Second Annual World Data Privacy Day

Wednesday marked the second annual World Data Privacy Day! Industry leaders and government officials from 27 countries around Europe, Canada and the U.S. participated in events focused on ways to raise awareness about data privacy and the protection of personal information on the internet. Take a look at the site Intel provides to help coordinate the effort. FPF participated in NYC by speaking on panels at the Institute for American and Talmudic Law Midwinter Conference, along with Supreme Court Justice Scalia, GWU Law Professor Jeff Rosen, NYU Professor Helen Nissenbaum and constitutional law expert Nathan Lewin.

The Future of Privacy Forum Consumer Privacy Agenda for the New Administration

1. Appoint a Chief Privacy Officer to Promote Fair Information Practices in the Public and Private Sectors.

We embrace the idea of government catching up to industry by creating the central role of a Chief Technology Officer, as has been announced. But we also point out the need — recognized by hundreds of privacy-sensitive companies — for a senior level Chief Privacy Officer, someone to ensure that data protection is a central consideration for technology, data and policy decisions. Although many federal agencies have privacy officers, the fact that data is increasingly available across government entities demonstrates the need for a central figure to lead U.S. efforts to respect citizen data. To ensure that the data needed to combat terror will be available while appropriate oversight is in place to protect essential freedoms, the Administration should have an accountable, executive-level figure to drive an agenda based on responsible data practices. And as behavioral targeting, correlation of data across platforms, cloud computing and the use of personal health records becomes widespread in the business world, the need for a senior figure who can drive a consumer-centric agenda based on Fair Information Practices becomes increasingly crucial.

As data flows have already become a global issue, an empowered central address for U.S. data protection will also more effectively allow the U.S. to engage with data authorities around the world.

2. Ensure that Interactive Tools used by Government Provide Users with Enhanced Transparency and Controls.

Federal policy today requires that government Web sites refrain from using persistent cookies without agency head approval. As a result, government sites either go without the benefit of data-driven services that could optimize their usage and performance, or simply obtain agency approval and make use of such cookies without additional safeguards. At a time when citizens expect a widely expanded form of e-government, including social media and commercial Web 2.0 tools, refraining from the use of innovative tools is not an option. But also unacceptable would be simply using the tools that are available on the market today, without enhanced responsible data use rules.

The OMB and the E-Government Administrator should establish baseline principles for cookies, social media tools and other information use by commercial vendors for government. In doing so, they will drive responsible development of these tools for government and for industry. For example, analytics tools should be required to delete log-files after a defined period of time, cookies should have limited expiration periods and should not be used to store information unprotected, IP addresses should be obscured as soon as possible, and the use of the tools and user options should be transparent and prominently explained. In addition, a very limited amount of funding for basic research could challenge our best and brightest researchers to create completely new technologies that would deliver the benefit of current day cookies while also increasing transparency and truly protecting privacy.

The Federal government can lead the way in driving companies to provide consumer-centric services that provide users control over data. We propose modeling a set of requirements similar to the concept of Section 508 of the Rehabilitation Act, which requires federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities and to encourage development of technologies that will help achieve these goals. We live today in a society where the public has different abilities with regard to managing data collection. As our government Web sites become increasingly interactive, the federal government should require that federally-supported agencies and grantees drive requirements to provide users with enhanced transparency and controls.

3. Establish a Standard Definition of Personal Information.

Most privacy commitments today rely on a definition of personal information, but with the exception of a few statutes such as HIPPA and Gramm Leach Bliley, the interpretations of what constitutes personal information are wide ranging. Companies rely on a myriad of methods, from encryption to simple encoding to use purportedly non-personal information to aggregate, track, and target robust amounts and types of on- and off-line data. NIST should work with the FTC and the proposed Chief Privacy Officer to establish standards for levels of anonymity and identifiability.

4. Increase Technology and Research Support for the Federal Trade Commission

The FTC must become a technology leader to further increase its effectiveness in understanding and countering increasingly complex threats to individual privacy. It should have a significantly expanded team of technologists and an enhanced operations center to track and respond to abuses. The FTC should be provided with authority and funding for Centers of Excellence that can lead research into how to communicate about privacy to users. It should also develop a deeper liaison relationship with the academic and security research communities so that it can both respond to new concerns and help guide external efforts on the type of research that is of value to Commission staff. The FTC should also develop a major effort to evaluate and promote the use of Privacy Enabling Technologies (PETS) that can be used to mask personal information while allowing for robust information use in commerce and analysis.

5. Enhance Criminal Law Enforcement Support for the Federal Trade Commission

The FBI and DOJ must allocate their limited resources to combat terror and prosecute child predators, and are currently unable to adequately attend to the increasingly dangerous criminals involved in spam, spyware, phishing, identity theft and malware. Appropriate global criminal law enforcement support must be dedicated to support the efforts of the FTC so that it can use its expertise to ensure full prosecution of those responsible for these threats to user data. Although there has been increased cooperation between criminal law agencies and the FTC in recent years, dedicated support would ensure that serious harms uncovered by the FTC would lead to a significant threat of criminal charges, as opposed to only civil action.

Example: Malvertising: Major portals, ad networks and publishers are inundated with “malvertising attacks”. Criminal groups purchase banner ads from unsuspecting networks, and these ads morph into attacks that hijack the browsers of Web surfers who simply view the banner. Despite an impact that has affected millions of users and thousands of networks, the response has been limited to the FTC’s civil enforcement efforts. No coordinated criminal effort from law enforcement is in place to respond to this threat.

6. Provide National Leadership to Resolve the Conflict between Privacy and Online Safety for Youth.

State enforcement actions by Attorneys General have sought to require social networks to implement systems that would require the authentication of many users. Although tools to accurately authenticate minors are not currently available, the ability of users to exercise control over their online identity will be undermined if such efforts do not adequately take into account the privacy impact of many authentication services. The Administration should create a National Internet Safety Technical Task Force to develop a national policy that balances conflicting pressures for online authentication, age screening, and child safety vs. online identity and privacy. Shortly, the Internet Safety Technical Task Force, created by the settlement between social networking sites and 49 Attorneys General, will present its final report. The conclusions of this effort and additional examination of this issue should form the basis for a national policy that promotes online privacy while equally ensuring that our youth are protected.

Note: The NTIA just issued a request for individuals to serve on the NTIA Online Safety and Technology Working Group, which will provide a report to the Assistant Secretary of Commerce on ways to promote a safe Internet environment for children. This effort should be replaced by a senior-level effort, including representation from the Attorneys General, Members of Congress, advocates, academics and industry experts. This would ensure a unified government approach and provide greater likelihood of achieving national consensus on this issue.

7. Encourage Accountable Business Models

The Internet has led to the development of highly-efficient business models, by which companies collaborate and combine their individual expertise to provide a customer service. A user, by requesting one Web page, can share data with dozens of companies – a Web publisher, an ad network, an ad exchange, a search engine, an analytics company, a content distribution network, multiple advertisers and more. Despite the fact that consumers may believe the brand they are visiting is responsible for the data activity on the page, the complexity, lack of transparency and, sometimes, bargaining power imbalance has created a situation where data flows are dispersed and responsibility is often unclear. The DOC should partner with the FTC and industry groups to address this problem and identify steps that may foster accountable online business models.

——————————————————————-

The above proposals do not intend to cover the full range of privacy issues facing the new administration. Rather, we seek to highlight areas that affect consumers and in which we have particular insight because of our experience as a Chief Privacy Officer and the leader of a major law firm privacy practice. Other important issues, such as those relating to civil liberties and law enforcement, government use of private-sector data, revisions to the Privacy Act of 1974, and other concerns have been raised by groups such as the Center for Democracy and Technology. We call those to your attention.

We also call to your attention the importance of consumer confidence in e-commerce. If the misuse of data led to an erosion of consumer trust regarding e-commerce, the economic impact would be significant.

Online Privacy Decisions Confront Obama

Washington Post

By Kim Hart

January 13, 2009

Page D04

President-elect Barack Obama is about to face his first tests on consumer privacy, with questions about how much personal information Internet companies should be able to collect about consumers, how long they should keep that data, and whether they should use it to serve ads to Web surfers.

The Future of Privacy Forum, a Washington group supported by AT&T, is pushing the transition team to appoint a chief privacy officer to shape standards about the use of consumer data. Separately, the Center for Digital Democracy and the U.S. Public Interest Research Group said they plan to file a complaint today with the Federal Trade Commission, urging the agency to investigate mobile marketing practices that may threaten consumer privacy.

Jules Polonetsky quoted:

“With this administration, how data is handled is going to be far more central than ever before,” said Jules Polonetsky, co-chair of the Future of Privacy Forum and a former chief privacy officer at AOL. “We have people enthusiastically interacting with the government — wanting Barack to be our Facebook friend — yet we don’t have an accountable figure to help shape information policy.”

Click here to view the full article.

The Future of Privacy Forum Consumer Privacy Agenda for the New Administration

1. Appoint a Chief Privacy Officer to Promote Fair Information Practices in the Public and Private Sectors.

We embrace the idea of government catching up to industry by creating the central role of a Chief Technology Officer, as has been announced. But we also point out the need — recognized by hundreds of privacy-sensitive companies — for a senior level Chief Privacy Officer, someone to ensure that data protection is a central consideration for technology, data and policy decisions. Although many federal agencies have privacy officers, the fact that data is increasingly available across government entities demonstrates the need for a central figure to lead U.S. efforts to respect citizen data. To ensure that the data needed to combat terror will be available while appropriate oversight is in place to protect essential freedoms, the Administration should have an accountable, executive-level figure to drive an agenda based on responsible data practices. And as behavioral targeting, correlation of data across platforms, cloud computing and the use of personal health records becomes widespread in the business world, the need for a senior figure who can drive a consumer-centric agenda based on Fair Information Practices becomes increasingly crucial.

As data flows have already become a global issue, an empowered central address for U.S. data protection will also more effectively allow the U.S. to engage with data authorities around the world.

2. Ensure that Interactive Tools used by Government Provide Users with Enhanced Transparency and Controls.

Federal policy today requires that government Web sites refrain from using persistent cookies without agency head approval. As a result, government sites either go without the benefit of data-driven services that could optimize their usage and performance, or simply obtain agency approval and make use of such cookies without additional safeguards. At a time when citizens expect a widely expanded form of e-government, including social media and commercial Web 2.0 tools, refraining from the use of innovative tools is not an option. But also unacceptable would be simply using the tools that are available on the market today, without enhanced responsible data use rules.

The OMB and the E-Government Administrator should establish baseline principles for cookies, social media tools and other information use by commercial vendors for government. In doing so, they will drive responsible development of these tools for government and for industry. For example, analytics tools should be required to delete log-files after a defined period of time, cookies should have limited expiration periods and should not be used to store information unprotected, IP addresses should be obscured as soon as possible, and the use of the tools and user options should be transparent and prominently explained. In addition, a very limited amount of funding for basic research could challenge our best and brightest researchers to create completely new technologies that would deliver the benefit of current day cookies while also increasing transparency and truly protecting privacy.

The Federal government can lead the way in driving companies to provide consumer-centric services that provide users control over data. We propose modeling a set of requirements similar to the concept of Section 508 of the Rehabilitation Act, which requires federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities and to encourage development of technologies that will help achieve these goals. We live today in a society where the public has different abilities with regard to managing data collection. As our government Web sites become increasingly interactive, the federal government should require that federally-supported agencies and grantees drive requirements to provide users with enhanced transparency and controls.

3. Establish a Standard Definition of Personal Information.

Most privacy commitments today rely on a definition of personal information, but with the exception of a few statutes such as HIPPA and Gramm Leach Bliley, the interpretations of what constitutes personal information are wide ranging. Companies rely on a myriad of methods, from encryption to simple encoding to use purportedly non-personal information to aggregate, track, and target robust amounts and types of on- and off-line data. NIST should work with the FTC and the proposed Chief Privacy Officer to establish standards for levels of anonymity and identifiability.

4. Increase Technology and Research Support for the Federal Trade Commission

The FTC must become a technology leader to further increase its effectiveness in understanding and countering increasingly complex threats to individual privacy. It should have a significantly expanded team of technologists and an enhanced operations center to track and respond to abuses. The FTC should be provided with authority and funding for Centers of Excellence that can lead research into how to communicate about privacy to users. It should also develop a deeper liaison relationship with the academic and security research communities so that it can both respond to new concerns and help guide external efforts on the type of research that is of value to Commission staff. The FTC should also develop a major effort to evaluate and promote the use of Privacy Enabling Technologies (PETS) that can be used to mask personal information while allowing for robust information use in commerce and analysis.

5. Enhance Criminal Law Enforcement Support for the Federal Trade Commission

The FBI and DOJ must allocate their limited resources to combat terror and prosecute child predators, and are currently unable to adequately attend to the increasingly dangerous criminals involved in spam, spyware, phishing, identity theft and malware. Appropriate global criminal law enforcement support must be dedicated to support the efforts of the FTC so that it can use its expertise to ensure full prosecution of those responsible for these threats to user data. Although there has been increased cooperation between criminal law agencies and the FTC in recent years, dedicated support would ensure that serious harms uncovered by the FTC would lead to a significant threat of criminal charges, as opposed to only civil action.

Example: Malvertising: Major portals, ad networks and publishers are inundated with “malvertising attacks”. Criminal groups purchase banner ads from unsuspecting networks, and these ads morph into attacks that hijack the browsers of Web surfers who simply view the banner. Despite an impact that has affected millions of users and thousands of networks, the response has been limited to the FTC’s civil enforcement efforts. No coordinated criminal effort from law enforcement is in place to respond to this threat.

6. Provide National Leadership to Resolve the Conflict between Privacy and Online Safety for Youth.

State enforcement actions by Attorneys General have sought to require social networks to implement systems that would require the authentication of many users. Although tools to accurately authenticate minors are not currently available, the ability of users to exercise control over their online identity will be undermined if such efforts do not adequately take into account the privacy impact of many authentication services. The Administration should create a National Internet Safety Technical Task Force to develop a national policy that balances conflicting pressures for online authentication, age screening, and child safety vs. online identity and privacy. Shortly, the Internet Safety Technical Task Force, created by the settlement between social networking sites and 49 Attorneys General, will present its final report. The conclusions of this effort and additional examination of this issue should form the basis for a national policy that promotes online privacy while equally ensuring that our youth are protected.

Note: The NTIA just issued a request for individuals to serve on the NTIA Online Safety and Technology Working Group, which will provide a report to the Assistant Secretary of Commerce on ways to promote a safe Internet environment for children. This effort should be replaced by a senior-level effort, including representation from the Attorneys General, Members of Congress, advocates, academics and industry experts. This would ensure a unified government approach and provide greater likelihood of achieving national consensus on this issue.

7. Encourage Accountable Business Models

The Internet has led to the development of highly-efficient business models, by which companies collaborate and combine their individual expertise to provide a customer service. A user, by requesting one Web page, can share data with dozens of companies – a Web publisher, an ad network, an ad exchange, a search engine, an analytics company, a content distribution network, multiple advertisers and more. Despite the fact that consumers may believe the brand they are visiting is responsible for the data activity on the page, the complexity, lack of transparency and, sometimes, bargaining power imbalance has created a situation where data flows are dispersed and responsibility is often unclear. The DOC should partner with the FTC and industry groups to address this problem and identify steps that may foster accountable online business models.

———————————————————————————————————————

The above proposals do not intend to cover the full range of privacy issues facing the new administration. Rather, we seek to highlight areas that affect consumers and in which we have particular insight because of our experience as a Chief Privacy Officer and the leader of a major law firm privacy practice. Other important issues, such as those relating to civil liberties and law enforcement, government use of private-sector data, revisions to the Privacy Act of 1974, and other concerns have been raised by groups such as the Center for Democracy and Technology. We call those to your attention.

We also call to your attention the importance of consumer confidence in e-commerce. If the misuse of data led to an erosion of consumer trust regarding e-commerce, the economic impact would be significant.

Data Security Breach Laws Remain the Province of the States

With 44 states and the District of Columbia having breach notification laws on the books, California — the first state in the nation to enact such a law — is proposing to amend its law (SB. 20) to require notification of breaches to the attorney general (a requirement contained in many other states’ laws), and to require “plain language” in the notices sent to consumers. Missouri is considering a law that would make the state the 45th with a breach notice law and the first to have criminal penalties for a failure to notify individuals of a data security breach involving their personal information. Other states are considering new breach liability provisions. For example, a New Jersey bill (A. 2270) would establish retailer liability to banks for breaches of payment card data and also subject every entity covered by the state’s existing data breach notification law to liability to banks for breaches of any protected personal information. Thus, the legal regime to protect consumers from identity theft when their personal information is exposed through a breach of data security remains the province of the states, with Congress considering but yet to enact a nationwide law for consumer notification. Reg S-P, the SEC’s implementation of Gramm-Lech-Bliley, was widely expected to be finally amended by year-end 2008 to provide clearer guidance on when entities supervised by the SEC needed to provide notification of data breaches, but the amended reg is still pending.