Privacy Principles and Policies
In the United States,
interest in privacy and computer databases dates back at least to the early
1970s. (It is worth noting that the U.S. Watergate burglary occurred in 1972.
Shortly after, reports surfaced that Nixon maintained an enemies list and had
used IRS records as a means of combating adversaries. Thus people in the United
States were sensitive about privacy at that time. Public concern for privacy
has varied over the years.) In the early 1970s, a committee developed privacy
principles that have affected U.S. laws and regulations and that also set the
path for privacy legislation in other countries. We study the recommendations
of that committee in the next section.
Fair Information Policies
In 1973 Willis Ware of the
RAND Corporation chaired a committee to advise the Secretary of the U.S.
Department of Health, Education, and Welfare on privacy issues. The report (summarized in [WAR73a]) proposes a set of principles of fair
information practice.
Collection limitation. Data
should be obtained lawfully and fairly.
Data quality. Data should be relevant to their purposes, accurate, complete,
and up-to-date.
Purpose specification. The
purposes for which data will be used should be identified and the data
destroyed if no longer necessary to serve that purpose.
Use limitation. Use for
purposes other than those specified is authorized only with consent of the data
subject or by authority of law.
Security safeguards.
Procedures to guard against loss, corruption, destruction, or misuse of data
should be established.
Openness. It should be
possible to acquire information about the collection, storage, and use of
personal data systems.
Individual participation. The
data subject normally has a right to access and to challenge data relating to
her.
Accountability. A data controller should be designated and accountable for
complying with the measures to give effect to the principles.
These principles describe the
rights of individuals, not requirements on collectors; that is, the principles
do not require protection of the data collected.
Ware [WAR73b] raises the problem of linking data in
multiple files and of overusing keys, such as social security numbers, that
were never intended to be used to link records. And although he saw that
society was moving toward a universal identity number, he feared that movement
would be without plan (and hence without control). He was right, even though he
could not have foreseen the amount of data exchanged 30 years later.
Turn and Ware [TUR75] consider protecting the data themselves,
recognizing that collections of data will be attractive targets for
unauthorized access attacks. They suggest four ways to protect stored data:
Reduce exposure by limiting
the amount of data maintained, asking for only what is necessary and using
random samples instead of complete surveys.
Reduce data sensitivity by
interchanging data items or adding subtle errors to the data (and warning
recipients that the data have been altered).
Anonymize the data by
removing or modifying identifying data items.
Encrypt the data.
You will see these four
approaches mentioned again because they are the standard techniques available
for protecting the privacy of data.
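The first three of these techniques can be illustrated with a short sketch. All records, the salt, and the field names below are hypothetical; real encryption (the fourth technique) would use a vetted cryptographic library and is omitted to keep the sketch dependency-free.

```python
import hashlib
import random

# Toy survey records; all names and values are invented.
records = [
    {"name": "Alice Adams", "zip": "10001", "income": 52_000},
    {"name": "Bob Brown",   "zip": "10002", "income": 61_000},
    {"name": "Carol Cruz",  "zip": "10003", "income": 58_000},
    {"name": "Dan Diaz",    "zip": "10004", "income": 47_000},
]

rng = random.Random(42)  # fixed seed so the sketch is reproducible

# 1. Reduce exposure: release a random sample, not the complete survey.
sample = rng.sample(records, k=2)

# 2. Reduce sensitivity: perturb values with small random errors
#    (recipients must be warned the data have been altered).
perturbed = [dict(r, income=r["income"] + rng.randint(-2000, 2000))
             for r in sample]

# 3. Anonymize: drop identifying fields and generalize others.
SALT = "example-secret-salt"  # held by the data owner, never released
anonymized = [
    {"id": hashlib.sha256((SALT + r["name"]).encode()).hexdigest()[:8],
     "zip3": r["zip"][:3],   # generalize ZIP code to its first 3 digits
     "income": r["income"]}
    for r in perturbed
]
for row in anonymized:
    print(row)
```

Note that a salted hash, as used here, still links the same person's records across releases; a purely random code would break even that link, at the cost of making repeat analysis harder.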
U.S. Privacy Laws
Ware and his committee
expected these principles to apply to all collections of personal data on
individuals. Unfortunately, that is not the way the legislation developed.
The Ware committee report led
to the 1974 Privacy Act (5 USC 552a), which embodies most of these principles,
although that law applies only to data maintained by the U.S. government. The
Privacy Act is a broad law, covering all data collected by the government. It
is the strongest U.S. privacy law because of its breadth: It applies to all
personal data held anywhere in the government.
The United States
subsequently passed laws protecting data collected and held by other
organizations, but these laws apply piecemeal, by individual data type.
Consumer credit is addressed in the Fair Credit Reporting Act, healthcare
information in the Health Insurance Portability and Accountability Act (HIPAA),
financial service organizations in the Gramm-Leach-Bliley Act (GLBA), children's
web access in the Children's Online Privacy Protection Act (COPPA), and student
records in the Family Educational Rights and Privacy Act (FERPA). Not surprisingly,
these separate laws are inconsistent in protecting privacy.
Laws and regulations do help
in some aspects of privacy protection. Antón et al. investigated the impact of
the HIPAA law by analyzing companies' posted privacy policies before and after
the privacy provisions of the law became effective [ANT06].
They found the following in policies posted after HIPAA:
Statements on data transfer
(to other organizations) were more explicit than before HIPAA.
Consumers still had little
control over the disclosure or dissemination of their data.
Statements were longer and
more complex, making them harder for consumers to understand.
Even within the same industry
branch (such as drug companies), statements varied substantially, making it
hard for consumers to compare policies.
Statements were unique to
specific web pages, meaning they covered more precisely the content and
function of a particular page.
A problem with many laws is
that the target areas of the laws still overlap: Which law (if any) would
require privacy protection of a university student's health center bills paid
by credit card? The laws have different protection and handling requirements,
so it is important to determine which law applies to a single piece of data.
Also, gaps between laws are not covered. As new technologies (such as
computers, the Internet, or cell phones) are developed, either existing privacy
laws have to be reinterpreted by the courts to apply to the new technologies or
new laws have to be passed, which takes time.
Sometimes the privacy
provisions of a law are a second purpose, somewhat disguised by the first
purpose of the law. As an example, the primary purpose of HIPAA was to ensure
that people who left or were terminated from one job had health insurance to
cover them until they got another job; the privacy aspects were far less
prominent as the law was being developed.
Controls on U.S. Government Web Sites
Because privacy is ambiguous,
privacy policies are an important way to both define the concept in a
particular setting and specify what should or will be done about it.
The Federal Trade Commission
(FTC) has jurisdiction over web sites, including those of the federal
government, that solicit potentially private data. In 2000 [FTC00], the FTC set requirements for privacy
policy for government web sites. Because government web sites are covered by
the Privacy Act, it was easy for the FTC to require privacy protection. The FTC
determined that in order to obey the Privacy Act, government web sites would
have to address five privacy factors.
Notice. Data collectors must disclose their information practices before
collecting personal information from consumers.
Choice. Consumers must be given a choice as to whether and how personal
information collected from them may be used.
Access. Consumers should be
able to view and contest the accuracy and completeness of data collected about
them.
Security. Data collectors must take reasonable steps to ensure that
information collected from consumers is accurate and secure from unauthorized use.
Enforcement. A reliable mechanism must be in place to impose
sanctions for noncompliance with these fair information practices.
In 2002, the U.S. Congress
enacted the e-Government Act of 2002 requiring that federal government agencies
post privacy policies on their web sites. Those policies must disclose
the information that is to be
collected
the reason the information is
being collected
the intended use by the
agency of the information
the entities with whom the
information will be shared
the notice or opportunities
for consent that would be provided to individuals regarding what information is
collected and how that information is shared
the way in which the
information will be secured
the rights of the individual
under the Privacy Act and other laws relevant to the protection of the privacy
of an individual
These two acts apply only to
web sites; data collected by other means (for example, by filing forms) are
handled differently, usually on a case-by-case or agency-by-agency basis. The
requirements reflected in the e-Government Act focus on the type of data (data
supplied to the government through a web site) and not on the general notion of
privacy.
Controls on Commercial Web Sites
The e-Government Act places
strong controls on government data collection through web sites. As we
described, privacy outside the government is protected by law in some areas,
such as credit, banking, education, and healthcare. But there is no counterpart
to the e-Government Act for private companies.
No Deceptive Practices
The Federal Trade Commission
has the authority to prosecute companies that engage in deceptive trade or
unfair business practices. If a company advertises in a false or misleading
way, the FTC can sue. The FTC has used that approach on web privacy: If a
company advertises false privacy protection (that is, if the company says it
will protect privacy in some way but does not do so), the FTC considers that false
advertising and can take legal action. Because of the FTC, privacy notices at
the bottom of web sites do have meaning.
This practice leads to a
bizarre situation, however. A company is allowed to collect personal
information and pass it in any form to anyone, as long as the company's privacy
policy says it will do so, or at least does not say it will not do so.
Vowing to maintain privacy and intentionally not doing so is an illegal
deceptive practice. Stating an intention to share data with marketing firms or
"other third parties" makes such sharing acceptable, even though the
third parties could be anyone.
Examples of Deceptive Practices
The FTC settled a prosecution
in 2005 against CartManager International, a firm that runs familiar web
shopping cart software to collect items of an order, obtain the purchaser's
name and address, and determine shipping and payment details. This software
runs as an application under other well-known retail merchants' web sites to
handle order processing. Some of these other retailers had privacy statements
on their web sites saying, in effect, that they would not sell or distribute
customers' data, but CartManager did sell the data it collected. The FTC held
that the relationship to CartManager was invisible to users, and so the policy
from the online merchants applied also to CartManager.
In another case, Antón [ANT04] analyzed the privacy policy posted on the
web site of Jet Blue airlines and found it misleading. Jet Blue stated that it
would not disclose passenger data to third parties. It then released passenger
data, "in response to a special request from the Department of
Defense" to Torch Concepts, which in turn passed it to the Defense
Department to use to test passenger screening algorithms for airline security.
The data in question involved credit card information: Clearly the only reason for
Jet Blue to have collected those data from passengers was to process charges
for airline tickets.
The analysis by Antón is
interesting for two reasons: First, Jet Blue violated its own policy. Second,
the Department of Defense may have circumvented the e-Government Act by
acquiring from a private company data it would not have been able to collect as
a government entity. The purpose for which the data were originally collected
was ordinary business and accounting activities of Jet Blue. Using those same
records to screen for terrorists was outside the scope of the original data
collection.
Commercial sites have no
standard of content comparable to the FTC recommendation from the e-Government
Act. Some companies display solid and detailed privacy statements that they
must obey. On the other hand, you may find no statement at all, which gives the
company the greatest flexibility because it is impossible to lie when saying
nothing. Cranor [CRA03] makes some
recommendations for useful web privacy policies.
Non-U.S. Privacy Principles
In 1981, the Council of
Europe (an international body of 46 European countries, founded in 1949)
adopted Convention 108 for the protection of individuals with regard to the
automatic processing of personal data, and in 1995, the European Union (E.U.)
adopted Directive 95/46/EC on the processing of personal data. Directive
95/46/EC, often called the European Privacy Directive, requires that rights of
privacy of individuals be maintained and that data about them be
· processed fairly and lawfully
· collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes (unless appropriate
safeguards protect privacy)
· adequate, relevant, and not excessive in relation to the purposes
for which they are collected and/or further processed
· accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or incomplete,
having regard to the purposes for which they were collected or for which they
are further processed, are erased or rectified
· kept in a form that permits identification of data subjects for no
longer than is necessary for the purposes for which the data were collected or
for which they are further processed
In addition, individuals have
the right to access data collected about them, to correct inaccurate or
incomplete data, and to have those corrections sent to those who have received
the data. The report adds three more principles to the Fair Information
Policies.
· Special protection for sensitive data. There
should be greater restrictions on data collection and processing that involves
"sensitive data." Under the E.U. data protection directive,
information is sensitive if it involves "racial or ethnic origin,
political opinions, religious beliefs, philosophical or ethical persuasion . .
. [or] health or sexual life."
· Data transfer. This principle explicitly
restricts authorized users of personal information from transferring that
information to third parties without the permission of the data subject.
· Independent oversight. Entities that process
personal data should not only be accountable but should also be subject to
independent oversight. In the case of the government, this requires oversight
by an office or department that is separate and independent from the unit
engaged in the data processing. Under the data protection directive, the
independent overseer must have the authority to audit data processing systems,
investigate complaints brought by individuals, and enforce sanctions for
noncompliance.
(This is a very brief summary
of the much longer law. See the original Directive for more detail.) These
requirements apply to governments, businesses, and other organizations that
collect personal data. Since the 1995 directive, the European Union has
extended coverage to telecommunications systems and made other changes to adapt
to advances in technology.
In addition to European
countries and the United States, other countries, such as Japan, Australia, and
Canada, have passed laws protecting the privacy of personal data about
individuals.
Different laws in different
jurisdictions will inevitably clash. Relations between the European Union and
the United States have been strained over privacy because the E.U. law forbids
sharing data with companies or governments in countries whose privacy laws are
not as strong as those of the E.U. (The United States and the European Union
have agreed to a set of "safe harbor" principles that let U.S.
companies trade with European countries in spite of not meeting all European
privacy laws.) In Sidebar 10-1 you can
see how these different laws can affect commerce and, ultimately, diplomatic
relations.
Anonymity, Multiple Identities
One way to preserve privacy
is to guard our identity. Not every context requires us to reveal our identity,
so some people wear a form of electronic mask.
Anonymity
A person may want to do some
things anonymously. For example, a rock star buying a beach house might want to
avoid unwanted attention from neighbors, or someone posting to a dating list
might want to view replies before making a date.
Mulligan [MUL99] lists several reasons people prefer
anonymous activity on the web. Some people like the anonymity of the web
because it reduces fears of discrimination. Fairness in housing, employment,
and association are easier to ensure when the basis for potential
discrimination is hidden. Also, people researching what they consider a private
matter, such as a health issue or sexual orientation, are more likely to seek
information first from what they consider an anonymous source, turning to a
human only after they have learned more about their situation.
Anonymity creates problems,
too. How does an anonymous person pay for something? A trusted third party (for
example, a real estate agent or a lawyer) can complete the sale and preserve
anonymity. But then you need a third party and the third party knows who you
are. Chaum [CHA81, CHA82, CHA85]
studied this problem and devised a set of protocols by which such payments could
occur without revealing the buyer to the seller.
Multiple Identities: Linked or Not
Most people already have
multiple identities. To your bank you might be the holder of account 123456, to
your motor vehicles bureau you might be the holder of driver's license number
234567, and to your credit card company you might be the holder of card 345678.
For their purposes, these numbers are your identity; the fact that each may (or
may not) be held in your name is irrelevant. The name does become important if
it is used as a way to link these records. How many people share your name? Can
(or should) it serve as a key value to link these separate databases? We ignore
the complication of misspellings and multiple valid forms (with and without
middle initials, with full middle name, with one of two middle names if you
have them, and so forth).
Sidebar
10-1: A Clash of Privacy Principles
Privacy is serious business. Commerce,
travel, or communication can stop when data are to be shared among
organizations or countries with different privacy principles. For example, in
trying to secure its borders after the 11 September 2001 attacks, the United
States created a program to screen airline passengers for possible terrorist
links. The program uses information in the Passenger Name Record (PNR): the
data collected by airlines when you book a flight from one place to another.
The PNR includes 34 categories of information: not only your name and flight
details but also your telephone number, credit card information, meal
preferences, address, and more. Because Europeans constitute the largest group
of visitors to the United States (almost 10 million in 2004), the Americans
asked European airlines to supply PNR data within 15 minutes of a plane's departure
for the United States.
Recall that the European Privacy
Directive prohibits the use of data for purposes other than those for which
they were collected. The U.S. request clearly violated the directive. After
considerable negotiation, the European Commission and the European Council
reached an agreement in May 2004 to allow airlines to give the data to the
United States.
However, the European Parliament
objected, and on 30 May 2006, the European Court of Justice, the highest court
in the European Union, ruled that the European Commission and European Council
lacked authority to make such a deal with the United States. Privacy principles
were not the primary basis for the ruling, but they had a big impact
nevertheless: "Specifically, the court said passenger records were
collected by airlines for their own commercial use, so the European Union could
not legally agree to provide them to the American authorities, even for the
purposes of public security or law enforcement" [CLA06]. A
spokesperson for the U.S. Department of Homeland Security countered that
privacy is not the issue, since the data could be solicited from each passenger
who arrives in the United States.
If the United States does not get the
requested data, it could in theory deny landing rights to the nonparticipating
airlines. Nearly half of all foreign air travel to the United States is
transatlantic, so the disruption could cost millions to all the economies involved.
It remains to be seen how this clash of privacy principles will be resolved.
Suppose you changed your name
legally but never changed the name on your credit card; then your name could
not be used as a key on which to link. Another possible link field is address.
However, trying to use an address on which to link presents another risk:
Perhaps a criminal lived in your house before you bought it. You should not
have to defend your reputation because of a previous occupant. Now we need to
match on date, too, so we connect only people who actually lived in a house at
the same time. Then we need to address the problem of group houses or roommates
of convenience, and so forth. As computer scientists, we know we can program
all these possibilities, but that requires careful and time-consuming
consideration of the potential problems before designing the solution. We can
also see the potential for misuse and inaccuracy.
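The linkage pitfall above can be made concrete in a few lines (all records are invented): matching on address alone wrongly ties the current resident to a previous occupant, while also requiring overlapping residence dates excludes the false match.

```python
# Hypothetical records from two databases that share only an address field.
court_records = [
    {"name": "X. Felon", "address": "12 Oak St", "resided": (1995, 2001)},
]
residents = [
    {"name": "You", "address": "12 Oak St", "resided": (2003, 2006)},
]

def naive_link(a, b):
    """Link on address alone -- the flawed approach."""
    return [(x, y) for x in a for y in b if x["address"] == y["address"]]

def dated_link(a, b):
    """Link on address plus overlapping residence dates."""
    def overlap(p, q):
        return p[0] <= q[1] and q[0] <= p[1]
    return [(x, y) for x in a for y in b
            if x["address"] == y["address"]
            and overlap(x["resided"], y["resided"])]

print(len(naive_link(court_records, residents)))  # 1: a false match
print(len(dated_link(court_records, residents)))  # 0: previous occupant excluded
```

Even this refinement fails for group houses or roommates, which is exactly the cascade of special cases the text warns about.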
Linking identities correctly
to create dossiers and break anonymity creates privacy risks, but linking them
incorrectly creates much more serious risks for the use of the data and the
privacy of affected people. If we think carefully we can determine many of the
ways such a system would fail, but that approach is potentially expensive and
time consuming. The temptation to act quickly but inaccurately will also affect
privacy.
Pseudonymity
Sometimes, full anonymity is
not wanted. A person may want to order flower bulbs but not be placed on a
dozen mailing lists for gardening supplies. But the person does want to be able
to place similar orders again, asking for the same color tulips as before. This
situation calls for pseudonyms, unique identifiers that can be used to link
records in a server's database but that cannot be used to trace back to a real
identity.
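One common way to build such pseudonyms (a sketch under assumed names, not a scheme from the text) is a keyed hash held by a trusted intermediary: the same customer always maps to the same identifier, so repeat orders link, but without the secret key the identifier cannot be traced back, and deriving a different pseudonym per merchant keeps merchants from linking their records to each other.

```python
import hmac
import hashlib

# Hypothetical intermediary that hands merchants a stable pseudonym.
# The secret key never leaves the intermediary, so a merchant can link
# repeat orders but cannot recover the real identity behind them.
SECRET_KEY = b"intermediary-secret"  # illustrative value

def pseudonym(real_identity: str, merchant: str) -> str:
    """Derive a per-merchant pseudonym: stable (for linking orders),
    infeasible to invert, and different at every merchant."""
    msg = f"{merchant}:{real_identity}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]

first_order  = pseudonym("alice@example.com", "bulbs-r-us")
repeat_order = pseudonym("alice@example.com", "bulbs-r-us")
elsewhere    = pseudonym("alice@example.com", "seed-shop")

print(first_order == repeat_order)  # same merchant: records link
print(first_order == elsewhere)     # different merchant: unlinkable
```

So the flower merchant can retrieve the same color tulips as before, yet cannot compile a mailing list tied to the customer's real name.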
Multiple identities can also
be convenient, for example, having a professional e-mail account and a social
one. Similarly, disposable identities (that you use for a while and then stop
using) can be convenient. When you sign up for something and you know your
e-mail address will be sold many times, you might get a new e-mail address to
use until the spam and other unsolicited e-mail are oppressive, and then you
discard the address. These uses are called pseudonymity.
Seigneur and Jensen [SEI03] discuss the
use of e-mail aliases to maintain privacy. These approaches protect our privacy
because we do not have to divulge what we consider sensitive data. But they
also show that we need a form of privacy protection that is otherwise unavailable.
The Swiss bank account was a
classic example of a pseudonym. Each customer had only a number to access the
account. Presumably anyone with that number could perform any transaction on
the account. (Obviously there were additional protections against guessing.)
While such accounts were in use (they were discontinued in the early 1990s
after revelations that they had been used to hold ill-gotten Nazi gains from
World War II), Swiss banks had an outstanding reputation for maintaining the anonymity of
the depositors.
Some people register
pseudonyms with e-mail providers so that they have anonymous drop boxes for
e-mail. Others use pseudonyms in chat rooms or with online dating services. We
consider pseudonyms later in this chapter when we study privacy for e-mail.
Government and Privacy
The government gathers and
stores data on citizens, residents, and visitors. Government facilitates and
regulates commerce and other kinds of personal activities such as healthcare,
employment, education, and banking. In those roles the government is both an
enabler and regulator of privacy and a user of private data. Government use of
private data should be controlled. In this section we consider some of the
implications of government access to private data.
Authentication
Government plays a complex
role in personal authentication. Many government agencies (such as the motor
vehicles bureau) use identifiers to perform their work. Authentication
documents (such as passports and insurance cards) often come from the
government. The government may also regulate the businesses that use
identification and authentication keys. And sometimes the government obtains
data based on those keys from others (for example, the U.S. government planned
to buy credit reports from private companies to help with screening airline
passenger lists for terrorists). In these multiple roles, the government may
misuse data and violate privacy rights.
Data Access Risks
Recognizing that there were
risks in government access to personal data, the Secretary of Defense appointed
a committee to investigate private data collection. The Technology and Privacy
Advisory Committee, chaired by Newton Minow, former chair of the Federal
Communications Commission, produced its report in 2004 [TAP04]. Although their charge had been to review
privacy and data collection within the Department of Defense, they found it
impossible to separate the DoD from the rest of government, so they made
recommendations for both the Department of Defense and the federal government
as a whole.
They recognized risks when
the government started to acquire data from other parties:
data errors: ranging from transcription errors to incorrect analysis
inaccurate linking: two or more correct data items but incorrectly
linked on a presumed common element
difference of form and
content: precision, accuracy, format, and semantic errors
purposely wrong: collected
from a source that intentionally gives incorrect data, such as a forged
identity card or a false address given to mislead
false positive: an incorrect or out-of-date conclusion that the
government does not have data to verify or reject, for example, delinquency in paying state taxes
mission creep: data acquired for one purpose leading to a broader use because the
data will support that mission
Steps to Protect Against Privacy Loss
The committee recommended
several steps the government can take to help safeguard private data.
Data minimization. Obtain the least data necessary for the task.
For example, if the goal is to study the spread of a disease, only the condition, date, and vague location
(city or county) may suffice; the name or contact information of the patient
may be unnecessary.
Data anonymization. Where possible, replace identifying
information with untraceable codes (such as a record number); but make sure those codes cannot be linked to
another database that reveals sensitive data.
Audit trail. Record who has accessed data and when, both to help identify
responsible parties in the event of a breach and to document the extent of damage.
Security and controlled access. Adequately protect and control access to
sensitive data.
Training. Ensure people accessing data understand what to protect and how
to do so.
Quality. Take into account the purpose for which data were collected, how
they were stored, their age, and similar factors to determine the usefulness of the data.
Restricted usage. Different from controlling access, review all
proposed uses of the data to determine if those uses are consistent with the purpose for which the data
were collected and the manner in which they were handled (validated, stored,
controlled).
Data left in place. If possible, leave data in place with the
original owner. This step helps guard against possible misuses of the data from expanded mission just because
the data are available.
Policy. Establish a clear policy for data privacy. Do not encourage
violation of privacy policies.
These steps would help
significantly to ensure protection of privacy.
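Three of the steps above (minimization, anonymization with untraceable codes, and an audit trail) can be sketched in a few lines; all field names and values are hypothetical.

```python
import secrets
import datetime

# Hypothetical health-study extract; names and fields are invented.
patients = [
    {"name": "Alice Adams", "phone": "555-0101",
     "condition": "flu", "date": "2006-01-10", "city": "Denver"},
    {"name": "Bob Brown", "phone": "555-0102",
     "condition": "flu", "date": "2006-01-12", "city": "Boulder"},
]

# Data minimization + anonymization: keep only condition, date, and a
# coarse location; replace identity with an untraceable random code
# (random, not derived from the name, so it cannot be linked elsewhere).
released = [
    {"record": secrets.token_hex(4),
     "condition": p["condition"], "date": p["date"], "city": p["city"]}
    for p in patients
]

# Audit trail: record who accessed the data and when.
audit_log = []

def access(user: str, dataset):
    now = datetime.datetime.now(datetime.timezone.utc)
    audit_log.append((user, now.isoformat()))
    return dataset

rows = access("analyst-17", released)
assert all("name" not in r and "phone" not in r for r in rows)
print(len(audit_log), "access recorded")
```

The random record codes here deliberately break all linkage; a study that must follow the same patient over time would instead need a keyed pseudonym held by the data owner, which reintroduces the linking risks discussed earlier.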
Identity Theft
As the name implies, identity
theft is taking another person's identity. Use of another person's credit card
is fraud; taking out a new credit card in that person's name is identity theft.
Identity theft has grown from a relatively rare problem in the
1970s into a widespread one. In 2005, the U.S. Federal Trade Commission received over 250,000
complaints of identity theft [FTC06].
Most cases of identity theft become apparent in a month or two when fraudulent
bills start coming in. By that time the thief has made a profit and has dropped
this identity, moving on to a new victim.
Having relatively few unique
keys facilitates identity theft: A thief who gets one key can use that to get a
second, and those two to get a third. Each key gives access to more data and
resources. Few companies or agencies are set up to ask truly discriminating
authentication questions (such as the grocery store at which you frequently
shop, the city to which you recently bought an airplane ticket, or the third
digit on line four of your last tax return). Because there are few authentication
keys, we are often asked to give the same key (such as mother's maiden name)
out to many people, some of whom might be part-time accomplices in identity
theft.