Archive for November, 2005

Enforcement of Privacy Policies

Monday, November 28th, 2005

ThePrivacyPlace.org is currently conducting a survey to gauge user comprehension and views on privacy policies. While conducting the survey, we’ve received several pieces of valuable feedback from our participants. One particular area of interest is the lack of enforceability of privacy policies. Many respondents expressed concern that privacy policies are useless because the privacy practices of an institution may not be in compliance with their privacy policy. Furthermore, the privacy policy may not be a consideration when the business is sold or goes bankrupt.

This is a very good point. However, we cannot abandon privacy policies because of the current lack of enforcement. We will need to maintain privacy policies for those mechanisms that are in place, or being put into place, to ensure compliance with the policies. For example, consider the UK Information Commissioner’s Office’s recent unveiling of their new enforcement strategy. David Smith, the new deputy information commissioner, has announced that his office will bring enforcement actions against businesses that deliberately or repeatedly ignore their responsibilities under the Data Protection Act of 1998.

Privacy policies are necessary policies because we require accountability. We need to hold organizations accountable for their privacy practices, and one such way of doing so is to ensure that companies are keeping their promises (via the privacy policies) to consumers.

Read more about the Information Commissioner’s Office’s new strategy here.

Can Your Google Searches Incriminate You?

Tuesday, November 22nd, 2005

Slashdot posted a blurb about a Raleigh, NC WRAL.com news article detailing how a Google search has been used in a criminal case. Apparently, the defendant searched Google for the words “neck”, “snap”, “break”, and “hold” before the death of his wife. The evidence was found on the defendant’s computer after a search of his home.

The Slashdot blogger asks questions such as: “Should police be able to search through your search history for ‘questionable’ searches before you’ve been arrested for a crime, and what effect would this have on the health of society?”

It seems to me that the debate here is about the confidentiality of your online activities and whether the lack thereof would compromise the health of society. Personally, I believe that, with probable cause and a warrant, Google searches and search histories are fair game. It seems no different than rifling through your videotapes, mail, and magazines to see what you’ve been reading about lately. If all of these media are admissible, I don’t see why Google searches wouldn’t be. The fact that it is in digital form and easily accessible would seem irrelevant.

As privacy researchers, we are interested in protecting the rights of individuals. However, this must be tempered with common sense and an overarching goal of benefiting society. In this case, it seems that this particular invasion of privacy is legal and probably just.

Read more about the article and commentary here.

What is Identity Theft, exactly?

Tuesday, November 15th, 2005

The fears and discussions of identity theft have increasingly flooded news sites and blogs in 2005, yet it is not always clear exactly what constitutes identity theft when data breaches and frauds are discussed. For example, the oft-discussed ChoicePoint data breach involved the fraudulent acquisition of over 145,000 people’s personal information, yet fewer than 1,000 individuals have been reported to have suffered any direct losses as a result. Back on February 18, Cox News Service reported that “the criminals collected enough financial data to begin buying everything from jewels to consumer electronics … at least 765 such crimes have come to light so far” (the article, “ChoicePoint boss keeps low profile amid crisis”, is available on Lexis/Nexis). So is it proper to say that 765 people were identity theft victims, or 145,000? The media has not particularly attempted to distinguish the 765 victims from the 145,000 exposed to risk. To the media, all have been victims of identity theft - is this an accurate claim?

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

  • identity theft: unauthorized access to personal records;

  • identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ ends up being how the misuse of an existing credit card is classified. If a criminal simply getting your existing credit card number and embarking on a shopping spree is identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead, we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.

Wiretapping on the Internet: the government seeks greater access

Friday, November 11th, 2005

Every communications medium brings with it the potential for misuse, and the government has always been eager to have some sort of ‘backdoor’ access into that medium so as to avoid being left in the dark. Sometimes the only way to catch criminals/terrorists in the act has been to tap their communications - be it on traditional phone lines, cell phones, or email. Now with the recent surge in VoIP (Voice over IP) usage, the government once again seeks to ensure its ability to ‘tap the lines’ and monitor any suspected criminal activity.

CALEA, the Communications Assistance for Law Enforcement Act, came into effect 11 years ago as a way for the federal government to wiretap ‘telecommunications carriers’; the government now wants to expand that act’s coverage to include VoIP providers and ISPs carrying VoIP traffic. The current push is to get CALEA extended in full force to Internet phone traffic in the next 18 months. A new C|Net article details the government’s position, as well as some of the challenges being raised to this expansion. The challenges, however, largely focus on seeking exemptions for particular groups, such as universities, from having to add such backdoors to their systems.

Upon some basic review, it seems that the government’s position is a difficult one to maintain. The desire for wiretapping is understandable: in theory, wiretapping is reserved for when the government cannot gather evidence in other ways but has verifiable suspicion of wrongdoing. Granting exemptions to several groups may, however, simply result in criminals using those systems for their activities; if all universities are exempt from providing backdoor access to their systems, then surely those networks would be the logical place to conduct (illegal) business. From a privacy perspective, in gaining this expansion the government would be extending a very broad net of backdoor access to Internet traffic. It is also unclear whether CALEA was ever meant to extend into the online world. An earlier C|Net article covered many of the privacy and legal arguments raised by VoIP providers and concerned advocacy groups.

Sony’s Secret Software on CDs

Thursday, November 10th, 2005

The Electronic Frontier Foundation reports that Sony has been shipping CDs that infect computers with a rootkit. A rootkit is a set of programs or tools, generally installed by hackers, that run stealthily in the background. Sony’s rootkit, called XCP2 and developed by First 4 Internet, “protects” music from being illegally copied. However, the software also seems to prevent legal uses of the CDs such as listening to the songs on your iPod. It also reportedly slows down PCs and makes computers more susceptible to attacks. Unfortunately, the software hides itself, so you may not even know you are infected.

To Sony’s credit, you can distinguish which CDs have this software by noting the “CONTENT-FILTERED” label on the left transparent spine of the CD case and the fine print on the back of the CD case. Although, I might take that back. Given the stealthy nature of the software, and the fact that Sony is unwilling to disclose a list of the CDs with this software installed on them, it seems that Sony is only disclosing as much information as is required. Privacy doesn’t just deal with the confidentiality of information; it also concerns the availability of your information. In this instance, Sony is abusing the inherent trust a consumer has in their newly purchased product.

To read more about this or to obtain a list of the known infected CDs, click here to read the EFF article.

Apparently, lawyers in California have filed a class-action lawsuit against Sony to prevent them from selling CDs with this software on them. Furthermore, California is seeking monetary damages for its consumers. A suit in New York is expected to be filed later today.

National Security Letters

Wednesday, November 9th, 2005

According to a Washington Post article, the FBI can issue a letter to an Internet Service Provider (ISP) or financial institution forcing them to hand over information on their customers. The Post article describes a situation where George Christian, who manages digital records for libraries in Connecticut, was approached by the FBI, which demanded he turn over information about usage on a specific computer. They also warned him not to tell anyone about the demand, ever.

The Washington Post explains the nature of the letters:

The FBI now issues more than 30,000 national security letters a year, according to government sources, a hundredfold increase over historic norms. The letters — one of which can be used to sweep up the records of many people — are extending the bureau’s reach as never before into the telephone calls, correspondence and financial lives of ordinary Americans.

Issued by FBI field supervisors, national security letters do not need the imprimatur of a prosecutor, grand jury or judge. They receive no review after the fact by the Justice Department or Congress. The executive branch maintains only statistics, which are incomplete and confined to classified reports. The Bush administration defeated legislation and a lawsuit to require a public accounting, and has offered no example in which the use of a national security letter helped disrupt a terrorist plot.

The most disturbing part about this, to me at least, is the lack of checks and balances in place. This gives the FBI carte blanche to invade the privacy of any individual, at any time, for any reason, leaving individuals with little to no recourse.

Read more in the Washington Post article here.

What Your Word Processor Can Reveal About You

Tuesday, November 8th, 2005

The Concurring Opinions Privacy Blog had a very descriptive and informative post that explains how Microsoft Word documents may give away information about you that you are unaware of. They point out that Microsoft Word documents contain “metadata” that encodes information about the authors and editors of each document. They also cite a few examples of how this can come back to haunt you.

Similarly, according to this article, the Electronic Frontier Foundation has cracked a secret printer code with the Xerox DocuColor line of laser printers. Apparently, this is the word of the U.S. Secret Service. Encoded in each document printed from the laser printer are the date and time the document was printed, as well as the serial number of the printer.

The point is, your privacy may be at risk in ways you aren’t aware of.

Microsoft Calls for National Privacy Law

Tuesday, November 8th, 2005

According to a Washington Post article, in an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.

To many of us, this is shocking news. However shocking, though, it is good news for privacy advocates. Microsoft is proposing that data keepers notify consumers when the institution’s privacy policy has changed, as well as allowing users to be able to view information that companies hold about them. If such legislation is enacted, and if no provisions are written in to prevent it, consumers can query data keepers such as ChoicePoint as to what information they have aggregated about themselves.

Personally and professionally, I believe this would be a step in the right direction and a victory for privacy advocates. It also helps that a large company such as Microsoft is advocating on our behalf. Maybe now that the corporations are lining up, Congress will listen to us.

What you say (online) can be used against you

Thursday, November 3rd, 2005

The allure of posting thoughts, feelings, and commentary online has generally been fueled by the freedom and (at least pseudo) anonymity that the Internet provides. A person can start a blog or post on numerous social networking sites without fear of reprisal, as he/she will generally use a pseudonym or simply leave an anonymous comment. However, as the Internet has become more mainstream, companies and organizations are increasingly trying to discover the identities of such posters and hold them accountable for their words, actions, or portrayed behavior. Two recent situations receiving news coverage illustrate this trend.

The first example involves an employee who posted an anonymous comment (which included a racial slur) to a Yahoo! message board discussing his company. The company, Allegheny Energy Service, discovered the post and sued to reveal the identity of this anonymous poster. The company eventually received a subpoena and compelled Yahoo! to reveal the poster’s identity, and then fired the poster for the racial slur. The employee is countersuing for wrongful termination, among other claims. GWU law professor Daniel Solove, in his blog Concurring Opinions, discusses this situation in greater detail, including analyzing the legal situation surrounding the original suit and the countersuit.

On a college level, many students are now members of a site called the Facebook, which describes itself as “an online directory that connects people through social networks at schools”. Students can post pictures and personal details, as well as engage in discussions about anything and join groups for common interests. However, not just students are taking note, and some students have found themselves held accountable for the pictures and words posted online. A student paper at Boston College, The Heights, covers in this article how students have been subject to disciplinary action and, in one case so far, expulsion at the hands of university officials. You can use the print feature to view all article text without having to register for the site, as clicking to view the next page will force you into a registration process. The article summarizes the situation with this statement: “Students at schools across the country have recently been charged with everything from alcohol related infractions to making threatening comments to a campus police officer - all from photos or information posted on the Facebook.”

Both of these stories show the difficulty of maintaining any sort of private online identity, separate and distinct from the real world. In both cases, the actions of the company/university are somewhat questionable, as they involve pursuing the employee/student outside of the work environment and into that individual’s actions at home. In the case of the university, though, the students’ homes may be university property, in which case different rules may apply.