The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.- Samuel D. Warren, Louis D. Brandeis (1890)
“You have zero privacy anyway. Get over it.” Sun Microsystems CEO Scott McNeally
The mantra in Washington D.C. in the 1990s concerning the Internet was "self-regulation." The paradigm example of the mantra has been privacy. It was preached that premature intervention by the Federal government would risk stifling ecommerce. In a competitive market where consumers have bountiful choices, where information concerning company practices and transgressions is readily available, and where fraudulent and deceptive activity can be penalized, industry's solemn oath to be good would be sufficient.
Every year, privacy legislation would be introduced in Congress (sometimes it would be among the first legislative proposals submitted in a given Congress) and every year it would be rejected. The Federal Trade Commission, prior to 2002, had submitted several reports to Congress on the impact of the Internet and ecommerce on privacy, and every time the FTC has stayed largely faithful to the tenant of self-regulation.
But in time, visions of paradise transformed into the reality of trouble and abuse. Growing pains of the new online economy were tolerated as industry, consumer groups, and governments continued to negotiated resolutions to privacy blunders. [News] But, when it comes to children, industry blunders were swiftly greeted with the hammer coming down. [See also e.g. CDA, COPA, CIPA seeking to protect children from harmful content]
The first reformation came in 1996 with the Center for Media Education Report documenting the behavior of online services with children’s information. The documented behavior was atrocious. The online services might set up games where the children could earn points towards winning prizes. Play a few games and win a few points. Provide the salaries of your parents along with information about whom they work for and win lots of points.
This led to the Federal Trade Commission 1998 report Privacy Online: A Report to Congress. This Report found that while 89% of sites surveyed collected information from children, only 24% had posted privacy policies, and only 1% required prior parental consent. These reports led to the unusual break from the mantra for self regulation and the swift passage of the Children's Online Privacy Protection Act, the first online privacy law of the Internet era.
As the Clinton Administration's time came to a close, the faithful continued to abandon "self regulation." The last FTC Privacy Report of the Clinton era continued the call for reform, concluding that the time for self regulation had passed. The FTC recommended to Congress that privacy legislation responsive to industry transgressions would be appropriate.
Ongoing consumer concerns regarding privacy online and the limited success of self-regulation efforts to date make it time for government to act to protect consumers' privacy on the Internet. Accordingly, the Commission recommends that Congress enact legislation to ensure adequate protection of consumer privacy online.
[Privacy Report 2000 p. 36]
Reminder: Unlike the private sector where there is no federal legislation generally mandating privacy policies, the public sector plays under different rules. [See Privacy Act] Government entities have explicit legal obligations concerning privacy, the collection of information, and the dissemination of that information. There are specific obligations that apply to government online resources. [See Sec. 626, Exec. Memo M-00-13, Exec. Memo M-99-18, ECPA] Oh, one area of privacy protection for the private sector involves telephone carriers. [See CPNI]
Privacy is a core value for public networks, with roots deep within common carriage.
During revolutionary times, Benjamin Franklin had a problem. Had been appointed Postmaster of the Colonies mail service. But the mail service was not to be trusted. A post office during those times tended to pretty much a bag hanging in the town tavern. Posting a letter by dropping it in the bag meant it was available for purusal by anyone else in the tavern. When the letter departed the tavern, it was then vulnerable to deep packet inspection by the nasty British - who though surveillance of the communications network was an excellent way to do intillegence gathering on colonial terrorists (aka Founding Fathers). The communications network was vulnerable and those who used the network put themselves potentially at risk. Franklin knew that in order for the network to succeed - and in order for colonial businesses and discourse to succeed - the network had to be trusted. Communications through the network had to be private.
This lesson would be repeated as the network evolved from a postal network, to an electronic telegraph, to telephone, to the Internet, and beyond.
As the telegraph network created a communications revolution, the value of privacy in the public network had already matured. But the legacy value had to evolve to fit the new network. MORE
The telephone network likewise struggled as it too innovated and introducted its communications revolution. The telephone went through typical stages of adoption, moving from a novelty of the select few businesses, to widely deployed amoung businesses, and finally to a universal service available to all. But as the telephone moved from novelty to utility, the value of privacy had to evolve. Fourth Amendment privacy protection traditionally protected against the search and seizure of papers within one's house. Therefore, thought the police, if we are not inside the house, we can listen into telephone conversations all we want (just like the nasty British). During prohibition, suspecting Olmstead to be a bootlegger, law enforcement installed wiretaps outside of Olstead's home and business. After his conviction, Olmstead challenged the wiretaps as Fourth Amendment violations. The Supreme Court in a rigid analysis analysis failed to transform Benjamin Franklin's wisedom to evolve with historical progress. In a famous dissent, however, Justice Brandeis articulated the necessity of privacy in the communications network.
When the Fourth and Fifth Amendments were adopted, "the form that evil had theretofore taken," had been necessarily simple. Force and violence were then the only means known to man by which a Government could directly effect self-incrimination. It could compel the individual to testify - a compulsion effected, if need be, by torture. It could secure possession of his papers and other articles incident to his private life - a seizure effected, if need be, by breaking and entry. Protection against such invasion of "the sanctities of a man's home and the privacies of life" was provided in the Fourth and Fifth Amendments by specific language. But "time works changes, brings into existence new conditions and purposes." Subtler and more far-reaching means of invading privacy have become available to the Government. Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.
[Olmstead, Brandeis dissent, 473]
While the evolution of criminal law to keep pace with privacy wisedom struggled during decades of national tribulation (the Depression, World War II), civil privacy progressed. Section 605 of the Communications Act barred telephone companies from easvesdropping on communications for any reason other than those incidents necessary for the operation and protection of the network. See also 47 U.S.C. 222 (CPNI).
After Brandeis' dissent, history occured: The Depression and World War II. The courts grappled with privacy in the network but the necessity of the public defense overshadowed. When the country emerged from decades of trial, once again the courts struggled to bring traditional wisedom in alignment with technological progress. By the 1960s, the telephone had become prolific in business and society, and the idea that the individual lacked privacy was an anathema. In 1968, the Supreme Court in Katz adopted Brandeis' wisedom and held that the individual has the right to privacy as against the nasty government.
Once against technology innovated, and once again legal wisedom had to evolve. By the 1980s, computer networks were breaking onto the scene, but computer networks were not covered by the Wiretap Act. Therefore Congressed passed the Electronic Communications Privacy Act.
Technological progress hasnt stopped. The Internet has moved from a narrowband application capable of small data transimissions, to the broadband Internet pervassively present in our lives. While the law has failed so far to evolve, the recognition of the necessity is ever present. Prof. Kevin Werbach testified before Congress that in order for Cloud computing to be successful, their had to be trust in the network. CITATION
- Written statement of Kevin Werbach, Associate Professor of Legal Studies & Business Ethics, The Wharton School, University of Pennsylvania, Hearing on ECPA Reform and the Revolution in Cloud Computing, House Judiciary Committee, Subcommittee on the Constitution, Civil Rights and Civil Liberties, p. 6-8 (Sept. 23, 2010)
This is a rich dialog that involves many values and public policy objectives. It is in part a discussion of personal liberty; it is in part a discussion of government restraint (the nasty government); and it is also in part a discussion of the necessary characteristics of a public communications network. The tradition of common carrier seeks to ensure the viability and utility of the public network, for the benefit of the public. For the network to suceed, and for business to thrive and discourse to transpire, people must trust the network - privacy must be assured. [Ohm, The Rise and Fall of Invasive ISP Surveillance (privacy "is a pillar of the concept of 'common carriage'")]
What is Privacy
The discussion of privacy can become muddled because different participants have different conceptions of what Privacy is. [Solove 2005] The conception of Privacy in the United States is very different from the conception of Privacy in the EU. Different "privacy" laws seek to protect against very different harms. Privacy can be viewed as
- Limitation on Government Power / Search and Seizure
- Torts [Restatement of the Law, Second, Torts, Sec. 652B, The American Law Institute (1977)]
- Intrusion on Seclusion
- Right to be left alone : A trespass notion where an individual "does not want their privacy interrupted." An example of this might be telemarketer calls which interrupt dinner time. See Do Not Call
- Right to be left alone / Intrusion into solitude (Warren & Brandeis 1890)
- False Light
- Private Lives:
- This includes the notion that there aspects of our lives that are reserved to private, and should not warrant public exposure.
- Examples of this might be the posting of pictures of children at an elementary school to a public website, without the permission of the children's' parents. A norm suggests that this public exposure is inappropriate and many photo hosting sites will remove such photos when an objection is lodged. Another example might be the President's children; there is a norm in journalism that the lives of the President's children are private and the Press should not cover what sports teams the President's children are on or how they are doing at school.
- Disclosure of intimate facts
- Audience (Context) management (what information gets shared with whom, when and where)
- Social networks = an invisible audience
- Information Management / Control
- Right to control information about oneself
- Collection of Information: The collection of personally identifiable information (PII) by a third party
- In the United States there is a cultural norm that the collection of information should not be objectionable unless one has something to hide. Objecting to such collections is tantamount to self incrimination. [see Solove 2007] In Europe which has experienced fascists governments, the collection of unnecessary information begs the question "why do you need to know." Europeans view personal information as something which has been used against them as a tool of oppression; those who unnecessarily collect it are met with suspicion.
- The ability to determine when, how, and to whom information about an individual is disclosed to others. [Westin]
- The collection of PII involves several situations:
- Collection of PII from an individual by a firm and how that firm uses (or abuses that information)
- Permissive Collection
- the collection of PII from children under age 13
- Compelled disclosure of information
- Non Permissive Collection
- Theft of PII (see identity theft)
- From an individual or
- from a firm that has previously collected the PII
- Data breach response / notification of the firm when a theft has occurred
- Use of Information
- How will the information be used
- Will it be shared with third parties
- Can individual review and revise information collected
- Data Security
- Data Storage
- Data Breach
- Federal Information Security Management Act
What is Personally Identifiable Information (PII):
Privacy policies generally address the collection of PII. But what is PII? What information identifies an individual and what information provides no personal information? According to NIST and GAO
PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." Examples of PII include, but are not limited to:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number
- Address information, such as street address or email address
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
- IP Addresses
- COPPA 16 C.F.R. § 312.2 Personal information means individually identifiable information about an individual collected online, including:... (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- IP Addresses May Be Subject to EU Data Protection Laws, White & Case (May 19, 2016) ("the AG found that dynamic IP addresses are personal data in the hands of a website operator if an internet service provider has further information, which, in combination with the dynamic IP address, could identify a user, since it was likely reasonable to use the information available at the internet service provider. ")
- Lindsey Tonsager, FTC's Jessica Rich Argues IP Addresses and Other Persistent Identifiers are "Personally Identifiable," Inside Privacy Covington April 29, 2016 ("a blanket characterization of browser and device identifiers as “personally identifiable” information for purposes of Section 5 of the FTC Act is in tension with certain privacy statutes as interpreted by the federal courts.")
- Jessica Rich, Keeping Up with Online Advertising Industry, FTC Blog (April 21, 2016) ("we regard data as “personally identifiable,” and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test. For this reason, in the Commission’s 2013 amendments to the Children’s Online Privacy Protection Rule, it modified the definition of “personal information” to include “a persistent identifier that can be used to recognize a user over time and across different Web sites or online services [including but not limited to] a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.”")
- In re Nickelodeon Consumer Privacy Litigation, -- F.3d -- (3rd Cir. 2016) ("The Video Privacy Protection Act, passed by Congress in 1988, prohibits the disclosure of personally identifying information relating to viewers' consumption of videorelated services. Interpreting the Act for the first time, we hold that the law permits plaintiffs to sue only a person who discloses such information, not a person who receives such information. We also hold that the Act's prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual's video-watching behavior. In our view, the kinds of disclosures at issue here, involving digital identifiers like IP addresses, fall outside the Act's protections.")
- Jane E. Brown, In re Nickelodeon Consumer Privacy Litigation: An IP Address Is Not Always Personally Identifiable Information, Beyond IP Law, July 29th, 2016
- Yershov v. Gannett Satellite Information Network, Inc., No. 15-1719, Slip at 6 (1st Cir. April 29, 2016) ("While there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work, here the linkage, as plausibly alleged, is both firm and readily foreseeable to Gannett. The complaint therefore adequately alleges that Gannett disclosed information reasonably and foreseeably likely to reveal which USA Today videos Yershov has obtained. ")
- "The plaintiff there downloaded USA Today's free application onto his smartphone. He alleged that Gannett, which publishes USA Today, shared information about videos he watched on his phone with a third-party analytics company, Adobe Systems, Inc. The information did not include the plaintiff's name or address, but rather his cell phone identification number and his GPS coordinates at the time he viewed a particular video. 134 Rejecting the approach taken in Hulu, Yershov concluded that any unique identifier—including a person's smartphone ID— is personally identifiable information."
- In re Hulu Privacy Litigation No. 11-cv-3764 (LB), 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) (static digital identifiers that could, in theory, be combined with other information to identify a person do not count as “personally identifiable information” under the Video Privacy Protection Act, at least by themselves.). Other cases in accord: Robinson v. Disney Online, --- F. Supp. 3d ---, 2015 WL 6161284, at *6 (S.D.N.Y. 2015); Eichenberger v. ESPN, Inc., No. 14-cv-463 (TSZ), 2015 WL 7252985, at *4–5 (W.D. Wash. May 7, 2015); Ellis v. Cartoon Network, Inc., No. 14- cv-484 (TWT), 2014 WL 5023535, at *3 (N.D. Ga. Oct. 8, 2014), aff'd on other grounds, 803 F.3d 1251 (11th Cir. 2015).
- Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA,” last modified 2 October 2013
- Trend 4 - The Growing Ambiguity of Personal Information, Transparent Lives Surveillance in Canada ("Although an IP address is rarely going to be directly related to one identifiable individual, it is how the IP address is combined with other information (or could reasonably be combined with other information) about tastes, behaviours, and interests that has privacy advocates concerned.")
- FTC’s 2012 Report on Protecting Consumer Privacy in an Era of Rapid Change
- Erika McCallister, Tim Grance, Karen Scarfone, Guide to Protecting Confidentiality of Personally Identifiable Information (PII), Sec. 3.2.2 NIST Publication 800-122 (April 2010) (citing as examples of linked PII first an intranet log that records users IP address, where "organization has a closely-related system with a log that contains domain login information records, which include user IDs and corresponding IP addresses. Administrators who have access to both systems and their logs could correlate information between the logs and identify individuals. Potentially, information could be stored about the actions of most of the organization‘s users involving web access to intranet resources." Second, a fraud, waste and abuse website that logs IP addresses, "However, the log information is not linked or readily linkable with the database or other sources to identify specific individuals.")
- FTC 2009 Self-Regulatory Principles for Online Behavioral Advertising ("In many cases, the information collected is not personally identifiable in the traditional sense – that is, the information does not include the consumer’s name, physical address, or similar identifier that could be used to identify the consumer in the offline world. Instead, businesses generally use “cookies” to track consumers’ activities and associate those activities with a particular computer or device. . . . [H]owever, it may be possible to link or merge the collected information with personally identifiable information – for example, name, address, and other information provided by a consumer when the consumer registers at a website.")
- Washington Court Rules that IP Addresses Are Not Personally Identifiable Information, Privacy and Information Security Law Blog, Hunton & Williams July 10, 2009
- Johnson v. Microsoft Corp. U.S. District Court for the Western District of Washington 2009 ("In order for “personally identifiable information” to be personally identifiable, it must identify a person. But an IP address identifies a computer, and can do that only after matching the IP address to a list of a particular Internet service provider’s subscribers. Thus, because an IP address is not personally identifiable, Microsoft did not breach the EULA when it collected IP addresses")
- Alma Whitten, “Are IP Addresses Personal?” Google Public Policy Blog, 22 February 2008
- Klimas v. Comcast Cable Comm’cns, Inc., 465 F.3d 271, 276 n.2 (6th Cir. 2006) (“We further note that IP addresses do not in and of themselves reveal ‘a subscriber’s name, address, [or] social security number.’ That information can only be gleaned if a list of subscribers is matched up with a list of their individual IP addresses.”)
- Klimas v. Comcast Cable Communications, Inc., Case No. 02-CV-72054-DT, 2003 WL 23472182, *5 (E.D. Mich. July 1, 2003) (“[U]nless an IP address is correlated to some other information, such as Comcast’s log of IP addresses assigned to its subscribers (or a hotel registry in the analogy of hotel room numbers), it does not identify any single subscriber by itself. In other words, an IP address, by itself, is not ‘specific information about the subscriber.’ Therefore, Comcast’s collection of IP-URL linkages cannot constitute PII unless it is linked to the IP address/subscriber log.”);
- Pruitt v. Comcast Cable Holdings, LLC, 100 Fed. Appx. 713, 716 (10th Cir. 2004) (“Without [additional information] one cannot connect the [information contained in the converter box] with a specific consumer”).
- MAC Addresses
- Ann Cavoukian, PhD, Kim Cameron, WiFi Positioning Systems: Beware of Unintended Consequences, Information and Privacy Commissioner (June 2011) ("Since the MAC address was designed to be persistent and unique over the lifetime of a Wi-Fi device, in a WPS, it identifies Wi-Fi devices that are closely associated with individuals – not only stationary routers, but personal laptops and mobile phones. When a unique identifier may be linked to an individual, it often falls under the definition of “personal information” through that data linkage and carries with it a host of regulatory responsibilities. The associated privacy issues range from lack of knowledge or consent of the mobile device owner for the use of the unique identifier, the possibility of unauthorized disclosure to third parties, or potential uses for secondary purposes")
- Telephone numbers, including mobile, business, and personal numbers
- Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
- Information identifying personally owned property, such as vehicle registration number or title number and related information
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
[NIST PII 2010 p 7, & Sec. 2.2 (This definition is the GAO expression of an amalgam of the definitions of PII from OMB Memorandums 07-16 and 06-19. GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008)] Office of Management and Budget (OMB) Memorandum 07-16 (PII is "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.").
Congress in COPPA specified what it considered PII to be, but also noted that the list was not exhaustive. CPNI also identifies what it considers PII. As technologies advance, new questions are raised about what should be added to PII. Some argue that IP numbers should be considered PII [McIntyre 2011]
Protection / Confidentiality of PII
The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." [NIST PII 2010]
The Federal Government has a number of documents concerning the handling of PII. [NIST PII 2010]
- Protection of PII, NARA (Aug. 6, 2009)
- GSA Rules of Behavior for Handling Personally Identifiable Information (PII) (Aug 7, 2009)
- Corey Ciocchetti, Just Click Submit: The Collection, Dissemination, and Tagging of Personally Identifying Information, 10 VAND. J. ENT. & TECH. L. 553 (2008).
- IP Addresses and Personally Identifiable Information, CircleID 2/25/2008
- Are IP addresses personal?, Google 2/25/2008
Online Privacy Issue
|Children's Online Privacy||
|EU Privacy Directive||
|Privacy Policies (eCommerce)||
|Law Enforcement: Wiretaps||
Broadband Plan Recommendations
- Recommendation 4.14: Congress, the Federal Trade Commission (FTC ) and the FCC should consider clarifying the relationship between users and their online profiles.
- Recommendation 4.15: Congress should consider helping spur development of trusted "identity providers" to assist consumers in managing their data in a manner that maximizes the privacy and security of the information.
- Recommendation 4.16: The FCC and FTC should jointly develop principles to require that customers provide informed consent before broadband service providers share certain types of information with third parties.
The risk to privacy resulting from the collection of personally identifiable information is not new. The collection of personal information and the tracking of customer preferences has occurred for many years in many settings. For example, when a consumer calls a toll free number, or when a business uses caller ID technology, the consumer’s telephone number is revealed to the business. Additionally, buying habits are recorded in a host of contexts, such as when consumers place catalog orders, make purchases utilizing credit cards, fill prescriptions, and join grocery store customer loyalty clubs. Thus, the privacy concerns that stem from the collection of personally identifiable information are not new and are not caused by the Internet. However, the facility with which the Internet and other new communication technologies enable the collection of such information to occur, along with the rapid growth of e-commerce, has prompted enhanced scrutiny of this privacy issue. Some have expressed concerns that:
the automated collection and distribution of personal information is forcing Americans to live in a virtual fishbowl. The increased accessibility, on the Internet, of personal details about our lives will erode other American liberties: people will think twice before consulting a doctor, joining a political organization, or sending e-mail, when the information winds up in an online database.
- Know the Rules Use the Tools, Privacy in the Digital Age: A Resource for Internet Users, US Senate Judiciary Committee, p. 2 (n.d.)