Category Archives: Law: Privacy

Today the the Obama Administration is unveiling its new “Consumer Privacy Bill of Rights” (quoted in full at the end of this post) which they tout “as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.” [Update: The White House issued this ‘white paper’, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy that it says provides the background for the proposal. Despite the January cover date, I think it’s new, suggesting that there may have been some last-minute tussle about the contents?] [Update2: White House “Fact Sheet” on ‘Consumer Privacy Bill of Rights’.]

But as far as I can tell from my initial read, this is only a first step towards rules with a tooth or two. Next, our friends at NTIA (the people who gave you the modern ICANN), will be “conven[ing] Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.” Good luck with that in this Congress.

NTIA does have a strong and smart leader right now, Lawrence E. Strickling, the Assistant Secretary for Communications and Information, so this could be good. On the other hand, Strickling has shown willingness to carry the trademark lobby’s water on some ICANN issues (what else is new?), so this bears watching. On the good side, the administration is asking for enforceable legislation, not some blurry new public-private partnership. And the Commerce Department wrote a pretty good requirements document for what the policy should look like in its recent National Strategy for Trusted Identities in Cyberspace (April 2011). That document envisioned an “Identity Ecosystem” described as a system that will enhance privacy and civil liberties:

The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace. By default, only the minimum necessary information will be shared in a transaction. For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data.

In addition to privacy protections, the Identity Ecosystem will preserve online anonymity and pseudonymity, including anonymous browsing.

However, while setting out the outlines of how such a system might work in theory, the Strategy did not attempt to explain key aspects of how its ambitious goals might be attained in practice. Instead it sets out a ten-year roadmap, in which the first three to five years require “standardization of policy and technology” based on the twin pillars of underlying reliable offline credentials and private-sector leadership. Worse, only one month later, however, the White House released its International Strategy For Cyberspace, a document that while by no means all bad (it extolled the Internet’s benefits and opportunities), also warned darkly of the Internet’s dangers:

Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety The theft of intellectual property threatens national competitiveness and the innovation that drives it These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.

And it is this latter document, not the better Identity Management paper from a month earlier, that gets cited in today’s press release about the “Consumer Privacy Bill of Rights”. Which vision will prevail – the primarily pro-privacy vision or the Internet-as-danger vision? The Administration’s press release sounds some positive notes, for example this one:

Achieving privacy policies for a Global, Open Internet: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners.

At very hurried first glance the Consumer Privacy Bill of Rights idea seems based on principles that actually sound good…but may not be quite as great as they sound:

American Internet users should have the right to control personal information about themselves. Based on globally accepted privacy principles originally developed in the United States, the Consumer Privacy Bill of Rights is a comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit. These rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.

Does this mean the US will catch up with the EU’s data protection regime? I can’t tell for sure, but my first guess is “no”. To say that these are “obligations to which companies handling personal data should commit” is carefully not to say that these are obligations to which corporations will be required to adhere. At least not yet. Or at most only sectorally, rather than generally. Meanwhile, though, we’re going to kick the can down the road a bit, and “convene stakeholders including industry and privacy advocates to develop enforceable codes of conduct that implement the principles in the Consumer Privacy Bill of Rights for specific industry sectors.” But only those rules that “will keep up with, and not hamper, the pace of innovation.” So if your business model is, like Facebook or Google, based on using consumer information, then what?

There is one thing everyone agrees on – that companies should keep their promises about privacy and that the FTC can enforce on them when they do not – and this will remain a major enforcement tool. That’s good as afar as it goes, but in most cases that is only as far as your carefully drafted EULA.

The Administration seems to envision a legislative proposal, I would imagine after the election. It will set out the “basic principles the Administration believes should be reflected in a privacy law” which will on the one hand involve proposing “clear and actionable rights” while also providing “a way for companies to be confident that they are respecting these rights through an FTC-approved enforcement safe harbor.”

Let the food fight begin?

Here is the advance text of the Obama administration’s “Consumer Privacy Bill of Rights”:

Continue reading →

We’re clearly moving towards a tipping point on total traffic surveillance. Here’s SF’s contribution:

Big Brother will be watching you.

Within the next 15 months, every one of Muni’s 819 buses will be outfitted with cameras capable of snapping photos of vehicles illegally travelling or parking in The City’s transit-only lanes. Any car caught on tape will be subject to fines of up to $115.

Since 2008, about 30 Muni buses have been equipped with the cameras. And even though the rollout has been modest so far, the results have been telling, said John Haley, transit director of the San Francisco Municipal Transportation Agency, which operates Muni.

“The cameras have been instrumental in changing driver behavior,” said Haley. “When cars see a bus coming, they get the hell out of the way now.”

— Muni expanding camera program to nab drivers in transit-only lanes

Spotted via Slashdot, San Francisco Enlists Bus Cameras For Traffic Law Enforcement.

So both government and private industry (insurance) will be watching us. Parents following kids are next (cellphone based apps already provide a form of this service, but it’s easier to ditch the phone than the car). Then we start monitoring people parked near bars. Eventually we move to predictive models of traffic violation. Then maybe we start modeling other crimes, like drug buys and curb crawling. (Pity it doesn’t work for insider trading.) Meanwhile the huge databases are constructed for use by law enforcement, and discovery in civil suits. Even if all this remains on balance benign in rule-of-law democracies, it invites small-scale abuses.

And in autocracies we can expect large-scale abuses on a grand scale. That’s a serious problem that doesn’t get thought about nearly enough as we build and then export the technologies.

TomTom has signed a deal with an insurance company to use its satnav technology to measure driving ability to set premiums.

The satnav specialist said it has teamed up with Motaquote on Fair Pay Insurance – a product that the companies claim rewards ‘good’ drivers with lower premiums, using technology to monitor driver behaviour.

— TomTom tech to set driver insurance premiums (spotted via Slashdot.)

Sorry to sound like a broken record here, but I predicted something like this over a decade ago in The Death of Privacy?. That doesn’t mean I have to like it…although in principle this one I hate a little less than some, since at least it’s a private transaction, and in theory you have some choice about whether you sign on for it.

The problem is that the choice to refrain likely won’t last long. Other companies are already doing something similar. See for example Progressive Insurance’s “Snapshot” program that monitors your driving for 30 days in order to figure out your quote. Once this sort of monitoring becomes widespread, those who do not sign up for it will be dumped into the high-risk pool. This seems to be an example of the phenomenon discussed so well by Lior Strahilevitz in Privacy versus Antidiscrimination.

Previously:

• Total Traffic Surveillance Systems (2/4/12)
• Privacy Myopia, Economics of (5/18/09)
• Who Owns Transaction Information? (5/4/08)
• I Predicted This Years Ago (6/6/07) (divorce lawyers are using commuter records to make their cases)
• The Rise of Masks in Public (10/8/05)

Update (2/10/12): Looks like insurers will be tracking drivers in the UK too:

The AA is set to launch a new insurance policy which uses sat-nav technology to track driver performance.

The firm said the system would allow its better drivers to receive cheaper premiums.

It follows similar efforts by smaller insurers. Larger rival Direct Line has told the BBC it is also piloting its own “black box” scheme.