WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Laws and Business International Report

You are here:  WorldLII >> Databases >> Privacy Laws and Business International Report >> 1999 >> [1999] PLBIRp 28

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

New privacy wizard announced at a US conference [1999] PLBIRp 28; (1999) 49 Privacy Laws and Business International Report 8

New privacy wizard announced at a US conference

THE NINTH ANNUAL CONFERENCE on Computers, Freedom and Privacy sought answers to the dilemma of freedom of speech and privacy online. While there is new evidence of serious privacy intrusions, there are also more solutions than before.

Global surveillance systems, Internet censorship versus harmful content and lack of online anonymity were just some of the topics that were explored during the two-day conference Computers, Freedom and Privacy (CFP). The conference, which took place in Washington D.C between 6-8th April, generated interesting discussions on the future of the Internet and the protection of personal data in the online environment. A truly global view was on offer: speakers covered privacy and freedom of speech issues in Asia, Africa, North-America and Europe. Another dominant theme was new technologies and the opportunities they provide for protecting privacy online.

LATEST NEWS FROM THE USA

The conference was chaired by Marc Rotenberg, Director of the Electronic Privacy Information Center, and attended by 500 delegates from 20 countries. Among them was Peter Swire, the newly-appointed US Chief Counsellor of Privacy, who immediately had to answer questions about his post. The fact that he is posted in the White House Office of Management and Budget, and not in a separate office, raised some questions about the reasons behind the decision.

Mr Swire explained that any collection of personal data by government agencies has to be referred to this office for approval, and it was therefore the appropriate place for a privacy counsellor. He saw some real potential to take new privacy protection measures, and also predicted that President Bill Clinton will make additional privacy statements in the future (for latest on this, see p. 22).

DIFFERENT APPROACHES TO ONLINE PRIVACY

The opening plenary debated freedom and privacy on the Internet. The United States Commerce department representative, Paula Bruening, Special Counsel for Electronic Commerce, reiterated the well-known US policy about self-regulation and codes of conduct.

This was indirectly criticised by the Hong Kong Privacy Commissioner Stephen Lau, who made the point that, under the Hong Kong data protection law, actions that are illegal offline are also illegal online. His office has already published two guidelines on data protection in the Internet environment, and will interpret the data protection law to apply to Internet activities.

Another speaker in favour of selfregulation was a US Federal Trade Commissioner Mozelle Thompson. He said that it is possible, however, that regulatory measures will be needed at some point.

Congressman Ed Markey (Rep.) suggested that US privacy policy should consist of industry selfregulation, technological tools, and government enforced privacy rules. He intended to introduce a Privacy Bill of Rights in the US Congress during May.

Barbara Simons, President of the US Association for Computing Machinery, stressed that sometimes the Internet community can benefit from viruses that reveal the system's vulnerability. For example, the Melissa-virus, which did a lot of damage, demonstrated that security on the Internet needs to be improved.

GLOBAL SURVEILLANCE SOON A REALITY

While there are already surveillance systems such as US-UK joint operation Echelon, Governments plan to establish more systems, which could result in a global surveillance network. Steve Wright of the UKbased Omega Foundation described how the Echelon system has been used for industrial espionage, and warned about another system which is jointly led by the EU and the FBI.

In addition, European police forces gather telecoms data in order to catch criminals. However, as they have wide powers in some countries, harmless calls will inevitably get wiretapped in the process. For example, in Austria the police are allowed to wiretap without a judicial order.

However, European co-operation also works to protect privacy. A system is being planned to track down websites that host illegal or harmful content. The European Commission is planning a network of hotlines, which will take calls from individuals who wish to notify it about these sites. In Germany, a watchdog organisation already monitors illegal content within Germany.

Sergei Smirnov from Human Rights Online, Russia, told the conference delegates that, in future, the Russian secret service will be enabled to control Internet traffic in Russia. This will be possible under a Ministerial Act that does not even have to be debated in Parliament. Although the human rights organisations are aware of these developments, they are not organised well enough to take action.

NEW PRIVACY WIZARD HELPS TO CREATE PRIVACY STATEMENTS

On the positive side of technological developments, Microsoft and the Electronic Frontier Foundation announced a new technology to help small businesses create online privacy statements. The joint proposal, which has been forwarded to the World Wide Web Consortium, aims at giving companies the tools to publish their privacy statements in both human and machine readable format.

At the moment, it is up to the individual to read the website privacy policies and make a decision on whether they are willing to release any personal data. However, the proposed guidelines encourage companies to create P3P-ready privacy policies. P3P is a Privacy Preferences Project (PL&B Sep '98, p.21), which enables websites to express their privacy practices in Extensible Markup Language. These P3P privacy statements can then be "read" by computer software.

In order to make it easier, especially for small companies, to adopt online privacy statements, the P3P application has been made available on the Internet in form of a privacy wizard (available at http://privacy.linkexchange.com).

The wizard, which was developed by Microsoft and TRUSTe, is a selfassessment survey, which generates, in about 15-20 minutes, a privacy policy document based on the answers given.

Saul Klein, Group Program Manager at Microsoft, told Privacy Laws & Business that even though the programme has been designed for small businesses, there is nothing stopping major companies from using the wizard as well. "The wizard can be used to design multiple policies for companies that operate in several marketplaces," he said.

The Director of the World Wide Web Consortium, Tim Berners-Lee, summarised the impact of the P3P privacy preferences project: "Privacy policies are essential, but P3P will make the choice for an individual automatically according to his preferences."

ANONYMITY SOUGHT AFTER AND FOUGHT AGAINST

Although not known to most Internet users, it is possible to use the Internet anonymously. Lance Cottrell, CEO of Anonymizer Inc, stated that the company has been providing commercial anonymity services since 1996. However, not everyone is pleased with the product: the Governments of Singapore, China and United Arab Emirates have blocked access to the anonymiser service on the Internet.

Mike Reiter of Lucent, another anonymity provider, talked about a new technology called LPWA (Lucent Personalized Web Assistant). Initially, the user needs to give his e-mail address and password to LPWA. LPWA then creates for the user a consistent unique identity for each website that he wants to access. Importantly, LPWA does not store either the user's real name or his pseudonyms.

CASE STUDIES: JUDGING PRIVACY

The last day's panelists had to tackle some imaginary privacy problems that may occur in the future. One of the questions asked the panelists to explain what measures they would take with regard to complaints about international transfers of data. In the example, a magazine subscription bought over the Internet in England from a Canadian publisher was causing concern to the subscriber who was now flooded with direct marketing from Canada. As Canada has no jurisdiction over the private sector, the Canadian Privacy Commissioner had recommended that the person should seek help from the UK Data Protection Registrar's office. The question put to the Registrar, Elizabeth France was: does the UK law apply here?

The Registrar explained that as the company was based in Canada, in legal terms, there was nothing she could do. She stressed the role of education; Europeans should not buy goods over the Internet from companies located in countries where a European standard of data protection law would not apply.

Stephanie Perrin, Senior Adviser of Industry Canada, explained that Canada is about to adopt a federal privacy law which will cover some of the private sector. The law, which was expected to be adopted in June, will apply in three years time, and is based on the principle of individual consent.

The importance of education was also emphasised in another panel discussion by David Sobel, General Counsel of the Electronic Privacy Information Center (EPIC). "In the USA, almost no effort has been put into Internet education. In the long run, neither laws nor self-regulation are going to protect childrens' privacy effectively. The best option is to make people aware of privacy risks," he said.

Fore information about CFP99, and to make suggestions for CFP2000, look at http://www.cfp.org. Next year's CFP will be chaired by Lorrie Faith Cranor of AT&T Labs Research, e-mail: lorrie@acm.org


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/28.html