The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.- Samuel D. Warren, Louis D. Brandeis (1890)
The mantra in Washington D.C. in the 1990s concerning the Internet was "self-regulation." The paradigm example of the mantra has been privacy. It was preached that premature intervention by the Federal government would risk stifling ecommerce. In a competitive market where consumers have bountiful choices, where information concerning company practices and transgressions is readily available, and where fraudulent and deceptive activity can be penalized, industry's solemn oath to be good would be sufficient.
Every year, privacy legislation would be introduced in Congress (sometimes it would be among the first legislative proposals submitted in a given Congress) and every year it would be rejected. The Federal Trade Commission, prior to 2002, had submitted several reports to Congress on the impact of the Internet and ecommerce on privacy, and every time the FTC has stayed largely faithful to the tenant of self-regulation.
But in time, visions of paradise transformed into the reality of trouble and abuse. Growing pains of the new online economy were tolerated as industry, consumer groups, and governments continued to negotiated resolutions to privacy blunders. [News] But, when it comes to children, industry blunders were swiftly greeted with the hammer coming down. [See also e.g.CDA, COPA, CIPA seeking to protect children from harmful content]
The first reformation came in 1996 with the Center for Media Education Report documenting the behavior of online services with children’s information. The documented behavior was atrocious. The online services might set up games where the children could earn points towards winning prizes. Play a few games and win a few points. Provide the salaries of your parents along with information about whom they work for and win lots of points.
This led to the Federal Trade Commission 1998 reportPrivacy Online: A Report to Congress. This Report found that while 89% of sites surveyed collected information from children, only 24% had posted privacy policies, and only 1% required prior parental consent. These reports led to the unusual break from the mantra for self regulation and the swift passage of the Children's Online Privacy Protection Act, the first online privacy law of the Internet era.
As the Clinton Administration's time came to a close, the faithful continued to abandon "self regulation." The last FTC Privacy Report of the Clinton era continued the call for reformation, concluding that the time for self regulation had passed. The FTC recommended to Congress that privacy legislation responsive to industry transgressions would be appropriate.
Ongoing consumer concerns regarding privacy online and the limited success of self-regulation efforts to date make it time for government to act to protect consumers' privacy on the Internet. Accordingly, the Commission recommends that Congress enact legislation to ensure adequate protection of consumer privacy online.
Reminder: Unlike the private sector where there is no federal legislation generally mandating privacy policies, the public sector plays under different rules. [See Privacy Act] Government entities have explicit legal obligations concerning privacy, the collection of information, and the dissemination of that information. There are specific obligations that apply to government online resources. [See Sec. 626, Exec. Memo M-00-13, Exec. Memo M-99-18, ECPA] Oh, one area of privacy protection for the private sector involves telephone carriers. [See CPNI]
What is Privacy
The discussion of privacy can become muddled because different participants have different conceptions of what Privacy is. [Solove 2005] The conception of Privacy in the United States is very different from the conception of Privacy in the EU. Different "privacy" laws seek to protect against very different harms. Privacy can be viewed as
Invasion of Privacy: A trespass notion where an individual "does not want their privacy interrupted." An example of this might be telemarketer calls which interrupt dinner time.
See Do Not Call
Private Lives: Similar to invasion of privacy, this includes the notion that there aspects of our lives that are reserved to private, and should not warrant public exposure. Examples of this might be the posting of pictures of children at an elementary school to a public website, without the permission of the childrens' parents. A norm suggests that this public exposure is inappropriate and many photo hosting sites will remove such photos when an objection is lodged. Another example might be the President's children; there is a norm in journalism that the lives of the President's children are private and the Press should not cover what sports teams the President's children are on or how they are doing at school.
Torts
Disclosure of intimate facts
False Light
Misappropriation
Intrusion into solitude
Collection of Information: The collection of personally identifiable information (PII) by a third party
In the United States there is a cultural norm that the collection of information should not be objectionable unless one has something to hide. Objecting to such collections is tantamount to self incrimination. [see Solove 2007] In Europe which has experienced fascists governments, the collection of unnecessary information begs the question "why do you need to know." Europeans view personal information as something which has been used against them as a tool of oppression; those who unnecessarily collect it are met with suspicion.
The collection of PII involves several situations:
Collection of PII from an individual by a firm and how that firm uses (or abuses that information)
"Appropriateness: Is the collection of location information appropriate given the context of the service or application?
"Minimization: Is the minimum necessary granularity of location information distributed or collected?
"User Control: How much ongoing control does the user have over location information? Is the user a passive receiver of notices or an active transmitter of policies? Are there defaults? Do they privilege privacy or information
ow?
"Notice: Can requesters transmit information about their identity and practices? What information is required to be provided to the user by the requesting entity? What rules can individuals establish, attach to their location information and transmit? Is there a standard language for such rules?
"Consent: Is the user in control of decisions to disclose location information? Is control provided on a
per use, per recipient or some other basis? Is it operationalized as an opt-in, opt-out or opt model?
"Secondary Use: Is user consent required for secondary use (a use beyond the one for which the infor
mation was supplied by the user)? Do mechanisms facilitate setting of limits or asking permission for secondary uses?
"Distribution: Is distribution of location information limited to the entity with whom the individual believes they are interacting or is information re-transmitted to others?
"Retention: Are timestamps for limiting retention attached to location information? How can policy statements about retention be made?
"Transparency and Feedback: Are
flows of information transparent to the individual? Does the specification facilitate individual access and related rights? Are there mechanisms to log location information
requests and is it easy for individuals to access such logs
"Aggregation: Does the standard facilitate aggregation of location information on speci c users or users generally? Does the specification create persistent unique identiers?
Recommendation 4.14: Congress, the Federal Trade Commission (FTC ) and the FCC should consider clarifying the relationship between users and their online profiles.
Recommendation 4.15: Congress should consider helping
spur development of trusted “identity providers” to assist
consumers in managing their data in a manner that maximizes
the privacy and security of the information.
Recommendation 4.16: The FCC and FTC should jointly
develop principles to require that customers provide informed
consent before broadband service providers share
certain types of information with third parties.
The risk to privacy resulting from the collection of personally identifiable information is not new. The collection of personal information and the tracking of customer preferences has occurred for many years in many settings. For example, when a consumer calls a toll free number, or when a business uses caller ID technology, the consumer’s telephone number is revealed to the business. Additionally, buying habits are recorded in a host of contexts, such as when consumers place catalog orders, make purchases utilizing credit cards, fill prescriptions, and join grocery store customer loyalty clubs. Thus, the privacy concerns that stem from the collection of personally identifiable information are not new and are not caused by the Internet. However, the facility with which the Internet and other new communication technologies enable the collection of such information to occur, along with the rapid growth of e-commerce, has prompted enhanced scrutiny of this privacy issue. Some have expressed concerns that:
the automated collection and distribution of personal information is forcing Americans to live in a virtual fishbowl. The increased accessibility, on the Internet, of personal details about our lives will erode other American liberties: people will think twice before consulting a doctor, joining a political organization, or sending e-mail, when the information winds up in an online database.
