The American Way-Way Behind

Privacy issues dominated discussions at this year's ninth annual Computers, Freedom and Privacy (CFP 99) conference in Washington D.C. While in the past, programmers and security experts have raised privacy concerns, online services such as shopping, banking and putting up personal homepages have brought these issues home to the everyday surfer.

Privacy on the Net essentially entails balancing corporate interests and individuals' interests with regard to collecting, storing and using Web surfer data. Information on a site can be collected through methods ranging from the surreptitious, such as tracking a visitor's movements, to the overt, like questionnaires and registration forms. In the digital age, this data acts as a currency for retailers hoping to entice those dead presidents out of your pocket.

While we consider ourselves advanced on many fronts here in the United States, the consensus among many observers at CFP 99 is that the U.S. privacy policy is not an effective one. The Clinton administration adheres to a self-regulation policy within the industry, while the international trend seems to welcome more government regulation.

Becky Burr, head of the Commerce Department unit overseeing many Internet issues, said that the industry programs to protect privacy have not developed as quickly as the administration anticipated when it announced its policy in July of 1997. "We did underestimate the ease with which private-sector participants could come together," Burr said during the convention. "I don't think that fundamentally changes the validity of that model."

A strict new law protecting privacy went into effect in October of 1998 in the European Union. The EU directive prohibits the buying and selling of personal data about European citizens, mandates that websites tell users when data about them is collected, and gives users the right to refuse disclosure. This law could affect the data flow of American companies that deal in the European market, which has been the cause of conflict between the U.S. and EU.

Over the last few years, American private organizations such as TrustE and the Better Business Bureau started online privacy seal programs to promote appropriate use of personal data collected by websites (see article on online privacy seal programs on page ???).

Hong Kong's chief privacy watchdog, Stephen Lau Ka-men, severely criticizes the U.S. government's policy of self-regulation. He feels that digital privacy laws are neither expensive nor stifling for businesses to comply with and that voluntary, industry self-regulation is comparable to letting "Dracula look after the blood bank."

Many consider Lau's privacy policy paradoxical since China is not known for its sensitivity to human rights. A major problem Lau has with self-regulation in the industry is that there is no redress system. "Some of these seals, like TrustE or [Better Business Bureau] Online, they are boosting up redress mechanisms, but still the worst [punishment] is if a company can be kicked out of the program. It seems to me that these companies only act when they are embarrassed into doing something."

Lau implemented Hong Kong's Personal Data Privacy Ordinance, which is based on the Organization for Economic Cooperation and Development (OECD) guidelines passed almost 20 years ago that require individuals and public and private entities to disclose information collection practices. The policy states that consumers must not be forced into providing private data, and must have access to their records and be able to correct any errors. Companies additionally cannot collect data for one purpose then use it for another. When Lau's staff surveyed 531 Hong Kong-based websites (out of 7000 total), they found that only six percent were in compliance with the OECD guidelines.

Some American lawmakers in Congress have said they plan to push for legislation limiting the ability of all websites to collect personal data without notifying people how the information will be used and allowing people to prohibit the collection. During CFP 99, Rep. Edward Markey (D-Massachusetts) said that he would introduce legislation to give Web surfers broad rights to limit collection and use of their personal data over the Internet.

"Do not wait for a privacy meltdown of Chernobyl-like proportions before you endorse some governmental role," Markey said. Congress last year adopted legislation prohibiting commercial websites from collecting a variety of personal information from children age 12 and under without parental consent. An earlier Markey bill, which would have extended privacy protection to adults, did not pass.

Because lawmakers were divided over this bill, Markey is revising it now. The proposal will require websites to notify visitors what information is being collected and how the data will be used or sold. It also gives visitors the opportunity to prohibit the collection of their personal data. An additional provision, which would grant visitors the right to review and correct errors in data collected, is receiving opposition from some companies and congressional members.

But some lawmakers worry about what happens after the legislation process. "It will require more than legislation - it will require oversight," said Rep. Bob Barr (R-Georgia), who sits on the House Judiciary Committee, which has called for Net privacy hearings.

A classic case of privacy misuse occurred when Yahoo revealed customer addresses and order information of one of its e-commerce partners. Paul Graham, Yahoo Store producer, said the breach was due to a software bug (which has been fixed). Information was exposed on a demo site targeted at potential tenants of Yahoo Store. The site included customer information from Vitanet, a nutritional supplement vendor. The exposed data included partial credit card numbers, products ordered, amounts spent and a link to a map which gave customer street addresses and a map of their area.

"Information turned over for one use shouldn't be used for another purpose without consent. Nutritional information is getting darned close to medical information, and medical information is the hallmark of privacy," Sandy Davidson, communications law professor at the University of Missouri's journalism school, said.

Other individual privacy topics at CFP 99 addressed evidence about international governments building widespread surveillance systems for e-mail, phone and wireless communications. Many countries, including the United States, refuse to lift controls on encryption, which would allow more individual data security. Based on policies examined in the United Kingdom, France, Russia, Austria and EU countries, conference participants noted the trend toward unethical cooperation between national governments.

According to a January report delivered to the Scientific and Technical Options Assessment Panel of the European Parliament, the EU and FBI's "Enfopol network" could allegedly force telephone and Internet Service Providers to build tappable networks. The report also noted the significance of the "Echelon" network, created by the United States, United Kingdom, Australia and New Zealand, which relies on satellites to "intercept and record" information.

"If every cell phone call on the planet is being listened to, that is wrong," said Scott Charney, head of the Justice Department's Computer Crime Unit. "You have to establish the practices that govern the surveillance and have internal and external reviews." Charney felt that technology could be used to increase both surveillance and privacy.

Many liken governmental surveillance such as the Enfopol network and the Echelon network to the familiar 'Big Brother' concept in George Orwell's 1984. But the policy of privacy gets trickier when corporate interests are at stake. When asked about today's privacy issues in comparison to the Orwellian predictions, Lau said that while the technology can be used in a negative manner, "at the end of the day I believe in the human spirit. Justice always prevails. People speak out, and shout, and use their knowledge and will fight any repressive regime that doesn't recognize the rights of individuals."

For more information about the conference, visit their website at www.cfp.org.