The Case for a Privacy Protocol

0 Comments
Join the Conversation
Information Security Model - Image provided courtesy purpleslog, flickr.com
Information Security Model - Image provided courtesy purpleslog, flickr.com
Why a comprehensive privacy law may be the only way to protect on-line consumer privacy choice.

On June 10, 2011 EPIC ( Electronic Privacy Information Center) filed a consumer fraud complaint with the FTC against Facebook alleging Facebook collects and generates biometric profiling data from face photos without explicit user consent, and fails to provide a meaningful way to opt-out of collection, or request deletion of such data.

Central to EPIC’s case is an alleged pattern of a general lack of transparency about the purpose and nature of the technology behind Facebook’s photo tagging system. On July 26, 2011, in response to an inquiry by Connecticut Attorney General George Jepsen, Facebook announced it will implement "Tag Suggest Ads", designed to give users a quick link to opt out of tagging from their privacy settings. Nevertheless, EPIC’s Facebook allegations, if true, are indicative of a general industry trend where platform operators provide some kind of initial privacy choice, but meaningful control diminishes with the number of applications and services used. A privacy law or protocol might be the best way to address this issue.

Despite Voluntary Industry Efforts at More Transparency and Accountability, Social Networking and Mobile Applications are not Effectively Regulated

Without some kind of binding technological control, Apps may perform covert procedures to collect and transmit information with a user being unaware or only partially aware of the context their information is being collected and used. Currently the only real measure of technological control is the amount of freedom given to application developers.

At the May 10th 2011 hearing of the Senate Judiciary Committee, Subcommittee on Privacy, Technology and the Law, both Dr. Bud Tribble, V.P. of Software Technology for Apple and Alan Davidson, Director of Public Policy at Google testified about restrictions each platform puts on application developers for the collection of location-based data.

Apple may have the strictest developer requirements in the industry. The iPhone Developer Agreement, among other things, requires developers to follow existing privacy and data collection laws, provide consent notices before location-based data is collected, when relevant to the use of the application and/or releasing it to 3rd parties, and technologically comply with platform-based collection mechanisms. Dr. Tribble states that Apple will not permit an App to be listed in the App store without compliance, but Dr.Tribble says Apple doesn’t regulate (more than 350,000) Apps once they become registered at the App store until a problem arises.

Google, on the other hand, employs privacy measures based upon its open-development philosophy which Alan Davidson says is why Google employs a permissions-based model where users accept or reject an Apps privacy policy at the time of initial download. Mr. Davidson further says Google’s Mobile Terms of Service and Mobile Privacy Policy don’t cover Apps not created by Google, once downloaded, an App may store location information or transmit it across the Internet. Mr. Davidson says Google does not control how Apps developed by 3rd parties process geolocation or other personal information, requiring only voluntary compliance to suggested Google privacy guidelines.

Facebook apparently has few, if any, restrictions on App developers. According to EPIC’s June 2011 Facebook complaint, Facebook permits App developers to write code that connects to the main Facebook API (application programming interface), the Facebook Social Graph, an array of related programmable objects such as people, photos, events, pages, browsing history, and shared content. Furthermore, EPIC states that websites that employ Facebook plug-ins can access Facebook profiles through the API.

Popular topics

The reality of the App debate was summarized by both Ashkan Soltani, Independent Researcher and Justin Brookman, Director, Consumer Privacy Center for Democracy & Technology, at May’s Subcommittee hearing who both gave numerous examples of Apps that are documented to be prone to hacking or secretly transmit information to 3rd parties. Facebook, the subject of several EPIC actions and complaints through June 2011, is referenced by Mr. Brookman, for a May 2010 FTC inclusive privacy complaint that mentions Pandora (and several other Facebook services) for allegedly transmitting personal information without consent.

A Do Not Track Mechanism that Restricts Collection of Personal Data is Central to the Issue, but Not the Whole Picture

One of the biggest topics in privacy legislation is creation of a “do not track” technological restriction to enforce on-line privacy choice. At the June 29th 2011 Senate Commerce Committee’s 3rd privacy hearing of 2011, Ms. Iaona Rusu, Regulatory Counsel for the Consumers Union asked FTC Commissioner Julie Brill to qualify the future outlook for development of an effective Do Not Track mechanism. She replied by saying Do Not Track will work effectively as a technology-driven solution.

Commissioner Brill stated that the “critical piece” of an effective Do Not Track enforcement mechanism is industry adoption of a common technology such as a header or cookie that transmits user choice from the Web browser to the ad company. Commissioner Brill further stated that the FTC has been doing everything they can to facilitate industry adoption of this common technology by promoting self-regulation, but results have been very slow. She expressed doubts about Industry’s ability, in the short-term, to agree on a common technology because the ad industry is so widely dispersed

Commissioner Brill’s comments indicate that only some kind of government regulation will do the most to speed up industry efforts at adopting a common opt-out of tracking technology. More importantly her remarks indicate, in practical terms, what is further necessary for a privacy standard: mandatory rules for the collection, use, retention, and destruction of data for all entities that process or store consumer information.

Effective enforcement further requires clarifying any privacy law with FIPPs (Fair Information Practices) which have formed the basis of most federal privacy laws since 1974. This position is strongly endorsed by EPIC as well as by Justin Brookman (testimony noted above) who at June 29th’s Commerce Committee hearing articulated the most recent version of FIPPs as outlined by the Dept. of Homeland Security. The most important of these are:

  • Purpose specification
  • Transparency
  • Use limitation
  • Security
  • Accountability
  • Individual participation (consumer’s right to access, review, and request deletion of information)

Marc Rotenberg, EPIC’s Executive Director who co-authored EPIC’s Public Comments to the FTC (Feb 18, 2011) states that FIPPs are “not just guidelines” but “actual business practices.”

In addition to giving Internet users more rights to directly access their information, FIPPs, as part of a privacy law, could be designed to give Internet users more meaningful control over their privacy choices with specific rules and practices that restrict the flow of information.

A Privacy law will Consolidate Numerous Privacy Bills before Congress, Ending a Glut of Privacy Legislation.

The nine different proposed Internet privacy bills which are currently before Congress are listed on the Consumer Action Web site - three Do Not Track Bills, one by Rep. Ed Markey MA, (May 2011) Do Not Track Kids On-line Act, emphasizing parental controls and restrictions for on-line game applications aimed at children. This disparity in viewpoint merely reflects the fact that privacy legislation is more or less progressively reactive to various aspects of public concern, but is far from complete.

A privacy protocol could possibly do some of the following:

  • Provide a mandatory short, standard phrase format for opt-in consent notices, applicable across all mobile platforms and the Internet, with dialog boxes that highlight “Do Not Share” or “Decline to Share.” as default choices.
  • Minimize the total number of privacy notices and dialogues a user may expect to encounter over the scope of their Internet activity.
  • Set uniform rules for parental control and opt-out requirements for children- both those younger than 13, and older teenagers who use social networking sites and Apps.
  • Provide criminal and civil penalties for those who produce harmful malware or rogue Apps.

A Privacy Law May be Cost Effective in the Long-term.

The move in government towards privacy regulation coincides with the move towards mandating minimum technological standards for data security. In addition to one Do Not Track bill, Chairman Rockefeller introduced S. 1207, the Data Security and Breach Notification Act. which would mandate companies adopt basic security protocols as well as provide notice to consumers after a security breach.

Chairman Rockefeller said in his opening remarks to June29th Commerce Committee hearing:

"I have focused on the need for companies to provide everyday consumers with a clear understanding of what information they are collecting, where the information goes and how it is being used. I have also asked companies to give consumers an easy way for them to stop those collection practices. I don’t think this is too much to ask of companies that are making millions, if not billions, of dollars off of consumers’ personal information. .."

By the same token, a privacy law may not only be justified, but be in the best interest of both consumers and industry. EPIC’s Comments to the FTC (Feb 18, 2011) raised the issue the FTC might be currently lacking either the authority or resources it needs to effectively handle privacy cases. The FTC has nonetheless, set some very strong precedent for deceptive representations, both in data breach cases, and two recent social networking cases, Google and Twitter, by requiring companies to implement a full-scale IT security programs to enforce promises made to consumers and safeguard the data collected, followed by long-term auditing.

FTC Commissioner Brill at June 29th’s Commerce Committee hearing alluded to the fact enforcement can be difficult when the facts and circumstances don’t clearly indicate a practice is deceptive rather than unfair. Her comments infer that when a company makes a promise, and clearly breaks that promise, the test under the Agency’s deception jurisdiction is easier to meet than when there is no promise made or when some representation made, but the case rests on having to prove the elements of unfairness. A privacy law that provides specific rules for transparency, use limitation, and accountability might help prevent the kind of issues raised in EPIC’s June 2011 Facebook complaint, and, in any given case make it easier to apply the facts to the law.

In this day when lawmakers in Washington are severely hindered by the need to keep debt spending under control, privacy legislation appears to be on hold. A privacy law that delegates agency powers to monitoring and enforcement, that puts the burden of compliance on Industry, will not only take some of the burden off the FTC, by making it easier for consumers to bring and resolve complaints, but could save money in the long-run if properly designed.

Sources:

  • (February 18, 2011) COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER TO THE FEDERAL TRADE COMMISSION Bureau of Consumer Protection. A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” Epic.org
  • (June 29, 2011) U.S. Senate, Committee on Commerce, Science, and Transportation. Chairman Rockefeller Remarks on Privacy and Data Security Hearing: Protecting Consumers in the Modern World. Opening Statement – John D. (Jay) Rockefeller IV, Chairman [Press Release]. commerce.senate.gov
  • In the Matter of Facebook and the Facial Identification of Users (filed, pending) Before the FTC June 10, 2011
  • U.S. Senate, Committee on Commerce, Science, and Transportation, Privacy and Data Security: Protecting Consumers in the Modern World. Hearing June 29th, 2011. [Archived WebCast]. Washington: Democratic Press Office June 29, 2011
  • U.S. Senate, Committee on the Judiciary, Subcommittee on Privacy, Technology and The Law. Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, Hearing May 10, 2011. [Archived Webcast] judiciary.senate.gov
  • Davidson, Alan. Testimony to the U.S. Senate. Senate Committee on the Judiciary Subcommittee on Privacy, Technology and The Law. Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, Hearing May 10, 2011. Available at: judiciary.senate.gov Accessed: 08/05/11
  • Tribble, Guy “Bud”, Dr. Testimony to the U.S. Senate. Senate Committee on the Judiciary Subcommittee on Privacy, Technology and The Law. Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy, Hearing May 10, 2011. Available at: judiciary.senate.gov Accessed: 08/05/11
Home is My Office, copyright 2011 Tim Andrews

Timothy Andrews - Tim Andrews is an Editor's Choice Award Winner @ www.Suite101.com.

rss
Advertisement
Leave a comment
NOTE: Because you are not a Suite101 member, your comment will be moderated before it is viewable.
Submit
What is 8+0?
Advertisement

Popular topics

more in social networking/tagging »
Advertisement