Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

http://www.truste.org/docs/TRUSTe_Amicus_Brief_in_Klimas_v_Comcast.doc

advertisement 
United States Court of Appeals
for the
Sixth Circuit
Case No. 03-2012
JEFFREY KLIMAS
Individually and as a Class Representative
Plaintiff-Appellant,
-v-
COMCAST CORPORATION
Defendant,
COMCAST CABLE COMMUNICATIONS, INC.,
Defendant-Appellee.
APPEAL FROM THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF MICHIGAN AT DETROIT
BRIEF OF AMICUS CURIAE TRUSTe
UNITED STATES COURT OF APPEALS
FOR THE SIXTH CIRCUIT
JEFFREY KLIMAS, individually and as )
a class representative,
)
)
Plaintiff - Appellant,
)
)
v.
)
)
)
COMCAST CABLE
)
COMMUNICATIONS, INC.,
)
)
Defendant - Appellee.
)
_________________________________)
DISCLOSURE OF CORPORATE AFFILIATIONS
AND FINANCIAL INTERESTS
Pursuant to 6th Cir. R. 26.1, Amicus TRUSTe Trusted Universal Standards
In Electronic Transactions (“TRUSTe”), a not-for-profit corporation organized
under the laws of California and classified as a Section 501(c)(6) entity under the
Internal Revenue Code, hereby provides its nongovernmental corporate party
disclosure as follows:
1.
TRUSTe is not a publicly held corporation or other publicly held
entity.
2.
TRUSTe has no parent corporation.
3.
No publicly held corporation or other publicly held entity owns 10
percent or more of TRUSTe.
_____________________________
June 9, 2004
TABLE OF CONTENTS
Page
TABLE OF AUTHORITIES ............................................................................................... 3
STATEMENT OF AMICUS CURIAE ............................................................................. 1
INTRODUCTION ................................................................................................................... 3
ARGUMENT ............................................................................................................................. 5
I.
Dynamic IP Addresses Are Not Personally Identifiable
Information Because They Are Anonymous, Temporary, And Only
Identify Internet Devices ............................................................................................... 5
II. Holding That IP Addresses Are Personally Identifiable Information
Potentially Could Have Wide-Ranging Consequences ....................................... 7
CONCLUSION.........................................................................................................9
2
--
TABLE OF AUTHORITIES
FEDERAL CASES
Reno v. ACLU, 521 U.S. 844 (1997)....................................................................................5
FEDERAL STATUTES
47 U.S.C. §230(f)(1) ........................................................................................ 5
47 U.S.C. § 551(b) ........................................................................................... 6
Fed. R. App. P. 32(a)(7) ................................................................................ 10
3
--
STATEMENT OF AMICUS CURIAE
TRUSTe respectfully submits this amicus brief solely to address one issue:
whether an Internet Protocol (“IP”) address that is not linked to personal
information constitutes “personally identifiable information” (hereinafter “PII”).
On this issue, TRUSTe supports affirmance of the decision of the District Court.
TRUSTe is an independent, nonprofit organization dedicated to enabling
individuals and organizations to establish trusting relationships based on respect
for personal identity and information in the evolving networked world. Founded in
1997, TRUSTe runs an award-winning global privacy certification and seal
program. Its seal programs are considered Safe Harbors for the Children's Online
Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§ 6501-6506, and the
European Union Safe Harbor Framework under the auspices of the Department of
Commerce. Today, TRUSTe maintains the largest privacy seal program with more
than 1,300 Web sites certified throughout the world including AOL, Microsoft,
IBM, Nationwide and The New York Times. For more information on TRUSTe
please visit www.truste.org.
TRUSTe establishes and enforces appropriate privacy standards that
recognize the best practices of the industries and the requirements of various
existing laws and regulations. Companies seeking to participate in the TRUSTe
program must subject themselves to certification by TRUSTe and adhere to
recognized standards of acceptable practices.
The core of TRUSTe’s privacy certification program is the TRUSTe Privacy
Seal. Displaying the TRUSTe Privacy Seal signals to customers that the company
meets TRUSTe’s standards for data gathering and dissemination practices. By
displaying the TRUSTe Privacy Seal, Web sites agree to abide by the program’s
core tenets, which are based on long-standing principles of fair information
practices as interpreted by the United States Federal Trade Commission and
Department of Commerce.1 These core tenets are: notice; choice; access; security,
and redress.
As part of its program, TRUSTe provides users with an alternate dispute
resolution mechanism designed to allow customers to bring their complaints to
TRUSTe if they believe a TRUSTe-licensed Web site has misused their data.
The TRUSTe Privacy Seal program has now become the most widely used
privacy certification program and is used by all of the Internet portal sites (i.e.,
Yahoo!, Google) and fifteen (15) of the top twenty (20) most visited websites.
See Department of Commerce staff discussion paper, “Elements of Effective
Self Regulation for the Protection of Privacy,” enumerating principles of fair
information practices that are essential for a strong self-regulatory approach to
addressing privacy available at <<www.ecommerce.gov>>.
1
2
--
Comcast Cable Communications, Inc.’s (“Comcast”) Web site is part of the
TRUSTe Privacy Seal program.
INTRODUCTION
The TRUSTe online Privacy Seal program defines “personally identifiable
information” as follows:
Personally Identifiable Information” means any information collected
through the Site (i) that identifies or can be used to identify, contact,
or locate the person to whom such information pertains, or (ii) from
which identification or contact information of an individual person
can be derived. Personally Identifiable Information includes, but is
not limited to: name, address, phone number, fax number, email
address, financial profiles, medical profile, social security number,
and credit card information. Additionally, to the extent unique
information (which by itself is not Personally Identifiable
Information) such as, but not necessarily limited to, a personal profile,
unique identifier, biometric information, and/or IP address is
associated with Personally Identifiable Information, then such unique
information also will be considered Personally Identifiable
Information. Personally Identifiable Information does not include
information that is collected anonymously (i.e., without identification
of the individual user) or demographic information not connected to
an identified individual.
Thus, the TRUSTe program does not consider an IP address or other unique
information that is not associated with PII itself to be PII. The IP address or other
unique identifier becomes PII only if it becomes “associated with” personally
identifiable information.
Because the definition of personally identifiable information is at the heart
of the TRUSTe Privacy Seal program, the classification of anonymous, impersonal
3
--
IP addresses that are used to track Web traffic, but are not associated with
personally identifiable information, is of direct concern to TRUSTe. Although this
case concerns the definition of PII under the Cable Act, the decision of the District
Court regarding the classification of dynamic IP addresses is fully consistent with
the definition of personally identifiable information used by TRUSTe in its online
Privacy Seal program.
In contrast, the Appellant and its amicus Electronic Frontier Foundation
argue that IP addresses should be considered PII because an ISP has the ability to
correlate the IP address with a subscriber’s identity even if the ISP does not, in
fact, do so. TRUSTe respectfully submits that Appellant’s position is inconsistent
with a proper understanding of PII. This Court should uphold the District Court’s
decision.
4
--
ARGUMENT
I.
Dynamic IP Addresses Are Not Personally Identifiable Information
Because They Are Anonymous, Temporary, And Only Identify Internet
Devices
IP addresses are the way the Internet2 identifies each unique device
connected to the Internet. Every single computer, server, or other Internet-enabled
device is assigned a unique IP address that consists of four numbers – each less
than 256 – separated by a period (i.e., 101.201.102.11). Dynamic IP addresses are
IP addresses that change over time.
ISPs, like Comcast, deliver Internet service by assigning an IP address to a
subscriber’s computer. When a subscriber requests a document from the Web, the
ISP’s routers record the IP address of the computer requesting the information,
direct the inquiry to servers where the requested documents are stored, and then
transmit the information back to the subscribers’ computer assigned to the
requesting IP address.
TRUSTe considers IP addresses to be anonymous identifiers because they
are not used as personal identifiers. IP addresses, standing alone, are anonymous
2
The federal Communications Act defines the Internet as “the international
computer network of both Federal and non-Federal interoperable packet
switched data networks.” 47 U.S.C. §230(f)(1). The Supreme Court has
stated that the Internet is simply “an international network of interconnected
computers” that exchanges information across the world. Reno v. ACLU,
521 U.S. 844, 849 (1997).
5
--
and only identify a device on the Internet, not the ultimate person using that
device. While an IP address is a computer’s public face on the Internet, the
identity of an individual whose computer has been assigned an IP address by an
ISP is, absent a publication of the information, known only by the ISP and the
subscriber. Only the most technically adept Internet users even know their own IP
addresses.
Accordingly, under the TRUSTe program IP addresses, standing alone, are
not considered “personally identifiable information” unless associated with other
information that is traditionally considered PII – such as a name, address or
telephone number. The common practice of using IP addresses to track Web
surfing activities should not be considered a collection of PII as a general
proposition. TRUSTe is unaware of any rationale for concluding otherwise under
the Cable Communications Policy Act of 1984 (“Cable Act”). See 47 U.S.C. §
551(b).
In contrast, PII consists of commonly used unique personal identifiers
available to the general public and traceable back to the person that it identifies (as
well as certain especially sensitive information such as a person’s financial or
medical data). In other words, PII is information that might, for example, enable
someone to develop a profile of an individual for marketing purposes; and, in order
to have practical usefulness, that profile must include a name and/or some form of
6
--
contact information. Anonymous Web tracking, in and of itself, has little or no
value for such purposes.
For these reasons, the District Court was correct when it found that a
“dynamic IP address, by itself, does not constitute PII.” Opinion of 7/1/03 (R. 32).
An additional step must occur before an IP address assigned to a subscriber’s
Internet connected device can become PII – namely an association between the IP
address with identifying personal subscriber information.
II.
Holding That IP Addresses Are Personally Identifiable Information
Potentially Could Have Wide-Ranging Consequences
Although TRUSTe does not track the number of its licensees that routinely
collect IP addresses without associating them with personally identifiable
information, the collection of a Website visitor’s IP address is a common practice
on the Internet. Websites typically collect IP addresses in order to monitor usage
patterns, collect statistical information, and to aid in updating the Web site as
necessary. These practices are common and, unless the IP addresses are linked to
PII, in TRUSTe’s view raise no legitimate privacy issue.
A decision by this Court that IP addresses are, by themselves, PII could
therefore have significant consequences. First, it could affect the common
technical operations of a large number of Internet Websites. Any website that is
potentially subject to any of the various state or federal privacy laws could be
7
--
forced to obtain a blanket consent from its visitors before using their IP addresses
to monitor Web usage on its site, or cease any use of IP addresses in the first place.
Moreover, the web site could be forced to seek this consent each time the visitor’s
ISP changed the IP address assigned to the visitor’s Internet device. As most
Internet users do not even know what their IP address is, this process could be
confusing and cumbersome.
Second, although the TRUSTe program per se is not subject to the Cable
Act (although cable company participants in the Privacy Seal program themselves
may be), such a ruling could potentially affect the TRUSTe program, which as
noted above does not classify IP addresses as PII unless associated with PII. As a
result, TRUSTe licensees could be forced to rethink their privacy policies and
potentially be forced to implement onerous practices to perform routine functions.
Web sites could also be forced to change their privacy policies should this
Court hold that IP addresses are PII. This change would not be limited to IP
addresses but would also include any other anonymous identifiers that were
“capable” of being traced back to the user no matter how accurate or difficult that
process may be.
Instead, the proper result is for this Court to hold that IP addresses are not,
by themselves, PII.
Only when IP addresses are actually correlated with the
personal information of the user of the device assigned the IP address should an IP
8
--
address be considered PII. To hold any other way would run counter to the privacy
expectations and practices of the vast majority of Web sites and Internet users.
Conclusion
Accordingly, the decision of the District Court should be upheld.
_______________________
John C. Yang
William B. Baker
Wiley Rein & Fielding LLP
1776 K Street, N.W.
Washington, D.C. 20006
202.719.4483
9
--
CERTIFICATE OF COMPLIANCE WITH FRAP 32(a)(7)
I hereby certify that this brief complies with the type-volume limitation of
Fed. R. App. P. 32(a)(7)(B) because it contains, according to the Microsoft Word
software in which it was composed and excluding the parts of the brief exempted
by Fed. R. App. P. 23(a)(7)(iii), 1728 words.
________________________
John C. Yang
10
--
CERTIFICATE OF SERVICE
I hereby certify that, on this 9th day of June, 2004, two (2) true and correct
copies of this Brief of Amicus Curiae TRUSTe were served via UPS, Overnight
Delivery, upon the following:
Seth Lesser
Locks Law Firm, PLLC
110 East 55th Street
New York, NY 10022
Thomas J. Tallerico
Bodman, Longley
201 W. Big Beaver Road, Suite 500
Troy, MI 48084
Steven E. Goren
Goren, Goren & Harris, P.C.
30400 Telegraph Road, Suite 470
Bingham Farms, MI 48025
Jaime Bianchi
White & Case
200 S. Biscayne Boulevard
Suite 4900
Miami, FL 33131-2352
Kevin Bankston
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
__________________________
John C. Yang
11
--
Related documents
Data Management Group Policy Employees Working with Data
Data Management Group Policy Employees Working with Data
Data Management Group Policy Requests for Personally Identifiable Information by External
Data Management Group Policy Requests for Personally Identifiable Information by External
Understanding - SOURCE Conference
Understanding - SOURCE Conference
File - Camp Wakonda
File - Camp Wakonda
Instructions for Use - Delete before Printing
Instructions for Use - Delete before Printing
TRUSTe Guidelines on Personally Identifiable Information Uses in Mergers,
TRUSTe Guidelines on Personally Identifiable Information Uses in Mergers,
Download
advertisement