{"id":1186,"date":"2011-04-13T07:10:08","date_gmt":"2011-04-13T15:10:08","guid":{"rendered":"\/?p=1186"},"modified":"2011-04-16T05:25:03","modified_gmt":"2011-04-16T13:25:03","slug":"privacy-bill-of-rights-establishes-device-identifiers-as-pii","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1186","title":{"rendered":"Privacy Bill of Rights establishes device identifiers as PII"},"content":{"rendered":"

In my view\u00a0the Commercial Privacy Bill of Rights<\/a>\u00a0drafted by US Senators McCain and Kerry\u00a0would significantly\u00a0strengthen the identify fabric of the Internet\u00a0through its proposal\u00a0that\u00a0“a unique persistent identifier\u00a0associated with an individual or a networked device used by such an individual”<\/strong>\u00a0must be\u00a0treated as\u00a0personally identifiable information<\/strong> (Section 3 – 4 – vii).\u00a0\u00a0 This clear and central statement marks a real step forward.\u00a0 Amongst other things, it covers the MAC addresses of wireless devices and the serial numbers and random identifiers of mobile phones and laptops.<\/p>\n

From this fact alone the bill\u00a0could play a key role in limiting\u00a0a number\u00a0of the most privacy-invasive practices used today by Internet services – including location-based services.\u00a0\u00a0For example, a company like Apple could no longer\u00a0glibly claim, as it does in its current iTunes privacy policy<\/a>,\u00a0that device identifiers\u00a0and location information are “not personally identifying”.\u00a0 Nor\u00a0could\u00a0it profess, as iTunes also currently does, that this means it can\u00a0“collect, use, transfer, and disclose”\u00a0 <\/em>the information\u00a0“for any purpose”.\u00a0 <\/em>Putting\u00a0location information\u00a0under the firm control of users is a key legislative requirement addressed by the bill.<\/p>\n

The bill\u00a0also contributes both to the security of the Internet and to individual privacy\u00a0by unambiguously embracing\u00a0“Minimal Disclosure for a Constrained Use” as set out in Law 2 of the Laws of Identity<\/a>.\u00a0\u00a0Title III explicitly establishes a “Right to Purpose Specification;\u00a0Data Minimization; Constraints on Distribution; and Data Integrity.”<\/p>\n

Despite these real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers – not a good sign.\u00a0\u00a0This may\u00a0be because it is\u00a0still\u00a0a “working draft”, with numerous provisions that\u00a0must be clarified.\u00a0<\/p>\n

For example,\u00a0how would the population at large ever understand the byzantine interlocking of\u00a0opt-in and opt-out clauses described in Section 202?\u00a0 At this point, I don't.<\/p>\n

And\u00a0what does the\u00a0list of exceptions to Unauthorized Use in Section 3 paragraph 8 imply?\u00a0 Does it mean\u00a0such uses can be made without notice and consent?<\/p>\n

I'll be looking for comments by legal and policy experts.\u00a0 Already, EPIC has expressed <\/a>both support\u00a0and reservations:<\/p>\n

Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the “Commercial Privacy Bill of Rights Act of 2011,”<\/a> aimed at protecting consumers’ privacy both online and offline. The Bill endorses several “Fair Information Practices,” gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information.<\/p>\n

But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a “Safe Harbor” arrangement that exempts companies from significant privacy requirements.<\/p>\n

EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies’ to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz<\/a>. For more information, see EPIC: Online Tracking and Behavioral Profiling<\/a> and EPIC: Federal Trade Commission<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

But despite real positives, the bill as currently formulated leaves me eager to consult a bevy of lawyers…<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,17,3,40,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1186"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1186"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1186\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}