Potential threats to privacy
A set of electronic privacy principles has been distributed by the CPSR Cyber Rights Working Group, with input from NetAction. A carefully researched report finds that 40 out of 50 surveyed countries are enacting comprehensive privacy laws, although the United States is avoiding them. Naturally, the terrorist attacks on September 11, 2001 shift the impetus toward greater surveillance, not greater privacy. A vast increase in all kinds of surveillance (such as public cameras with face recognition) is underway.
Monitoring shows signs of being woven right into everyday Internet activities, perhaps in a form like the Globally Unique Identifier that RealJukeBox assigns to every user who registers and downloads the product. Thanks to a public flap over the RealNetworks company's practice of noting every song each user downloads, the company has halted some of its monitoring. But such encroachments on privacy tempt other companies, sometimes as part of their attempts to protect copyright.
Browser cookies, which were invented as a simple way to maintain state in Web page (for instance, allowing you to add information from one form to the next form presented by the server) have turned into full-fledged user tracking tools. Some companies, the best-known being DoubleClick, set and retrieve cookies from click-through Web advertisements placed by large numbers of corporate clients. DoubleClick bought a direct-marketing firm that had accumulated a huge amount of identifying customer information, raising the possibility that companies using DoubleClick's services could tie you to any interests you reveal by clicking on their ads or browsing their sites. Public outcry, a campaign by EPIC, and government investigations caused DoubleClick to retreat from that plan.
Another important facet of private communications is the concept of anonymity. A report prepared by the American Association for the Advancement of Science with funding from the National Science Foundation, and covered in a special issue of the Information Society, champions the importance of online anonymity. Anonymous remailers, for instance, provide the user with the options of complete or pseudo-anonymous communication - i.e. sending E-mail or posting News without revealing your actual address.
While U.S. law protects a right to anonymity, the practice is coming under attack because it can be used as cover for distributing illegal pornographic materials, issuing libelous statements, and so on. Courts in the U.S. have issued rulings requiring chat rooms or email forums to reveal the identities of anonymous posters who criticize the companies or reveal internal secrets, so that companies could discipline their employees of bring defamation lawsuits. In effect, the precedents allow anonymity to be breached even before any court rules that the messages actually violate any laws. In several cases, judges have required ISPs or Web hosting sites to reveal subscribers' identity. But in March 2001, a court upheld the right to anonymity for an online poster not convicted of any crime.
In the best-known case of anonymity being breeched, the world’s most famous anonymous remailer, anon.penet.fi, closed down after a Church of Scientology claim of copyright violation led a court to force the administrator to reveal a user's identity.
Technological advances continue to strip away anonymity and make it easier for large sites to maintain databases on individuals. An identifier that the Intel Corporation has announced it will put in every chip led to a boycott from privacy organizations.
A court case against a French service hosting free Web sites, called Altern, has (ironically, in the name of prosecuting a violation of privacy) threatened the privacy of Web publishers by making it unfeasible to host anonymous Web sites. A French online campaign to save Altern drew many supporters, and the French government soon passed a law protecting Internet providers from liability for the sites they host, similar to protections in U.S. law.
Governments encroach almost instinctively on privacy in their attempts to fight crime or dissent. The Russian government, under a regulation called SORM, are trying to force Internet providers to give the police access to all online material. The British police have been negotiating with Internet providers to reach an agreement whereby the ISPs would furnish any requested material to the police without the safeguards required by law for telephone wiretapping.
The standand response by the United States government to public concerns over data privacy is to call for self-regulation rather than protective legislation, although the Federal Trade Commission made a tiny break from that stance in a paper criticizing industry and calling for the protection of children’s information. Following the report, a law was passed placing conditions on the collection of information from children 13 years old or younger on the Internet. Although the FTC moves slowly and continually give companies chances to conform to its expectations voluntarily, in May 2000 it asked Congress to pass a law requiring that companies at least describe their policies concerning customer data. Congress is not likely to respond in this session, but the wheels of government are slowly grinding toward regulation.
However, governments around the world are finding they must move faster, not only in response to public pressure but because of a European Parliament directive that would cut off data exchanges with any country lacking adequate privacy safeguards. The directive was scheduled to take effect on October 24, 1998, but it was only in March 2000 that the European Union announced a successful conclusion to negotiations with the United States, which has been trying to avoid any restrictions on the collection and use of data. The new agreement would require U.S. businesses to provide the same protection to European customers as European businesses do; this may lead to broader changes because it would force U.S. businesses to put protections in place.
Canada has broken from the self-regulation rhetoric to offer a comprehensive privacy bill. A group in Australia called the Campaign for Fair Privacy Laws is pushing the government there to follow through on promises to pass laws.
The Clinton Administration encouraged Congress to pass a bill ensuring medical privacy; currently a 150-page proposed regulation is available to the public for review. The Administration's prescription for solving the problem is inadequate, as reflected in an ACLU critique. Insurance companies complain about the cost of compliance. Others say these complaints are exaggerated, but certainly the insurance companies and health care providers have to make major changes in their transactions. Meanwhile, the Federal Trade Commission warns that the regulations offer no protections to users of most online health sites.
A bill in the U.S. Senate promotes centralization of medical records and lays down rules for access by insurance companies, police, and other groups. Most civil liberties groups are opposing it because of the wide range of information stored and the large number of people who could get access. But CDT expressed support.
The World Wide Web Consortium is working on a system called Platform for Privacy Preferences (P3P) to help Web users choose how their data is shared, but it remains up to the courts and legislatures to enforce agreements made under the system. Privacy expert Roger Clarke has released a critique balancing the positive contributions of P3P and what is left undone.
The Social Security Administration inadvertently pushed online privacy onto the front pages by its well-meaning offer of online social security information. The FTC held hearings on the collection and sharing of information about consumers, with input from EPIC and several other public-interest groups.
Tightened regulations on monitoring information on air travelors, ordered by the Clinton Administration and implemented by the FAA in an attempt to find terrorists, were opposed by several organizations including CPSR, EPIC, and the ACLU, have opposed the initiative.
Last updated: November 21, 2001
Suggestions to: email@example.com
Created before October 2004