Future of Privacy Forum Letter to the White House Office of Science and Technology Policy
Following is the text of the letter we sent to the White House in response to the call for feedback on the President’s memo on Openness and Transparency.
April 3, 2009
Dear Ms. Noveck:
The Future of Privacy Forum is providing the below suggestions to offer a roadmap for enabling use of analysis, site optimization and tracking technologies by government agencies. Personalizing site content for users, enabling long-term shopping carts and improving site usage are key to providing the public the best possible web experience and these functions are reliant on cookies and other technologies currently limited by various approval requirements. As a result, agencies may end up either forgoing the use, or they seek approval but may not seek to establish additional necessary controls to ensure these technologies are used in the most privacy-friendly manner.
We provide below practical guidelines that could enable the use of cookies to better serve the public as desired by many government web managers. Some of these concepts are already in place at some of the most progressive private sector companies, and government leadership in this area would spur wider adoption of these practices that both optimize the user experience and ensure privacy and transparency in data use.
We propose that the current restrictions on cookies and similar technologies be abolished. In their place should be requirements that establish leading practices for such technology practices.
Ensuring that Interactive Tools used by Government Provide Users with Enhanced Transparency and Controls for Data Collection and Retention
Analytics, Research or Others Using Cookies, Tracking Pixels or Other Tools
1. Delete log-files after a defined period of time.
a. Data retention periods for “non-personal” log-files vary widely across vendors, are not publicly disclosed and are rarely committed to contractually.
2. Cookies should have limited expiration periods and should not be used to store information unprotected.
3. IP addresses logged by vendors should be obscured or deleted as soon as possible.
a. Some vendors can use and then immediately scramble IP addresses as they log them.
4. The use of the tools and user options should be transparent and prominently explained.
5. Consider implications of use of “first party” White House domain for analytics, rather than “third party” domain, to avoid potential for unwanted correlation.
6. Contractual representations barring use of data for purposes other than services contracted, other than aggregate reporting.
We will be pleased to provide further detail about the above upon request.
Sincerely,
Jules Polonetsky
Future Of Privacy Forum
fpf.org
Privacy notices work best in tables, says US gov research • The Register
Important privacy notices study conducted by leading researchers Dr Manoj Hastak of American University and Dr Alan Levy of the FDA on behalf of the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Securities and Exchange Commission.
MediaPost Publications The Further Adventures Of Opt-In Man
Excellent review by Behavioral Insider’s Steve Smith of how networks are beginning to provide users access to profiles and a roadmap to make this more useful for users. The eXelate widgetised version of a profile viewer that publishers or advertisers could provide at their own sites seems to make sense — if there was a way to scale this indeed.
The Department of Homeland Security is seeking applications for appointments to the agency’s Data Privacy and Integrity Advisory Committee. The committee provides advice at the request of the Secretary of DHS and the agency’s Chief Privacy Officer on privacy related matters. The agency is seeking to fill two terms that would expire in January 2012, and January 2013. Applications for the positions must be received by the agency on or before June 8, 2009.
Looks like a fabulous talk today at Harvard to be presented by our Advisory Board member Professor Annie Anton. Hope someone will be live blogging/twittering!
CRCS Privacy and Security Lunch Seminar
Date: Wednesday, May 6, 2009
Time: 12:00 pm-1:30 pm
Place: Maxwell Dworkin 119
Speaker: Annie Anton
Title: Designing Software Systems that Comply with Privacy Laws
Abstract: Properly protecting information is in all our best interests, but it is a complex undertaking. The fact that regulation is often written by non-technologists introduces additional challenges and obstacles. Moreover, those who design systems that collect, store, and maintain sensitive information have an obligation to design systems holistically within this broader context of regulatory and legal compliance.
There are questions that should be asked when developing new requirements for information systems. For example: How do we build systems to handle data that must be kept secure and private when relevant regulations tie your hands? When building a system that maintains health or financial records for a large number of people, what do we need to do to protect the information against theft and abuse, keep the information private, AND at the same time, satisfy all governing privacy laws and restrictions? Moreover, how do we know that we’ve satisfied those laws? How do we monitor for compliance while ensuring that we’re monitoring the right things? And, how do you accomplish all this in a way that can be expressed clearly to end-users and legislators (or auditors) so they can be confident you are doing the right things?
We’ve been working on technologies to make these tasks simpler, and in some senses, automatic. In this talk, I will describe some of the research that we have been conducting to address these problems. I will also discuss the results of a survey involving 975 Internet users in which we compared various ways to represent privacy management information to online healthcare consumers. The results of this work and our other studies pose interesting ethical questions for industry and society at large, and help illustrate the complexity of the problems.
Opt-Out Cookie Best Practices
Some very thoughtful guidance on opt-out cookie practices just released by our friend at PrivacyChoice. Check them out!
More on Scalia
Scalia: Free Speech Trumps Privacy Online
by Wendy Davis
http://web.archive.org/web/20090508122947/http://www.mediapost.com:80/publications/?fa=Articles.printFriendly&art_aid=105258
Some lawmakers are talking about enacting new online privacy laws, but at least one U.S. Supreme Court Judge has indicated that such laws might not be constitutional. Earlier this year, conservative judge Antonin Scalia said new privacy laws would conflict with the First Amendment. The remarks, made at an event held by the Institute of American and Talmudic Law, were in response to comments made by Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum. Polonetsky outlined the various ways that data is collected across different Web platforms and proposed that people need some assurances that the information won’t be used against them. Scalia responded that the First Amendment would prevent much of the privacy protection that Polonetsky seemed to favor.
In a follow-up question, Polonetsky asked Scalia what he thought about a federal law banning video rental stores from disclosing the names of movies customers borrow. That law has particular resonance for Supreme Court judges because it was passed after a newspaper obtained and printed video rental records of nominee Robert Bork. Scalia then softened his position somewhat, to concede that “sensitive” information might warrant privacy protection… more at http://web.archive.org/web/20090508122947/http://www.mediapost.com:80/publications/?fa=Articles.printFriendly&art_aid=105258
IAPP Audio Conference – Identity, Identifiers and Personal Data
Two of the most important concepts of data protection law and its application are identifiable data and (in many jurisdictions) the relationship of this data to an identifiable person. For privacy laws to apply effectively this relationship must be clear. Yet, what is less clear is the critical dividing line between personal data and de-identified data. Join us to explore both established and emerging definitions of “PII” and “personal data” within the framework of existing technical capabilities, case law and regulatory views.
Speakers:
David Hoffman, CIPP, Director of Security Policy and Global Privacy Officer, Intel Corporation
Renzo Marchini, Counsel, Dechert LLP
Jules Polonetsky, CIPP, Co-Chairman and Director, Future of Privacy Forum
Price:
IAPP Members: $159
Nonmembers: $179
Justice Scalia’s Remarks About Privacy
Justice Scalia’s remarks about privacy, which came in response to Jules’ call for privacy advances at the IAT Law Conference, have been causing some controversy!
We now have respected and savvy technologists in place in government as CTO and CIO. Jules will be speaking at RSA this week to CIOs and CSOs about the key relationship between them and their CPO, an issue that has become an increasing corporate focus. With the many federal privacy issues in play right now, we now need a Chief Privacy Officer at the most senior government level to help ensure trust about user data. Consider the skepticism over putting NSA in charge of federal government cyber-security – even though NSA may have the best technical security expertise, critics have expressed concerns about NSA playing this role due to past government privacy controversies. An empowered CPO with clout (or a Chief Counselor for Privacy, as a version of this role was called when Peter Swire held it during the Clinton years) could bolster the level of faith in government needed to ensure that every agency is aware that the President wants the oversight, checks and balances, and legal processes in place that ensure both security and respect for privacy and civil liberties.
There are great agency CPOs in the intelligence agencies and elsewhere in government and the recent appointment of Mary Ellen Callahan at Homeland Security was a great move. But the Obama Administration could continue its record of innovation by the appointment of a CPO to partner with our new CTO and CIO.