PDA

View Full Version : White House Releases Consumer Privacy Bill of Rights



vangogh
02-24-2012, 07:27 PM
Yesterday the White House releases a document called Consumer Data Privacy in a Networked World (PDF) (http://www.whitehouse.gov/sites/default/files/email-files/privacy_white_paper.pdf). It's subtitled A Framework for Protecting Privacy and Promoting Innovation In the Global Digital Economy.

It aims to be a bill of rights for consumer privacy. At the moment the proposal is voluntary, but the White House is asking Congress to enact laws based on the protections mentioned.

From the executive summary of the proposal


Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights


You'll probably agree most of these sound like good things for consumers. There probably aren't going to be laws enacted any time soon, though, especially given that we're in an election year. Next year, maybe.

This is going to affect most of us not only as consumers, but as site owners since we'll need to comply with any laws that are eventually passed.

Law or not I think the proposal is something worth reading so we can better understand our rights and responsibilities should the above become law. At the very least it can open a discussion about privacy online.

tmerrill
05-11-2012, 08:49 AM
I saw this ted video about privacy and websites which you haven't visited getting your personal information. Here's the video: Gary Kovacs: Tracking the trackers | Video on TED.com (http://www.ted.com/talks/gary_kovacs_tracking_the_trackers.html). It helped open my eyes and make me realize we need more laws on this subject. And as a website owner, I would gladly comply with any reasonable (emphasis on reasonable) law that Congress passed.

jimr451
05-14-2012, 07:10 AM
I haven't formed a strong opinion on this subject - but I see a couple of issues with the current direction:

1. Small business websites - what will the burden be on them? Most sites today collect information in some way, from basic email forms, to e-commerce transactions. So it would seem that they'll have to go beyond a simple "privacy policy" or "terms of service" going forward. Will basic "hobbyist" sites (forums, small ecommerce sites, etc.) be able to afford to comply?

2. It seems this might render "terms of service" somewhat useless - For instance, if you give google (via gmail) to scan and index all your personal emails in return for a great free email account, that seems to violate items 3,5, & 6 above.

As Tomas indicates above, "reasonable" is the keyword here.

-Jim

vangogh
05-14-2012, 11:10 AM
Interesting video Tomas. It is scary how much we're being followed online. I feel the same way Gary Kovacs does. It's not so much the sites we visit and give information to. It's all the other sites listening in while we do that we don't know about. Sometimes those are sites we have visited. Google and Facebook for example are tracking us everywhere, especially if we stay logged in. Facebook is testing a new program that will serve ads to you around the web and Google's been doing that for years. It's obviously not just the two of them.

I hadn't seen the video before, but I did come across collusion a few weeks back and installed the extension. I haven't used it a lot, though it's been interesting when I have.

@Jim - I don't think any of this is actual law yet. Just early stages if I'm remembering correctly. I would think businesses would need to be more open about where any data they collect is used and goes and offer visitors ways to opt out, whether that's from all things or only some things. With gmail you're probably right about #3. I think people do have the ability to change their data (#5). It depends on what data is meant. I'm thinking about the ability to change your basic account information. I don't know if this is referring to the content of the emails themselves.

#6 is interesting. I don't think any of us really knows the extent to which Google uses the data.

I'm just glad there are discussions going on about privacy. We live in a world that's getting more and more connected and I don't think we'll ever see a time again where nothing we do is being tracked. There should be some safeguards in place though. I don't think we should allow anyone to track our every movement around the internet.

KristineS
05-14-2012, 12:55 PM
Number 3 is the one that interests me. Who determines the context? That's such a nebulous sort of word, and I'm sure arguments could be made for collecting all sorts of data that might not necessarily be relevant.

This is the bit that I found interesting: "The Respect for Context principle calls on companies that collect data to act as stewards of data in ways that respect their consumers.

That's kind of like trusting the fox to guard the hen house. It would have to be enforced but large companies have tons of lawyers on retainer who I'm sure could argue for the contextual relevance of almost anything.

vangogh
05-14-2012, 11:39 PM
But foxes make such excellent guards. :)

I think a couple of things are important to remember. This bill isn't specifically meant to be a law. It was written a few months ago as something that was voluntary and also as something Congress could use as a guideline to enact laws. Much of this wouldn't prevent people's privacy being violated, but if turned into law would allow violators to be prosecuted.

I dug a little deeper into the document looking for mentions of the word context. Here's a quote of reasonable length.


Key elements of context include the goals or purposes that consumers can expect to achieve by using a company’s products or services, the services that the companies actually provide, the personal data exchanges that are necessary to provide these services, and whether a company’s customers include children and adolescents. Context should shape the balance and relative emphasis of particular principles in the Consumer Privacy Bill of Rights.

The sense I get is that this bill would ask companies to be more transparent about what data they collect and what they do with that data and let customers know prior to them handing over that data. Where not explicitly mentioned the data use shouldn't be more than reasonable expectations. For example giving an email address to Facebook you wouldn't expect that email be sold as part of an email marketing list.

To me it's at least encouraging that this kind of discussion is taking place. We do gain some things by giving up a certain amount of personalization in that websites can customize part of their experiences for us. There has to be a balance though in how much data is collected and what ultimately happens with it. Conversation about privacy is a good thing.

KristineS
05-15-2012, 12:05 PM
Oh, I agree that it is a good thing that a discussion is taking place. A lot of these issues are brand new issues, and no one really knows how to handle them yet. It's a tough line for everyone to walk. Some people say we should just accept that there is no privacy. Others say there are ways to ensure privacy, but some of those might not be strictly legal. Companies are making tons of money off selling their customer's data. It's all kind of on the honor system right now. I'm not sure how that all gets sorted out, but I'm glad people are at least thinking about it.

vangogh
05-15-2012, 10:44 PM
What I've been seeing over the last few years is more and more people just accepting there's no such thing as privacy and I think that's troubling. I do think we all have a right to privacy and expectations of privacy. Not at all times of course. If you post information online it stands to reason someone else is going to see it. However if you post it in an area of a site that's behind a paywall or under the setting private then you should be able to expect it'll remain that way unless you give permission for it to be made public.

I think we also have a right to know who's tracking us around the web and hold the right not to be tracked. There are valid reasons why companies track what we do and it can be to do things beneficial to us. Some people want sites like Google and Facebook to know more about them so when they do serve ads they're more relevant. Other's don't. I think more of that should be in our control or at the very least our awareness.

KristineS
05-16-2012, 11:57 AM
I agree there should be a difference between public and private online. If you're paying for something to be kept private, or available only to a certain group of people, then that expectation of privacy is valid and should be met.

As for the whole losing privacy issue, that's a tough one. I do think we have less privacy than we used to do, but part of that is by choice or necessity for a lot of us. All of us are essentially in public relations now. We all have to be aware of what we're saying and how we're saying it because once it's out there, it's out there. There's also the whole issue of what you say and what others say about you, all of which contributes to your online profile. How do you monitor that, who's responsible for making sure it's accurate and fair, and what do you do when something negative happens?

vangogh
05-17-2012, 12:21 AM
All of us are essentially in public relations now.

Yep. The catchphrase I hear all the time is "every company is a media company."

We're definitely losing privacy. That's neither good nor bad on its own. We're gaining something back in exchange for a certain amount of privacy. This conversation wouldn't happen if it weren't for the internet. Tomas and I live close enough to run into each other, but otherwise the rest of us wouldn't likely meet or talk. However the conversation is in public. It's a fair exchange. On the other hand say you and I are exchanging private messages here. Private is in the name. We'd both have a reasonable expectation the conversation would remain private. Things could happen. Someone gains access who shouldn't have it or something screws up and private areas of the forum become visible. I think we understand enough to know those things could happen. However I wouldn't expect you to think that one day I might decide that all private messages were now public and made them all visible.

One other way our private conversation here could become public is if either of us told other people, though that could equally happen offline. The difference is everything could get amplified like we've been talking about in your social media thread.

Where companies like Facebook and Google are concerned both have areas of there site that provide for private conversation. Those conversations should never be made public without our permission. I can't say I trust either Google or Facebook to always do that though. That's one way a privacy bill of rights can serve a purpose.

billbenson
05-17-2012, 02:32 AM
What I've been seeing over the last few years is more and more people just accepting there's no such thing as privacy and I think that's troubling. I do think we all have a right to privacy and expectations of privacy. Not at all times of course. If you post information online it stands to reason someone else is going to see it. However if you post it in an area of a site that's behind a paywall or under the setting private then you should be able to expect it'll remain that way unless you give permission for it to be made public.

I think we also have a right to know who's tracking us around the web and hold the right not to be tracked. There are valid reasons why companies track what we do and it can be to do things beneficial to us. Some people want sites like Google and Facebook to know more about them so when they do serve ads they're more relevant. Other's don't. I think more of that should be in our control or at the very least our awareness.

Facebook isn't scary. You put stuff there on purpose. Plenty of people put stuff there that they shouldn't, but that's an educational thing.

What I don't like is that someone can pay $20 dollars and get my SS number, address, etc. That information is compiled from government databases, your government registered company info, whois,, ... and sold to the highest bidder. There are companies out there collecting info from wherever they can and selling it. That's pretty scary.

vangogh
05-17-2012, 11:05 AM
You put stuff there on purpose.

Yes, but sometimes you put it there and set the controls to deliver what you're posting to a small and select group of people. When you do, you shouldn't have to worry that communication you sent privately through the rules of the system was suddenly made public because the rules of the system changed.

I completely agree that the scarier aspect is that people are buying and selling data about us. Some of that data has always been bought and sold, though. Things like our address have always been public. It gets scary because the internet now makes it so easy to connect all these different data points and build much larger profiles about us. I think we're going to have to accept some of this and it doesn't have to be entirely bad. Connecting all the data could help doctors in an emergency or it could help you find a missing person. A more common scenario is ads are targeted to us based on things we're more likely to be interested in. I'd rather not have all my data collected to get more relevant ads, since I'm still going to ignore them, but there are lots of people who view it as if they're going to see ads anyway they'd prefer the ads be more relevant to them.

Where I think it goes too far is that companies are tracking us where they shouldn't be. If you remain logged into Facebook or Google then those sites are following you around the web and tracking what you do wherever you go. I think that goes beyond what's reasonable. It's fair game to track what I do on your site. It's not fair game for you to track what I do on someone else's site.

billbenson
05-17-2012, 12:20 PM
Yes, but sometimes you put it there and set the controls to deliver what you're posting to a small and select group of people. When you do, you shouldn't have to worry that communication you sent privately through the rules of the system was suddenly made public because the rules of the system changed.

Agreed.

It even gets scarier. Gangs in Central America and probably elsewhere are using the internet to find people living here with families living in Central America. They then kidnap the family members in Central America because they assume the person living in the US has money and will pay it. The kidnap victim usually ends up dead.

KristineS
05-17-2012, 12:51 PM
I have to agree with Bill that the whole buy a profile on someone for 20 bucks thing is a little scary. I've searched my name a couple times and just the free information they give out has my address and previous addresses, my fill name things like that. I can't imagine what a report I paid for would look like. I'm tempted sometimes to pay for a report just to see.

Now, I do realize that I live a lot of my life online, so my name will pop up a lot, but there's a difference between stuff I voluntarily put out there and stuff like my school history, my address history, my phone number, things like that. I'm not sure how comfortable I am with the fact that anyone can Google me and find out exactly where I live. That's a little scary.

I also agree with Vangogh that when you can reasonably have an expectation of privacy, like through private messaging, you have a right to that privacy. Changing TOS or something should not be done without a fair warning, so that people who do not want their private stuff made public can delete what they don't want others to see.

vangogh
05-18-2012, 12:51 AM
the free information they give out has my address and previous addresses

That stuff has been available for a long time though and people have been able to buy and sell it. The internet does make it all easier to happen, but it's been happening prior to the internet.

There was some interesting news today about privacy from Twitter. They announced they would implement a do not track privacy option (http://bits.blogs.nytimes.com/2012/05/17/twitter-implements-do-not-track-privacy-option/). They're doing this by enabling a do not track feature in Firefox, which Mozilla recently introduced. I think FF basically sends a request to a site not to track and it's up to the site to honor it or not. Twitter will be honoring it. That's the good news.

The bad news comes from a Twitter blog post about how Twitter is tracking you (http://blog.twitter.com/2012/05/new-tailored-suggestions-for-you-to.html) to better tailor suggestions for who you might be interested in following on Twitter. Dustin Curtis had a follow up post, Twitter is tracking you on the web (http://dcurt.is/twitter-is-tracking-you-on-the-web) pointing out that if you land on a site with a tweet this button or a Twitter hover card it fans Twitter knows and is recording the information. Twitter replied that it's only for the who to follow recommendation and that the information is deleted from their servers after a maximum of 10 days. And again Twitter is providing an opt-out of this tracking through Firefox.

As Dustin points out, Facebook is likely doing the same thing. I would add most any site that can track you like is. While the opt-out is nice, this stuff should all be opt-in. If you think being tracked benefits you then by all means opt-in. If you prefer your privacy no action needs to be taken. That's how it should work.