Privacy Policy Issues & Pages

Presentation transcript:

Privacy Policy Issues & Pages Amy Reese INF385E Information Architecture and Design 1 UT iSchool 21 September 2004

Overview pri·va·cy (prī′ və sē; Brit. also prīv′ ə sē), n., pl –cies. The state of being private; retirement or seclusion. The state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy. Secrecy. Archaic. A private place. [1400-50; late ME privace. See private, -acy] Source: Webster’s New Universal Unabridged Dictionary © 1996 Barnes & Noble, Inc. by arrangement with Random House Value Publishing.

A Little Bit of History
- Federal Trade Commission Act (1914)
- Privacy Act (1974)
- Electronic Communications Privacy Act (1986)
- Children’s Online Privacy Protection Act (1988)
- Gramm-Leach-Bliley Act (2000)
- Report to Congress: Privacy Online (2000)
- Fair Credit Reporting Act (2002)

A Little Bit of History
Federal Trade Commission Act (1914) (15 U.S.C. §§ 41-58, as amended)
- prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce
- seek monetary redress and other relief for conduct injurious to consumers
- prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices
- conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce
- make reports and legislative recommendations to Congress
http://www.ftc.gov/ogc/stat1.htm

Federal Trade Commission Act (1914) (15 U.S.C. §§ 41-58, as amended)
Under this Act, the Commission is empowered, among other things, to
(a) prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce;
(b) seek monetary redress and other relief for conduct injurious to consumers;
(c) prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices;
(d) conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and
(e) make reports and legislative recommendations to Congress.
http://www.ftc.gov/ogc/stat1.htm

A Little Bit of History
Privacy Act (1974)
- developed with the intent to regulate the collection and use of personal information by federal executive branch agencies
- problems with the dispute of outdated regulatory guidelines and misinterpretation
- unresolved issues defy attempts at clarification
http://www.personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

The Privacy Act of 1974 (1975)
This act was developed with the intent to regulate the collection and use of personal information by federal executive branch agencies. Although the Privacy Act tries to protect our consumers, there are often problems that arise in the dispute of outdated regulatory guidelines and misinterpretation. There are numerous issues that have been unresolved in the attempt to clarify this act.
http://www-personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

A Little Bit of History
Electronic Communications Privacy Act (1986)
- sets out provisions for disclosure and privacy protections of electronic communications
- this refers to any signals, data or intelligence transmitted via wire, radio waves, photo electronic, etc. that affects interstate commerce
- the ECPA prohibits any unlawful access of electronic communication and prevents government entities from requiring disclosure of this communication from a provider without proper procedure
http://www.personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

The Electronic Communications Privacy Act (1986)
This act sets out provisions for disclosure and privacy protections of electronic communications. The electronic communication that this act refers to is any signals, data or intelligence transmitted via wire, radio waves, photo electronic, etc. that affects interstate commerce. The ECPA prohibits any unlawful access of electronic communication and prevents government entities from requiring disclosure of this communication from a provider without proper procedure.
http://www-personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

A Little Bit of History
Children's Online Privacy Protection Act (1988)
- gives parents control over what information is collected from children under age 13 online and how that information is used
- applies to operators of web sites directed to children or that collect personal information from children
The Rule requires operators to:
- Post a privacy policy on the page and provide a link to the policy everywhere personal information is collected
- Provide notice to parents about collection practices and obtain verifiable parental consent before collecting personal information
- Give parents a choice as to whether their child’s personal information will be disclosed to third parties
- Provide parents the means to access or delete their child’s personal information, or opt out of future information collection or use
- Allow activity access without disclosing more personal information than is reasonably necessary
- Maintain the confidentiality, security and integrity of personal information collected from children
http://www.ftc.gov/privacy/privacyinitiatives/childrens.html

Children's Privacy: The Children's Online Privacy Protection Act
The primary goal of the Children’s Online Privacy Protection Act (COPPA) Rule is to give parents control over what information is collected from their children online and how such information may be used.
The Rule applies to:
- Operators of commercial Web sites and online services directed to children under 13 that collect personal information from them;
- Operators of general audience sites that knowingly collect personal information from children under 13; and
- Operators of general audience sites that have a separate children’s area and that collect personal information from children under 13.
The Rule requires operators to:
- Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.
- Provide notice about the site’s information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.
- Give parents a choice as to whether their child’s personal information will be disclosed to third parties.
- Provide parents access to their child’s personal information and the opportunity to delete the child’s personal information and opt-out of future collection or use of the information.
- Not condition a child’s participation in a game, contest or other activity on the child’s disclosing more personal information than is reasonably necessary to participate in that activity.
- Maintain the confidentiality, security and integrity of personal information collected from children.
In order to encourage active industry self-regulation, COPPA also includes a safe harbor provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating Web sites’ compliance with the Rule.
http://www.ftc.gov/privacy/privacyinitiatives/childrens.html

A Little Bit of History
Gramm-Leach-Bliley Act (2000)
- requires companies to provide their consumers with privacy notices, explaining the institutions’ information-sharing process
- consumers are given the right to limit some sharing of their information
- companies have the right to share the consumers’ information within the organization, but not with outside sources, such as telemarketers.
http://www.personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

The Gramm-Leach-Bliley Act (2000)
This act requires companies to provide their consumers with privacy notices, which explain the institutions’ information-sharing process. On the consumers’ end, they are given the right to limit some sharing of their information. Companies have the right to share the consumers’ information within the organization, but not with outside sources, such as telemarketers.
http://www-personal.umd.umich.edu/%7Edrafalsk/Legislation.htm

A Little Bit of History
Report to Congress: Privacy Online (2000)
commercial Web sites that collect personal identifying information (PII) from or about consumers online would be required to comply with the four widely-accepted fair information practices:
- Notice
- Choice
- Access
- Security
http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with the four widely-accepted fair information practices:
(1) Notice. Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.
(2) Choice. Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
(3) Access. Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
(4) Security. Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.
http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

Notice
- what information they collect
- how they collect it
- how they use it
- how they provide Choice, Access, and Security to consumers
- whether they disclose the information collected to other entities
- whether other entities are collecting information through the site
Choice
- how their personal identifying information is used beyond the use for which the information was provided
- encompass both internal secondary uses and external secondary uses
Access
- offer consumers reasonable access to the information collected
- include a reasonable opportunity to review, correct inaccuracies, or delete information
Security
- required to take reasonable steps to protect the security of the information they collect

A Little Bit of History
Fair Credit Reporting Act (2002)
Accuracy and fairness of credit reporting
- the banking system is dependent upon fair and accurate credit reporting
- investigate and evaluate the credit worthiness, standing, capacity, character, and reputation
- consumer reporting agencies are vital in assembling and evaluating consumer credit and other information
- insure that consumer reporting agencies exercise their responsibilities with fairness, impartiality, and respect for the right to privacy
Reasonable procedures
- adopt reasonable procedures for meeting the needs of information in a fair and equitable manner, with regard to the confidentiality, accuracy, relevancy, and proper utilization
http://www.techlawjournal.com/cong107/privacy/hollings/20020418summary.asp

Fair Credit Reporting Act (2002)
§ 602. Congressional findings and statement of purpose [15 U.S.C. § 1681]
(a) Accuracy and fairness of credit reporting. The Congress makes the following findings:
(1) The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.
(2) An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.
(3) Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
(4) There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.
(b) Reasonable procedures. It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.
http://www.techlawjournal.com/cong107/privacy/hollings/20020418summary.asp

What Information is Out There?
- Information Mining
- Government & Private Sectors differ vastly
- What information do businesses collect?
- Corporate liability?
- What do they do with it?
- How secure is the information out there?
- What can I do to control my information?

Information Mining
Data mining (also known as Knowledge Discovery in Databases - KDD) has been defined as "The nontrivial extraction of implicit, previously unknown, and potentially useful information from data"[1]. It uses machine learning, statistical and visualization techniques to discover and present knowledge in a form which is easily comprehensible to humans.

What information do businesses collect?
- White House & .gov pages – internet domain, browser, operating sys, date & time of access, pages visited, & address of link used to get there -- http://www.whitehouse.gov/privacy.html
- Private sector – Paypal: name, address, phone, email, credit/bank info, security questions, SSN, transaction info (amount, type, email of 3rd party), IP, credit service reports, background check, site usage, cookies & share info!
- WDIG (Disney): name, address, phone, email, gender, age, # children, interests, credit card info, buying habits, purchase dates, IP, beacons, cookies & share info!
- Sun Microsystems: name, address, phone, email, cookies
- Yahoo!: name, address, birth date, gender, phone, email, credit/bank info, security questions, fin (SSN & assets), transaction info, IP, site usage, cookies & share info!

Disney’s liability statement:
UNDER NO CIRCUMSTANCES, INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE, SHALL WE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OF, OR THE INABILITY TO USE, ANY WDIG SITE OR MATERIALS OR FUNCTIONS ON ANY SUCH SITE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. APPLICABLE LAW MAY NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY OR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT SHALL OUR TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION WHETHER IN CONTRACT, TORT (INCLUDING, BUT NOT LIMITED TO, NEGLIGENCE), OR OTHERWISE EXCEED THE AMOUNT PAID BY YOU, IF ANY, OR $100 (WHICHEVER IS LESS) FOR ACCESSING OR PARTICIPATING IN ANY ACTIVITY RELATED TO ANY WDIG SITE.

What do they do with it?
How secure is the information out there?
What can I do to control my information?

Do We Really Have Privacy?
Legislative Measures
  - Is enough being done to insure our privacy?
  - Is all privacy legislation in our best interests?
  - California’s Spyware Bill
  - How can I help?
Personal Privacy & Freedom of Information
  - “Mommy, can I have a cookie?”
  - “Mommy, where does spam come from?”
  - Identity Theft
  - Corporations vs. the Individual

Spyware bill: the author accepted several amendments from industry that in our estimation remove meaningful privacy and consumer protections
“While this bill is well-intentioned, it would establish provisions that are virtually unenforceable, could well undermine existing law, and further, would set a bad precedent nationwide for other spyware bills that are likely to be considered in other states and in Congress.”
Cookies:
Spam:

Legislative Measures
http://www.ftc.gov/

Spyware bill: the author accepted several amendments from industry that in our estimation remove meaningful privacy and consumer protections
“While this bill is well-intentioned, it would establish provisions that are virtually unenforceable, could well undermine existing law, and further, would set a bad precedent nationwide for other spyware bills that are likely to be considered in other states and in Congress.”
Cookies:
Spam:
http://www.ftc.gov/

Legislative Measures

Personal Privacy & Freedom of Information “Essentially, cookies make use of user-specific information transmitted by the Web server onto the user's computer so that the information might be available for later access by itself or other servers. In most cases, not only does the storage of personal information into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.”

Personal Privacy & Freedom of Information “Cookies are based on a two-stage process. First the cookie is stored in the user's computer without their consent or knowledge. During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server.”
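
The two-stage process described in the quotations above, as an added example that is not part of the original presentation: a simplified browser-side cookie store that saves what a Set-Cookie header asks for, attaches it to later requests automatically, and lists what it holds. The class, the host names under shop.example and the cookie values are constructed for illustration, and the domain and path rules are reduced compared with a real browser.

```python
from http.cookies import SimpleCookie


def domain_match(host, domain):
    """True if `host` is `domain` itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Simplified browser-side cookie store (path and domain rules reduced)."""

    def __init__(self):
        self._store = {}  # (domain, path, name) -> cookie record

    def store(self, response_host, set_cookie_value):
        """Stage 1: save what a Set-Cookie response header asks for."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        saved = 0
        for name, morsel in parsed.items():
            attr_domain = morsel["domain"].lstrip(".").lower()
            # A server may only set cookies for its own domain.
            if attr_domain and not domain_match(response_host, attr_domain):
                continue
            record = {
                "name": name,
                "value": morsel.value,
                "domain": attr_domain or response_host,
                "host_only": not attr_domain,
                "path": morsel["path"] or "/",
                "max_age": int(morsel["max-age"]) if morsel["max-age"] else None,
            }
            self._store[(record["domain"], record["path"], name)] = record
            saved += 1
        return saved

    def cookie_header(self, request_host, request_path="/"):
        """Stage 2: the Cookie header attached to a request automatically."""
        pairs = []
        for c in self._store.values():
            host_ok = (request_host == c["domain"] if c["host_only"]
                       else domain_match(request_host, c["domain"]))
            if host_ok and request_path.startswith(c["path"]):
                pairs.append(f"{c['name']}={c['value']}")
        return "; ".join(pairs)

    def inventory(self):
        """What a user reviewing the store would see: name, scope, lifetime."""
        rows = []
        for c in self._store.values():
            scope = (f"{c['domain']} only" if c["host_only"]
                     else f"{c['domain']} and subdomains")
            life = ("session" if c["max_age"] is None
                    else f"persistent, {c['max_age'] // 86400} days")
            rows.append((c["name"], scope, life))
        return rows


if __name__ == "__main__":
    jar = CookieJar()
    # Constructed Set-Cookie values from a hypothetical site, www.shop.example.
    jar.store("www.shop.example",
              "uid=abc123; Domain=shop.example; Path=/; Max-Age=31536000")
    jar.store("www.shop.example", "sess=xyz; Path=/cart; HttpOnly")
    print(jar.cookie_header("www.shop.example", "/cart/view"))
    print(jar.cookie_header("ads.shop.example", "/"))
    for row in jar.inventory():
        print(row)
```

The cookie set with a Domain attribute is also returned to a sibling host under the same domain, which is the "itself or other servers" case in the first quotation; the inventory shows that it persists for a year while the host-only cookie ends with the session.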

Personal Privacy & Freedom of Information

Personal Privacy & Freedom of Information How savvy are you? Take the Privacy Rights Clearinghouse Identity Theft Quiz! http://www.privacyrights.org/itrc-quiz1.htm

Personal Privacy & Freedom of Information Identity Theft If you live in California, you have the right to put a "security freeze" on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without checking a consumer's credit history first. If your credit file is frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. For more information on security freezes, http://www.privacy.ca.gov/financial/cfreeze.htm.

Do We Really Have Privacy?
Controlling Required Information
  - Sites must provide opt-out measures
  - Once given, can information be controlled?
Background Checks & Employment
  - Are they really necessary?
  - Can we opt out?
  - Can I move beyond my past?

Do We Really Have Privacy?
Privacy Policies
  - What do these policies cover?
  - Do I have recourse when they fail?
  - What do they really do for you?
Software
  - How secure are the programs I’m using?
  - Accidental security leaks
  - Mixing software is like mixing medicine

Do We Really Have Privacy? Be afraid, be very afraid….

Feeling Secure? Questions? Fears?