I will be speaking on Thursday at the European Commission’s Workshop on the Economic Benefits of Privacy-enhancing Technologies in Brussels. With many calling for a revamping of ideas using metadata to help protect privacy, I felt that it was important to use the occasion to write a short paper entitled “Looking Back at P3P: Lessons for the Future,” which details the successes and failures of P3P (The Platform for Privacy Preferences).

P3P is a standard of the World Wide Web Consortium (W3C), the main standard setting body for the Web. It was created to allow privacy policies to be expressed as machine-readable statements. The history of P3P dates to a period when the privacy debate, in the United States and elsewhere, began to focus on encouraging companies to post human-readable privacy policies. As criticism increased about the complexity of those notices, there was a call to simplify them through standardization. If policies could be narrowed down to the equivalent of a multiple-choice set of options, then they could be made machine-readable.

The theory held considerable promise, if such statements would provide a clear, standardized means of rendering potentially complex privacy policies into a format that could be automatically parsed and instantly acted upon. Consumers could compare policies, enterprising companies or individuals could use P3P to develop more accurate means of rating and blocking sites, and governments could use the policies to instantaneously enforce data privacy laws.
(more…)

Today, CDT and 28 other organizations sent a letter to the White House asking that the Privacy and Civil Liberties Oversight Board (PCLOB) be reconstituted. The 9/11 Commission recommended the creation of PCLOB in order to oversee the protections to civil liberties and privacy within the federal government, but the board has not been active since early last year. The board has a vital role as an independent advisor to the President and executive branch agencies in policy matters around privacy and civil liberties and providing oversight. However, the board has not been active since early 2008.

PCLOB was established in 2004 and had one term, starting in 2006 – but the terms of the members of the board expired in January of last year, and President Obama has not nominated new members to the board. This letter asks President Obama to nominate members to the board quickly. Once members to the board are nominated, they must be confirmed by the Senate, and the office will need to be set up and staff must be hired. All in all, it will take months to reconstitute the board before it can begin advising the President and agencies.

Currently, the federal government lacks independent privacy oversight. Reconstituting PCLOB is one of the ways that privacy and civil liberties can be better protected by the federal government. In fact, the Cybersecurity Policy Review specifically called for PCLOB to be reconstituted, and possibly to expand its purview to include more cybersecurity topics, as an important oversight body. As an existing mechanism to protect privacy and civil liberties, it is an important and relatively simple way to provide oversight and advice for the government.

Last week, I attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. Government data privacy officials representing 46 countries were there, as well as hundreds of lawyers, corporate privacy officers and advocates from around the globe.

There were plenary sessions and panels on every possible privacy issue but at the center of much of the discussion were the complex and seemingly unanswerable questions about global data flows in an era of cloud computing: What is the right way to protect privacy in an Internet cloud where data flows don’t respect borders? When consumers from around the world place their data in a social networking site based in the United States, which data protection laws should apply? Who should be accountable for data privacy and security when data is collected by one entity and then stored with cloud providers offering storage, processing and software as a service? When those cloud providers move data from server to server, often in multiple jurisdictions, which data protection rules apply and which country may assert jurisdiction over the data when other substantive legal questions arise?
(more…)

An eye-opening new study out of Fordham Law’s Center on Law and Information Privacy finds that state educational databases are lacking when it comes to protecting the personal information of K-12 children. Some states hand off the storage of this information to outside firms and do so without any restrictions on use or confidentiality for the children’s information, the study found.

The information on children collected in these electronic data warehouses includes matters related to teen pregnancies, mental health and juvenile crime; the report says that this information is often stored in a manner that “violates federal privacy mandates,” the study says.

From the report’s summary:

“Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.”

The study isn’t all finger pointing, it also outlines several critical recommendations to help increase the privacy, transparency and accountability of these databases. The study comes just as Congress is considering expanding and integrating the data collection process among the 43 states that currently collect this type of information on K-12 children.

Recently, CDT’s Adam Rosenberg authored a guest blog post for Wired.com’s GeekDad blog, a parenting blog for tech-savvy parents. The post is the first in what will be a series of “how-tos” on raising an Internet savvy child and discusses some of the issues parents confront when setting up a child’s first email address. CDT has been outspoken about the importance of child safety online and it’s clear that the tips for keeping children safe could apply to adults as well. The blog post is a timely, informative read and comes a few days after a great New York Times piece on guarding your kids online. Thanks to WIRED for the opportunity.

CDT and TRUSTe recently hosted “Social Networking: The Challenges of Privacy and Openness,” a discussion in their continuing Internet Policy Series. A five-minute video recapping the highlights of the event can be found here.

Held on the Google Campus in Mountain View, CA, on Oct. 7, the discussion was moderated by Fred Vogelstein of Wired Magazine and included a potent lineup of speakers: Chris Conley, Technology and Civil Liberties Fellow at ACLU Northern California; David Glazer, Engineering Director at Google and Board member of OpenSocial Foundation; and Tim Sparapani, Director of Public Policy at Facebook.

The speakers discussed the tensions that exist between privacy and openness in a social networking environment that is primarily intended for people to share information.

The discussion touched on trust between users and social networking sites, new definitions of privacy in the social networking world, the continuing evolution of users’ privacy expectations, and the limitations of giving users granular control of their personal information.

I had the honor of participating in my first Oxford-style debate at The Economist’s Media Convergence Forum in New York City on Wednesday. The proposition before us was: Consumers have more to gain than lose from sharing personal information. Dave Morgan, Chief Executive Officer of Simulmedia joined me on the ‘Con’ side of the debate. Matthew Wise, President and CEO of Q Interactive and Jeff Jarvis, author of “What would Google do?’ and the Buzz Machine Blog led the pro side.

Before the debate started the audience was polled and voted 75% to 25% in favor of the proposition. I was not surprised considering that many attendees of the conference were new media marketers. Clearly, Dave and I had our work cut out for us.

Jeff and Matt gave a spirited argument that sharing information was good for business and good for those consumers who willingly chose to share their data. Dave and I responded that we agree that, if users did control their data today, they might be better off choosing to share it, unfortunately, law, technology and corporate policy are often at odds today with providing users anything resembling control. Obviously, I’m vastly summarizing all arguments here, but this gives you a taste.

In the end, there was a revote that went 42% to 58% opposed to the proposition.

A lot of things account for the change of heart of the crowd. First and foremost, Dave Morgan was clearly a good partner as a veteran and well-respected leader in the online behavioral targeting industry who believes that we can have both targeted ads and privacy. Second, I believe that most industry players understand that the Web 2.0 world demands that individuals be granted greater control be given over their information. They know that we have simply outgrown of the 1980s direct marketing world that says that the company owns the consumer’s data.

When presented a coherent argument that is pro-advertising and pro-privacy, even those who earn their money as advertisers but don’t represent the industry in policy debates are willing to support it.

Recently Syracuse University, my alma mater, took steps to increase campus security by installing a video-surveillance system in all entrances and exits of residence halls and one academic building. This took two years of planning for the 168 new cameras being installed on campus, but it is unclear how the University is ensuring the privacy of students as they begin to monitor the campus over video.

When implementing a video surveillance system of this scale, people often forget that it’s not just the “bad guys” and criminals that end up on the tape, it’s every person walking through the building. Every day, these tapes will archive the movements of thousands of students, faculty and staff members at the university, most of which will never be involved in a crime.

Students may worry that “big brother” is watching them even as they go about the mundane details of their day, moving in and out of their buildings, but they should also be aware of data retention issues associated with this system and demand answers and that appropriate privacy policies be put in place. Before they are surveilled, students need to know how long the tapes are kept if no crime is involved, what steps are taken to prevent theft of the footage, and who has access to the footage for what purposes. Will the footage be used only for criminal investigations, or will the scope of the project creep as new groups want to use it?

The issues surrounding the surveillance project become less about whether or not students are safer on campus and more about students taking back the right to their privacy by being able to protect themselves and their identities from unwarranted third party involvement. The more hands a student’s information or image passes through, the more this project grows in scope.

With the allure of all of this information, suddenly it’s not just public safety viewing the images, it’s also the health office or the student judiciary office or the scholarship office. Without clear guidelines noting who can or cannot access these videos, students have essentially given the school a blank check on their privacy rights – with no limit on who can access their information.
(more…)

Digital signage media – video displays on screens ranging from TV-sized monitors in stores to roadside billboards – is maturing into an offline version of behavioral advertising. What effect will this have on consumers’ expectation of privacy in public spaces?

Recently, in the UK, a fresh example arose of the growing conflict between these digital signs and privacy laws. Castrol, the maker of motor oil, launched an advertising pilot in which roadside cameras scanned the license plates of passing cars and then digital billboards displayed the license numbers along with the grade of motor oil Castrol recommends for that type of car. The system was able to discern the make and model of each vehicle by running the license number through a database, containing the personal information of tens of millions of drivers, purchased from the British equivalent of the Department of Motor Vehicles.
(more…)

Earlier today, Judge Denny Chin approved an aggressive schedule for the parties in the Google Books lawsuit to submit an amended settlement agreement. Michael Boni, speaking for all parties, indicated that the parties have been hard at work since the Department of Justice raised concerns about the original settlement (arrived at after years of negotiation), and that a revised settlement will be ready in early November. Judge Chin consequently set a deadline of November 9. While no other court dates were set, the parties did indicate that the deadline for rightsholders to claim their copyright interest in works that Google has scanned would be extended from January 5, 2010 to June 5, 2010.

Boni argued that extensive additional notice to the class of rightsholders will not be necessary, as the amendments will all benefit the class. Based on this, he asserted the parties’ desire to have a final fairness hearing—formerly scheduled for today—in late December or early January. It will be interesting to see if Judge Chin agrees upon seeing the revised settlement, especially since much of the commentary on the settlement, including that of the DOJ, has raised questions about the adequacy of the prior notice to the class members, given the sheer size of the class.
(more…)