Wednesday, March 30, 2011

Everything you do online reveals your identity

James Nixon, March 29, 2011

Identity theft isn't the biggest threat to your privacy online. According to one leading US lawyer, it's the details you give away without realising - and even seemingly anonymous data can be used to piece together your identity.

'Re-identification' - the process of piecing together someone's ID from fragments of anonymous data - could see our darkest secrets in the hands of unscrupulous marketeers, governments and even criminals.

Paul Ohm, Associate Professor of Law at the University of Colorado Law School, should know: he's a former trial attorney in the US Department of Justice's Computer Crime and Intellectual Property Section.

In a recent interview with IT news website Smart Planet, he explained that it was now possible for data on an individual from disparate sources to be pieced together - thanks in part to a boom in processing power, but also due to the new-found willingness of Internet users to give away information about themselves, through interactive services and social networking.

According to research by Ohm, simply deleting personal details such as names and social security numbers is not the "silver bullet" required to disguise our identity from potential snoopers. And it's a problem that is being overlooked not only by regulators, but by so-called 'experts' in data management and privacy.

Ohm explains that anything a user leaves behind on the Internet can be used to piece together their identity - movie ratings, previous purchases: anything that allows snoopers to home in on what Ohm terms their "human uniqueness".

It doesn't even require a great deal of information to identify an individual, says Ohm. Just "six to eight" anonymously posted movie reviews on a site like Netflix could be enough to pinpoint a single user in a crowd.
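Ohm's point that deleting names is not a silver bullet can be checked directly on a table. The following is an added example (not from the article or from Ohm's research): it takes a constructed, name-stripped ratings table with invented column names and measures how many records stay unique on demographics alone, on a couple of movie ratings alone, and on both combined, then shows the generalisation step that actually lowers uniqueness.

```python
"""Re-identification risk of a 'de-identified' table.

Added example, not from the article or from Paul Ohm's research. It measures
how many records in a table remain unique once names have been deleted: first
on demographic quasi-identifiers, then on a handful of movie ratings, then on
both together, and finally after generalising the demographics. All records
and column names below are constructed for illustration.
"""
from collections import Counter

# Constructed sample: names and account numbers already removed.
# 'rated' holds the titles a person reviewed; a frozenset so it can be hashed.
RECORDS = [
    {"zip": "80302", "birth": 1975, "sex": "F", "rated": frozenset({"Heat", "Alien"})},
    {"zip": "80302", "birth": 1975, "sex": "M", "rated": frozenset({"Heat", "Amelie"})},
    {"zip": "80303", "birth": 1982, "sex": "F", "rated": frozenset({"Alien", "Amelie"})},
    {"zip": "80303", "birth": 1982, "sex": "F", "rated": frozenset({"Heat", "Alien"})},
    {"zip": "80305", "birth": 1985, "sex": "M", "rated": frozenset({"Heat", "Memento"})},
    {"zip": "80301", "birth": 1978, "sex": "F", "rated": frozenset({"Memento", "Brazil"})},
    {"zip": "80304", "birth": 1975, "sex": "M", "rated": frozenset({"Alien", "Memento"})},
    {"zip": "80302", "birth": 1983, "sex": "F", "rated": frozenset({"Amelie", "Ghost"})},
    {"zip": "80309", "birth": 1971, "sex": "M", "rated": frozenset({"Brazil", "Ghost"})},
    {"zip": "80303", "birth": 1982, "sex": "M", "rated": frozenset({"Heat", "Ghost"})},
]


def equivalence_classes(records, attrs):
    """Group records by the values of the chosen attributes.

    Returns a Counter keyed by the attribute tuple; the count is the size of
    that group, i.e. how many people the attribute combination could describe.
    """
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """k-anonymity of the table for these attributes: the smallest group size.

    k == 1 means at least one record is the only one with its combination, so
    anyone who knows that combination about a person knows which row is theirs.
    """
    return min(equivalence_classes(records, attrs).values())


def unique_fraction(records, attrs):
    """Share of records that are alone in their group (directly singled out)."""
    classes = equivalence_classes(records, attrs)
    singletons = sum(1 for r in records if classes[tuple(r[a] for a in attrs)] == 1)
    return singletons / len(records)


def generalize(record):
    """Coarsen the demographics: 3-digit ZIP prefix and decade of birth.

    This is the kind of step that actually reduces uniqueness, as opposed to
    merely deleting the name column.
    """
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3]
    coarse["birth"] = f"{record['birth'] // 10 * 10}s"
    return coarse


def risk_report(records):
    """Return {label: (k, unique_fraction)} for the attribute sets of interest."""
    generalized = [generalize(r) for r in records]
    checks = {
        "demographics (zip, birth, sex)": (records, ("zip", "birth", "sex")),
        "ratings only": (records, ("rated",)),
        "demographics + ratings": (records, ("zip", "birth", "sex", "rated")),
        "generalised demographics (zip3, decade)": (generalized, ("zip", "birth")),
    }
    return {
        label: (k_anonymity(rows, attrs), unique_fraction(rows, attrs))
        for label, (rows, attrs) in checks.items()
    }


if __name__ == "__main__":
    for label, (k, frac) in risk_report(RECORDS).items():
        print(f"{label:42s} k={k}  unique={frac:.0%}")
```

On this constructed table, 80% of rows are unique on demographics alone and 80% on two ratings alone, every row is unique once the two sources are joined, and only the generalised table reaches k=5 with no singletons.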

Ohm says the time has come for a fresh look at privacy law that regulates the way in which companies are allowed to draw inferences from the data they hold - a move that could prevent e-commerce sites such as Amazon collecting and using data on a customer's purchase history to make recommendations:

"We have 100 years of regulating privacy by focusing on the information a particular person has. But real privacy harm will come not from the information they have but the inferences they can draw from the data they have. No law I have ever seen regulates inferences.

So maybe in the future we may regulate inferences in a really different way; it seems strange to say you can have all this data but you can't take this next step. But I think that's what the law has to do."

Ohm warns that the consequence of protecting privacy in this way is that some services, which previously traded on their ability to capture and use this information, will no longer be free.

"We have to get used to talking about the price of privacy. People are starting to say, if you have this privacy law, and industry doesn't have access to this big database, your favourite website will no longer be free. I actually think that's the right conversation. Maybe we should give up some of the efficiency and convenience of the Internet if we can protect privacy."

The threat of large-scale 're-identification' along the lines Ohm describes appears to be a very real one.

Earlier this month, members of online hacktivist collective Anonymous claimed to have uncovered evidence that the US military is developing software that could be used to control an army of fake profiles on social networks such as Facebook. According to patents revealed by Anonymous, the software could be used to identify users by cross-referencing information such as an author's writing style from different sites.

Privacy: The new generations

Omer Tene*
The current international legal framework for data protection and privacy is founded on instruments such as the 1980 OECD Guidelines and the European Union Data Protection Directive that date from the 1980s and 1990s.

At the time these instruments were drafted, technologies that have become pervasive today (such as the Internet, social networking, biometrics, and many others) were virtually unknown. Moreover, a new generation of users has grown up in the last few years that has come to integrate online technologies into the fabric of their daily lives.

Privacy legislation has not kept up with these developments and remains based on concepts developed in the mainframe era. Thus, we need a new generation of privacy governance to cope with the implications of the new generation of online technologies, and to protect the new generation of technology users.


Thursday, March 24, 2011

Jeff Jonas: surveillance society is inevitable

If a surveillance society is inevitable, can privacy measures be embedded in systems?

Jeff Jonas, chief scientist of IBM’s Entity Analytics group, is a man of big ideas—and the ridiculous amount of data that goes with them.

Jonas, speaking at GigaOm’s Structure Big Data conference in New York, talked data and analytics. Among the general themes:

· The more data you have the more “enterprise amnesia” you have.
· Putting context around the data flow is like putting a puzzle together.
· The hard part is putting those puzzle pieces together.
· There’s enough data around now to predict where you’re likely to be on a Thursday around 5:53 p.m.

Add it up and the influx of data—cell phones generate a staggering amount of geolocation data, transactions track you and social streams peg your whereabouts in real time—means we are headed to a surveillance society. “You’re going to wish you had an RFID chip,” quips Jonas. Indeed, the hubbub of RFID tracking a few years ago looks ridiculous today. After all, people voluntarily agree to be tracked in their social stream. 

“The surveillance society is inevitable and irresistible,” said Jonas.

The big question is how privacy models will change while analytics, big-data crunching and information (structured and unstructured) keep flowing unabated.

Jonas is trying to address the problem in an IBM skunkworks project called G2. In a nutshell, G2 is aiming to explore the new physics of big data and produce a system where data finds more data and gives you relevance without asking. This system would eat rows of data for breakfast.

The argument for G2 is that humans aren’t going to be able to ask enough questions to get the most out of data. Instead you’ll get systems that ask the questions of other systems. It’s an algorithm mosh pit that spits out context to us mere humans. Relevance will find you.

Obviously, all of this G2 talk is a bit hard to digest. The biggest worry will be privacy. Jonas noted that G2 will have privacy by design with civil liberties safeguards built in. These features cannot be turned off, said Jonas.

Jonas, who joined IBM via the acquisition of SRD in 2005, got his G2 skunkworks project funded by Big Blue in January. It’s a project worth watching going forward.

This post isn’t going to do G2 justice—I have a lot more to explore—but Jonas outlined the case for G2 and privacy by design in a few blog posts. More reading from Jonas’ blog for the big data wonks in the house:


Tuesday, March 22, 2011

Privacy Bill of Rights: Could Be a Long Slog

by Rob Spiegel, E-Commerce Times, 03/21/11 10:46 AM PT

"If a privacy bill passes and has some teeth, it's a good thing," said tech analyst Rob Enderle. "It really depends on what shape it's in when it gets through. A lot of politicians have kids and grandkids who need to be protected, as well as elderly parents who are exposed to attacks. I think the timing is right on this, but Congress tends to move slowly."

The Obama administration's top adviser on communications and information policy, Assistant Secretary of Commerce Lawrence E. Strickling, backed the Federal Trade Commission's proposal for a "Consumer Privacy Bill of Rights," calling for the passage of online privacy legislation last week.

In testimony before the U.S. Senate Committee on Commerce, Science and Transportation, Strickling recommended limiting the power of advertisers while retaining important online freedoms.

"The department has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet," he said.

Strickling talked about different ways that guidelines regarding online advertiser practices could be applied.

"The Administration urges Congress to enact a 'consumer privacy bill of rights' to provide baseline consumer data privacy protections," he said. "Legislation should consider statutory baseline protections for consumer data privacy that are enforceable at law and are based on a comprehensive set of FIPPs (Fair Information Practice Principles).

"Comprehensive FIPPs, a collection of agreed-upon principles for the handling of consumer information, would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection," said Strickling.

Strickling recommended the Federal Trade Commission (FTC) handle the duty of implementing the new guidelines.

"Granting the FTC explicit authority to enforce baseline privacy principles would strengthen its role in consumer data privacy policy and enforcement, resulting in better protection for consumers and evolving standards that can adapt to a rapidly evolving online marketplace," said Strickling.

Legislation would follow recommendations published in last December's report by the Department of Commerce. The report recommended that consumers be informed more about why their data is being collected and how it will be used. It also called for more limitations of how companies can use consumer data.

What advertisers see as valuable marketing data, consumers could see as an infringement on their privacy.

"The good news is that Internet advertising can deliver results that are relevant to each consumer's wants and needs," Carl Howe, director of anywhere consumer research at the Yankee Group, told the E-Commerce Times. "But the bad news is that for Internet advertising to do that, it must know who you are and what your wants and needs are. It's that knowledge by advertisers and network operators that makes consumers uncomfortable that their privacy is violated."

New legislation would aim to protect customer rights, but it could be a jolt to the advertising industry. "I think this consumer bill of rights is an excellent first step, but the real challenges will be in how it is implemented," said Howe. "Advertisers will argue that blocking them from collecting consumer data will make Internet advertising less valuable to consumers -- and to businesses -- because without the information, ads will become faceless and generic."

Changes in online privacy policies could empower consumers.

"Consumers will want control over which advertisers are allowed to target their needs," said Howe. "They may want the ability to allow the local school to target their children with ads for school supplies, but may not want to release that information to magazine publishers or candy manufacturers. The question is just how much control consumers will have."

New laws would likely try to protect consumers without completely hampering advertisers. "I think the challenge is striking a balance between consumer and advertiser interests," said Howe. "To date, the bias has been to the advertiser being allowed to collect whatever information might be useful. This bill tries to establish rights for the targets of those ads too."

Consumer protection could make the Internet a family-friendlier place to spend time.

"A lot of things that come out of Washington are more of a feel-good statement rather than something serious," Rob Enderle, principal analyst at the Enderle Group, told the E-Commerce Times. "The idea that there would be certain unalienable rights to your privacy is a good thing. Right now everybody and their brother is mining your personal information and making money off it but you."

The administration is trying to avoid the decade-long sluggishness from proposal to law. "Laws typically lag reality by a decade or more. The administration -- to its credit -- is trying to close that gap," said Enderle. "If a privacy bill passes and has some teeth, it's a good thing. It really depends on what shape it's in when it gets through. A lot of politicians have kids and grandkids who need to be protected, as well as elderly parents who are exposed to attacks. I think the timing is right on this, but Congress tends to move slowly."

Saturday, March 19, 2011

A New Internet Privacy Law?

March 18, 2011, NY Times

Considering how much information we entrust to the Internet every day, it is hard to believe there is no general law to protect people’s privacy online. Companies harvest data about people as they surf the Net, assemble it into detailed profiles and sell it to advertisers or others without ever asking permission.

So it is good to see a groundswell of support emerging for minimum standards of privacy, online and off. This week, the Obama administration called for legislation to protect consumers’ privacy. In the Senate, John Kerry is trying to draft a privacy bill of rights with the across-the-aisle support of John McCain.

Microsoft, which runs one of the biggest Internet advertising networks, said it supports a broad-based privacy law. It has just introduced a version of its Explorer browser that allows surfers to block some tools advertisers use to track consumers’ activities online.

It is crucial that lawmakers get this right. There is strong pressure from the advertising industry to water down rules aimed at limiting the data companies can collect and what they can do with it.

Most oppose a sensible proposal by the Federal Trade Commission for a do-not-track option — likely embedded in Web browsers. They have proposed self-regulation instead, and we applaud their desire to do that, but the zeal to self-regulate tends to wane when it is not backed by government rules and enforcement.

Senator Kerry has not yet proposed specific legislation, but he has laid out sound principles. Companies that track people’s activities online must obtain people’s consent first. They must specify what data they are collecting and how they will use it. They need consumers’ go-ahead to use data for any new purpose. They are responsible for the data’s integrity. And consumers should have the right to sever their relationship with data collectors and ask for their file to be deleted.

But there are potential areas of concern. Senator Kerry so far has not called for a do-not-track option. He would allow companies to write their own privacy plans and submit them to the F.T.C. for approval.

That would give companies flexibility to adapt their solutions as technology evolved, but it lacks the simplicity and universality of a do-not-track feature. It could yield a dizzying array of solutions that would confuse consumers about their rights and options and make it more difficult to enforce clear standards. Moreover, it would make it tougher for consumers to keep track of how their information is used and to whom it is sold.

Advertising firms still argue that privacy protections could undermine the free Internet, depriving it of ad revenue by reducing advertisers’ ability to target consumers. This is overstated. Advertisers will still need to advertise. If many people opt out of behavioral targeting, the firms will find other ways to do it.

Privacy protections are long overdue. We hope the swell of support will lead to significant legislation.

Wednesday, March 16, 2011

WSJ: Privacy Measure Draws Support


Sen. John Kerry, a senior Democrat, and technology giant Microsoft Corp. on Wednesday backed the Obama administration's call for broad privacy legislation at a Senate hearing that also exposed hurdles to passing such a law.

"Modern technology allows private entities to observe the activity of Americans on a scale that is unimaginable, and there is no general law" governing the collection and use of that data, Sen. Kerry told the Senate Commerce Committee.

The Massachusetts lawmaker said he was working with others and soon planned to introduce a "privacy bill of rights."

The Commerce Department called at Wednesday's hearing for a privacy law that includes enforceable protections for consumers' personal information and a stronger role for the Federal Trade Commission.

Unlike the European Union, the U.S. doesn't have a federal law establishing a general right to privacy. U.S. laws protect only certain types of information, such as some data about health care or personal finances.

Concerns about the online tracking industry have increased the public's interest in privacy rights. In the past year, The Wall Street Journal's "What They Know" series has revealed that popular websites install thousands of tracking technologies on people's computers without their knowledge, feeding an industry that gathers and sells information on their finances, political leanings and religious interests, among other things.

The FTC and the Commerce Department both have issued recent reports calling for enhanced privacy protections. FTC Chairman Jon Leibowitz told the committee Wednesday that the Journal series "really was a motivation for us to step up our enforcement efforts and write" the report.

He also said one of the articles in the series alerted the FTC to the fact that new tools to stop tracking were technically feasible.

An executive of Microsoft, which makes the most popular Web browser and also operates one of the largest Internet advertising networks, echoed the call for a broad privacy law. The current piecemeal approach to privacy law "is confusing to consumers and costly for businesses," said Erich Andersen, the company's deputy general counsel.

Microsoft is incorporating two additional privacy protections into the new version of its Internet Explorer browser.

The push to enact a federal privacy law remains in its early stages. Sen. Kerry said he has been working on proposed legislation with Sen. John McCain, an Arizona Republican, suggesting support for such a measure crosses party lines.

A spokeswoman for Sen. McCain said he and Sen. Kerry are discussing specific language for the bill.

"Sen. McCain believes that any legislation, if necessary, should respect the consumers' ability to control the use of their personal information, while recognizing the need of companies" to innovate and target advertising to consumers, she said.

Skepticism about the need for a new law also cuts across party lines. Sen. Claire McCaskill, a Missouri Democrat, questioned whether limitations on data collection would hinder the ability of websites to provide free content.

"I just want to make sure that we don't kill the goose that laid the golden egg here under the very laudable rubric of privacy," she said.

Advertisers, too, are wary of new rules. The industry has been promoting an icon that appears on certain ads to alert consumers that they are being targeted, and to let them opt out of the system.

Meanwhile, industry executives have objected to the FTC's call for browser makers to create a "do not track" system that would let Internet users signal they don't want their online movements recorded.

Having both a do-not-track tool and the industry-backed icon could confuse consumers, said John Montgomery, an executive with GroupM Interaction, part of advertising giant WPP PLC.

"It's vitally important to avoid mixed messages," he said.

The FTC's Mr. Leibowitz, however, said a majority of commissioners believe the icon system isn't adequate, because it would allow marketers to continue to collect some data on Web surfers.

"We need to make sure 'do not track' is not an empty slogan," he said.

New concern: The social media and privacy divide

"The Digital Divide" has vexed and worried researchers for at least a decade, raising concerns that entire groups of Americans might be left behind, unable to afford the gadgets of the 21st Century.
Perhaps it's the social network divide they should worry about instead.
There is plenty of empirical evidence that those who choose to avoid Facebook, MySpace, and Twitter suffer social consequences: Ask anyone who missed a party -- or for that matter, a wedding -- that was organized on Facebook.
New evidence from a survey conducted exclusively for suggests that divide is becoming a pitched battle, with simmering frustrations between pro- and anti-social network crowds over an issue that is central to the digital age and the future of social networks: Privacy.
The survey suggests that Americans' opinions on privacy are polarizing towards two extremes -- it's become either much more important or much less important -- and the fault line is social media participation.  It was conducted by The Ponemon Institute as part of's recent four-part privacy series.
The series comes as Congress and the Federal Trade Commission weigh a series of legislative initiatives designed to deal with online privacy issues, including the so-called Do Not Track list, modeled after the wildly popular Do Not Call list.  The Senate Commerce Committee is scheduled to hold a hearing on the issue on Wednesday.
Avid Facebook users said they care much less about privacy than they did five years ago, falling deeper into the "I have nothing to hide, so why worry" category; social media avoiders said they care much more now, and are more concerned than ever about their ability "to be left alone."
(For a deeper exploration of these points of view, read Wilson Rothman's piece aimed at the nothing to hide crowd, Helen Popkin's piece for the privacy elite, and my piece for the middle-of-the-road audience.)
Ordinarily, when asked a more/about the same/less question, most survey takers opt for the middle choice, said Larry Ponemon of The Ponemon Institute. In this case, 36 percent said they cared less about privacy than five years ago, and the same percentage said they care more. Only one in four picked "about the same."
"It is a surprising result," he said.  "The fact that the numbers are pulling to each side is an interesting finding.  The fact is there's not a lot of complacency about privacy now.  People are thinking about this."
A look inside the numbers offers an easy explanation for the polarization: Among active social network users, 58 percent said privacy was less important and only 14 percent said its importance was growing. Non-social media users were almost a mirror image in reverse, with 53 percent saying privacy is more important to them, but only 20 percent saying it was less so.
Privacy has been a vexing topic for researchers because consumers for years have said it's important to them, but rarely act out of that concern. They won't often shun supermarket discount loyalty cards, for example. Any survey result in which consumers admit caring less about privacy is intriguing, Ponemon said.
"It's the old convenience argument. I want a reason to do the things I like to do," he said. People who have chosen to use Facebook and its rivals want to believe they are safe; and very few people have experienced any real trouble from their privacy choices. "People's experience seems to be, 'I went in the water and the shark didn't eat me,' so they continue doing what they like to do."
On the other hand, the mere existence of social media tools has pushed non-users to think more seriously about privacy, Ponemon said.
Who doesn't use social networks? You'd be surprised. According to the Pew Internet and American Life Project, 39 percent of U.S. adult  Internet users still aren't on Facebook, Twitter or a similar service.  Non-users tend to be male (44 percent to 33 percent for women), older (56 percent of 50- to 64-year-olds aren't users), have less education (45 percent of non-high school graduates aren't) and less income (40 percent of those earning less than $30,000 aren't), according to Pew.
Privacy concerns are one of myriad reasons why someone might not join a social network.
Of course, you don't have to be a member of a social network to have your privacy violated by the service.  Non-Facebook users, for example, can have their photograph taken, published and shared a million times over on the site.
Alessandro Acquisti, an economist who studies privacy at Carnegie-Mellon University, says the privacy issue may be polarizing because the penalty for avoiding social networks is becoming more severe over time.
"Not having a mobile phone now would dramatically cut you off from professional and personal life opportunities.  It's the same story with social networks," Acquisti said. "The more people use them for socializing and for their professional life, the more costly it becomes for others (who aren't members) to be loyal to their views."
The cost in some ways is basic. Many Facebook users now assume all their posts are common knowledge, and skip old-fashioned ways of communicating even important events now. That leads to awkward, "What do you mean you didn't know I was engaged" conversations.
For some, the consequences are far more serious. It's hard to imagine a more powerful tool for job-search networking than Facebook; it's easy to imagine an unemployed worker suffering for taking a stand against joining the service. This social media usage gap effect could ultimately be as dramatic, or even more so, than the digital divide.
"I don't presume to have a good answer," Acquisti said. "But one can make an argument that protecting privacy in a world where people don't see the value of it is going to become costlier and costlier. That means some people's right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy."
Behind the numbers
The Ponemon Institute survey estimates that 42 percent of U.S. adults call themselves "active users" of social networks.
One interesting finding of the research: While Congress and companies involved extol the virtues of giving "control" of personal data to consumers as a solution to troubling privacy issues, users themselves are under no illusions that they maintain control. By equal amounts, both social network users and non-users overwhelmingly say they have less control over their data today than five years ago -- about 70 percent say they have less control; 18 percent say they have about the same control; and only 1 in 7 users say they have more control.
Meanwhile, virtually no one believed the statement: "I am confident that I can protect my personal information when I'm online." Only 4 percent “strongly agreed”; another 14 percent agreed, while 33 percent disagreed and 18 percent strongly disagreed. The results, again, were essentially the same for social media users and non-users.
One in two users said they'd suffered a privacy-violating experience in the past two years, with most of them saying they'd been hit several times. Two-thirds said they'd suffered between four and 10 privacy violations during that time. The results were the same for social media users and non-users.
One in four survey takers said they'd been a victim of identity theft during their lifetime.
Consumers said they trusted the government more than private corporations by a factor of 2.5-1 when it came to protecting privacy, but two-thirds of respondents said they trusted neither.
The Ponemon survey was conducted using an online panel that included a representative sample of U.S. adults and comes with a margin of error of +/- 4.5 percent.

The changing meaning of "personal data"

By William B. Baker and Anthony Matyjaszewski

When FTC Commissioner Julie Brill last year described her vision of privacy in the future, which she dubbed Privacy 3.0, she opined that the distinction between “personally identifiable information” (PII) and “non-PII” is “blurring.” This remark led the IAPP to start an inquiry into exactly what kind of information is “personal information” or “personal data” and how statutory definitions are subject to reinterpretation as technology evolves. The IAPP hopes that this initial effort will lead to further discussions about what should be protected by privacy law.

What is PII: Statutory Definitions
A starting point is a consideration of what constitutes PII under current statutory law. Is PII all information about a person? Does the information need to directly identify a person? Is it only recorded information? Does the information need to be true? Is a “person” only a natural person, or can they be legal persons such as corporations and organizations? If they are natural persons, does it matter if they are dead or alive?

These and other queries can be answered by examining the definitions of “personal information” or “personal data” in various countries. To begin a conversation about the nature of “data,” the IAPP surveyed the definitions of personal data across 36 data protection laws in 30 countries. A summary of that research is attached.

Those 36 laws have taken many approaches. Some of these definitions, such as those in the United States, are relatively narrow and often specify particular items, while others, especially those in European Union countries and other laws modeled on their approach, tend to be broader.

Despite these differences, the statutes generally share a prototypical definition along the lines of “data or information relating to an identifiable person.” All countries employ some variation of the phrasing, data “that allow the identification of a person directly or indirectly.” For example, the European Union Directive on Data Privacy defines PII as data “relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Despite this general similarity, laws differ in what actually qualifies for data protection. Some countries list specific examples of what can constitute personal data; others are satisfied with a more flexible—or ambiguous—definition. Although specific definitions may offer the benefit of greater certainty, they are subject to criticism as rigid and incapable of responding to new developments. Conversely, the flexible definitions do allow for future adaptability but can lead to uncertainty.

Under these laws, data that do not constitute PII are regarded as “non-PII,” subject to far less, if any, regulation. This concept has often applied to aggregated data and more recently has been extended to “de-identified” data from which identifying information purportedly has been removed.

Applying the Statutory Definitions
Looking abroad, the European Union Article 29 Working Party’s Opinion 4/2007 offers further guidance on the meaning of personal data. The Working Party analyzed first, the type of data or information; second, the relation between the data and its subject; third, the concept of identifiability, and fourth, the person or individual to be protected.

Types of Information
The first step in the Article 29 Working Party’s analysis looks at what types of information are protected. Consider first whether data must be in a recorded form to be protected or whether spoken words could come within the protection of the laws. Curiously, only Australia’s Privacy Act 1988 and the United States’ Health Insurance Portability and Accountability Act (HIPAA) expressly include protection for data that is not recorded either digitally or on paper in their respective definitions of personal data.

The IAPP’s research showed that most countries do not specify whether the data must be recorded—or if it can also be spoken words or opinions—leaving such matters open to interpretation or, perhaps, to resolution in cases involving difficult facts. This leaves open the possibility that not only recorded data but also information of a more ephemeral nature can fall under those nations’ privacy protections. One conjures intriguing possibilities, as privacy laws in those countries that do not address this matter could potentially protect one from having one’s name or other identifying characteristics spoken out loud. What a way to stop nasty gossip!

       On the other hand, some privacy laws, such as those of Hong Kong and the United Kingdom, mention recorded data only. Singapore’s Model Data Protection Code and the United States’ Children’s Online Privacy Protection Act (COPPA) further limit their reach to digital data or data collected online.

       Must data about a person be true to be protected? Interestingly, only two nations—Australia and Singapore—explicitly state in their definitions of personal information that protection extends to both true and false data. The remaining surveyed laws do not address this matter in their definitions of personal information. Does this mean that these other countries will only provide privacy protection for true data? Most likely not, as may be inferred from other provisions in their privacy laws requiring data controllers to allow a person the opportunity to access and correct any false data pertaining to oneself, especially in the financial or credit sectors. Even though the definition of personal data in the European Union Data Protection Directive also does not deal with the veracity of data, the Article 29 Working Party’s Opinion 4/2007 states that both true and false data, as well as viewpoints, are covered by the directive. As such, the mere omission of a topic from the definition of personal information does not necessarily remove that matter from the scope of privacy protection.

Relationship to a Person
Moving to the Working Party’s second analytical step—the relationship between the data and its subject—certain patterns emerge from the terms used in the various definitions of personal information in the laws researched by the IAPP. Privacy laws include terms such as “referring to,” “relating to,” “about” or “concerning” a person or individual. There is little substantive variance among the definitions, as they all establish a link between the data and the person. After all, there presumably is little need to protect data that have no reference to someone whose privacy is being safeguarded.

       Few problems exist where the relationship is quite straightforward, such as that of a name to a particular person. And this is especially true when the name is relatively distinctive, such as, say, Barack H. Obama. That does not mean, however, that a person necessarily has rights in her name. Ordinarily, the connections between the data and the subject are far more nebulous, and these can present difficult questions in privacy law.

       The Article 29 Working Party’s Opinion 4/2007 provides what is perhaps the most in-depth scrutiny of this factor by reducing it to three elements—content, purpose or result. The content element is perhaps the clearest of the three, as it addresses information about a person, such as their medical history, their contact information or their service record. Such information inherently refers to a particular individual.

       The purpose element stipulates that even data that may otherwise not be considered personal information, such as a corporate call log of a company’s telephones, may become personal information when used to monitor an employee’s telephone activity. In such a case, the Article 29 Working Party would consider the data to be personal data relating to both the employee making the calls and the recipient of the call on the other end of the connection.

       The result element posits that even data not about a particular person (thus lacking the content element) and not used to gain information about a person (thus lacking the purpose element) may still be considered personal information where a person’s rights or interests are affected. For example, a satellite positioning system being used solely for the purpose of ensuring efficient dispatching of taxis or delivery vehicles would still provide personal information because the location data could potentially result in the monitoring of drivers’ whereabouts and behavior.

       The Article 29 Working Party’s approach seems to leave room for the range of matter deemed to be “personal information” to expand—or shrink—over time in response to developments. The remainder of this article explores some of the issues that may arise in understanding what data and information will fall within the scope of “personal” under these laws.

Types of Persons
Although the question of which persons are entitled to privacy protection under these laws is the fourth step in the European Union analysis, we consider it third here. Predominantly, the definitions of personal information apply only to natural persons, or human beings. However, Argentina, Austria, Colombia, Italy and Switzerland also extend privacy protection to legal persons such as corporations, partnerships or other organizations. The potential scope of this presents fascinating questions. Does it mean that corporations cannot be made identifiable, and that any information that makes it possible to identify a specific company should be treated as personal information? Or perhaps the protection is meant to protect corporate secrecy or the privacy of the individuals within the corporate structure.

       On the other hand, the Australian Law Reform Commission considered extending privacy rights to corporations but ultimately rejected the idea, stipulating that there are existing statutory protections of intellectual property and business confidentiality that serve the same purpose more effectively. And in Canada, both the Personal Information and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (PIPA) specifically exclude an individual’s business contact information from privacy protection. These types of statutes exist worldwide, and they are perhaps the main reason why more countries have not moved to extend privacy protection to corporations on the same terms as they are applied to individuals. The U.S. Supreme Court on March 1, 2011, ruled that corporations are not “persons” for the purpose of the Freedom of Information Act.

       Even where the definition of “person” is narrowed to human beings, some countries view “personal” as protecting the privacy only of the living, but not the deceased. Again, most of the definitions are silent on this matter. Hong Kong, Ireland, Japan, New Zealand, Sweden and the United Kingdom specify that only the living are entitled to privacy protection, and New Zealand protects information relating to a death. In the European Union, the Data Protection Directive does not require the extension of privacy protection to the deceased, although individual countries are free to do so at their discretion. The Article 29 Working Party has elaborated its position on data protection for the deceased by stating that such information only requires protection in the event that it can be used to identify living individuals, as would be the case in genetically transmitted diseases such as hemophilia. This demonstrates once more the variance in approaches to defining personal information among the surveyed laws, with some countries preferring a narrower scope while others choose to keep the definition more broad.

The remaining step of the inquiry looks at the substance of the identification requirement of the data subject. As to this point, a consensus appears among the various laws in the surveyed countries. Not one of these laws requires a person actually to become identified. They either leave this as an open-ended possibility, by using the term “identifiable,” or they specify that the data are protected if they can cause the data subject to be “identified or identifiable.” Thus, the mere possibility of identification can be enough for data to become personal information.

       Similarly, none of the laws require a person to be directly identified through the use of the data in question. While nearly half of the definitions of personal information are silent on this matter, many state that possible indirect identification is enough to trigger protection.

Essentially, this means that the information in one’s possession will need to be treated as personal information even if it does not identify an individual, so long as it can be combined with other available information for that very purpose. It should be apparent that determining how readily a person can be identified can be a very fact-specific inquiry, and what is not identifiable one year may, a few years later, be determined to be identifiable.

       An example used by the Article 29 Working Party envisions a newspaper article about a criminal case that describes some of the details but does not directly name any of the individuals. So long as there is publicly available information, either in court records or in other newspaper articles, that allows one to ascertain the identities of the people involved, then even an article that does not identify the individuals would be deemed, at least by the Article 29 Working Party, to contain personal information. American law generally reaches a different result, as a person named as a possible criminal suspect in a U.S. news article typically has little recourse other than a defamation action.

       Applying this “relating to” provision, nonetheless, can be a vexing task in privacy law. It is an area particularly vulnerable to technological developments that place great stress on existing statutory definitions.

In response to laws imposing greater obligations on the custodians of personal information, a practice arose over the years to remove certain information from a compilation of PII in order to “anonymize” or “deidentify” the data so that it could be processed as non-PII. This practice underlies many laws today, which typically require far fewer protections for “non-personally identifiable information.” For example, in the United States, the Privacy Rule implementing the Health Insurance Portability and Accountability Act specifies 18 different categories of identifying information that must be removed in order to “de-identify” health information. However, enterprising researchers in recent years began to demonstrate that it is often possible to “re-identify” supposedly anonymized data.

       There have been several well-publicized examples. One involved research by Latanya Sweeney in Massachusetts, who identified then-Gov. William Weld’s medical records using only a state-released “anonymized” data set and a list of registered voters. More recently, Netflix found it appropriate to cancel a second “Netflix Contest” after researchers were able to identify “anonymized” Netflix viewers in the first “Netflix Contest”—in which it offered $1 million to any researcher who could best improve its recommendation engine—from viewer reviews posted on The Internet Movie Database Web site. Among the characteristics that could be identified were the users’ political leanings and, in some instances, even sexual orientation.

       These episodes demonstrate that the process of de-identification is not nearly as simple or easy as once may have been believed. Data controllers that wish to de-identify PII are on notice to take greater pains to do so. At this point, however, it is not possible to say how much is enough, as resourceful researchers will invariably have many tools available to reassemble data if given sufficient motivation. Nor is it clear that the answer lies in the “foreseeability” that re-identification is possible, as foreseeability may simply be a function of one’s ingenuity. Note that the tools these researchers used—voter registration lists, Internet databases—were not arcane but were commonplace items that, presumably, were never considered by the de-identifiers as posing a potential risk.

       Indeed, Professor Paul Ohm has gone so far as to declare that data can be “useful or perfectly anonymous but not both.” Time will tell whether Prof. Ohm’s provocative formulation is correct or not, but his aphorism highlights the difficulties of anonymizing PII.
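As an added illustration of why stripping names is not a silver bullet, the following Python script (written for this page; it is not code from the IAPP article or from any of the researchers it cites) measures the re-identification risk of a constructed “de-identified” discharge table from the data controller’s side. It treats the triple Sweeney relied on, ZIP code, date of birth and sex, as quasi-identifiers, computes the table’s k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values) and the share of records that are unique on those fields, and then shows how coarsening the fields changes the result. The records, field names and generalization levels are all assumptions made for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: a "de-identified" hospital discharge table. Names and
# patient numbers are already gone, but the quasi-identifier triple that
# Sweeney used (ZIP code, date of birth, sex) is still present next to the
# sensitive attribute. Every value below is invented for this example.
RECORDS: List[Dict[str, str]] = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1945-02-14", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1946-11-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02141", "dob": "1945-09-09", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02138", "dob": "1972-03-03", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1972-08-19", "sex": "F", "diagnosis": "anemia"},
    {"zip": "02140", "dob": "1973-01-25", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02142", "dob": "1972-12-12", "sex": "F", "diagnosis": "pneumonia"},
]

# Fields that, in combination, can be matched against outside data sets.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "dob", "sex")


def equivalence_classes(records, qids=QUASI_IDENTIFIERS) -> Counter:
    """Group records by their quasi-identifier values; each key is one class."""
    return Counter(tuple(r[q] for q in qids) for r in records)


def k_anonymity(records, qids=QUASI_IDENTIFIERS) -> int:
    """k is the size of the smallest equivalence class. k == 1 means at least
    one record is singled out by its quasi-identifiers alone."""
    classes = equivalence_classes(records, qids)
    return min(classes.values()) if classes else 0


def unique_fraction(records, qids=QUASI_IDENTIFIERS) -> float:
    """Share of records whose quasi-identifier combination occurs only once."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, qids)
    singletons = sum(1 for r in records if classes[tuple(r[q] for q in qids)] == 1)
    return singletons / len(records)


def generalize(records, zip_digits=5, dob_precision="day"):
    """Return a coarsened copy: keep only the leading ZIP digits and reduce the
    date of birth to a year ("1945") or a decade ("1940s"). The sensitive
    attribute is left untouched, so utility for analysis is partly preserved."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        if dob_precision == "year":
            g["dob"] = r["dob"][:4]
        elif dob_precision == "decade":
            g["dob"] = r["dob"][:3] + "0s"
        out.append(g)
    return out


def risk_report(records, qids=QUASI_IDENTIFIERS) -> Dict[str, float]:
    """Summary a data controller can check before releasing a table."""
    return {"records": len(records),
            "k": k_anonymity(records, qids),
            "unique_fraction": unique_fraction(records, qids)}


if __name__ == "__main__":
    print("raw triple:          ", risk_report(RECORDS))
    print("ZIP3 + birth year:   ", risk_report(generalize(RECORDS, 3, "year")))
    print("ZIP3 + birth decade: ", risk_report(generalize(RECORDS, 3, "decade")))
```

On the constructed table every record is unique on the raw triple (k = 1), truncating the ZIP code and keeping only the birth year still leaves two records singled out, and only the coarser decade-level release reaches k = 4. The trade-off is the one Ohm’s aphorism points at: each generalization step that raises k also throws away detail that made the data useful.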

Internet Protocol Addresses
A current topic of hot debate is whether a computer user’s Internet Protocol (IP) address should be considered PII. The law appears in flux at the moment, and complicating matters is that regulators and courts are reaching different conclusions.

       Privacy regulators in the European Union regard dynamic IP addresses as personal information. Even though dynamic IP addresses change over time, and cannot be directly used to identify an individual, the Article 29 Working Party believes that a copyright holder using “reasonable means” can obtain a user’s identity from an IP address when pursuing abusers of intellectual property rights. More recently, other European privacy regulators have voiced similar views regarding permanent IP addresses, noting that they can be used to track and, eventually, identify individuals.

       This contrasts sharply with the approach taken in the United States under laws such as COPPA where, a decade ago, the FTC considered whether to classify even static IP addresses as personal information but ultimately rejected the idea out of concern that it would unnecessarily increase the scope of the law. In the past few years, however, the FTC has begun to suggest that IP addresses should be considered PII for much the same reasons as their European counterparts. Indeed, in a recent consent decree, the FTC included within the definition of “nonpublic, individually-identifiable information” an “IP address (or other ‘persistent identifier’).” And the HIPAA Privacy Rule treats IP addresses as a form of “protected health information” by listing them as a type of data that must be removed from PHI for deidentification purposes.

       However, courts are more reluctant to do so. For example, the Irish High Court held in April 2010 that an IP address does not constitute “personal data” when being collected by record companies for the purpose of detecting copyright infringement. And a U.S. federal district court in Washington state also held that an IP address is not PII because it identifies a computer rather than a person. The law is far from settled on this point, however, so lawyers must follow developments closely.

Device Fingerprinting
A newer approach to identifying a particular Internet user is device fingerprinting or, in the online context, “browser fingerprinting.” This process focuses on the particular software configuration of a user’s browser—the browser type, fonts and other factors—and it happens that the particular combination of such factors on a user’s computer is often unique to that user. (The Electronic Frontier Foundation has done useful work in this area.) Useful to the entity interested in “tracking” a user is that no cookie or other code is placed on the user’s computer; the tracking is done remotely by using information routinely supplied by the browser to a Web site. The user’s name, by the way, is never disclosed, but her device is uniquely identified and capable of being tracked. This device fingerprinting technology did not even exist just a few years ago. The question, from a legal standpoint, is whether a user’s browser configuration is, or will soon become, “PII” for regulatory purposes.
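To make the “often unique” claim concrete, here is an added Python example (written for this page; it is not code from the article or from the Electronic Frontier Foundation’s study) that applies the entropy-based uniqueness measurement used in that line of research to a constructed sample of eight browser profiles. It reports how many bits of identifying information each attribute carries, what share of the sample is uniquely fingerprinted by a given set of attributes, and what happens when one attribute is normalized to a common value, the countermeasure a privacy-conscious browser or site operator can apply. The attribute names and values are made up for the example, and the sample is far too small to stand in for real browser populations.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of eight browser profiles, standing in for the values a
# page can read from a visiting browser. Every value is invented for this
# example; "fonts" is the tuple of fonts the browser reports as installed.
PROFILES: List[Dict[str, object]] = [
    {"user_agent": "Browser-A/1.0", "timezone": "America/New_York",    "screen": "1920x1080", "fonts": ("Arial", "Verdana")},
    {"user_agent": "Browser-A/1.0", "timezone": "America/New_York",    "screen": "1366x768",  "fonts": ("Arial", "Verdana", "Comic Sans")},
    {"user_agent": "Browser-A/1.0", "timezone": "America/Los_Angeles", "screen": "1920x1080", "fonts": ("Arial", "Verdana")},
    {"user_agent": "Browser-A/1.0", "timezone": "America/Los_Angeles", "screen": "1366x768",  "fonts": ("Arial", "Helvetica")},
    {"user_agent": "Browser-B/2.0", "timezone": "America/New_York",    "screen": "1920x1080", "fonts": ("Arial", "Garamond")},
    {"user_agent": "Browser-B/2.0", "timezone": "America/New_York",    "screen": "1366x768",  "fonts": ("Arial", "Verdana", "Garamond")},
    {"user_agent": "Browser-B/2.0", "timezone": "America/Los_Angeles", "screen": "1920x1080", "fonts": ("Arial", "Futura")},
    {"user_agent": "Browser-B/2.0", "timezone": "America/Los_Angeles", "screen": "1366x768",  "fonts": ("Arial", "Verdana", "Futura")},
]

ALL_ATTRIBUTES: Tuple[str, ...] = ("user_agent", "timezone", "screen", "fonts")


def fingerprint(profile, attrs) -> Tuple:
    """The combination of attribute values that stands in for a user."""
    return tuple(profile[a] for a in attrs)


def entropy_bits(profiles, attrs) -> float:
    """Shannon entropy, in bits, of the fingerprint formed from `attrs` across
    the sample: how much identifying information the combination carries.
    log2(len(profiles)) is the ceiling, reached when every profile is unique."""
    n = len(profiles)
    counts = Counter(fingerprint(p, attrs) for p in profiles)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def attribute_entropy(profiles, attr) -> float:
    """Entropy contributed by a single attribute on its own."""
    return entropy_bits(profiles, (attr,))


def unique_fraction(profiles, attrs) -> float:
    """Share of profiles whose fingerprint on `attrs` occurs only once."""
    counts = Counter(fingerprint(p, attrs) for p in profiles)
    return sum(1 for p in profiles if counts[fingerprint(p, attrs)] == 1) / len(profiles)


def surprisal_bits(profiles, attrs, profile) -> float:
    """Bits of information one particular fingerprint reveals: -log2 of how
    common it is in the sample."""
    counts = Counter(fingerprint(p, attrs) for p in profiles)
    return -math.log2(counts[fingerprint(profile, attrs)] / len(profiles))


def normalize(profiles, attr, common_value):
    """Countermeasure: report the same value of `attr` for everyone, which
    drives that attribute's entropy to zero."""
    return [dict(p, **{attr: common_value}) for p in profiles]


if __name__ == "__main__":
    for attr in ALL_ATTRIBUTES:
        print(f"{attr:12s} {attribute_entropy(PROFILES, attr):.2f} bits")
    print("unique on UA+timezone:       ", unique_fraction(PROFILES, ("user_agent", "timezone")))
    print("unique on UA+timezone+screen:", unique_fraction(PROFILES, ("user_agent", "timezone", "screen")))
    flat = normalize(PROFILES, "screen", "generic")
    print("after normalizing screen:    ", unique_fraction(flat, ("user_agent", "timezone", "screen")))
    print("...but with fonts included:  ", unique_fraction(flat, ALL_ATTRIBUTES))
```

On the sample, user agent, time zone and screen size carry one bit each, so together they single out all eight profiles; normalizing the screen size alone collapses that to zero uniquely identified profiles, but the font list, the highest-entropy attribute here, brings uniqueness straight back. That is the practical lesson for anyone trying to reduce fingerprintability: the attribute with the most entropy sets the floor, and normalizing the easy ones does little on its own.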

Smart Grid
The “smart grid” will present similar issues in a few years. Once utility companies are capable of monitoring the usage of particular appliances in particular homes, it will be only a matter of time before telltale “identifying” patterns of usage begin to emerge. Energy companies might provide incentives to use certain appliances at off-peak hours; marketers might have a keen interest in knowing which consumers make frequent use of the microwave. The utility companies will surely have some ability to correlate usage patterns with particular customers, but how will definitions of PII factor into the smart grid?

Questions for the Future
These developments regarding reidentification, IP addresses, browser fingerprinting and the smart grid provide examples of how new technological developments can cause the reidentification of data previously deemed non-PII. Other issues abound, such as the extension of privacy to photographic data, especially as it relates to Google’s Street View map service, as well as geographic location information derived from a new generation of mobile devices. In none of these cases has a legislature changed a statutory definition; each involves the application of a previously-established definition in light of new technology. In this way, the process of re-identification can be said to enable technology to redefine PII.

       Is there a limit to how technology can redefine PII? To how much effort must a re-identifier go, or, put differently, is there some reasonable limit that a de-identifying entity can assume applies when attempting to render data non-identifiable? Or, is the problem a limit on people’s ability to imagine or foresee how a re-identifier might go about her task?

       Existing statutory laws neither ignore this problem nor resolve it. The laws often contain limitations on how practicable such indirect identification must be, and this is where different approaches are taken in the laws surveyed. For example, Hong Kong’s Personal Data Protection Ordinance and Poland’s Act on the Protection of Personal Data stipulate that data will not be protected if indirect identification is not practical or if it requires unreasonable cost, time or manpower, respectively. Of course, practicality and reasonableness are unspecific concepts. Again, the Article 29 Working Party offers some guidance on this topic within the European Union by utilizing a cost-benefit analysis. Accordingly, the mere hypothetical possibility of identification is not enough, and one should consider the cost of conducting the search, the expected benefit of identifying the person and the interests at stake in order to determine whether a person is identifiable.

       Still, this leaves many questions unanswered. A calculation of costs and benefits will change as technology creates new ways of combining information or researchers become more clever. Remember that Ms. Sweeney needed only a registered voter list to identify Gov. Weld’s medical records, something plainly not foreseen by Massachusetts authorities but, in hindsight, perhaps not so surprising. How “practical” is device fingerprinting today or will it be in two years?

The different ways that similar statutory language is applied around the world causes problems in practice. Any business that conducts operations in more than one country faces a continuing challenge of understanding and complying with legal terms that are applied differently across borders. And, after understanding the differing definitions, they must then comply with the corresponding policies that govern data in each country.

       Going forward, with new technological advances being made on a regular basis, these definitions of personal information, and the type of data they cover, will be reshaped, refined and revised. There is a strong likelihood that the driver of these “redefinitions” will be the technological developments themselves. That is, even where statutory definitions provide what legislators intended to be clear classifications, changes in technology may be, in effect, “amending” these statutes without any legislative action. The future course of such “blurring” is a trend worth watching.

       The IAPP hopes that the compendium of laws attached to this article will prove to be a helpful contribution to the discussion.

Tuesday, March 15, 2011

White House to Push Privacy Bill


The Obama administration plans to ask Congress Wednesday to pass a "privacy bill of rights" to protect Americans from intrusive data gathering, amid growing concern about the tracking and targeting of Internet users.

Lawrence E. Strickling, an assistant secretary of commerce, is expected to call for the legislation at a hearing of the Senate Commerce Committee, said a person familiar with the matter.

This person said the administration will back a law that follows the outlines of a report issued by the Commerce Department in December. The administration wants any new rules to be enforceable and will look to expand the Federal Trade Commission's authority, this person said.

Among other things, the December report suggested that companies should ask an individual's permission to use personal data for a purpose other than for which it was collected. The administration also eventually could propose that consumers be given the right to access information about themselves and to have the information stored securely, the person said.

The administration's plan to push for legislation reflects a shifting attitude by the government, which for more than a decade favored a hands-off approach to the Internet. Officials have said the increasing intrusiveness of online tracking has forced them to reassess that approach.

In the past year, The Wall Street Journal's "What They Know" series has revealed that popular websites install thousands of tracking technologies on people's computers without their knowledge, feeding an industry that gathers and sells information on their finances, political leanings and religious interests, among other things.

In December, the FTC called for development of a "do not track" system that would let Internet users avoid having their online activity monitored. And the makers of the two most-popular Web browsers—Microsoft Corp. and Mozilla Corp.—have said they are incorporating do-not-track features in current or future products.

Now, a group of about 30 online-advertising companies is preparing to break with most of the industry and support a proposal for a single do-not-track tool. The group, which includes Exponential Interactive Inc., Burst Media Corp., Audience Science Inc., Casale Media Inc. and Specific Media LLC, said it wants the ad industry to work with browser makers to develop one technology solution that would let Internet users avoid being tracked.

"It is really a simple, explicit and permanent way for the user to indicate their intent not to be tracked. All they have to do is check a simple box in the browser," said Dilip DaSilva, chief executive of Exponential Interactive. The company operates Tribal Fusion, the 13th-largest online-advertising network in the U.S., reaching 146.1 million unique U.S. visitors monthly, according to research firm comScore Inc.

The group's proposal bucks the industry's major trade groups, which have said their members don't know how to accommodate browser do-not-track requests, and have backed alternative ways for Web surfers to elect not to be tracked. In recent months, the industry has been promoting an icon that appears on certain online ads to alert consumers they are being targeted and lets them opt out of tracking by dozens of ad networks.

Tuesday, Mike Zaneis, senior vice president and general counsel of the Interactive Advertising Bureau, said the new proposal was from a "small group of advertising networks." But, he added, "We want to work with all the browser companies to see if this is technically feasible."

The Commerce Department's December report suggested creating a privacy bill of rights but, until now, the administration hasn't called for specific legislation. The person familiar with the matter said officials would "begin a process of working with Congress on defining" the privacy protections to be included in the law.

Several legislative proposals on privacy have been circulated on Capitol Hill in recent weeks. Sens. John McCain, an Arizona Republican, and John Kerry, a Massachusetts Democrat, have been distributing a draft bill that broadly tracks the Commerce recommendations, which were developed in part by Sen. Kerry's brother Cameron.

Write to Emily Steel at


Medical Identity Theft: The Growing Cost of Indifference

Second annual study reveals medical identity theft is on the rise, yet consumers remain unmoved by the risks

IRVINE, Calif., March 15, 2011 /PRNewswire/ -- While consumers grasp the importance of protecting their medical and personal information, few individuals take the necessary precautions to avoid medical identity theft. This finding comes from the second annual National Study on Medical Identity Theft by The Ponemon Institute(1) and sponsored by Experian's ProtectMyID™, a leading, full-service provider of identity theft detection, protection and fraud resolution.  

It is estimated that nearly 1.5 million Americans are victims of medical identity theft, up slightly from last year, according to this comprehensive study.(2) Alarmingly, the average cost to resolve a case of medical identity theft stands at $20,663, up from $20,160 in 2010. Other key findings from the survey include:  

Recognizing the importance of privacy does not equate to action
      Despite consumer desires for medical data privacy and statistical findings of data vulnerability, people are not taking action to protect their valuable health information. Nearly 70 percent of study respondents felt it was important to have personal control over their medical records, and 80 percent felt that healthcare organizations should ensure the privacy of these records.

However, these beliefs do not translate to action, as 49 percent of victims took no new steps to protect themselves after a crime.

Consumer indifference is fueled by lack of understanding of repercussions
Fifty percent of former victims chose not to report the incident to law enforcement at all, up from 46 percent in the 2010 study. The number one reason for this failure to report was the lack of resulting harm and the desire to not make it a big deal (43 percent). In fact, more victims fear embarrassment (37 percent) than the loss of medical coverage (21 percent) or a diminished credit score (18 percent) as a potential result of medical identity theft.

"Our study shows that the risk and high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "We also feel these results put an even greater onus on healthcare organizations to make the security of sensitive personal health information a priority in order to protect patient privacy."

Medical data breach notification fails to protect the consumer
The risk of medical identity theft lies beyond consumer control, as health care organization data breach accounts for a significant portion of reported incidents. When a breach occurs, the organization normally is required to inform the affected people, depending on state law notification requirements. However, only 5 percent of victims learned of their theft from a data breach notification, which is especially troubling when considering that data breach accounted for 14 percent of all theft instances. This includes breaches involving health care providers, insurers or other related organizations.

"The results of this study shed a troubling light on not only the pervasiveness and consumer perceptions of medical identity theft, but also the dangers of data breach," said Jennifer Leuer, general manager of Experian's ProtectMyID. "These factors can be unnerving, but luckily there are products like ProtectMyID that give people peace of mind, knowing that they are not alone in the fight to keep their identities safe."

Consumers are uninformed of new health care reform policies
The majority of survey respondents (55 percent) are not familiar or have no knowledge of the new policies, and 79 percent are not aware of the creation of a national electronic database of Americans' health information. Furthermore, 33 percent believe that a national electronic database will increase the risk of medical identity theft. The lack of general awareness makes consumer education about medical identity protection all the more critical in the face of shifting policy.

Medical identity theft is a family affair
The study also revealed the startling rate at which medical identity theft occurs between family members. In fact, theft of this nature accounted for 36 percent of all victim responses, making it the most common type of theft. The frequency of family-related medical identity theft contributed to the most commonly stated reason (51 percent) why victims elected not to report a given incident: the victim discovered that he or she knew the thief and did not want to report him or her.

Based on the results of the second annual National Study on Medical Identity Theft, it is clear that the threat of medical identity theft poses a multitude of risks to consumers. In order to combat these risks, ProtectMyID offers assistance that can help victims of medical identity theft. The following features are currently available:

Medical Identity Theft Resource Center — Provides members with valuable information about how to protect themselves, obtain medical reports, understand Explanation of Benefits notifications and much more.

Dedicated Identity Theft Resolution Agents — These agents are trained to notify and work with health care providers on behalf of customers to resolve any theft-related issue. This removes the mystery and uncertainty from dealing with providers.

Lost Wallet Identity Protection — The ProtectMyID Lost Wallet and Card Protection protects members' credit, charge, debit, ATM and medical cards in the event that they are lost, stolen or misused.

Alerts — These inform members quickly when medically related collection actions occur. Forty-six percent of respondents learned of the medical identity theft from a collection letter. This number is up from 40 percent in 2010.

About the study
Fieldwork for this research was concluded in January 2011. More than 1,672 consumers in the United States participated in this study, completing a Web-based survey. Of these, 718 have been victims of identity theft. Fifty-one percent of respondents have private insurance, and 21 percent have Medicare or Medicaid. Fifty percent have a college or advanced educational degree.

About The Ponemon Institute®
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

About Experian's ProtectMyID
ProtectMyID™ is a leading, full-service provider of identity theft detection, protection and fraud resolution. ProtectMyID offers comprehensive identity theft protection products supported by experienced identity theft resolution professionals who deliver personal attention that customers can rely on. is a Website owned by, Inc., an Experian company.

For more information about how ProtectMyID helps consumers protect themselves against identity theft, please visit

About Experian
Experian® is the leading global information services company, providing data and analytical tools to clients in more than 90 countries. The company helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score and protect against identity theft.
Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2010, was $3.9 billion. Experian employs approximately 15,000 people in 40 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; Costa Mesa, California; and Sao Paulo, Brazil.
For more information, visit
Experian and the Experian marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.
(1) Study was conducted in January 2011 by The Ponemon Institute.
(2) Data extrapolated from survey respondents and current U.S. population multipliers.
Matt Lifson           
Edelman PR            
1 323 202 1047            
Becky Frost           
Experian Consumer Direct              
1 9495676594