Privacy - MIT - MIT Computer Science and Artificial Intelligence
advertisement
A FRAMEWORK FOR PRIVACY PROTECTION
Christian Baekkelund
David Kelman
Ann Lipton
Alexander Macgillivray
Piotr Mitros
Teresa Ou
December 10, 1998
TABLE OF CONTENTS
EXECUTIVE SUMMARY ........................................................................................................ i
DANGER ........................................................................................................................... i
GOALS ............................................................................................................................. ii
PROPOSAL ...................................................................................................................... iii
INTRODUCTION ....................................................................................................................1
SCOPE ..............................................................................................................................3
GOALS ..............................................................................................................................4
CURRENT AND PROPOSED REGULATORY FRAMEWORKS ..................................................6
TECHNOLOGY ..................................................................................................................7
Internet Protocol (IP) ................................................................................................7
IP Logging ...............................................................................................................9
The Future of IP Logging ..................................................................................10
IP Version 6 ...................................................................................................10
Anonymizing Routers ....................................................................................11
Anonymizing Proxies.....................................................................................12
Hypertext Transfer Protocol (HTTP) ....................................................................13
Cookies...................................................................................................................14
An Alternative to Cookies: Client-Side Targeting ............................................16
Other Web Technologies .........................................................................................17
Lightweight Directory Access Protocol (LDAP) Databases .................................17
JavaScript and VBScript ........................................................................................18
Java and ActiveX....................................................................................................19
E-Commerce .............................................................................................................20
Payment..................................................................................................................20
Digital Cash Protocol Type 1.............................................................................21
Digital Cash Protocol Type 2.............................................................................21
Delivery ..................................................................................................................23
P.O. Boxes .........................................................................................................24
Cryptographic Delivery .....................................................................................24
Trusted Third Party ............................................................................................24
Case Study: A Technological Solution ...................................................................25
Platform for Privacy Preferences (P3P)................................................................26
P3P Strengths .....................................................................................................28
P3P Problems .....................................................................................................31
LAW ...............................................................................................................................34
Constitutional Law and Common Law ..................................................................35
Common Law ...........................................................................................................37
Tort Law .................................................................................................................38
Contract Law .........................................................................................................39
Federal Statutes and Common Law .......................................................................41
Privacy Act of 1974 ................................................................................................43
Privacy Protection Act (PPA) of 1980 ...................................................................43
Electronic Communications Privacy Act (ECPA) of 1986 ....................................44
Legislative Outlook ................................................................................................47
The European Data Directive .................................................................................48
MARKETS AND SOCIAL NORMS ....................................................................................51
Case Study: A Norms Solution ...............................................................................56
TRUSTe Strengths ..................................................................................................59
Problems ................................................................................................................60
PROPOSAL ..........................................................................................................................64
ENTITLEMENT TO INDIVIDUALS....................................................................................64
THREE EXCEPTIONS:.....................................................................................................66
Operational and Aggregated Data .........................................................................66
Opt-In by Contract ..................................................................................................66
AUTONOMOUS COMPUTER CONTRACTING PRIVACY TECHNOLOGY (ACCPT).........67
CRITIQUE ...........................................................................................................................73
TECHNICAL AND LEGAL COMPLEXITY ADDED BY ACCPT ........................................73
Technical Complexity for the Programmer...........................................................73
Technical Complexity for End-Users .....................................................................74
Legal Complexity for Programmers ......................................................................75
Legal Complexity for End-Users ............................................................................76
Public Access ............................................................................................................77
A Slower Internet .....................................................................................................77
LIMITATIONS OF ACCPT .............................................................................................78
International Conflict of Laws ................................................................................78
Profiling ....................................................................................................................80
Operational Data ......................................................................................................81
"Race to the Bottom" ..............................................................................................82
PHILOSOPHICAL CRITICISMS OF ACCPT ....................................................................82
No Data Collection ...................................................................................................82
Less Regulation ........................................................................................................84
CONCLUSION .....................................................................................................................87
APPENDIX A: TABLE OF PROPOSED LEGISLATION
APPENDIX B: EXAMPLE P3P PROTOCOL
A Framework for Privacy Protection
Executive Summary: Page i
EXECUTIVE SUMMARY
DANGER
The current direction of the information revolution threatens personal privacy.
According to the Federal Trade Commission, 92% of websites collect personal
information from their users. Add Internet Protocol (IP) address logging and that number
nears 100%. However, industry self-regulation has been an unqualified disaster with
very few sites providing notice of their data practices and default settings on devices
which implicate personal privacy set at their most lenient. Users do not own their
personal information and current informational practices point towards more abuse of
personal information rather than less.
Most large websites handle advertising through one of several large brokers. To
better target advertising, those brokers commonly track what websites a person visits, and
what that person does on each site. For instance, the first time a user downloads an ad
from DoubleClick (which handles ads for Altavista, Dilbert and many of other popular
websites), DoubleClick sets a cookie on the user’s hard drive. This cookie is used to
track the sites a user visits, keywords from Altavista searches and other information. If a
user makes a purchase on a site subscribing to DoubleClick, DoubleClick can potentially
match the user’s name to the cookie, and sell that profile to direct marketers. All of this
typically happens without the user’s consent or even knowledge.
Advertising and information brokers are not the only abusers. Individual
A Framework for Privacy Protection
Executive Summary: Page ii
companies store data on their customers and are free to use that data how they see fit.
Amazon.com, for example, keeps a record of all books individuals purchase. With
modern data mining techniques, Amazon.com could collaborate with other companies to
form a detailed profile of a person. As electronic commerce spreads, the amount of
information in these profiles will become increasingly complete, and the business of
buying and selling this information will become increasingly profitable. The more
comprehensive these profiles become, the greater the potential for misuse of the
information they contain.
GOALS
In the face of these threats to privacy, the current legal framework offers
insufficient protections to personal privacy, particularly against private entities. Our
proposal attempts to create a legal and technological architecture that addresses this
problem while satisfying the following goals:
1. Protect Individual Privacy: In the straightforward words of Al Gore, "You
should have the right to choose whether your personal information is
disclosed."
2. Enable Electronic Commerce: Electronic commerce is becoming a significant
part of the U.S. economy with sales expected to reach close to five billion
dollars this year and as much as one and a half trillion dollars by the year
2002.
3. Enfranchise Everyone: Too often privacy is only for the elite. Web privacy
A Framework for Privacy Protection
Executive Summary: Page iii
should be available regardless of wealth, technological, or legal savvy.
4. Encourage Diversity: We recognize that diversity and competition are the
lifeblood of the growth of the Internet and the World Wide Web. Any privacy
protection framework should encourage a diversity of technological solutions.
Similarly, a good privacy protection framework should not dictate the level of
privacy afforded each person. Since people have different privacy preferences,
any proposed framework should allow for a wide range of competing privacy
policies.
5. Enable Collective Privacy Choices: Communities have an interest in
protecting the privacy of their members and so should be able to make and
administer collective privacy choices.
Our proposal is limited in scope based on several assumptions. We do not
consider governmental privacy violations; issues relating to children’s privacy; sniffing,
snooping and other transmittal privacy violations. We do not expect to solve related
problems dealt with by other subject matter white papers, such as international
sovereignty issues, but do hope to identify how those problems affect our proposal.
Furthermore, our proposal relies on a number of technological and legal structures. For
example, we assume that certification and encryption can make users identifiable and
contracts verifiable. These are further detailed in the text of our proposal.
PROPOSAL
Our proposal entitles individuals to ownership of personal information. We
A Framework for Privacy Protection
Executive Summary: Page iv
provide a legal and technological framework such that personal information cannot be
used by any other entity without permission from the individual. We further propose that
"default" settings on computer programs should not reveal personal information and that,
for a user to enter into a contract where the user’s information is given to an entity, the
user must be aware (either explicitly or through a transparent agent) of the terms of that
contract and be able to enforce those terms.
We begin by envisioning a legal framework whereby the use of information,
without permission, carries a statutorily determined minimum penalty. A user who feels
his or her rights have been violated may sue the offending company. This might be
administered through a government agency responsible for investigating the source of the
privacy violation -- an individual, for example, might only know that he or she had
received a solicitation without knowing which of the several companies with which he or
she had interacted had released information. Alternatively, the user could initiate her own
suit through a private right of action.
If a company wishes to use personal information about an individual, it is the
company’s responsibility to enter into a contract with that individual by asking for
permission to use the information and disclosing the intended purposes of the data
collection. This can be done either by personal, "manual" interaction, or through the use
of a computerized agent. In order for the contract formed by the computerized agent to be
legally binding, there must be some evidence that the client was aware of, and authorized,
choices made by its agent. If no such evidence exists, then the contract, or certain
provisions therein, would not be enforceable and the company would be potentially liable
A Framework for Privacy Protection
Executive Summary: Page v
for use of the personal information.
In order to remove some confusion about which autonomous agent contracts will
be enforced, we propose the Autonomous Computer Contracting Privacy Technology
(ACCPT) guidelines as a framework for enabling users to negotiate privacy preferences
with websites. In a basic ACCPT transaction, the client and server negotiate to reach a
mutually acceptable set of privacy practices. If no agreement is reached in an ACCPT
transaction, the server can log a failed attempt and sample proposals, but no additional
information about the transaction (the user’s IP address, etc.).
ACCPT incorporates the elements necessary to ensure that users are aware of the
activity of the computerized agents. To the extent that negotiation is governed by a set of
preferences entered by the user when the technology is first installed, the ACCPT
guidelines require that the agent informs users who choose the default settings of the
ramifications of the choice, and requires users to assent to that choice. Any company
interacting with an agent that identifies itself as ACCPT compliant can rely on the
validity of contracts made with that agent despite potential differences between the user’s
personal preferences and the preferences as expressed by the computerized agent. That
liability would be shifted to the authors of agents pledging ACCPT compliance (under
negligence standards for deviations from the ACCPT guidelines). If a program does not
identify itself as ACCPT compliant, the contracting parties retain liability for reliance on
invalid contracts. In that way, a company which collects information from an agent that
does not pledge ACCPT compliance is at its own peril and authors of agents that falsely
pledge ACCPT compliance are also in peril.
A Framework for Privacy Protection
Executive Summary: Page vi
Our proposal also encourages the development of other privacy protecting
technologies, such as a framework for anonymous browsing and electronic commerce.
This includes an addition to IPv6 for connecting to servers without disclosing one’s IP
address, an anonymous payment protocol and an anonymous shipping protocol (for
delivering goods ordered on-line).
A Framework for Privacy Protection
Page 1
INTRODUCTION
New technology must not reopen the oldest threats to our basic rights:
liberty, and privacy. But government should not simply block or regulate
all that electronic progress. If we are to move full speed ahead into the
Information Age, government must do more to protect your rights - in a
way that empowers you more, not less. We need an electronic bill of rights
for this electronic age.1
-Vice President Al Gore
The World Wide Web has grown exponentially from its proposal in March of
1989 as a way for physicists to keep track information at the European Laboratory for
Particle Physics (CERN).2 More than one hundred and fifty million people now use the
Web3 and any effort to count the number of individual sites is doomed to be outdated
before finished.4 Those sites represent a wide range of interests and ways of using the
Web but almost all share at least one characteristic: the collection of information. Ninetytwo percent of websites recently surveyed by the United States Federal Trade
Commission (FTC) collect information from their users.5 Add Internet Protocol (IP)
1
Al Gore, New York University Graduation Address (May 15, 1998) (last visited December 3, 1998)
<http://www.techlawjournal.com/privacy/80515gore.htm>.
2
See Tim Berners-Lee, Information Management: A Proposal (last visited December 7,
1998)<http://www.w3.org/History/1989/proposal.html> (proposing a hypertext system called "Mesh"
which was later renamed the "World Wide Web"). See also A Little History of the World Wide Web (last
visited December 7, 1998) <http://www.w3.org/History.html>.
3
See Nua Internet, How Many Online? (last visited December 8, 1998)
<http://www.nua.ie/surveys/how_many_online/index.html>. See also Gregory G. Gromov, History of the
Internet: Part 8 – Statistics, (last visited December 8, 1998)
<http://www.internetvalley.com/intvalstat.html> (estimating the number of US Internet users at 57 million
but admitting that there is some dispute about that figure).
4
But see Tony Rutkowski, Internet Trends <http://www.genmagic.com/Internet/Trends/> (last visited
December 8, 1998) (estimating the number of Internet hosts at ten million in early 1997).
5
See Testimony of Robert Pitofsky before House Subcommittee on Telecommunications, Trade and
Consumer Protection Consumer Privacy on the World Wide Web (July 21, 1998)
<http://www.ftc.gov/os/1998/9807/privac98.htm>.
A Framework for Privacy Protection
Page 2
address logging and that number nears one hundred percent. The U.S. government
believes in industry self-regulation but thus far self-regulation has been an unqualified
disaster. Fewer than fourteen percent of the sites surveyed by the FTC even give notice of
their privacy policies.6 The default privacy settings on the two most popular web
browsers are set at their most lenient. Users do not own their personal information and
current informational practices point toward more abuse of personal information rather
than less.
Consider the hypothetical surfer, Alfred. Alfred surfs from home and goes to a
wide variety of sites. Alfred checks the performance of his favorite technology stocks on
TheStockTickerWeb.Com. Being an older man, Alfred looks for information on the
hereditary nature of prostrate cancer at ProstrateInfo.Com and checks out the job listings
at a web publishing site called CabledNews.com. He buys a few books on gardening at
Books4U.com and has them delivered. Even if Alfred has been careful, a large quantity
of personal information has been collected from these sites and others. Alfred may be
surprised when he receives an e-mail from TradeEase.com telling him that anyone who
invests in tech stocks should subscribe to their insider’s guide. Or, come Monday
morning, when he finds the company policy on job-seeking while still employed on his
desk. Or when he receives advertisements for a new prostrate cancer wonder drug by
mail at his home. Or when his HMO calls him in and talks about raising his rate if
prostrate cancer is in his family. However, all of these nightmare scenarios could come
true today. Technology enables it, law allows it, the market encourages it, and social
6
See FTC, PRIVACY ONLINE: A REPORT TO CONGRESS (1998), available in
<http://www.ftc.gov/reports/privacy3/exeintro.htm#Executive Summary>.
A Framework for Privacy Protection
Page 3
norms constrain only the most flagrant privacy violations, and then only as long as the
public’s attention affords.
This paper will describe the current privacy framework in the United States and
outline why neither technology, nor law, nor the market, nor social norms adequately
regulate the privacy practices of data collectors. It will examine two current privacy
solutions as case studies of how the current privacy framework is inhospitable to personal
privacy. It will propose a new framework for privacy protection and discuss some
possible critiques of the proposed framework. But first we must be clear on the scope of
the project and the goals we hoped to achieve in crafting this proposal.
SCOPE
This white paper puts forward a privacy framework that would protect the privacy
of individuals on the World Wide Web. As such, it has a wide focus but does not attempt
to solve every problem of individual privacy. In particular, we do not discuss workplace
privacy, as it is a rapidly evolving field with issues specific to the workplace that have
already been well commented on by many authors.7 We do not discuss governmental
invasions of privacy because some protection already exists in this area.8 We likewise do
not attempt to provide a framework for the protection of personal data from interception
in transit or unauthorized access in storage because these too are covered by existing
7
See, e.g., Kevin Kopp, Comment: Electronic Communications In The Workplace: E-Mail Monitoring And
The Right Of Privacy, 8 Seton Hall Const. L.J. 861 (1998); Kevin J. Konlon, The Kenneth M. Piper
Lecture: Privacy In The Workplace, 72 Chi.-Kent. L. Rev. 285 (1996); Kevin J. Baum, Comment: E-Mail
In The Workplace And The Right Of Privacy, 42 Vill. L. Rev. 1011 (1997).
8
See infra text accompanying notes 73-85, 109-110.
A Framework for Privacy Protection
Page 4
privacy regulations.9 We also do not specifically target children’s privacy issues which
have received much attention in this Congress, though our proposal is adaptable to their
needs. Instead, this paper aims to propose a framework for individual privacy protection
from private entities who collect data on the World Wide Web.
GOALS
Within the scope of individual privacy on the World Wide Web, there are many
possible frameworks that would reflect different goals. The current government stance on
privacy has allowed the goals of business to be the basis for the privacy framework in this
country. Our proposal follows directly from a different set of goals. These goals reflect
our biases and are listed below in order of their importance to us in crafting this proposal.
1. Protect Individual Privacy: In the straightforward words of Al Gore, "You
should have the right to choose whether your personal information is
disclosed."10
2. Enable Electronic Commerce: Electronic commerce is becoming a significant
part of the U.S. economy with sales expected to reach close to five billion
dollars this year11 and as much as one and a half trillion dollars by the year
2002.12
9
See infra text accompanying notes 111-116
10
See Gore, supra, note 1.
11
See NUA Internet, Online Porn Industry Facing Crisis (last visited Dec. 8, 1998)
<http://www.nua.ie/surveys/?f=VS&art_id=905354484&rel=true> (citing Forrester Research).
12
See NUA Internet, Paradigm Shifts (last visited December 8, 1998)
A Framework for Privacy Protection
Page 5
3. Enfranchise Everyone: Too often privacy is only for the elite. Web privacy
should be available regardless of wealth, technological, or legal savvy.
4. Encourage Diversity: We recognize that diversity and competition are the
lifeblood of the growth of the Internet and the World Wide Web. Any privacy
protection framework should encourage a diversity of technological solutions.
Similarly, a good privacy protection framework should not dictate the level of
privacy afforded each person. Since people have different privacy preferences,
any proposed framework should allow for a wide range of competing privacy
policies.
5. Enable Collective Privacy Choices: Communities have an interest in
protecting the privacy of their members and so should be able to make and
administer collective privacy choices.
<http://www.nua.ie/surveys/analysis/weekly_editorial/archives/issue1no49.html> (quoting Nicholas Lippis,
an industry analyst).
A Framework for Privacy Protection
Page 6
CURRENT AND PROPOSED REGULATORY FRAMEWORKS
Cyberspace is regulated in a variety of ways.13 Law obviously can affect behavior,
even in cyberspace, as the courts are becoming more familiar with the space. Sites react
to lawsuits14 and courts dictate the ways in which certain sites function.15 Market forces
affect the space too. Popular sites get financial backing and can afford to hire the best
graphic designers. Similarly, lucrative content16 or business models17 breed many sites.
Social norms further affect the space as sites appear to serve different communities18 and
fads dictate website style.19 Finally, the most important effect on cyberspace is that of its
13
See Lawrence Lessig, CODE, AND OTHER LAWS OF CYBERSPACE, unpublished circulating draft (1998).
14
See, e.g., Washington Post Co., et al. v. TotalNews, Inc., 97 Civ. 1190 (S.D.N.Y. Feb. 2, 1997). In early
1997, TotalNews.com, a clearing house site for current news stories from a variety of online media sources,
was sued by some of those companies, including the Washington Post. See id. The plaintiffs objected to
the TotalNews.com’s "framing." A "framed" site is a site whose content is opened within another sites’
pages. TotalNews framed the Washington Post’s stories within its own pages so that users saw Washington
Post stories as well as Total News advertisements and menus in the same web browser window. The
plaintiffs alleged unfair competition, misappropriation, trademark dilution and infringement and other
violations. As part of a settlement, TotalNews.com agreed to stop framing the plaintiffs' sites.
15
See e.g. Shetland Times Ltd. v. Wills, Scot Sess-Case, 1 EIPLR 723 (1996). In late 1996 The Shetland
Times sued its former editor, Dr. Jonathan Wills, over links from his new web based newspaper, The
Shetland News, to stories on the Shetland Times site. See id. See also Simulation of Shetland News Pages
(last visited Nov. 21, 1998) <http://www.shetland-times.co.uk/st/newsdemo/index.htm> (showing how the
Shetland News page of October 14, 1996 linked to Shetland News Articles). An interim judgement held
that it was prima facie arguable that using headlines from the Shetland Times’ website to link to the stories
on that site could be a breach of copyright. See J.P. Connolly et al, Fair Dealing in Webbed Links of
Shetland Yarns, 1998 J. INFO. L. & TECH. 2. A settlement after the ruling allowed The Shetland News to
continue deep linking to individual stories on the Shetland Times site as long as the News identified the
stories as being from the Times website in the link text. See id.
16
Pornography revenue is expected to top one billion dollars this year. See NUA Internet, supra note 11.
17
The portal frenzy is just on example of this phenomenon. See Daniel Rimer, Let the Portal Games Begin,
C-NET NEWS, June 23, 1998 <http://www.news.com/Perspectives/Column/0,176,211,00.html>.
18
See, e.g., Planet Out: Land On It! (last visited December 8, 1998) <http://www.planetout.com/> (whose
slogan is "The Number One Online Community of Gay, Lesbian, Bi and Trans People Worldwide"); Why
America Online Sucks (last visited December 8, 1998) <http://www.aolsucks.com/>.
19
The ill-fated Netscape HTML extension <BLINK> tag is a good example of this as is the C-Net multicolumn look that has spawned vast number of similar layouts. See Brian Wilson, Index Dot HTML: Blink
A Framework for Privacy Protection
Page 7
technical architecture. Those characteristics that differentiate the web from chat or a realspace library are functions of its unique architecture.
It is important to realize that all of these forces are fluid, and, in the next section,
we propose changes to the legal regime and technical architecture in order to effect
changes in the market and social norms. However, we must first understand why the
current technical, legal, market and social forces do not offer sufficient protection for
individual privacy and that is the subject of this section.
TECHNOLOGY
The current state of Internet and World Wide Web technology provides ample
opportunity for the collection of personal information about a user. More importantly, the
user possesses relatively little control over the flow of this information. One of the most
obvious privacy threats comes from information freely handed over by the user – filledout surveys, purchases with credit cards and mailing addresses, etc. This information,
amassed, stored, and traded, can present a significant privacy threat. Other less visible
privacy threats, that users may or may not be aware of are embodied in the technical
architecture of the Internet and the World Wide Web.
Internet Protocol (IP)
Internet Protocol (IP), as its name suggests, is the fundamental protocol of the
Internet. Any computer connected to the Internet, despite the nature and composition of
(last visited December 8, 1998) <http://ec.msfc.nasa.gov/html/tagpages/b/blink.htm>; Welcome to CNET!
(last visited December 8, 1998) <www.cnet.com>.
A Framework for Privacy Protection
Page 8
the computer’s local subnet (the local network of which it is a part) has an IP address. A
computer on the Internet may have a static IP address, in which case it is always the same
unique address. Alternatively, a computer may have a dynamically allocated IP address,
which is assigned (usually on a per-session basis) from a pool of addresses available to
the computer’s subnet.
IP addresses currently consist of four one-byte (i.e., ranging from 0 to 256)
numbers, normally delimited by periods (e.g., "127.0.0.1"). A subnet may use IP
addresses that are either Class A, Class B, or Class C addresses. The class of the
addresses determines how many total IP addresses a subnet possesses. In a Class A
address, the first one-byte number in the address is identical for all machines on the
subnet (e.g., all MIT IP addresses start begin with the number 18). In a Class B address,
the first two numbers in the address are identical for all machines on the subnet. In a
Class C address, the first three numbers are identical.20
IP addresses are equivalent to the U.S. Post Office’s ZIP code plus four digits
numbering system; at any one time, only one computer should have any one address, and
anything sent to that address should not end up anywhere else instead. IP addresses are
used to ensure that data on the Internet is sent to the correct computer. For this reason, a
computer must indicate its IP address when making a request for data, or the responding
computer will not know where to send its reply.
20
See Gopher Menu (last visited Dec. 9, 1998) <gopher://gopherchem.ucdavis.edu/11/Index/Internet_aw/Intro_the_Internet/intro.to.ip/>
A Framework for Privacy Protection
Page 9
IP Logging
Computers that users interact with, such as web servers, will obtain the IP
addresses of their visitors. In most cases, these IP addresses are written to a log file. The
server machine can also easily indicate what IP address queried for what page. More
sophisticated IP logging systems might tie this information to other queries and data
acquired by other collection technologies, which are discussed below.
An IP address may betray certain information about a computer. At the very least,
in a subnet where IP addresses are dynamically allocated, an IP address will indicate the
general location of a computer. For instance, an IP address may indicate that a user is
from AOL or MIT. In many cases, with static IP address, an IP address alone can indicate
the identity of a user and tie him to other data collected about him.
One hypothetical scenario might run as follows: On one day a user with a static IP
address goes to Playboy’s website and looks at a playmate pictorial but does not do
anything to identify himself in any other way. His IP will still be tied to his picture
viewing session later on. If, at another time, he revisits the Playboy site but "only reads it
for the articles," and he decides to give his name and mailing address so that he can
receive Playboy’s new free "just the articles" mailing, he has really revealed his identity
for every visit to the site. Playboy’s server can now associate a certain name and mailing
address with the IP address it originated from. Thus, the user’s name can be associated
with the pictorial-viewing web session of the previous day. IP correlated profiles are not
foolproof, however. Under this method, the IP address only identifies the computer; a
A Framework for Privacy Protection
Page 10
different user of the computer may have visited the site for the pictorial query.
The Future of IP Logging
IP Version 6
The Internet is currently undergoing a major technological change. Many of the
protocols designed when the Internet was a fraction of its current size are beginning to
show signs of wear. The current version of IP (Internet Protocol Version 4) only has
provisions for 32 bit IP numbers.21 This places an upper limit on the number of
computers with unique IP addresses on the Internet at once. Although 232 is a fairly large
number, the assignment is fairly inefficient by design. For instance, MIT has more than
16 million IP numbers for less than 16 thousand people. The end result is that there is a
severe shortage of IP numbers. IP numbers sell for as much as $150 per year in some
areas.
To correct this (and several smaller problems), the Internet will convert to a new
version of IP, known as IPv6 (Internet Protocol version 6). IPv6 is a complete revamp of
the most fundamental layers of the Internet. IPv6 will increase IP size to 128 bits, giving
the astronomical number of 2128 IP addresses. It includes other improvements useful for
automatic configuration of machines, better routing of Internet traffic, better multicasting
(transmitting the same data to a large number of machines), better machine mobility,
maintaining large networks, transmitting encrypted data and a host of other tasks.22
21
See INFORMATION SCIENCES INSTITUTE, INTERNET PROTOCOL: DARPA INTERNET PROGRAM PROTOCOL
SPECIFICATION (1981), available in <http://info.internet.isi.edu:80/in-notes/rfc/files/rfc791.txt>
22
See NETWORK WORKING GROUP, INTERNET PROTOCOL, VERSION 6 SPECIFICATION (1998), available in
<http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2460.txt>.
A Framework for Privacy Protection
Page 11
With the introduction of IPv6, there will be about 3.4*1038 IP numbers. Within a
few years, almost all computers will have unique IP addresses. Businesses like
DoubleClick will no longer need cookies (see below) to track individual machines. The
proposals below attempt to counter this by allowing users to connect to servers without
disclosing their IP addresses.23
Anonymizing Routers
It has been suggested that the adoption of IPv6 should also include an
anonymizing router technology to allow anonymous connections. Each router between
the client and the server would mangle the IP by marking what router it came from,
adding a few random bits, and encrypting it with a private key. When the web server
responded, each router would unmangle the IP, pick out the bits indicating what router it
came from, and send it to the previous router. Keys (and their corresponding mangled IP
addresses) would expire after a preset amount of time (~24 hours). Alternatively, instead
of encrypting, routers could store IP addresses in memory, and replace them with a
reference to the IP’s location in memory.
Although mangling and unmangling IP addresses may seem like an unnecessary
burden on routers, encryption and decryption is fast, and the actual difference in cost
would be marginal. Some Cisco routers can already encrypt packets (although not for the
purpose of anonymity),24 and there are extensions to most operating systems that allow
23
24
See Eric Osborne, Linux IPv6 FAQ/HowTo (last visited Dec. 9, 1998) <http://www.terra.net/ipv6/>.
See Cisco Encryption Technology (last visited Dec. 9, 1998)
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scencryp.htm>.
A Framework for Privacy Protection
Page 12
for ordinary computers to do the same.25 Simple encryption chips easily achieve speeds in
excess of 177 Mbits/sec.26 On the low-end, instead of encryption, IP addresses could
easily be stored in random slots in a cheap memory table.
The adoption of anonymizing routers could potentially cause the tracking of
"crackers" (individuals that break into other computers) to be significantly more difficult.
Right now, IP logs can be used to track many attacks. With anonymizing routers, law
enforcement would need to ask (or possibly subpoena) every router between the cracker
and the compromised machine to unmangle the IP and figure out where the attack
originated. However, experienced crackers already conceal or erase their IP addresses
from logs. It does not take long for amateur crackers to pick up techniques from experts.
Anonymizing Proxies
Anonymizing proxies serve the same purpose as anonymizing routers, but use a
different technology. Instead of connecting directly to a web server, the web browser
connects to a trusted proxy and asks it to retrieve a web page. The proxy retrieves the
web page, and sends it back to the browser. The web server only knows the proxy’s IP,
and not the user’s. Since anonymizing proxies are shared by a number of users and do not
transmit any individually identifying information, web servers have no way of tracking
users going through proxies.
There are a number of disadvantages to anonymizing proxies. A malicious or
25
See S/Wan Online Interoperability Test (last visited Dec. 9, 1998)
<http://www.rsa.com/rsa/SWAN/swan_test.htm>.
26
BRUCE SCHNEIER, APPLIED CRYPTOGRAPHY 264 (1994).
A Framework for Privacy Protection
Page 13
compromised proxy could log all of its user's transactions. Although there are free
anonymizing proxies available on the web, they are not very popular for a number of
reasons. To begin with, few people know about them. Of those that do, most opt not to
use them because there is a noticeable lag, and making the appropriate configurations on
the web browser is a hassle. Further, because there are twice as many requests for every
page retrieved when proxies are used, universal adoption could significantly increase
traffic on the Internet. And if a significant number of individuals start using them, people
will no longer be able to afford to operate proxies for free.
However, proxies are already used in a number of places for other reasons.
Filtering proxies censor certain types of web content in libraries, schools, small
oppressive countries, and large oppressive businesses.27 Caching proxies remember pages
that were recently accessed by users, and can quickly retrieve them for other users,
increasing speed and reducing bandwidth.28 Firewalls that filter all packets sent to the
Internet frequently provide proxies for web content.29 Converting an existing proxy to
remove identifying information is easy, and anonymizing proxies are an excellent option
for places where another form of proxy is already in use.
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol (HTTP) is the protocol used by web servers to fulfill
27
See e.g. FILTERING ASSOCIATES, PROXY SERVER FILTERING SOLUTIONS FOR ISP AND BUSINESS
NETWORKS (last visited December 9, 1998) <http://www.filtering.net/Products/Servers/servers.html>.
28
See THE NATIONAL JANET WEB CACHE SERVICE, INTRODUCTION TO WWW CACHING (last visited
December 9, 1998) <http://wwwcache.ja.net/intro.html>.
29
See e.g. UNICOMP TECHNOLOGIES, FIREWALL SECURITY (last visited December 9, 1998)
<http://www.firewallsecurity.com/microsoft/>.
A Framework for Privacy Protection
Page 14
user requests for web pages. One of the distinguishing features of HTTP (as opposed to
File Transfer Protocol or Telnet) is its instantaneous nature. There is no real connection
between a web server and browser during an HTTP session. The browser makes a
request, the server fills it and moves on to its next request. When your browser makes
another request, it does so as if it had never made the first. This is a good thing because it
reduces server load (the server does not need to keep a connection open with your
computer while you browse a page) but it is a bad thing because your browser must make
a new connection for every request and the server treats every request as unrelated to any
other. So-called "stateless" protocols are a problem for features like shopping carts or
password saving because such features require some memory of what happened in
previous requests from the same browser.
Cookies
Cookies were created to add “state” to HTTP. They are bits of information,
generally text, that may be stored on either a user’s computer (client-side cookies) or on a
web server that the user is visiting (server-side cookies). Client-side cookies may be
specified to be readable by only a particular machine (e.g., personal.lycos.com), only
machines in a certain domain (e.g., preferences.com), or any computer. The readability
scope of server-side cookies depends on the network and architecture of the server site
(for instance, data may be stored in a central LDAP database, discussed below).
Users, in general, have very little control over the use of cookies. Some web
browsers allow users to completely disable cookies (which prevents the user from taking
A Framework for Privacy Protection
Page 15
advantage of a large number of useful sites and services in the web industry), to accept or
reject them one by one (which can become very tiresome very quickly), or to accept
cookies which may only be read by the specific server which issued them. Users have no
control over server-side cookies. Although website providers have more control over
server-side cookies, they generally use client-side cookies for several reasons. To begin
with, web browsers automatically save client-side cookies between web sessions, and
browsers often keep a different set of cookies for each user on a computer. The
maintenance of server-side cookies between sessions, by contrast, generally requires a
user to log in to the server at the beginning of each session to identify himself, although
IP address logging, which may not indicate the same computer across multiple sessions,
may eliminate this requirement. Additionally, increasing the scope of readability for a
client-side cookie (e.g., for a whole domain) is much easier than for a server-side cookie.
Sharing server-side cookies often requires a larger investment in a particular server
architecture and intranet.30
Because of their persistence, as well as their user-level targetablility, client-side
cookies serve as excellent tools to track users and to tie together various pieces of data
collected about them. A server may assign a user a unique ID in a cookie. This may serve
the same basic identifying function as an IP address, but the ID is more likely to be
traceable to a single, unique user – although, unlike an IP address, a technically savvy
user may reject or even edit/hack client-side cookies. Once a user has a unique cookie ID,
he may be tracked across a site or even multiple sites in a domain. Then, if at any of these
See NETSCAPE, CLIENT-SIDE STATE – HTTP COOKIES (last visited Dec. 9, 1998)
<http://home.netscape.com/newsref/std/cookie_spec.html>.
30
A Framework for Privacy Protection
Page 16
sites a user provides other information about himself, such as an address, as in the
Playboy scenario, or an interest in a certain book on Amazon.com (by adding it to his
"shopping cart"), the new information can be tied together with the user ID and any other
information collected.
An Alternative to Cookies: Client-Side Targeting
DoubleClick, Preferences.com, and other targeted web advertisement companies
use cookies to direct ads at individuals based on their browsing habits. An alternative to
this system would be one in which the web browser would log browsing habits and pick
ads itself. Targeted ad companies would no longer need knowledge about individuals to
target advertising.
In the simplest version, an ad company would send multiple ads with lists of
keywords. The browser would pick the one most appropriate for the user based on
browsing habits and tell the ad provider which ad it picked through an anonymous
protocol, like the survey protocol described above.
In more advanced versions, an ad company could send a bit of Java bytecode that
the browser would run to decide between ads. The browser could also have a profile of
the user filled out by the user when the browser initially runs. If connections to the ad
provider are properly anonymized, the provider could have a conversation with the
browser to pick the best ad.
Guaranteeing that an ad company cannot tie back ad choices to individual
browsers is very important; otherwise, this technology could be more dangerous than
A Framework for Privacy Protection
Page 17
cookies. An ad company could ask very specific questions, log the results, and build a
much more detailed profile.
Other Web Technologies
Lightweight Directory Access Protocol (LDAP) Databases
Lightweight Directory Access Protocol (LDAP) was designed to provide quick
access to a directory or database of information over a network. An LDAP database, like
any database, can store information in, and look up information based upon, various
fields. Thus, an LDAP database might store users, their e-mail addresses, preferences,
mailing information, etc. LDAP is useful for collecting personal data on the Internet
because multiple servers within a website provider’s intranet may easily and quickly
access a central system of LDAP database servers. Because most modern-day, industrialstrength websites, actually involve multiple mirrored front end servers and multiple
layers of computers behind the front end in order to handle heavy loads, an LDAP-style
system allows users’ personal information to be collected, distributed, and stored more
easily.31
This technology has important implications for collection of private data. As
stated, LDAP databases can store a wealth of information, and the LDAP front end
protocol and implementation allows for rapid storage and retrieval of this information.
These properties alone greatly reduce the cost of collecting private information.
Additionally, because LDAP allows many machines to easily centralize data, collected
31
See Lightweight Directory Access Protocol (last visited Dec. 9, 1998)
<http://www.umich.edu/~dirsvcs/ldap/>.
A Framework for Privacy Protection
Page 18
personal information can be made available to a larger number of server machines and
websites. In essence, LDAP is a technology that provides a backbone for large scale
collection and sharing of users' private information. Without a technology like LDAP,
several servers, on the same site or different sites, might collect a large amount of
information about a user, but the machines would unable to easily collate the data. Such a
situation would be somewhat like the "fog of war," where many events are observed in
many different places, but the communication of information from various battlegrounds
to the generals in the army headquarters is difficult. LDAP provides the roads and
couriers to bring the information to the headquarters.
JavaScript and VBScript
JavaScript and VBScript are two similar technologies (the former developed by
Netscape, the latter by Microsoft), that direct web browsers to perform certain functions
and transfer certain information. When a user downloads a page from a server, that page
may contain these technologies, which instruct the browser to perform certain tasks either
automatically or upon certain user actions. Most data-collection methods that utilize these
technologies rely on bugs in the implementations and specifications of the scripts.
Although most or all of these bugs have been corrected in the latest versions of the
browsers that support JavaScript and/or VBScript, a large number of people are still using
versions that harbor security weaknesses. Thus, a brief discussion of these weaknesses is
warranted as part of the current state of technology.
Scripts can obtain information about a user by reading their web caches (pools of
A Framework for Privacy Protection
Page 19
recently visited web pages that a browser often keeps for better performance) or reading
data about a computer type or the files within it. This data is often sent back to the server
through a hidden form similar to a typical HTML form, except that all of the fields are
invisible. Needless to say, these methods for collecting personal data are sufficiently
shady that most or all mainstream commercial websites do not utilize them. Despite this,
the potential risk of privacy violations through script security holes is very high.
Java and ActiveX
Java and ActiveX are two somewhat similar (for our purposes) technologies (the
former developed by Sun, the latter by Microsoft) that allow small, contained programs
(applets or components), originating from a web server, to be executed on a user’s
computer. Java programs are usually restricted by a sandbox or a security manager. The
former is a sealed off environment on the user’s computer which contains no personal
data or files, and the latter is a more granulated system that allows programs to request -and be allowed or denied -- access to various personal computer resources to the extent
that they cannot collect any useful personal data. However, if the user explicitly grants
permissions to the Java programs, they may read or manipulate files and settings on the
user's computer, as well as send information to another machine on the Internet. Only the
latest versions of Java implementations provide a full security manager as opposed to a
sandbox.
ActiveX is based on the all-or-nothing web of trust system. A user downloads an
ActiveX component onto his system, and if he allows it to run, it has free reign on his
A Framework for Privacy Protection
Page 20
computer. ActiveX components can be signed by a "trusted entity" that vouches for the
identity of the original author, and sometimes, the security of the component. It is up to
the user to decide whether he trusts the author and the "trusted entity."
Despite the potential for extra security protection in the latest versions of Java and
ActiveX, the ability of a site to collect private information is still quite strong. In the end,
a user must trust those sites to which he does grant special access to protect the
confidentiality of the information they collect. Non-technological standards, such as
TRUSTe (see below), help to alleviate this problem to some extent.
E-Commerce
Payment
Credit cards are the most common method of payment on-line, but they have a
number of problems associated with their use. Users must disclose their names, card
numbers, and card expiration dates. Furthermore, credit cards leave an audit trail; the
credit card companies have a log of almost all purchases made on-line. To solve the
privacy problem (and more importantly, the potential problems of on-line credit card
fraud), cryptographers have come up with a number of secure, on-line payment protocols.
The goals of such protocols, as defined by T. Okamoto and K. Ohta, are:
ï‚·
Independence: Does not depend on physical location or objects (can be used online).
ï‚·
Security: Cannot be copied.
ï‚·
Privacy: No one can trace users.
A Framework for Privacy Protection
Page 21
ï‚·
Off-Line Payment: Does not require a permanent network connection for use
ï‚·
Transferability: Can be transferred between users (merchants no different from
normal users).
ï‚·
Divisibility: A large e-bill can be split up into smaller e-bills (and the reverse). 32
DigiCash, once the dominant player in this field, recently filed for Chapter 11
bankruptcy. Several other companies are currently developing smart cards, and in the
process, digital cash. Two proposed payment protocols for protecting privacy under a
digital cash regime are outlined below.
Digital Cash Protocol Type 1
In the first protocol, each denomination is tied to a public/private key pair.
Owners of that denomination hold the private key and a banking institution holds the
public key. When a buyer makes a purchase, the seller creates a private/public key pair,
and shows the buyer the public key. The buyer sends an anonymous, encrypted
instruction to the financial institution, requesting that the money be transferred to a new
public key. He signs the request with the old private key. The financial institution
publicly broadcasts a signature of the transaction, so the seller knows the money is
available under his private/public key pair.
This protocol meets the needs of independence, security, transferability,
divisibility, and privacy. It fails for smart cards and off-line payment.
Digital Cash Protocol Type 2
See T. Okamoto& K. Ohta, Universal Electronic Cash, in ADVANCES IN CRYPTOLOGY – CRYPTO '91
PROCEEDINGS 324-337 (1992).
32
A Framework for Privacy Protection
Page 22
Most cryptographic protocols designed work with smart cards are based on a
physical scheme:33 Alice prepares 1000 money orders for $100. She puts each, together
with a piece of carbon paper, in a different envelope. She hands the 1000 envelopes to the
bank. The bank verifies that 999 of the envelopes contain a money order for $100,
deducts $100 from Alice's account, and blindly signs the last one. Alice gives the money
order to a merchant. The merchant verifies the bank's signature, and accepts the money.
The merchant takes the money order to the bank, which verifies its own signature, and
gives the merchant the money.
Note that electronically, the bank can sign an "envelope" by signing a one-way
hash of the money order -- the "closed envelopes." The bank '"opens" them by requesting
that Alice show a money order, and verifying the hash on that order.
This protocol meets five of the six goals. Though Alice can easily copy the money
order and use it over, this can be corrected by adding a random uniqueness string to each
money order. When the bank receives a money order, it can verify that it has not received
a money order with the same uniqueness string before.34
Although this protocol prevents Alice and the merchant from cheating the bank, it
does not identify whether it was the customer or Alice who tried to cheat the bank. There
is an additional protocol that verifies this, although it is impossible to explain in detail
without a presenting a stronger cryptographic background. The basic idea is:
33
34
See SCHNEIER, supra note 26, at 117-18.
See id. at 118-19.
A Framework for Privacy Protection
Page 23
Alice, in addition to putting a uniqueness string on the money order, places on it a
series of 100 "identity pairs," designed in such a way that any one element of a pair does
not reveal her identity, but any matching pair can be combined to give her identity (name,
address, etc.). When Alice makes a purchase, the merchant asks Alice to reveal a specific
half of each identity string ("Show me the second string from the first pair, the first from
the second pair ..."). If Alice tries to cheat and copy her money order, the second time she
tried to use the money order, the merchant would ask for a different set of identity strings
(the chances of asking for the same set are one in 2100). The bank could match up two
identity pairs and confirm that Alice tried to cheat. If a merchant tries to cheat, he would
only have one set of identity strings, and the bank could tell it was the merchant.35
Perfect digital cash allows for significant abuses. For instance, with any one of the
protocols in the second set, consider the perfect crime:
Alice kidnaps a baby. Alice sends the law enforcement authorities an anonymous
note with the hashes of 1000 money orders, and a request that a bank sign them and
publish the signatures in a newspaper (or else the baby dies). The authorities comply.
Alice frees the baby. Unlike physical systems, there is no way to track Alice. She is free
to spend the money.36
Delivery
When goods are ordered on-line, they need to be delivered. Traditional delivery
35
36
See id. at 120-22.
See S. von Solms & D. Naccache, On Blind Signatures and Perfect Crimes, 1992 COMPUTERS &
SECURITY 581-83.
A Framework for Privacy Protection
Page 24
methods require the user to disclose his name and address. A number of anonymous
delivery methods exist that are designed to circumvent this problem. Notice the similarity
in the three methods to status quo, anonymizing proxies, and anonymizing routers for
delivering packets on the Internet.
P.O. Boxes
Classically, anonymous delivery has been handled through post office boxes. The
user is assigned a unique, untraceable number by the post office. Deliveries can be sent
by that number without disclosing the user’s identity.
But post office boxes are a poor solution. They are expensive, and most people
cannot afford to have a unique box for each transaction. Eventually, a person's box may
be tied back to his identity, and all of the previous transactions are compromised.
Cryptographic Delivery
The post office publishes a public key every month. When a user gives out his
address, he encrypts it, together with an expiration date and a few random bits, with the
post office’s public key. The post office can decrypt it and deliver to that address, but the
sender cannot trace it down to a specific person. Further, unsolicited mail can only be
sent for a short time, because the address expires. The encrypted data could also contain
the merchant’s name and address, so the post office would only deliver packages sent by
the merchant.
Trusted Third Party
A Framework for Privacy Protection
Page 25
The product is sent to a trusted third party, which forwards the product to the
intended recipient. This doubles the cost of shipping, and it is often not possible to find a
trusted party offering this sort of service.
Case Study: A Technological Solution
In recent times, the lack of good privacy on the Internet has been spotlighted and
examined following the pressure from numerous sources. The general Internet user’s
desire for stronger privacy protection as he uses the Internet37 and the impending
possibility of governmental intervention to help create stricter privacy controls38 have
driven many individuals, corporations, and organizations to try to create solutions to the
expressed privacy concerns. For example some individuals have created anonymizing
remailers for anonymous e-mail,39 and others have created anonymizing browsers or
proxies.40 Due to the difficulties users encounter trying to find websites’ privacy
practices, many individuals and organizations have made proposals to control the release
of their personal information.41
In June of 1997, Netscape Communications, Inc., FireFly, LLC., and Verisign,
Inc., proposed the Open Profiling Standard (OPS) to address concerns about privacy on
37
See Pitofsky, supra note 5.
38
See id.
39
See Ian Goldberg, David Wagner, & Eric Brewer, Privacy Enhancing Technologies for the Internet (last
visited Dec. 9, 1998) <http://www.cs.berkeley.edu/~daw/privacy-compcon97-www/privacy-html.html>.
40
See, e.g., Anonymizer, Inc. (last visited Dec. 9, 1998) <http://www.anonymizer.com>.
41
See FTC, supra note 6.
A Framework for Privacy Protection
Page 26
the web.42 OPS required that when a user goes to a website, the website may (via HTTP,
as was proposed) ask the user’s computer for information about that user. Any piece of
information about the user can be marked by the user as something his computer is
always allowed to freely distribute (ALLOW), something that should never be distributed
(DENY), or something the user should always be prompted to decide upon at the time of
request; this information would be kept locally on his/her computer on a "virtual business
card" or vCard,43 which contains certified information about the user as the user
chooses.44
Platform for Privacy Preferences (P3P)
While OPS has for the most part fallen by the way-side, another proposal under
development during and after the wake of OPS, adopting many of its features, is the
Platform for Privacy Preferences (P3P).45 This proposal, sponsored by the World Wide
Web Consortium (W3C), has been in development since October of 1997 and is still
under development today. The concept behind P3P is that one can set up a flexible
software agent to represent the user’s privacy interests that will then interact with
websites as user moves around the WWW to create agreements as to what information
the user agent, and thus the user, will give to a website, as well as how the website can
42
See NETSCAPE, OPEN PROFILING SPECIFICATION SUBMISSION (1997), available in
<http://www.w3.org/Submission/1997/6/>.
43
vCards are a technology created by Verisign, and thus constitute Verisign's main role in the OPS
relationship.
44
45
See Netscape, supra note 42.
See W3C, Platform for Privacy Preferences Project (last modified July 16, 1998)
<http://www.w3.org/P3P/>.
A Framework for Privacy Protection
Page 27
use this information.
Figure 1: A P3P pseudonymous interaction with a service46
A P3P session begins when a user makes a request for a URL (see Figure 1,
above). The contacted server then replies to the user with one or more machine-readable
P3P proposals encoded in Extensible Markup Language (XML)47 as part of the HTTP
headers. In this proposal, the organization maintaining the server makes a declaration of
its identity and privacy practices. This proposal, applicable only to the requested URL
and similar sites,48 lists what data elements the server would like to collect from the user
while the user is connected, how those data elements are to be used, and specifically,
46
JOSEPH REAGLE AND LORRIE FAITH CRANOR, CACM PLATFORM FOR PRIVACY PREFERENCES, (last
visited December 10, 1998) <http://www.w3.org/TR/1998/NOTE-P3P-CACM-19981106/>.
47
For more information on XML, see W3C, Extensible Markup Language (last modified Nov. 11, 1998) <
http://www.w3.org/XML/>.
48
Also called a realm.
A Framework for Privacy Protection
Page 28
whether those data elements will be used in a personally identifying manner.49
The proposal is then parsed by the user’s agent, which would most likely be an
extension of the user's browser/client software. The agent would compare the proposal to
the user’s privacy settings. If the user already has settings that would agree with the
proposal, the proposal may be automatically accepted If the user has no settings
appropriate to the proposal, the user’s agent may present the user with the proposal and
prompt for a response, reject the proposal outright, create an alternative proposal
(counter-proposal) and send it to the server, or ask the server for an alternative proposal.
Once a mutually acceptable proposal is found between the user’s agent and the server, an
agreement/contract is met, and the user will gain access to the service.50
P3P Strengths
P3P has a number of important, inherent strengths. Many of these strengths stem
from the fact that P3P was designed with flexibility in mind. In this respect, P3P is very
different than many of the other W3C meta-data activities, such as the Platform for
Internet Content Selection (PICS). PICS is used in the privacy domain to statically define
privacy practices (as well as content), and the only room for control based upon a PICS
tag would be a complete accept or a complete reject.51 P3P allows for far greater
freedom to negotiate, for multiple proposals may be sent by the service, and multiple
49
See Appendix B: Sample P3P Proposal
50
See W3C, Platform for Privacy Preferences (last modified Nov. 6, 1998)
<http://www.w3.org/TR/1998/NOTE-P3P-CACM-19981106/>.
51
See W3C, Platform for Internet Content Selection (last visited Dec. 9, 1998)
<http://www.w3.org/PICS/>.
A Framework for Privacy Protection
Page 29
counter-proposals and requests may be made by the user’s agent before an acceptable
contract is reached. There are also a number of points in the use of P3P where additions
or changes are possible. For example, one important possible addition is for the user
agent to store the proposal IDs (also called propIDs) that are transmitted on the
agreement of a proposal.52 The next time the user tries to access the site, the saved
propID need merely be sent with the user’s request for the service to show that a previous
contract has already been struck between the user and the service and the user desires to
use the same contract again.53
Another boon brought about through flexibility is the fact that the P3P
specification defines a standard set of base data elements54 that all P3P related software
should acknowledge, but provides a mechanism that will let services create new data
elements for users to consider. Also, the fact that the W3C is making P3P's design
generally available will encourage its adoption and improvement, fostering competition
and innovation.
During a P3P negotiation, the creation of Temporary Unique IDs (TUIDs) is a
mechanism that allows P3P to keep track of the state of the current negotiation: basic
information required to determine the current state of the negotiation, such as who had
last "spoken" (the user’s agent, the service, etc.) and the IP address of the user (such that
the service knows where to send data), etc. These TUIDs are necessary for the
52
See W3C, supra note 50.
53
See supra, Figure 1.
54
See W3C, P3P Base Data Sheet (last visited Dec. 6, 1998) <http://www.w3.org/TR/WDP3P/basedata.html>.
A Framework for Privacy Protection
Page 30
connection and negotiation to occur but are especially useful to websites trying to collect
aggregate information on the users that connect to their website.55 Pairwise Unique IDs,
or PUIDs, are an additional mechanism with which to give information to be collected in
aggregate to the service. If a user sets up his user agent to use PUIDs, additional
information about the agreement that has been reached will be transmitted to the service
for collection and aggregation.56 The combined use of PUIDs and TUIDs are a possible
improvement on the current cookies mechanism with which the website can collect
information in aggregate about its users. Also, to facilitate the communication of
personal information when it is desired by both the website and the user, such as in the
process of making an on-line purchase, the P3P user agent will store a base set of user
data elements locally that can then be sent easily while connected to a website via P3P.
In fact, the combined use of a data repository with PUIDs and TUIDs to replace cookies
is actually highly beneficial to businesses desiring to collect information on their users.
The cookie structure as it currently exists only allows cookies to exist for three months.
The use of these P3P features would offer a website more precise and longer lasting
information on the users of their service57, and it would do so, unlike cookies, in a
manner which the user will find acceptable – or it won't be done at all.
Another positive point in the design of P3P is its use of current existing
technological standards. The proposed transport mechanism of the P3P proposal and data
55
See W3C, Platform for Privacy Preferences Syntax Specification (last visited Dec. 6, 1998)
<http://www.w3.org/TR/WD-P3P/syntax.html>.
56
57
See id.
Telephone Interview by Christian Baekkelund with Joseph M. Reagle, Jr., Resident Fellow, Berkman
Center for Internet & Society, Harvard Law School (Dec. 3, 1998).
A Framework for Privacy Protection
Page 31
elements is an extension of HTTP 1.1, the standard protocol used for WWW information
transport.58 P3P also makes use of XML for "creating elements used to structure data"
and thus to communicate the machine-readable P3P proposals and counter-proposals.
The Rich Data Format (RDF)59 is used to provide a "model for structuring data such that
it can be used for describing Web resources and their relations to other resources" for the
data elements in the proposal.60 The use of these standards will make the development of
servers and user agents capable of making P3P negotiations come about more quickly
and easily. Also, the use of a harmonized vocabulary for the proposals means that there
will be no misinterpretation between the public and a service about what the privacy
practices described in the proposal actually mean, and will also enforce the requirement
of certain basic privacy practices to be revealed.61 Furthermore, the use of P3P does not
inhibit the use of other technological privacy solutions, such as anonymized browsing.62
P3P Problems
P3P has a number of faults as well, however. The design for P3P,63 now in its
58
For more information on HTTP, see NETWORK WORKING GROUP, HYPERTEXT TRANSFER PROTOCOL
(1996), available in <http://info.internet.isi.edu/in-notes/rfc/files/rfc1945.txt>.
59
For more information on RDF, see W3C, Metadata and Resource Description (last visited Dec. 9, 1998)
<http://www.w3.org/Metadata/>.
60
See W3C, supra note 50.
61
See W3C, P3P Harmonized Vocabulary Specification (last visited Dec. 7, 1998)
<http://www.w3.org/TR/1998/WD-P3P-harmonization.html>.
62
63
See W3C, supra note 50.
See W3C, Platform for Privacy Preferences Specification (last visited Dec. 6, 1998)
<http://www.w3.org/TR/WD-P3P/>.
A Framework for Privacy Protection
Page 32
third revision, has grown somewhat overly large, complicated, and unwieldy.64 This
excessive verbosity in the definition of the P3P communication syntax will be a burden
on the shoulders of developers desiring to write software to be used in P3P transactions,
and may even be a deterrent to some developers to begin to write such utilities at all.
Also, the extra amount of communication that must occur before a user accesses a
website in a "normal" fashion will create a much greater amount of network traffic and
load on web servers that will inhibit the overall speed and growth of the Internet. The
fact that P3P communications are not encrypted or protected in any other way also leaves
the user data transmitted via P3P open to third party interception.65
Implementation of P3P servers and agents, and issues regarding the penetration of
P3P, trouble the success of P3P. If agents are not easy to use, people will not want to
bother with the initial setup of a P3P user agent,66 nor will they want to deal with
proposals that cannot be decided by their agent and that request dialog from them. The
authors of popularly used user agents will be in an extremely important position in the
creation of the default profile with which the agents are distributed. Currently, Microsoft
and Netscape dominate the WWW browser market,67 and if either was to create a user
agent built into their browser, the default profile with which that browser/agent was
submitted would drastically change the privacy practices of the entire Internet. Finally,
64
Telephone Interview by Christian Baekkelund with Joseph M. Reagle, Jr., Resident Fellow, Berkman
Center for Internet & Society, Harvard Law School (Dec. 3, 1998).
65
See KENNETH LEE & GABRIEL SPEYER, PLATFORM FOR PRIVACY PREFERENCES PROJECT & CITIBANK
(1998), available in <http://www.w3.org/P3P/Lee_Speyer.html >.
66
67
See id.
See Stever Lohr & John Markoff, Netscape Bid Seen by America Online, N.Y. TIMES, Nov. 23, 1998, at
A1.
A Framework for Privacy Protection
Page 33
the biggest problem impeding the desired penetration of P3P is the lack of any
enforcement of the P3P negotiated contracts for privacy policy. Essentially P3P assumes
that after having reached an acceptable contract with a service, the user will then trust the
service to abide by that contract – an assumption that simply cannot be made.68
On a more basic level, the fact remains that websites currently have no incentive
to adopt P3P – the current legal regime allows them to collect information at-will,69 and
so they have no reason to expend time, effort, and resources to form contracts with
particular users to obtain their data. As long as websites do not adopt P3P, users will not
push for the product – and so long as users do not push for it, websites will not feel
pressure to adopt it. This point is discussed in more detail in the Markets and Norms
section.
If the market's current resistance to the adoption of P3P can be overcome, P3P has
a great chance of achieving its desired goals – to better protect the privacy of users while
supplying websites with a clean and fair amount of information on the user. In fact, both
Microsoft and Netscape have made numerous public statements as to their "commitment
to privacy," and it is widely believe that companies would create user agents for P3P,
upon the completion of the P3P specification. The most popular web server being used
today, Apache, has made statements affirming its commitment to P3P, as well.70 With
some mechanism in place to encourage these, and other sites, to make good on their
68
See LEE & SPEYER, supra note 65.
69
See Legal Section.
70
Interview by Christian Baekkelund with Daniel Weitzner (Dec. 8, 1998).
A Framework for Privacy Protection
Page 34
commitments, P3P could likely succeed.
LAW
There are currently no legal limits on the use of information gathered through the
methods described above in the absence of an explicit promise by the website to limit the
use of such data.71 To date, federal governmental response to the possibility of privacy
violations on the Internet has been to recommend industry self-regulation.72 However, a
review of the current legal patchwork regarding informational privacy provides some
insight as to how privacy is traditionally conceived, and protected, in the United States.
Moreover, the erratic development of privacy law in the "real world" may be indicative of
future difficulties with protecting privacy in cyberspace.
In the United States, privacy is protected by three mechanisms of law:
constitutional law, case or common law, and statutes. As the supreme law of the land,
the Constitution provides the framework within which the limits of privacy protection
71
For instance, Deirdre Mulligan from the Center for Democracy and Technology, pointed out this exact
problem before the Senate Committee on Commerce, Science, and Transportation, Subcommittee on
Communications. She states:
The Federal Trade Commission's jurisdiction over deception generally comes into play
where a company has inaccurately stated its information practices to consumers.
Therefore, those who make no statements about how the handle data are less likely than
those who inform consumers of data use to be prosecuted. While the FTC's legal
framework is likely to discourage self-regulatory activities, the FTC, the Department of
Commerce and the White House have actively encouraged and prodded industry to take
steps to protect privacy or be subject to legislation. The recent Geocities settlement offers
an example of the problem. Geocities was found to be in violation of their privacy policy.
Had they not posted a privacy policy it seems unlikely that the FTC would have sought
them out for action.
FDCH Congressional Testimony, September 23, 1998.
72
See Beth Givens, A Review of the Fair Information Principles: The Foundation of Privacy Public Policy
(last visited Dec. 7, 1998) <http://www.privacyrights.org/ar/fairinfo.html>.
A Framework for Privacy Protection
Page 35
operate. Federal and state statutes, operating within the confines of the Constitution,
explicitly regulate behavior and provide protection for privacy as conceived by the vox
populi. State and federal courts interpret statutes and apply constitutional principles,
generating case or common law, which, by precedent, govern future legal decisionmaking.
Constitutional Law and Common Law73
In 1791, the Bill of Rights was created to protect the people of the United States
from the government.74 Primarily through the First, Third, Fourth, and Fifth
Amendments, various "zones of privacy" are protected from federal75 government
intrusion.76 Although the right to privacy may not have been explicitly stated as a right
of U.S. citizens, various courts have interpreted several Amendments77 to provide
73
Because constitutional law by its nature requires interpretation by courts, it is almost impossible to
provide a coherent analysis of constitutional doctrine without cases applying the principles. Thus, the
discussion of constitutional law is supplemented by some case discussion.
74
Because the Bill of Rights was created to protect from the abuses of government power, it provides little
to no protection from private actors, although there is a small exception for when a private entity is
essentially acting in a governmental capacity. See e.g., Norwood v. Harrison, 413 U.S. 455 (1973)
(affirming that "a state may not induce, encourage or promote private persons to accomplish what it is
constitutionally forbidden to accomplish").
75
Although our focus is on efforts by the federal government to protect privacy, it is noteworthy that nine
states explicitly guarantee the right to privacy within their constitutions: Alaska, Arizona, California,
Florida, Hawaii, Illinois, Louisiana, Montana, and Washington. See Comment, E-mail in the Workplace
and the Right of Privacy, 42 VILL. L. REV. 1011, 1018-19 (1997) [hereinafter Workplace]. Of these nine
states, only California, extends protection of the right to privacy to not only public employees, but private
employees. See id at 1019.
76
77
See Griswold v. Connecticut, 381 U.S. 479 (1965).
Further discussion of the Third and Fifth Amendments are not necessary, as their context is rather
limited. For example, the Third Amendment is a prohibition against the quartering of soldiers in homes
without consent, i.e. protecting the privacy/sanctity of a citizen's home. See U.S. CONST. amend. III. The
Fifth Amendment protects an individual's right against self-incrimination – again, the right to withhold
speech. See U.S. CONST. amend. V. The Ninth and Fourteenth Amendments are also often included in
discussions of constitutional amendments protecting privacy. See Center for Democracy and Technology,
CDT's Guide to Online Privacy (visited Dec. 1, 1998)
A Framework for Privacy Protection
Page 36
important ancillary protections for privacy.
The First Amendment78 is the authority behind freedom of speech. Although the
constitutional prohibition on the regulation of speech usually concerns the freedom to
speak, the doctrine also includes the freedom not to speak.79 Although the right to
anonymity -- the right to withhold speech identifying oneself -- has been repeatedly
upheld in the context of the print media, it is still unsettled whether this protection will be
extended to on-line media.80 The First Amendment also provides for the right to free
assemblage. It has been interpreted to protect the "freedom to associate and privacy in
one's associations."81 For example, this has been extended to privacy in one's marital
relations.82
<http://www.cdt.org/privacy/guide/basic/index.html>.
78
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise
thereof; or abridging the freedom of speech, or of the press, or the right of the people peaceably to
assemble, and to petition the Government for a redress of grievances." U.S. CONST. amendment I.
79
See McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995) (affirming the right to conduct
anonymous political leafletting).
80
In 1996, the Georgia legislature enacted a statute prohibiting online users from using pseudonyms or
communicating anonymously over the Internet. See GA. CODE ANN. § 16-9-93.1 (Supp. 1997). In
response, the ACLU and the Electronic Frontier Foundation brought suit in September 1996 in the Federal
District Court for the Northern District of Georgia, and obtained a preliminary injunction against
enforcement of the statute. See ACLU v. Miller, No. (N.D. Ga. June 20, 1997). For more information, see
Jeff Kuester, Unconstitutional Georgia Internet Police Law (visited Dec. 2, 1998) <http://
www.kuesterlaw.com/kgalaw.htm>.
81
NAACP v. Alabama, 357 U.S. 449 (1958) (ruling unconstitutional an Alabama statute requiring the
registration of the NAACP membership list with the state).
82
Although courts have generally been reluctant to intrude on the right of privacy in one's bedroom, this
right has been, and continues to be, the subject of many battles. See Griswold v. Connecticut, 381 U.S.
479, 484 (1965) (striking down a Connecticut statute forbidding the use of contraceptives because it
conflicts with the exercise of the right to marital privacy); see also Roe v. Wade, 410 U.S. 113 (1973). But
see Bowers v. Hardwick, 478 U.S. 186 (1986).
A Framework for Privacy Protection
Page 37
The Fourth Amendment83 protects people from searches based on a "reasonable
expectation of privacy" test84 by excluding from criminal trials evidence obtained by an
unconstitutional search. While the vagueness of the term "reasonable expectation" has
foreseeably led to much litigation, the translation of the Fourth Amendment to the on-line
world adds additional wrinkles to the debate over the meaning of the Fourth Amendment.
Harvard Law School Professor Lawrence Lessig has lectured about this problem,
pointing out that technology will soon make it possible to conduct "burdenless"
searches.85 The Fourth Amendment prohibits "unreasonable" searches – and the newest
advances now bring to light the latent ambiguity behind the term. Does "unreasonable"
really refer to expectations of privacy or to the burden upon the individual searched?
Common Law
The Constitution provides protection for private citizens from the government; for
intrusions of privacy from non-state actors, common law has conferred some protection
as well.86 Two basic areas of common law have been invoked to preserve people's right
to privacy: tort law and contract law. Tort law involves wrongs committed by one person
to another; the courts have long recognized the tort of invasion of privacy. Contract law
83
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or
things to be seized." U.S. CONST. amendment IV.
84
See Katz v. US, 389 U.S. 347 (1967) (establishing the reasonable expectation of privacy test).
85
Professor Lawrence Lessig, Lecture for Cyberspace and Social Protocols, Fall 1998.
86
At its earliest conceptions, however, the right to privacy was not widely accepted. See Roberson v.
Rochester Folding Box Co., 64 N.E. 442, 443 (N.Y. 1902) (rejecting right to privacy because past
American courts had not yet recognized a right to privacy, preferring instead to defer to the legislature's
power to create such a right). Later courts realized that a right to privacy did exist, emanating the various
guarantees in the U.S. Constitution. See supra text accompanying notes 73-85.
A Framework for Privacy Protection
Page 38
involves agreements between parties and may govern the level of privacy granted, either
explicitly (as in a contract for data that includes privacy provisions) or implicitly (as in an
informal employment contract).
Tort Law
William Prosser, the original draftsman of the Restatement (Second) of Torts,
delineated the four actions in tort for invasions of privacy as:
1) intrusion upon the plaintiff's seclusion or solitude, or into his private affairs;
2) public disclosure of embarrassing private facts about the plaintiff;
3) publicity which places the plaintiff in a false light in the public eye; and
4) appropriation, for the defendant's advantage, of the plaintiff's name or
likeness.87
There are many exceptions and defenses to the above claims,88 and it is often difficult in
the privacy realm to specify what damage resulted from the wrong,89 making these
doctrines very difficult to use in court.
According to Joel Reidenberg, most state courts recognize actions for at least one
87
See William Prosser, The Right of Privacy, 48 CAL. L. REV. 383, 389 (1960).
88
For example, information voluntarily disclosed or readily available from public sources is not protected
under any of these actions. See Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or
Frontier for Individual Rights? 44 FED. COMM. L.J. 195, 223-24. (1992). Moreover, plaintiffs may have to
meet the standard of "offensiveness," i.e., the information revealed/publicized/misappropriated was
extremely private, or of showing that the information was publicly distributed. In the context of the privacy
violations envisioned by this White Paper, such a threshold is extremely difficult to overcome.
89
See id.
A Framework for Privacy Protection
Page 39
of these privacy invasions90 and some have codified aspects of the four actions in both
civil and criminal statutes.91 Yet Reidenberg notes that this is not the case in the majority
of states. New York, for example, only allows the misappropriation claim,92 and
Minnesota is reputed to disallow all four actions for privacy intrusion.93
Contract Law
Whereas tort law awards compensation for intrusions on privacy after the fact,
contract law attempts to set the terms of the "intrusions" beforehand. Most of the
measures suggested to protect online privacy, either by technology or by statute,
inherently rely on contract law – that is, they envision people contracting to "sell"
information about themselves in exchange for access. This means that all of these
measures are limited by all of the flaws that exist in contract law, like informed consent,
unequal bargaining power, and mandatory non-negotiable contracts (also known as
contracts of adhesion). For example, some websites offer basic (and superficial)
90
See Restatement (Second) of Torts, 652A app. reporter's note (1989 & Supp. 1990). See also Kelly v.
Franco, 391 N.E.2d 54, 57-58 (Ill. App. Ct. 1979) (holding that Illinois protects only against the
misappropriation of a person's name or likeness for commercial purposes); Strutner v. Dispatch Printing
Co., 442 N.E.2d 129, 134 (Ohio Ct. App. 1982) (holding that Ohio has not adopted false light privacy tort);
Kalian v. People Acting Through Community Effort, 408 A.2d 608 (R.I. 1979) (holding that Rhode Island
recognizes only limited common law rights of privacy), all cited in Reidenberg, supra note 88.
91
See, e.g., CAL. CIV. CODE @ 3344 (West Supp. 1991); FLA. STAT. ANN. @ 540.08 (West 1988); KY. REV.
STAT. ANN. @ 391.170 (Michie/Bobbs-Merrill 1984); MASS. ANN. LAWS ch. 214, @ 3A (Law. Co-op.
1986); NEB. REV. STAT. @@ 20-201 to -211 (1987); N.Y. CIV. RIGHTS LAW, @@ 50, 51 (McKinney
1990); OKLA STAT. ANN. tit. 21, @ 839.1 (West 1983); R.I. GEN. LAWS @@ 9-1-28 to 9-1-28.1 (1985);
TENN. CODE ANN. @@ 47-25-1103, 47-25-1105 (1988 & Supp. 1990); UTAH CODE ANN. @ 45-3-3
(1988); WIS. STAT ANN. @ 895.50(2) (West 1983), all cited in Reidenberg, supra note 88.
92
See, e.g., Gautier v. Pro-Football, Inc., 107 N.E.2d 485, 487-88 (N.Y. 1952); Anderson v. Strong
Memorial Hospital, 531 N.Y.S.2d 735 (N.Y. Sup. Ct. 1988)., cited in Reidenberg, supra note 88.
93
See ROBERT ELLIS SMITH, A COMPILATION OF STATE AND FEDERAL PRIVACY RIGHTS 29 (1988), cited in
Reidenberg, supra note 88.
A Framework for Privacy Protection
Page 40
information about their privacy policies and warn the user that use of the site is
conditioned upon acceptance of these practices.94 However, there is no opportunity for
the user to bargain over the terms of the contract – the terms are offered on a take-it or
leave-it basis. Because most sites have similar policies, or do not delineate their practices
at all, the user generally has only the choice between surfing on the terms of website
owners or not surfing at all. Further, there is little point to a user rejecting a particular
website over its privacy policies, as many other sites – which do not reveal their policies
– may use the user's data, and so any particular transaction has little value to the user.95
However, in real space, the legal issues involved in cases revolving contract terms
with explicit privacy protections are relatively uninteresting. Rather than presenting
novel issues of law, the translation of contract law from the real world to the cyberworld
would seem to lead to consistency and present little difficulty.96
In those cases where terms governing the protection of privacy have not been
explicitly delineated in contracts or agreements, the courts have been more divided.
Privacy implied in contracts mostly surfaces as an issue in workplace privacy, where
employees may or may not have waived their right to privacy implicitly by agreeing to
94
For example, at the FX Networks site, the privacy policy reads: "Use and participation in FX's Internet
sites is contingent upon your acceptance of the following terms and rules. By using our sites, you accept
these terms. In addition, your continued use of this site after a change has been made to the policies of our
sites implies your assent to those changes." FX Networks, Terms, Conditions, and Privacy (last visited Dec.
7, 1998) <http://www.fxnetworks.com/fxm/htmls/copyright.html>.
95
See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193, 1253-1255
(1998).
96
Granted, there is the current furor over the proposed UCC Article 2B. See, e.g., Brenda Sandburg, UCC
Talks Falling Apart, IP Magazine (Oct. 8, 1998) <http://www.ipmag.com/dailies/981008.html>. However,
this is outside the scope of the paper.
A Framework for Privacy Protection
Page 41
work for an employer.97 However, the trend appears to be that the courts will allow most
monitoring on the theory that there is no "reasonable expectation of privacy" in the
workplace.98 Techniques include video surveillance, keystroke monitoring, and
monitoring of e-mail and Internet usage.99
Federal Statutes100 and Common Law101
In 1977, recognizing the danger posed by new technology, Congress established
the Privacy Protection Study Commission in order to conduct an extensive study of
privacy rights in a world with computers.102 The Commission focused on record-keeping
in eight different areas: (1) consumer-credit; (2) the depository relationship; (3) mailing
lists; (4) insurance; (5) the employer-employee relationship; (6) medical care; (7)
investigative reporting agencies; and (8) education.103 The study concluded that, even
within the limits of law, privacy was not sufficiently protected from government, nor
from private industry.104 Despite this early warning, it is only recently that Congress
97
See Susan Stellin, Privacy in the Digital Age, CNET (May-June 1996)
<http://www.cnet.com/Content/Features/Dlife/Privacy/ss05.html>.
98
See Michael A. Smyth vs. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa 1996).
99
As explained earlier, see Introduction, this is largely outside the scope of our focus. For a more complete
explanation, see Workplace, supra note 75.
100
For a good discussion of state laws protecting privacy, see Reidenberg, supra note 88, at 227-37.
101
In a manner similar to the above discussion of constitutional law, an analysis of disembodied statutes
and regulations is largely meaningless without application to real-life scenarios. Thus, case law discussing
the application of statutes is included in this section.
102
See U.S. PRIVACY PROTECTION STUDY COMMISSION, PERSONAL PRIVACY IN AN INFORMATION SOCIETY
(1977).
103
104
See id. at xiii.
See id.
A Framework for Privacy Protection
Page 42
began to move towards more protection of privacy.105
While the substantial number of Internet bills introduced recently in Congress
seems promising,106 very few bills have actually been enacted, suggesting that the
government is reluctant to make many changes to its policy on the Internet.
Unfortunately, Congress' inaction, particularly in the area of privacy, does not mean that
the status quo will prevail. The currently allowed level of "legitimate" access to
information allows a great deal of room for the quickly improving methods of collecting,
aggregating, organizing, storing and "mining" data. Without a radical move by the
legislature, novel cases and controversies will continue to arise, the legal vacuum will
have to be filled in "on a piecemeal basis by ad hoc judicial decisions, initiatives by state
attorneys general and other state and local regulators, and by restrictions imposed on the
United States from abroad"107 – providing little consistency and even less peace of mind
for online participants.
Legislation regarding privacy has been scarce and fairly spotty; legislation
regarding privacy online is even rarer. The government deals with particular areas on an
ad hoc basis, largely in response to public outrage,108 or as an afterthought in legislation
105
See Reidenberg, supra note 88, at 196-98. (1992).
106
While in the 104th Congress, only fifty bills directly related to the Internet were introduced, that number
has approximately doubled for the 105th Congress. See Nicholas W. Allard, Privacy On-Line: Washington
Report, 20 HASTINGS COMM. & ENT. L.J. 511, 515 (1998). In addition, and perhaps more illustrative of the
growing governmental interest in the Internet, Strom Thurmond (R-S.C.), the oldest member of the Senate,
became the 100th member of the bicameral Congressional Internet Caucus. See id.
107
108
See id.
For example, theVideo Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (1988) was
enacted to protect information about movie videos people buy or rent after such information was disclosed
during the confirmation process of Supreme Court nominee Robert Bork.
A Framework for Privacy Protection
Page 43
dealing mainly with other bodies of law. Moreover, most of the legislation has been in
reference to the government intruding on an individual's privacy. Very little protection
has been added for intrusions by private actors.
Privacy Act of 1974
Probably the earliest important piece of privacy legislation was the Privacy Act of
1974 (amended).109 It granted individuals the right to see, copy, and correct their federal
agency records, as well as to restrict disclosures of the information without consent. The
limitation is that the Privacy Act only applies to government actors.
Privacy Protection Act (PPA) of 1980
The government made another important move with the enactment of the Privacy
Protection Act (PPA) of 1980.110 The PPA prohibits law enforcement from searching or
seizing "work product" and "documentary" materials from journalists and publishers
unless they have probable cause to believe the person possessing the materials is involved
in a crime, and the materials sought are evidence of the crime. Thus, online systems and
their users are protected by the PPA "to the extent they act as publishers and maintain
publishing-related materials on the system." Again, this was a limitation against
government action, yet provided almost no protection from private entities.
109
Privacy Act of 1974, 5 U.S.C. §§ 552a-559 (1994).
110
Privacy Protection Act of 1980, 42 U.S.C. §§ 2000aa et. seq. (1980).
A Framework for Privacy Protection
Page 44
Electronic Communications Privacy Act (ECPA) of 1986
With the Electronic Communications Privacy Act (ECPA) of 1986, the
government finally took steps to limit the reach of private actors. Enacted to amend Title
III of the Omnibus Crime Control and Safe Streets Act of 1968, which limited the use of
telephone wiretapping, the ECPA covers all forms of digital communications, including
private e-mail. Title I of the ECPA111 prohibits unauthorized interception and Title II
governs unauthorized access to stored communications. The distinction between
messages in transmission and stored messages is important because transmitted messages
are afforded a much higher level of protection than stored communications; Title II
provides for lower fines, higher burdens of proof, and lower requirements for security.112
Courts, following the foundational case of Steve Jackson Games v. United States Secret
Service,113 have interpreted Title I very narrowly, leaving stored e-mail -- even where a
111
18 U.S.C. § 2510 et seq. (1998). See especially § 2510(4)("interception" includes the "acquisition of the
contents of any … electronic communication"); §2510(17)(defining "electronic storage" to include
electronic temporary, intermediate and backup storage); §2511(Title I)(prohibiting interception of
electronic communications); and, § 2701 (Title II)(prohibiting unauthorized intentional access to stored
electronic communications). See also § 2702(a):
(1) a person or entity providing an electronic communication service to the public shall not
knowingly divulge to any person or entity the contents of a communication while in electronic
storage by that service; and
(2) a person or entity providing remote computing service to the public shall not knowingly
divulge to any person or entity the contents of any communication which is carried or maintained
on that service…
But note that §2702(a) is narrowly construed such that only entities who provide electronic communication
services to the public at large (not just employees) qualify for the prohibition. See Andersen Consulting
LLP v UOP, 991 F. Supp. 1041 (N.D. Ill. 1998)(UOP’s divulging Anderson Consultant’s e-mail does not
fall within 2702 because UOP is not a e-mail provider to the public).
112
See Nicole Giallonardo, Casenote: Steve Jackson Games v. United States Secret Service: The
Government's Unauthorized Seizure Of Private E-Mail Warrants More Than The Fifth Circuit's Slap On
The Wrist, 14 J. MARSHALL J. COMPUTER & INFO. L. 179 (1995)(government can get stored e-mail with a
warrant but would need a court order for interception).
113
36 F.3d 457 (5th Cir. 1994)
A Framework for Privacy Protection
Page 45
user has not yet accessed it -- only Title II protection.114 It is questionable whether e-mail
packets "stored" on routers en-route between mail servers would get Title I protection,
but the courts have not yet discussed this issue.
Courts have been extremely reluctant to find that messages were intercepted
during transmission. Moreover, employers may avoid liability under Title I by showing
that the employee consented to the interception either expressly or by implication. Under
the "ordinary course" exception, an employer may intercept an employee's e-mail
communications in the ordinary course of its business if it uses "equipment or [a] facility,
or any component thereof" furnished by the provider of the electronic communication
service in the ordinary course of its business. However, legitimate purposes may include
monitoring to reduce personal use.115
A person violates Title II of the ECPA, the Stored Communications Act, if he or
she "intentionally accesses without authorization a facility through which an electronic
communication service is provided." Such unlawful invasions are more severely
sanctioned when the violation was motivated by "commercial advantage, malicious
destruction or damage, or private commercial gain." There are, however, two major
exceptions. There is no violation of the Stored Communications Act when the conduct is
authorized "by the person or entity providing a wire or electronic communications
service." Many legal commentators warn that this exception may be interpreted by the
114
See id; see also A. Michael Froomkin, The Metaphor Is The Key: Cryptography, The Clipper Chip, And
The Constitution, 143 U. PA. L. REV. 709, 864, note 676 (1995) (discussing the Steve Jackson case as
troubling in its narrow interpretation of the ECPA denying Title I protection to the e-mails, but pointing out
that the e-mails would still be protected by Title II of the EPCA).
115
See Susan Stellin, Privacy in the Digital Age, CNET (May-June 1996)
<http://www.cnet.com/Content/Features/Dlife/Privacy/ss03.html>.
A Framework for Privacy Protection
Page 46
courts to mean that private employers who maintain a computer system have the ability to
browse employee e-mail communications without violating the ECPA Title II.
Under the user exception or consent exception, the Stored Communications Act
does not apply to conduct authorized "by a user of that service with respect to a
communication of or intended for that user." Such authorization may be expressly given,
and in some cases, reasonably implied from the surrounding situation.
One final exception to the ECPA may be required by the Constitution. Since the
jurisdiction of Congress is limited to interstate commerce, the definition of "electronic
communications" under the ECPA is limited to communications and systems which
"affect interstate or foreign commerce." Therefore, a computer system which does not
cross state lines may not be covered by the ECPA. This would seem to exempt companyowned, internal e-mail systems.116
These acts and other similar laws protect areas as broad and diverse as the
interception and disclosure of electronic communications,117 protection for governmentmaintained databases,118 regulation of credit reports119 and financial records,120
116
There has been more written regarding employer monitoring of e-mail. Most articles conclude that
employees have little recourse and cite Bosses With X-Ray Eyes, for evidence that employers monitor email. See Charles Piller, Bosses With X-Ray Eyes, MACWORLD, July 1993, at 118 (21% of employers search
employee files, over 66% who do, don’t tell the employees). The best, most recent discussions are Anne L.
Lehman, Comment: E-Mail in the Workplace: Question of Privacy, Property or Principle? 5 COMM. LAW
CONSPECTUS 99 (1997) and Thomas R. Greenberg, Comment, E-Mail And Voice Mail: Employee Privacy
and the Federal Wiretap Statute, 44 AM. U.L. REV. 219 (1994).
117
See Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2701 (1986).
118
See Privacy Act of 1974, 5 U.S.C. §§ 552a-559 (1994).
119
See Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681-1681t (1994).
120
See Right to Financial Privacy Act, 12 U.S.C. §§ 3401-3422 (1995).
A Framework for Privacy Protection
Page 47
telemarketing,121 and the "Bork law" that protects video rental records.122 Unfortunately,
the industry-specific approach taken thus far by the government has not produced a
general protection for personal data online. Moreover, some experts contend that existing
provisions are inconsistent if not contradictory.123
Legislative Outlook
Unfortunately, it appears that a general protection for online information will not
be created any time soon. Except for a few pockets, such as encryption legislation124 or
protection of children,125 the probability of congressional action on any number of
privacy bills is rather low. Echoing the thoughts of other commentators, Nicholas Allard
conjectures that:
The immediate impact on Congress of the FTC's decision to give industry
(IRSG) self-regulation a chance to work, and the uncertainty over how this
approach can be reconciled with the European Union's privacy rules,
121
122
See Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227(b)(1) (1991).
See Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195 (1988).
123
See Robert O'Harrow, Jr., Laws on Use of Personal Data Form a Quilt With Many Holes, WASH. POST,
Mar. 9, 1998, at A12, cited in Allard, supra note 106, at 529.
124
For example, "Secure Public Networks Act," see S. 909, 105th Cong. (1997), was passed by the Senate
Commerce Committee on June 19, 1997 and later amended slightly. The bill would require the registration
of keys with key recovery agents. On the other side of the spectrum, the Security and Freedom Through
Encryption Act (SAFE), see H.R. 695 105th Cong. (1997), opposes control over encryption and attempts to
impose key recovery; this bill has 249 cosponsors and has been placed on the calendar.
125
Despite industry opposition, several bills which would protect children appear close to being passed. In
the House, H.R. 1972, the Children's Privacy Protection and Parental Empowerment Act, see H.R. 1972,
105th Cong. (1998), would criminalize the selling of personal information about a child absent consent
from a parent. This measure currently has 52 cosponsors and is pending before the House Crime
Subcommittee. Moreover, S. 771, for example, mandates the labeling of advertisements and requires that
Internet service providers make available blocking software to filter out advertisements. See S. 771, 105th
Cong. (1997). The idea behind this legislation is that children are not able to discern between program
content and advertising. This measure is pending before the Senate Communications Subcommittee.
A Framework for Privacy Protection
Page 48
probably will derail any action on privacy legislation this year. 126
Regardless of the expectations for enactment, most of the currently proposed
legislation concerning privacy, abundant thought it may be, would not create a general
protection for online information. Instead it replicates the past governmental pattern of
providing industry-specific measures.
The proposed on-line privacy legislation can be divided up into five main
categories:127
1) Protection of Children
2) Protecting Personal Identification Data
3) Protecting Medical Records
4) Regulating Direct Marketing and Unsolicited E-Mail
For a more complete description of the proposed legislation, please see Appendix, Table
of Pending Legislation.
The European Data Directive
While the U.S. has been moving slowly on the issue of privacy, this is not solely a
domestic issue – and the U.S. needs to consider its role in the global information market.
126
127
Allard, supra note 106, at 533.
Encryption is not being addressed here. Bills and proposals regarding encryption are numerous enough
to warrant a separate paper.
A Framework for Privacy Protection
Page 49
The most urgent consideration, the European Union Data Directive,128 went into effect
October 25 of this year. The Directive sets out privacy standards to be observed in the
collection, processing, and transmission of personal data (standards that are rarely
observed in the US). European countries are also directed to prohibit transfer of personal
data to countries that do not "ensure adequate levels of protection."129 Although the
Directive was passed in 1995, it was only this past summer that U.S. government and
industry began to seriously entertain the thought that European Union would actually find
U.S. practices not up to European standards of data protection, and consequently restrict
data flow.130 In fact, until very recently, the U.S. response had been to lobby European
countries to convince them that the current U.S. policies were adequate.131
Article 25 of the Directive has caused a stir in the United States because it
prohibits transfers to countries that do not have similar privacy regulations giving
"adequate protection" to consumers. The most basic provisions of the Directive are quite
contrary to the status quo in the United States. For example, the Directive, if enacted into
law by an EU member state, would require that data collectors provide advance notice of
128
See European Parliament, Directive 95/46/EC (Oct. 24, 1995) [hereinafter Directive]
<http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html>.
129
See id. at Article 25
130
See David Banisar, The Privacy Threat to Electronic Commerce, COMM. WEEK INT'L, June 1, 1998
<http://www.totaltele.com/cwi/206/206news13.html>.
131
See id. According to Banisar, in fact, the lobbying could have unfortunate results:
In order to put pressure on Brussels, the White House has sent envoys around the world to push
other countries, such as Japan, to not adopt privacy laws. They have threatened to take the EU to
the World Trade Organization, even though GATT specifically exempts privacy laws. It is hard to
imagine that Brussels would not find these actions and statements highly provocative and they
may respond strongly in October.
A Framework for Privacy Protection
Page 50
their intent to collect and use an individual's personal data;132 in addition they give that
individual access to her data,133 the means to correct it,134 and the ability to object to its
transfer to other organizations.135 Moreover, the enacted Directive would require that
data collectors maintain the security and confidentiality of the personal data and only
process personal data for specified, explicit, and legitimate purposes.136 More
particularly, the common use of Internet cookies in the U.S. may be especially
troublesome to the European Union Privacy Commission, which has previously stated
that "transfers involving the collection of data in a particularly covert or clandestine
manner (e.g. Internet cookies) pose particular risks to privacy."137 In theory, conflicts
such as these could keep the United States off the Privacy Commission's White List of
countries that provide adequate privacy protection.
Recognizing these dangers, various U.S. parties have begun to reconsider their
privacy policies. The Commerce Department proposed guidelines138 to help U.S.
companies meet the European Union's new privacy rules. The proposed guidelines
include: notifications to individuals about the collection and use of personal information;
132
See Directive, supra note 128, at art. 10.
133
See id. at art. 12.
134
See id. at art. 10.
135
See id. at art. 14.
136
See id. at art. 6.
137
The European Commission, First Orientations on Transfers of Personal Data to Third Countries:
Possible Ways Forward in Assessing Adequacy (last modified June 26, 1997)
<http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp4en.htm>.
138
See C-Net News.com, U.S. Proposes Privacy Principles (Nov. 9, 1998)
<http://www.news.com/News/Item/0,4,28510,00.html?owv>.
A Framework for Privacy Protection
Page 51
instructions about how to limit or stop the use of that information; being told when
information is being sold, rented, or shared with a third party; disclosure about how
secure that information is from being stolen or misused, and instructions to individuals
about accessing any and all information a company has obtained about them.139 As of
late November, perhaps in recognition of the possible embargo in information, the Direct
Marketing Association had agreed to endorse conditionally a series of guidelines
proposed by the Commerce Department.140 What is encouraging is that these changes
have come about despite the fact that the European Union had agreed to allow
information to flow unimpeded between U.S. marketers and its member nations.141 How
long this state of affairs will last, however, is unknown.142
MARKETS AND SOCIAL NORMS
When Secretary of Commerce William Daley admonished businesses earlier this
year that protecting privacy was in their best interest, he was talking about the threat of
government regulation, not market forces.143 Businesses interested in collecting and
139
However, the administration and the EU still disagree on enforcement. The administration proposal
suggests the creation of independent' entities to resolve disputes between individuals and companies. It also
includes unspecified "consequences'' for firms not adhering to the guidelines. See id.
140
See Directnewsline, DMA Tentatively Backs Commerce Dept. EU Privacy Guidelines (last modified
Nov. 23, 1998)
<http://www.mediacentral.com/Magazines/DirectNewsline/Archive/1998112303.htm/Default>.
141
See Directnewsline, EU Agrees Not to Interrupt Data Flow for Time Being (last modified Oct. 28, 1998)
<http://www.mediacentral.com/Magazines/DirectNewsline/Archive/1998102801.htm/Default>. Despite
this concession, however, the EU has chosen to reject the proposed Commerce Department principles as
sufficient in the long run. See Fox News, EU Rejects U.S. Data Privacy Protection Plan (last modified
Nov. 23, 1998) <http://www.foxmarketwire.com/wires/1123/f_rt_1123_18.sml>.
142
For news as it becomes available in regard to the effects of the European Data Directive, see The
Privacy Page <http://www.privacy.org/> (last visited Dec. 7, 1998).
143
William Daley, Speech at Commerce Department Conference on Internet Privacy, June 23, 1998 (last
A Framework for Privacy Protection
Page 52
sharing personal information about their site visitors have never had it so good. The
collection, storage, analysis and sharing of information is cheap in today’s economy and
consumers willingly part with personal data in a market where divulging that data
without privacy protection is the norm.
As discussed above, all currently available web server software logs IP addresses
and various other pieces of information about every HTTP request it processes. In order
to collect additional information from web users, all a site operator needs to do is code an
HTML fill out form and CGI script to process its results. Many form examples and
tutorials are available on the web144 but form processing CGI programming used to be an
impediment to some users.145 Since free services now e-mail responses directly to the
form author, even that barrier has been eliminated.146 That means that setting up a
website that collects personal information is now no more expensive than setting up a
website that doesn’t.147 "Cookie" processing, as described above, is slightly more
visited December 1, 1998) <http://www.techlawjournal.com/privacy/80623dal.htm> (last visited December
1, 1998).
144
See Web Communications, HTML Form Tutorial (last visited Dec. 3, 1998)
<http://www.webcom.com/~webcom/html/tutor/forms/>.
See National Center for Supercomputing Aplications (NCSA), A Beginner’s Guide to HTML
<http://www.ncsa.uiuc.edu/General/Internet/WWW/HTMLPrimer.html> (last visited Dec. 3, 1998) (stating
that forms are not covered in this widely known primer because of the "of the need for specialized scripts to
handle the incoming form information").
145
146
See Response-O-Matic: Free Form Processor (last visited Dec. 3, 1998) <http://www.response-omatic.com/>.
147
Website set up and maintenance costs have also fallen sharply. Many website hosting companies charge
less than twenty dollars a month for unlimited access sites while other websites will host individual pages
for free. See HostSearch (last visited Dec.3, 1998) <http://www.hostsearch.com/> (listing many web
hosting packages under twenty dollars). See also Geocities (last visited Dec. 3, 1998)
<http://www.geocities.com/> (offering up to eleven megabytes of free web page space).
A Framework for Privacy Protection
Page 53
complicated but again free scripts are available on the web148 and the subject is covered
in many introductory programming books.149
Storage of the collected information is also very cheap and getting cheaper.
Storing the name, social security number, address, phone number, income, birthday, and
last 100 pages requested by a user would take approximately 5,000 bytes without any
compression.150 Using data compression algorithms, that number could be as low as 500
bytes.151 Current prices for hard drives mean that the data for approximately 8000 users
can be saved for every dollar spent.152 In short, the collection and sale of data is easy,
cheap, and extremely profitable.
Under the current legal regime – or lack thereof – and the current state of the
technology, information essentially "belongs" to whatever entity has access to it. The
user has little control over what information is revealed or how it is used, and very often
has only the choice between handing over information or not using the Internet at all. In
this way, the United States' lack of a legal framework has awarded to website owners an
"entitlement" to all information that they can obtain – leaving it to users to "buy back"
that information, if they can.
148
See e.g., Matt Wright, HTTP Cookie Library README (last visited Dec. 3, 1998)
<http://www.worldwidemart.com/scripts/readme/cookielib.shtml>.
149
See e.g., SHISHIR GUNDAVARAM, CGI PROGRAMMING ON THE WORLD WIDE WEB 202 (1996).
This number was arrived at using a group member’s personal data. Granted the number used for salary
saved some data space, however it was made up for by the excessively long name. The page references
used were the first ten pages referenced in this section of text.
150
151
152
PKWare’s PKZIP program was used for this example.
Based on storing an uncompressed 5,000 bytes per user and a hard drive cost of $25 per gigabyte which
is the current average price for large drives at Compu Tech USA, a computer retailer. See Compu Tech
A Framework for Privacy Protection
Page 54
In a perfect market, users would, theoretically, be able to "repurchase" their
information so long as the users valued the information more than the website did.153 In
the absence of transaction costs, users would be able to negotiate with each website to
persuade that site not to use the data it had collected. Unfortunately, the transaction costs
in this instance are huge: users cannot easily coordinate their efforts so as to exploit their
market power, websites are not actual "people" and so cannot be negotiated with (leaving
the users in a flat take-it-or-leave-it position), the costs of investigating the policies of
individual websites are high, and even if a user is able to "repurchase" information from a
single website, there will still be a myriad of other websites that the user will have to
negotiate with in order to truly "own" his or her information – otherwise, the individual
contract formed with the single website is valueless, because other websites will still be
able to trade the information freely.154
Industry self-regulation has been remarkably unsuccessful in large part because of
these basic realities.155 Though the Federal Trade Commission has long advocated a
system of self-regulation and has provided guidelines to industry to assist it in this
effort,156 the FTC reports that fewer than 14% of websites surveyed even posted basic
information about their privacy practices, and fewer than 2% actually had developed
USA (last visited Dec. 3, 1998) <http://www.computechusa.com/>.
153
See A. MITCHELL POLINSKY, AN INTRODUCTION TO LAW AND ECONOMICS 11-12 (1989).
154
See Kang, supra note 95, at 1256.
155
See FTC, supra note 6.
156
See FTC, Consumer Privacy on the World Wide Web (last visited Dec. 8, 1998)
<http://www.ftc.gov/os/1998/9807/privac98.htm>.
A Framework for Privacy Protection
Page 55
"comprehensive" privacy policies.157 The Electronic Frontier Foundation has also noted
that despite guidelines issued by the Direct Marketing Association regarding web user
privacy, most websites are stubbornly noncompliant.158 Given the profitability of
collecting personal information, as well as the costs of implementing a system of privacy
protections,159 these results are hardly surprising. In fact, whenever a particular company
does make basic assurances about protecting users' privacy, it is merely opening itself up
to liability should these policies be violated.160 A perfect example can be found in the
Geocities case: Geocities, a large provider of free web space, promised its customers that
their data would not be sold to any other entity. As it turned out, the data was sold, and
the Justice Department forced Geocities to modify its policies in exchange for dropping
the lawsuit. However, rather than simply agreeing to abide by its original privacy policy,
Geocities chose instead to discontinue its privacy guarantees.161
Some attempts have been made to solve these problems and allow for greater user
control over personal information. P3P, described above, is one such proposal.
Unfortunately, P3P on its own suffers from the fact that the current "free-market" regime
is very beneficial to corporate interests. Commercial websites own the information now
– this leaves consumers with precious little to bargain with, and it leaves websites with no
157
See id.
158
See EPIC, Surfer Beware II: Notice is Not Enough (last visited Dec. 8, 1998)
<http://www.epic.org/Reports/surfer-beware2.html>.
159
See Joseph M. Reagle, Jr., Boxed In: Why U.S. Privacy Self-Regulation Has Not Worked, Dec. 4, 1998.
160
See id.
161
See Joel Brinkley, Website Agrees to Safeguards in First On-Line Privacy Deal, N.Y. Times, August 14,
1998, at A15.
A Framework for Privacy Protection
Page 56
incentive to adopt P3P technology. Though, in theory, widespread consumer demand for
P3P might entice websites to begin to use it, such coordinated demand is unlikely arise
given general consumer ignorance, inertia, and the entrenched commercial interests that
have a stake in ensuring the system remains unchanged.
Case Study: A Norms Solution
In early 1996, Internet privacy concerns became so great and widespread that the
U.S. government began to consider possible legislation regulating privacy practices on
the Internet. Businesses on the Internet clearly did not think that this was in their best
interest, fearing that governmental intervention would not be researched properly, would
be too heavy handed, and would be too strict for businesses desires. Instead, efforts to
create privacy self-regulation came about in an effort to head off the need for
governmental intervention.162 After hearing a talk at Esther Dyson's PC Forum in March
1996, Lori Fena, Executive Director of the Electronic Frontier Foundation (EFF), and
Charles Jennings, founder and CEO of Portland Software, formed TRUSTe.163
TRUSTe is an effort to change the norms with regards to privacy on the Internet.
The idea is to create a "trustmark" that can be displayed by websites which acts as a
certification to the Internet public. TRUSTe is attempting to create a social norm that
162
See TRUSTe, For Web Publishers (last visited Dec. 9, 1998)
<http://www.truste.org/webpublishers/pub_privacy.html> ("The federal government is dead serious about
enacting stringent privacy legislation if the industry doesn't show NOW that it can self-regulate effectively
.... If you don't take advantage of self-regulatory measures such as the TRUSTe program for protecting
users' privacy, it is only a matter of time before government regulation takes over. Federal intervention will
absolutely translate into less flexibility and more costly privacy implementation measures for Websites
across the board.").
163
See TRUSTe, About TRUSTe (last visited Dec. 6, 1998)
<http://www.truste.org/about/about_truste.html>.
A Framework for Privacy Protection
Page 57
dictates if a user visits a site with the TRUSTe trustmark, he should feel confidence in the
stated privacy practices of that website. This desire to shift the norms to have people feel
secure while using the Internet, specifically while accessing a website that is a member of
the TRUSTe organization, is even present in TRUSTe’s trademarked motto: "Building a
Web you can believe in."164 The two key principles that TRUSTe is founded on are that
"users have a right to informed consent" and "no single privacy principle is adequate for
all situations."165
This shift of norms must be accomplished on two fronts: websites must join the
TRUSTe organization and abide by their rules, and users must understand what TRUSTe
is, what the trustmark means, and desire to access websites with the TRUSTe mark. To
join TRUSTe, websites must put together an easily-accessible public description of their
privacy practices that is linked to a clearly-displayed TRUSTe mark, and they must agree
always to abide by those privacy practices. TRUSTe members then pay a fee
proportional to their company’s annual revenue to the TRUSTe organization and thus
become official TRUSTe sites.166 TRUSTe sites are periodically audited by TRUSTe to
make sure they are in accordance with the TRUSTe rules and regulations, for it is in
TRUSTe’s best interest to promote faith in its mark by ensuring that the websites bearing
the mark be truthful and honest.
A TRUSTe site’s posted privacy statement must at a minimum describe seven
164
See id.
165
See id.
166
See TRUSTe, How to Join the TRUSTe Program (last visited Dec. 5, 1998)
<http://www.truste.org/webpublishers/pub_join.html> for details on how websites join TRUSTe and how
much money they must pay to join.
A Framework for Privacy Protection
Page 58
different areas of that website’s privacy policy.167 The first section explains what
information can or will be gathered about the user (e.g., e-mail address, site pages
visited), and the second section clearly identifies the entity that is making the collection .
The third section explains how any collected information will be used (e.g., for
anonymous, aggregate statistics, for personalization, for ad targeting). The fourth section
explains with whom the information might be shared (e.g., only divisions of the company
running the site, particular outside companies, the highest bidder). The fifth section
describes the "opt-out" policy of the site; this policy deals with those services and
collection schemes in which the user may not to participate. The sixth section explains
how a user may update or correct any information collected about him. The seventh
section explains the "delete/delist" policy. This policy deals with how a user may remove
his information or registration from a site.168
For TRUSTe to be successful, it must make the Internet public aware of, and
watchful for, the TRUSTe mark. Through public dissemination of information, such as
that easily accessible at the TRUSTe website,169 Internet users must be made to have faith
that websites will be true to their declared privacy practices. TRUSTe is continuously
striving to make people aware of what the trustmark means in an effort to have users
167
For good and interesting examples of this posted privacy policy, see C-NET (last visited Dec. 9, 1998)
<ttp://www.cnet.com/privacy.text.html>; Disney (last visited Dec. 9, 1998)
<http://www.disney.com/Legal/privacy_policy.html>; Prizes.com (last visited Dec. 9, 1998)
<http://www.prizes.com/privacy.phtml>; Wired (last visited Dec. 9, 1998)
<http://www.wired.com/home/digital/privacy/>; and Verisign (last visited Dec. 9, 1998)
,http://www.verisign.com/truste/>.
168
See TRUSTe, TRUSTe Program Principles (last visited Dec. 6, 1998)
<http://www.truste.org/webpublishers/pub_principles.html>.
169
See TRUSTe, The TRUSTe Program: How it Protects Your Privacy (last visited Dec. 7, 1998)
<http://www.truste.org/users/users_how.html>.
A Framework for Privacy Protection
Page 59
desire to use websites with the mark.170 The aforementioned minimum privacy practices
are advertised to the Internet public, as well as the fact that if any TRUSTe member
website is in breach of their declared privacy policies, the user should contact TRUSTe to
seek action against the website’s publishing organization.171
TRUSTe Strengths
A few key strengths exist in TRUSTe’s proposed plan of self-regulation and
manipulation of World Wide Web norms. First, the fact that adoption of TRUSTe is
technology independent and does preclude other technological solutions.
Anonymization, encryption, and similar technological solutions can coexist with
TRUSTe. In fact, P3P provides the possibility for "assuring parties" to mark the privacy
practices of a particular website to boost users' faith in the value of their contracts. 172 A
second advantage is that, unlike P3P, no new technology is needed to be used by the
websites and users. Third, as TRUSTe wishes to maintain the credibility of its mark,
TRUSTe will engage in extra effort to audit the TRUSTe websites and ensure that they
abide by the rules and guidelines. Finally, TRUSTe claims that it will negotiate the
settlement of any breaches of stated policy between a website and user, providing the
170
See id. ("The trustmark is awarded only to sites that adhere to established privacy principles and agree to
comply with ongoing TRUSTe oversight and consumer resolution procedures.").
171
See TRUSTe, The TRUSTe Watchdog (last visited Dec. 7, 1998)
<http://www.truste.org/users/users_watchdog.html>.
172
See W3C, The Platform for Privacy Preferences (last visited Dec. 7, 1998)
<http://www.w3.org/TR/1998/NOTE-P3P-CACM-19980731/> ("The P3P proposal may also contain other
information including the name of an assuring party and disclosures related to data access and retention ....
The assuring party is the organization that attests that the service will abide by its proposal. Assurance may
come from the service provider or an independent assuring party that may take legal or other punitive
action against the service provider if it violates an agreement. TRUSTe (discussed elsewhere in this issue)
is one such organization that has provided Website privacy assurances, even before the development of
P3P.")
A Framework for Privacy Protection
Page 60
user a path of recourse if a website does not adhere to its promises. A user might
otherwise have no easy remedy against a website who had broken its privacy promises.
Problems
However, TRUSTe has many problems, current and potential, that are impeding
its effect on the privacy norms of the Internet. For one, it is designed primarily as a
solution for businesses to self-regulate and thereby ward off governmental
intervention,173 and as such, many of the fundamental principles of TRUSTe do not apply
well to small web publishers. TRUSTe’s proposed solution simply does not make it
simple and useful for a private individual or small web publisher to register as a TRUSTe
website. In fact, TRUSTe may even raise possible anti-trust issues, as TRUSTe's privacy
requirements may act as a barrier to entry in the e-commerce market for smaller
companies.174 An additional detriment to smaller organizations trying to adopt TRUSTe
is that it increases the liability of the company. A company would not necessarily wish to
subject itself to possibly having to pay fines via TRUSTe for a breach of privacy for
actions that, but for its adoption of the TRUSTe mark, are perfectly legal and without
penalty.175
Another serious problem is that the TRUSTe mark does not mean anything other
than that the website adheres to its stated policies – it is not an endorsement of the
173
See TRUSTe, supra note 162 ("The electronic commerce industry stands to miss out on billions of
dollars in revenue if Websites don't address consumer privacy.").
174
See Reagle, supra note 159.
175
See id.
A Framework for Privacy Protection
Page 61
policies themselves, and the mark itself does not alert the user as to what those policies
might be.176 There is the potential for confusion among users, who might easily
understand the mark to signal the presence of a certain level of privacy protection, and
who might therefore willingly hand over information to a site with practices abhorrent to
the user. When TRUSTe was first launched, it issued three different types of marks
signaling associations to standardized TRUSTe privacy policies. However, many
websites did not like the codifying scheme, and it was switched to a single mark.177
For TRUSTe to be effective, the user must examine the privacy policy of every
website visited and determine, case-by-case, whether each website's practices are
tolerable. This process is cumbersome and complicated, and most users will not want to
be bothered to do it (though such manual checking and rechecking would be greatly
reduced through the use of a technology such as P3P). Also, TRUSTe does not allow for
any negotiation – users must either accept a site's policies or leave the site. Again, the
addition of a technological solution such as P3P would provide some help in this regard.
176
For instance, Classifieds2000 bears the TRUSTe mark, and describes its privacy policy as:
Occasionally we ask you to provide us information such as your name, e-mail address, or
what your interests and hobbies are. You never have to answer these questions although
this may limit what services we can offer you .... We use a feature of your browser called
a "cookie" to assign a "User ID." Cookies, by themselves, cannot be used to find out the
identity of any user. Your Classifieds2000 User ID automatically identifies your
computer - but not you - to our servers when you visit our site. Unless you specifically
tell us, Classifieds2000 will never know who you are, even though we assign your
computer a cookie. Other companies which place advertising on our site also have the
ability to assign a different cookie to you in a process that Classifieds2000 does not
control. But since cookies aren't useable for identifying individuals (you'll be just a
number to them), these advertisers will never know who you are - and Classifieds2000
will never tell them!
Classifieds2000 (last visited Dec. 9, 1998) < http://www.classifieds2000.com/cgicls/display.exe?c2k+na_PrivacyPolicy#gathered>.
177
Telephone Interview by Christian Baekkelund with Joseph M. Reagle, Jr., Resident Fellow, Berkman
Center for Internet & Society, Harvard Law School (Dec. 3, 1998).
A Framework for Privacy Protection
Page 62
Though TRUSTe is still largely unknown to Internet users, it recently signed on
some very visible sites. Many of the large commercial Internet sites have joined
TRUSTe, including America OnLine, IBM, Yahoo!, CNET, and Infoseek. In October
1998, TRUSTe started a special children’s related trustmark, and further dealings with
the Federal Trade Commission helped TRUSTe reaffirm its significance.178 These steps,
however, are relatively small and simply not enough. Of the many millions of Internet
sites that collect information about their users, only 215 are currently TRUSTe
certified.179
It is interesting to note that a very similar approach to TRUSTe’s is about to be
launched in early 1999 by the Better Business Bureau (BBB). The BBB is attempting to
accomplish the same goals as TRUSTe with its own mark, the BBBOnline Privacy
Seal.180 The BBBOnline programs have almost all the requirements and stipulations of
TRUSTe, with a few more base level of privacy requirements to join, such that the user
has a little bit more reassurance upon seeing the Privacy Seal.181 BBBOnline, however,
will probably be subject to many of the faults of TRUSTe’s attempt at shifting public
norms regarding privacy on the Internet.
The future of TRUSTe is bleak. Plagued with numerous problems that inhibit its
178
See TRUSTe, supra note 163.
179
See TRUSTe, Look Up a Company, (last visited December 9, 1998)
<http://www.truste.org/users/users_lookup.html> (listing all TRUSTe certified web sites).
180
See BBBOnline, Online Privacy Self-Regulation Program (last visited Dec. 8, 1998)
<http://www.bbbonline.org/privacy/fr_bd2_1.html>.
181
See BBBOnline, The BBBOnline Privacy Program (last visited Dec. 8, 1998)
<http://www.bbbonline.org/privacy/index.html>.
A Framework for Privacy Protection
Page 63
mass adoption, it is not likely that TRUSTe will have the penetration that is necessary to
shift social norms and effect personal privacy on the web. Ultimately, both TRUSTe and
P3P suffer from the same problem – the lack of incentive by website owners to adopt
strict privacy policies. Both are measures to improve contracting – P3P lowers
transaction costs while TRUSTe distributes information – but, as was stated above, web
users currently have no assets to contract with. Any information they can offer to a site is
generally available to that site without a contract at all, and the web's exponential growth
demonstrates that, despite fears about lack of privacy protections, users are willing to risk
their personal information for Internet access. Until this state of affairs has changed,
there is no reason to expect any proposal that depends on industry initiative, will be
widely accepted.
A Framework for Privacy Protection
Page 64
PROPOSAL
As discussed in the previous section, the current privacy protection framework
does not protect individual privacy. In this section we outline a radically different privacy
framework where individuals own their personal information and data collectors must
contract with users for access to it. We impose sanctions on most uses of an individual's
personal information not explicitly authorized by the individual and we suggest a
technical solution to the high transaction costs of getting authorization.
ENTITLEMENT TO INDIVIDUALS
We start with the assertion that the current set of entitlements is wrong, from a
distributional and efficiency standpoint.182 From distributional and moral standpoint, we
do not believe that there is any justification for allowing personal information to "belong"
to a commercial entity merely because that entity has access to it – such a rule, in fact, is
analogous to a real-space rule that allows anyone to break into an apartment and steal the
television set so long as the homeowner left the door unlocked. Though, given the ease
of locking one's door, we might have little sympathy for the homeowner careless enough
to fail to take precautions, this does not mean that we have handed over the property
rights in the homeowner's possessions to all passers-by. The case for refusing to hand
over property rights to information gatherers in cyberspace is even stronger, as, given
today's technology, it is virtually impossible for a user to "lock" his or her doors against
182
See Guido Calabresi and A. Douglas Melamed, Property Rules, Liability Rules, and Inalienability: One
View of the Cathedral, 85 HARV. L. REV. 1089 (1972) (explaining the use of distributional and efficiency
considerations for allocating entitlements).
A Framework for Privacy Protection
Page 65
invasion in the first place. There are also unpleasant distributional effects to awarding
commercial websites, rather than individuals, the right to gather information – users, who
may be composed of individuals of widely varying economic resources, may, as a group,
be less able to afford to make the purchase than would be commercial entities which are,
by and large, a better organized and wealthier group.
From an efficiency standpoint, the current set of entitlements is unsatisfactory, for
all of the reasons set forth in the previous section. If users are too disparate and
widespread a group to effectively coordinate with each other, they cannot easily buy back
their information even if they desire to do so and even if such an ultimate allocation of
resources would be efficient. Industry, with its superior resources, organization, and
information, can most easily initiate requests, determine appropriate "price levels," and
generally prevent the harm that comes from unconstrained use of personal information. It
is therefore better to grant the entitlement to the user and thus force industry to "reveal"
its superior information through the process of contracting.
We propose, therefore, a new legal framework awarding the entitlement of
information to the individual, rather than the current system which awards the entitlement
to the party which can build the better locks.183 This framework would set the default
rule at privacy for users, with three basic exceptions.
183
Cf Kang, supra note 90, at 1245 ("[R]elying upon technologies alone may have unfavorable
distributional consequences, which favor the computer savvy and well-educated.").
A Framework for Privacy Protection
Page 66
THREE EXCEPTIONS:
Operational and Aggregated Data
The first exception would be to allow websites to collect that information that is
functionally necessary for the communication to occur (in the form of TUIDs184) – for
instance, the user's IP address for the time it takes to transmit data. The second exception
would allow the collection of information held in the aggregate (which would be
recorded in the history of TUIDs and also transferred in the form of PUIDs185 if the user
so desires). Because websites often want information about the demographic
characteristics of their own users, and because such information represents no privacy
threat to individuals so long as all data that would connect the information to a particular
person is erased, websites will be permitted to gather this information without users'
permission.186 However, websites would bear the burden of proving that use for
aggregation was not individually identifiable.
Opt-In by Contract
The final exception would be to allow parties to "opt in" to a less-restrictive
system through the use of contract. Our new standard would require that to gather
information beyond the exceptions mentioned above, websites first gain the explicit
184
See the P3P Case Study, in Technology Section, for more information on TUIDs.
185
See the P3P Case Study, in Technology Section, for more information on PUIDs.
186
We would recommend that, as a penalty for misuse of data, websites be subject to a statutorilydetermined minimum penalty, either in the form of a fine or in the form of liability in tort. We also
recommend the creation of an agency to investigate complaints of privacy violations, as a user might only
know that his or her information was compromised, without being aware of which of the many companies
the data was released to was responsible for the violation.
A Framework for Privacy Protection
Page 67
permission of an individual. Further, if the website wants to do more than simply use the
data internally – that is, if the website wishes to sell the data to other businesses –
permission would also need to be obtained.187
AUTONOMOUS COMPUTER CONTRACTING PRIVACY TECHNOLOGY (ACCPT)
The granting of such permission on a case-by-case basis, though legal, would, of
course, be extremely unwieldy. Therefore, given this new legal regime forbidding
websites to collect information without permission, a technological and legal solution
must now be created to allow websites to easily contract into an agreement with a user as
to the privacy policy to be used. We call our proposed guidelines for these agreements
the Autonomous Computer Contracting Privacy Technology (ACCPT). The Platform for
Privacy Preferences (P3P) proposal being developed at the W3C provides an excellent
basis for what ACCPT is to try to accomplish and is adopted as the sample technological
foundation for ACCPT; the technological structure of ACCPT is simply to be a P3P
framework extended and revised with an eye to the legal concerns inherent in agency
contracting in order to ensure fair and enforceable contracts. It is worth noting at the
outset that for ACCPT to be adopted and work successfully, it must be both very simple
for the none-too-savvy user, as well as have a large range of configureability for the
power user. This range of ease of use and flexibility will hopefully come about in the
research and development of user agents by businesses, independent organizations, and
187
A third exception might be necessary to allow websites to ascertain the real-space location of the user
employing modified TUIDs, with this record of location ultimately being erased unless the user later
explicitly agrees to its storage. See infra text accompanying notes 193-196.
A Framework for Privacy Protection
Page 68
private individuals, as is the intended goal with P3P.188
One of the major difficulties, from a legal standpoint, of allowing computerized
agents to contract away real users' privacy is the possibility of a disjunction between a
user's preferences and the "deals" made by the agent. Where there is no meaningful
assent on the part of the user, there is no contract.189 With no contract, under our
proposal, the website is potentially in violation of the law for having used the information
without permission. In order, then, to make sure that ACCPT transactions are legally
binding – and that they provide protection from liability for websites – we propose that
all ACCPT programs operate with a certain degree of transparency. Novice users may
not wish to delve into the bowels of the program in order to set their particular
preferences, and default settings may be devised for them; however, the ACCPT program
must require that the user affirmatively assent to basic aspects of these default profiles,
using clear and easily-understood explanations of what the settings actually mean.190 It is
only by this sort of transparency that a user can be said to have truly assented to the
contract formed by the agent.
Websites negotiating with agents identifying themselves as ACCPT compliant
could, therefore, rely on those contracts as representing the will of the user, whereas they
would enter into contracts with non-ACCPT technology at their peril. If the ACCPT
agent employed by a particular user then turned out to be faulty in some way – say it was
188
Interview by Christian Baekkelund with Daniel Weitzner (Dec. 8, 1998).
189
See Restatement (Second) of Contracts § 21.
190
A less technical and more user-friendly readable version of the harmonized vocabulary would be widely
distributed to promote user understanding and awareness of terms.
A Framework for Privacy Protection
Page 69
not transparent about its defaults, or did not properly "follow" user instructions – liability
for the resulting privacy violations would lie on the maker of the faulty ACCPT
technology, using a negligence standard. In this way, websites would have an incentive
only to bargain with agents that truly do express the preferences of the user, while
programmers would have an incentive to ensure that their products are accessible, and
comprehensible, to less-skilled consumers.
P3P contains a number of beneficial characteristics that it would be wise for
ACCPT to adopt.191 ACCPT utilizes P3P's entire flexible negotiation between user and
service to contract as to privacy practices. As it is designed for P3P, this flexible
negotiation, with possibilities for multiple proposals sent by the service and counterproposals sent by the user, allows for a good and appropriate agreement to be readily and
easily found. P3P's adoption of already defined and used technological standards such as
HTTP, XML, and RDF is another benefit worth noting; it is important to use popular
standards to promote the adoption of ACCPT solutions by businesses. The use of a
harmonized vocabulary is an advantageous step towards universal acceptance and
understanding of P3P, and ACCPT proposes to use the same technique, and in fact retain
the original vocabulary.192 Additionally, the open and non-proprietary nature of the
development of P3P by the W3C is another important point to maintain in ACCPT, for
not only does open development engage well with the developmental nature of the
Internet, it helps foster better and more secure technologies as well as further enable and
191
See the P3P Case Study, in the Technology Section, for more information on the following listed
benefits of P3P.
192
See W3C, supra note 61.
A Framework for Privacy Protection
Page 70
encourage market adoption.
The actual technical differences between the adopted ACCPT base protocol, P3P,
and ACCPT itself are small, but important. First, as stated above, ACCPT requires that a
certain degree of transparency in its operation to ensure that users do not object to the
activities of the agent . Second, ACCPT requires that the individual have some basic
digital certification verifying at least key characteristics such as age and relevant
geographical location.193 This is necessary because ACCPT envisions that sovereigns –
national governments, local governments, and even parents – may wish to restrict an
individual's ability to reveal certain pieces of information. In an effort to enable this
possibility, ACCPT will transmit in the TUID of an ACCPT negotiation the location of
the user making the negotiation as it is represented in their digital certificate.194 Upon the
beginning of a P3P negotiation, the server would collect the profiles from the necessary
sources according to the location of the user. For example, if a user in Pompano Beach,
Florida, makes a request from an ACCPT server, the server may be required to retrieve
the privacy requirements of the city of Pompano Beach, Broward county, Florida state,
and the United States before continuing with the negotiation with the user’s agent.
Which profiles the server must retrieve would be dependent upon the location of the user
193
It is important to note that how individuals attain these certificates and how the certificates are assuredly
true is beyond the scope of our proposal. Our proposal is simply based in a setting where this is the case.
The server would make use of a language to be proposed similar to P3P’s APPEL (A P3P Preference
Exchange Language). For more information on APPEL, see W3C, A P3P Preference Exchange Language
(last visited Dec, 8, 1998) <http://www.w3.org/TR/WD-P3P-preferences>. APPEL is to be used in P3P to
exchange privacy preference profiles between two entities and a language similar to, but more secure than,
APPEL would be used in ACCPT to exchange privacy profiles in a similar manner. This APPEL-similar
tool will also be helpful for users that desire to use the privacy practices of a certain organization, such as
their employer or a civil rights group, for they need merely set up their agent to pre-fetch these privacy
preferences.
194
A Framework for Privacy Protection
Page 71
and applicable laws.195 These profiles would then be used in conjunction with the
server’s privacy desires in the continuation of the ACCPT negotiation. The actual
ACCPT negotiation would then proceed in the same method as it would under P3P.196
Ultimately, if the user failed to authorize the release of the geographical (or age-related)
data, the website would be required to erase it from its files.
ACCPT would also adopt many of the optional P3P related features. To enable
the aggregate collection of information by websites even in the event of failed
negotiations, the use of PUIDs and TUIDs as described in P3P will be used by ACCPT in
the manner mentioned earlier in the proposal. The creators of user agents will be heavily
recommended to make use of propIDs and PUIDs as well as the necessary TUIDs; the
use of a storage of a base set of information on the user on the user’s computer such as is
possible with P3P will be encouraged as well.197 The use of propIDs will increase
accountability of past formed contracts as well as provide a network to the overall
structure, and the use of PUIDs combined with data repositories on the users computers
will be very beneficial to businesses due to the desire to collect data on user preferences,
in a manner to somewhat similar to, but as a replacement for, cookies.198 Also, in
We do not attempt, for the purposes of this paper, to determine which laws those would be – rather, we
just assume that some set of laws applies, and we propose that ACCPT be capable of enabling them. We
further do not make geography based checking of the collective choices of a community a requirement for
the current proposal. Rather we leave the ability for communities to require such a mechanism.
195
196
Servers maintaining the privacy requirements for a locale must be created and maintained by the
appropriate organizations and lists of such servers must be publicly and easily accessed for server
administrators to use to update their server configuration with. In the creation and adoption of ACCPT, it
will be a necessity to help foster the creation and knowledge of these servers. With a properly designed
ACCPT system, a cache of such pre-fetches should be created and used frequently to minimize the network
traffic.
197
See the P3P Case Study, in the Technology Section, for information on data repositories and vCards.
198
Interview by Christian Baekkelund with Daniel Weitzner (Dec. 8, 1998).
A Framework for Privacy Protection
Page 72
ACCPT, all propIDs would be digitally signed upon creation to "provide irrefutable
evidence of an agreement."199 Unlike P3P, there would be no fear on the part of the user
of unenforceability of the web agreement, for with ACCPT, the trust would lie in the fact
that the user knows there are hard legal backings to the ACCPT agreement.
199
See W3C, supra note 50.
A Framework for Privacy Protection
Page 73
CRITIQUE
Although the legal and technical framework that we propose as ACCPT has many
advantages and benefits, in this section we identify and discuss some of the potential
problems with the proposal.
TECHNICAL AND LEGAL COMPLEXITY ADDED BY ACCPT
Technical Complexity for the Programmer
First of all, although relatively simple, ACCPT does add an additional level of
complexity. On the technical side, for example, ACCPT adds considerable technical
complexity to the HTTP protocol. Unfortunately, the additional technical complexity
could lock out smaller programmers, which, if history is any indication, would probably
slow down the rate of development and advancing innovations of the web. Right now,
the web is powered by software, written by smaller programmers and academics, and
released for free public use and modification. According to a December 1998 Netcraft
survey, over half of all web servers are powered by Apache, a free web server written by
an ad-hoc group of volunteers.200
Complicated protocols can lock out small programming teams from being able to
innovate. This might mean that large corporations will dominate the ACCPT compliant
agent software market. As the infamous Halloween Memo, an internal Microsoft
200
See Netcraft, The Netcraft Web Server Survey (visited Dec. 9, 1998) <http://www.netcraft.com/survey/>.
Microsoft's own Hotmail service runs on Apache, on top of the FreeBSD operating system (developed in
the same fashion), despite Microsoft's repeated attempts to move to NT/Microsoft-IIS. See id.
A Framework for Privacy Protection
Page 74
document, stated:
OSS [free software] projects have been able to gain a foothold in many
server applications because of the wide utility of highly commoditized,
simple protocols. By extending these protocols and developing new
protocols, we can deny OSS projects entry into the market. 201
ACCPT is an extension of the HTTP protocol and one with complex legal issues
at that. Currently HTTP is trivial to implement. Even law student hackers can write
HTTP clients without much trouble, particularly with the wealth of free software libraries
available to help.202 Incorporating ACCPT will be more complicated but we expect that
similar libraries would be developed following the ACCPT guidelines and that the extra
complexity of the ACCPT protocol would eventually be masked from most programmers.
Technical Complexity for End-Users
In addition to the added intricacy on the programming end, ACCPT agents are
will require installation, either as part of a browser or separately. Users may be reluctant
to set (or even read and accept) their ACCPT preferences.
In counterpoint, however, it would only be fair to recognize that the ACCPT
proposal only requires certain settings for installations in order for a website to be certain
that a computerized agent is authorized by the user. The installation of most computer
programs requires an initial time commitment to set up preferences and the like.
Moreover, the protocol could make the process of installing the browser as easy and
201
Open Source, {Halloween I -- 1.10}: Open Source Software (visited Dec. 9, 1998)
<http://www.opensource.org/halloween1.html>.
202
See e.g. LIBWWW - PERL - 5 (last visited December 9, 1998) <http://www.cpan.org/modules/bymodule/Bundle/libwww-perl-5.41.readme> (describing the World Wide Web functions PERL library
which implements many HTTP methods).
A Framework for Privacy Protection
Page 75
efficient as possible. Just as the additional technology required by ACCPT can add
complications, technology can also eliminate those complications, as we expect it will.
Legal Complexity for Programmers
ACCPT places legal liability for buggy software on small programmers. Although
the legal framework is not excessively complicated, it may still discourage small
programmers from entering the space for fear of suit. The use of a "negligence standard"
may mitigate that effect but application of that standard is unlikely to be easily
understood by programmers. The negligence standard is not a standard that is delineated
by law or statute, but one that is given its force by the courts, as cases and controversies
with concrete facts are decided. Thus, it is really only as problems come up that the
standard is fleshed out. Given the importance of the free software movement, it is
possible that such an ambiguous standard, with the accompanying penalties, will be
highly discouraging to programmers. It is unlikely that they are willing to be guinea pigs
for the legal system when they often receive little benefit for making their programs
available to the public gratis.
However, such an argument ignores the fact that the ACCPT legal framework
proposed is actually simpler than the legal framework that now exists. The current legal
framework is a patchwork of industry-specific statutes and difficult-to-follow common
law which varies by state.203 The main innovation of ACCPT is the "flipping" of the
entitlement to information. Rather than the automatic disclosure of information, with the
burden on the user of the site to negotiate with the site in order to regain his or her
203
See supra Law Section.
A Framework for Privacy Protection
Page 76
information, ACCPT would help the user to "own" his or her information, requiring the
site to negotiate with the user for access to the information. Rather than adding a layer of
legal complexity, ACCPT may be better analogized to an inversion of the current
framework. Moreover, the complexity of the "legalese" can be minimized by those who
write the law. Given the alternative mosaic of common law rights and industry specific
statutes, of which it is unlikely that programmers are any more aware, the more
comprehensive and general legal backdrop proposed by this paper is preferable.
Legal Complexity for End-Users
Aside from the legal complexity presented by ACCPT to programmers, there may
also be residual effects on end-users. Under ACCPT, users are allowed to customize
privacy preferences in extreme detail. Upon installation, the user may feel overwhelmed
by "legalese," and may be discouraged from participating in on-line transactions
altogether. In an analysis of P3P, this same problem was cited. Citibank expressed their
opinion that:
>From a consumer standpoint using P3P may be quite confusing, as the
user may feel inundated with "legalese" and too many choices. . . . The
user may feel inundated with too many choices about too many pieces of
information when configuring P3P. If the user does not choose to fill in
the information beforehand, there will be a point when the user is
transacting with a website operator, that he/she would need to fill in that
information. The user would then have to decide under what sort of
conditions he/she would like to have personal information given out. . . .
Nevertheless, there is a possibility that P3P will discourage neophytes
from transacting or interacting online altogether. 204
In reality, we believe that proper user interface implementation can avert this
204
LEE & SPEYER, supra note 65.
A Framework for Privacy Protection
Page 77
problem. Most browsers will probably lump privacy settings into large, easily
understandable groups, and only advanced users will engage in further customizations.
Furthermore, the facilitation of collective privacy choices through the APPEL-like
functionality of a well designed ACCPT agent will allow users to use settings constructed
by groups instead laboriously constructing their own.
Public Access
Also important to note is that fact that the technical complexity added by ACCPT
may have unintended secondary effects on public access. For instance, many schools and
libraries have public access web terminals. It would be unwieldy for each user to
customize the ACCPT preferences on these machines. At the same time, without
ACCPT, users may not be able to view a potentially large part of the content on the
Internet. ACCPT may make be sacrificing some amount of public access for the sake of
flexibility.
Services for the remote storage of ACCPT profiles should arise to solve this
problem in much the same way Yahoo currently stores many people’s calendars.205 This
would again make use of our proposal for APPEL-like language for transferring privacy
preferences.
A Slower Internet
An additional problem with the use of ACCPT is the network traffic that it would
create. Due to the necessary negotiation that must occur before a user can access data
205
See e.g. Yahoo Calendar (last visited December 8, 1998) <http://calendar.yahoo.com/>.
A Framework for Privacy Protection
Page 78
from a website, more data must be transmitted back and forth to a website before a user
can gain access to it creating both a noticeable delay in the time it takes to initially
receive information from a website, as well as an over all increase in the amount of data
that it will create in general. This overall increase in data transmission will in fact slow
down other users on the Internet as well especially at points of low bandwidth. This
problem would be further exacerbated by ACCPT's use of regional profiles to enforce
legal standards due to the even further elevated level of necessary network traffic. This
problem, however, may become moot in the future as the average Internet user's
bandwidth increases at the same rate it has in the past.
LIMITATIONS OF ACCPT
While the above criticisms constitute commentary about the problems with the
implementation of our proposal for ACCPT, legitimate objections may be made in that
perhaps ACCPT does not go quite "far enough." Though ACCPT has addressed many of
the problems in government policy towards the protection of information, other areas of
concern also exist which we have not fully addressed.
International Conflict of Laws
A major limitation of our proposal is its domestic nature, when the problem with
information privacy is a global one. Most likely, not all nations will pass laws requiring
or even supporting ACCPT. Since the ACCPT proposal does not require its international
adoption – though we would welcome it –international websites could lie about the level
of privacy they provide without there being an easy recourse for consumers. Some
A Framework for Privacy Protection
Page 79
nations could provide safe haven for websites that wished to collect information without
accepting limitations on its use. 206 As long as other countries can break ACCPT
contracts without repercussions, then the proposal may be adding very little in the way of
protection of privacy.207 The U.S. government can "forbid" users to contract away data
without particular guarantees if it so chooses, but if the other end of the party breaks the
deal, there is no recourse. Some argue that a completely technical solution may be the
only way to deal with this problem.
However, a "complete technical solution" cannot be the only answer to the
question. As with our proposal, the problem is that technology doesn't exist in a vacuum
-- there must be legal standards in place to encourage the adoption of the technology.
This is particularly true on the international level, where other countries might actively
pass laws preventing its adoption. On the other side, this is also a question of sovereignty
– treaties, conflicts of law principles, and the like step into the gaps, just as in "real
world" conflicts.208 Granted, technology may provide a partial solution. If the United
States adopts a code-based solution, it is likely that Europe will follow. Since packets go
through several routers in the U.S., it will guarantee at least partial privacy for U.S.
citizens.
If TCP/IP is modified in such a way that websites cannot collect IP addresses,
electronic payment is completely anonymous and shipping is completely anonymous, no
206
See Sovereignty Presentation for Cyberspace and Social Protocols, Harvard Law School (Nov. 24,
1998).
207
208
See id.
See generally, Jack Goldsmith, Against Cyberanarchy (visited Dec. 8, 1998) <http://wwwswiss.ai.mit.edu/6805/articles/goldsmith-against-cyberanarchy.html>.
A Framework for Privacy Protection
Page 80
companies could collect personal information. If anonymizing routers were implemented
as part of IPv6, countries would have to adopt it to avoid being cut off from the rest of the
Internet. Regardless, ACCPT does not preclude the additional protection of a code-based
framework to protect privacy.
Profiling
Another criticism of ACCPT is that it does not address the collection of "public"
information into detailed profiles. Currently, much information is available for legal
collection. There is no current U.S. provision,209 nor is there any provision in ACCPT, to
prevent the selling of this information. An individual or organization is legally allowed
to collect information from the United States postal system, phone directories, tax
information, family lineages/geneologies, real estate records, as well as collecting all
posts, web pages, or any other on-line "traces" made by individuals.
This problem is one that should definitely be considered by the legislature and
courts. Even if ACCPT becomes widely accepted, it is indisputable that such endeavors
would be still technically be legal, yet may be a more serious violation of privacy than a
website keeping a record of IP addresses. Surely ACCPT will slow the collection and use
of this data as ownership would have to be established and the information collected
without any help from the individual being profiled. However, ACCPT does not retrieve
information currently public nor regulate the collection of information about users in the
real world.210
209
See supra Law.
210
For example, what if Alice discloses information, yet decides she wants it back 15 years later? Perhaps
A Framework for Privacy Protection
Page 81
Operational Data
Another problem with a legal structure that prevents collecting any information
without permission is that of data that needs to be collected for normal server operations.
Although the law includes provisions the collection of operational data for use in
fulfilling transactions (IP addresses used to send requested pages), frequently, servers
need or want to collect additional operational data for security purposes. Currently, the
operational use exception does not include security use under our proposal. Indeed what
would constitute a legitimate security use is unclear. Presumably, an officer with a
warrant could obtain the operational logs in spite of a user’s privacy interest in them.
However, though there was significant discussion over the tradeoff between privacy and
accountability, our proposal errs on the side of privacy and does not provide a specific
security use exception.
If introduced, anonymous browsing, shipping, and payment technologies may
make a potential security use exception much less important as much operational data
could be revealed with minimal privacy loss. Our proposal encourages further work in
these areas.
as a 21-year-old college student, she traded some information when ordering a rubber chicken to save 50
cents. Now she is 39, has discovered cold fusion, is under a lot of media attention, and doesn't want it to
become public that she has a chicken fetish. There is some flexibility here in an ACCPT negotiation where
a site might state as a privacy practice that it deletes all records after 2 years or some other similar period of
time. However, without law mandating such a requirement, it is hard for a user to require it. Although it is
easy for a website to state something, and a user to accept it or not, under ACCPT, it is more difficult for
the user to make a counter-proposal with certain stipulations. The website may not even recognize some of
the user's proposals/requests.
A Framework for Privacy Protection
Page 82
"Race to the Bottom"
Finally, a potential problem unaddressed by our proposal is that ACCPT may not
result in a diversity of privacy policies if various websites collude. This may become
especially problematic if the websites only allow access to their pages upon the
disclosure of information; if a "floor" develops, such that all pages require a minimum of
information, then the privacy of users may not be significantly protected by ACCPT.
This is an issue which we recommend government closely monitor. In the event that a
floor on information does develop, Congress may reanalyze the issue, perhaps
distinguishing between information which can be exchanged and information that is
inalienable.
PHILOSOPHICAL CRITICISMS OF ACCPT
In addition to the various criticisms thus far discussed, there are several debates
which occur at a more basic level. ACCPT is based upon the acceptance of several
assumptions and basic beliefs about privacy.211 Yet, there are various other frameworks
within which alternative proposals could be suggested.
No Data Collection
An even more extreme view is that there is no need at all for data collection.
Despite the initial impressions, there are a fair number of arguments made in its favor.
First, while data collection may bring in a significant amount of revenues, e-commerce
211
See supra Introduction.
A Framework for Privacy Protection
Page 83
may actually increase with a prohibition against collection of data.212 Second, the
argument maintains that most respectable websites do not engage in privacy violations;
thus, the only sites it would potentially harm provide minimal positive value to society.213
Moreover, larger revenues do not necessarily lead to good content. Many websites with
quality content are created by people interested in more than money, such as public
interest organizations,214 musicians,215 academics,216 etc., more so than content from
212
The FTC states that:
[Although] the online marketplace is growing rapidly, there are also indications that
consumers are wary of participating in it. Surveys have shown that increasing numbers of
consumers are concerned about how their personal information is used in the electronic
marketplace. . . . In fact, a substantial number of online consumers would rather forego
information or products available through the Web than provide a Web site personal
information without knowing what the site's information practices are. According to the
results of a March 1998 Business Week survey, consumers not currently using the
Internet ranked concerns about the privacy of their personal information and
communications as the top reason they have stayed off the Internet. . . . These findings
suggest that consumers will continue to distrust online companies and will remain wary
of engaging in electronic commerce until meaningful and effective consumer privacy
protections are implemented in the online marketplace. If such protections are not
implemented, the online marketplace will fail to reach its full potential.
FTC, supra note 6.
213
The Direct Marketing Association takes issue with this assertion. It states :
A Website that provides no opportunity for interaction is not interesting to consumers,
adds little or no value to their dialogue with marketers, and therefore is of little value to
businesses. Some may need to simply track the number of persons who are visiting their
sites. Others may encourage visitors to ask questions as a way of improving their services
or building their customer base. Others may provide a product for free that they charge
for in the traditional world. In return, it seems reasonable for a publisher to ask a Website
visitor to register before providing that person with the same material that could cost him
on a newsstand.
Direct Marketing Association, FTC: Consumer Privacy Comments Concerning The Direct Marketing
Association--P954807 (July 16, 1997 )
<http://www.ftc.gov/bcp/privacy/wkshp97/comments2/dma027a.htm>
214
For example, much of the research for this paper was conducted on the web. Many cites in this paper
were pulled from public interest organizations such as the Electronic Frontier Foundation, which has also
been ranked as one of the four most-linked-to sites by Webcrawler. See Electronic Frontier Foundation
(last visited Dec. 9, 1998) <http://www.eff.org/>.
215
For instance, Lycos lists among its Top 5% Websites The Recorder Home Page. See Lycos, Best of
Web (visited Dec. 9, 1998) <http://point.lycos.com/index.html>. Although the creator never says he is a
recorder player himself, he provides a non-commercial site containing an incredibly detailed historical
A Framework for Privacy Protection
Page 84
overcommercialized sites. Rather than simply encouraging growth and more content on
the Web, perhaps we should be encouraging better quality or discouraging the minimally
beneficial websites. Finally, marketing and data collection uses resources, but
contributes little of substance back to society. In the long run, if human resources are
reallocated from data collection or marketing to productive work, the output and average
standard of living for society as a whole may rise. Although in the short run, this may
hurt e-commerce, it may help other industries just as much in the long run.
An Internet where data collection was prohibited is some people’s view of a
Utopian cyberspace. However, our proposal took a different stance because we believe
that the technology is not mature enough for this to be practical goal. Furthermore, we
recognize that different people have different privacy concerns and would be best served
by different privacy policies. Thus in fulfilling our goals of protecting individual privacy
but also enabling electronic commerce and encouraging a diversity of privacy policies,
we took a more moderate approach.
Less Regulation
On the opposite side of the spectrum, there are advocates for the philosophy that
there should be little to no regulation of data collection and storage. 217 The argument
background, extensive list of links, and a discussion of the cultural role of the recorder in all its forms, from
medieval pipe to the contemporary plastic kid's noisemaker. See Nicholas S. Lander, The Recorder Home
Page (last updated Nov. 30, 1998) <http://iinet.net.au/~nickl/recorder.html>.
216
Lycos also lists multiple university libraries that provide on-line access to their resources. See Lycos,
supra note 212. Moreover, many academics will public their books and articles on-line before "paper"
publication. See, e.g., Simson Garfinkel, 2048: Privacy, Security and Community in the Next Century
(visited Dec. 9, 1998) <http://simson.net/2048/>.
217
See OSCAR H. GANDY, JR., THE PANOPTIC SORT: A POLITICAL ECONOMY OF PERSONAL INFORMATION
A Framework for Privacy Protection
Page 85
assumes that as long as the information is obtained legally, i.e. no trespass or fraud is
involved, then the user has no more power over what is done with that information. The
basic assumption underlying this theory is about entitlements – if a website has the
technological ability to obtain information about the user, then the website owns that
information.
For the advocates of this argument, the force comes from the First Amendment.
In support of the theory that collectors of legally obtained data can do whatever they like
with that data, some have argued that the primary constitutional issue is free speech,
rather than privacy; once information is freely released, any restrictions on corporate
speech, such as customer lists, should be disfavored.218 However, the ACCPT proposal
does not present an absolute ban on the speech. Instead, it suggests that the government
implement constitutionally permissible "time, place, and manner restrictions"219 – that the
government simply regulate the manner in which this "speech" is conducted.
More importantly, this seems to be a misleading application of the First
Amendment. Rather than the right to free speech, it seems more closely analogized to the
limited right to appropriate or use other people's speech – in this case, an individual’s
private information. Copyright, trademark, and patents are all examples of instances
where the government has legitimately stepped in to protect the rights of the original
66-68 (1993).
218
219
See id. at 107.
Even if direct marketing were held to use public forums, which have the strictest standards for
regulation, the ACCPT proposal passes strict scrutiny and would be held permissible. See Ward v. Rock
Against Racism, 491 U.S. 781 (1989) (holding that if the regulation is content neutral, narrowly tailored to
serve a significant government interest, and leaves open alternative channels of communication,
government regulation is permissible).
A Framework for Privacy Protection
Page 86
"speaker." Alternatively, ACCPT can be seen as an extension of the government's right
to regulate interstate commerce.220 Given that the most vocal proponents of this structure
of "less regulation" are from the direct marketing camp,221 it is unlikely that they would
deny that interstate commerce is involved.
Moreover, a world with this structure would degenerate into a cat-and-mouse
game, with the user trying to technologically stay one step ahead of commercial websites.
And this is a game that most users of the web are likely to lose, given their lesser
resources and access to technological innovations, as well as problems with collective
action.
220
See e.g., U.S. v. Darby, 312 U.S. 100 (1941) (affirming the federal government's right to regulate
interstate commerce).
221
See GANDY, supra note 217, at 66-68.
A Framework for Privacy Protection
Page 87
CONCLUSION
The introduction of this paper discussed Alfred, the hypothetical web surfer. In
the sections that explained the current technical, legal, market and social norm
frameworks we saw how Alfred’s privacy could be violated in surprising ways. We saw
that Alfred could be tracked by IP address or cookie and information given to one site
could be easily correlated with his name and address given to another. In the market and
social norms section, we saw that the technology to collect, store, analyze and share
Alfred’s information was cheap. We also saw that although people are concerned about
their personal privacy online, Alfred was likely to give up his information anyway.
Finally, in the legal section explained that Alfred’s video rental receipts are likely to
receive more privacy protection than his concerns over prostrate cancer. We discussed
P3P and TRUSTe as potential solutions to Alfred’s privacy problems but saw that the
background legal and technical regimes prohibit the success of both of these potential
solutions.
In response, we proposed the ACCPT legal framework and technical guidelines.
These would ensure that Alfred would be aware of the way in which his private
information might be used before he agreed to divulge it. If Alfred didn’t want his visit to
ProstrateInfo.Com to be logged or given to other entities, he could either come to that
agreement with ProstrateInfo.Com, or find another site that would agree to those terms.
However, as discussed in the critique section, Alfred’s privacy comes at a price.
Companies will need to be more careful about how they handle information. Individuals
A Framework for Privacy Protection
Page 88
will need to install agents and assent to their defaults. Web sites will open themselves to
liability for the using information in ways that currently do not carry any potential
penalty. Computer programmers wanting to write browsers with ACCPT compliant
agents will find it technically more challenging and also open themselves up to potential
liability which is not present under the current framework. Furthermore, our proposal
does not solve thorny internationalization issues or completely eliminate profiling.
Privacy regulation is a balancing act. This proposal strikes that balance in favor of
the individual. ACCPT protects individual privacy while enabling electronic commerce
and providing a new market for information where the players are on more even ground.
ACCPT attempts to enfranchise everyone, not only the rich or tech-savvy. Furthermore,
ACCPT is flexible enough to encourage diversity in implementation and privacy policies
while still allowing collective action.
As the Information Revolution chugs on its course, the United States has
demonstrated an extreme reluctance to offer legislative guidance as to how it should
proceed. Other than pledging protection for its own records, and enacting a few stop-gap
protection measures that correspond to the day's headlines, the federal government has
adhered to its rosy view of industry whereby a few fierce words from an extremely probusiness administration will prompt businesses to forego an extremely easy and
profitable activity. If it was not clear before now that such an approach had little
likelihood of success, the FTC's report to Congress should have been the final nail in the
coffin of the idea of self-regulation.
America's reluctance to take drastic action may not be entirely predicated on the
A Framework for Privacy Protection
Page 89
influence of moneyed interests in Washington. The United States has a very long
tradition of freedom of information, and that norm might be one that legislators are
reluctant to disturb. It is a shocking thing to say in America, "You have access to the
knowledge, but you cannot use it." Though it would not be the first time such a thing
was done – as was mentioned earlier, we have protection for copyrights, for trade secrets,
and a host of other intellectual properties – ultimately what we are proposing to protect
here is information that an individual parts with in the real world on a daily basis, without
any expectation that that such information will be controlled. Our names, our addresses,
our phone numbers, our favorite television shows, our buying habits – we simply are not
used to thinking about these things as "private." When we see, however, the potential
harm caused by the unrestricted flow of this information in vast databanks, it becomes
clear that our traditional ideas about privacy must be radically altered to fit this new
world.
Our proposal is the first step in this process – it is intended to function as a
redefinition of what information is private. This is a context-sensitive redefinition: if the
man at the newspaper stand on the corner remembers that Alice buy the Washington Post
every morning, that is not a privacy violation – but if Altavista "remembers" this
information without her consent when Alice searches for the Post online, or DoubleClick
remembers it because DoubleClick hears through Altavista, or Barnes & Noble
remembers it because Alice followed a link to its website – these are, indeed, violations
of her privacy. The problem certainly extends beyond the web – we are living in an age
where vast stores of data about every person in this country are freely available, by going
A Framework for Privacy Protection
Page 90
down to the courthouse, or a Hall of Records. Without a workable, context-sensitive
definition of privacy, our willingness to make those records available publicly on paper
will translate to a willingness to make those records available publicly in electronic form
– which, because of the ease with which electronic records can be accessed and searched,
may very well have a qualitatively different meaning of "public" than was present in the
case of a public record in a file in a cabinet in the basement of City Hall. Our proposal
lays the groundwork for this new understanding variations of "public" and "private"
depending on who has access to the information, how it is used, and how much control
the individual has over it, but there is still much to be done. We must alter our
understanding of "public" and "private" from how these terms were meant 200 years ago,
when basic decisions about the structure of our legal architecture were made, to what
those terms mean now, when our technological architecture has reached a place that no
one could have envisioned when the rules were created. As the web and use of
computers continues to grow, the importance of this process cannot be underestimated –
and it requires more direction from our government than a simple hope that ultimately,
everything will work itself out. Our proposal has the courage to take a stand and suggest
ways that the government can help to protect personal privacy. We answer Al Gore’s
challenge for an electronic bill of privacy rights – the only question now is whether
government will have the courage to follow.
A Framework for Privacy Protection
Appendix A : Page 1
APPENDIX A: TABLE OF PROPOSED LEGISLATION
DURING THE 105TH CONGRESS222
Protection of Children
H.R. 1972
Children's Privacy Protection and Parental Empowerment Act of 1997
Prohibits "list brokers" from selling, purchasing info about children without written
consent of parent. Requires marketers to give access about child to parent, prohibits using
prison inmate labor to process children's' information. Requires marketers to give lists to
National for Missing and Exploited Children for data matching purposes. The bill has 52
cosponsors.
H.R. 2368
Data Privacy Act of 1997
Interactive computer services may not collect any information about a child or disclose
this information without notifying the child, in advance of collection or use, that the
child should not provide any information without the consent of his or her parent. No
person shall solicit or collect information from a child regarding his or her parents. Part
of a more comprehensively conceived protection.
H.R. 2815
Protecting Children From Internet Predators Act of 1997
Criminalizes sending sexually explicit messages to people under 16, even if sender is
under that age.
H.R. 3494
Child Protection and Sexual Predator Punishment Act of 1998
Criminalizes sending sexual material to a minor. Minimum prison term for using
computer is 3 years. Allows use of subpoenas to obtain evidence instead of warrants.
S. 504
Children's Privacy Protection and Parental Empowerment Act of1997
Prohibits the sale of personal information about children without their parents' consent.
222
All information from EPIC Online Guide to 105th Congress Privacy and Cyber-Liberties Bills (Last
visited Dec. 3, 1998) <http://www.epic.org/privacy/bill_track.html >.
A Framework for Privacy Protection
Appendix A : Page 2
S. 1965
Internet Predator Prevention Act of 1998
Prohibits the publication of identifying information relating to a minor for criminal sexual
purposes.
S.1987
Child Protection and Sexual Predator Punishment Act of 1998
Increases penalties for transmitting obscene materials to minors, contacting minors using
net "for the purpose of engaging in any sexual activity".
Protecting Personal Identification Data
H.R. 98
Consumer Internet Privacy Protection Act of 1997
Interactive computer services may not disclose personally identifiable information
provided by their subscribers to third parties without subscriber's written consent, which
may be revoked at any time. Upon subscriber's request, service must provide the
subscriber's personally identifiable information maintained by the service to the
subscriber for verification and correction purposes. Upon subscriber's request, service
must inform the subscriber of the identity of the third party recipients of the subscriber's
personally identifiable information. Additionally, this act would prohibit knowing
disclosure of falsified information.
H.R. 1287
Social Security On-line Privacy Protection Act of 1996
Interactive computer services may not disclose Social Security account numbers or
personal information that is identifiable to an individual by means of his or her Social
Security number without the individual's written consent, which may be revoked at any
time. See "Regulating On-Line Databases."
HR 1330
American Family Privacy Act of 1997
Prohibits Federal officers and employees from providing access to social security account
statement information, personal earnings and benefits estimate statement information, or
tax return information of an individual through the Internet or without the written consent
of the individual, and to establish a commission to investigate the protection and privacy
afforded to certain Government records.
A Framework for Privacy Protection
Appendix A : Page 3
HR 1331
Social Security Information Safeguards Act of 1997
Requires the Commissioner of Social Security to assemble a panel of experts to assist the
Commissioner in developing appropriate mechanisms and safeguards to ensure
confidentiality and integrity of personal Social Security records made accessible to the
public.
H.R. 1367
Federal Internet Privacy Protection Act of 1997
Federal agencies may not make available through the Internet any record with respect to
an individual. For the purposes of this act, records include information with respect to
education, financial transactions, medical history, or employment history that contains
the name or identifier assigned to the individual.
H.R. 1813/S. 600
Personal Information Privacy Act of 1997
Persons may not buy, sell, or trade Social Security account numbers or use social security
account numbers for identification without written consent of the individual. Individual
must be informed of all purposes for which the number will be used and all persons to
whom the number will be known.
H.R. 2368
Data Privacy Act of 1997
This act creates an industry working group to establish guidelines to limit the collection
and commercial use of personally identifiable information obtained from individuals
through any interactive computer services. The guidelines shall apply to those Providers
or persons who voluntarily agree to such applicability. These guidelines shall require
interactive computer services to inform subscribers of the nature of the information
collected and allow subscribers to prevent disclosure of this information. Upon
subscriber's request, service must provide the subscriber's personally identifiable
information maintained by the service to the subscriber for verification and correction
purposes. Part of a more comprehensively conceived protection.
H.R. 2581
Social Security Privacy Act of 1997
Limits use of Social Security number. Requires disclosure of uses of SSN by businesses.
Protecting Medical Records
H.R.1815
Medical Privacy in the Age of New Technologies Act of 1997
Protects the privacy of health information in the age of genetic and other new
technologies.
A Framework for Privacy Protection
Appendix A : Page 4
H.R.2198
Genetic Privacy and Nondiscrimination Act of 1997
Would limit use and disclosure of genetic information by health insurance companies;
prohibit employers from attempting to acquire, or to use, genetic information, or "to
require a genetic test of an employee or applicant for employment" or to disclose the
information.
HR 2215
Genetic Nondiscrimination in the Workplace Act
Amends Fair Labor Standards Act to restrict employers in obtaining, disclosing, and
using of genetic information.
HR 2216
Genetic Protection in Insurance Coverage Act
Limits the disclosure and use of genetic information by life and disability insurers.
Prohibits insurers from requiring genetic tests, denying coverage, setting rates based on
genetics, using or maintain genetic info.
H.R. 2368
Data Privacy Act of 1997
No person may use, for commercial marketing purposes, any personal health or medical
information obtained through an interactive computer service without prior consent of the
individual. No person may display the social security account number of an individual,
through the use of an interactive computer services, except when part of a government
record available to the general public or pursuant to industry guidelines. Part of a more
comprehensively conceived protection.
H.R. 3755
Prescription Privacy Protection Act of 1998
Restricts disclosure of pharmacy records.
H.R.3900
Consumer Health and Research Technology (CHART) Protection Act
A bill to establish Federal penalties for prohibited uses and disclosures of individually
identifiable health information, to establish a right in an individual to inspect and copy
their own health information, and for other purposes. Allows disclosure to government
without warrant and researchers with little need.
H.R. 4250
Patient Protection Act of 1998
Republican Health Care bill. Sets weak standards for privacy, prohibits states from
passing stronger protections. Approved by the House 216-210 on July 24.
S. 89
Genetic Information Nondiscrimination in Health Insurance Act of 1997
Prohibits denial of insurance based on genetic information. Prohibits insurance
companies from requesting genetic information. Prohibits disclosing genetic information
without written consent.
S. 1368
Medical Information Privacy and Security Act
General medical privacy bill.
A Framework for Privacy Protection
Appendix A : Page 5
S. 2352
The Patient Privacy Rights Act
Repeals the "unique medical identifiers" requirement of the Health Insurance Portability
Law of 1996 (HIPAA).
Regulating Direct Marketing and Unsolicited E-Mail
HR 1748
Netizens Protection Act of 1997
Persons may not send unsolicited advertisements to an electronic mail address of an
individual with whom they lack a pre-existing or ongoing business or personal
relationship, unless the individual provides express invitation or permission. Persons
may not send unsolicited advertisements without providing the identity and the return
electronic mail address of the business or individual sending the message at the beginning
of the unsolicited ad.
H.R. 2368
Data Privacy Act of 1997
Persons may not send unsolicited advertisements without providing the identity, the
physical address, the electronic mail address, and the phone number of the initiator of the
message. The business or trade name must appear in the subject line of the message.
The guideline must provide a method by which an individual may choose to prohibit the
delivery of unsolicited commercial electronic mail. Part of a more comprehensively
conceived protection.
H.R. 4124
E-Mail User Protection Act of 1998
Anti-Spam bill
H.R. 4176
Digital Jamming Act of 1998
Anti-spam bill.
S. 771
Unsolicited Commercial Electronic Mail Choice Act of 1997
Persons sending unsolicited electronic mail advertisements must include the word
"advertisement" in the subject line of the message and include the sender's electronic mail
address, physical address, and telephone number in the body of the message. Interactive
computer services must provide a system for blocking any electronic mail that contains
the word "advertisement" in its subject line and inform its subscribers of this service.
Once such a blocking system is in place, interactive computer services must block
unsolicited advertisements at the request of the individual subscriber and may block
these advertisements upon its own initiative.
A Framework for Privacy Protection
Appendix A : Page 6
S. 875
Electronic Mailbox Protection Act of 1997
Persons may not transmit unsolicited electronic mail messages from an unregistered
electronic mail address or disguise the source of unsolicited electronic mail messages.
Persons may not send unsolicited electronic mail to individuals who have requested no
further messages and may not distribute that individual's electronic mail address to others
who intend to use the address for sending unsolicited electronic mail. Persons may not
send unsolicited electronic mail messages in contravention of the rules of an interactive
computer service or access the server of such a service to collect the electronic mail
addresses of its subscribers for the purpose of sending unsolicited electronic mail
advertisements.
Regulating On-Line Databases
H.R. 1226
Taxpayer Browsing Protection Act
Criminalizes "browsing" of taxpayer files by IRS employees. Passed by the House April
15, 1997. Placed on the Calendar in the Senate (CR S3346) on 4/17/97. Signed August 7,
1997 (PL 105-35).
HR 1287
Social Security On-line Privacy Protection Act of 1996
Prohibits computer service (such as Lexis-Nexis) from disclosing person's SSN without
permission. See "Protecting Personal Information."
H.R.2652
Collections of Information Anti-Piracy Act
Creates property right in databases of information, even if public domain information.
Approved by House on voice vote on May 19. Referred to Senate Judiciary Committee.
S.2291
Collections of Information Anti-Piracy Act
Creates new form of intellectual property for databases. Unfortunately, does not protect
individuals from whom information is collected, except from 3rd parties who would
misappropriate database from collector.
A Framework for Privacy Protection
Appendix B - Page 1
APPENDIX B: EXAMPLE P3P PROPOSAL
The following code should be placed in your default Web site page. This HTML
proposal will allow your visitors' browsers to read and understand the human readable
proposal which follows it.
<PROP
agreeID=“d273e4b4dc86577621ad58feaea0704e”
realm=“http://web.mit.edu/draco/www/group3/”
entity=“Group3-privacy”>
<USES>
<STATEMENT
VOC:purp=“0,1,2,3”
VOC:recpnt=“0”
VOC:id=“0”
consq=“It will help us better serve your interests as
you browse our website.”>
<DATA:REF
category=“1”/>
<WITH>
<PREFIX name=“User.”>
<DATA:REF name=“Home.Online.Email”
category=“1”/>
<DATA:REF name=“Home.Online.URI”
category=“1”/>
<DATA:REF name=“Business.Online.Email”
category=“1”/>
<DATA:REF name=“Business.Online.URI”
category=“1”/>
</PREFIX>
</WITH>
</USES>
<USES>
<STATEMENT
VOC:purp=“0,1,2,3”
VOC:recpnt=“0”
VOC:id=“1”>
<DATA:REF
category=“4”/>
</USES>
<USES>
<STATEMENT
VOC:purp=“0,1,2,3”
VOC:recpnt=“0”
VOC:id=“0”>
<WITH>
<PREFIX name=“ClickStream.”>
<DATA:REF
name=“Client_”
category=“5”/>
</PREFIX>
</WITH>
A Framework for Privacy Protection
Appendix B - Page 2
<WITH>
<PREFIX name=“Form.”>
<DATA:REF
name=“StoreNegotiation_”
category=“6”/>
<DATA:REF
name=“SearchText_”
category=“6”/>
</PREFIX>
</WITH>
<DATA:REF
category=“9”/>
</USES>
<VOC:DISCLOSURE
discuri=“http://web.mit.edu/draco/www/group3/privacypolicy.html”
access=“3”
other-disclosure=“0,1”>
<ASSURANCE org=““/>
</PROP>
GROUP3-PRIVACY'S PRIVACY STATEMENT
Group3-privacy makes the following statement for the Web pages at
<http://web.mit.edu/draco/www/group3/>. This is the human readable version of the
above P3P proposal.
Online Contact Information
Group3-privacy may collect the following data regarding a user's home:
an e-mail address or a URI.
Group3-privacy could collect information regarding a user's business:
an e-mail address or a URI.
Group3-privacy makes a statement regarding how a user might benefit by providing this
information:
"It will help us better serve your interests as you browse our website."
Group3-privacy uses this information for the purposes of completion and support of
current activity, Web site and system administration, customization of a Web site to an
individual and research and development.
This information may be distributed to ourselves and our agents.
Computer Information
We collect information about a users computer system and associate this information
with other identifiable information collected from the user. Group3-privacy uses this
information for the purposes of completion and support of current activity, Web site and
system administration, customization of a Web site to an individual and research and
development.
This information may be distributed to ourselves and our agents. Moreover, this
information could be used in such a way as to personally identify a user.
A Framework for Privacy Protection
Appendix B - Page 3
Clickstream and Navigation Data Information
Group3-privacy may collect the following types of passively gathered data: click stream
data collected on the server. Group3-privacy uses this information for the purposes of
completion and support of current activity, Web site and system administration,
customization of a Web site to an individual and research and development.
This information may be distributed to ourselves and our agents.
Transaction Data
Group3-privacy may collect the following types of information generated through
explicit transactions (i.e. search queries): stored negotiation history data or search query
data. Group3-privacy uses this information for the purposes of completion and support of
current activity, Web site and system administration, customization of a Web site to an
individual and research and development.
This information may be distributed to ourselves and our agents.
Content Data
Our Web site contains elements that would allow a user to communicate with another
user or to post information so that others may access it at
http://web.mit.edu/draco/www/group3/. Group3-privacy uses this information for the
purposes of completion and support of current activity, Web site and system
administration, customization of a Web site to an individual and research and
development.
This information may be distributed to ourselves and our agents.
General Disclosure
No user access to identifiable information is given.
Group3-privacy makes a disclosure in our policy posted at
http://web.mit.edu/draco/www/group3/ regarding the capability for a user to cancel or
renegotiate an existing agreement at a future time.
Group3-privacy makes a disclosure in our policy posted at
http://web.mit.edu/draco/www/group3/ regarding how long data is retained.
