LawMeme, Yale Law School
Features: Protecting Your Online Privacy – Right!
Posted by Raul Ruiz on Monday, April 29 @ 19:14:21 EDT Privacy

Senator Fritz Hollings (D-SC), a.k.a. The Senator from Disney, recently introduced The Online Personal Privacy Act in the United States Senate. While on its face the bill appears to be a reversal of the Senator’s previous efforts to aid industry and trump consumers, the truth is that the Online Personal Privacy Act simply illuminates Senator Hollings’ pro-business and anti-consumer attitude.

The Online Personal Privacy Act is a bad deal for consumers. It gives consumers a false sense of security and encourages them to give their information, be it literal or behavioral information, to web sites because they feel it is protected by the power of law. Where did it go wrong?



Cruelty Disguised as Kindness

Information means power and money in today’s rapidly evolving world. Nowhere is information more readily available than on the Internet. An “educated guess” of how many people are online gives an answer of 544.2 million people, a vast marketplace for advertising and data gathering. Online businesses and service providers thrive not only on retail sales on the net, but also on the collection and sale of personal information to others.

The Online Personal Privacy Act seeks to limit the information that online providers can obtain without your consent by dividing personal information into two types: sensitive and non-sensitive information. “Sensitive” information is defined in Section 401 (14) and Section 401 (15) of the bill to mean any information related to:

  • the amount of income earned or losses suffered by an individual
  • an individual's account number or balance information for a savings, checking, money market, credit card, brokerage, or other financial services account
  • the access code, security password, or similar mechanism that permits access to an individual's financial services account
  • an individual's insurance policy information, including the existence, premium, face amount, or coverage limits of an insurance policy held by or for the benefit of an individual
  • an individual's outstanding credit card, debt, or loan obligations
  • individually identifiable health information (as defined in section 164.501 of title 45, Code of Federal Regulations)
  • race or ethnicity
  • political party affiliation
  • religious beliefs
  • sexual orientation
  • a Social Security number
  • sensitive financial information

(For simplicity, I have grouped sensitive financial information and sensitive personally identifiable information together.)

The bill demands that users opt-in to release sensitive personally identifiable information to web sites that wish to gather such information. More specifically, Section 102(b) states:

SENSITIVE PERSONALLY IDENTIFIABLE INFORMATION REQUIRES OPT-IN CONSENT- An internet service provider, online service provider, or operator of a commercial website may not--
(1) collect sensitive personally identifiable information online, or
(2) disclose or otherwise use such information collected online, from a user of that service or website,
unless the provider or operator obtains that user's affirmative consent to the collection and disclosure or use of that information before, or at the time, the information is collected.

The act defines personally identifiable information in Section 401(11) as:

  • a first and last name, whether given at birth or adoption, assumed, or legally changed
  • a home or other physical address including street name and name of a city or town
  • an e-mail address
  • a telephone number
  • a birth certificate number
  • any other identifier for which the Commission finds there is a substantial likelihood that the identifier would permit the physical or online contacting of a specific individual
  • information that an Internet service provider, online service provider, or operator of a commercial website collects and combines with an identifier described in clauses (i) through (vi) of this subparagraph. (i.e. the above bullets).

The Online Personal Privacy Act, however, does not limit the collection of non-sensitive and non-personally identifiable information. By failing to require an opt-in measure for this type of information, the bill gives businesses the opportunity, and the encouragement, to collect information about users. To prevent disclosure and use of their information, users must opt out at the time of registration or information disclosure, and the web site must provide a “robust notice,” defined in Section 401(13) as “…actual notice at the point of collection of the personally identifiable information describing briefly and succinctly the intent of the Internet service provider, online service provider, or operator of a commercial website to use or disclose that information for marketing or other purposes,” informing the user that the information is being collected and will be used in accordance with the policies set forth by the notice.

How many sites actually ask you questions that can be considered sensitive and personally identifiable? When was the last time that you gave your Social Security number to Yahoo? Did you ever divulge your religious beliefs to the New York Times when you were registering to read all the great articles on their site? Perhaps you told Amazon.com your sexual preference when you were registering for an account? Sensitive personally identifiable information is usually collected at sites that provide custom services to consumers, such as financial institutions or tax houses. These sites almost always have a long disclaimer telling you that this information is needed to provide you with a service and that the utmost care is taken to protect the information you provide. Many sites, on the other hand, collect information such as your name, your email address, and perhaps your address. The collection of this information is a requirement for these companies to provide you with a usually free service. Most of these sites, which primarily depend on gathering your information and providing custom advertisements, would likely refuse to offer you service unless you agreed to disclosure and use of your information.

So what is the Online Personal Privacy Act actually protecting us from? It is protecting us from the very small number of sites that would wish to collect sensitive information about us, such as our political affiliation, sexual orientation, and religious beliefs, without our consent. We would have to actively wish to disclose this information to those parties. Those sites that desire to collect non-sensitive information from us would allow us to opt out if they would still be willing to provide their service without our disclosure of information.

The privacy act fails in that it does not adequately safeguard the privacy of consumers. It instills a false sense of security in Internet users by having them believe that non-sensitive information that is collected online cannot be used without their consent. In actuality, the information can be used unless you request that it not be. The Online Personal Privacy Act fails to protect users from behavioral identification, the process of determining a user’s likes and dislikes, preferences, and other behavioral information without the need to personally identify the person. Web site owners and software creators are actually encouraged to do so because the bill does not specifically outlaw it or impose any provisions with regard to behavioral identification. The gathering of information with your knowledge may be acceptable to some, but observing someone’s behavior on the Internet from the comfort of their home is disturbing to say the least. The Online Personal Privacy Act offers no safeguard against this type of behavioral tracking and, in essence, compromises our sense of privacy.

Data Mining Your Mouse

Websites can track a user’s tastes by utilizing some very simple techniques. One of the most notorious techniques is the use of cookies to track a user’s movement throughout a site and gauge what he/she is interested in. Simply looking at the websites that a user visits, the purchases that the user makes online, and the ads that the user responds positively to by way of mouse clicks destroys the bill’s idea of privacy. The Online Personal Privacy Act specifies that “collecting” information includes tracking users by cookies that allow the user to be personally identifiable. As noted, the bill does not care about non-personally identifiable information, so cookies that track where you’ve been and where you are going on the Internet are fair game so long as the cookies do not carry information of the type contained within Section 401(11).

What about those 1x1-pixel pictures on web pages (web bugs)? We cannot see them and rarely know that they are there, but they are indeed used to track our movements across pages and even web sites without the use of cookies. Is our online privacy really being protected?
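As an added illustration (not part of the original article), the Python sketch below shows how a reader or site auditor could spot the web bugs described above: it flags 1x1 images that a page loads from a host other than its own. The sample page, the host names and the `find_web_bugs` helper are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; hosts and paths are illustrative only.
SAMPLE_PAGE_URL = "http://news.example/story.html"
SAMPLE_HTML = """
<img src="/images/logo.gif" width="120" height="60">
<img src="http://ads.tracker.example/bug.gif?uid=8841" width="1" height="1">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://stats.tracker.example/t.gif" style="width:1px; height:1px">
"""

def _tiny(value):
    """True when a width/height value is 0 or 1 pixel ("1", "1px", "0")."""
    digits = value.strip().lower().replace("px", "").strip()
    return digits.isdigit() and int(digits) <= 1

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        dims = {"width": a.get("width", ""), "height": a.get("height", "")}
        # Inline style can also set the size, e.g. style="width:1px; height:1px".
        for decl in a.get("style", "").split(";"):
            name, _, val = decl.partition(":")
            if name.strip().lower() in dims:
                dims[name.strip().lower()] = val
        if not (_tiny(dims["width"]) and _tiny(dims["height"])):
            return
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlparse(src).hostname
        # Same-host 1x1 images are usually layout spacers; a different host
        # means a third party receives a request on every page view.
        if host and host != self.page_host:
            self.findings.append({"host": host, "url": src,
                                  "has_query": bool(urlparse(src).query)})

def find_web_bugs(html, page_url):
    """Return one finding per third-party image that is at most 1x1 pixel."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings
```

A query string on the flagged URL (`has_query`) is worth a closer look, since that is where a page or visitor identifier can ride along with the image request.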

Modern day technologies make it entirely feasible to track the activities of computer users by installing a Trojan horse, or spyware. Take for example Brilliant Digital Entertainment’s (BDE) Kazaa file-swapping program. It was recently discovered that Kazaa installed additional software on a user’s computer that would allow BDE to use these individual computers as points of distribution for advertisements. Was it legal? That remains unclear, but Kazaa would have some much needed ammunition for its defense with the Online Personal Privacy Act. Users had to agree to a 2,644-word “terms of service” contract in order to install Kazaa. Within the mess that is a license was a provision that Kazaa may tap the “unused computing power and storage space” of your computer.

Now that Kazaa’s business practices have been made generally known, it is only a matter of time before others begin to package spyware with applications. When installing, you would have to agree to the license presented, but how many of us actually read these things? If you are using Windows XP, forget about installing VNC, a remote desktop access tool, for you would be violating the XP license (“Except as otherwise permitted by the NetMeeting, Remote Assistance, and Remote Desktop features described below, you may not use the Product to permit any Device to use, access, display, or run other executable software residing on the Workstation Computer, nor may you permit any Device to use, access, display, or run the Product or Product's user interface, unless the Device has a separate license for the Product”). This spyware can be used to track the sites that you visit and sell this information to third-party advertisers in order for them to focus their advertising efforts. Take the case of Windows Media Player 8, which comes installed with Windows XP by default. Every DVD and song that is played with Windows Media Player 8 has its title recorded. Microsoft executives are claiming that for the moment, no marketing use right exists, but they are unwilling to rule out that right because of profit possibilities in the future.

Amazon.com, although refraining from asking you for sensitive and personally identifiable information, tracks the books that a user views on their site in order to target advertisements and book recommendations to the user. This fact is stated in their privacy policy under the sub-heading of “Automatic Information.” Suppose I search for books on Catholicism. Might it not imply that I am indeed a Catholic? Or suppose I purchase a myriad of books by very liberal authors. Could Amazon infer that I may be a Democrat? Assuming I had an account on Amazon, which contains my name, Amazon would be obtaining sensitive personally identifiable information (as defined by the act) from me without my consent. Inferring information, however, is actually protected by the Online Personal Privacy Act in Section 401(11)(B), “INFERENTIAL INFORMATION EXCLUDED- Information about an individual derived or inferred from data collected online but not actually collected online is not personally identifiable information.” Because it is not considered personally identifiable information, it also does not fall within the jurisdiction of sensitive personally identifiable information.

Legal and Criminal Considerations

Once a record of your information exists in any database, it is subject to seizure by law enforcement or opponents in a lawsuit, assuming proper authorization has been obtained. Because inferred information can be stored in a database and is protected under the act, the possibility of having personally identifiable information, although not classified as such by the act, used against a person in court is very real. From behavioral information, profiles of persons can be built and attached to names. This profile could possibly be used in a criminal or civil procedure. The problem rests with the behavior that we as Internet citizens adopt. Our personalities on the Internet can be drastically different from those we follow in the real world. By having a false sense of security with our privacy online, our online profiles can become severely distorted, and their use in our legal system would not be truly representative of a person’s character.

Conclusion

The Online Personal Privacy Act falls well short of what it must do. Because it instills a false sense of security in Internet users, we will be more willing to give away non-sensitive information to web sites and other commercial entities under the guise that it will be protected and safe from distribution to third parties. Senator Hollings has proposed a bill that serves only the interests of big business. It is comforting, however, to know that the Senator’s bill is receiving very limited support. Surprisingly enough, some of the dissent is coming from businesses. Their gripe comes with a provision in the bill that mandates companies to tell a user what information has been collected from them. Such a requirement, it is argued, imposes significant costs on companies, albeit financially sound users can be charged $3 to access the information.

If Hollings truly wanted to make a bill that advocated for consumer privacy, the bill would require Internet users to opt in to releasing any information, including behavioral information. Inferring sensitive data should be outlawed. Only then may this bill be truly called The Online Personal Privacy Act.

All stories, comments and submissions copyright their respective posters.
Everything Else Copyright (c) 2002 by the Information Society Project.
This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).