A Privacy Bill of Rights proposed for the US

The continuing deterioration of privacy and multi-party security due to short-sighted and unsustainable practices within our industry has begun to have the inevitable result, as reported by this article in the New York TImes.

A Commerce Department task force called for the creation of a ‘Privacy Bill of Rights’ for online consumers and the establishment of an office within the department that would work to strengthen privacy policies in the United States and coordinate initiatives with other countries.

The department’s Internet Policy Task Force, in a report released on Thursday, said the “Privacy Bill of Rights” would increase transparency on how user information was collected online, place limits on the use of consumer data by companies and promote the use of audits and other forms of enforcement to increase accountability.

The new protections would expand on the framework of Fair Information Practice Principles that address data security, notice and choice — or the privacy policies many users agree to on Web sites — and rights to obtaining information on the Internet.

The simple concept of notice and choice is not adequate as a basis for privacy protections,” said Daniel J. Weitzner, the associate administrator for the office of policy analysis and development at the Commerce Department’s National Telecommunications and Information Administration [emphasis mine – Kim].

The article makes the connection to the Federal Trade Commission's “Do Not Track” proposal:

The F.T.C., in its report on online privacy this month, also called for improvements to the practice principles, but focused on installing a “do not track” mechanism that would allow computer users to opt out of having their information collected surreptitiously by third-party companies.

That recommendation caused concern in the online advertising industry, which has said that such a mechanism would hamper the industry’s growth and could potentially limit users’ access to free content online.

[The prospect of an online advertising industry deprived of its ability to surreptitiously collect information on us causes tears to well in my eyes.  I can't continue!  I need a Kleenex!]

The proposed Privacy Policy Office would work with the administration, the F.T.C. and other agencies on issues surrounding international and commercial data privacy issues but would not have enforcement authority.

“America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs and economic growth,” the commerce secretary, Gary F. Locke, said in a statement. “Self-regulation without stronger enforcement is not enough. Consumers must trust the Internet in order for businesses to succeed online.”

All of this is, in my view, just an initial reaction to behaviors that are seriously out of control.  As information leakage goes, the surreptitious collection of information” to which the NYT refers is done at a scale that dwarfs Wiki Leaks, even if the subjects of the information are mere citizens rather than lofty officials of government.

I will personally be delighted when it is enshrined in law that a company can no longer get you to click on a privacy policy like this one and claim it is consent to sell your location to anyone it pleases.

Published by

Kim Cameron

Work on identity.

One thought on “A Privacy Bill of Rights proposed for the US”

  1. Kim,

    I share your frustration at some of the statements included in the recently released Department of Commerce �green paper� on creating a Dynamic Privacy Framework. But I am equally concerned with your closing statement supporting a legislative remedy:
    �I will personally be delighted when it is enshrined in law that a company can no longer get you to click on a privacy policy like this one and claim it is consent to sell your location to anyone it pleases.�
    I am neither anti-government nor of the persuasion that believes that The Market holds the solution to all problems. But in this case, I do hold with the DoC�s concern that legislative/regulatory approaches lack the flexibility to address the dynamic environment of personal privacy protection.

    I believe that the solution lies in the creation of a comprehensive Trust Framework of which Privacy protection is only one component. Other components would include Identity, Notification, and Controls. The Trust Framework would offer Service Assessment Criteria that approved, independent auditors would use to certify various enterprises (and their websites and EULAs) at standardized levels of attainment. Entities could target the certification level that they desire to attain and structure themselves to achieve it. Depending on the type of information each site handles, an enterprise may offer different levels of attainment for different purposes. For example, they may provide stronger protections for employee health data than for customer transaction data.

    Consumers, rather than having to try to understand 35 pages of legalese, would be able to select sites appropriate to their purposes based on the sites� attainment for each of the categories of the Trust Framework (example categories might be Privacy, Identity, Notification, and Controls). And because the levels are standardized, the scores will often be sufficient to allow a consumer to make an informed choice, without having to read any further documentation. This would merely require one-time education for each consumer regarding the minimum standards provided by each certification level.

    Of course, this ideal state is still a few years from attainment. Essentially, creating an environment of mutual trust is a system-of-systems problem. And the various component systems are highly interdependent. Recent identity assurance frameworks that have been provisionally approved by the US government address only the tip of the iceberg because any transaction addresses far more trust relationships than are covered by these current �component� frameworks.

    To address the time lag required to fully articulate and implement a comprehensive trust framework, it may be necessary to use legislative/regulatory measures as a stopgap. I certainly agree with your assessment that current behaviors by many enterprises �are seriously out of control.� But I am wary of relying too heavily on such government solutions. We are already facing conflict between early legal/regulatory implementations that change significantly when a person, a person�s data, or an enterprise crosses jurisdictional boundaries. And in our increasingly globalized world, this is a frequent occurrence. And these current regulations often conflict with one another which, in the long run, is to no one�s benefit.

Comments are closed.