Tag: PrivacyClassSP12

  • Obama’s effort to enforce clear rules on privacy

    Bruna Izydorczyk

    President Obama took the initiative to convoke major technology companies – of course Facebook and Google are involved – to craft voluntary codes of conduct for handling consumer data based on a bill of rights for Web users. Among other reasons, this initiative represents a Congress answer to the existence of modern foreign rules on the subject – the European Directive on privacy – and also, an attempt to avoid cross-border issues on privacy/data control.

     

    The development of such policies/rules will take place through meetings among the Commerce Department, companies and consumer groups. The Federal Trade Commission, which has the authority to act when companies engage in unfair and deceptive trade practices, would have the challenging mission to implement and enforce the standards approved.

     

    However, the effort to create clear policies on privacy seems to be interesting for the companies, which are interested in obtaining competitive advantages in well serving their consumers. As we all know, consumers’ trust is essential for the success of any business. Let’s hope that the future of privacy in the US relies also on the collective importance of the matter, and not only on the economic analysis of this issue.

    For more information, please see:

     

    http://news.businessweek.com/article.asp?documentKey=1377-a5jAQ79TwrjI-2MRQR870NSTPL8TGO31UVR346I

  • Netflix Advocates for Amendment to VPPA

    Brian Smith


    Netflix, the popular DVD rental and video streaming service, is currently supporting an amendment to the Video Privacy Protection Act (VPPA) (18 U.S.C. 2710).  The proposed amendment would allow video tape service providers (which includes Netflix) to disclose a consumer’s video rental history if that consumer has given written consent prior to the disclosure. Under current law, a company must seek consent “at the time the disclosure is sought.” Netflix claims that this reform is necessary before a proposed integration of Netflix and Facebook can be achieved, which will allow users to share the titles of the movies they watch with their Facebook friends.

     

    Privacy advocacy organization EPIC claims that this reform would shift the control over a user’s rental history from the consumer to the company, allowing companies like Netflix to broadcast a user’s rental and viewing history automatically after a one-time consent.  The amendment has already passed the House, and the Senate’s Privacy Subcommittee held hearings on the subject in January.

    By liberalizing when and how video rental services may share a user’s rental history, this proposed amendment is poised to substantially weaken the VPPA.  This legislation was originally passed in response to the disclosure of Robert Bork’s video rental history to the public, and integrating Facebook with Netflix could lead to similar inadvertent disclosures of video viewing history.  Hopefully, future Supreme Court nominees will have the foresight not to include any journalists among their Facebook “friends.”

     

    For more information, please see:

     

    Washington Post’s Post Tech Blog: http://www.washingtonpost.com/blogs/post-tech/post/netflix-discusses-video-privacy-act-along-with-earnings/2012/01/26/gIQAQFk3SQ_blog.html

     

    EPIC’s Description of the VPPA: http://epic.org/privacy/vppa/#2011%20Netflix-Backed%20Amendment

     

  • Consumer Advocacy Groups Voice Concerns Over White House Proposal

    Danny Blumberg

    http://www.sacbee.com/2012/02/23/4285987/white-house-plan-for-privacy-bill.html

    The White House’s newly released Consumer Data Privacy white paper proposes a co-regulatory process to implement the Consumer Privacy Bill of Rights.  Recent class readings describe how a multi-stakeholder process can provide benefits such as increased compliance and innovative solutions, but several consumer advocacy groups are concerned about the regulatory process which will be conducted by the Department of Commerce (and likely enforced by the FTC).  The Commerce Department’s role is to promote business interests, not consumers, and so advocacy groups are worried that large tech companies such as Google and Facebook will have too much influence during the process.  Consequently, the advocacy groups are asking that the process be public to maximize transparency and increase participation from a broad range of public interest groups.

    The multi-stakeholder proposal can be found here: http://www.worldprivacyforum.org/pdf/MultiStakeholderPrinciples2012fs.pdf.  Signatories to the baseline principles include the World Privacy Forum, American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers League, Privacy Rights Clearinghouse and U.S. PIRG.

  • Obama Administration Unveils Plan to Protect Privacy in the Information Age, including a “Consumer Privacy Bill of Rights”

    Jenna Levy

     


    On February 23, 2012, the White House revealed its plan to protect privacy in the information age, which includes a “Consumer Privacy Bill of Rights.”  The Obama Administration explains that as a world leader in the Internet marketplace, the US has a special responsibility to develop effective privacy practices that meet global standards and to protect individual privacy rights and give users more control over how their information is handled.

     

    The White House plan consists of three steps:

     

    1)     Putting in place a Consumer Privacy Bill of Rights (see below)

    2)     Achieving Privacy Policies for a Global, Open Market

    3)     Industry Action

     

    The Consumer Privacy Bill of Rights contains seven rights:

    1)     Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

    2)     Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

    3)     Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide data.

    4)     Security: Consumers have a right to secure and responsible handling of personal data.

    5)     Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

    6)     Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

    7)     Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

     

    For the official press release with the complete plan and more in depth explanation of the rights contained in the Consumer Privacy Bill of Rights, see http://www.whitehouse.gov/the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting-consumer-privacy-b

     

    For some of the first articles about the plan, please see the following:

     

    http://www.nytimes.com/2012/02/23/business/white-house-outlines-online-privacy-guidelines.html?scp=1&sq=privacy%20bill%20of%20rights&st=cse

     

    http://online.wsj.com/article/SB10001424052970203960804577239774264364692.html?mod=business_newsreel

     

    http://www.usatoday.com/tech/news/story/2012-02-23/ftc-consumer-internet-privacy/53213162/1

     

    http://thehill.com/blogs/hillicon-valley/technology/212143-white-house-unveils-privacy-bill-of-rights

  • Advertisers Can’t Be Trusted To Self-regulate on Data Collection, Says EFF

    Krystan Hitchcock

     


    The Electronic Frontier Foundation’s opinion that the digital advertising industry can regulate itself properly.  The Digital Advertising Alliance is an association of online advertisers that was created to establish guidelines to regulate matters of consumer choice, e.g. data collection, but their previous programs have been unsuccessful.  A study revealed that users found the DAA’s cookie-based opt-out tool difficult to use and to understand, and the same goes for their advertising option icon.

     

    The EFF says even if advertisers violate the newer principles, there are no repercussions and it’s unclear how the guidelines are enforced.  The EFF thinks simpler opt-out tools like the Do Not Track feature found in Safari, Internet Explorer and Firefox achieve more user benefits, but proper legislation is still the best route.

    http://www.pcworld.com/businesscenter/article/243884/advertisers_cant_be_trusted_to_selfregulate_on_data_collection_says_eff.html

  • Competitive Pressure as a Form of Industry Self-regulation

    Josh Goldman

    One twist on privacy self-regulation is regulation through competitive pressures.  A recent back-and-forth between Microsoft and Google has turned a spotlight on browser privacy settings and online advertising companies’ ability to work around the settings to collect data on users.

    Late last week, The Wall Street Journal reported that a Stanford graduate student had discovered a technique Google and other ad companies were using to circumvent default settings in Safari that blocked websites from installing cookies.  According to the Journal, “While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.”

    On Monday, Microsoft accused Google of using similar techniques to circumvent privacy settings in Internet Explorer through “a nuance in the P3P specification that has the effect of bypassing user preferences about cookies.”

    Google’s response? On the Safari workaround, Google noted, “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”  On the Internet Explorer issue, Google pointed to what it described as outdated Microsoft policies, countering that it is “impractical to comply with Microsoft’s request” given modern web functionality.

  • Google Privacy Policy

    Drew Hodel

     

    I’m a law student in an information privacy class and when Google alerted me: “New Really Really Important Privacy Policy.  Click here,” …I clicked… but definitely not there.  My lack of bargaining power told me it wasn’t worth my time.  So instead, I signed in and began g-chatting with a friend…

    Anonymous: Hey man.

    Me: Hey.  Did you check out Google’s new privacy policy?

    Anonymous: No.

    Anonymous: You’re such a nerd.

    Me: I know.  I figure I’ll check it out later.

    The problem is I’m not representing Google and I’m not representing its users.  I haven’t been hired to write anyone’s privacy policy, I’m definitely not switching to hotmail and if I use Microsoft my situation won’t change.  So when I tried reading the policy today, I struggled to get through the entire thing.  That’s just the truth but in case you were curious:

     

    Here is a link to a good article discussing the new policy: http://marketingland.com/google-terms-of-service-privacy-policy-4293

     

    Here is a link to the new policy:

    http://www.google.com/intl/en/policies/privacy/preview/

     

    In any case, whether you think Google is moving in the right direction or not with this privacy policy, can it serve as a legally binding contract between you and them, and should it?

    Google wants to create a “beautifully simple, intuitive user experience” by converting its more than 70 different privacy policies into 1, and I appreciate the thought, but it’s not always the thought that counts.  Substituting 70 individually convoluted policies with one convoluted policy does nothing to solve the convoluted part.  Moreover, no one reads the policies anyways.

    On one hand, these policies seem insufficient (in most cases) to constitute unilateral contracts:  The general rule in contracts cases is that “general statements of policy are not contractual.”  Users’ lack of knowledge and reliance interests makes it difficult to say any offer was “accepted” in the traditional sense.  On the other hand, if these policies are simply meant to serve as warnings or notices, they’re clearly not getting that job done either.

    All this set aside, the casebook points out that users do “regularly take advantage of” their privacy settings. (p. 819) So if Google were to expose a user’s information more broadly than he set it in his privacy settings, I believe the user would at least have a viable lawsuit under the theory of promissory estoppel and perhaps as a breach of a legally binding and bargained-for contract.  In any case, I do not like the idea that a privacy policy might represent a legally binding contract.  Google has unfair bargaining power and should not be able to take advantage of this by including terms that are not favorable to customers in a legally binding contract.

  • Proposed Amendment to Privacy Act

    J.D. Bean

    Proposed Amendment to the Privacy Act: The Privacy Act Modernization for the Information Age Act of 2011

    – Introduced October 18th, 2011 by Senator Daniel K. Akaka, chairman of the Senate Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia

    – Available At: http://www.gpo.gov/fdsys/pkg/BILLS-112s1732is/pdf/BILLS-112s1732is.pdf

    – More Info At: http://akaka.senate.gov/press-releases.cfm?method=releases.view&id=b5750831-557f-452d-a96d-b98dc967de57

    – Relevance: The amended act would overturn Doe v. Chao, update definitions and language to better correspond with modern IT techniques/concepts, codify the OMB definition of “personally identifiable information”, and extend the enhanced authority to investigate Privacy Act violations currently enjoyed by the Department of Homeland Security’s Chief Privacy Officer to additional agency CPOs. The act would strengthen civil and criminal remedies for Privacy Act violations and update both exceptions for agency notice of disclosure requirements and the requirements for agency publication of notices of systems of records.

  • Digital Data on Patients Raises Risk of Breaches

    Vladimir Andric

     

    http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?_r=1&ref=identitytheft

     


    Another article confirming the “stick with it like glue” as the major security principle when it comes to data protection in the world of electronic data management systems. The health industry is reported to have lost $6.5 billion to consequences of data breaches in 2010, and 2011 estimates show a 32% increase in the number of reported breaches. The article offers some interesting points on dealing with such data breaches and liability issues.

     

    And for an international perspective, http://www.aboutidentitytheft.co.uk/ provides an outlook of how the United Kingdom deals with identity theft issues.

  • Proposed EU Data-Privacy Rules Require Breach Disclosure within 24 Hours

     

    Josh Perles


    Part of a comprehensive suite of data-privacy reforms, the proposed rules would require any firm with EU customers to notify affected individuals and the relevant authorities within 24 hours of detecting a breach.

     

    The draft legislation has received mixed responses.  Though designed to enhance consumers’ ability to manage personal data, critics point out that the short deadline may ultimately undermine privacy goals by interfering with law enforcement investigations, distracting from damage control, and creating confusing false alarms.

     

    Some view the proposal as a reaction to the PlayStation Network breach last spring, after which Sony failed to notify customers for over a week.  Even if the proposal never comes into effect, it sends a strong message to IT firms: step up your data-privacy game or risk strict regulation.

     

    http://www.nextgov.com/nextgov/ng_20120127_6325.php?oref=topnews