ELECTRONIC PRIVACY PRINCIPLES
Electronic Privacy Guidelines
Electronic mail, web surfing, and other online resources open the door to a whole new world of computer-mediated communication. However, these conversations are not conducted in private: employers, advertising companies, government officials, information providers, and others are watching the net to see what is being said and who is saying it. This monitoring is easily carried out, and often impossible to detect.
Technology currently facilitates massive invasions of privacy that were never possible in the days of traditional sealed envelopes and locked filing cabinets. Both data collectors and governments are taking advantage of these technical possibilities, and neither is doing enough to guarantee the privacy rights of the public. A new commitment to providing technology for privacy protection is needed among software developers and information providers. Governments must also guarantee the rights of individuals and organizations to communicate without risk of unwittingly disclosing information to unknown parties.
Protection of privacy is best achieved through cooperation between employers, service providers, software developers, governments, and information collectors. The burden of protection should fall on those collecting or using data, not on the multitudes of scattered individuals who are using a variety of electronic systems to go about their daily activities. Anonymity is a critical goal: every user should be able to conduct activities without the knowledge of uninvolved parties, and without the risk of having these activities or their embedded information logged for unrelated purposes.
Accomplishing this goal is a complex technical and social matter, requiring an industry-wide effort that governments, at best, should help to coordinate and, at the very least, should not hinder. This document provides guidelines that might be used by principled institutions to guarantee proper respect for the privacy and dignity of employees, customers, and citizens.
While we call on governments and data collectors to promote privacy-protecting technology and to offer guarantees that electronically exchanged information will not be misused, we recognize that they are not doing so adequately at present. Users should therefore protect themselves by learning about the risks of using networks and by employing available software solutions. Technologies exist today to protect and preserve privacy. These include encryption products like PGP, anonymous remailers, and a variety of security and privacy mechanisms built into commonly used software. Some of these resources have been attacked at the federal level as dangerous to national and internal security. The real danger is that the world of networked communication will be one in which users can be monitored in their every move. These privacy resources must be protected for the benefit of all.
Employer providers
Many employers have no standing policy on employee privacy. In the absence of any statement to the contrary, users should assume that they have no privacy in their workplace. From a legal perspective, employees have few privacy rights. Courts have upheld the right of the employer to monitor any and all employee communications over the employer's computer system regardless of implied or explicit statements regarding employee message privacy. To alleviate this situation, the following steps are recommended.
- Each employer should provide and act on clear policies regarding the privacy implications of the computing resources used in the workplace. The policies should explicitly describe:
  - acceptable use of electronic mail and computer resources, including personal use;
  - practices that may be used to enforce these policies, such as the interception and reading of electronic mail or scanning of hard disks;
  - penalties for non-compliance with these policies.
- Employees should be informed of any electronic monitoring systems that might be used on workplace computers.
Service providers
When an individual signs up for Internet access through an Internet Service Provider, behavior is governed by their contract. No clear laws exist that require an ISP to protect an individual's privacy rights or to notify users of ISP policies. We recommend that providers fill the gap with the following responsible contract policies.
- Service providers must provide users with a clear understanding of the privacy implications of the service contract, including:
  - the intended use of any information collected as part of the subscription to an ISP, such as mailing address, phone number, credit card information, and software used;
  - whether the user can choose to stop the use of the information for purposes not immediately required for operation of the service, or better yet, whether the user must explicitly permit the use before it takes place.
- Demographic or identifying information gathered at servers that is not actively provided by the user should not be used beyond the analysis of site activity; in particular, no attempt should be made to identify individual users or to pass this information on to other parties. Beyond the needs of system administration, information should not be collected or stored on usage patterns of individuals, such as time of day usage, sites visited, and downloads.
Web page owners and other information providers
- Web sites should describe the intended use of "registration" information required by some prior to access or to downloading of information.
- Internet white pages services should use only legitimate sources for information. For example, Usenet posts and home pages might be appropriate, while service provider customer lists would not be. These services should provide automated "delete me" services suitable for eliminating present and future inclusions of an individual's identifying information.
- Individuals should be able to remove their names from mass electronic mailing lists.
Mailing list operators, database managers, and other information collectors
- When individuals log into any Internet site or bulletin board, they should be provided with descriptions of potential uses of any personal information. These potential uses should be narrowly and clearly defined and no commercial use outside of those described should be permitted. Whenever possible, the site should give the individual the choice as to whether to opt in to the use of this personal information.
- Information collected should be limited to that which is necessary for the described uses, and all personal information should be accurate and up-to-date.
- Individuals should have easy and immediate access to copies of any information that data collectors may have regarding them. Individuals should be allowed to dispute and correct any inaccuracies.
- Information collectors should take appropriate technical measures to ensure the protection of individual privacy and to safeguard the integrity of the stored information.
- Information from multiple sources should not be stored in large centralized databases where access is too easy for unauthorized people; nor should large quantities be keyed by a single identifier (such as a social security number in the United States).
- Data collected about individuals should be sold for commercial purposes only after they give their informed consent.
- Network software should provide users with the ability to take active measures to protect their privacy. These measures might include:
  - support for strong encryption, such as Pretty Good Privacy (PGP);
  - mailer/news-posting options that might be used to exclude items of information from automated search services;
  - automatic and explicit notification of any cases where a user's identity might be explicitly or implicitly revealed.
- Privacy protection should be a design goal incorporated into any software that could entail an interaction between a user and a system or network that others have access to.
Governments
At a minimum, governments at any level (national, state, or municipal) should observe the laws and regulations currently on the books (for instance, limitations on the use of social security numbers, restrictions on database matching, etc.). Although this guideline is obvious, it is often violated. In addition to meeting minimal legal requirements, governments should offer the following guarantees:
- Attempts at protecting individual privacy and anonymity must not be hindered by government interference or legislation.
- Strong encryption, and the ability to use communication facilities such as electronic mail and discussion groups anonymously, should be available without restriction.
- Law-enforcement efforts must not be used as a pretext for invasion of privacy rights. Investigations online must be narrowly tailored to accomplish an explicit, legitimate government purpose.
- Universal standards should be adopted that define privacy rights and the technical and legal means of securing them.
- Laws must make it clear that the use of information stored in computers and on networks should be limited to the use for which the information was collected, and should include both civil and criminal penalties for misuse of that information by individuals, private institutions, or government agencies.
Conclusions
The ethical responsibility for privacy protection lies with those who would violate that privacy, and with those who design and provide the systems where the violations can occur. While electronic data is currently more vulnerable to misuse and secondary use than data exchanged and stored through traditional means (paper and telephone), it could and should be made more secure than those media. More work is needed on both the technical and the social/legal aspects of protecting electronic privacy.
At every step, the public should challenge information collectors and users regarding privacy issues, and not simply accept a dismissive explanation of "company policy."
Computer, network, and software developers should make their systems as secure as is technically possible, and should make privacy protection a built-in feature that is transparent or easily used. Access providers should then use these secure systems and guarantee that they will guard against privacy breaches. Governments must remove barriers to the use of technical solutions and must adopt and enforce civil and criminal penalties for privacy violations. Data collectors must allow individuals access to the data about themselves, and must restrict use of the data to activities of which the individual is aware.
Our society depends on the notion of privacy. It is the ability to maintain privacy, ironically, that allows individuals to participate in the daily activities of their communities. Without guarantees, people will feel inhibited in sending electronic mail, researching in online libraries, shopping at electronic stores, or voicing opinions in political forums. Strong policies protecting and valuing privacy must be put in place now, while the electronic systems that will define commerce and communication in the coming decades are being developed.
Written by Harry Hochheiser, firstname.lastname@example.org, and Andrew Oram, email@example.com, of the Cyber Rights Working Group of CPSR, with input from Mary Connors, Craig Johnson, and Christine Mailloux of CPSR, Audrie Krause of NetAction, and Marc Rotenberg of the Electronic Privacy Information Center (EPIC). This document was approved by the Cyber Rights Working Group of CPSR on 9 September 1996 and stored on the World Wide Web at http://www.cpsr.org/program/privacy/privacy8.htm.