Privacy Concerns in the Digital Era


Advocating for more security from our government:

Privacy Concerns in the Digital Era by Daniel Corotti Kanya

 

Executive Summary

As I was writing my last paper about Snapchat and the rise of ephemeral social network sites, a dilemma concerning information privacy arose. This dilemma was created when a third-party app that allowed users to save Snapchat pictures without the company’s permission suffered a leak of several thousand snaps. Massive damage to personal privacy took place, as nude images of both adults and minors were leaked over the internet. Meanwhile, Snapchat was fined and no amends were made to the citizens.

I divide this white paper into three parts – society, business, and government – in order to show the reader the existing problems at each level. The solutions that I propose are the following:

Society: The gap between children's and parents' use of technology has to stop growing. Parents are more aware of the dangers of the Internet and should therefore strive to educate their children, who are more innocent-minded and naïve. Schools should also educate students about the dangers of the Internet and the issues it poses for their privacy. Both of these measures should be adopted nationwide, as they concern the whole nation.

Business: Social networking sites have to put greater emphasis on exploring different technological solutions to better protect their users. Facebook’s measure of overhauling its privacy settings to give tighter control to its users is not even close to being enough. Businesses should be aware that consumers are kings and thus it is bad marketing to steal their information. Unless they take further measures, repercussions will come, and those companies that have not taken early measures will suffer the most.

Government: The legal solutions to privacy issues are simply unacceptable. The fact that there is no nationwide law which addresses individuals’ privacy is shocking, especially considering that the U.S. is supposed to be a leading nation. Just as the EU has a law that applies to the whole continent, so should the US create and federalize its own privacy law. In addition, there needs to be a specific authoritative organization in charge of enforcing the privacy of citizens and corporations, which takes me to my next point. A fine of $100 to $1,000 for a privacy violation might as well be $0. In order to be taken seriously, fines need to increase exponentially.

Table of Contents

Executive Summary

Privacy: A brief history

Privacy in Society

Privacy in Business

Privacy in Government

        Overview

        Data Protection Authority

        Internal Controls

        Data Forms

        Consequences of breaches

        Marketing oriented privacy laws

 

 

Privacy: A brief history

 

Although it is hard to pinpoint the conception of the term privacy, it is thought to date back to the tribal societies (200,000 to 6,000 B.C.). In these societies, privacy took the shape of sexual privacy, since there were no other realms in which privacy affected the everyday life of people – as they lived together for survival purposes. At this point in time, privacy seems to have been an instinctive aspect of everyday life, as people preferred to have sex outdoors, away from the presence of the rest of their community. However, due to the need for survival, privacy was usually treated as a secondary necessity in these days[1].

This situation changed as societies became more developed and increasingly educated in the art of construction. Between the 6th and 4th centuries AD, Greeks started using complex geometry to build housing that limited public exposure of the private life of their citizens while maximizing the available light. However, a desire to showcase wealth, reputation, and honor has endangered privacy from those days all the way to today, as we shall see when we talk about social networks. In Greece, this desire materialized in the gentry turning their houses into public museums in order to exhibit their wealth, even though this meant that their homes, lives, and secrets would be vulnerable and accessible to others[2].

The concept of privacy as we know it today emerged during the early Middle Ages (4th century – 1,200 AD). This modern concept of privacy is centered around seclusion, and evolved from the early Christian belief that morality involved not only our actions, but also our intents. Under these beliefs, the most faithful removed themselves from the agitation of civilization to focus on cleansing themselves of their inner demons. By the late Middle Ages and the beginning of the Renaissance, “moral governance had shifted inward, to a private space that no longer had anything to do with the community” (Peter Loy). This went hand in hand with the invention of the printing press, which created a shift from communal, public readings to private, individualized readings[3].

This shift towards individualism intensified in other realms of life as the pre-industrial revolution (1600-1840) came around. This was especially true among the wealthier sectors of society, who would increasingly have private rooms in which to meditate and write. It is with this increase in writing letters to family and acquaintances that the first privacy law in the United States came around: the 1710 Post Office Act, which banned officers from screening through mail. In addition to this act, we can see the growing concern for privacy exemplified in the words of John Adams, who stated: “I am under no moral or other Obligation…to publish to the World how much my Expenses or my Incomes amount to yearly”[4].


 

Privacy in society

However, the rise of privacy was eclipsed by the explosion of information technology. From the postcard, to the telephone, to the Internet, Americans have incessantly chosen whichever technology was either cheaper or more convenient, thus positioning privacy as a secondary concern. In spite of that, I believe that in reality individuals do not have much of a choice. When a new technology comes into play, it is first the wealthier sector that has access to it (Chart 1). This sector is more educated and with time understands the dangers it poses and adapts its behavior in a way that minimizes the privacy concerns (Chart 2). Consequently, technologies take time to reach the mass of the population. Yet, when they do reach it, most citizens still lack the necessary technological knowledge to understand the dangers the technology poses to their privacy and go on using it due to convenience. This is true for all technologies, from postcards, to phones, social networks, etc. It is only at this point that a wide movement for privacy rights takes place and policies are enacted[5]. I think we have reached this moment.

Today, there are 7.4 billion people in the world, out of which 3.4 billion are internet users. In addition, 31 percent of the world are active social media users and 51 percent use a mobile phone. This is not to say that usage has reached its peak. In fact, it is still growing rapidly. In the year 2015, 332 million people became active users of the internet and 283 million people started using mobile social network sites. In the U.S. alone, 75 percent of the population uses social networking sites, 98 percent of which are young adults. However, as can be seen in my paper 2 about Snapchat, the growth is now becoming more steady, especially in Facebook users (Charts 3-6). In fact, there has been a decline in people using Facebook in the U.S. The reason why Facebook has experienced a decline in active users is a generational shift in its usage; while older people have increased their usage, younger people have decreased it. Thus, the question arises of where this younger market went and whether the reason they left can explain why many remained on Facebook. The answer to this question is rooted in privacy beliefs.

On the one hand, as we can see from the rise of Snapchat and other ephemeral media sites, an increasing number of young adults have shifted to these types of sites. The reason for this shift is that traditional social media sites have become overcrowded and thus more public. This increase in the use of Facebook by older generations has led younger users to seek a more personal and private way to live their online life. Young adults, for example, have increasingly felt the threat of their parents, employers, and others monitoring their profiles.

On the other hand, we have those who did not care about this generational shift and never felt their privacy affected in this way. The study of the Pew Research Center tells us that only 9 percent of teens are “very” concerned about their privacy[6] and that 60 percent set their Facebook profiles to private. Out of these people, more than half (56%) report that it is not “difficult at all” to keep their profiles unavailable to the rest of the Internet and say they are proactive about their privacy. Considering the amount of data mining that continuously takes place in social networks, it is evident that their assumption is not true.

What both groups have in common is their realization that with the increase of e-commerce linked to social media sites come new privacy concerns. This becomes evident, as 98 percent of internet users have reported being afraid of online hackers stealing their identities and causing financial damage. In fact, it is thought that more than 9 billion dollars will be lost to payment card fraud in which the card is not physically used in the purchase of goods[7]. This raises the question of whether users should be proactive about their e-commerce behavior or whether somebody else, such as businesses or the government, should be responsible for protecting their interests. The answer is straightforward: citizens should not have to deal with breaches of their privacy without their permission. However, as we shall see next, government agencies and companies have gone in a completely different direction for a variety of purposes[8].


Privacy in Business

The increase in Internet usage by the population that we talked about previously created an opportunity for innovative businessmen, who realized that the Internet can provide businesses with unlimited information to be used to improve their services for their consumers and optimize their business strategies. However, in order to get hold of this data, they have to breach the online privacy of consumers. Through Facebook, for example, different companies collect “static private information” such as age, ethnicity, gender, name, affiliations, hobbies, etc. In addition, they collect “dynamic personal information,” such as which pages you’ve liked, what products you’ve viewed, your online social network… (Huaiqing, Wang). This breach of privacy is so significant that it is not even limited to the more well-known junk mail or web cookies. Rather, it consists of a wide variety of marketing activities that are essential for companies, especially for those who sell consumer databases for direct marketing purposes! In addition to these two breaches of privacy, as we can see in the following table[9], there is a wide variety of Internet marketing activities that present privacy issues.

[Table: Internet marketing activities that present privacy issues]

In this table, we are able to see that, as soon as our information is out on the Internet, companies have explicitly admitted to accessing it, collecting it, monitoring it, analyzing it, and transferring it improperly. After this process is completed, they use that information however they want. As Bloomberg research points out, they use it to create a more personalized and pleasurable experience; to customize promotions and special offers; to improve their products and services; to identify new product/service opportunities; to improve customer service and support; to build better pricing models; to identify new customers; to spot additional revenue in existing customers; and overall, to reduce the time spent on marketing[10].

In order to truly understand the situation, it is important to look at some examples of firms that have explicitly admitted to partaking in this behavior. Facebook, for example, purchased data in 2012 on 70 million households from a data mining company called Data Logix, and now knows what we’re buying. In addition, Facebook likes reveal personality traits, and it is scary how accurate they are (check youarewhatyoulike.com). Twitter, on the other hand, is allowing advertising company WPP to analyze real-time consumer behavior. On another note, some department stores such as Nordstrom use your smartphone’s Wi-Fi to track your heatmap and learn about your behavior in the store. Finally, and known for this, Amazon uses cookie tracking to watch what you look at online (CNN)[11].

These are just some of the ways in which companies are using Big Data today. However, if we look at the prospects of data mining, the picture is quite unsettling. To truly grasp how much companies will be using this kind of information, one just has to look at the forecasted revenue of Big Data in 2020, which is expected to be 56 billion dollars that year[12]. In addition, according to a McKinsey study, 65 percent of executives say that big data is a priority in their firms[13]. Moreover, an increasing number of reports are coming out advocating the many benefits of Big Data, such as the Forbes article The Potential of Big Data. This article highlights that Big Data works, that companies felt they were exceeding their goals when using it, that executives felt they were using Big Data enough when they weren’t, and that systems that generate data quickly and can account for changing consumer behavior will be essential in the coming future[14]. As we are able to see from these examples, Big Data is here to stay: companies have found many incentives to compile this data, even if acquiring it means infringing the privacy of citizens, since there is a lack of regulation and policies that address and limit this behavior.


Privacy in Government

Overall

This lack of regulations, policies, and implementing mechanisms is obvious as soon as we take a look at the U.S legal framework that deals with privacy. In order to do this, we will take a look at the Data Protection & Privacy report issued in 2014 and expand on it with other sources.

In this report, we are able to see the legal framework set around privacy in 26 jurisdictions worldwide, and the first thing that catches our attention is the fact that the U.S. does not have a dedicated data protection law such as the one that the EU has. This division in the approaches taken towards securing personal information originated with the 1973 report titled Computers and the Right of Citizens, written by the US Department of Health, Education, and Welfare (HEW). It argued for 5 main practices: banning secret databases of personal information, mandating access to data about oneself, forbidding use of personal data without consent for purposes other than those it was collected for, requiring a way to correct information about oneself, and imposing a duty to protect personal data from abuse or misuse[15].

This report was used in different ways in Europe and in the US. In Europe, the OECD and the RAPPD laid the foundations of data privacy by arguing that all personal data should be protected by default and by providing the legal field with several significant terms, such as the concepts of data subject[16] and data controller[17]. The US used the HEW report as well, which recommended a Code of Fair Information Practices (FIPs)[18], and came up with the Privacy Act of 1974. However, this law changed a main aspect of the HEW recommendations. Even though the recommendations envisioned a law that applied to “all automated personal data systems”[19], the final version of the US legislation limited it to federal agency databases[20]. This way the protection of PII (personally identifiable information) takes the form of a patchwork. In other words, the US does not have a dedicated data protection law; rather, privacy is regulated by industry on a sector-by-sector basis. This limitation was a major victory for lobbyists representing commercial interests and showcases a fact that is, sadly, quite well known by now in the US: “interests other than those of the individual have tended to prevail in U.S privacy legislation, specifically the interests of commerce and those of state security agencies committed to a ‘collect everything’[21] approach to electronic surveillance”[22].

Data protection authority

In addition, there is no single regulatory authority dedicated to overseeing data protection law in the US – since there is no law in the first place. Rather, depending on the matter being observed, different regulatory authorities are responsible for overseeing it. In the finance industry, regulators are in charge of imposing the standards of the Gramm-Leach-Bliley Act (GLBA – since everything in law is abbreviated). In the healthcare industry, the Department of Health and Human Services is responsible for the industry behaving in accordance with the Health Insurance Portability and Accountability Act of 1996.[23]

Internal Controls

In the US, the appointment of a data protection officer is not mandatory; yet, some organizations choose to appoint a Chief Privacy Officer. Despite this, the role is limited, as its responsibilities lie with the company rather than with the good behavior of the firm. Of a similar nature is the norm of record keeping in these companies, as there are no legal requirements to maintain records or document data handling.

 

Data forms

As the US does not have an overarching law dedicated to data protection, as mentioned in the overview, it does not have a broad definition of the concept of data either. While in some contexts information can mean an individual’s name, SSN, driver’s license, and financial account number, in other contexts it can apply only to electronic information or to just about any other medium[24].

Consequences of breaches

If any breaches of data protection take place in any of the states, the punishments are civil rather than criminal. There are only two known exceptions to this norm: a violation of the Electronic Communications Privacy Act or a violation of the Computer Fraud and Abuse Act. Both of these violations can lead to criminal prosecutions, as can serious HIPAA violations, since they are considered under the category of surveillance activities or computer crimes[25]. If individuals are affected by breaches of the law, they are entitled to monetary damages. The amount of the compensation depends on the specific situation of the individual and can range from $100 to $1,000 per violation, plus punitive damages, attorneys’ fees, and court costs. All of these violations are analyzed by the judicial system.

Marketing oriented privacy laws

There are not many laws that are specific to electronic marketing, and those that exist are specific to a particular marketing channel. For example, commercial email is regulated by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003; and telemarketing, text messaging and fax marketing are regulated by the Telephone Consumer Protection Act of 1991, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Federal Communications Commission[26].

Other privacy laws

There are other federal and state laws that address privacy concerns. These regulations focus on consumer report information (Fair Credit Reporting Act and Fair and Accurate Credit Transactions Act); children’s information (Children’s Online Privacy Protection Act); driver’s information (Driver’s Privacy Protection Act); video rental records (Driver’s Privacy Protection Act); and federal government activities (Privacy Act 1974)[27].

Data Holding

In the US, there is no law that limits the retention of data or that questions the legitimacy of holding it, nor are there different rules for data of a sensitive nature. Nonetheless, there are some laws that indirectly address certain types of information. For example, any organization that holds certain information about individuals – SSN, driver’s license, financial account numbers – is required to issue a notification if this data is accessed by an unauthorized entity. Also, consumer report information that concerns the creditworthiness and standing of consumers is protected by the FCRA, which limits the reasons for which this information may be shared, and by consumer reporting agencies that verify the reasons for any report requests. In addition, the FCRA restricts the inclusion of certain public records in background screening reports when performed by consumer reporting agencies. Besides this, HIPAA deals with health information protection, COPPA with children’s information, and numerous laws impose obligations with respect to SSNs.

Responsibilities towards citizens

Once again, there is no broad law that applies to the whole U.S. territory; however, there are some laws that apply to certain circumstances and states. In California, for example, the California Online Privacy Protection Act requires organizations to let individuals know when their information is being collected online and in mobile contexts. In the financial industry, the GLB requires providing “an initial notice to customers by the time the customer relationship is established.” With respect to children under 13, the Children’s Online Privacy Protection Rule orders website operators and online service providers to provide a report to the parents, describing the information, its handling, and its sharing. In addition, HIPAA requires entities to provide individuals with a notice of the company’s privacy practices and the individual’s rights[28].

Individual’s rights to access information

First of all, there is no general law that grants US citizens a right to access the personal information about them that is held by an organization. However, there are some specific laws that address this concern. According to HIPAA, for example, an individual has the right to access his own Personal Health Information, unless the organization has a valid reason for denying the access. Also, COPPA allows parents to obtain access to any personal information that was collected from their children.


 

Conclusion

Throughout this paper, we have witnessed many of the problems that privacy poses in all realms of our world. We are able to see how powerless our citizens are when trying to have privacy. In addition, we are able to see companies that are self-regulated and that decide how to treat our information based on how much surplus they can make out of us. However, the guiltiest party in this whole analysis is without a doubt the government. In the U.S., legislation has failed to keep up with technological advances. Considering the exorbitant percentage of the population that uses the Internet and spends an enormous amount of time on it, data information privacy is as much a right as any other. It is obvious that privacy laws will change; there simply is no other alternative. The question is how much personal damage citizens have to experience before the legislation catches up.

Thank you for reading!!

Charts

 

Chart 1: Global Web Index

Chart 2: Global Web Index

Chart 3: Global Web Index

Chart 4: Global Web Index

Chart 5: Global Web Index

Chart 6: Global Web Index

 

 

[1] Ferenstein: The Birth and Death of Privacy.

[2] Ferenstein: The Birth and Death of Privacy.

[3] Ferenstein: The Birth and Death of Privacy.

[4] Ferenstein: The Birth and Death of Privacy.

[5] Ferenstein: The Birth and Death of Privacy.

[6] Madden, Mary; Lenhart, Amanda, Teens, Social Media, and Privacy. Pew Research Center.

[7] Dredge, Stuart, Americans fear hackers more than the government over online privacy. The Guardian.

[8] Barnes, Susan, A privacy paradox: Social networking in the United States, Volume 11, Num 9-4, First Monday.

[9] WEB: http://delivery.acm.org/10.1145/280000/272299/p63-wang.pdf?ip=134.82.184.229&id=272299&acc=ACTIVE%20SERVICE&key=A792924B58C015C1%2EA39995AE0586E3B7%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35&CFID=783666080&CFTOKEN=40907324&__acm__=1462917302_77d6e20d1a4f8c153006fcfb7c7f6cdb pp 65 (unable to access again for some reason)

[10] Bloomberg Businessweek: Turning Big Data into Big revenues. Pp2.

[11] Broderisk, Ryan; Grinzberg, Emanuella, 10 Ways you give up Data without knowing it.

[12] Statista. Big Data Market Size Revenue Forecast Worldwide.

[13] Bloomberg Businessweek: Turning Big Data into Big revenues. Pp2.

[14] Forbes Insights, The Big Data Potential of Big Data pp 4.

[15] Ware, W. H. (1973) Records, Computers, and the Rights of Citizens, RAND. Available at https://www.rand.org/content/dam/rand/pubs/papers/2008/P5077.pdf (accessed 11 May, 2016).

[16] Key definitions of the Data Protection Act https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

[17] 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ Official Journal of the EC, 23(6).

[18] Waldo, J., Lin, H. and Millett, L.I. (2007) Engaging privacy and information technology in a digital age. Washington, DC, USA: National Academies Press.

[19] Ware, W. H. (1973) Records, Computers, and the Rights of Citizens, RAND. Available at https://www.rand.org/content/dam/rand/pubs/papers/2008/P5077.pdf (accessed 29 November, 2015).

[20] Regan, P.M. (1984) ‘Personal information policies in the United States and Britain: The dilemma of implementation considerations’ Journal of Public Policy, 4(01): 19-38.

[21] Robinson, J. (2014) ‘The Snowden Disconnect: When the Ends Justify the Means’ SSRN. Available at: http://dx.doi.org/10.2139/ssrn.2427412 (accessed 13 December 2015).

[22] Cobb, Stephen, Data Privacy and data protection: US law and legislation Pp 2.

[23] Hunton&Williams LLP: Data Protection&Privacy 2014.

[24] Hunton&Williams LLP: Data Protection&Privacy 2014.

[25] Hunton&Williams LLP: Data Protection&Privacy 2014.

[26] Hunton&Williams LLP: Data Protection&Privacy 2014.

[27] Hunton&Williams LLP: Data Protection&Privacy 2014.

 

[28] Hunton&Williams LLP: Data Protection&Privacy 2014.
