Privacy Rules


Washington - The burgeoning News Corp. phone-hacking scandal has shined a spotlight on the issue of privacy in recent days.
For cable operators, programmers and advertisers, though, the issue has long been under the klieg lights, thanks to an inescapable recognition that we - and our kids - are living in the online space these days.

Privacy legislation has been kicking around Washington for almost a decade, generally caught in the ideological gap between Democrats' desire for government involvement and Republicans' defense of free-market forces. That was before broadband became the buzzword on every policy­maker's lips and revelations piled up about how cutting-edge technology was slicing into privacy rights.

There has never been as much activity on the privacy policy front in the nation's capital as there is today. A raft of bills have been introduced in the House and Senate, with more on the way; the Justice Department and Federal Trade Commission are conducting investigations; and a pair of advisory reports are due from the FTC and the Obama administration, by way of the Commerce Department.

Multichannel News cover story image for the August 1, 2011 edition

All of these efforts seek to provide citizens with basic protections from hackers, thieves and unwanted marketers. The subject of security is also under serious study and scrutiny by corporations, think tanks and legislators. Service providers, online advertisers and marketers - whose digital sales tools peer ever deeper into consumers' lives by recording channel choices and keystrokes - have a lot at stake in how the government chooses to bulk up online privacy protections.
The biggest momentum among privacy protectors in Washington is for some kind of online do-not-track mechanism, protections against sharing of sensitive personal information, and safeguards for kids online as social networks replace geographical proximity in the new definition of neighborhood. One of the biggest pushes is for an online privacy "bill of rights," enforceable either by industry or by the FTC.
Just last week, there were new hearings on government cyber-security that raised issues about government tracking of iPhone users, and on child-pornography legislation that includes data-retention requirements that could require ISPs to retain online customer ID information for up to a year and make that available to law enforcement.
Individuals of all political stripes are concerned about how information is being collected and shared when they hit the Internet to talk to friends, rent a movie, buy a book, or play a game. If the stories about data breaches and information collection are any indication, they have good reason to feel that way.
Collection Malfunctions
Contributing to the push for new privacy legislation have been revelations about how insecure consumer data seems to be, or how little people know about how it is being used.
• At a Capitol Hill hearing, Rep. Mary Bono Mack
(R-Calif.) called the breaches of Sony's PlayStation Network online-gaming platform and Sony Online Entertainment websites earlier this year - which affected some 100 million consumers - "ground zero" in the war to protect online information. She criticized the company for not having more robust protections in place and for taking too long to tell consumers about a breach revealed in April of this year, involved the hacking of account information-names, addresses, e-mail addresses, possibility billing addresses and purchase histories - from tens of millions of PSN users.
• Google, whose stated aim is to collect and organize all the world's information, generated plenty of concern from the Hill and the headlines after it told key congressmen in a letter released June 11 that it had mistakenly collected payload data, including potentially personal information, from unencrypted Wi-Fi networks. But Google said it believed that action was not illegal, which only added an exclamation point for to calls for legislation to clear such issues up.
Just last week, CNET reported that Google had not only collected data from access points like wireless routers, but from "millions" of client devices, including phones and laptops.
In addition, the FTC has confirmed it is investigating Google's search features and ad-ranking technology.
• Apple added to the location-tracking concerns after reports that its iOS mobile operating system, which
powers iPhones and iPads, as well as Google's Android mobile operating system, have been collecting and
storing unsecured personal location data. Apple said it had a fix for the problem. Apple said it was not sharing any consumer location information from iPhones or iPads with service provider AT&T, with which it had an exclusive deal at that time, or with other telecommunications carriers. Apple said it does not include any personally identifying
information linking it to a particular device or user.

The Commerce Department, Federal Trade Commission and Democratic legislators are in sync when it comes to giving Web surfers more control over who can follow their online movements and why, or what the FTC calls "privacy by design."
Virtually all of the do-not-track proposals include a carve-out for transactional information, like the names and addresses that speed online purchases, but beyond that, the trick becomes how to allow surfers to opt out of data sharing (or not opt in) without kneecapping the targeted advertising that supports all of that free online content.
• The FTC is preparing a final report on its recommendations for an industry-driven do-not-track regime. It released a preliminary report last fall recommending a voluntary, browser-based system. It has not weighed in on whether do-not-track should be mandated by law, as some legislators have proposed.
It is not proposing a database system like its do-not-call registry, but a flexible approach. It also wants more authority to oversee a self-regulatory regime.
• On the legislative front, Sen. Jay Rockefeller (D-W. Va.) has introduced a bill that would create a do-not-track mechanism for online information and give the FTC authority to enforce consumer preferences for what online surfing information is not tracked.
Violators, whom the FTC would pursue under its unfair and deceptive practices authority, could be fined up to $16,000 a day, to a total of $15 million per violation.
The bill charges the FTC with establishing standards within a year for a mechanism allowing Web surfers to "simply and easily" indicate to providers (including providers of mobile apps and services) if they want their information tracked. The other would "prohibit providers from collecting personal information from those individuals who have expressed such a preference."
Both are necessary because of reports that some trackers are not taking "no" for an answer.
• Rep. Ed Markey (D-Mass.) teamed with Rep. Joe Barton (R-Tex.) to circulate a "do-not-track kids" bill that would make it illegal to use personal info from teens or kids for targeted marketing. It would also give parents an "eraser button" by requiring companies to permit users to eliminate publicly available personal information content when "technologically feasible."
qIn June, bipartisan bills were introduced in the House and Senate that, among other things, would prevent geolocation service providers from sharing that information with third parties without users' consent and would create criminal penalties similar to those for wiretapping. The bills were partly a reaction to criticism of Apple for its location-based data-collection policies, which were subsequently modified.

But it's not just Markey and Barton who are worried about kids.
A June Consumer Reports survey found that 20 million minors actively use Facebook, with more than 7 million of those users under 13, having bypassed the site's 13-and-older age requirement.
With more than 5 million of those kids under 10 and with accounts largely "unsupervised" by parents, according to CR, it is no wonder that many in Washington have made a priority of figuring out how they are communicated to online.
The FTC is working on recommended revisions to the Children's Online Privacy Protection Act of 1998 (COPPA). Those could include boosting online privacy protections for teens. The law currently only applies to those 12 and under.
• Two weeks ago, a group of privacy and child advocates led by the Center for Digital Democracy called on the administration to make sure that Commerce White Paper said they want the administration to recommend passage of new legislation that "protects adolescent privacy." They also want the FTC to strengthen COPPA by applying its privacy protections to mobile devices, online gaming sites and other platforms not addressed in the 1998 law.
• The FTC has collected information for a food-
marketing expenditure study that, according to one online privacy advocate, for the first time asked food companies for details on their digital marketing plans. Those answers could have privacy implications, depending on how those firms planned to market to kids.

There are growing calls, including from the Obama Administration, for a general set of principles establishing the parameters for a right to online privacy.
• The Commerce Department plans by the end of the year, if not sooner, to release its white paper recommendations on privacy. Unlike the FTC, it recommended in its working paper on the report that legislation was likely needed to establish "a clearer set of rules for the road." Commerce Department general counsel Cameron Kerry has been instrumental in that privacy advisory effort, and his brother, Sen. John Kerry (D-Mass.) has introduced a bill that would provide those guidelines.
• Sens. Kerry and John McCain (R-Ariz.) in April introduced a bill that would include a combination opt-out/opt-in regime for the use of online surfers' information, opt-out for information used in behavioral targeted marketing, opt-in for sharing sensitive personal data or changes in privacy policies. The goal is to come up with enforceable voluntary privacy codes of conduct, with the FTC overseeing compliance.
At a privacy roundtable discussion he hosted two weeks ago, Richard Boucher, the former Democratic chairman of the House Communications Subcommittee, said he thought the Kerry-McCain bill had a "critical nexus of opportunity to become law this Congress."
qBoucher teamed with Rep. Cliff Stearns (R-Fla.) eight years ago to introduce what Boucher has called the first bill of defined privacy rights for Internet users. The issue is now "front and center" in Congress after that long period of gestation, Boucher said.
Boucher and Stearns reintroduced that bill in the last Congress, and Stearns has teamed in this Congress with Rep. Jim Matheson (D-Utah) to introduce it yet again. It would, among other things, require companies to establish protection policies for "collection, sale, disclosure for consideration, or use of the consumer's information," and such policies be easily available to consumers. It would not give the FTC as much power to oversee that self-regulatory regime as would the Kerry-McCain bill.

Data security is a separate but related issue. While privacy is about the rules for protecting when and how people share information, data security is about preventing and pursuing those who violate information safeguards.
About half a billion records have been breached since 2005, according to the Privacy Rights Clearinghouse, with tens of millions of those breaches occurring in 2011.
The House Commerce Subcommittee two weeks ago marked up the Secure and Fortify Electronic Data (SAFE) Act. That would require companies to notify affected customers and the federal law-enforcement officials of any breach of personal information. If the breach an Internet-service provider, it would be responsible for the notification and for preventing further occurrences. The FTC would be charged with developing data-security regulations requiring companies to come up with safeguards. Violators could be fined up to $5 million for failing to do so, and another $5 million for security breaches.
The bill now heads to full committee, where there is likely to be some wrangling over which types of personally identifiable information should get extra protection. Republicans generally want a narrower definition of personal information, while Democrats say its definition should include such items as e-mail messages, photos and videos uploaded to such social-networking sites as Facebook, as well as information aggregated by data brokers.
Virtually all parties, except for the hackers, agree that there need to be uniform data protection standards that supersede a "patchwork" of state laws, but Democrats want strong FTC oversight if those state laws are to be superseded