a consumer can purchase to remove the records of PC and Internet activity stored in the browser cache, history folder and cookie files, so that they do not leave Web trails on the local machine. They erase only the local copy: the records kept by the sites visited, by the ISP and by any advertising networks are unaffected.

For a list of available system cleaning software, see CDT's Resource Library.

Web Beacons

Also known as web bugs, pixel tags or clear GIFs, web beacons are tiny, usually invisible images (typically a transparent 1x1 GIF) embedded in a Web page or HTML e-mail message. The image itself carries nothing; the data transfer happens when the browser or mail client fetches it from the tracker's server, because that request reveals the fetching computer's IP address, the time, the referring page, any cookie previously set by that server and whatever identifiers the page author placed in the image URL. In an e-mail, the fetch also confirms that the address is live and that the message was opened. Web site owners can use web beacons to collect user information without the user's knowledge or prior permission. The Network Advertising Initiative has released a set of guidelines [pdf] that asks advertisers to give consumers prior notice about the use of web beacons, as well as information about what data is being collected and for what purpose. The guidelines are used by privacy seal organizations, such as TRUSTe, to govern their web beacon policy.
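
A practitioner checking a page for beacons looks for the combination of signals described above: an image that is invisible and that, when fetched, carries data to a third party. The detector below is an added example, not code from the NAI or any seal program; it scans HTML for <img> tags that are 1x1 or hidden by style and that either point at a third-party host or carry parameters in their URL. The sample page and its host names are constructed for the illustration, and the two-label approximation of a site's domain is an assumption (a real tool would use the public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def _is_tiny(attrs):
    """True for 1x1 images declared through width/height attributes or inline style."""
    w = attrs.get("width", "").strip().lower().rstrip("px")
    h = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w == "1" and h == "1") or ("width:1px" in style and "height:1px" in style)


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class BeaconFinder(HTMLParser):
    """Collect <img> tags that look like tracking beacons."""

    def __init__(self, page_host):
        super().__init__()
        # Crude registrable domain (last two labels): an assumption for this example.
        self.page_site = ".".join(page_host.lower().split(".")[-2:])
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        host = (url.hostname or "").lower()
        third_party = bool(host) and not (host == self.page_site or host.endswith("." + self.page_site))
        params = sorted(parse_qs(url.query))
        tiny, hidden = _is_tiny(a), _is_hidden(a)

        signals = []
        if tiny:
            signals.append("1x1 image")
        if hidden:
            signals.append("hidden by style")
        if third_party:
            signals.append(f"third-party host {host}")
        if params:
            signals.append("data in query string: " + ", ".join(params))

        # An invisible image is only a beacon if it also carries data somewhere:
        # a same-host spacer GIF with no parameters is layout, not tracking.
        if (tiny or hidden) and (third_party or params):
            self.findings.append({"src": src, "host": host or "(same host)", "signals": signals})


def find_beacons(html, page_host):
    """Return the list of probable beacons in html as shown at page_host."""
    finder = BeaconFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the host names are invented for the example.
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png" width="200" height="60" alt="Example Store">
<img src="/img/spacer.gif" width="1" height="1">
<img src="http://track.adnet-example.net/b.gif?uid=7f3a9c&page=checkout&total=49.99"
     width="1" height="1" style="display:none">
<img src="https://stats.example.com/pixel?v=12" width=1 height=1>
<p>Thank you for your order.</p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_HTML, "www.example.com"):
        print(f["host"], "->", "; ".join(f["signals"]))
```

On the sample page the logo and the spacer GIF are ignored, the ad-network pixel is reported with all four signals (note that the order total is being handed to a third party in the URL), and the site's own statistics pixel is also reported: a first-party beacon is still a beacon, it just sends the data to a less surprising place.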

A Massachusetts District Court granted summary judgment for the defendant, Pharmatrak, in a class action alleging that Pharmatrak's placement of web beacons on pharmaceutical companies' Web sites violated federal law. The court found no violation of the Computer Fraud and Abuse Act because the plaintiffs failed to meet the statute's damage threshold. It found no violation of the federal wiretap statute because the consent exception applied. Finally, it found no violation of the stored-communications provisions of the Electronic Communications Privacy Act, reasoning that those provisions address unauthorized access to data held by a network service, so Pharmatrak's collection of data from the plaintiffs' own computers did not fall within them. The First Circuit reversed in 2003 on the wiretap claim, holding that the pharmaceutical clients' use of the service was not consent to the collection of personal information they had asked Pharmatrak not to collect, and sent the case back for further proceedings.

More information on the summary judgment

Encryption software

Encryption software enables the user to scramble digital data so that only the holders of the right key can read it, protecting the contents of e-mail and other online communications from eavesdroppers along the way. The same software also lets an individual protect stored files and, through digital signatures, verify who a message came from and that it was not altered in transit.

For a comprehensive list of data encryption software, view CDT's Resource Library

International Agreements

National laws may be insufficient, on their own, to provide citizens with privacy protections across borders. Various international bodies, including the European Union and the Organisation for Economic Co-operation and Development (OECD), have developed privacy rules.

OECD Guidelines

In September 1980, the OECD issued its "Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data," adopted as a Recommendation of the OECD Council. Albeit broad, the OECD guidelines established important standards for future governmental privacy rules. These guidelines, while not enforceable, have influenced international agreements, national laws, and self-regulatory policies.

The OECD Guidelines include:

  1. Collection Limitation Principle,
  2. Data Quality Principle,
  3. Purpose Specification Principle,
  4. Use Limitation Principle,
  5. Security Safeguards Principle,
  6. Openness Principle,
  7. Individual Participation Principle, and
  8. Accountability Principle

View Full Text of the OECD Guidelines.

In June 2000, OECD released a set of guidelines for Multinational Enterprises, included in the Declaration on International Investment and Multinational Enterprises, which provide voluntary principles and standards for responsible business conduct with the goal of complementing and reinforcing private efforts to define responsible business conduct. As reported, one principle requires enterprises to respect consumer privacy and provide protection for personal data.

In January of 2003, OECD published a report on online privacy [PDF], whose objective was to build bridges between different national approaches and provide protection for private data. The report, entitled "Privacy Online- Policy and Practical Guidance," demonstrates OECD's dedication to promoting privacy policy adoption, consumer awareness, and the use of privacy enhancing technologies. The report also gives specific practical guidance for implementation of privacy protection online for member countries, businesses, and consumers.

OECD also offers a privacy policy generator to assist organizations reviewing their current privacy practices. The generator collects some organization-specific information and then generates a policy consistent with the OECD Privacy Guidelines. The generator is available at no cost online.

EU Data Protection Directive

In 1995, the Council of Ministers of the European Union formally adopted the Directive on the Protection of Personal Data. The Directive granted data subjects a number of important rights including the right of access to personal data, the right to know where the data originated (if such information is available), the right to have inaccurate data corrected, the right of recourse in the event of unlawful processing, and the right to withhold permission to use data in certain circumstances -- for example, individuals have the right to opt out free of charge from being sent direct marketing material.

The EU Data Protection Directive has forced the United States government and industry leaders to carefully reexamine the U.S. privacy policies. In May of 2000, the EU Member States voted unanimously to approve the U.S. proposed safe harbor principles, designed to enable corporations to run multinational operations and meet the EU standard for adequate privacy protection. In July of 2000, despite privacy protection concerns raised by the European Parliament, the European Commission declared its final approval of the agreement.

Summary and text of the EU Data Protection Directive.

Briefing materials on the EU Directive.

In July 2002, the EU adopted the Directive on Privacy and Electronic Communications (2002/58/EC), translating the principles of the 1995 directive into specific rules for telecommunications and other electronic communications, addressing privacy and security, marketing, cookies, data retention, etc.

Industry Self-Regulation

The debate continues over the ability of self-regulation and market forces to adequately address privacy concerns. Advocates often take the position that self-regulation is inadequate due to both a lack of enforcement and the absence of legal redress to harmed individuals. Industry tends to strongly favor self-regulation, stating that it results in workable, market-based solutions while placing minimal burdens on affected companies.

Numerous efforts at self-regulation have emerged; examples include TRUSTe, the Better Business Bureau's Online Privacy Program (BBBOnLine), and the Online Privacy Alliance, described below. A growing number of companies, under public and regulatory scrutiny, have begun incorporating privacy into their management process.

Elements of Effective Self-Regulation for Protection of Privacy: The Department of Commerce paper discusses the elements of effective self-regulatory regimes -- elements that incorporate principles of fair information practices with enforcement mechanisms that promote compliance with those practices.

Opting Out

Opt-out is an option that gives consumers the choice to prevent personally identifiable information from being used by a particular Web site or shared with third parties. Online opt-out procedures vary greatly; regardless of Web sites' explicit policies, opting out is often virtually impossible.

CDT has created the Operation Opt-Out Web site to make it as easy as possible for individuals to opt out of having their personal information shared and sold by the companies with which they interact.

Online Seal Programs

Industry's primary self-regulatory enforcement initiative has been the development of online privacy seal programs. These programs require their licensees to implement certain fair information practices and to submit to various types of compliance monitoring in order to display a privacy seal on their Web sites. If widely adopted, they promise an efficient way to alert consumers to licensees' information practices and to demonstrate licensees' compliance with program requirements. CDT's Behind the Numbers report addresses privacy seal initiatives.

  • TRUSTe, the first online privacy seal program, has grown from over 500 licensed Web sites in 1999 to more than 1400 sites in a variety of industries in 2003. TRUSTe has also started specialized seal programs addressing children's privacy, health information privacy, and the European Union/Safe Harbor privacy principles.
  • More than 600 sites have been licensed to post the BBBOnLine Privacy Seal since the program was launched in March of 2000.
  • CPA WebTrust, which independently verifies and tests e-commerce sites for compliance with its Principles and Criteria, is the third major privacy seal program.

Online Privacy Alliance (OPA)

The Online Privacy Alliance (OPA), a group of more than 80 global corporations and associations, is committed to lead and support self-regulatory initiatives that create an environment of trust and that foster the protection of individuals' privacy online and in electronic commerce. The OPA identifies and advances online privacy policies across the private sector, supports the development and use of self-regulatory enforcement mechanisms and activities, as well as user empowerment technology tools designed to protect individuals' privacy, and supports compliance with and strong enforcement of applicable laws and regulations.

OPA's Privacy Policy Guidelines.

Network Advertising Initiative (NAI)

The Network Advertising Initiative (NAI) is a group of third party network advertisers, who provide consumers with "clear explanations of Internet advertising initiatives and how they affect you and the Internet itself." The Initiative is committed to providing consumers with a comprehensible description of what data the advertisers collect, how they use it, and why use of data can benefit consumers' experience. From their web site, consumers can learn about online preference marketing, which is also referred to as "profiling." In 1999, the NAI committed to consumer notice and choice, and began an educational campaign on network advertising.

In its July 2000 report on online profiling and industry self-regulation, the FTC unanimously commended the NAI for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data.

In November 2002, NAI, along with TRUSTe and BBBOnline, released guidelines [pdf] governing web beacon usage. The guidelines require notice of web beacon usage, and that advertisers provide choice if personally identifiable information is transferred through web beacons.

Liberty Alliance

The Liberty Alliance (LA), a consortium of over 160 companies, was founded in 2001 to establish standards for federated network identity management, in which a user's accounts at different providers can be linked and a single authentication honoured across them. Because each provider keeps its own records and only assertions about the user are exchanged, federation avoids concentrating all identity data in one store, which limits what a single compromise exposes, though the identity provider that issues the assertions becomes a high-value target in its own right. Federated identity is intended to give customers more control over their personal data and to foster relationships between businesses. One of the key goals of the LA is to develop specifications that enable service providers to protect consumer privacy.

In May 2004, Liberty Alliance outlined "framework to support federated web services."

Liberty Alliance Web Site

Chapter Four: Debates and Trials



Copyright © 1998-2004