The Future of Privacy Forum is proud to be a sponsor of Tech Policy Central’s new pii2010 conference, which takes place August 17 – 19 in Seattle, WA.
pii2010 (privacy identity innovation) will explore how emerging technologies and business models are impacting data creation, sharing and aggregation, and how to strike a balance between protecting sensitive information and enabling innovation. Hosted by CBS News technology analyst Larry Magid, the conference will bring together key stakeholders from the technology, legal, academic, nonprofit and government communities to talk about the latest developments and where innovation is heading.
Chris will be speaking at pii2010, along with more than 30 leading experts including:
Kim Cameron – Chief Architect of Identity for Microsoft
Marc Davis – Cofounder and CTO of Invention Arts
Marie Alexander – CEO of Quova
Michael Fertik – CEO of ReputationDefender
Anne Toth – Chief Privacy Officer of Yahoo!
Rick Klau – Product Manager for Google
Berin Szoka – Director, Center for Internet Freedom at PFF
Scott Meyer – CEO of Better Advertising
Pete Kazanjy – Cofounder and CEO of Unvarnished
Stephen Hood – Cofounder and CEO of BlockChalk
Fran Maier – President of TRUSTe
Denise Tayloe – CEO of Privo
Drummond Reed – Executive Director of the Information Card Foundation and Open Identity Exchange
In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for learning about and collaborating on new projects that will take place on August 19 inside Seattle’s famous Space Needle building. Other special activities at the conference include a screening of the British documentary “Erasing David,” featuring the film’s director and namesake David Bond, and a startup “Pitch Slam” where eight promising entrepreneurs will deliver their best 5-minute pitch.
As privacy enthusiasts eagerly await this afternoon’s Senate Commerce Committee hearing on consumer online privacy, FPF Co-Chairs Jules Polonetsky and Christopher Wolf provided some thoughts to Huffington Post about how the business community can help address some of the concerns that have been escalating in this arena.
Congressman Rush Pushes Privacy Agenda With Introduction of Bill
Yesterday Illinois Congressman Bobby Rush, Chairman of the Committee on Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced H.R. 5777, the “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act”, or BEST PRACTICES Act of 2010. The bill adds to the contentious privacy debate that came with the much-anticipated Boucher-Stearns privacy legislation circulated in draft form earlier this year, and which is still in draft form.
While the just-introduced bill shares similarities with the draft Boucher legislation, the 55-page bill proposes to levy fines of up to $5 million on businesses and individuals unless they abide by regulations to be administered by the Federal Trade Commission. There is an exemption for small businesses, but entities (and even individuals) that hold 15,000 or more names, e-mail addresses, or other personal information in their records will be subject to the proposed law.
Additional points that differentiate it from the Boucher-Stearns draft bill include:
– A broader safe-harbor rule, which is essentially tossed to the FTC to detail the rule-making;
– A broader definition of sensitive data;
– A broader definition of third parties (i.e. a company’s different brands could be third party if a consumer wouldn’t associate them together);
– IP addresses are not covered, unless linked to a profile used for analysis or tracking;
– A wider exemption for operational needs;
– A private right of action is included.
Congressman Rush has scheduled an initial hearing on the bill for this Thursday at 2 PM EDT, which will be an important continuation of the ongoing discussion of what legal protections may be needed. Our prediction is that the bill is not likely to near passage this year, given the limited legislative time available, but it serves to further the discussion about some very important issues in this space. The Future of Privacy Forum looks forward to further analysis and discussion of the bill in the days ahead.
Leading Privacy Experts Join the FPF Advisory Board
FPF is fortunate and honored to have many of the leading minds from the business, academic and advocacy worlds among our Advisory Board members, and with the addition of the following six new members, our Board will become even more enriching. We thank them for joining and look forward to their counsel:
James Byrne is Lockheed Martin’s Chief Privacy Officer. He is also responsible for company data and records management. Prior to his new position, Byrne served with the Ethics and Business Conduct organization. He joined Lockheed Martin in August 2008 from the Office of the United States Special Counsel (OSC), where he served as the Deputy Special Counsel, a career Senior Executive Service (SES) position. Prior to that assignment, Byrne was the General Counsel and Assistant Inspector General for Investigations with the Office of the Special Inspector General for Iraq Reconstruction (SIGIR), also an SES level position. He has nearly 25 years of professional experience in the military and federal government including several years as a federal narcotics prosecutor and deployed Marine infantry officer.
Scott Goss is Senior Privacy Counsel for Qualcomm Incorporated, a global leader in wireless technologies and services. As Qualcomm’s first attorney focusing exclusively on privacy issues, he is responsible for leading the company’s efforts to design, create, and execute a comprehensive and consistent global privacy program. Goss received his J.D. from University of California, Davis in 1998 and became a Certified Information Privacy Professional in 2005. He started his legal career as a patent litigator for an IP boutique firm in Silicon Valley. After two years in a law firm, he went in-house – first to a map database company and then to an online advertising company. Now at Qualcomm, Goss provides legal and policy advice on privacy matters to Qualcomm and its wholly owned subsidiaries.
Pamela Jones Harbour is a Former Federal Trade Commissioner and now a partner at the law firm Fulbright & Jaworski LLP, where she works in their antitrust and competition practice. Harbour served on the Federal Trade Commission from 2003 until 2010. She previously spent a decade working in the New York Attorney General’s Office, including her role as Deputy Attorney General, where she investigated and prosecuted a variety of antitrust and consumer protection violations.
Ian Kerr holds the Canada Research Chair in Ethics, Law & Technology at the University of Ottawa, Faculty of Law, with cross appointments to the Faculty of Medicine, Department of Philosophy and School of Information Studies. Kerr has published numerous books and articles on topics that discuss the intersection of ethics, law and technology. His more recent focus on robotics and implantable devices examines legal and ethical implications of emerging technologies in the health sector. Kerr holds several positions on editorial and advisory boards and is co-author of Managing the Law: The Legal Aspects of Doing Business, a business law text published by Prentice Hall, which is used by thousands of students each year at universities across Canada.
MeMe Jacobs Rasmussen is chief privacy officer, vice president, and associate general counsel at Adobe, where she oversees Adobe’s privacy strategy and policy, and leads a team of attorneys and paralegals with responsibility for the protection of Adobe’s intellectual property. Prior to joining Adobe in 1997, Jacobs Rasmussen served as general counsel and later chief operating officer at Rocket Science Games. Previously, she practiced law at Gray Cary Ware & Freidenrich in Palo Alto, California, and at Foley, Hoag & Eliot in Boston. Jacobs Rasmussen started her career in the early 80s as a technical instructor at Prime Computer near Boston before joining the company’s in-house legal department.
Russell (Russ) Schrader is Chief Privacy Officer and Associate General Counsel – Global Enterprise Risk for Visa Inc, where he is responsible for privacy and payment systems risk policies and related subject matter. Schrader is also a principal legal liaison for Visa financial institutions’ attorneys on regulatory issues. He is a Fellow of the American College of Consumer Financial Services Attorneys, chairman of the ABA Consumer Financial Services Committee on electronic payments, a former member of the Federal Reserve Board’s Consumer Advisory Committee, and a former director at the Council of Better Business Bureaus. Prior to Visa, Schrader headed the National Consumer group in the Legal Department of Chase in New York City. He was responsible for legal services to the mortgage, auto, home equity and unsecured lending businesses.
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. FPF was launched in November 2008.
Privacy Papers for Policy Makers
The Future of Privacy Forum is calling on academics and thinkers with an interest in privacy issues for their involvement in “Privacy Papers for Policy Makers.”
PURPOSE
• To highlight important research and analytical work on a variety of privacy topics, and to ensure policy makers are informed of the most influential scholarship as they address privacy issues.
• Papers should clearly analyze current and emerging privacy issues and either propose achievable short-term solutions, or propose new means of analysis that could lead to solutions.
REVIEW PROCESS
• Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board will review the submitted papers to determine which papers are best suited and most useful for policy makers in Congress, the FTC, FCC, state and worldwide leaders.
• The Advisory Board will announce the selected papers at an event in September, and provide a bound compilation to policy makers in the United States and abroad.
SUBMISSION
Paper Submission Deadline: July 15
Please include: author’s full name, phone number, current postal address and e-mail address.
The entry can provide a link to a published paper or a draft paper that has a publication date. FPF will work with the authors of selected papers to develop a policy maker-appropriate summary that respects any relevant copyright concerns.
A special thanks to AT&T, LexisNexis, Microsoft and Procter & Gamble for support of the Privacy Papers for Policy Makers project.
Additional sponsors welcome. Please contact Andrew Kovalcin at [email protected]
"HTTPS Everywhere" Browser Security – A Step In the Right Direction
The following piece is a guest blog from Mark Goldstein, CIPP. Goldstein is a privacy/security consultant and previously served as a senior director in AOL’s consumer advocacy and privacy department.
Most consumers are aware that they should look for the “padlock” icon on their browser when visiting their online bank. The “padlock” tells the consumer that there is an encrypted connection between their browser and their bank, which is known as an “HTTPS connection,” and it cannot be deciphered. Being encrypted prevents the hacker sitting across from you at Starbucks, who is also using their free wireless service, from viewing your bank information. The encrypted connection prevents anyone from snooping on your communications. (Believe it or not, up until the last couple of months most e-mail communications with AOL, Google, Yahoo, etc. were open and easily visible by hackers, with the exception of your login info which was usually encrypted). The point is that encryption is essential for strong privacy and security protections.
With that in mind, the Electronic Frontier Foundation recently developed a plug-in called “HTTPS Everywhere,” which allows for securing communications between your PC and a number of websites including Google search, Wikipedia, Facebook, and Twitter which don’t normally default to HTTPS. This is a step in the right direction, because ideally anytime there could be sensitive information being transferred between your browser and a website it should be encrypted…
FPF Icon Project Cited By EU Article 29 Working Party
The EU Article 29 Working Party has issued an opinion on the need under EU law for consumer opt-ins for behavioral advertising that involves online tracking. Our friends at Hogan Lovells have provided this analysis on their blog. In calling for “simple and effective mechanisms for users to affirmatively give their consent for online behavioral advertising,” the Working Party cited the work of the Future of Privacy Forum in creating a user-friendly mechanism for notice and consent, and encouraged industry to engage in a dialogue with data protection authorities on ways to effectively and efficiently implement the opt-in requirement. Just as the Future of Privacy Forum has contributed to the discussion of empowering consumers in the behavioral advertising space in the United States, we look forward to sharing our perspectives during the EU dialogue.
Tying IP Addresses to Offline Data
This morning Media Post’s Wendy Davis reported on ClearSight Interactive’s new behavioral targeting platform, which allows marketers to target Web users based on the profiles associated with their specific neighborhoods. FPF’s Co-Chair and Director, Jules Polonetsky, was quoted as saying, “[The practice] strains the limits of sanity to think that someone with a straight face would claim that users have opted in to being labeled ‘impotent.’ … This appears to be exactly the kind of behavior that regulators want to see constrained.”
The Future of Privacy Legislation: A Conversation with Congressmen Rick Boucher and Cliff Stearns
On Wednesday, Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL), Chairman and Ranking Member of the House Subcommittee on Communications, Technology and the Internet, spoke exclusively with the Future of Privacy Forum and a select group of privacy advocates, academics, and members of the business community about the discussion draft of privacy legislation the Congressmen released on May 4. The event was held in the Cannon House Office Building and more than a hundred participants joined either in person or via teleconference.
FPF is extremely grateful to all those who attended, and most importantly to Reps. Boucher and Stearns for their candor and willingness to participate in such a robust discussion about the future of consumer privacy legislation.
Below are several topics that were discussed during the event and some very pertinent quotes from the Congressmen.
Privacy Legislation:
The Congressmen stated that they published the bill in draft form because they wanted to receive and consider the input of public and private stakeholders before the bill’s formal introduction in Congress, and said that they have received more than seventy comments to date. Congressman Boucher emphasized that he would like to move forward as soon as possible, but given that he wanted to take time to read and synthesize all the comments, a bill would not likely be introduced before the end of July: “When we have that satisfaction with our committee, bipartisan congressmen and stakeholders, we’ll move forward,” explained Boucher. “It is optimistic to think this will happen by end of July. We’ll spend time digesting and thinking and seeing what level of support we can expect to receive.”
As Congressman Boucher explained, “There is a lot of concern about what information is collected and how information is shared. The lack of understanding about practices leads to a lack of trust for online consumers.” According to the Chairman, “Our goal is to resolve the uncertainty, and to provide fundamental privacy assurances that will lead to more levels of Internet utilization.” He added that this legislation is not designed to regulate the Internet but to provide privacy guarantees that will enhance users’ experience on the Internet.
The draft legislation aims to set baseline standards for all entities regarding how they collect, use, and share personal information in both the online and offline contexts, while recognizing that best practices are already being implemented by the largest, most reputable companies.
Targeted Advertising:
Congressman Boucher explicitly noted that his bill will not inhibit targeted advertising: “We’re internet advocates. This is not a measure designed to regulate the internet in any way. It is designed to provide the privacy guarantees that will enhance the internet experience and lead to a greater willingness to trust online transactions. We are not seeking to impose barriers or to inhibit targeted advertising. We respect targeted advertising. It is the model today that has been highly successful and it enables a lot of a very useful content to be provided for free to internet users. We don’t want to inhibit that.”
Opt-In and Opt-Out Requirements:
Congressman Boucher explained the thought process behind opt-in and opt-out requirements included in the legislation: “The first clear requirement that we have is prominent disclosure by all entities that collect information of the information that is collected, how that information is used and the circumstances under which, and the ability, at least generically of the individuals of whom that information is collected. We then provide as a second major principle control over the collection and use practice on the part of the individual from whom the information is collected.
We generally apply an opt-out principle and the mechanism for control. We apply opt-out, for example, to all first-party transactions. We apply opt-out to interactions between a first party and a service provider, whose services are necessary to complete the first party transaction. That information is subject to opt-out. We apply opt-out to affiliates of the first party, [and] we apply opt-out and exemptions generally for operational and transactional collection of sharing. We apply opt-in in limited instances and those instances fall into two categories: First of all, sensitive information. We define that as information that is very personal to the individual, such as financial information, medical information, information about children and adolescents, geographic location-specific information. For the most sensitive information, opt-in would be required before that could be collected or used. The second major way in which we apply opt-in is that it would generally apply to the sharing of information with unaffiliated parties. But we have a major exception to that requirement: the sharing of information with unaffiliated parties. Advertising networks, for example would be permitted under the ‘opt-out’ principles where those advertising networks or similarly situated parties follow the best business practices.
Let’s be specific about what these are. These are opt-out if each advertisement that is received from any of the entities on an advertising network has a link associated with that ad that identifies the derivation of the ad, and says that it stems from the creation and use of a preference profile. And this provides access to the preference profile. And the opportunity for that user to modify that profile. So access to the profile, and the opportunity to modify would be the first requirement. Second requirement is that those advertisements have a link associated with it that enables upon activation the elimination of information sharing about that individual within the advertising network. So the individual could choose not to have the individual about them distributed within the advertising network. If those two requirements are met—and I’ll stress again, these are requirements that are in practice today by some advertising networks, then opt-out would apply with regard to information sharing, even among the unaffiliated parties.”
Privacy Notices and Privacy Policies:
Prompted by a question about the length of privacy policies from FPF Co-Chair Christopher Wolf, Congressman Stearns discussed the issue at length: “As policymakers, Rick and I have to decide to what degree to do and what degree not to do. When I had these hearings and recognized how difficult it was to come up with a privacy bill, I almost thought that a “Good Housekeeping” seal of approval—let the private sector develop this seal of approval by talking to the Federal Trade Commission, and the FTC would give them a seal and they would use that on the webpage so that the consumer, rather than reading through the long contract about privacy, he could just use that seal of approval and that would be sufficient.
This is sort of the easy way out on this, because then the private sector is doing it and we don’t have the FTC issuing fines or perhaps we don’t have complicated bills. But at the same time, some of this, as Rick pointed out, sometimes the consumer has a right to know what they are collecting and he or she should be able to opt-out of that collection.”
Stearns went on to explain that, “When we had a hearing they [the FTC] could not answer when and where the dialogue boxes should come up. It didn’t come up at that point the legal language, but many of us don’t read the privacy forums that are popping up now because there is so much legalese. So I think what you need is a general understanding of what the dialogue boxes contain, and sort of a checklist if that’s in there. There’s got to be something so that the consumer doesn’t have to read the legal contract in detail, because one: he or she won’t know what it means; and two: it’ll scare them. We don’t want in the long run to have consumers deterred from using the internet through these dialogue boxes that pop up that are hugely legalese. So in the end it’s got to be up to the FTC but at the same time consumer friendly, so in the end we don’t feel as though we’re putting ourselves in a legal situation.”
Congressman Boucher added, “We are in an almost daily conversation with the FTC about privacy principles.” Boucher also noted that the FTC would have final say over the regulations of the bill, including the language of the privacy notices.
Innovation with Notices:
FPF Co-Chair Jules Polonetsky highlighted the inclusion of better transparency and control tools that appear to be a piece of the draft legislation, which would mirror the recent development of the “Power-I icon,” which was created by FPF and WPP in the past year. This discussion prompted Congressman Boucher’s comments about how similar innovations are already being seen in the mobile technology sphere: “Many of the mobile providers have already begun a very productive consideration of how to ensure and enhance levels of privacy. I’m reminded, for example, of the universal “opt-in” that occurs when you start a Smartphone for the first time. It basically says, ‘Do we have the permission to track your geographic location for various applications that you may decide to employ on this device?’ … With one click affirmatively at that point [users] can decide to allow the tracking of geographic-specific information.”
US vs. EU
Congressmen Boucher and Stearns noted that even if privacy legislation is enacted, the FTC would still have the discretion to bring enforcement actions regarding the language and manner of privacy disclosures (including for Apps and mobile devices, which they also confirmed are covered by the draft bill). They also discussed privacy regulation in general and the compatibility of European and global standards – commenting that despite supposedly stricter privacy regimes overseas, enforcement is more robust in the United States – and stated that their legislation would aim to honor practical applications over cumbersome regulatory policy.
As Boucher stated, “We are not looking to imitate the EU. We want a lighter regulatory touch. The EU has always honored the law over practical applications.”
Stearns added, “EU privacy policy is very onerous. We don’t want the same burden. So I don’t think you can ever make them happy. We don’t want that in the U.S. [and] that’s why [the] lite draft bill is good.”
June 25, 2010 – House Panel Wants Apple To Explain Privacy Changes, Sci-tech-today