Geolocation API Specification
Excellent to see that Alissa Cooper, CDT Chief Scientist, is involved with the development of this important Geolocation API spec at the W3C.
Although coverage of the ABA Conference remarks of the new Consumer Protection Director at the FTC (raising the need for a new paradigm for privacy regulation) got my attention, I didn’t get a chance to catch up on full coverage of the panel until today. Check out Professor Rebecca Tushnet’s blog for great coverage of the insightful conversation about the FTC, its jurisdiction and activities.
Rebecca Tushnet’s 43(B)log: ABA Consumer Protection Conference, part 1.
Court: IP Addresses Are Not ‘Personally Identifiable’ Information
Media Post
By Wendy Davis
July 6, 2009
In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.
“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision…
Jules Polonetsky quoted:
Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don’t collect personally identifiable information, but log IP addresses. “For many years, people just threw around the term ‘personal information,’” he says. “They didn’t pay attention to account IDs in the hands of third parties, IP addresses — other types of information that, with some effort, could become identifiable.”
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.
MediaPost Publications Court: IP Addresses Are Not ‘Personally Identifiable’ Information 07/07/2009.
Snip…..”Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain they don’t collect personally identifiable information, but log IP addresses. “For many years, people just threw around the term personal information,” he says. “They didn’t pay attention to account IDs in the hands of third parties, IP addresses, other types of information that, with some effort, could become identifiable.”
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.”…….
— Let’s quit debating whether IP addresses are PII. Let’s just agree that they are more significant than some less personal information and arrange to not log them when we don’t need to or let’s obscure or delete IP addresses at an earlier date. For example, consider Yahoo’s example – they anonymize search and adserving logfiles, deleting IP addresses, after 6 months (and it doesn’t appear to have shut down their business). Others retain for 9 months or a year, but many don’t yet have public policies around such data retention. Time for everyone else to follow.
Online privacy: New tool makes it easier to hide your tracks: Consumer Reports Electronics Blog.
Chris Soghoian’s TACO opt-out tool continues to pick up steam. Kudos to our friends at Lotame who include TACO in their opt-out offered to users, one of the only ad networks to do so.
From the NY Times.
The Ethicist – A Facebook Teaching Moment – Question – NYTimes.com.
“Strictly speaking, when these students gave her access to their Facebook pages, they waived their right to privacy. But that’s not how many kids see it. To them, Facebook and the like occupy some weird twilight zone between public and private information, rather like a diary left on the kitchen table. That a photo of drunken antics might thwart a chance at a job or a scholarship is not something all kids seriously consider. This teacher can get them to think about that.
She might send e-mail messages to transgressing students, noting their misdeeds and reminding them of their vulnerability. Or she could address her entire class, citing (anonymous) examples of student escapades.”
— We read this smugly and think kids are silly, we know better, especially us responsible business people. But I am aware of some experts who do “anti-trust” training, and then follow up by having the company scan the stored emails of senior execs. They pull out all kinds of scandalous comments made on email by the execs – we will crush them in the market etc. Only then do the execs grok the fact that the emails they write, even casually, can and will be used against them if turned over in an anti-trust suit. Why do we expect teens to be savvier than smart tech businesspeople?
Our friend Professor Alessandro Acquisti has published his paper showing how it is possible to predict social security numbers with a high degree of certainty, if your date of birth and location of birth are known. When Alessandro presented an early draft of his paper at the 2008 Privacy Law Scholars Conference at GWU School of Law last year, he had the audience floored. Now that he has released it, the implications for any company or agency still using Social Security numbers and a user ID or a password are significant. This is big news!
The principles agreed to by the trade groups are available here.
Future of Privacy Forum Statement Regarding Industry Behavioral Advertising July 2 Agreement
The entire industry reaching agreement on the need to get more information to users beyond the limits of a privacy policy is a significant advance. But to ensure that this will be a true step forward for consumers, companies will need to consider these rules a starting point and not a finish line and they need to ensure that the required notice is a meaningful communication clearly advising consumers that their web experience is being tailored for them. The credibility of this effort will be determined by whether this notice is only a barely visible disclaimer or whether it is really a good faith effort to educate users about a key feature. We look forward to providing input based on the results of research we have underway and to working cooperatively to make this effort a success.
There are some issues we think need to be addressed by the trade groups or by the enforcement and monitoring groups that will be involved. These would include the following: Further expand the definitions of sensitive data to cover clickstream profiles based on searches for sexual terms or for sensitive diseases, ensure that activities like re-targeting are expressly included, establish specific data retention limits for web surfing profiles and include requirements to show users their profiles. We will have a more detailed assessment of additional items needed in a report we provide on Thursday.
We also urge the browser companies to support the industry efforts by making advances on fixing the current unstable opt-out cookie process.
We have also participated in detailed discussions with TRUSTe about their plans for a behavioral advertising program and look forward to their efforts in this area.
Overall, this is a very significant step towards bringing data use out of the shadows. Getting the entire set of actors in the advertising ecosystem pulling in the direction of more consumer control could be an important turning point towards improved privacy practices.