Earlier this week, I had the pleasure of participating on a panel about location-based services at the FTC’s town hall meeting, Beyond Voice: Mapping the Mobile Marketplace. Now that the number of U.S. consumers who own a mobile device has outpaced the number of U.S. Internet users, the policy issues in the mobile space are taking on increased importance. And with numerous new technologies that can determine the location of a mobile device – not to mention a government mandate that mobile phones should be locatable for 911 emergency purposes – location privacy issues are sure to be front and center.

In a separate proceeding at the FTC, the Commission recently asked for input about what kinds of data should be considered “sensitive” in the behavioral advertising context, where consumers’ online activities are tracked for the purposes of displaying relevant advertisements to them. CDT suggested that geographic location information should be considered as a sensitive data category that deserves special protections, in part because of the unique privacy challenges that location information presents.
(more…)

Nine days ago, Sophia Cope blogged about how Homeland Secretary Secretary Michael Chertoff suggested that REAL IDs cannot be skimmed, in sharp contrast to DHS REAL ID Regs, which clearly say that the REAL ID is at risk of skimming. Today, CDT Fellow Peter Swire blogged on the Center for American Progress Web site about a new Chertoff statement where he said that “fingerprints aren’t ‘Personal Data.’” Swire shows that this comment lies in sharp contrast to DHS’ stated policy that fingerprints are “personally identifiable information.”

It is now time for DHS to make clear, is Chertoff purposely suggesting changes to existing policy or are these both misstatements?

Advertisers have long characterized the Internet as a marketing gold mine, with an abundance of granular data about the things we like, who we are, and what we shop for. The key has always been in harnessing this data, and online network advertising companies are continually seeking to cast wider and wider nets to learn more about individual users’ tastes and preferences. In recent months, however, a new breed of companies has started tapping into the ultimate source of online information about you – your Internet Service Provider (ISP).

The basic operating model for these new kinds of ad networks goes something like this: they strike deals with ISPs that allow the ad networks to collect and categorize individual Internet traffic streams – so if you do Web searches for airline flights and basketball scores, the ad network might tag you as a traveler and sports fan. As you surf the Web, you will then start to see travel or sports-related ads on sites where the network has purchased advertising space. How much information the ad networks keep, how long they keep it for, and how they go about scrubbing the data to remove personal information varies from company to company.

Given the amount and scope of data that ISPs are beginning to share with these companies, this model raises some serious privacy questions (which I spoke briefly about at the FTC’s recent behavioral targeting town hall meeting). And the early experiences of these companies are starting to prove just how difficult it will be to implement these systems in a privacy-protective manner – if it’s possible at all.

(more…)

This week, I was fortunate to moderate a panel called White House 2.0 at the Politics Online Conference in Washington this week. The panel asked the question — If Web 2.0 technology has pervaded the campaigns this year, how will the technology be used to govern in the future? Panelists had a diversity of views — Tom Steinberg of My Society demonstrated that this has already been done to widespread approval in the UK with No. 10 Downing Street’s popular petition Web site; Ellen Miller of the Sunlight Foundation suggested that there was so much that could be done in the name of accountability because the Bush Administration has done so little; Former Rep. Rick White said that elected officials really don’t run on technology issues and that is part of the reason that they are slower to use them; and Former White House Internet and E-Communciations Director for the Bush Administration, David Almacy, who now works for Waggner Edstrom, regaled us with tales of how difficult it actually is to get anything accomplished on the whitehouse.gov Web site. Ideas such as a US petition site and a Wiki budget site were raised as well.

Andrew Feinberg took nice photos and political consultant David All got David Almacy’s ideas on what the next president should do up on YouTube for your viewing pleasure.

The Internet has been abuzz in recent days (see the New York Times, Ars Technica, and the Google Public Policy Blog) with the question of whether Internet Protocol (IP) addresses collected by online companies should be considered as “personal data” (in European Union terminology) or “personally identifiable information” (in U.S. terminology) that can be used to identify an individual. A central issue in the debate is whether the same IP address is assigned to the same computer every time the computer connects to the Internet. Some ISPs use “static” IP addresses which are fixed over time, allowing all the Internet traffic generated by a particular computer on the network to be associated with the same IP address. Others use the Dynamic Host Configuration Protocol (DHCP) to assign “dynamic” addresses that change each time a computer connects to the network. Although there are other reasons why a computer’s IP address may change over time, DHCP is certainly one of the most prominent.

Curiously absent from the discussion thus far has been the prospect of transitioning from our current IP addressing structure – known as IPv4 – to the next-generation IPv6 standard. IPv6 was developed over a decade ago to deal with several shortcomings of the IPv4 standard, most notably a potential shortage of IP addresses (only about one third of the original pool of useable IPv4 addresses remain available).

One of the new features in IPv6 is known as “stateless autoconfiguration,” which allows a computer to generate its own IP address and eliminates the need for DHCP. In some implementations of IPv6, the same computer will always generate the same IP address for itself, much in the same way that static IPv4 addresses remain consistent over time. Although not all implementations will necessarily operate this way, from a technical networking perspective there are many reasons why maintaining the same IP address over time may be attractive. Thus, as IPv6 is rolled out on a large scale – which it most certainly will be at some point down the line, perhaps as early as this year in China – it’s possible that many more Internet users will have static IP addresses, and thus many more IP addresses will be more easily relatable to individuals. This is surely important to keep in mind as we navigate future questions about IP addresses as personal data.

The debate about the privacy of IP addresses is far from over. As our thinking on this issue evolves, we continually find ourselves coming back to the EU’s Article 29 Data Protection Working Party opinion on the concept of personal data, issued last summer. As perhaps the most thorough exploration to date of what “personal data” means in an online context, we recommend that anyone interested in this topic give it a close read.

Two recent papers published by the Pew Internet and American Life Project highlight the continued growing concern about privacy.

In Privacy Implications of Fast, Mobile Internet Access, Susannah Fox suggests that consumers are reluctant to share personal information when they are given control over disclosure:

More generally, consumers are now expressing a more consistent interest in control over personal information: for, example, 59% of adults have refused to provide information to a business or company because they thought it was not really necessary or was too personal. Still, many people are uploading their work histories to LinkedIn, or their photos to Flickr, or their personal musings MySpace, choosing to connect their online identities with these key pieces of personal information.

John Horrigan’s report on online shopping reinforces this finding:

Most online Americans have high levels of concern about sending personal or credit card information over the internet.

While the number of e-shoppers continues to grow, there is still widespread concern in the internet population about the safety of financial and personal data online.

75% of Internet users either agree (39%) or strongly agree (36%) with the proposition that they do not like giving out their credit card number or personal information online.

It is becoming clear that new Internet business models are beginning to make online consumers in America even more uneasy about their privacy than they already were.

In May, we wrote a widely circulated policy post highlighting the privacy issues involved in an Internal Revenue Service (IRS) proposal that would require “brokers” — including online auction sites like eBay — to collect the Social Security numbers of millions of users. The plan was part of the Bush budget proposal to Congress last year. Fortunately, Congress did not take it up last year, thanks in part to the leadership of retiring Rep. Tom Davis, (R-VA).

It seems that the Administration got the message and has not included the same proposal in this year’s budget. Since the Administration has been the main proponent of the proposal, it seems unlikely that it will pop up this year without that budget push. We can hope, this being the last budget of the Bush Administration, that this spells the death of this proposal, but we always have to be alert for zombies that rise from the dead, no?

Just five days after the Department of Homeland Security released the final regulations to implement the REAL ID Act, DHS Assistant Secretary for Policy Stewart Baker suggested yet another terrifying use of the controversial ID card: to buy Sudafed. This followed the Department’s official position in the final rules that it has no intention of turning REAL ID into a national ID card, and will limit its required uses to those called for in the law. But Baker’s suggestion is just the sort of mission creep that worries us here at CDT.

In the final regulations, DHS appropriately limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, Baker suggested that REAL ID could also help combat methamphetamine production: “If you have good ID… you make it much harder for the meth labs to function in this country.” Listen to Baker’s speech at the Heritage Foundation.
(more…)

CDT is still considering the policy implications of Microsoft’s unsolicited takeover offer for Yahoo. Clearly, this would have a major impact on the Internet.

Our colleague, and CDT Fellow, Peter Swire has a detailed summary that he posted to the Center for American Progress Web site.

He also sent us this quick overview:

Privacy Issues Will be Key in Review of Microsoft/Yahoo Deal

Privacy issues will be central to the forthcoming antitrust merger review of today’s $44.6 billion bid by Microsoft Corp. for Yahoo Inc. U.S. antitrust authorities have already studied these privacy issues in connection with the proposed merger of Google Inc. and DoubleClick, which is still under review in Europe. U.S. and European authorities will almost certainly investigate the privacy aspects of today’s proposed merger more fully than any other merger in history.

Although more issues may emerge over time, the market for search looks like it will be the focus of privacy issues of the proposed Microsoft/Yahoo merger. The two companies are probably No. 2 and No. 3, respectively, in the enormous global market for search. The companies will likely argue that their merger will make them a more effective competitor against market leader Google.

The privacy concern is that the merger could reduce competition for privacy in search. We have seen major privacy initiatives in search engines in the past year. Microsoft announced new privacy protections last fall. Google did the same during the merger discussions. And the fourth-largest search company, Ask.com, recently rolled out its “AskEraser” privacy-enhanced search.

Antitrust authorities thus need to investigate the effects on competition for search privacy from the proposed Microsoft/Yahoo merger. Based on the Commissioners’ statements in the Google decision, it seems highly likely that the FTC would conduct that investigation if it reviews this merger.

This year, North America joins 27 European countries to celebrate Data Privacy Day. Beginning January, 28th, the week-long event is punctuated by several efforts looking to raise the visibility of privacy issues at home and abroad. The International Association of Privacy Professionals has put together some nice resources for the occasion.

CDT will be involved in several relevant events:

CDT is participating by co-sponsoring today’s conference at Duke University entitled Data Privacy in Transatlantic Perspective.

CDT President Leslie Harris will moderate a panel on Health IT discussing medical privacy issues at the Congressional Internet Caucus Advisory Committee’s State of the Net Conference on Wednesday.

On Thursday, CDT will also host the 4th Anti-Spyware Coalition Public Workshop.