Intellectual Property / Privacy
Week 6 - February 21, 23
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/

Class debate #3
Google should not be permitted to scan and index library books and make short snippets from them available without permission of each book's copyright holder.

“Willful Infringement”

Homework 3 discussion
http://cups.cs.cmu.edu/courses/compsoc-sp06/hw3.html

Administrivia
Reminder: paper topic and abstract due next Thursday
  • Please submit them via the homework email address

What does privacy mean to you?

What is privacy?
“Being alone.” - Shane (age 4)

Westin “Privacy and Freedom” 1967
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”
Privacy is not an absolute

Privacy as process
“Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….” - Alan Westin, 1967

Westin’s four states of privacy
Solitude
  • individual separated from the group and freed from the observation of other persons
Intimacy
  • individual is part of a small unit
Anonymity
  • individual in public but still seeks and finds freedom from identification and surveillance
Reserve
  • the creation of a psychological barrier against unwanted intrusion - holding back communication

Westin’s four functions of privacy
Personal autonomy
  • control when you go public about info
Emotional release
  • be yourself
  • permissible deviations to social or institutional norms
Self-evaluation
Limited and protected communication

Different views of privacy
Privacy as limited access to self
  • the extent to which we are known to others and the extent to which others have physical access to us
Privacy as control over information
  • not simply limiting
    what others know about you, but controlling it
  • this assumes individual autonomy, that you can control information in a meaningful way (not blind click through, for example)

Privacy as animal instinct
Is privacy necessary for species survival?
Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html

Multiple facets of privacy
How can posting personal information about myself on my web site result in a reduction of my privacy?
How can it result in an increase in my privacy?

Privacy surveys find concerns
Increasingly people say they are concerned about online privacy (80-90% of US Net users)
Improved privacy protection is factor most likely to persuade non-Net users to go online
27% of US Net users have abandoned online shopping carts due to privacy concerns
64% of US Net users decided not to use a web site or make an online purchase due to privacy concerns
34% of US Net users who do not buy online would buy online if they didn’t have privacy concerns

Beyond concern
April 1999 Study: Beyond Concern: Understanding Net Users' Attitudes About Online Privacy by Cranor, Ackerman and Reagle (US panel results reported) http://www.research.att.com/projects/privacystudy/
  • Internet users more likely to provide info when they are not identified
  • Some types of data more sensitive than others
  • Many factors important in decisions about information disclosure
  • Acceptance of persistent identifiers varies
    according to purpose
  • Internet users dislike automatic data transfer

Few read privacy policies
3% review online privacy policies carefully most of the time
  • Most likely to review policy before providing credit card info
  • Policies too time consuming to read and difficult to understand
70% would prefer standard privacy policy format
Most interested in knowing about data sharing and how to get off marketing lists
People are more comfortable at sites that have privacy policies, even if they don’t read them

Survey references
Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy (AT&T Labs, April 1999), http://www.research.att.com/projects/privacystudy/
Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online Privacy Notices: Summary of Responses (December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf
Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to Widespread Consumer Privacy Concerns (Cyber Dialogue, November 7, 2001), http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html
Forrester Research, Privacy Issues Inhibit Online Spending (Forrester, October 3, 2001).
Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy Online (Louis Harris & Associates, 1997), http://www.privacyexchange.org/iss/surveys/computersurvey97.html
Louis Harris & Associates and Alan F. Westin. E-Commerce and Privacy, What Net Users Want (Sponsored by Price Waterhouse and Privacy & American Business. P & AB, June 1998). http://www.privacyexchange.org/iss/surveys/ecommsum.html
Opinion Research Corporation and Alan F.
    Westin. “Freebies” and Privacy: What Net Users Think. Sponsored by Privacy & American Business. P & AB, July 1999. http://www.privacyexchange.org/iss/surveys/sr990714.html
Privacy Leadership Initiative, Privacy Notices Research Final Results (Conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf
An extensive list of privacy surveys from around the world is available from http://www.privacyexchange.org/iss/surveys/surveys.html.

Privacy laws and self-regulation

Terminology
Data subject
  • The person whose data is collected
Data controller
  • The entity responsible for collected data
Primary use of personal information (primary purpose)
  • Using information for the purposes intended by the data subjects when they provided the information
Secondary use of personal information (secondary purpose)
  • Using information for purposes that go beyond the primary purpose

OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability

US FTC simplified principles
Notice and disclosure
Choice and consent
Data security
Data quality and access
Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/

Laws and regulations
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections
  • Federal Trade Commission has jurisdiction over fraud and deceptive practices
  • Federal Communications Commission regulates telecommunications
European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
  • Privacy commissions in each country (some countries have national and state commissions)
  • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)
  • Safe Harbor allows US companies to self-certify compliance

US law basics
Constitutional law governs the rights of individuals with respect to the government
Tort law governs disputes between private individuals or other private entities

US Constitution
No explicit privacy right, but a zone of privacy recognized in its penumbras, including
  • 1st amendment (right of association)
  • 3rd amendment (prohibits quartering of soldiers in homes)
  • 4th amendment (prohibits unreasonable search and seizure)
  • 5th amendment (no self-incrimination)
  • 9th amendment (all other rights retained by the people)
Penumbra: “fringe at the edge of a deep shadow created by an object standing in the light” (Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v.
    Connecticut)

Federal statutes and state laws
Federal statutes
  • Tend to be narrowly focused
State law
  • State constitutions may recognize explicit right to privacy (Georgia, Hawaii)
  • State statutes and common (tort) law
  • Local laws and regulations (for example: ordinances on soliciting anonymously)

Four aspects of privacy tort
You can sue for damages for the following torts (Smith 2000, p. 232-233)
  • Disclosure of truly intimate facts
      May be truthful
      Disclosure must be widespread, and offensive or objectionable to a person of ordinary sensibilities
      Must not be newsworthy or legitimate public interest
  • False light
      Personal information or picture published out of context
  • Misappropriation (or right of publicity)
      Commercial use of name or face without permission
  • Intrusion into a person’s solitude

Some US privacy laws
Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1971
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996

US law – recent additions
HIPAA (Health Insurance Portability and Accountability Act, 1996)
  • When implemented, will protect medical records and other individually identifiable health information
COPPA (Children’s Online Privacy Protection Act, 1998)
  • Web sites that target children must obtain parental
    consent before collecting personal information from children under the age of 13
GLB (Gramm-Leach-Bliley Act, 1999)
  • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions

Safe harbor
Membership
  • US companies self-certify adherence to requirements
  • Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/
  • Signatories must provide
      notice of data collected, purposes, and recipients
      choice of opt-out of 3rd-party transfers, opt-in for sensitive data
      access rights to delete or edit inaccurate information
      security for storage of collected data
      enforcement mechanisms for individual complaints
Approved July 26, 2000 by EU
  • reserves right to renegotiate if remedies for EU citizens prove to be inadequate

Privacy self-regulation
Since 1995, the US FTC has pressured companies to “self regulate” in the privacy area
Self regulation may be completely voluntary or mandatory (or somewhere in between)
Self-regulatory programs and initiatives
  • Seals
  • CPOs
  • Privacy policies
  • Platform for Privacy Preferences (P3P) Project
  • Industry guidelines

Voluntary privacy guidelines
Online Privacy Alliance http://www.privacyalliance.org
Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml
Network Advertising Initiative Principles http://www.networkadvertising.org/
CTIA Location-based privacy guidelines http://www.wowcom.com/news/press/body.cfm?record_id=907

Chief privacy officers
Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
Role of CPO varies in each company
  • Draft privacy policy
  • Respond to customer concerns
  • Educate employees about company privacy policy
  • Review new products and services for compliance with privacy policy
  • Develop new initiatives to keep company out front on privacy issue
  • Monitor pending privacy legislation

Seal programs
TRUSTe – http://www.truste.org
BBBOnline – http://www.bbbonline.org
CPA WebTrust – http://www.cpawebtrust.org/
Japanese Privacy Mark – http://privacymark.org/

Seal program problems
Certify only compliance with stated policy
  • Limited ability to detect non-compliance
Minimal privacy requirements
Don’t address privacy issues that go beyond the web site
Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes