Technology Law Column

This page has been speech-enabled for Macintosh owners using the Talker Netscape Plug-in. Hit Escape to discontinue speech.

Published in the Chicago Daily Law Bulletin, November 9, 1995 at p. 6.


Task Force Develops Privacy Principles

Copyright 1995 by David Loundy

Growth in the "Information Infrastructure" is producing a growth in concern over personal privacy. With the increasing use of computer technology comes an increasing ability to gather, store, match and retrieve personal information.

Some of this is information people would like to keep private. Some of the information is not sensitive in and of itself, but can lead to detailed, potentially intrusive, and uncontrollable profiles when many individual pieces of information are collected into a coherent picture.

Privacy on the National Information Infrastructure (NII) (which encompasses the Internet, cable, television, and telephones) is enough of a concern that the U.S. Department of Commerce formed the Information Infrastructure Task Force Privacy Working Group (the "Privacy Working Group") to look at how certain information about NII users should be protected. At the end of October, the Privacy Working Group released a "White Paper" entitled "PRIVACY AND THE NII: Safeguarding Telecommunications-Related Personal Information" (available over the Internet at gopher://www.ntia.doc.gov:70/00/policy/privwhitepaper.txt).

This report is concerned largely with only a subset of information, specifically Telecommunications-Related Personal Information (TRPI). TRPI refers to information such as: to whom you have made phone calls, when, and for how long, but does not include the contents of the call. It would include what movies you request by pay-per-view cable. It would also include the "header" information from an e-mail message, but not the message itself. In some cases, as the Privacy Working Group points out, the distinction between transactional and actual content information may be meaningless-- if you know the title of the movie watched on cable, you may already have a fairly good idea about its content.

The Privacy Working Group report points out that, without a certain level of protection, people will not want to use the NII, and thus the communications networks will not advance, bringing all of the wonders we have been promised that they will bring. The report also points out that, while protections exist for some types of transactional data, often the level of protection is either inadequate, nonexistent, or does not apply uniformly to all types of service providers-- even when the services provided are essentially the same.

For example, federal law protects access to lists of what movies you have rented (18 U.S.C. ¤2710), but arguably this protection does not extend to movies ordered by wireless cable, direct broadcast satellite, or perhaps by any Internet delivery mechanisms which may be developed in the future. Unequal privacy obligations may also put one type of service provider at a competitive disadvantage compared to another competitor providing a similar service, but employing a different medium.

Another limitation is that the Privacy Working Group report addresses only private sector collections of information. This is a significant limitation, especially in light of the perception that more people fear privacy invasions by the government much more than they fear privacy invasions by the private sector.

The Privacy Working Group report states that there are two principles which should be employed when examining privacy protection on the National Information Infrastructure. Using these principles, discussed below, voluntary industry compliance should be solicited, and only if that fails should legislation be passed which establishes at least a minimum level of privacy protection.

The first principle is "provider notice." This principle states that each service provider should inform its customers about what TRPI is being collected and for what purposes that information will be used. Once this disclosure is made, the provider could use this customer information in any way already disclosed, and the customer can either accept the degree of disclosure, or do business with a provider who will ensure a greater level of privacy.

For the notice to be adequate, the Privacy Working Group found that the notice should (i) be conspicuous, (ii) be in language the particular consumer can understand, and (iii) provide sufficient information to allow the consumer to decide whether or not to accept service under the given terms. Any notice by a provider should also clearly instruct the customer that a choice about his or her privacy is required, and it should allow the customer time to respond before the customer's information is used for a purpose other than any use which may be required to provide service.

The second principle is "customer consent." This principle states, in order for a provider to use sensitive information, explicit customer consent should first be required from the customer. Any consent requirement, and any provisions as to how this consent is to be given, should depend on the type of TRPI at issue.

For sensitive information, such as health care and financial information, authorization to use the information should be obtained before the information is used-- an "opt in" approach. For less sensitive information, the customer should be given notice that the information will be used unless the consumer takes active steps to prevent its use-- an "opt out" approach.

By using these two methods, the Privacy Working Group believes that industry will allow consumers greater protection for their most sensitive information, yet it will also keep transaction costs lower for NII providers. The Privacy Working Group said that by encouraging industry to employ the notice and consent principles, market forces will see that consumer's privacy needs are met. Further, this will happen with a minimum of government intervention while providing a maximum of flexibility for service providers, which, in turn, will promote the growth of the NII. The Privacy Working Group refers to this as its "contractual approach" to privacy protection.

While the Privacy Working Group's principles would provide a good minimum level of protection, even the Privacy Working Group itself acknowledges that this approach may not ultimately work. This voluntary approach assumes that the marketplace will be sufficiently competitive to allow customers to chose an alternative provider, an option that may not be readily available in the current market for services such as video and local telephone service.

The contractual approach would also break down when privacy is available to NII users only at a premium, thus excluding poor and low income consumers. For these reasons, the Privacy Working Group suggests that, if industry will not comply with its two privacy principles voluntarily, then the principles should be imposed on the service providers through legislation. Unfortunately, by making the notice and consent minimums voluntary, consumers will know only that their privacy rights have been violated once it is too late.

The Privacy Working Group report even cites examples of companies not following their own privacy protection guidelines. Merely asking for compliance in developing privacy policies-- when most customers will not even be able to tell who has violated such policies-- does not provide enough protection. It is also important that other privacy concerns be addressed which were not discussed in the Privacy Working Group white paper.

The Privacy Working Group's principles are good ones, but they may not carry enough bite, and they must be applied to more than just private companies if users are to feel their privacy is protected when transacting business and communicating over the NII.


[Technology Law] [E-Law Web Page]