Dangerous Access: database technology and privacy

1
Dangerous Access database technology and privacy

• What does privacy mean?
• -similar to other values (such as liberty and
  freedom), theres no universal definition
• the right to be let alone
• right to restrict access to person, property, or
  information
• Why do we value privacy?
• Some people value privacy for its own sake
• Some because it enables other values, such as
• The ability to have intimate relationships, to
  form independent and informed opinions, or to
  form a sense of personhood.

2
The situation today

• Hundreds of commercial companies, and government
  agencies gather the personal information of
  individuals.
• Historically
• Information was never collected on this scale
• Records werent as permanent as digital records
• Information was harder to share
• Today
• An incredible amount of information is collected
• Distribution of information is quick and easy
• Digital records and massive storage capability
  means permanent storage of all collected
  information.

3
How is this information collected?

• Traditional methods-
• Government coercion of information
• Census records, court records, motor vehicle
  registration etc
• Companies solicit information from their
  customers.
• Registration cards
• Discount Shopping programs (example the price
  chopper card)
• Surveys
• New methods of collection
• Internet technology
• Clickstream tracking websites track where you
  travel, and how long you spend on each page
• Cookies
• Spyware
• keyloggers
• Web bugs 1 pixel photos send back information
  when they are viewed
• Digital rights technology

4
Where does the information go after it is
collected?

• After initial collection- the information is
  traded
• Between the government and commercial entities
• Between separate commercial entities
• Sold back to the government and to law
  enforcement
• The availability of this information is
  beneficial. Companies and the government can run
  more efficiently, public safety is improved, and
  consumers receive marketing that is more directed
  towards their wants and needs.

5
The Dangers

• Decisionmaking
• Background checks, employment, credit, rental
  decisions are made based upon information in
  these databases.
• The information cannot contain a complete picture
  of the individual.
• Moreover if the information is incorrect, whether
  by mistake or by identity theft, there are severe
  consequences to individuals
• Vulnerability
• According to the chairman of the FTC, the most
  serious threats
• Safety of women and children (from stalking
  activity)
• Identity theft
• Fear of Abuse
• The knowledge that so much information is going
  to be collected may have a chilling effect on
  speech.
• Profiling the consequences of having the
  information in your file incorrectly cast you as
  a threat to national security are immense.

6
Bureaucracy and Aggregation

• Most pieces of information in the databases would
  not, by themselves be considered highly private,
  such as names, addresses, or phone numbers.
• When combined, the information can paint a
  portrait of where you go, who you see and talk
  to, your health, where you live, what you buy,
  your family, and your job.
• These databases do not release dangerous
  information into the hands of stalkers or
  identity thieves with any malicious intent, but
  instead through lack of care and bureaucracy.

7
What has the law done to protect privacy?

• The law has reacted to technology that threatens
  our privacy.
• In the time of the early settlers of the U.S.,
  social norms, the expenses of typesetting, and
  the distance of rural life protected privacy.
• As the country grew, so did the governments need
  for information. The 1840 census contained
  financial and health questions, and many people
  were concerned about privacy. (the amount of
  information could not have been processed without
  a new technology, the punch card)
• Shortly after, the invention of the instant
  camera, and the growth of the popular press
  inspired an article by Warren and Brandeis
  which is considered the beginning of privacy law
  in the U.S. The article drew on existing law to
  assert a private tort action for privacy.
• The courts responded to this article allowing
  tort actions for situations which were considered
  to violate privacy.

8
Evolution of Privacy Law

• 1960- Prosser reviewed over 300 privacy tort
  cases since the Warrant and Brandeis article, and
  asserted that instead of a single privacy right,
  there were in fact four distinct separate torts.
• Intrusion upon seclusion
• Public disclosure of private facts
• False light
• Appropriation
• These were adopted into the restatement of torts,
  although many states (including New York) do not
  recognize all four tort actions.

9
Advent of the Computer Age

• Computerization of government and commercial
  records began in the 1960s and 70s.
• A public was concern about privacy, focusing on
  surveillance and the increasing use of the social
  security number as an identifier.
• Individuals can have similar or identical
  information, so a way of uniquely identifying
  them is useful. The SS is a uniquely assigned
  nine digit number, many agencies and
  organizations use it.
• Congress responded with the enactment of FOIA in
  1966, and the Privacy Act of 1974
• The privacy act restricts the release of personal
  records held by federal agencies, with
  significant exceptions, and regulates use of SS.
  
• FOIA 1966- allows for more transparency in
  government, however commercial collectors of
  information have used FOIA to collect
  information. There are permissive privacy
  exceptions.

10
Further Privacy Legislation

• Legislative action in the seventies and since has
  consisted of ad hoc legislation restricting
  selected categories of information.
• CCPA 1984 restricted the release of cable
  viewing habits
• FERPA 1974- restricting the release of student
  records
• VPPA 1988 - restricting the release of video
  rental records
• HIPPA 1996- restricts the release of medical
  information
• Some legislation arguably enables the
  dissemination of information
• Fair Credit Reporting Act 1970- allows subjects
  of information to see and correct information in
  their credit reports, allows the sale of credit
  headers containing SS.
• Graham Leach Bliley 1999- restricts the release
  of financial information to unafilliated
  financial institutions- however it allows
  transfer to associates, provides opt-out notices

11
Good examples of legislation

• COPPA- the Childrens Online Privacy Protection
  Act restricts the collection of childrens
  information online.
• DPPA- the Drivers Privacy Protection act
  restricts the ability of states to sell DMV
  information.
• A patchwork of protection
• Some subjects are protected, while others are
  unregulated.

12
Judicial Treatment of Privacy Law

• The Supreme Court recognized a constitutional
  right to informational privacy in Whalen V. Roe
  (1975)
• there may be a lot of laws, but not much
  protection
• The courts have not been effective in protecting
  against the dangers of database technology.
• Tort law is largely directed towards the media,
  which publicizes information. While database
  companies share the information, they have no
  incentive to publicize.
• Two traditional conceptions of privacy have
  influenced judicial decisions on decisions
  involving databases.
• Secrecy/seclusion- information is either private
  or public. Under the conception of secrecy, if
  the information has been revealed, it can no
  longer be protected as private.
• Invasion- The interest to be protected in privacy
  was against invasive action of wrongdoers who
  cause damage. The collection of this information
  is legal, and there is no cognizable damage.

13
FTC action

• The federal trade commission is responsible for
  handling fraudulent and unfair trade practices.
  The FTC allowed commercial entities on the
  internet to self-regulate their data collection
  practices, however with little incentive to limit
  the use, collection, and dissemination of that
  information they have moved on to filing suit.
  Since 1998 they have been attempting to influence
  the collection of information on the internet
  through privacy policies.
• Several high profile cases have settled, however
  the settlements have been light. In many cases
  the punishment was merely a promise to reform.
• The FTC relies upon the existence of a privacy
  policy, and they can only bring suit if the
  website violates that policy

14
Problems not Addressed by the Law

• The law today does not effectively address the
  problems caused by database technology
• The law makes a clear distinction between private
  and public information.
• Opt-out policies (like those involved with GLB)
  and privacy policies create an incentive for
  companies to create notices that are hard to read
  and follow.
• The invasion concept bases privacy violations on
  the harm to the individual by wrongdoing, rather
  than the harm to society as a whole.
• Protection of privacy is a patchwork of
  legislation, with many holes.
• FTC action still relies mostly upon
  self-regulation, and does not punish severely
  enough to deter violations.

15
What can be done?

• Education
• Technology
• Encryption
• Anonymization
• Current legislation to require notification of
  security breaches, require information be secure,
  and punish violations.
• The European Model
• Update judicial conceptions of privacy away from
  the secrecy and invasion conceptions to
  recognize the harms of the collection of personal
  information.