Do-Not-Track Online Act of 2011 – possible amendment to Kerry act belowPros:provisions would apply to mobile phone network operators as well as Websites and online advertising networksSupported by Consumers Union, the Electronic Frontier Foundation, Consumer Action, the Center for Digital Democracy and the American Civil Liberties Unionwould force companies to respect a consumer’s decision to opt out of data collectionsupports a mandatory browser-based “Do Not Track” mechanism would allow the Federal Trade Commission to define the rules within a year of the bill being signed into law.Cons:Blanket opt-out is not ideal for advertising companies, who would prefer selective opt outProhibits gathering info from minors, but how is this to be accomplished?Commercial Privacy Bill of Rights Act of 2011Pros:would require companies to informusers up-front what data was being collected and to provide a clear way to opt out of the collection. Cons:does not explicitly address “do not track”
1. Privacy Law and PolicyBryce Newell, J.D.Ph.D. student, UW iSchoolJan. 13, 2012
2. eReader Privacy• Librarians Weigh Kindle Ebook Lending against Reader Privacy• EFFs take on CAs newly enacted E-Reader Privacy Law• Privacy Rights Re-―Kindled‖: eBook Reader Privacy
3. What is privacy?
4. Privacy: a Fundamental Right, or not?• Fundamental Right ▫ Europe ▫ Canada ▫ Australia ▫ New Zealand• Sectored Protection ▫ United States (except in some narrow constitutional areas)
5. Types of Privacy Protections• Tort Privacy (common law / state law)• Informational Privacy (largely guided by statutory law – i.e. federal legislation)• Freedom from unreasonable search and seizure (4th Am.)• Free speech (1st Am.)• Fundamental decision (14th Am.)
6. US Privacy Milestones• 1890 – right to privacy ▫ promoted in article by Warren and Brandeis (tort-based privacy)• 1928 -- ―the right to be let alone‖ ▫ (Brandeis dissent in Olmstead -- search and seizure)• 1958 – nexus of anonymity and speech ▫ (NAACP v. Alabama) (disclosure of member list)• 1960 – Prosser’s Torts ▫ based on Warren and Brandeis’s ideas• 1967 – ―reasonable expectation‖ ▫ (Katz v. US -- search and seizure)• 1977 – no ―zone of privacy‖ where data is protected and used within broad police powers of state ▫ (Whalen v. Roe -- disclosure of prescription data)
7. Warren & Brandeis (1890)• ―…now that modern devices afford abundant opportunities for the perpetration of such wrongs without any participation by the injured party, the protection granted by the law must be placed upon a broader foundation."
8. Warren & Brandeis• The ―right to be let alone‖• Elements of privacy from: ▫ defamation law ▫ IP law ▫ Contract law ▫ Property ▫ Olmstead v. US (1928)
9. Warren & Brandeis to Prosser• Dean Prosser’s four torts (1960): ▫ appropriating the plaintiffs identity for the defendants benefit ▫ placing the plaintiff in a false light in the public eye ▫ publicly disclosing private facts about the plaintiff ▫ unreasonably intruding upon the seclusion or solitude of the plaintiff
10. International Privacy Conventions• Article 8 of the European Convention on Human Rights ▫ ―Everyone has the right to respect for his private and family life, his home and his correspondence.‖• Article 17 of the International Covenant on Civil and Political Rights (UN)
11. Nissenbaum (2004): Cases• Public Records Online ▫ Concerns? The info is already public…• Consumer Profiling and Data Mining ▫ One view: targeted advertising is the most consumer friendly form of advertising ▫ Is the data really sensitive?• RFID Tags and Surveillance
12. Surveillance• US v. Jones (US v. Maynard)• Toll roads, video cameras in public spaces, facial recognition (e.g. Google and PittPatt), GPS tracking….• DC Police• PATRIOT Act ▫ Lessens requirements for obtaining Wiretap warrants ▫ Sneak and Peak Warrants
13. Nissenbaum (2004): PrinciplesThree principles that dominate public deliberation• 1) Protecting Privacy of Individuals Against Intrusive Government Agents• 2) Restricting Access to Intimate, Sensitive, or Confidential Information• 3) Curtailing Intrusions into Spaces or Spheres Deemed Private or Personal
14. Nissenbaum: Contextual Integrity• Presiding norms of ▫ Appropriateness ▫ Distribution / Norms of information flow• Considers the context, nature of information in relation to context, the roles of those receiving the info, their relationships to info subjects, terms of sharing, and terms of further dissemination.• Is this practical?• Is it a better way to visualize/protect privacy?
15. Nehf (2005)• FTC history – law/industry self-regulation• Market driven solutions led to widespread adoption of privacy policies• But policies don’t protect information, only disclose how it is being sold, used, etc• ―encouraging posting of privacy policies without regulating their content‖ = less info privacy for consumers ―than an efficient market would produce‖
16. Nehf (2005)• ―Until privacy becomes a salient attribute influencing consumer choice, Web site operators will continue to take and share more personal information than consumers would choose to provide in a more transparent exchange.‖
18. Facebook (2)• ―Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to peoples names and, in some cases, their friends names—to dozens of advertising and Internet tracking companies…• ―The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebooks strictest privacy settings. The practice breaks Facebooks rules, and renews questions about its ability to keep identifiable information about its users activities secure.‖ - Wall Street Journal, Oct 18, 2010
19. Facebook (3)• Who can see what? ▫ Public ▫ Friends ▫ Apps• Facebook settles with the FTC: http://www.nytimes.com/2011/11/30/tech nology/facebook-agrees-to-ftc-settlement-on- privacy.html
20. Online Behavioral Advertising• ABC News Story [link]• For discussion of someof the recently proposed "Do Not Track" legislation in Congress look here, here, and here.
21. Problems• ―…there is no single definition of what it means to be tracked, so expressing a preference does not guarantee users that they will be able to block all web sites and content that they may view as being associated with tracking behavior.‖ - From Microsoft.com• Industry self-regulation does not provide for any enforcement mechanism beyond current FTC powers (e.g. to prosecute for engaging in deceptive practices)
22. What Do “They” Know?• The Open Data Partnership allows a glimpse into what information is being collected and by whom. ▫ http://www.evidon.com/partners/open_data_par tnership - contains list of 1021 companies that engage in online behavioral advertising, many of which also have multiple advertising products.
23. Who Knows? * Ghostery results from NAI’s Opt-Out page.
24. FTC Report• FTC report calls for ―browser based do-not-track mechanism‖ in December 2010• Industry self-regulation ▫ Browsers build in do not track options ▫ Industry groups set up opt-out mechanisms (DAA, NAI) ▫ BUT self-regulation has no teeth (enforcement mechanism) and may only mean you don’t see targeted ads, not that you won’t be tracked.• FTC sues Chitika, reaches settlement
25. AdChoices Evolution
26. Recent Legislation• Europe ▫ 2009 amendments to the EU ePrivacy Directive require member states to implement by May 25, 2011• United States ▫ S. 913: Do-Not-Track Online Act of 2011 ▫ S. 799: Commercial Privacy Bill of Rights Act of 2011 ▫ H.R. 1528: Consumer Privacy Protection Act of 2011 ▫ H.R. 654: Do Not Track Me Online Act ▫ H.R. 1895: Do Not Track Kids Act of 2011 ▫ California: S.B. 761