Transcript of priv4.ppt

Page 1: priv4.ppt

45-848 ECOMMERCE LEGAL ENVIRONMENT SPRING 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Lecture 4: Privacy

Page 2: priv4.ppt

Outline

• Proliferation of data
• What is privacy?
• Driver’s License Data
• Privacy Laws
• De-identification
• Medical privacy
• P3P
• European Union approach

Page 3: priv4.ppt

What is Privacy?

• Many different concepts all collected under the single word “privacy”

• Protection against intrusion into one’s “space”
  – Protection from Government (4th Amendment)
  – Freedom from publicity, disclosure of embarrassing facts (“Invasion of Privacy”)
  – Protection from telemarketers
• Protection in cyberspace
  – Anti-spam
  – Web data collection

Page 4: priv4.ppt

What is Privacy?

• Bodily privacy (Roe v. Wade)
• Communications privacy
  – Against eavesdropping, wiretapping
  – Electronic Communications Privacy Act
• Identity privacy
  – Anonymity
• Data privacy
  – Right to control collection, use and dissemination of non-public personal information

Page 5: priv4.ppt

Data Privacy

• Who “owns” data about you? Can data be owned?
  – Facts (residence, phone #, age), e.g. Allegheny County Property
  – Sales information
  – Habits, personal preferences
  – Message traffic
• Problem: electronic collections are subject to greater abuse than paper ones
• Problem: having everything on line is different from just having records be public
• Policy: is it the data or its use that requires protection?

Page 6: priv4.ppt

U.S. Privacy Law

• No definition of “privacy”; few legal principles
• Federally protected categories: financial, educational, medical
• State: limited, usually embarrassing facts or photos
• Constitutional basis?
  – 4th amendment: government searches
  – “liberty” as right of privacy
• State constitutions

California Const. Art. I, §1: “All people are by nature free and independent and have inalienable rights. Among these are ... pursuing and obtaining safety, happiness, and privacy.” (Not in the 1849 Constitution)

Hawaii Const. Art. 1, §6: “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” (Added in 1978)

Page 7: priv4.ppt

Sample Federal Privacy Statutes

• Gramm-Leach-Bliley (financial privacy)
• Health Insurance Portability and Accountability Act of 1996 (medical)
• Children’s Online Privacy Protection Act of 1998
• Privacy Act of 1974 (covers U.S. government)
• Driver’s Privacy Protection Act of 1994 (driver’s license info)
• Video Privacy Protection Act of 1998 (videotape rental and sale records)
• Electronic Communications Privacy Act of 1986
• Family Educational Rights and Privacy Act of 1974 (academic)
• Fair Credit Reporting Act of 1970
• Cable Communications Policy Act of 1984
• . . .

Page 8: priv4.ppt

Driver’s Privacy Protection Act of 1994

• Deals with release of information obtained by a State department of motor vehicles

• Designed to prevent sale of driver’s license information

• “personal information” means information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status

• “highly restricted personal information” means an individual's photograph or image, social security number, medical or disability information;

Page 9: priv4.ppt

Driver’s Privacy Protection Act of 1994

• A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity:
  – personal information … about any individual obtained by the department in connection with a motor vehicle record, except [lots of exceptions]; or
  – highly restricted personal information … without the express consent of the person to whom such information applies, except [small list of exceptions]
• Statute makes it a crime. Penalty: fine + prison
  – For a State Department of Motor Vehicles, $5000/day
• Is this constitutional?
• Where does Congress get the power to regulate state drivers’ licenses?

Page 10: priv4.ppt

Reno v. Condon

• South Carolina made driver’s license information available to anyone (except telephone solicitors)
• Charlie Condon was the Attorney General of South Carolina
• When the DPPA was passed, Condon sued the U.S. Attorney General to prevent enforcement (or he would become a criminal)
• Claimed it makes “state officials the unwilling implementors of federal policy”
• U.S. Constitution, Art. 1, Sec. 8, Clause 3: “The Congress shall have Power … To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes”
• “sale or release of … information in interstate commerce is … a proper subject of congressional regulation”
• Information as an article of commerce

Reno v. Condon, 528 U.S. 666 (2000)

Page 11: priv4.ppt

Data Collection

• Public birth records now contain 226 fields of information, including name, DOB, gender, ZIP, parents’ race, level of education, genetic risk factors

• Voter registration data contains name, address, gender

• Public hospital discharge records contain 50 fields, including DOB, gender, ZIP, diagnosis, treatments, medical bills (no name)

• Grocery store data include name, address, bank account, SSAN, weekly spending

• Linking produces huge dossiers

Page 12: priv4.ppt

Data Anonymity

• Data is “anonymous” if it cannot be associated with a specific individual
• Data that includes a name, SSAN, address, etc. is not anonymous.
• Data can be made anonymous by abridging or modifying it, e.g. change ZIP from 20011 to 200** (de-identifying)
• Problem: abridging data affects its integrity
• How much data must be eliminated to make it anonymous? Is it ever possible?

Page 13: priv4.ppt

Methods of De-Identification

• Quasi-identifier, profile {Birth 0.5, ZIP 0.7, Sex 0.3}
• Generalization: 10/27/59 becomes 1959
• Suppression: 02139 is removed
• Encryption: 3245123 becomes 2168582

Idea: one becomes many

SOURCE: LATANYA SWEENEY

Page 14: priv4.ppt

Data Anonymity

• Problem: de-identifying data does not necessarily make it anonymous. It can often be re-identified:

[Diagram: two overlapping sets of fields]
  Medical Data: Ethnicity, Visit date, Diagnosis, Procedure, Medication, Total bill, ZIP, Birth date, Sex
  Voter Lists: Name, Address, Date registered, Party, Date last voted, ZIP, Birth date, Sex
  The two tables overlap on ZIP, Birth date and Sex, which is what links them.

SOURCE: LATANYA SWEENEY

Page 15: priv4.ppt

Date of birth, gender + 5-digit ZIP uniquely identifies 87.1% of U.S. population

ZIP 60623 has 112,167 people; 11%, not 0%, uniquely identified. Insufficient # over 55 living there.

[Figure: each mark = one ZIP code]

SOURCE: LATANYA SWEENEY
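The linkage in Sweeney's slides can be measured rather than just described. The following is an added example, not from the lecture: on constructed medical and voter tables sharing the quasi-identifier (ZIP, birth date, sex), it computes the k-anonymity of the medical table, the fraction of records that are unique, and how many records linking pins to one named voter, before and after the slide's generalization (birth date to year, ZIP to three digits).

```python
from collections import Counter
from datetime import date

# Constructed sample tables (no real people). As on the slide, the medical
# table carries no names, the voter list does, and both share the
# quasi-identifier triple (ZIP, birth date, sex).
MEDICAL = [
    {"zip": "02139", "dob": date(1959, 10, 27), "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "dob": date(1959, 3, 15), "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": date(1959, 6, 2), "sex": "M", "diagnosis": "fracture"},
    {"zip": "02138", "dob": date(1959, 11, 9), "sex": "M", "diagnosis": "migraine"},
    {"zip": "02139", "dob": date(1960, 1, 5), "sex": "F", "diagnosis": "anemia"},
    {"zip": "02139", "dob": date(1960, 8, 20), "sex": "F", "diagnosis": "ulcer"},
]
VOTERS = [
    {"name": "Alice", "zip": "02139", "dob": date(1959, 10, 27), "sex": "F"},
    {"name": "Bob", "zip": "02138", "dob": date(1959, 6, 2), "sex": "M"},
    {"name": "Carol", "zip": "02139", "dob": date(1960, 1, 5), "sex": "F"},
    {"name": "Dan", "zip": "02138", "dob": date(1959, 11, 9), "sex": "M"},
    {"name": "Eve", "zip": "02139", "dob": date(1960, 8, 20), "sex": "F"},
    {"name": "Fay", "zip": "02139", "dob": date(1960, 8, 20), "sex": "F"},
]
QI = ("zip", "dob", "sex")  # the quasi-identifier


def qi_key(rec, qi=QI):
    return tuple(rec[f] for f in qi)


def equivalence_classes(records, qi=QI):
    """Map each quasi-identifier value to the number of records sharing it."""
    return Counter(qi_key(r, qi) for r in records)


def k_anonymity(records, qi=QI):
    """Smallest class size; k = 1 means at least one record is unique."""
    classes = equivalence_classes(records, qi)
    return min(classes.values()) if classes else 0


def unique_fraction(records, qi=QI):
    """Share of records whose quasi-identifier is unique (the slide's 87.1%)."""
    classes = equivalence_classes(records, qi)
    return sum(classes[qi_key(r, qi)] == 1 for r in records) / len(records)


def reidentifiable(medical, voters, qi=QI):
    """Records that linking pins to one named person: the medical record must be
    unique in its own table AND match exactly one voter on the quasi-identifier."""
    med, vot = equivalence_classes(medical, qi), equivalence_classes(voters, qi)
    return sum(1 for m in medical
               if med[qi_key(m, qi)] == 1 and vot[qi_key(m, qi)] == 1)


def generalize(rec):
    """Generalization as on the slide: 10/27/59 becomes 1959, 02139 becomes 021**."""
    out = dict(rec)
    out["dob"] = rec["dob"].year
    out["zip"] = rec["zip"][:3] + "**"
    return out


def generalize_all(records):
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("raw: k =", k_anonymity(MEDICAL), "unique =", unique_fraction(MEDICAL),
          "linkable =", reidentifiable(MEDICAL, VOTERS))
    gm, gv = generalize_all(MEDICAL), generalize_all(VOTERS)
    print("generalized: k =", k_anonymity(gm), "unique =", unique_fraction(gm),
          "linkable =", reidentifiable(gm, gv))
```

On this sample every raw medical record is unique (k = 1) and four of six can be tied to a name; after generalization k = 2 and none can, which is the guarantee the slide's "one becomes many" idea is after.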

Page 16: priv4.ppt

Privacy Act of 1974, 5 U.S.C. §552a

• Deals with disclosure of Federal Government records on individuals
• “No agency shall disclose any record … to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [except … ]”
  – … the record is to be transferred in a form that is not individually identifiable;
  – authorized law enforcement
  – health or safety
  – Congress
  – court order

Page 17: priv4.ppt

Privacy Act of 1974

• “No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be --
  – … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable” (not a defined term)
• Restriction on “matching programs”
  – any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]

Page 18: priv4.ppt

Privacy on the Web

• Posted privacy policies are legal representations
• Violation of privacy policy by a website is deceptive advertising and an unfair trade practice
• The Federal Trade Commission acts on behalf of consumers
• Vigorous enforcement
  – Example: In the Matter of Microsoft Corporation
• FTC is the leading U.S. government privacy watchdog
  – Is this good? (It was never intended.)

Page 19: priv4.ppt

Electronic Communications Privacy Act, 18 U.S.C. §§1367, 2232, 2510, 2701, 3117, 3121

• Defines “oral communication” as “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation”
• Prohibits
  – interception of wire, oral, or electronic communication
  – use or disclosure of intercepted communication
• Complicated exceptions
  – Inadvertently overhearing evidence of a crime
• Chat rooms?

Page 20: priv4.ppt

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• A “covered entity” may not use or disclose protected health information, except as permitted or required …
  – pursuant to … a consent … to carry out treatment, payment, or health care operations
  – pursuant to … an authorization
  – pursuant to … an agreement (opt-in)
  – [other provisions]

45 CFR §164.502

• Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information

45 CFR §164.502(d)

Page 21: priv4.ppt

What HIPAA Protects

• “Individually identifiable health information” is information that is a subset of health information, including demographic information collected from an individual, and: …
  – relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and
  – identifies the individual; or
  – with respect to which there is a reasonable basis to believe the information can be used to identify the individual

45 CFR §164.501

Page 22: priv4.ppt

De-Identification

• A covered entity may determine that health information is not individually identifiable only if: … the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
  – Names;
  – All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, …, except for the initial three digits of a zip code if …
  – All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 …
  – Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
  – Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers;
  – Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
  – Device identifiers and serial numbers;
  – Biometric identifiers, including finger and voice prints;
  – Full face photographic images and any comparable images; and
  – Any other unique identifying number, characteristic, or code; and
• The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

45 CFR §164.514
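The Safe Harbor list above is mechanical enough to code. The following is an added example, not from the lecture or the regulation's own text: it applies the listed rules to one constructed patient record (field names are this example's own), including the two subtleties the slide elides with "…": the three-digit ZIP prefix is kept only if its area has more than 20,000 people (as the regulation states), and ages over 89 collapse to "90+", which also means dropping a birth year that would reveal such an age. A final scan looks for identifier-shaped strings left in free text, the kind of thing the "actual knowledge" condition is about.

```python
import re
from datetime import date

# Fields Safe Harbor removes outright (names, SSN, MRN, plan and account
# numbers, license/vehicle/device ids, phone, fax, email, URL, IP, biometrics,
# photos). The field names are this example's own convention.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "account_no", "license_no",
    "vehicle_id", "device_id", "phone", "fax", "email", "url", "ip",
    "biometric", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Identifier shapes that hide in free text; checked after the structured
# fields have been handled.
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def age_on(dob, ref):
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(record, ref_date, small_zip3=frozenset()):
    """Apply the 45 CFR 164.514(b)(2) Safe Harbor rules to one record.

    small_zip3: three-digit ZIP prefixes whose combined area has 20,000 or
    fewer people; the regulation requires those to be reported as 000.
    """
    out = {}
    over_89 = "dob" in record and age_on(record["dob"], ref_date) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if field == "zip":
            prefix = value[:3]
            out["zip3"] = "000" if prefix in small_zip3 else prefix
        elif field in DATE_FIELDS:
            # Year only; and not even the birth year when it reveals age > 89.
            if not (field == "dob" and over_89):
                out[field + "_year"] = value.year
        elif field == "age":
            out["age"] = "90+" if value > 89 else value
        else:
            out[field] = value            # clinical content is kept
    if over_89:
        out["age"] = "90+"
    return out


def residual_identifiers(record):
    """Flag identifier-shaped strings left in free-text fields."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pat in RESIDUAL_PATTERNS.items():
                hits.extend((field, kind, m) for m in pat.findall(value))
    return hits


# Constructed sample patients (not real people).
PATIENT = {
    "name": "Jane Q. Example", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "email": "jane@example.com", "zip": "02139",
    "dob": date(1930, 5, 4), "admission_date": date(2004, 1, 15),
    "diagnosis": "pneumonia",
    "notes": "Follow up by phone at 412-555-0100 after discharge.",
}
ELDERLY = dict(PATIENT, dob=date(1910, 5, 4))
REF = date(2004, 3, 1)

if __name__ == "__main__":
    deid = safe_harbor(PATIENT, REF)
    print(deid, "\nresidual:", residual_identifiers(deid))
```

The residual scan is what catches the phone number in the notes field after every structured identifier has been stripped; structured removal alone would have passed the record.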

Page 23: priv4.ppt

Employer Surveillance

• In general, surveillance by the employer is legal if
  – the computer being monitored belongs to the employer; or
  – the computer is connected to the employer’s network; and
  – even if communications are encrypted
• McLaren v. Microsoft Corp., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
  – Employee used private password to encrypt email messages stored on office computer.
  – Company decrypted and viewed files.
  – Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.
• Notice of Electronic Monitoring Act (CT)
  – Versions introduced in other states and Congress

Page 24: priv4.ppt

Platform for Privacy Preferences

• P3P
• Developed by World Wide Web Consortium
• Protocol allowing users to interrogate websites about privacy
• P3P-enabled site posts machine-readable privacy policy summary (IBM P3P editor, PrivacyBot)
• User sets up his privacy preferences in his browser
• User’s browser examines the summary; does not allow access to non-compliant sites
• Compliance is voluntary. Validator available.

Page 25: priv4.ppt

Anonymity (U.S.)

• Freedom to publish anonymously is guaranteed by the First Amendment. McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Basis: Federalist Papers (1787-1788)
• Are you anonymous if your ISP can be forced to identify you?
• Currently a VERY HOT topic because of efforts of the recording industry to identify file swappers
  – Not strictly a privacy rights matter because the Digital Millennium Copyright Act specifically authorizes such subpoenas

Page 26: priv4.ppt

Subpoenas to Identify

• No privilege between a user and an ISP. But ISP may have standing to assert user’s rights, especially First Amendment rights

• In re Subpoena Duces Tecum to America Online, Inc. (Anonymous Publicly Traded Co. v. Doe), Va. Cir. Ct., Fairfax Cty., Misc. Law No. 40570, 2/7/00

• Company alleged it was defamed by an anonymous AOL subscriber

• Company did not want to identify itself, but demanded in a subpoena that AOL identify the subscriber

• (Underlying case was in Ohio; AOL is in Virginia)

Page 27: priv4.ppt

Subpoenas to Identify

• Lower court allowed the subpoena
• Gave a test for subpoenas to identify a user:

– are pleadings and evidence supplied to the court satisfactory?

– does the party requesting the subpoena have a legitimate, good faith basis that it may be the victim of actionable conduct?

– is identifying the subscribers central to advancing the claim?

Page 28: priv4.ppt

America OnLine, Inc. v. Anonymous Publicly Traded Company, Record No. 000974

• Appeals court REVERSED the decision to allow the anonymous subpoena (2001 Va. LEXIS 38; 29 Media L. Rep. 1442)

• HELD, anonymous plaintiff could be given subpoena power only if it would suffer exceptional harm, such as social stigma, or extraordinary economic retaliation, as a result of exposing its identity

• Company subsequently dropped the lawsuit

Page 29: priv4.ppt

Korean Privacy Law

• Constitution of the Republic of Korea
  – Article 17 [Privacy]: The privacy of no citizen may be infringed.
  – Article 18 [Secrecy of Correspondence]: The secrecy of correspondence of no citizen may be infringed.

• Act on the Protection of Personal Information Maintained by Public Agencies (1995)

• Act on Promotion of Information and Communication Network Utilization and Data Protection (“DP Act,” 2001)

• Korea Personal Data Protection Center

Page 30: priv4.ppt

European Union Privacy Approach

• Total contrast to U.S.
• Europeans fear their neighbors, not the government
• Americans fear the government, not their neighbors
• “Public” information highly restricted
• No notion of personal data as a commodity to be bought and sold
• Concept:
  – prior notice and consent by individual
  – use restricted to disclosed use
  – right of access and correction
  – onward transfer restricted

Page 31: priv4.ppt

EU Privacy Structure

[Diagram: the EU privacy structure]
  European Parliament
  UK Government: Information Commissioner; Registered Data Controllers, e.g. Shell
  French Government: Privacy Commissioner
  German Government: Privacy Commissioner
  Individuals

Page 32: priv4.ppt

European Union Privacy Directive

• Member States shall provide that personal data may be processed only if:
  (a) the data subject has given his consent unambiguously; or
  (b) processing is necessary for
    – performance of a contract to which the data subject is party;
    – compliance with a legal obligation to which the controller is subject;
    – protecting the vital interests of the data subject; or
    – legitimate interests of parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
• EU claims this also applies to U.S. companies who use cookies

Page 33: priv4.ppt

Remote Data Collection

• Where the data have not been obtained from the data subject … the controller must at the time of undertaking the recording of personal data provide the data subject with at least:
  – identity of the controller and his representative,
  – purposes of the processing
  – categories of data concerned
  – recipients or categories of recipients;
  – existence of the right of access and rectification

• Subject may object, but not refuse

Page 34: priv4.ppt

European Union Privacy Directive

• Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him … based solely on automated processing of data … such as
  – performance at work
  – creditworthiness
  – reliability
  – conduct, etc.
• Member States shall provide that the transfer to a third country of personal data ... may take place only if ... the third country in question ensures an adequate level of protection.
  – big problem with respect to U.S.

Page 35: priv4.ppt

US/EU Agreement on Data Privacy and Safe Harbor

• 7 Principles to which a US company may voluntarily agree
• Safe harbor companies deemed to protect data adequately and data flows to them from the EU may occur
• Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and

• Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions

• Enforcement in the US by the Federal Trade Commission and Department of Transportation, 49 U.S.C. §41712

• Does not include financial institutions

Page 36: priv4.ppt

Seven US/EU Safe Harbor Principles

• Notice
  – “clear and conspicuous” first time data is collected
  – purpose of collection
  – how to complain
  – types of third parties with whom data will be shared
• Choice (opt-out always, opt-in for “sensitive” information)
• Onward Transfer (ascertain status of transferee)
• Security
• Data Integrity (reliability + use consistent with purpose)
• Access (+ right to correct)
• Enforcement (recourse + obligation to remedy)

Page 37: priv4.ppt

Major Ideas

• Privacy is important
• No accepted definition of privacy
• Federal legislation in medical, financial, educational
• Many state laws, few dealing with data
• Anonymizing databases is difficult
• Privacy policies are contracts
• FTC is the main U.S. privacy enforcement body
• Complying with privacy policies and laws is not easy

Page 38: priv4.ppt

Q&A

Page 39: priv4.ppt

A simple HTTP transaction

[Diagram: a user agent exchanging two messages with a Web Server]

Request web page:
  GET /index.html HTTP/1.1
  Host: www.att.com
  . . .

Send web page:
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .

SOURCE: LORRIE CRANOR

Page 40: priv4.ppt

… with P3P 1.0 added

[Diagram: the same exchange with the Web Server, preceded by the P3P policy fetch]

Request Policy Reference File:
  GET /w3c/p3p.xml HTTP/1.1
  Host: www.att.com

Send Policy Reference File

Request P3P Policy

Send P3P Policy

Request web page:
  GET /index.html HTTP/1.1
  Host: www.att.com
  . . .

Send web page:
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .

SOURCE: LORRIE CRANOR

Page 41: priv4.ppt

P3P increases transparency

• P3P clients can check a privacy policy each time it changes

• P3P clients can check privacy policies on all objects in a web page, including ads and invisible images

[Screenshot: one page, http://www.att.com/accessatt/, with an ad served from a third-party host, http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE]

SOURCE: LORRIE CRANOR

Page 42: priv4.ppt

P3P in IE6

[Screenshot] Privacy icon on status bar indicates that a cookie has been blocked; a pop-up appears the first time the privacy icon appears

Automatic processing of compact policies only; third-party cookies without compact policies blocked by default

SOURCE: LORRIE CRANOR

Page 43: priv4.ppt

[Screenshot] Users can click on the privacy icon for a list of cookies; privacy summaries are available at sites that are P3P-enabled

SOURCE: LORRIE CRANOR

Page 44: priv4.ppt

[Screenshot] Privacy summary report is generated automatically from the full P3P policy

SOURCE: LORRIE CRANOR

Page 45: priv4.ppt

P3P/XML encoding

<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.contact-info.online.email">[email protected]</DATA>
        <DATA ref="#business.contact-info.online.uri">http://p3pbook.com/</DATA>
        <DATA ref="#business.name">Web Privacy With P3P</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
      <PURPOSE><admin/><current/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>

Annotations on the slide:
  – xmlns: P3P version
  – discuri: location of human-readable privacy policy
  – name: P3P policy name
  – ENTITY: site’s name and contact info
  – ACCESS: access disclosure
  – STATEMENT: one statement, made up of
    – CONSEQUENCE: human-readable explanation
    – PURPOSE: how data may be used
    – RECIPIENT: data recipients
    – RETENTION: data retention policy
    – DATA-GROUP: types of data collected

SOURCE: LORRIE CRANOR
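The browser-side half of the protocol on slides 24 and 40, evaluating the policy summary against the user's preferences, is the part the slides describe but do not show. The following is an added example, not from the lecture or any P3P implementation: it parses the policy above with the standard library (the contact address is a placeholder, since the slide's did not survive), extracts the PURPOSE, RECIPIENT, RETENTION and DATA elements of each STATEMENT, and reports which of a user's constructed preference profiles the site would violate.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# The policy from the slide; the contact address is a placeholder.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
 <ENTITY><DATA-GROUP>
  <DATA ref="#business.contact-info.online.email">contact@p3pbook.example</DATA>
  <DATA ref="#business.contact-info.online.uri">http://p3pbook.com/</DATA>
  <DATA ref="#business.name">Web Privacy With P3P</DATA>
 </DATA-GROUP></ENTITY>
 <ACCESS><nonident/></ACCESS>
 <STATEMENT>
  <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
  <PURPOSE><admin/><current/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
 </STATEMENT>
</POLICY></POLICIES>"""


def _tag(elem):
    """Strip the namespace: '{...}PURPOSE' -> 'PURPOSE'."""
    return elem.tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Names of the empty child elements of <name>, e.g. ['admin', 'current']."""
    node = elem.find(f"{{{P3P_NS}}}{name}")
    return [_tag(c) for c in node] if node is not None else []


def parse_policies(xml_text):
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall(f"{{{P3P_NS}}}POLICY"):
        entity = pol.find(f"{{{P3P_NS}}}ENTITY")
        statements = [{
            "consequence": (st.findtext(f"{{{P3P_NS}}}CONSEQUENCE") or "").strip(),
            "purposes": _children(st, "PURPOSE"),
            "recipients": _children(st, "RECIPIENT"),
            "retention": _children(st, "RETENTION"),
            "data": [d.get("ref") for d in st.iter(f"{{{P3P_NS}}}DATA")],
        } for st in pol.findall(f"{{{P3P_NS}}}STATEMENT")]
        policies.append({
            "name": pol.get("name"), "discuri": pol.get("discuri"),
            "entity": {d.get("ref"): (d.text or "").strip()
                       for d in entity.iter(f"{{{P3P_NS}}}DATA")} if entity is not None else {},
            "access": _children(pol, "ACCESS"),
            "statements": statements,
        })
    return policies


def conflicts(policy, prefs):
    """User-agent check: reasons the policy violates the user's preferences.
    An empty list means the browser would let the site through."""
    reasons = []
    for st in policy["statements"]:
        reasons += [f"purpose {p} not allowed" for p in st["purposes"] if p not in prefs["allowed_purposes"]]
        reasons += [f"recipient {r} not allowed" for r in st["recipients"] if r not in prefs["allowed_recipients"]]
        reasons += [f"retention {r} not allowed" for r in st["retention"] if r not in prefs["allowed_retention"]]
    return reasons


# Two constructed preference profiles, in the spirit of a browser's privacy settings.
STRICT = {"allowed_purposes": {"current", "admin", "develop"},
          "allowed_recipients": {"ours"},
          "allowed_retention": {"no-retention", "stated-purpose", "legal-requirement"}}
LENIENT = dict(STRICT, allowed_retention=STRICT["allowed_retention"] | {"business-practices", "indefinitely"})

if __name__ == "__main__":
    policy = parse_policies(POLICY_XML)[0]
    print(policy["entity"], policy["access"], policy["statements"][0]["data"])
    print("strict:", conflicts(policy, STRICT), "lenient:", conflicts(policy, LENIENT))
```

The only thing the strict profile objects to is the indefinite retention of clickstream and HTTP log data, which is exactly the disclosure the CONSEQUENCE text makes in words.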