March 14, 2004
Privacy on Several Fronts

Yesterday, I attended the Stanford Law School Center for Internet and Society's "Securing Privacy in the Internet Age" Symposium. It's going on today but I'm not attending. Too many conferences, and I have a lot of work to do before tomorrow.

So it was a great day, interesting presentations on lots of privacy issues, including but not limited to leaky technologies like RFID, Sensor Networks (Pam Samuelson's new research area), as well as policies on metadata, as well as some assessments of the challenges Chief Privacy Officer's face.

Lots of interesting folks as well, from academia around the world, companies and law firms with practices in security and privacy, advocacy groups and government. The CA Office of Privacy Protection Chief was there, Joanne McNabb, who on a break talked about calling Citibank where she got a hold of the Privacy Officer, who promised to send her their policy for sharing information for review. Stay tuned on their website to see if Citibank follows though.

One of the best presentations was by Jonathan Weinberg on RFID and Privacy. Pam Samuelson's on Sensor Networks, though she is at the beginning of this work, was also fascinating. Maybe it's just because I'm very interested in this stuff, but I thought they were great. The leaky tech presentation on P2P had good info on the topic, and reviewed the privacy issues that would affect the EFF's new alternative compensation system if it were adopted, but really, it feels like the reality of people's behavior on the internet makes this proposal obsolete. Yes, tons of people use P2P, but as more move to private *real* friend sharing networks, and bitcatching evolves (which seems like an extremely efficient and interesting way for sharing large files for anything including media across the internet and across many users), there may be no need.

Also, another amazing story as told by Alex Fowler of PriceWaterhouseCoopers was about how 3 years ago a statement was made at Davos by the CEO of Monsanto: they figure there are $50 mil lost sales if you ignore privacy fundamentalists. That's a high price for ignoring your customers when it comes to privacy. Fowler recommends that privacy that is good for users is good business. This is something I've believed for a long time, and I'm trying to implement this view into the design of my current project, where user's own their data, and we own the aggregate, and will not share any personal data of users under any circumstances (except a court order or subpoena, and certainly not to sell...). I've never heard anyone at a company advocate for this, and so it was really an amazing presentation.

Other postings with notes here, here, here and here. Michael Froomkin (a presenter) here. Some of my notes are under more. I have a few more notes and will post them in a bit.

Leaky Tech Privacy:

Daniel Gervais, The Price of Social Norms - P2P

Just returned from Europe with a copy of new legislation -- EU directive, that allows for the seizure of bank accounts and equipment.
Also right's holders can secure information about any infringer.

Sounds like it would be about terrorism but it's about copyright.

In Europe, your digital rights mean that your home will not be your castle any more, you will have to defend it strongly...

Triangle of technology, markets and regulation, where when one changes the others react or are dependent.

When a Social norm is empowered by tech, and regulation is used to stop the behavior encouraged by the social norm, tech will react by allowing circumvention of the legal norm, or make it's enforcement practically impossible.

So if this happens, P2P will be dead because it can't live if everyone goes to P2P proxy or private networks.

140 million downloads of P2P clients.

60% of active file-sharers (25 and under) think there's nothing wrong with file-sharing. Another 25% think it's wrong, but no enough to stop doing it.

Has made the assumption that people would be willing to pay $5 a month in western countries, less in other places, for $12.5 billion dollars, if 2/3 of the file sharers opted in. Which is the same as the current music biz world wide.
Same number as CD's though CD's come a high price (manufacturing and distribution).

Why isn't industry not doing this? Question should be, isn't their biz to maximize authorized sales? If yes, then,

Who would do the work?

Centralization of content licensing brings privacy issues.

Priority there is to decouple sharers identities from the transfer.

These are the policies he would adopt
-DRM systems should not block what is licensed
-analysis limited to music (for now)
-System should use opt out model
---compulsory system illegal under TRIPS

Christopher Wolf, Air passenger privacy issues:

Once the airplane takes off, the search data and your travel info is available from teh airlines to the govt immediately after the airlines takes off.
Sent to Axiom which is a data mining company, incl name, bag and purchasing info, etc.

"passenger name record" is the data that is created when you buy a ticket and fly.

What legal protections exist for this record? not clear, at all

if you purchase air travel through a website, and jet blue does 80%, though United and AA don't have nearly that, but if you buy online, there is a privacy policy (in CA there will be a requirement in July for one) orbitz and expedia don't have privacy policies on this. The travel agent has no privacy, and buying at the counter has no policy. No expectation of privacy on PNR.

Govt is testing collections of PNRs with security programs, they have no requirements, and when Jet Blue and Northwest gave past PNRs to govt, who gave them to private contractors. 16 lawsuits by jet blue travelers, across country. EPIc filed a demand on this. Also, other privacy advocates demanded state attorney general's offices get involved.

By the time the Northwest case came along, the Jet Blue cases had been subject to demands to throw out cases, so lawyers are waiting on filing against Northwest until jetblue is figured out. Pending now.

Disclosure: he represents Jet Blue and Northwest on privacy policies but not on litigation.

Epic filed with FTC in jetblue case, DOT with Northwest.

ECPA claim, state claims.

What expectation of claims can passengers have in post 9/11? What social expectation do people have? TSA report encouraged protections for people, even though the govt claimed they never actually touched the data because they just passed it along.

Challenges for the Chief Privacy Officer:

Thomas Smedinghoff, Baker & McKenzie
Privacy policies:

-legal obligation to provide security
-obligation extends to third parties
-responsibility extends to upper management
-no fixed rule on what to do
---requires a process
---requires a fact-specific risk analysis
---requires ongoing review and monitoring

objectives to be achieved:
-ensuring availability of systems
restricting access to systems
ensuring authenticity

FTC - primary enforcement
they think process-oriented process is best, and so best practices
-conduct asset assessment
-- protected?
-- what?
-- computers, systems, networks, personally identifiable info: customers, employees
--financial, IRS tax info, trade secrets and other confidential info
-risk assessment
-- appropriate threats and vulnerability
--foreseeable threats
--likelihood that threats will materialize
--what is potential damage

-measure in place: developing a security program
-tort theory of potential liability
-what are threats
-nature of risk
-what can we do
-how far do we need to go

Assessing the burden, specific factors recognized by laws
-- company’s size, complexity, capabilities
-- nature and scope of company's activities
-- sensitivity of info to be protected
-- company's technical infrastructure, hardware, and software security capabilities
-- state of the art re security measures
-- cost of the security measures


Maybe be minimum standards:
must implement min

"best practices may not be sufficient -- TJ Hooper case 60 G 2d 737 (2d Cir 1932)

Security measures often required

never done, must constantly reassess

look here:

Andrew Charlesworth, Centre for IT and Law, University of Bristol:

argument that "command and control" style info privacy reg. will become ineffective in key economic areas as ICT's develop
some form of decentered regulatory solutions are needed
must have more clear idea over what we are trying to protect

public perceptions of what privacy is changes quickly, old stuff dated...

me: what does privacy look like when there are interoperable, decentralized architecture across many systems
Federated Identity Management:
if command and control doesn't work, then "govt at a distance"
--companies interest in building trust with public, and interoperable trust in systems

Alex Fowler,
network solutions: study that 70% of us lie when asked for personal information in forms

new school privacy:
stakeholder perspective
industry standards
regulatory requirements

-focus groups
-Quantative survey
-customer touchpoint review
-privacy notice linkage
-conducted annually

Rapid response program:

-privacy fundamentalists -- growing group
-the unconcerned -- growing smaller

so need to look at high risk stakeholder outreach, key:
-customer complaint resolution
-incident response tracking
-privacy notice linkage

3 years ago a stmt was made at Davos by CEO of Monsanto: they figure there are $50 mil lost sales if you ignore privacy fundamentalists

Jon Sobel
Market failure with privacy
What do people care about

Posted by Mary Hodder at March 14, 2004 03:49 PM
Post a comment

Email Address:



Remember info?