ELECTRONIC PRIVACY PRINCIPLESThe CPSR Cyber-Rights Working Group created the following Cyberspace Privacy Paper, edited and approved by the CPSR Board on Tuesday, 3 September, 1996.
(Paper followed by Some Online Sources for Information on Privacy. )
Electronic mail, web surfing, and other on-line resources open the door to a whole new world of computer-mediated communication. However, these conversations are not conducted in private: employers, advertising companies, government officials, information providers and others are watching the net to see what is being said and who is saying it. This monitoring is easily done, and often impossible to detect.
The extraordinary growth of the Internet has led to increased concerns regarding individual privacy. Since detection of privacy violations is difficult, prevention is the key. Protection of privacy is best achieved through cooperation between employers, service providers, software developers, individuals, governments, and information collectors. This document provides guidelines that might be used by principled institutions to guarantee proper respect for the privacy and dignity of employees, customers, and citizens.
Each individual has an important role in protecting his or her own privacy. Privacy implications of network use vary according to the tools used, and the context in which they are used. To protect their privacy, network users must take the responsibility to learn about the privacy implications of the tools they are using.
Many employers and institutions have no standing policy on employee and user privacy. In the absence of any policy to the contrary, users should assume that they have no privacy in workplace environments. Courts have upheld the right of the employer to monitor any and all employee communications over the employer's computer system regardless of implied or explicit statements regarding employee message privacy.
Even if the user has an assurance of privacy from the service provider, no one can absolutely guarantee the privacy of messages going across today's computer networks. Fortunately, technology exists today to protect and preserve privacy. These include encryption products like PGP, anonymous remailers, and a variety of security and privacy mechanisms built into commonly-used software. Some of these resources have been attacked at the Federal level as dangerous to national and internal security. The real danger is that the world of networked communication will be one in which users can be monitored in their every move. These privacy resources must be protected for the benefit of all.
The Responsibilities of Employers
- Each employer must provide clear policies regarding the privacy implications of the computing resources used in the workplace. These policies should explicitly describe:
- acceptable use of electronic mail and computer resources, including personal use;
- practices that may be used to enforce these policies, such as reading of electronic mail or scanning of hard disks;
- and penalties for non-compliance with these policies.
- Employees should be informed of any electronic monitoring systems that might be used on workplace computers.
The Responsibilities of Service and Information Providers
- Service providers must provide users with a clear understanding of privacy implications of the service contract. This includes:
- the intended use of any information collected as part of the subscription to an ISP, such as mailing address, phone number and credit card information
- a description of the intended use of "registration" information required by some Web sites prior to access or to downloading of information.
- Demographic or identifying information gathered at servers that is not actively provided by the user should not be used beyond the analysis of site activity; in particular, no attempt should be made to identify individual users or to pass this information on to other parties.
- Internet white pages services should use only legitimate, publicly available sources for information. For example, Usenet posts and home pages might be appropriate, while service provider customer lists would not be. These services should provide automated delete me services suitable for eliminating present and future inclusions of an individuals identifying information.
- Individuals should have access to a Electronic Direct Marketers Association. This electronic counterpart to the paper-based organization would allow users to remove their names from mass electronic mailing lists.
The Responsibilities of Mailing List Operators, Database Managers, and other Information Collectors
- Individuals should be provided with descriptions of potential uses of any personal information. These potential uses should be narrowly and clearly defined.
- Information collected should be limited to that which is necessary for these uses, and all personal information should be accurate and up-to-date.
- Information collectors should take appropriate technical measures to insure the protection of individual privacy.
- Upon request, information collectors must be required to provide an individual with copies of any information that the collector may have regarding him/her. Individuals should be allowed to dispute and/or correct any inaccuracies.
The Responsibilities of Software Developers
- Network software should provider users with the ability to take active measures to protect their privacy. These measures might include
- support for encryption, such as PGP;
- mailer/news-posting options that might be used to exclude an item from automated search services;
- and explicit notification of any cases where a users identity might be implicitly revealed.
The Responsibilities of Individuals
- Network users must take appropriate and proactive measures to assure protection of their own individual privacy.
- In particular, individuals must be willing to learn the privacy protections in software they are using, and must take responsibility for making use of the tools at their disposal.
The Responsibilities of Governments
- Attempts at protecting individual privacy and anonymity must not be hindered by government interference or legislation.
- Strong encryption and complete anonymity for protection of individual privacy should available without restriction.
- Law-enforcement efforts must not be used as a pretext for invasion of privacy rights.
- Laws must make it clear that the use of information stored in computers and on networks should be limited to the use for which the information was collected, and should include penalties for misuse of that information by individuals, private institutions, or government agencies.
SOME ONLINE SOURCES OF INFORMATION ON PRIVACYComputer Professionals for Social Responsibility
The Electronic Privacy Information Center
The Consumer Project on Technology
The Federal Trade Commission
CNET article on Privacy
Commerce Department report
Privacy and the NII: Safeguarding Telecommunications-related Personal Information
Information Infrastructure Task Force report
Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information
Georgia Tech Internet survey
Return to the CPSR home page.
Send mail to webmaster.
Created before October 2004