privacy and the internet professor peter p. swire ohio state university national press foundation...
Post on 27-Mar-2015
220 Views
Preview:
TRANSCRIPT
“Privacy and the Internet”
Professor Peter P. Swire
Ohio State University
National Press Foundation
February 14, 2001
Do People Care About Privacy?
90 percent of Americans say they have “lost all control” over their personal information
WSJ poll 9/99
Overview The Clinton Administration and privacy This year
The Clinton Administration
Supported self-regulation generally Sensitive categories deserve legal protection
– Medical & Genetic– Financial– Children’s Online
Government should lead by example Chief Counselor for Privacy
Internet Privacy
Quantity of policies– 15% to 66% to 88% from 1998 to 2000
Quality of policies– Seek continued improvement on choice, access
& security Enforcement if company breaks its privacy
promise– Unfair and deceptive trade practice
Internet Sectors
Individual Reference Services Group (1998)– Look up services code of conduct– Limits on distribution of SSNs
Network Advertising Initiative (2000)– Special sensitivity when a 3d party, unknown to
user, compiles information Safe Harbor for transfers with E.U. (2000)
– Self-regulation as a core achievement
Children’s Online Privacy Protection Act of 1998 FTC rules took effect 4/00 Web sites targeted at under 13s Key is “verifiable parental consent”
Medical Records Privacy
HIPAA 1996 called for legislation by 8/99 President announced proposed regs 10/99 Over 52,000 submissions of comments Final rules 12/00 Administration decision by February 26
Medical Records (cont.)
Fair information practices– Notice– Patient choice– Access– Security– Enforcement
Medical -- Who is Covered?
“Covered entities”– Providers– Plans– Clearninghouses
Business associates Online/offline neutrality
Financial Privacy
Title V of Gramm-Leach-Bliley– Notice– Opt-out 3d parties– Enforcement
Online/offline neutrality President Clinton called for greater
protections last year
Government as a Model
Government web sites– Privacy policies at major sites– Presumption against cookies
Computer security Coordination & oversight mechanisms
Government computer security
Good security is necessary for privacy– Weak security allows access to tax records, criminal
investigative files, etc.– Good security helps stop hackers and other
unauthorized users Good security is not sufficient for privacy
– What can an authorized user do with the data?– Post it to the Internet?– Privacy policies govern authorized users
Coordination & oversight
Coordination -- Chief Counselor position 3/99
Must become aware of issues before you can affect them-- “clearance”
Alert decisionmakers before problems become public
No announcement on Bush approach
II. This Year
Fair information practices and Internet Privacy
Notice– Some favor notice only– Can do with technology, such as P3P– Less strict -- no other requirements– More strict -- a new law more likely later
Choice
The biggest debate so far Opt out
– Customer gets choice– But opt out may be hard to find on web page– Maybe “spyware” and no one to give notice
Choice (cont.)
Opt in– Strong privacy protection– Forces web site to explain why sharing is good– But, how do small sites find customers?
Robust opt out– Possible compromise
Access
Like FOIA -- check on abuse “Reasonable” access
– Cost matters Some exceptions
– Information about other persons– Trade secrets and proprietary
Access (cont.)
Access only to decisional information– Credit reports– Medical records
Access to all information– Psychographic information– Every memo in the company
Target marketing– Decisional?– Proprietary?
Security
Good security in layers– Hardware– Software– Personnel policies
Hard to measure Law focuses on notice of security? Detailed regs on security? Must update anti-virus at least once a week?
Enforcement
FTC new powers State AGs to help Private right of action?
Enforcement (cont.)
What role for TRUSTe, BBBOnline?– Safe harbor in COPPA– Multiplies enforcement resources– Teams enforcement with consulting– Privatizes enforcement– Target for EU pressure
Other Internet Privacy Issues
Preemption In favor:
– Same web site sells to all 50 states– Possibly inconsistent state laws
Opposed:– The big reason for industry to accept legislation– Financial and engine for continued change– Don’t place ceiling on “human rights”
Other Issues (cont.)
Customer lists in bankruptcy– Toysmart case
Law enforcement access to Internet records Extend to offline, too?
– Leary -- consistency requires it– But, ready to regulate each corner store?
Concluding thoughts
Many flows are good in Information Age, but not all flows are good
Self-regulation has been central to date Treat sensitive data more carefully, subject to
legal protections where appropriate Will political system insist on Internet
legislation? In closing, a common sense test:
President Clinton, at Aspen Institute:
“Do you have privacy policies you can be proud of? Do you have privacy policies you would be glad to have reported in the media?”
If so, your policies are far more likely to survive, and help your organization prosper, in the information age.
top related