Internet Privacy and Personalization

Legal and Ethical Issues, Debates, and Government Policies

 

Group 7

Joseph Nyanjom
Oliver Olson
Jeannette Osbaldeston
Rose Qu
Jason Reasor

 

29 April 2002


Introduction

In order to tailor a website to be more helpful to its users, companies have begun asking consumers for personal information.  For example, a company like Yahoo! may ask a user for his or her sex, age, zip code and birth date.  This way, whenever they log in to the site, relevant information such as local maps, local news, music reviews or horoscopes can be displayed.  This adds to the user’s overall experience of the website.  However, several issues have arisen regarding what companies are legally allowed to do with this information, and what they should do with it from an ethical standpoint.  Can they sell the information to other websites to turn a profit?  How can information be protected in order to keep people from stealing it?  How much information is too much information?  These are just a few of the questions regarding the collection of user data on the Internet.  Several legal and ethical issues are to be explored, as well as current debates and international issues on the subject.

 

Legal Issues

Laws regulating e-commerce and personal privacy rights are evolving.  Several exist to protect consumers and the information they share with businesses on the World Wide Web.  The Computer Fraud and Abuse Act, Code 18 U.S.C.S. Sec 1030, the Wiretap Act, Code 18 U.S.C.S. Sec. 2510 and the Stored Communications Act, Code 18 U.S.C.S. Sec. 2701 are the most recent additions that have been successful in business-to-business privacy issues. 

The Computer Fraud and Abuse Act (CFAA) protects computer users from unauthorized access and access exceeding that which was permitted.  The offenders are subject to criminal and civil charges with punishment ranging from a fine to no more than ten years in jail.  EF Cultural Travel BV sued Explorica, Inc. for breach of the CFAA in the State of Massachusetts and was granted an injunction May 30, 2001.[1]  EF Cultural Travel, the world’s largest student travel corporation established for 35 years, claimed that Explorica, founded in 2000 by ex-EF employees, illegally obtained their proprietary information through Zefer, a third party consultant.  Zefer created a program (a “robot”), based on the tour codes known by ex-employees, that was able to obtain all of EF’s pricing data.  Robots are commonly used by search engines like Alta Vista and Yahoo to filter content or return listings for user searches.  In this instance, the robot was written explicitly to obtain information primarily from EF’s website.  This data enabled Explorica to undercut EF’s prices and compete in the student travel market.

The Court cited 18 U.S.C. Sec 1030(a)(4) when finding in favor of EF.  This section states:

Whoever... knowingly with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value... shall be punished.[2]

 

EF’s server was accessed 30,000 times on two separate occasions when the robot was run.  This clearly violated the CFAA and that decision was upheld in the United States Court of Appeals.

Many organizations have been formed to help businesses abide by privacy guidelines through self-regulation.  Online Privacy Alliance is one such group, and member businesses must adopt the following privacy guidelines:

· Adoption and implementation of a privacy policy by the company
· Notice and disclosure of said policy to its customers
· Choice and consent must be available and made by the user
· Data obtained must be safeguarded from abuse
· Quality and access of the data must be ensured

 

The Online Privacy Alliance then aids members in successful self-regulation by monitoring, resolving complaints and educating their clients and partners.[3]  Such organizations are created to help ensure that consumers and business have their privacy protected.

The rights of consumers have also been championed through the courts. On September 14, 2001 Internet users were granted a summary judgment against their provider for placing a cookie on every user’s computer without authorization or user knowledge.[4]  Cookies are used by providers and web-companies to store an electronic file once a user has accessed a particular site.  When the user comes online again, the ISP and the businesses can use the cookies stored in the user’s RAM to obtain information without the user’s knowledge.  In the State of California, Internet users effectively filed suit against Intel for violation of the Stored Communications Act for the use of cookies.[5]  Intel violated this Act through their intentional access of the cookies.

As cyberspace continues to grow, so will the laws that govern it.  Privacy will remain at the center of most issues because information is so accessible.  Hopefully, businesses that self-regulate will prosper, and the privacy of consumers will be upheld.

 

Ethical Issues

Internet privacy is more than just a question of law; it is also an ethical issue.  Everyone knows the frustration of receiving unsolicited mail and phone calls at home.  We have become fairly accustomed to “junk mail” since it is so easy to throw away.  A “junk call” (our own phrase) is much more disturbing, since it requires an individual to respond.  “Junk e-mail” is a newer nuisance.  The initial ethical conclusion is that any firm that would create “junk” mail and calls would not have a problem creating “junk e-mail”.  We have already seen the legal aspect of Internet privacy, but the ethical obligations that exist are not codified.

There appear to be two types of discussions related to the ethics of Internet privacy: intentional and unintentional lack of ethics.  Intentional lack of ethics related to Internet privacy involves firms or individuals that seek opportunities to skirt the law and find loopholes in the law.  Unintentional lack of ethics would apply to those firms or individuals that fully intend to follow the law, but either have poor communication within their firms about the implementation of the privacy policy or are not technologically advanced enough to implement the privacy rules that they have set for themselves.

Many firms genuinely want to protect the privacy of their customers, but often find themselves at odds with technology.  Many firms do not create their own websites.  Rather, they contract out portions of the website (or the entire website) to other companies.  It can be difficult for a non-tech savvy company to control the implementation of their own stated privacy policies, as referenced in the following quotes:

“… it appears that the browser extension vendors have no interest in capturing such personal data, but that careless software programming is to blame.”[6]

 

“My take on this situation, is that we are looking at a classic case of miscommunications. The people who are responsible for writing privacy policies do not really understand the technical and business processes that are in place.”[7]

 

Thus, it is important to understand that Internet privacy issues cannot be addressed by legislation alone.  There must also be a concerted effort by all parties that are genuinely interested in protecting the privacy of their customers to fully understand the workings of the data that they collect.

Intentional lack of ethics is much harder to define and control.  These could be the firms that are unlawfully gathering and using information.  Also included in this category are firms that make use of loopholes in the law, of which there is no shortage.  An example of a dramatic legal loophole would be in regards to privacy in the healthcare industry.  Currently, federal rules protect visitors to the websites of health care providers, health insurance plans and health care clearinghouses.  However, if personal information is provided to a pharmaceutical company, fitness and nutrition websites, sites that sell non-prescription drugs or sites that offer mental health counseling, there are no specific laws regarding the distribution of this data. [8]  The customer must rely on the ethics of the website operator. A consumer could easily be misled into thinking they are providing information to a regulated site, when in fact they are not.

 

Debates

As more and more firms expand their operations onto the Internet, the topic of privacy has become a hotly debated issue.  The debate between groups advocating strict Internet privacy laws and companies who feel that additional restrictions would hamper their operations rages on.  People who feel additional regulations are needed to ensure higher levels of Internet privacy cite many disturbing statistics.  For example, over 142 million users worldwide spend over $50 billion per year with Internet companies; credit card payments account for 90% of all transactions.  According to FBI statistics, 1 million credit card numbers are stolen each year from online firms. [9]  Even more alarming is the fact that 70% of companies currently operating online have sites that are vulnerable to breaches, including large firms like AOL & Citibank.  The Internet, by providing a cheap and easy way to acquire personal information through giant databases, has helped to fuel an increase in identity theft (estimated 500,000 to 700,000 victims in 2001). [10]  Criminals are able to purchase an individual’s personal information such as a social security number or credit history for as little as $20.  Over 72% of Internet users feel there should be new laws to protect privacy on the Internet; 82% of users object to the sale of personal information on the net. [11]  Consumers have voiced their opinions clearly: protect their privacy on the Internet.  However, according to companies operating on the web, information sharing is the driving force for Internet evolution.  These companies cite cookies, which essentially trace the path of a web user, memorizing all transactional information, as a time-saving device to benefit the user.  By storing this information, a customer would not have to transmit their credit card numbers over the Internet multiple times or re-input their profile each time they enter the site.  Companies have also stated that it is the consumer’s choice to accept or reject cookies since free blocking software programs are readily available on the net.  When a user enters information about their credit card or any other information, Internet sites have disclaimers stating that their site is secure and require users to accept that they have read the terms and conditions.

According to a Georgetown University survey of the top 100 websites, 93% of web sites posted at least one type of privacy disclosure, while 59% posted both a privacy policy notice and an information practice statement.  They have also made a comparison of Internet information sharing to that carried out by traditional retailers.  For example, many grocery stores offer saver cards, which require personal information from the consumer.  Each time these cards are used, the stores are gathering valuable marketing and inventory information.  The U.S. government seems to have sided with the consumers on the subject of Internet privacy.  In 1999, Congress passed the Gramm-Leach-Bliley Act, which affirms the obligation of financial institutions to respect the privacy of their customers and to protect the security and confidentiality of a customer’s nonpublic personal information. [12]  The Online Privacy Protection Act and Consumer Privacy Protection Act are currently in the development stages.

 

Government Policies

Privacy is a fundamental right and is recognized in all major international treaties and agreements on human rights as is evidenced in many government policies. Internet privacy broadens the traditional definition of invasion of privacy as it relates to human rights. The main issues pertaining to invasion of privacy include searches and seizures, unsolicited e-mail, defamation, secrecy and creation of databases consisting of personal information including that of minors.[13]  As technological advancement begins to foster global e-commerce and information disbursement, privacy protection is becoming a growing concern and privacy violations threaten the growth of global and local e-commerce.

Because of the global nature of the Internet and its enabling of business transactions across national borders and continents, the need for international laws and standards is becoming critical.  For instance, the violation of privacy of a consumer in China transacting business on a European company website poses a dilemma if legal recourse is to be pursued.  Is he protected under Chinese or European privacy laws?  In light of all the new technologies and their enhancing effects on the global Internet presence, there is a growing trend towards the enactment of comprehensive privacy and data protection acts around the world.  As several consumer-oriented websites, especially in the U.S. and Europe, ignore international privacy standards, a rash of new privacy legislation has been introduced.  Over 40 countries and jurisdictions are in the process of passing privacy protection acts. [14]  In 1999 during the 106th session of Congress, nine Internet privacy bills were introduced, none of which had been passed by year 2000. [15]  The European Union parliament recently rejected an EU directive requiring communication data retention for Irish and member states law enforcement agencies despite encouragement from President Bush as part of global terrorist protection.  South Africa has had its Internet Censorship and Monitoring Act challenged in Parliament. [16]  In many former Soviet bloc and communist nations in Eastern Europe and Asia, the whole concept of privacy and basic human rights has been drastically under-practiced.  New constitutions and laws in these nations are addressing privacy issues concerning the Internet.

The impasse surrounding most debates around such legislation is self-regulation of the Internet versus government regulations through laws and acts.  Another proponent is market regulation evidenced by AT&T versus MCI WorldCom’s use of personal data.  The latter is notorious for its use of personal data for solicitation of business, at the expense of market share.  The rate of passage of bills that protect the local and the global communities on the Internet has been slow and their enforcement questionable.  Many organizations and activists are needling legislatures in many countries to enact and enforce protective measures.  Government regulation comes at a cost to taxpayers and the key to enforcement will depend on the extent of the penalties and the ability to make violating concerns pay across sovereign borders.  The idea of self-regulation is appealing especially in light of the protections afforded consumers in the U.S. where many companies have posted consumer privacy rights and policies on their websites.

 

Conclusion

As one can see, there are many issues still to be worked out in order to guarantee a user’s privacy on the Internet. Even when laws are in place (both locally and globally), ethical issues regarding private information will remain. The good news is that the Internet and the laws surrounding it are in their infancy and will continue to improve. It will take a concerted effort between consumers, companies and governments to ensure a safe and private environment.

 



[1] Case No 01-2000, United States Court of Appeals for the First Circuit, 274 F.3d 577; 2001 U.S. App. LEXIS 26781

[2] 18 USCS Sec 1030 (2002), LEXIS Publishing

[3] http://www.privacyalliance.org/

[4] CASE NO C00-1964C, United States Court for the Western District of Washington, Seattle Division, 165 F. Supp. 2d 1153; 2001 U.S. Dist. LEXIS 17503

[5] CASE NO CV 00-123RT (RCx), United States District Court for the Central District of California, 138 F. Supp. 2d 1272; 2001 U.S. Dist. LEXIS 5828

[6] http://www.privacyfoundation.org/privacywatch/report.asp?id=50&action=0

[7] http://www.privacyfoundation.org/privacywatch/report.asp?id=50&action=0

[8] http://www.ioma.com/ezines/archives.php?eissueid=84&ezineid=4

[9] http://www.issa.org/

[10] http://epic.org/privacy/internet

[11] http://www.basesoft.com/

[12] http://www.computerprivacy.org/

[13] http://www.netatty.com/privacy/privacy.html

[14] http://www.gilc.org/privacy/survey/exec.summary.html

[15] http://www.techlawjournal.com/cong106/privacy/default.htm

[16] http://www.gilc.org/privacy/survey/exec.summary.html