<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 1021 to 1029.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/consumer-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/no-uid-campaign"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID">
    <title>Public Statement to Final Draft of UID Bill </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID</link>
    <description>
        &lt;b&gt;The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become law in India. The following note contains Civil Society's response to the final draft of the Bill.&lt;/b&gt;
        
&lt;p&gt;On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year in June 2010 the Authority issued a draft UID Bill to the public for comment and review. Civil Society responded with a detailed summary and high summary of points that amended the draft or were missing in the draft Bill. We are disappointed that none of the concerns raised by Civil Society, including those listed below, were addressed.&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Architecture&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The centralized architecture of the UID project is unnecessary. A federated and decentralized structure to the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Scope&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The scope of the Bill is overbroad. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms create a threat that data will be collected and used beyond delivery of benefits.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Voluntary and not Mandatory&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number, provided that an individual furnishes equivalent ID, thus ensuring that the &lt;em&gt;Aadhaar&lt;/em&gt; number is truly voluntary.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inadequate Privacy Safeguards&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about&amp;nbsp;data collection, transfer, retention, security, and dissemination.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Unwarranted Data Retention&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill does not provide adequate privacy protection for transaction data. In particular section 32(2) empowers the Authority to determine the duration that data is to be retained for.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of accountability for all Actors&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill holds only the Authority accountable for violations. Rather the Bill needs to hold enrolling agencies, registrars, and other service providers accountable. Furthermore, the Bill does not provide adequate regulations or accountability for the data that are outsourced.&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of Exceptions&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of &lt;em&gt;Aadhaar&lt;/em&gt; numbers or authentication of transactions.&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of Anonymity&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an&lt;em&gt; Aadhaar &lt;/em&gt;number should not be requested.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inadequacy of Penalties&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Unaffordability of Fees&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;&amp;nbsp;It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated.&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Lack of Rollback and Ombudsman Office&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill does not provide adequate redress for system/transaction errors and fraud.&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Inappropriate Structure and Governance&lt;/strong&gt;&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The Bill does not provide appropriate judicial and parliamentary oversight.&lt;/p&gt;
&lt;p&gt;Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Definition of Resident&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Section 2 (q): “resident” means an individual usually residing in a
 village or rural area or town or ward or demarcated area (demarcated by
 the Registrar General of Citizen Registration) within&amp;nbsp; ward in a town 
or urban area”&lt;em&gt;&lt;strong&gt; &lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This section clarifies the definition of 
‘resident’ from the draft Bill, which defined resident as an “individual
 usually residing within the territory of India”. By specifying that 
individuals in demarcated areas will not receive UID numbers, the 
definition of resident is brought into line with the scope of the Bill 
as laid out in the preamble. We see this change as a positive revision.&lt;strong&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Prohibition of Dissemination of Information&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Section 30 (3): “Notwithstanding anything contained in 
any other law and save as otherwise provided in this Act, the Authority 
or any of its officer or other employee or any agency who maintains the 
Central Identities Data Repository shall not, whether during his service
 as such or thereafter, reveal any information stored in the Central 
Identities Data Repository to any person”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This 
section prohibits the dissemination of any information that is stored in
 the Central Identities Data Repository. This prohibition extends to 
anyone or any entity that handles information, and supersedes other laws
 that might permit dissemination of information. We see this change as a
 positive revision. &lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Disclosure of Information in the Case of National Security&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Section 33 (b): “Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency", which already has a considerable volume of judicial reasoning that has elaborated what it means. E.g., in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:48:00Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/consumer-privacy">
    <title>Consumer Privacy - How to Enforce an Effective Protective Regime? </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/consumer-privacy</link>
    <description>
        &lt;b&gt;In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this exercise we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar, through a series of questions, look through the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on the Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to arrive at an effective protective regime for consumer privacy.&lt;/b&gt;
        
&lt;h2&gt;&amp;nbsp;Who is a consumer?&amp;nbsp;&lt;/h2&gt;
&lt;p&gt;According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. In the typical sense, when people think of themselves as consumers, they might think about what they purchase through a physical exchange of money for goods or services, ranging from things as simple as fruit or grain to home appliances to cable television, either in a store or through an online exchange where you enter your credit card information and receive your purchase. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors. Typical examples include hospitals, banks and telecommunications.&lt;/p&gt;
&lt;h2&gt;What is Consumer Privacy and how may it be breached?&amp;nbsp;&lt;/h2&gt;
&lt;p&gt;Consumer privacy is concerned with the manner in which information disclosed by a consumer to a vendor is collected and used. Specific issues include behavioral advertising, spyware, identity management, and data security/breach. Increasingly, data that is collected from consumers is stored in databanks. This is then used for both legitimate purposes (such as marketing, research etc.) and illegitimate extraneous purposes (as when this data is sold in bulk to third parties). Additionally, the privacy of consumers may be compromised by actions of third parties that are facilitated by the negligence of the vendors (as, for instance, hacking into databases). The following international examples illustrate the kinds of privacy threats that the collection of data from consumers may pose &lt;strong&gt;[1]&lt;/strong&gt;:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 1)&lt;/em&gt; Toysmart, an online company, collected personal information from its users, promising to keep it private. In 2000, Toysmart entered bankruptcy and, in an attempt to avoid losing everything, tried to sell its database despite its strict privacy policy. This example illustrates how vendors may attempt to monetize the personal information of customers, exceeding the terms of the contract entered into with them.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 2)&lt;/em&gt; In 2006 it was found that AOL's research site had a stored file that contained information collected from more than 600,000 users between March and May of 2006. Though the file did not indicate each user by name, it was eventually found that there was enough information to correlate specific individuals to their user number. The AOL example demonstrates the danger of online privacy breaches through either oversight or negligence of the vendor in adopting adequate security measures.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 3)&lt;/em&gt; Similar to the previous example, ChoicePoint, an all-purpose information broker whose database contains information about nearly every adult American citizen, had its system hacked. The thieves had access to the names, addresses and social security.&lt;/p&gt;
&lt;h2&gt;How is consumer privacy protected internationally?&lt;/h2&gt;
&lt;h3&gt;Broad guidelines: The OECD Privacy Guidelines &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Though not a law, the OECD Guidelines drafted in 1980 provide a useful set of ‘fair information practices’ within which privacy of consumers may be evaluated. Briefly, the eight principles declared were: 1) Collection limitation principle (there should be limits to the collection of data), 2) data quality principle (data should be accurate and relevant to the purpose collected), 3) purpose specification principle, 4) use limitation principle, 5) security safeguards principle, 6) openness principle (there should be openness about data policies and changes thereof), 7) individual participation principle (enabling the individual to find out if data is being held about him and to obtain a copy of the data and make corrections) and 8) accountability principle &lt;strong&gt;[2]&lt;/strong&gt;.&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;h3&gt;The EU Data Protection Directive (Directive 95/46/EC)&amp;nbsp;&lt;/h3&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;This is a broad directive adopted by the European Union designed to protect the privacy&amp;nbsp; of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. The basic guidelines of the Directive are &lt;strong&gt;[3]&lt;/strong&gt;:&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;&lt;strong&gt;&lt;em&gt;Notice: &lt;/em&gt;&lt;/strong&gt;Data subjects must be notified of the: identity of the collector of their personal information, the uses for which the information is being collected, how the data subjects may exercise any available choices regarding the use or disclosure of personal&amp;nbsp; information, where and to whom information may be transferred, and how data subjects may access their personal information.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consent:&lt;/em&gt;&lt;/strong&gt; “Unambiguous consent” of a data subject is required before any personal information may be processed. Special categories such as race, religion, political or philosophical beliefs, health, union membership, sex life, and criminal history have additional processing requirements.&lt;/p&gt;
&lt;/div&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consistency: &lt;/em&gt;&lt;/strong&gt;Controllers and processors may only use information in accordance with the terms of the notice given.&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Access:&lt;/em&gt;&lt;/strong&gt; Controllers must give data subjects access to personal information.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Security&lt;/em&gt;&lt;/strong&gt;: Organizations must provide adequate security, using both technical and other means to protect the confidentiality and integrity of the data.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Onward transfer&lt;/em&gt;&lt;/strong&gt;: Personal information may not be transferred to a third party unless that third party has signed a contract with the individual or organization which binds them to use the information consistently with the notice given to the data subjects.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Enforcement&lt;/em&gt;&lt;/strong&gt;: Each EU country has established a Data Protection Authority that has the power to investigate complaints, levy fines, initiate criminal actions, and demand changes in businesses' information-handling practices.&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Specific Sectoral Legislation and privacy policies&amp;nbsp;&lt;/h3&gt;
&lt;div&gt;
&lt;div&gt;
&lt;p&gt;The US takes a sectoral approach to protecting consumer privacy. Legislation that protects consumer privacy includes the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Also, the CAN-SPAM Act bans the sending of commercial electronic messages that contain false information. The most comprehensive act for the consumer in the U.S. is the Fair Credit Reporting Act (FCRA), which was passed in 1970. Enforcement of the Act is vested in the Federal Trade Commission. The FCRA applies to how consumers' information is collected and used, and applies to insurance, employment, and other non-credit consumer transactions. Under the FCRA, the information that is protected is broadly defined as a Consumer Report: any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit, insurance, and employment purposes.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&amp;nbsp;Furthermore the FCRA:&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;(a) provides the right for consumers to ensure the accuracy of their data.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(b) includes “right to know” provisions to enable consumers to know all information in their files&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(c) grants consumer dispute rights&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(d) limits disclosure of information&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(e) requires opt-out options&amp;nbsp;&lt;strong&gt;[ibid 4]&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;Consumer Privacy in India&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;Broadly, there are four potential avenues for the protection of consumer privacy in India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;1. Individual organizations may voluntarily commit to protect the information of their clients through “Privacy Policies”. These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;2.&amp;nbsp; Certain professions and industries have codes of privacy that they must statutorily abide by. This is true of such professions as the medical profession and the legal profession in India and the entire banking industry and the telecom industry. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include derecognition and monetary penalties.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;3. Consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act in India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;4. The newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;Each of these mechanisms is discussed in some detail below:&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Privacy Policies:&amp;nbsp;&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;Several Indian companies have publicly stated privacy policies that they display on their website. We have profiled the privacy policies of two such companies as a sample.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Airtel&lt;/strong&gt;&lt;/em&gt;: Defines personal information, informs users how their information will be used, describes which third parties will have access to your information, provides the ability to opt-out of commercial SMSs, provides an email address for privacy concerns.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Rediff&lt;/strong&gt;&lt;/em&gt;: Provides email for customer support, states what personal information is collected from you, what information is collected from you by cookies, what information is collected about you and stored, who will collect the information about you, how the information will be used to advertise to you and tailor to your preferences, states the rights that advertisers have to your information, disclaimer of responsibility for any other websites linked to the page, states that the information released in a chat room is considered public information, defines third party usage, defines security measures taken, lays out what choices the consumer has regarding collection and distribution of their information, contains opt-out clauses, defines personal information, defines cookies, explains that consumers have the ability to correct inaccurate information, requires youth consent &lt;strong&gt;[5]&lt;/strong&gt;.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&lt;em&gt;Examples of Indian organizations without a privacy policy on websites&lt;/em&gt;: Canara bank, Andhra Bank, Indian railways, Air-India, BSNL, State Bank of India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Note: &lt;/em&gt;&lt;/strong&gt;The International Guide to Privacy suggests the following be included in privacy policies: description of the personal information collected by the website and third party, description of how the information is used and list of parties with whom it may be shared, a list of the options available regarding the collection, use, sharing and distribution of the information, a description of how inaccuracies can be corrected, a list of the websites that are linked to the organization’s site and a disclaimer that the organization is not responsible for the privacy practices of other sites, a description of how the information is safeguarded (both physically and electronically) against loss, misuse, and alteration, consent for use of personal information &lt;strong&gt;[6]&lt;/strong&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;h3&gt;Professional/Industrial Regulations&amp;nbsp;&lt;/h3&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;As mentioned above, several professional bodies have privacy guidelines which their members must abide by. &lt;em&gt;&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Advocates&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Rules of Professional Conduct have been framed under the Advocates Act and establish a code of conduct to be followed by lawyers in order to protect the confidence, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege &lt;strong&gt;[7]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&amp;nbsp;Medical Practitioners &lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy, for instance: every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment &lt;strong&gt;[8]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Article 2.2:&lt;/em&gt; Requires physicians to maintain confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also requires the physician, controversially, to evaluate “whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed”. In such an instance, the rules advise the physician to “act as he would wish another to act toward one of his own family in like circumstances.”&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;em&gt;Article 7.14:&lt;/em&gt; Enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –&lt;/p&gt;
&lt;p&gt;1. in a court of law under orders of the Presiding Judge;&lt;/p&gt;
&lt;p&gt;2. in circumstances where there is a serious and identified risk to a specific person and / or community; and&lt;/p&gt;
&lt;p&gt;&amp;nbsp;3. notifiable diseases.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;em&gt;Article 7.17&lt;/em&gt;: Forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal in a manner by which their identity could be made out. If the identity is not to be disclosed, however, the consent is not needed.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Important Case Law&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancée without his knowledge, resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The Supreme Court, while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was “subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others.”&lt;strong&gt;[9]&lt;/strong&gt; This case raises certain questions which might be worthwhile to consider:&lt;/p&gt;
&lt;p&gt;1. Are there other ways in which the situation could have been handled, such as through proper counselling? Furthermore, it is important to establish what the role of a hospital is, and where their primary interest lies in protecting their patient and their patients' data, and take into consideration the importance of consent in handling and disclosing personal information.&lt;/p&gt;
&lt;p&gt;2. The argument that there is no absolute for privacy raises questions of who is determining the limits for disclosure of the man's HIV status. If his fiancée should be informed of his results, should his workplace, community, church? Do they face the same risks as his fiancée? Who is to be the judge of this risk?&lt;/p&gt;
&lt;h3&gt;Banking and Telecom Industry&lt;/h3&gt;
&lt;p&gt;The Banking and Telecom industries each have regulatory authorities which have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, RBI's Customer Service statement obliges bankers to maintain secrecy, and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators. More details are provided in the accompanying briefs that exclusively deal with the banking and telecom industries.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consumer Protection Act 1986:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Consumer Protection Act, which was enacted with the objective to provide for better protection of the interests of the consumer, has emerged as a major source of relief to those who have suffered violations of their privacy &lt;strong&gt;[10]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Important Case Laws &lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In Rajindre Nagar Post Office vs. Sh Ashok Kriplani, a post master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to the addressee was a grave “deficiency in service” on the part of the appellant. It was ruled that the right of privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded for the mental agony, harassment, and loss arising from the charge of deficiency in service. The importance of this case lies in the willingness of the courts to treat breach of privacy as a “deficiency of service” &lt;strong&gt;[11]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing. Although this decision was reversed on appeal by the Delhi High Court, it confirms a trend of Consumer Dispute Redressal Commissions willing to take up cudgels on behalf of consumers for violations of their privacy.&lt;/p&gt;
&lt;h3&gt;Information Technology Act 2000 (Amended 2008)&lt;/h3&gt;
&lt;p&gt;In 2008, the Information Technology Act was amended to include an extremely salutary relief to people when a breach of privacy is occasioned by the leakage of data from computerised databases maintained by corporates. Thus, the newly inserted Section 43A states that if a “body corporate” is possessing, dealing with, or handling any “sensitive personal data or information” in a computer resource which it owns, controls, or operates, and is negligent in implementing and maintaining “reasonable security practices and procedures” and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.&lt;/p&gt;
&lt;p&gt;The Section further stipulates that the Central Government would come up with the reasonable security practices and procedures and would also define what constituted ‘personal sensitive information’.&lt;/p&gt;
&lt;p&gt;Likewise, the newly introduced Section 72A declares that if “any person including an intermediary” secures access to any personal information about another person while providing services under the terms of lawful contract, and if he, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such information without the consent of the person concerned, or in breach of a lawful contract, he is liable to be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both &lt;strong&gt;[12]&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;In conclusion it is important to consider many elements when looking at an effective protective regime for consumer privacy:&lt;br /&gt;1. Is a comprehensive data protection or a sectoral approach more suited to the needs of India?&lt;/p&gt;
&lt;p&gt;2. Does India want to become compliant with international standards for data protection?&lt;/p&gt;
&lt;p&gt;3. How will privacy policies be enforced and how will organizations be held accountable for protection of client privacy under the legislation?&lt;/p&gt;
&lt;p&gt;4. Will consumers be notified if their information is breached? If so – what will be included in the breach notification?&lt;/p&gt;
&lt;p&gt;5. How can a legislation ensure that consumers are aware of their privacy rights?&lt;/p&gt;
&lt;p&gt;6. How can a privacy legislation address the need for different levels of protection for different types of data?&lt;/p&gt;
&lt;h3&gt;Bibliography:&lt;/h3&gt;
&lt;p class="discreet"&gt;1. Examples drawn from: Oussayef, karim. Selective Privacy: Facilitating Market Based Solutions to Data Breaches by Standardizing Internet Privacy Policies. 14 B U Journal Sci and Tech&amp;nbsp; Law. 105 2008.&lt;/p&gt;
&lt;p class="discreet"&gt;2. Organisation for Economic Co-operatioin and &lt;em&gt;Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security ,&lt;/em&gt; July 25, 2002&lt;/p&gt;
&lt;p class="discreet"&gt;3. Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processting of personal data and on the ree movement of data&lt;/p&gt;
&lt;p class="discreet"&gt;4. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg.34-4&lt;/p&gt;
&lt;p class="discreet"&gt;5&lt;a href="http://www.rediff.com/w3c/policy.html"&gt;http://www.rediff.com/w3c/policy.html&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;
6.&amp;nbsp; Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg. 161-164&lt;/p&gt;
&lt;p class="discreet"&gt;7. The Advocates Act 1961&lt;a href="http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf"&gt;http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;8 Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations. Published in Part III, Section 4 of the Gazette of India, dated 6th April, 2002&lt;a href="http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf"&gt;http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf&lt;/a&gt;.&lt;/p&gt;
&lt;p class="discreet"&gt;9. (1998) 8 SCC 296:&lt;a href="http://indiankanoon.org/doc/382721/"&gt;http://indiankanoon.org/doc/382721/&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;10. Indian Consumer Protection Act 1986&lt;a href="http://www.legalhelpindia.com/consumer-protection-act.html"&gt;http://www.legalhelpindia.com/consumer-protection-act.html&lt;/a&gt;.&lt;/p&gt;
&lt;p class="discreet"&gt;11.&lt;a href="http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm"&gt;http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;12. Information Technology Act 2000: Amended 2008&lt;a href="http://www.mit.gov.in/content/information-technology-act"&gt;http://www.mit.gov.in/content/information-technology-act&lt;/a&gt;.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/consumer-privacy'&gt;https://cis-india.org/internet-governance/blog/privacy/consumer-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:06:04Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference">
    <title>American Bar Association Online Privacy Conference: A Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</link>
    <description>
        &lt;b&gt;On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panelists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to take. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Lisa Sotto, a private practitioner in the US&lt;/li&gt;&lt;li&gt;Billy Hawkes, Commissioner of Data Protection, Ireland&lt;/li&gt;&lt;li&gt;Bojana Bellamy, Director of Data Privacy, London, UK&lt;/li&gt;&lt;li&gt;Hugh Stevenson, Deputy Director of the Federal Trade Commission, US&lt;/li&gt;&lt;li&gt;Jennifer Stoddart, Privacy Commissioner, Canada.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that, as India moves forward with a privacy legislation, should be considered and given thought.&lt;/p&gt;
&lt;h3&gt;Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross-border Data Transfer&lt;/h3&gt;
&lt;p&gt;When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer, the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. Specifically addressing cloud computing, internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a breach in data, the onus at the end of the day falls on the company that was in possession of the data. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility - creating a system analogous to the “do not call registry” for websites – something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on a website, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice was the emerging trend of “privacy by design”. “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies where companies will assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard.
If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy - allowing consumers to easily and quickly recognize what products are more privacy risky than others, and easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors would be particularly useful in a sectoral system like the US, where companies that collect data, but are not a part of the regulated sectors (financial, health, etc.), do not come within the purview of the privacy protecting laws.&lt;/p&gt;
&lt;h3&gt;Privacy Seals Globally? Privacy Seals in India?&lt;/h3&gt;
&lt;p&gt;If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently – the Indian consumer. Even though India does not have a privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal”. Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.&lt;/p&gt;
&lt;h3&gt;Accountability:&lt;/h3&gt;
&lt;p&gt;In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy – the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an “accountability principle” to the directive. The directive is defining accountability as: showing how responsibility is exercised and making this verifiable - or in simpler terms – compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate the data controllers to implement appropriate and effective measures that made sure the principles and obligations of the Directive were being put into effect by organizations. The second would be to require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment, monitoring, sanctions, and internal and external audits. The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that the data controllers would need to strengthen their internal arrangements.
Further accountability measures considered by the Directive working party include: establishment of internal procedures prior to the creation of new personal data processing operations, setting up written and binding data protection policies to be considered and applied to new data processing operations, mapping of procedures to ensure proper identification of all data processing operations and maintenance of an inventory of data processing operations, appointment of a data protection officer, and offering adequate data protection, training, and education to staff members.&lt;/p&gt;
&lt;h3&gt;Data Breaches:&lt;/h3&gt;
&lt;p&gt;The panel next discussed data breaches. From the example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database – clearly data breaches are a continual, often very serious problem. Few people, though, realize the extent to which data breaches happen (on their own personal data) and the actual consequences of the breaches, because countries do not have well-defined data breach policies set in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements into their laws. Despite this, there are no broad statutes for data breach notification in the US or the EU. Also, in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self-regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, through bad press, the media causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy the breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and questions that self-regulation faces are:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?&lt;/li&gt;&lt;li&gt;How will the balance between over-reporting breaches and under-reporting breaches be maintained?&lt;/li&gt;&lt;li&gt;Even if there is a social incentive to provide notification of breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breach?&lt;/li&gt;&lt;li&gt;If bad media is the main form of penalty for companies – is this enough penalty, and is it able to take into consideration the context of each privacy breach?&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;These questions, along with the growing number of breaches that are occurring, have pushed the EU and other countries to consider integrating data breach statutes into broad legislation.&lt;/p&gt;
&lt;h3&gt;E-Privacy Directive Breach Notification:&lt;/h3&gt;
&lt;p&gt;Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two-tiered system – a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier is if the breach impacts the subscriber or individual, then the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:&lt;/p&gt;
&lt;p&gt;1. The type of information and compromised number of records&lt;/p&gt;
&lt;p&gt;2. The circumstances of the loss, release, or corruption&lt;/p&gt;
&lt;p&gt;3. Actions taken to minimize or mitigate the effect on individuals involved including whether they have been informed&lt;/p&gt;
&lt;p&gt;4. Details of how the breach is being investigated&lt;/p&gt;
&lt;p&gt;5. Whether any other regulatory bodies have been informed and, if so, their responses&lt;/p&gt;
&lt;p&gt;6. Remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment.&lt;/p&gt;
&lt;h3&gt;Accountability, breach notification: What material should India think about for a legal privacy structure?&lt;/h3&gt;
&lt;p&gt;Lawrence Friedman once explained that legal systems are living organisms – Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legislation it is important to look at what purpose that legislation is going to serve, and if that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely-dispersed population groups with deeply-engrained traditions of government and management. This has led to incongruities; for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces challenges both similar to and different from those that the EU and Western countries face with regard to privacy. One of the greatest privacy challenges in India today, despite having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming a privacy legislation, a few broad questions that India needs to consider are:&lt;/p&gt;
&lt;p&gt;· Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?&lt;/p&gt;
&lt;p&gt;· If India wants a broad privacy framework how will this be set up?&lt;/p&gt;
&lt;p&gt;· What will be the tools used for civil education?&lt;/p&gt;
&lt;p&gt;· How will enforcement take place?&lt;/p&gt;
&lt;p&gt;· Is self-regulated accountability or statutory accountability better?&lt;/p&gt;
&lt;p&gt;· Will there be a privacy tribunal?&lt;/p&gt;
&lt;p&gt;· How will data be categorized?&lt;/p&gt;
&lt;p&gt;· Will breaches be notified?&lt;/p&gt;
&lt;p&gt;· Will standardized privacy policies be created?&lt;/p&gt;
&lt;p&gt; As Hugh Stevenson, the commissioner from the FTC, described - one of the greatest benefits of breach notification was&amp;nbsp; the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work and how their information is processed, and what risks are involved and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced - is whether a comprehensive legislation could be implemented? And should India be looking to enact such a comprehensive and detailed legislation when there is no existing privacy legislation to build off of, and no deep culture of privacy?&amp;nbsp;&amp;nbsp; To these concerns I can only speculate that there is always a balance between being overly ambitious in a legislation, and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:08:36Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing">
    <title>Privacy, Free/Open Source, and the Cloud </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</link>
    <description>
        &lt;b&gt;A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;Cloud computing, in basic terms, is internet-based computing where shared resources and services are taken from the primary infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems/service-oriented architectures, and create the potential for the entire I.T. infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model, because it is made up of services delivered through common centers and built on servers which act as a point of access for the computing needs of consumers. The access points facilitate the tailoring and delivering of targeted applications and services to consumers. Details are taken from the users, who no longer need to have an understanding of, or control over the technology infrastructure in the cloud that supports their desired application.&lt;/p&gt;
&lt;p&gt;There are both corporate and consumer implications for such a system. For example, according cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in based on information he or she has already “consumed.”&amp;nbsp; Thus, for example: Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display – and consumption of those reinforces the pattern.&lt;/p&gt;
&lt;h3&gt;Privacy Concerns:&lt;/h3&gt;
&lt;p&gt;Though cloud computing can be a useful tool for consumers, corporations, and countries, cloud computing poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that high levels of encryption can be (and are) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary sources that gain access to information may not protect it as well as the initial source. Moreover, even strong protection measures are vulnerable to hackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individual's information protected?&lt;/p&gt;
&lt;p&gt;These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud, which are the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September, including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If international law, who can access the tribunals, and which tribunals have this jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides on a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for a limited amount of time for purposes of law enforcement, but other countries may allow retention of data for shorter or longer periods of time.&lt;/p&gt;
&lt;h3&gt;How are privacy, free/open source, and the cloud related?&lt;/h3&gt;
&lt;p&gt;Eben Moglen, a professor from Columbia law school, and founder and chairman of the Software Freedom Law Center who spoke on cloud computing, privacy, and free/open software at the Indian Institute for science on Thursday September 25, had another solution to the privacy concerns that arise out of the cloud. His lecture explains how the internet has moved from a tool that once promoted equality between people – no servants and no masters – to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and communication facilitated between the computer and the individual.&amp;nbsp; Professor Moglen describes how initially, when computers were first introduced to the public, humans spoke directly to computers, and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a server-client computing relationship. By removing the language between humans and computers, these corporations dis-empowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of self, such as decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of an individual, and, among other protections, the individuals could build up their desired levels of privacy.&lt;/p&gt;
&lt;h3&gt;Is free/open software the solution?&lt;/h3&gt;
&lt;p&gt;&amp;nbsp;Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals.&amp;nbsp; Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how a program uses personal information, and thus the person would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code.&amp;nbsp; But even putting that presumption aside, is the ability to write code enough to protect data (will help you protect data better – add more security)?&amp;nbsp; Perhaps if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards.&amp;nbsp;According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, they must set up their own infrastructure.&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;&amp;nbsp;Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them.&amp;nbsp; Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base.&amp;nbsp; For the ideology of free/open source to work, access to code is just a key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it,&amp;nbsp; and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is&amp;nbsp; not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries,&amp;nbsp; free/open source did not just enter into American society and immediately fix issues of&amp;nbsp; privacy by bringing freedom, as it seems Professor Moglen is suggesting free/open source will do in India.&amp;nbsp;&amp;nbsp;&amp;nbsp; Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology.&amp;nbsp; Free/open source, if not equally accessed or misapplied, protects neither freedom nor privacy.&amp;nbsp; As noted above, even if a person has access to code, he can protect data only to a certain extent.&amp;nbsp; Thus, he might think that he has created a privacy wall around information that actually is readily accessible.&amp;nbsp; In other words, free/open source cannot be the only answer to freedom, but instead a piece to a collective answer.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Openness</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:50:10Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions">
    <title>Privacy Concerns in Whole Body Imaging: A Few Questions</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</link>
    <description>
        &lt;b&gt;Security versus Privacy...it is a question that the world is facing today when it comes to using the Whole Body Imaging technology to screen a traveller visually in airports and other places. By giving real life examples from different parts of the world, Elonnai Hickok points out that even if the Government of India eventually decides to advocate the tight security measures with some restrictions, such measures need to be balanced against concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.&lt;/b&gt;
        
&lt;p&gt;&lt;strong&gt;What is Whole Body Imaging? &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly, without the cover of clothing. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Device, T-ray Technology, Millimeter Wave Technology, MM-wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are: Millimeter Wave and Backscatter machines. The Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal as well, but what a metal detector would not find – for example, they will detect items such as chemical explosives and non-metallic weapons.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;How are These Technologies Being Used - Two News Items to Ponder: &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;News Item One&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In 2009-2010 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in light of 9/11, the United States has pushed for the greater use of full-body scanners among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.&lt;/p&gt;
&lt;p&gt;Also, in response to the attempted attack on the U.S., the Mumbai Terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India issued a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one), but instead the authority will randomly select persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zooms in on parts of the image for a better look if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased.
The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.&lt;/p&gt;
&lt;p&gt;Despite this, the machines are controversial because they generate images of a passenger's entire body, which raises concerns as to the possible privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centered on the fact that the actual implementation of the procedures for retention and deletion of images is unclear.&amp;nbsp; For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security did a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough details for personal identification, the image is not retained, and the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;News Item Two&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In October this year, Fox News came out with a story that told how x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see inside the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. The vans have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. In vans the technology used is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out for a thorough car search. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the car.&amp;nbsp; Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right is given by an individual’s having chosen to do business at the airport, but a person who is traveling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his/her car.&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Questions at the Heart of the WBI Debate: &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and privacy as a right vs. privacy as protection. If privacy is seen as a constitutional right, as it is in the European Union under the Convention on Human Rights, then Whole Body Imaging raises questions about the human body — its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by the virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence information about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating?&amp;nbsp; Isn’t this particularly true given that airport scanning is of only a randomly-selected portion of travelers?&amp;nbsp; Is the loss of privacy that occurs proportional to the need and the means met? What is the purpose of security in these contexts?&amp;nbsp; All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping? 
Or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead to a declared national emergency?&amp;nbsp; Furthermore, how can legislation and policy, which have traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? &lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being used to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners by calling them ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights heading from Amsterdam's airport to the United States.&lt;/p&gt;
&lt;p&gt;In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use.&amp;nbsp; It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image algorithms to protect the individuals’ privacy even further.&amp;nbsp; A Nigerian leader also pledged to use full-body scanners.&lt;/p&gt;
&lt;p&gt;Though India has not implemented the use of WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing.&amp;nbsp; From the government’s demand for the Blackberry encryption keys and the loose clauses in the ITA and Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the police officers’ observation in the Times of India that the use of scanners was “against Islam, and an invasion of personal freedom.”&amp;nbsp; It is not clear which value would be given priority.&lt;/p&gt;
&lt;p&gt;The variation in responses and the uneven uptake of the technology around the world shows how controversial the debate between security and privacy is, and how culture, context, and perception of privacy all contribute to an individual’s, a nation’s, and a country’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, that it is much more than just a sum of numbers.&amp;nbsp; Instead, privacy is something that must be viewed holistically and contextually, and that must be a factor when assessing new policies.&amp;nbsp;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'&gt;https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:09:02Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/no-uid-campaign">
    <title>No UID Campaign in New Delhi - A Report</title>
    <link>https://cis-india.org/internet-governance/blog/no-uid-campaign</link>
    <description>
        &lt;b&gt;The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforeseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.&lt;/b&gt;
        
&lt;p&gt;Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor.&amp;nbsp; The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.&lt;/p&gt;
&lt;p&gt;The UID proposes to take the fingerprints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology, exposed the flaws of the entire technical aspect of the UID project.&amp;nbsp; He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system.&amp;nbsp; Contrary to the claim of the UID authority that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and there are many ways in which the technology can break, be inconsistent, or be inaccurate.&lt;/p&gt;
&lt;p&gt;From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that&amp;nbsp; no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.&lt;/p&gt;
&lt;p&gt;The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.&lt;/p&gt;
&lt;p&gt;In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.&lt;/p&gt;
&lt;p&gt;The campaigners for No UID plan to hold further meetings across the country and lobby Parliamentarians in the coming months.&lt;/p&gt;
&lt;p&gt;For more information contact: Mathew Thomas (Bangalore) mathew111983@gmaill.com, Elonnai Hickok (Bangalore) elonnai@cis-india.org , Sajan Venniyoor (Delhi): +91-9818453483 - Bobby Kunhu (Delhi): +91-9654510398&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/no-uid-campaign'&gt;https://cis-india.org/internet-governance/blog/no-uid-campaign&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-06-20T03:51:45Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online">
    <title>Does the Safe-Harbor Program Adequately Address Third Parties Online?</title>
    <link>https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online</link>
    <description>
        &lt;b&gt;While many citizens outside of the US and EU benefit from the data privacy provisions of the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data.  Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem. &lt;/b&gt;
        
&lt;p&gt;To date, the EU-US Safe Harbor Program leads in governing
the complex and multi-directional flows of personal information online. &amp;nbsp;&amp;nbsp;As commerce began to thrive in the online
context, the European Union was faced with the challenge of ensuring that personal
information exchanged through online services was granted
levels of protection on par with provisions set out in EU privacy law.&amp;nbsp; This was important, notably as the piecemeal
and sectoral approach to privacy legislation in the United States was deemed incompatible
with the EU approach.&amp;nbsp; While the Safe
Harbor program did not aim to protect the privacy of citizens outside of the
European Union per se, the program has in practice set minimum standards for
online data privacy due to the international success of American online
services.&lt;/p&gt;

&lt;p&gt;While many citizens outside of the US and EU benefit from
the Safe Harbor Program, it remains unclear how successful the program will be in an
online ecosystem where third-parties are being granted increasingly more rights
over the data they receive from first parties.&amp;nbsp;
Using Facebook as a site of analysis, I will attempt to shed light on
the deficiencies of the framework for addressing the complexity of data flows
in the online ecosystem.&amp;nbsp; First, I will argue
that the Safe Harbor Program does not do enough to ensure that participants are
held reasonably responsible for third party privacy practices.&amp;nbsp; Second, I will argue that the information
asymmetries created between first party sites, citizens, and governance bodies
vis-à-vis third parties obscure the application of the Safe Harbor Model.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The EU-US
Safe-Harbor Agreement&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In 1995, and based on earlier &lt;a href="http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html"&gt;OECD
guidelines&lt;/a&gt;, the EU Data Directive on the “protection of individuals with
regard to the processing of personal data and the free movement of such data”
was passed&lt;a name="_ednref1" href="#_edn1"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [1].&amp;nbsp; The original purpose of the EU Privacy
Directive was not only to increase privacy protection within the European
Union, but to also promote trade liberalization and a single integrated market
in the EU.&amp;nbsp; After the Data Directive was
passed, each member state of the EU incorporated the principles of
the directive into national laws accordingly.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;While the Directive was successful in harmonizing data
privacy in the European Union, it also embodied extraterritorial
provisions, giving it reach&lt;a name="_ednref2" href="#_edn2"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; beyond the EU.&amp;nbsp; Article 25 of the Directive states that the
EU Commission may ban data transfers to third countries that do not ensure “an
adequate level of protection” of data privacy rights&lt;a name="_ednref3" href="#_edn3"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [2].&amp;nbsp; Also, Article 26 of the Directive, expanding
on Article 25, states that personal data cannot be &lt;em&gt;transferred &lt;/em&gt;to a country that “does not ensure an adequate level of
protection” if the data controller does not enter into a contract that adduces
adequate privacy safeguards&lt;a name="_ednref4" href="#_edn4"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [3].
&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In light of the increased occurrence of cross-border
information flows, the Data Directive itself was not effective enough to ensure that
privacy principles were enforced outside of the EU.&amp;nbsp; Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law.&amp;nbsp; Therefore, the EU-US Safe-Harbor was established by the
EU Council and the US Department of Commerce as a way of mending the variant
levels of privacy protection set out in these jurisdictions, while also promoting
online commerce.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Social Networking
Sites and the Safe-Harbor Principles&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The case of social networking sites exemplifies the ease
with which data is transferred, processed, and stored between jurisdictions.&amp;nbsp; While many of the top social networking sites
are registered American entities, they continue to attract users not only from
the EU, but also internationally.&amp;nbsp; In accordance
with EU law, many social networking sites, including LinkedIn, Facebook,
Myspace, and Bebo, now adhere to the principles of the program.&amp;nbsp; The enforcement of the Safe Harbor takes
place in the United States in accordance with U.S. law and relies, to a great
degree, on enforcement by the private sector.&amp;nbsp;
TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program
among social networking sites.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Drawing broadly on the principles embodied within the EU
Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor
were developed.&amp;nbsp; These principles include
Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity
and Enforcement.&amp;nbsp;&amp;nbsp; The principle of “Notice”
sets out that an organization must inform individuals about the purposes for
which it collects and uses information about them, how to contact the
organization with any inquiries or complaints, the types of third parties to
which it discloses the information, and the choices and means the organization
offers individuals for limiting its use and disclosure.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;“Choice” ensures that individuals have the opportunity to
opt out of having their personal information disclosed to a third
party, and to ensure that information is not used for purposes incompatible with the purposes for
which it was originally collected.&amp;nbsp; The
“Onward Transfer” principle ensures that a third party receiving information
subscribes to the Safe Harbor principles, is subject to the Directive, or
enters into a written agreement which requires that the third party provide at
least the same level of privacy protection as is required by the relevant
principles.&lt;/p&gt;
&lt;p&gt;The principles of “Security” and “Data Integrity” seek to
ensure that reasonable precautions are taken to protect against the loss or misuse of
data, and that information is not used in a manner which is incompatible with
the purposes for which it has been collected, minimizing the risk that personal
information would be misused or abused.&amp;nbsp;
Individuals are also granted the right, through the access principle, to
view the personal information about them that an organization holds, and to
ensure that it is up-to-date and accurate.&amp;nbsp;
The “Enforcement” principle works to ensure that there is an effective mechanism
for assuring compliance with the principles, and that there are consequences
for the organization when the principles are not followed.&lt;/p&gt;
&lt;p&gt;The principles of the program are quite clear and
enforceable in the first party context, despite some prevailing ambiguities.&amp;nbsp; The privacy policies of most social
networking services have become increasingly clear and straightforward since
their inception.&amp;nbsp; Facebook, for example,
has revamped its &lt;a href="http://www.facebook.com/privacy/explanation.php"&gt;privacy
regime&lt;/a&gt; several times, and gives explicit notice to users of how their
information is being used.&amp;nbsp; The privacy
policy also explains the relationship between third parties and your personal information—including
how it may be used by advertisers, search engines, and fellow members.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;With respect to third party advertisers, principles of
“choice” are clearly granted by most social networking services.&amp;nbsp; For example, the &lt;a href="http://www.networkadvertising.org/"&gt;Network Advertising Initiative&lt;/a&gt;, a
self-regulatory initiative of the online advertising industry, clearly lists
its member websites and allows individuals to opt out of any targeted
advertising conducted by its members.&amp;nbsp; In
Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s
opt out features is given, allowing individuals to make somewhat informed
choices about their participation in such programs.&amp;nbsp; This point is, of course, in light of the
fact that most users do not read or understand the privacy policies provided by
social networking sites&lt;a name="_ednref5" href="#_edn5"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [4].
It is also important to note that Google, a major player in the online
advertising business, does not grant users of Buzz and Orkut the same “opt-out”
options as sites such as Facebook and Bebo.&lt;/p&gt;
&lt;p&gt;Under the auspices of the US Federal Trade Commission, the
Safe Harbor Program has also successfully investigated and settled several
privacy-related breaches which have taken place on social networking sites.&amp;nbsp; Among the most famous cases is &lt;a href="http://www.beaconclasssettlement.com/"&gt;Lane et al. v. Facebook et al.&lt;/a&gt;,
which was a class action suit brought against Facebook’s Beacon Advertising
program.&amp;nbsp; The US Federal Trade Commission
was quick to initiate an investigation of the program after many privacy groups
and individuals became critical of its questionable advertising practices.&amp;nbsp; The Beacon program was designed to allow
Facebook users to share information with their friends about actions taken on
affiliated, third party sites.&amp;nbsp; This had included,
for example, the movie rentals a user had made through the Blockbuster website.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The Plaintiffs filed a suit, alleging that Facebook and its
affiliates did not give users adequate notice and choice about Beacon and the
collection and use of users’ personal information. &amp;nbsp;&amp;nbsp;&amp;nbsp;The Beacon program was ultimately found to
be in breach of US law, including the &lt;a href="http://epic.org/privacy/vppa/"&gt;Video
Privacy Protection Act&lt;/a&gt;, which bans the disclosure of personally identifiable
rental information.&amp;nbsp; Facebook has
announced the settlement of the lawsuit, not bringing individual settlements,
but a marked end to the program and the development of a 9.5 million dollar &lt;a href="http://www.p2pnet.net/story/37119"&gt;Facebook Privacy Fund&lt;/a&gt; dedicated to
privacy and data-related issues.&amp;nbsp; Other privacy
related investigations of social networking sites launched by the FTC under the
Safe Harbor Program include Facebook’s &lt;a href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly"&gt;privacy
changes&lt;/a&gt; in late 2009, and Google’s recently released &lt;a href="http://www.networkworld.com/news/2010/032910-lawmakers-ask-for-ftc-investigation.html"&gt;Buzz
application&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Despite the headway the Safe Harbor is making, many privacy
related questions remain ambiguous with respect to the responsibilities of social networking
sites under the program.&amp;nbsp; For example,
Bebo &lt;a href="http://www.bebo.com/Privacy2.jsp"&gt;reserves the right&lt;/a&gt; to
supplement a social profile with additional information collected from publicly
available information and information from other companies.&amp;nbsp; Bebo does adhere to the “notice principle”—as
it makes known to users how their information will be used through their privacy
policy. However, it remains unclear if appropriate disclosures are given by Bebo
as required by Safe Harbor Framework, notably as the sources of “publicly
available information” as a concept remains broad and obscured in the privacy policy.&amp;nbsp; It is also unclear whether or not Bebo users
are able to, under the “Choice” principle, refuse to have their profiles
supplemented by other information sources.&amp;nbsp; Also, under the “access
principle”, do individuals have the right to review all information held about them as “Bebo
users”?&amp;nbsp; The right to review information
held by a social networking site is an important one that should be upheld.&amp;nbsp; This is most notable as supplementary information
from outside social networking services is employed &amp;nbsp;to profile individual users in ways which may
work to categorize individuals in undesirable ways.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The Third Party Problem&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Cooperation between social networking sites and the Safe
Harbor has improved, and most of these sites now have privacy policies which
explicitly address the principles of the Program.&amp;nbsp;&amp;nbsp; It should also be noted that public interest
groups, such as EPIC, the Center for Digital Democracy, and The Electronic
Frontier Foundation, have played a key role in ensuring that data privacy
breaches are brought to the attention of the FTC under the program.&amp;nbsp; While the program has somewhat adequately
addressed the privacy practices of first party participants, the number of
third parties on social networking sites calls into question the
comprehensiveness and effectiveness of the Safe Harbor program.&amp;nbsp; Facebook itself as a first party site may adhere
to the Safe Harbor Program.&amp;nbsp; However, its
growing number of third party platform members may not always adhere to best practices
in the field, nor can Facebook or the Safe Harbor Program guarantee that they
do so.&lt;/p&gt;
&lt;p&gt;The Safe Harbor Program does require that all participants
take certain security measures when transferring data to a third party.&amp;nbsp; Third parties must either subscribe to the
safe harbor principles, or be subject to the EU Data Directive.&amp;nbsp; Alternatively, an organization may also
enter into a written agreement with a third party requiring that they provide
at least the same level of privacy protection as is required by program
principles.&amp;nbsp; Therefore, third parties of
participating program sites are, de facto, bound by the safe harbor principles by
the way of entering into agreement with a first party participant of the
program. &amp;nbsp;This is the approach taken by
most social networking sites and their third parties.&lt;/p&gt;
&lt;p&gt;It is important to note, however, that third parties are not
governed directly by the regulatory bodies, such as the FTC.&amp;nbsp; The safe harbor website also &lt;a href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp"&gt;explicitly notes&lt;/a&gt;
that the program does not apply to third parties.&amp;nbsp; Therefore, as per these provisions, Facebook must
adhere to the principles of the program, while its third party platform members
(such as social gaming companies), only must do so indirectly as per a separate
contract with Facebook.&amp;nbsp; The
effectiveness of this indirect mode of governing of third party privacy
practices is questionable for numerous reasons.&lt;/p&gt;
&lt;p&gt;Firstly, while Facebook does take steps to ensure that
third parties use information from Facebook in a manner which is consistent to
the safe harbor principles, the company explicitly &lt;a href="http://www.facebook.com/policy.php"&gt;waives any guarantee&lt;/a&gt; that third
parties will “follow their rules”. &amp;nbsp;&amp;nbsp;Prior to allowing third parties to access any
information about users, Facebook requires third parties to &lt;a href="http://www.facebook.com/terms.php"&gt;agree to terms&lt;/a&gt; that limit their
use of information, and also use technical measures to ensure that they only
obtain authorized information.&amp;nbsp;&amp;nbsp; Facebook
also warns users to “always review the policies of third party applications and
websites to make sure you are comfortable with the ways in which they use
information”.&amp;nbsp; Not only are users
required to read the privacy policies of every third party application, but are
also expected to report applications which may be in violation of privacy
principles.&amp;nbsp; In this sense, Facebook not
only waives responsibility for third party privacy breaches, but also places further
regulatory onus upon the user.&lt;/p&gt;
&lt;p&gt;As the program guidelines express, the safe harbor relies to
a great degree on enforcement by the private sector.&amp;nbsp; However, it is likely that a self-regulatory
framework may lead the industry into a state of regulatory malaise.&amp;nbsp; Under the safe harbor program, Facebook must
ensure that the privacy practices of third parties are adequate.&amp;nbsp; However, at the same time, the company may
simultaneously waive their responsibility for third party compliance with safe
harbor principles.&amp;nbsp; Therefore, it remains
questionable as to where responsibility for third parties exactly lies.&amp;nbsp; When third parties are not directly
answerable to the governing bodies of safe harbor program, and when first parties
can waive responsibility for their practices, where does the incentive to
effectively regulate third parties come from?&amp;nbsp;&lt;/p&gt;
&lt;p&gt;While Facebook may in fact take reasonable legal and technical
measures to ensure third party compliance, the room for potential dissonance
between speech and deed&amp;nbsp; is worrisome.&amp;nbsp; Facebook is required to ensure that third
parties provide “&lt;a href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp"&gt;at least the same
level of privacy protection&lt;/a&gt;” as they do.&amp;nbsp;
However, in practice, this has yet to become the case.&amp;nbsp; A quick survey of twelve of the most popular
Platform Applications in the gaming category showed&lt;a name="_ednref6" href="#_edn6"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;
that third parties are not granting their users the “same level of privacy
protection”[5].&amp;nbsp; For example, section 9.2.3
of Facebook’s “&lt;a href="http://www.facebook.com/terms.php"&gt;Rights and
Responsibilities&lt;/a&gt;” for Developers/Operators of applications/sites states
that they must “have a privacy policy or otherwise make it clear to users what
user data you are going to use and how you will use, display, or share that
data”.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;However, out of the 12 gaming applications surveyed, four
companies failed to make privacy policies available to users &lt;em&gt;before&lt;/em&gt; they granted the application
access to the personal information, including that of their friends&lt;a name="_ednref7" href="#_edn7"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [6].&amp;nbsp; After searching for the privacy policies on
the websites of each of the four social gaming companies, two completely failed
to post privacy policies on their central websites. &amp;nbsp;&amp;nbsp;This practice is in direct breach of the
contract made between these companies and Facebook, as mentioned above.&amp;nbsp; In addition to many applications failing to clearly
post privacy policies, many of the provisions set out in these policies were
questionable vis-à-vis safe harbor principles.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;For example, Zynga, maker of the popular games Mafia Wars and
Farmville, reserves the right to “maintain copies of your content
indefinitely”.&amp;nbsp; This practice remains contrary
to Safe Harbor principles, which state that information should not be kept for
longer than required to run a service.&amp;nbsp;
Electronic Arts also maintains similar provisions for data retention in
its privacy policy.&amp;nbsp;&amp;nbsp; Such practices are
rather worrisome also in light of the fact that both companies also reserve the
right to collect information on users from other sources to supplement profiles
held.&amp;nbsp; This includes (but is not limited
to) newspapers and Internet sources such as blogs, instant messaging services, and
other games.&amp;nbsp;&amp;nbsp; It is also worth
noting that only one of the twelve social gaming companies surveyed directly
participates in the safe harbor program.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In addition to the difficulties of ensuring that safe harbor
principles are adhered to by third parties, the information asymmetries which
exist between first party sites, citizens, and governance bodies vis-à-vis
third parties complicate this model.&amp;nbsp; Foremost,
it is clear that Facebook, despite its resources, cannot keep tabs on the
practices of all of their applications.&amp;nbsp;&amp;nbsp;
This puts into question if industry self-regulation can really guarantee
that privacy is respected by third parties in this context.&amp;nbsp; Furthermore, the lack of knowledge or
understanding held by citizens about how third parties use their information
is particularly problematic when a system relies so heavily on users to report
suspected privacy breaches.&amp;nbsp; The same is
likely to be true for governments, too.&amp;nbsp; As
one legal scholar, promoting a more laissez-faire approach to third party
regulation, notes, multiple and invisible third party relationships present
challenges to traditional forms of legal regulation&lt;a name="_ednref8" href="#_edn8"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt; [7].&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In an “open” social ecosystem, the sheer volume of data
flows between users of social networking sites and third party players appears
to have become increasingly difficult to effectively regulate.&amp;nbsp; While the safe harbor program has been
successful in establishing best practices and minimum standards for data
privacy, it is also clear that governance bodies, and public interest groups,
have focused most attention on large industry players such as Facebook.&amp;nbsp; This has left smaller third party players on
social networking sites in the shadows of any substantive regulatory concern.&amp;nbsp; &amp;nbsp;&amp;nbsp;If
one thing has become clear, it is the fact that governments may no longer be
able to effectively govern the flows of data in the burgeoning context of “open
data”.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;As I have demonstrated, it remains questionable whether or
not Facebook can regulate third parties’ data collection practices
effectively.&amp;nbsp; Imposing more stringent
responsibilities on safe harbor participants could be a positive step.&amp;nbsp; It is reasonable to assume that it would be
undue to impose liability on social networking sites for the data breaches of
third parties.&amp;nbsp; However, it is not
unreasonable to require sites like Facebook to go beyond setting “minimum
standards” for data privacy, towards taking a more active enforcement role, even if
through TRUSTe or another regulatory body.&amp;nbsp;
If the safe harbor is to be effective, it cannot allow program participants
to simply waive liability for third party privacy practices.&amp;nbsp; The indemnity granted to third parties on social
networking sites may render the safe harbor program more effective in sustaining
the non-liability of third parties, rather than protecting the data privacy of
citizens.&lt;/p&gt;
&lt;div&gt;&lt;/div&gt;
&lt;div&gt;
&lt;hr align="left" size="1" width="33%" /&gt;

&lt;/div&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn1" href="#_ednref1"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;[1] Official Directive 95/46/EC&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn2" href="#_ednref2"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn3" href="#_ednref3"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;[2] 95/46/EC&lt;/p&gt;
&lt;p class="discreet"&gt;[3] Ibid&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn4" href="#_ednref4"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;a name="_edn5" href="#_ednref5"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/a&gt;[4] See Acquisti,
A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacy
on Facebook. &lt;em&gt;PET 2006&lt;/em&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn6" href="#_ednref6"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;[5] The privacy policies browsed include those of Zynga, Rock
You!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom,
Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="_edn7" href="#_ednref7"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;span class="MsoEndnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;[6] By adding an application, users are also sharing with
third parties the information of their friends if they do not specifically &amp;nbsp;opt out of this practice.&lt;/p&gt;
&lt;p class="discreet"&gt;[7] See Milina, S. (2003).
Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach to
Online Profiling. &lt;em&gt;Cardozo Arts and Entertainment Law Journal&lt;/em&gt; .&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online'&gt;https://cis-india.org/internet-governance/blog/does-the-safe-harbor-program-adequately-address-third-parties-online&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>rebecca</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Facebook</dc:subject>
    
    
        <dc:subject>Data Protection</dc:subject>
    
    
        <dc:subject>Social Networking</dc:subject>
    

   <dc:date>2011-08-02T07:19:34Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly">
    <title>Does the Social Web need a Googopoly?</title>
    <link>https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly</link>
    <description>
        &lt;b&gt;While the utility of the new social tool Buzz is still under question, the bold move into social space taken last week by the Google Buzz team has Gmail users questioning privacy implications of the new feature.  In this post, I posit that Buzz highlights two  privacy challenges of the social web.  First, the application has sidestepped the consensual and contextual qualities desirable of social spaces.  Secondly, Google’s move highlights the increasingly competitive and convergent nature of the social media landscape.  &lt;/b&gt;
        
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Last week, to the surprise of many, Google launched its new
social networking platform, Buzz.&amp;nbsp; The
new service is Google’s effort to amplify the “social nature” of their services
by integrating them under one platform, and adding some extra social utility.&amp;nbsp;&amp;nbsp; The social application runs from the Gmail
interface, but also links other Google accounts a user may have, including
albums on Picasa, and Google Reader.&amp;nbsp; &amp;nbsp;The service also allows for sharing from
external sources, such as photos on Flickr, and videos from YouTube.&amp;nbsp; The service also allows users to post, like,
or dislike the status updates of others which may be publicly searchable if the
user opts.&amp;nbsp; Before a Gmail user may fully
participate in Google Buzz service, a unique Google Personal Profile must be
created.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;User Consent&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Much of the buzz surrounding the new social networking
service last week wasn’t paying much lip service to the new application.&amp;nbsp; Instead, an uproar of privacy concerns continued
to dominate the Buzz scene, with many critics quickly labeling Buzz a “&lt;a href="http://news.cnet.com/8301-31322_3-10451428-256.html"&gt;privacy nightmare&lt;/a&gt;”.&amp;nbsp; A &lt;a href="http://digitaldaily.allthingsd.com/20100216/epic-files-ftc-complaint-over-google-buzz/?mod=ATD_rss"&gt;formal
complaint&lt;/a&gt; has been already filed with the US Federal Trade Commission in
response to Google’s new privacy violating service.&amp;nbsp; &amp;nbsp;A
second-year Harvard Law student has also filed a &lt;a href="http://abcnews.go.com/Technology/google-buzz-draws-class-action-suit-harvard-student/story?id=9875095&amp;amp;page=1"&gt;class-action
suit&lt;/a&gt; against the company for its privacy malpractices.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Much of the privacy talk thus far has focused on issues of
consent, or lack thereof, in this case.&amp;nbsp; Upon
Buzz’s launch, Gmail users were automatically subscribed as “opting in” for the
service.&amp;nbsp; Google has used the private
address books of millions of Gmail accounts to build social networks from the
contacts users email and chat with most.&amp;nbsp;
To entice users into using the service, Gmail users were set to
auto-follow all of their contacts, and in turn, to be followed by them,
too.&amp;nbsp; Furthermore, all new Buzz users had
been set to automatically share all public Picasa albums and Google Reader items
with their new social graph.&amp;nbsp; It is
argued that social network services should be &lt;a href="http://jonoscript.wordpress.com/2010/02/20/buzz-off-google-social-networks-should-always-be-opt-in-not-opt-out/"&gt;opt-in,
rather than opt-out&lt;/a&gt;, and that Buzz has violated the consensual nature of
the social web.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Illuminating the complications of building a social graph
from one’s inbox is the story of an Australian woman, who remains anonymous.&amp;nbsp; As she claims, most of the emails currently received
through her Gmail account are those from her abusive ex-boyfriend.&amp;nbsp; Due to Google’s assumption that Gmail users
would like to be “auto-followed” by their Gmail contacts (mirroring Twitter’s friendship
protocol), items shared between herself and her new boyfriend through her Google
Reader account had become public to her broader social graph, including her
ex-boyfriend and his harassing friends.&lt;/p&gt;
&lt;p&gt;In a &lt;a href="http://www.gizmodo.com.au/2010/02/fck-you-google/"&gt;blog response&lt;/a&gt;
directed to Google’s Buzz team, the woman scornfully wrote- “&lt;em&gt;F*ck you, Google. My privacy concerns are
not trite. They are linked to my actual physical safety, and I will now have to
spend the next few days maintaining that safety by continually knocking down
followers as they pop up. A few days is how long I expect it will take before
you either knock this shit off, or I delete every Google account I have ever
had and use Bing out of f*cking spite&lt;/em&gt;”.&amp;nbsp;
As this case demonstrates, the people we mail most often may not be our
closest friends. &amp;nbsp;&amp;nbsp;As email has replaced
the telephone for many as the dominant mode of communication, some contacts may
be friends; many others, however, may not be. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;In response to the uproar, tweaks to Buzz’s privacy features
have since been made.&amp;nbsp; Todd Jackson,
Buzz’s product manager, has also posted a &lt;a href="http://gmailblog.blogspot.com/2010/02/millions-of-buzz-users-and-improvements.html"&gt;public
apology&lt;/a&gt; to the official Gmail Blog late last week for not “getting
everything quite right”.&amp;nbsp; The service will
now assume the more user-centric “auto-suggest” model, allowing users to selectively
choose the contacts they wish to follow, and will also no longer auto-link Picasa
and Reader content.&amp;nbsp; However, as the &lt;a href="http://digitaldaily.allthingsd.com/20100216/epic-files-ftc-complaint-over-google-buzz/?mod=ATD_rss"&gt;EPIC’s
complaint notes&lt;/a&gt;, many are still unsatisfied with the opt-out nature of the
service, arguing that users should be able to opt into the service if they so
choose, rather than having to delist themselves from a service they didn’t necessarily
sign up for.&amp;nbsp; Ethical quandaries also still
loom over Google’s misuse of the users’ private contact lists to jumpstart
their new service.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Contextual Integrity &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The attacks on personal privacy resulting from Google’s model
are vast.&amp;nbsp; As the case of the Australian
woman illuminates, the concept of the “online friend” has been completely taken out
of context with Buzz’s initial auto-follow model.&amp;nbsp; Many of the contacts we make on a daily basis
need not be made public through the Google profile.&amp;nbsp; For most, Buzz’s privacy breach may be
benign or annoying at most. However, for those who are engaged in sensitive social
or political relationships via their Gmail chat or email accounts, the revelation
of common contacts could have been potentially damaging. &amp;nbsp;A reporter from CNET has cleverly labeled
Buzz as “&lt;a href="http://news.cnet.com/8301-17939_109-10451703-2.html"&gt;socially
awkward networking&lt;/a&gt;”, as bringing diverse contacts under one umbrella
doesn’t exactly make the most social sense. In response, Gmail users are
required to sort through and filter their Buzz followers accordingly, or choose
to disable the service altogether.&lt;/p&gt;
&lt;p&gt;Besides questions of who is stalking whom, the assumptive
and public nature of Google’s&amp;nbsp; new move
has cast a shadow of doubt among Gmail users regarding the ability of Google to
maintain the privacy and contextual integrity of the Gmail account.&amp;nbsp; Should one account be the place to socialize,
and&amp;nbsp; “do business”?&amp;nbsp; Gmail is, and should remain, an email
service.&amp;nbsp; However, Buzz takes the email
experience into new and questionable grounds.&amp;nbsp;
Do Gmail users feel entirely comfortable having their personal email,
social graph, and chat functions all coming under the auspices of one platform?
&amp;nbsp;&amp;nbsp;Many users felt they had been lured
into using a social networking service that they didn’t sign up for in the
first place. &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Social Media Competition&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In addition to Google’s attempt to integrate their various
service offerings, Buzz is seen as an obvious attempt to bolster
competitiveness in the social media market.&amp;nbsp;
In 2004, Google released Orkut. While the service has become big in
countries such as Brazil and India, it has been overshadowed by sites such as
Facebook in other jurisdictions, and has not been able to prove itself as a mainstream
space for networking.&amp;nbsp; In the past year, Google
had also launched Google Wave, a tool that mixes e-mail, with instant messaging
and the ability for several people to collaborate on documents.&amp;nbsp; However, the application failed to completely
win over audiences, and was considered one of the &lt;a href="http://www.readwriteweb.com/archives/top_10_failures_of_2009.php"&gt;top
failures of 2009&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;With Google unable to effectively saturate the social media
ecosystem, Buzz is an attempt to compete with the searchable and real time
experiences provided by social media giants, Facebook and Twitter.&amp;nbsp; Increased competition within the social media
market could be a positive development for privacy, as social media companies
could arguably compete on their ability to provide users with preferable privacy
architectures.&amp;nbsp; To the contrary, however,
such competition has thus far had negative ramifications for user privacy, as
the recent Buzz and Facebook moves illustrate.&amp;nbsp;
Facebook’s loosened privacy settings were a &lt;a href="http://www.economist.com/specialreports/displaystory.cfm?story_id=15350984"&gt;competitive
knee-jerk&lt;/a&gt; reaction to Twitter’s searchable and real time experience.&amp;nbsp; Through a Twitter search, individuals can
come to know what people are saying about a certain topic, event, or product,
and as a result, the service has received a great deal of attention from users,
and non-users such as advertisers, alike.&amp;nbsp;
&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In an attempt to one-up their competition, the “Twitterization”
of Facebook followed in two distinct stages.&amp;nbsp;
First was with the implementation of the Facebook News Feed, which gave
users a real time account of the actions of their friends on the site.&amp;nbsp; Many argued that this feature invaded user
privacy.&amp;nbsp; However, it was argued by
Facebook that they only were making available information that was already
accessible through individual profile pages.&amp;nbsp;
The News Feed, as it happens, effectively took user information and
actions on the site out of original context by streaming this information live
for others’ easy viewing.&amp;nbsp; Information
users once had to rummage for had become accessible in real time on the
homepage of the service.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Secondly, Facebook’s recent &lt;a href="http://www.eff.org/deeplinks/2009/12/facebooks-new-privacy-changes-good-bad-and-ugly"&gt;privacy
scandal&lt;/a&gt; was a step towards making profile information more searchable and accessible
to third parties, as is most often the case with the more public feeds on Twitter.&amp;nbsp; As &lt;a href="https://cis-india.org/openness/blog-old/•%09http:/www.simplyzesty.com/twitter/unrelenting-twitterization-facebook-continues/"&gt;one
commentator notes&lt;/a&gt;, &amp;nbsp;&amp;nbsp;“&lt;em&gt;Facebook used to be very private but private
is not great for search, to have great search you need all of the data to be
publicly available as it mostly is on Twitter. Facebook have not quite nailed
real time search yet but they are getting there and it will soon be a great way
of examining sentiment across different demographics&lt;/em&gt;”. &amp;nbsp;As a result, information on Facebook, such as
name, profile picture, friends list, location and fan pages have become open
access information.&amp;nbsp; In addition, users
on Facebook have been subjected to a new privacy regime without notice, leaving
their profile pages generally more open, and searchable through Google.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Converging the Online
Self&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The impact Buzz alone can make on the social media landscape
remains questionable (Gmail has only 140 million accounts, which is a far
cry from Facebook’s 400+ million dedicated users).&amp;nbsp; However, despite Google’s in/ability to
claim hegemony over the social web landscape, the abuse of private information
to launch a new service has raised serious debate over the privacy and the
future of social networking.&amp;nbsp; The Buzz
service marks more than yet another new social networking service that brushes
aside the privacy of users.&amp;nbsp; As user control
and privacy become an increasingly peripheral concern, Google’s shift toward privacy
decontrol also signifies a worrisome supply-side shift towards the
“convergence” of online identity.&lt;/p&gt;
&lt;p&gt;Within this new dominant paradigm, privacy concerns are
often interpreted as antithetical to competitiveness in the social media
marketplace.&amp;nbsp; Instead of an imagined ecosystem
based on user control and privacy preference, it can now be inferred that the
competitiveness of social networking services will continue to disrupt the
delicate balance between the public and private online. Regardless of the fact that greater
visibility and searchability of the social profile may not be in the public
interest, Google’s recent move works to reinforce the new status quo of
“openness”.&amp;nbsp; Furthermore, it is
questionable as to how concentrated and integrated a user may want their online
activities to become.&amp;nbsp; A critical
discourse of online privacy must, therefore, take into account the ways in
which the social web renders the user increasingly transparent through networks
of networking services.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Google’s Buzz illustrates this point quite well.&amp;nbsp;&amp;nbsp; Initially, Gmail was a straightforward email
service.&amp;nbsp; Next, the AdWords advertising service
and Gmail chat had become integrated into the Gmail experience.&amp;nbsp; Because Google was using the confidential
emails of its Gmail users, privacy concerns began to mount upon the launch of
the AdWords service.&amp;nbsp; However,
turmoil surrounding AdWords died down, notably as Google continues to reassert
that it is bots, not humans, that are scanning the emails in order to provide
the AdWords service.&amp;nbsp; Next, there gradually
occurred a convergence of Google services under the single social profile, or
“email address”.&amp;nbsp; A single Gmail account
potentially includes use of Google Reader, Calendar, Chat, Groups and an Orkut
account.&amp;nbsp; In terms of behavioral targeted
advertising, Google has recently announced that they will be providing
personalized search results even to users who have not signed up for Google
services.&amp;nbsp; This will be done through the
placement of a cookie on all machines to provide targeted advertising seamlessly
through each Google search and browsing session.&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;While many argue that the collection of non-personally
identifiable information poses no privacy harm, this assumption needs
reassessment.&amp;nbsp; As Google comes to offer
us more, they also come to learn more, and Buzz signifies this trend towards a Googopolized
social web.&amp;nbsp; To add another layer of
complexity to Google’s hegemony, users of the Buzz service are also required to create
a “Google Profile”, which is searchable online and displays real time status
updates, comments, and connections from other social network services, such as
Facebook and Twitter.&amp;nbsp; As Google recently
launched the beta version of the new &lt;a href="http://googleblog.blogspot.com/2009/10/introducing-google-social-search-i.html"&gt;Social
Search&lt;/a&gt;, Buzz was just the service required to increase the relevance of the
new service by encouraging Gmail users to publish even more personal
information.&amp;nbsp; The creation of a personal
Google profile, which is indexed and searchable, raises many concerns about
privacy and identity, and doubts are continually raised over &lt;a href="http://www.businessinsider.com/hey-google-thi-i-why-privacy-matter-2010-2"&gt;how
much Google should come to know&lt;/a&gt; about us.&lt;/p&gt;
&lt;p&gt;While Google’s services have arguably made the online social
experience more seamless and tailored, it is questionable as to how relevant,
or even desirable, such a shift may be.&amp;nbsp;
At present, it may appear that Google is wearing far too many hats, and
users should be wary of placing all eggs into one basket.&amp;nbsp; As
the launch of Buzz has shown us, user consent and the contextual integrity of
private personal information can be compromised when a diverse number of online
services are integrated and given a social spin.&amp;nbsp;&amp;nbsp;&amp;nbsp; When competition among social web providers
drives users to lose control of the private information which is inherently theirs,
critical questions surrounding competition, convergence and privacy require
critical exploration.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly'&gt;https://cis-india.org/openness/blog-old/does-the-social-web-need-a-googopoly&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>rebecca</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Social Networking</dc:subject>
    
    
        <dc:subject>Competition</dc:subject>
    
    
        <dc:subject>Google Buzz</dc:subject>
    

   <dc:date>2011-08-18T05:06:37Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking">
    <title>The (in)Visible Subject: Power, Privacy and Social Networking</title>
    <link>https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking</link>
    <description>
        &lt;b&gt;In this entry, I will argue that the interplay between privacy and power on social network sites works ultimately to subject individuals to the gaze of others, or to alternatively render them invisible. Individual choices concerning privacy preferences must, therefore, be informed by the intrinsic relationship which exists between publicness/privateness and subjectivity/obscurity. &lt;/b&gt;
        &lt;strong&gt;&lt;br /&gt;The Architecture of Openness&lt;/strong&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;div id="parent-fieldname-text"&gt;
&lt;p&gt;Through a Google search or a quick scan of Facebook, people
today are able to gain “knowledge” on others in a way never before
possible.&amp;nbsp; The ability to search and collect information
on individuals online only continues to improve as online social networks grow
and search engines become more comprehensive.&amp;nbsp;
Social networks, and the social web more broadly, have worked to
fundamentally alter the nature of personal information made available
online.&amp;nbsp; Social networking services today enable the average person with web access to publish information through a “social
profile”.&amp;nbsp; Personal
information made available online is now communicative, narrative and
biographic.&amp;nbsp; Consequently, social profiles have become
rich containers of personal information that can be searched, indexed
and analyzed.&lt;/p&gt;
&lt;p&gt;The architecture of the social web further encourages users
to enclose volumes of personally identifiable information.&amp;nbsp; Most social
network sites embrace the “ethos
of openness” as, by default, most have relaxed privacy settings.&amp;nbsp; While
most sites give users relative control
over the disclosure of personal information, services such as MySpace,
Facebook and LiveJournal are far ahead of the black and white public/private
privacy models of sites such as Bebo and Orkut.&amp;nbsp; Bebo,
for example, only allows users to disclose information to “friends” or
“everyone”, granting little granularity for diverse privacy
preferences.&amp;nbsp; MySpace and Facebook, on the other hand, have
made room for “friends of friends”, among other customizable group
preferences.&amp;nbsp; All networking sites also consider certain pieces
of basic information publicly available, without privacy controls.&amp;nbsp; On
most sites, this includes name,
photograph, gender and location, and list of friends.&amp;nbsp; Orkut, however,
considers far more
information to be public—leaving the political views and religions of its
members public.&amp;nbsp; This openness leaves the
individual with little knowledge or control over how their information
is viewed, and subsequently used.&lt;/p&gt;
&lt;p&gt;Search functionality has also increased the visibility of
individuals outside their immediate social network.&amp;nbsp; For example, sites
such as Facebook and LinkedIn
index user profiles through Google search.&amp;nbsp;
Furthermore, all social network sites index their users, effectively
allowing profiles to be searched by other users through basic
registration data,
such as first and last name or registered email address.&amp;nbsp; While most
services allow users to remove
their profiles from external search engines, they are often not able to
effectively control internal searches.&amp;nbsp; Orkut,
for example, does not allow users to disable internal searches according
to their first and last names.&amp;nbsp; LinkedIn and
MySpace also maintain that users be searchable by their email
addresses.&lt;/p&gt;
&lt;p&gt;Through this open architecture and search functionality, social
network sites have rendered individuals more “visible” vis-à-vis one
another.&amp;nbsp; The social web has effectively
altered the spatial dimensions of our social lives as grounded, embodied
experience becomes ubiquitous and multiply experienced.&amp;nbsp; Privacy, in the
 online social milieu, assumes
greater fluidity and varied meaning—transcending spatially
 constructed
understandings of the notion.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;While the architecture of social networking sites encourages
users to be more “public”, heightened control, or “more privacy” is 
generally
suggested as the panacea to privacy concerns.&amp;nbsp;
However, the public/private binary of privacy talk often fails to
capture the complex nexus which exists between privacy and power in the
networked ecosystem.&amp;nbsp; Privacy preferences
on social networks, and the consequences thereof, are effectively shaped
 and
influenced by structures of power.&amp;nbsp; In
this entry, I will argue that the interplay between privacy and power 
works
ultimately to expose individuals to the subjective gaze of others, or to
 render
them invisible.&amp;nbsp; In this respect,
individual choices concerning privacy preferences must be informed by 
the
intrinsic relationship between notions of publicness/privateness and
subjectivity/obscurity.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Power and
Subjectivity &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The searchable nature of the social profile allows others to
quickly and easily aggregate information on one another.&amp;nbsp; As privacy
scholar Daniel Solove &lt;a href="http://docs.law.gwu.edu/facweb/dsolove/Future-of-Reputation/text.htm"&gt;notes&lt;/a&gt;,
 social searching may be of genuine intent – individuals
use social networking services to locate old friends, and to connect
with current
colleagues.&amp;nbsp; However, curiosity does not
always assume such innocence, as fishing expeditions for personal
information
may serve the purpose of judging individuals based on perception of the
social
profile.&amp;nbsp; The relative power of search
and open information can be harnessed to weed out potential job
applicants, or
to rank college applicants.&amp;nbsp; Made
possible through the architecture of the web and social constructions of
power,
individuals may be subjected to the deconstructive gaze of superiors.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The architecture of social networking sites significantly complements
this nexus between privacy and power.&amp;nbsp; As
individual behavior and preferences become more transparent, the act of
surveillance is masked behind the ubiquity and anonymity of online 
browsing. Drawing
on Foucault’s panopticism, social networks make for the 
“containerization” of social
space –allowing the powerful to subjectively hierarchize and classify
individuals in relation to one another&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftn1" name="_ftnref1"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;
 [1].&amp;nbsp; This practice becomes particularly
troublesome online, as individuals are often unable to control how they 
are constructed
by others in cyberspace.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Perfect control is difficult to guarantee in an ecosystem
where personal information is easily searched, stored, copied, indexed, 
and
shared.&amp;nbsp; In this respect, the privacy
controls of social networking sites are greatly illusory.&amp;nbsp; Googling an 
individual’s name, for example,
may not reveal the full social profile of an individual, but may unveil
dialogue involving the individual in a public discussion group.&amp;nbsp; The 
searchable nature of personal information
on the web has both complicated and undesirable consequences for the privacy
of the
person for what I believe to be two main reasons.&lt;/p&gt;
&lt;p&gt;The first point refers to what Daniel J. Solove describes as
the “&lt;a href="http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID440200_code249137.pdf?abstractid=440200&amp;amp;rulid=39703&amp;amp;mirid=1"&gt;virtue
 of knowing less&lt;/a&gt;”.&amp;nbsp;
Individuals may be gaining more “information” on others through the
internet, but this information is often insufficient for judging one’s
character as it only communicates one dimension of an individual.&amp;nbsp; In &lt;a href="http://heinonlinebackup.com/hol-cgi-bin/get_pdf.cgi?handle=hein.journals/washlr79&amp;amp;section=16"&gt;her
 work&lt;/a&gt;, Helen Nissenbaum emphasizes the importance contextual
integrity holds for personal information.&amp;nbsp;
When used outside its intended context, information gathered online may
not be useful for accurately assessing an individual.&amp;nbsp; In addition, the 
virtual gaze is void of the
essential components of human interaction necessary to effectively 
understand
and situate each other.&amp;nbsp; As Solove notes,
certain information may distort judgment of another person, rather than 
increasing
its accuracy.&lt;/p&gt;
&lt;p&gt;Secondly, the act of surveillance through social networks works
to undermine privacy and personhood, as individuals seek to situate 
others as
“fixed texts” &lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftn2" name="_ftnref2"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;[2].&amp;nbsp;
 Due to the complex nature of the social self, such practice is undesirable.&amp;nbsp; Online
social networks are socially constructed spaces, with diverse meanings
 assigned
by varied users.&amp;nbsp; One may utilize a social
network service to build and maintain professional relationships, while 
another
may use it as an intimate space to share with close friends and family.&amp;nbsp;
 James Rachels’ &lt;a href="http://www.scribd.com/doc/6152658/Why-Privacy-is-Important-James-Rachels"&gt;theory
of
 privacy&lt;/a&gt; notes that privacy is important, as it allows individuals 
to
selectively disclose information and to engage in behaviors appropriate 
and
necessary for maintaining diverse personal relationships.&amp;nbsp; Drawing on 
the work of performance theorists
such as &lt;a href="http://books.google.co.in/books?id=gyWuhD3Q3IcC&amp;amp;dq=judith+butler+gender+trouble&amp;amp;printsec=frontcover&amp;amp;source=bn&amp;amp;hl=en&amp;amp;ei=5W56S_aTL4vo7APq4YmfCA&amp;amp;sa=X&amp;amp;oi=book_result&amp;amp;ct=result&amp;amp;resnum=5&amp;amp;ved=0CBgQ6AEwBA#v=onepage&amp;amp;q=&amp;amp;f=false"&gt;Judith
Butler&lt;/a&gt;, we can assert that identity is not fixed or unitary, but is
constituted by performances that are directed at different audiences&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftn3" name="_ftnref3"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;
 [3].&amp;nbsp; Sociologist Erving Goffman also notes that we
“live our lives as performers… [and]
 play many different roles and
wear many different masks”&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftn4" name="_ftnref4"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;
 [4].&amp;nbsp; Individuals, therefore, are inclined to
perform themselves online according to their perceived audiences.&amp;nbsp; It is
 the audience, or the social graph,
which constructs the context that, in turn, informs individual behavior.&lt;/p&gt;
&lt;p&gt;Any attempt to situate and categorize the individual becomes
particularly problematic in the context of social networks, where 
information
is often not intended for the purpose for which it is being used.&amp;nbsp; Due 
to the complex nature of human behavior, judgments
of character based on online observation only effectively capture one 
side of
the “complicated self”&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftn5" name="_ftnref5"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;span class="MsoFootnoteReference"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;.&amp;nbsp;
 As Julie Cohen &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1012068"&gt;writes&lt;/a&gt;,
 the “law often fails to capture the mutually
constitutive interactions between self and culture, the social 
constructions of
systems of knowledge, and the interplay between systems of knowledge and
systems of power”.&amp;nbsp; Because the panoptic
gaze is decentralized and anonymous in the networked ecosystem, 
individuals will
often bear little knowledge on how their identities are being digitally
deconstructed and rewired.&amp;nbsp; Most importantly,
much of this judgment will occur without individual consent or
knowledge—emphasizing the transparent nature of the digital self.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Power and
(in)visibility&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In response to the notion that the architecture of the
social web may render individuals transparent to the gaze of others, the
 need
for more “control” over privacy on social network sites has captured the
 public
imagination.&amp;nbsp; Facebook’s abrupt &lt;a href="http://www.readwriteweb.com/archives/facebook_pushes_people_to_go_public.php"&gt;privacy
 changes&lt;/a&gt;, for example, have received
widespread
 attention in the &lt;a href="http://www.readwriteweb.com/archives/why_facebook_is_wrong_about_privacy.php"&gt;blogosphere&lt;/a&gt;
 and even by &lt;a href="http://www.guardian.co.uk/technology/blog/2009/dec/17/facebook-privacy-ftc-complaint"&gt;governments&lt;/a&gt;.&amp;nbsp;
 While
popular privacy discourse often continues to fixate on the 
public/private
binary—Facebook’s questionable move towards privacy decontrol has raised
important questions of power and privilege.&lt;/p&gt;
&lt;p&gt;A recent &lt;a href="http://www.zephoria.org/thoughts/archives/2010/01/16/facebooks_move.html"&gt;blog
 post&lt;/a&gt; by danah boyd nicely touches upon the dynamics of
power, public-ness, and privilege in the context of online social networking.&amp;nbsp; 
As she notes, “Public-ness has always been a
privilege… but now we've changed the
equation
and anyone can theoretically be public… and
 seen
by millions.&amp;nbsp; However, there are still
huge social costs to being public…the privileged don’t have to worry 
about the
powerful observing them online…but most everyone else does –forcing 
people into
the public eye doesn’t &lt;em&gt;dismantle the
structures of privilege and power&lt;/em&gt;, but only works to &lt;em&gt;reinforce 
them&lt;/em&gt;” (emphasis added).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;This point touches upon an important idea —that publicity has value.&amp;nbsp;
 This nexus between visibility and power is
one which unfolds quite clearly in the social media ecosystem.&amp;nbsp; One’s 
relevance or significance could,
arguably, be measured relative to online visibility.&amp;nbsp; Many individuals 
who are seen as “leaders”
within their own professional or social circles often maintain public 
blogs, maintain
a herd of followers on Twitter, and often manage large numbers of 
connections
on social network sites.&amp;nbsp; The more
information written by or on an individual online, arguably, the more
relevant
they appear in the eyes of their peers and superiors alike.&lt;/p&gt;
&lt;p&gt;Power and privilege, however experienced, will be mirrored
in the online context.&amp;nbsp; While the participatory
and decentralized nature of Web 2.0 arguably works to challenge traditional
structures of power, systemic hierarchies are often reinforced
online – as Facebook’s
privacy blunders clearly illustrate. The privileged need not worry
about the
subjective gaze of their superiors, as boyd notes.&amp;nbsp; Those who may be
compromised due to the lack
of privateness, however, do.&amp;nbsp; As boyd
goes on to argue, “the privileged get more privileged, gaining from
being
exposed… and those struggling to keep
their
lives together are forced to create walls that are constantly torn down
around
them”.&amp;nbsp; As public exposure may often
equate to power, we must critically
challenge
 the assumption that the move towards more privacy control on social
networks will best empower its members.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;If publicity can
potentially have great value for the individual, the opposite also rings
true.&amp;nbsp; Privacy, as polemic to publicness,
alternatively works to diminish the presence of the individual, 
rendering them
invisible or irrelevant within hyper-linked networks.&amp;nbsp; With 
greater personal protectionism online,
an individual may go unnoticed or unrecognized, fizzling out dully 
behind their
more public peers.&amp;nbsp; Drawing on social
network theory, powerful people can be understood as “supernodes” as 
they
connect more peripheral members of a network.&amp;nbsp;
As &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=629283"&gt;Lior
 Strahilevitz notes&lt;/a&gt;, supernodes tend to be better
informed than the peripherals, and are most likely to be perceived as 
“leaders”.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;As the power of the supernode relates to privacy, Strahilevitz
states that “supernodes
maintain their privileged status by continuing
to serve as information clearinghouses….and, in certain contexts, become
supernodes based in part on their willingness to share previously
private
information about themselves”.&amp;nbsp; It is within
the context of visibility and power that the idea of (in)visibility and
powerlessness online unfolds.&amp;nbsp; Those who
have the most at risk by going public may choose not to do so. Those in
comfortable positions with considerably less to lose by going public may
be
inclined to “open up”.&amp;nbsp; Heightened privacy
controls on social network services, therefore, can work to reinforce
the very structures
of power they seek to dismantle.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;This is
not to argue, however, that more privacy is necessarily bad, and that 
less
privacy is good, or that users shouldn’t be selective in their
disclosures – to
the contrary.&amp;nbsp; As personal information
has become ubiquitous and tools for aggregating information improve, 
maintaining
privacy online becomes more pertinent than ever. However, the concept of
 privacy
will only continue to become increasingly complex as digital networks 
continue
to deconstruct and reconfigure the spatial dimensions of the public and 
private.&amp;nbsp; How are we to effectively understand privacy
in a social environment which values openness and publicity?&amp;nbsp; Can the 
fluid and dynamic self gain
visibility online without becoming subject to the gaze of superiors?&amp;nbsp; 
Will those who selectively choose
friends and carefully disclose personal information fizzle out, while the powerful
and less inhibited continue to reassert privilege?&amp;nbsp; The interplay 
between power and privacy on
the social web is a multiply constitutive and reinforcing synergy 
–understanding
how to effectively strike balance between the right to privacy and 
self-determination
is the challenge ahead.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;hr align="left" size="1" width="33%" /&gt;
&lt;div id="ftn1"&gt;
&lt;p&gt;&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftnref1" name="_ftn1"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="footnotereference"&gt;&lt;span class="footnotereference"&gt;&lt;/span&gt;&lt;/span&gt;
 1. see “Foucault in Cyberspace” by James Boyle&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn2"&gt;
&lt;p&gt;&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftnref2" name="_ftn2"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn3"&gt;
&lt;p&gt;&lt;a href="https://cis-india.org/../others/the-in-visible-subject-power-privacy-and-social-networking-1#_ftnref3" name="_ftn3"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;span class="FootnoteCharacters"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="footnotereference"&gt;&lt;span class="footnotereference"&gt;&lt;/span&gt;&lt;/span&gt;2.
 Julie Cohen&lt;/p&gt;
&lt;p&gt;3. Cohen citing Butler&lt;/p&gt;
&lt;p&gt;4. Solove citing Goffman&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div id="viewlet-social-bookmarks"&gt;
&lt;div id="shareit" class="hidden"&gt;
&lt;div id="exit"&gt;
&lt;h4&gt;Bookmark &amp;amp; Share:&lt;/h4&gt;
&lt;ul id="viewlet_bookmarks"&gt;&lt;li&gt;
            &lt;a href="http://del.icio.us/post?url=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1&amp;amp;amp;title=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking"&gt;
                &lt;img src="../../../../++resource++sb_images/delicious.png" alt="Del.icio.us" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://www.facebook.com/share.php?u=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1"&gt;
                &lt;img src="../../../../++resource++sb_images/facebook.jpg" alt="Facebook" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://www.google.com/bookmarks/mark?op=add&amp;amp;bkmk=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1&amp;amp;title=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking"&gt;
                &lt;img src="../../../../++resource++sb_images/google.jpg" alt="Google Bookmarks" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://twitter.com/home?status=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1"&gt;
                &lt;img src="../../../../++resource++sb_images/twitter.gif" alt="Twitter" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://www.myspace.com/Modules/PostTo/Pages/?c=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1&amp;amp;amp;t=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking"&gt;
                &lt;img src="../../../../++resource++sb_images/myspace.png" alt="MySpace" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://digg.com/submit?phase=2&amp;amp;amp;url=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1&amp;amp;amp;title=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking"&gt;
                &lt;img src="../../../../++resource++sb_images/digg.png" alt="Digg" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://reddit.com/submit?url=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1&amp;amp;amp;title=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking"&gt;
                &lt;img src="../../../../++resource++sb_images/reddit.png" alt="Reddit" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;li&gt;
            &lt;a href="http://slashdot.org/bookmark.pl?title=The%20%28in%29Visible%20Subject:%20Power,%20Privacy%20and%20Social%20Networking&amp;amp;amp;url=http://www.cis-india.org/advocacy/others/the-in-visible-subject-power-privacy-and-social-networking-1"&gt;
                &lt;img src="../../../../++resource++sb_images/slashdot.png" alt="Slashdot" /&gt;
                &amp;nbsp;
                
            &lt;/a&gt;
        &lt;/li&gt;&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="visualClear"&gt;&lt;/div&gt;
&lt;h5 class="hiddenStructure"&gt;Document Actions&lt;/h5&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking'&gt;https://cis-india.org/openness/blog-old/the-in-visible-subject-power-privacy-and-social-networking&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>rebecca</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Social Networking</dc:subject>
    
    
        <dc:subject>Attention Economy</dc:subject>
    
    
        <dc:subject>Facebook</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-08-18T05:06:52Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
