
8 questions about online privacy

ASK THIS | March 15, 2011

Will the U.S. follow Europe's lead in establishing strict online privacy rules? Or will powerful interests have their way and maintain the status quo? Darren Hayes, a Pace University expert in computer security, poses questions that should come up before, during, or after a Senate Commerce Committee hearing into the topic.


By Darren Hayes
 
The United States and Europe are worlds apart when it comes to online privacy. There are very strict guidelines in Europe when it comes to capturing and storing personally identifiable information and also draconian laws protecting the sharing of information. Not so in the United States, where the interests of those organizations sharing personal information are staunchly defended by well-paid lobbyists in Washington.
 
Proxy services and tools to obfuscate the identities of those online and their activity are growing in number. Tools like Tor have been developed to protect privacy and prevent network surveillance. Recent announcements by companies like Mozilla, with their Track Me Not tool, indicate that it is good public relations to allow online users a modicum of privacy.
 
The Senate Commerce Committee is holding a hearing on online privacy on Wednesday, March 16. One point of reference will be proposed legislation from Senators John McCain (R-Ariz.) and John Kerry (D-Mass.) that would create an “online privacy bill of rights.”
 
It seems unlikely that any dramatic changes will pass this Congress, however, given the political clout of large organizations like Google and Facebook who depend on using personally identifiable information to sell to marketing companies. With billions of dollars at stake, don’t expect large corporations to stop tracking your online activity.
 
Here are some questions that senators – and reporters – should be asking:
 
Q.  What is driving the push for new legislation?
 
The Federal Trade Commission (FTC) appears to have initiated this discussion. Do proponents view online privacy as a constitutional issue or primarily as a move to reduce identity theft?
 
Q.  Where will the focus of preventing online tracking be?
 
It is important for us to know where online privacy will be enforced. For example, will our privacy be protected at the web browser level or at the online retailer level? Will cellphone service providers be subject to online privacy laws? If a new system is introduced, like the do-not-call list that the FTC has referred to, then the assumption is that an individual can opt out in one central place. How practical is that given the number of ways we access the Internet and the variation in the type of information that is collected?
 
Q.  Will there be any similarities to the European Union’s (EU) laws pertaining to online privacy in any proposed legislation?
 
The EU already has severe laws about personal privacy. For example, a U.S. employer can easily monitor employee activity. In the EU you must ask the employee's permission before you start to read through e-mails sent from the corporate e-mail server. Now the EU is proposing even tougher legislation to protect the privacy of those online. If approved, the new rules would allow people to correct, delete or block their personal information. There would also be stricter penalties, like criminal charges against violators of the proposed legislation. The proposed laws will provide greater control for social networking participants over their personal profiles. It appears that the Kerry-McCain initiative will not go nearly as far. Additionally, we do not know what type of penalties are being contemplated. We need to find out.
 
Q.  Will individuals be opted in for personal data collection by default?
 
Anti-spamming laws were supported by spammers because individuals are opted in by default until they opt out. Spammers simply need to include a link at the bottom of the page to allow a user to opt out. Until that link is clicked, the spam keeps coming.
 
Q.  What will the impact of this new legislation be on businesses like DoubleClick?
 
The business model of companies like DoubleClick (which is now a subsidiary of Google) largely relies on the use of HTTP cookies to track the websites that Internet users go to. Will companies like that be able to survive? It is hard to envision that companies like Google and Facebook, which largely depend on monitoring online users and using that information to benefit advertisers, will simply accept a new do-not-track system. I am sure that there will be powerful lobbyists on Capitol Hill fighting against this legislation to protect the billions of dollars derived from identifying Internet users and their preferences.
 
Q.  What will stop companies who do not agree with these new privacy policies from simply moving their servers outside of the U.S.?
 
We cannot prevent U.S. residents from using online gambling services because these companies maintain their servers outside of the U.S. Companies who are opposed to this legislation may leave. Other companies may access personally identifiable information from tracking companies with servers located abroad.
 
Q.  What will the impact of online privacy legislation be on computer forensics?
 
Computer forensics examiners often rely on the longevity of Internet history on a suspect’s computer or on Web servers that they have communicated with. This legislation may reduce the amount of personally identifiable information and potentially hinder access to incriminating evidence.
 
Q.  What will be the impact of the recent ruling, involving online privacy, on the Sony Computer Entertainment America case?
 
In the recent case of Sony Computer Entertainment America LLC v. Hotz, et al., the judge has granted Sony access to personally identifiable information of individuals who visited Hotz’s website, Twitter account, YouTube video and blog. (Hotz is alleged to have provided a jailbreak solution for Sony’s PS3 gaming console, thereby allowing its users to install software that has not been sanctioned by Sony.) Sony claims that Hotz has breached the Digital Millennium Copyright Act by providing consumers with a circumvention device. It would be interesting to hear McCain and Kerry’s opinion on that ruling.
 
Darren Hayes is an expert in the field of computer forensics and security. At Pace University, he is the Computer Information Systems Program Chair.

