<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
>

<channel>
	<title>The Security Catalyst&#187; Aaron Titus</title>
	<atom:link href="http://www.securitycatalyst.com/author/aaron-titus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>Michael Santarcangelo delivers Awareness that Works™</description>
	<lastBuildDate>Tue, 06 Jul 2010 08:52:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
<!-- podcast_generator="Blubrry PowerPress/1.0.9" mode="advanced" entry="normal" -->
	<itunes:summary>Michael J. Santarcangelo, II is a human catalyst. An expert who speaks on information protection, including compliance, privacy and awareness, Michael energizes and inspires his audiences to change the way they protect information. His passion and approach gets results that change behaviors. 

As the voice of optimism in an industry of doomsayers, Michael has recently completed his first book, Into the Breach (www.intothebreach.com), which provides the wisdom and answers executives need to defend their organization against breaches while discovering how to increase revenue, protect the bottom line and efficiently manage people, information and risk.

In this podcast series, Michael shares ideas, research and strategies for your success. 
</itunes:summary>
	<itunes:author>Michael Santarcangelo | The Security Catalyst</itunes:author>
	<itunes:explicit>clean</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/tsc_icon.png" />
	<itunes:owner>
		<itunes:name>Michael Santarcangelo | The Security Catalyst</itunes:name>
		<itunes:email>michael@securitycatalyst.com</itunes:email>
	</itunes:owner>
	<managingEditor>michael@securitycatalyst.com (Michael Santarcangelo | The Security Catalyst)</managingEditor>
	<copyright>Copyright 2009 The Security Catalyst. All Rights Reserved. </copyright>
	<itunes:subtitle>A catalyst for engaging, empowering and enabling individuals; turn insiders into allies who reduce business risk!</itunes:subtitle>
	<itunes:keywords>security, risk, privacy, compliance, breach, awareness, training, catalyst, confidentiality, integrity, availability, cissp, cism, cisa, cpp</itunes:keywords>
	<image>
		<title>The Security Catalyst&#187; Aaron Titus</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
	<itunes:category text="Business">
		<itunes:category text="Management &amp; Marketing" />
	</itunes:category>
	<itunes:category text="Technology" />
	<itunes:category text="Education" />
		<item>
		<title>7 Reasons Why Your Company Needs a Privacy Policy</title>
		<link>http://www.securitycatalyst.com/7-reasons-why-your-company-needs-a-privacy-policy/</link>
		<comments>http://www.securitycatalyst.com/7-reasons-why-your-company-needs-a-privacy-policy/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 11:04:07 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Privacy Policies]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2667</guid>
		<description><![CDATA[Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2671" class="wp-caption alignright" style="width: 235px"><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/Old-Phone-Dial-375-x-500.jpg"><img class="size-medium wp-image-2671" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/Old-Phone-Dial-375-x-500-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Like Phones, Privacy Policies Should be Easy to Use, with a Complex Infrastructure</p></div>
<p>Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what normal people say in 300 and a handshake. At the risk of defending verbosity, it turns out that behind each handshake lies a wide range of non-standard assumptions. Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption: the meaning of a word, or silence on a particular issue. That’s why it takes lawyers so many words to say something so simple; simple things are more complex than we thought.</p>
<p>Consider the telephone—an elegant piece of equipment which is exceedingly easy to use. Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex. Consumers pay the telcos to worry about the millions of miles of copper and fiber, routers, substations and central offices. The infrastructure isn&#8217;t a “necessary evil,” it&#8217;s just necessary.</p>
<p><span id="more-2667"></span>Creative Commons is the legal equivalent of the telephone. While the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/">human-readable version</a> of the “Attribution Non-Commercial Share Alike” creative commons license consists of 5 images and 286 words, the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">legal version</a> contains <strong>3,384 words</strong>. Surely the work of a lawyer who needed to justify his existence, right?</p>
<p>Not so fast. The full license covers a range of essential topics that people don’t usually take time to think about.  These include media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, limitation on author’s liability, and termination, just to name a few. Creative Commons is simple on the surface, but the elegance is supported by a complex legal framework. Saying that the legalese version of a Creative Commons License is a “necessary evil” is incorrect and misses the point. It’s not evil at all; it’s just necessary.</p>
<h1>Privacy Policies: Not a &#8220;Necessary Evil,&#8221; Just Necessary</h1>
<p>Like telephony infrastructure and the Creative Commons licenses, Privacy Policies aren&#8217;t a &#8220;necessary evil,&#8221; they&#8217;re just a necessary part of running a business.  If your business has customers or employees, then you need to safeguard and use personal information.  Your business must develop privacy practices unique to your business.  Laws mandate that you protect personal information, but they do not usually establish privacy practices. That&#8217;s why you need a privacy policy.</p>
<p>Writing a privacy policy is a tall order because it must address the broad range of activities in which your company engages, and be as simple to use as a telephone.</p>
<p>Privacy policies should cover online as well as offline uses of personal information, because each use carries unique challenges.  As you establish Privacy Practices and your Privacy Policy, consider the following activities:</p>
<ul>
<li><strong>Goods and Services Activities</strong>: Does your privacy policy cover the information collected at point-of-sale, your iPhone app, online store, and through PayPal?  Does your software periodically send licensing, version, or other information to your centralized servers?  Do you collect or share purchase history, preferences, and demographic information with employees, other people, users, or other companies?</li>
<li><strong>Employer Activities</strong>: Does your company have employees?  How do you protect health, financial, employment, and personnel information?  What contractual and technical protections do you offer employees?  Where is the information stored, and do you have physical and legal control over the servers?</li>
<li><strong>Customer Feedback Activities</strong>: Does your company conduct surveys, or invite customers to &#8220;Contact Us?&#8221;  What might you do with that information?</li>
<li><strong>Financial Activities</strong>: Do you accept online payments? Do your retail outlets comply with all industry standards?  Do you store credit card information?</li>
<li><strong>Education Activities</strong>: Does your company sell education material, or conduct certifications?</li>
<li><strong>Social Networking Activities</strong>: Does your company have a corporate blog that accepts user comments?  Do you post to Twitter and YouTube?  Does your company have a Facebook page?  Do you gather aggregate usage information?  What information about your users, fans, commenters and online guests might you collect, and what inferences do you draw from the information?</li>
<li><strong>Network Provider Activities</strong>: Do you offer internet access to employees?  Do you monitor your network activity or restrict access to certain sites?  Do your employees understand what they should consider private and what is accessible to the company?</li>
<li><strong>Government Activities</strong>: Companies which accept government contracts may be required to comply with a wide range of requirements, including background checks and increased security.  What impact do these regulations have on your consumer and employee privacy policies?</li>
<li><strong>Healthcare Activities</strong>: Whether your company creates medical technology or devices, or merely provides healthcare insurance for employees, consider what types of information pass through your systems and how they are protected.</li>
<li><strong>Non-Networked Activities</strong>: Even if your company is a locally owned Mom-and-Pop restaurant, a mechanic, or a corner grocery store with no internet connectivity, what customer information do you collect and use? How do you store and safeguard your paper records?  Do you properly shred or destroy old records?</li>
</ul>
<p>You should cover each of these topics in a customer-facing Privacy Policy or an employee-facing Privacy Policy in your employee handbook.</p>
<h1>Beyond the Basics</h1>
<p>Once you&#8217;ve brainstormed the possible uses of personal information, you must be aware of some little-known US and EU regulations which can affect your privacy practices and policies.</p>
<p><strong><span style="text-decoration: underline;">Privacy in the Cloud</span></strong>. Cloud computing gives small companies instant access to Fortune-500 quality infrastructure at a fraction of the cost. Just like any sort of out-sourcing, Cloud computing may simplify your business model, but unless you&#8217;re careful, it may also seriously complicate your handle on intellectual property and personal information. You should determine what, if any, contractual obligations downstream service providers have to you.  Also consider that the service providers may be located in a jurisdiction which has additional privacy regulations.</p>
<p><strong><span style="text-decoration: underline;">State Laws</span></strong>. A few state laws give specific guidance on what you should include in your privacy policy.  For example, <strong>California law</strong> requires any company which collects personally identifying information over the Internet to conspicuously post a privacy policy.  The privacy policy must identify the categories of personal information collected, how consumers will be notified of changes, and how to update personal information.  <strong>Texas</strong> has similar requirements for any company which requires the disclosure of a social security number. <strong>Massachusetts</strong> requires encryption of personal information in certain circumstances.</p>
<p><strong><span style="text-decoration: underline;">Federal Law</span></strong>. The <strong>Children&#8217;s Online Privacy Protection Act (COPPA)</strong> puts stringent burdens on companies which knowingly collect personal information about children under 13.  In order to avoid COPPA liability, companies must take active steps to avoid collecting personal information from kids. This means, for example, that if you ask for your users&#8217; date of birth, you must deny access to those who indicate that they are under 13 years old.  Your company should have procedures for preventing users from signing up using a different birth year, if the company finds out they are under 13.</p>
<p><strong><span style="text-decoration: underline;">European Union</span></strong>. Unlike the United States, which has adopted narrow privacy regulations aimed at mitigating specific threats, the European Union regulates privacy on a much broader basis.  If your company transfers information from the EU to the United States, you must either comply with EU law or the <strong>EU &#8220;safe harbor&#8221; principles</strong>. The U.S. Commerce Department promulgates guidance on what to include in your privacy policy, to comply with the EU safe harbor provisions.</p>
<p><strong><span style="text-decoration: underline;">Copyright Law</span></strong>. Believe it or not, even copyright law can have an impact on privacy.  The <strong>Digital Millennium Copyright Act (DMCA)</strong> includes a takedown procedure which can require site owners and service providers to report information about infringers to copyright holders, under certain circumstances.  Even though the DMCA does not require companies to disclose their DMCA practices, it&#8217;s a good idea nonetheless.</p>
<p>This is by no means an exhaustive list of privacy statutes or regulations, but it should remind you that a privacy policy is more than just a formality.</p>
<h1>7 Reasons</h1>
<p>So to summarize, here are the 7 reasons you need a privacy policy:</p>
<ol>
<li>If you have customers or employees, you need to safeguard personal information.</li>
<li>Laws do not usually establish Privacy Practices.  Privacy Policies create Privacy Practices.</li>
<li>Privacy Policies are often required by law or regulation.</li>
<li>Your business faces privacy challenges which nobody else faces.</li>
<li>Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.</li>
<li>You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.</li>
<li>Your company has affirmative privacy obligations with respect to minors under 13 years old.</li>
</ol>
<h1>Take Charge</h1>
<p>As an executive, do these three things:</p>
<ol>
<li><strong>Read Your Privacy Policy</strong>.</li>
<li><strong>Brainstorm</strong>.  Using the list above, brainstorm all the activities and the types of personal information your company collects (whether personally identifiable or not), and identify the jurisdictions through which the information may flow.</li>
<li><strong>Evaluate and Update</strong>.  Evaluate your privacy policy and employee manual to make sure that they cover the range of possible privacy implications.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/7-reasons-why-your-company-needs-a-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Avoid a Legal 500 Error With Your Privacy Policy</title>
		<link>http://www.securitycatalyst.com/how-to-avoid-a-legal-500-error-with-your-privacy-policy/</link>
		<comments>http://www.securitycatalyst.com/how-to-avoid-a-legal-500-error-with-your-privacy-policy/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 13:26:43 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Policies]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2651</guid>
		<description><![CDATA[Legal Programming By Aaron Titus I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2657" class="wp-caption alignright" style="width: 310px"><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/500-Legal-Error-cropped.jpg"><img class="size-medium wp-image-2657" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/500-Legal-Error-cropped-300x206.jpg" alt="Avoid a Legal 500 Error. Debug your legal documents." width="300" height="206" /></a><p class="wp-caption-text">Avoid a Legal 500 Error. Debug your privacy policy.</p></div>
<h1>Legal Programming</h1>
<p><strong>By Aaron Titus</strong></p>
<p>I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice.  OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training.  And if I wanted an iPhone app, I&#8217;d talk to a programmer.  If I wanted legal documents, I&#8217;d talk to a lawyer.</p>
<p>In fact, <em>lawyers are programmers</em>. Writing legal documents—like privacy policies—is just like writing code.</p>
<p><span id="more-2651"></span>Imagine that your boss tells you, &#8220;I need a widget. I&#8217;m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.”  Of course, that&#8217;s crazy. You can&#8217;t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?</p>
<p>Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go.  But unlike poorly-written code which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.</p>
<h1>Privacy Policy Principles</h1>
<p>The purposes of a privacy policy are to: 1. Help inform and train your employees about your privacy practices, 2. Inform your customers about your privacy practices, and 3. Avoid liability and FTC action.  As I explained <a href="http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/">previously</a>, adhering to the following principles will allow you to accomplish all three goals:</p>
<ul>
<li><strong>Be Honest</strong>. Your mamma was right: Honesty is the best (privacy) policy.
<ul>
<li><strong>Don&#8217;t Over-Promise</strong>. Statements like &#8220;privacy is our top priority&#8221; may be enforced by the FTC as a privacy promise. Don&#8217;t box yourself into a corner.</li>
<li><strong>Don&#8217;t Under-Promise</strong>.  Under-promising can violate regulations and more importantly, scare off customers.</li>
<li><strong>Tell the Whole Truth</strong>.  Failure to talk about less-desirable privacy practices may be a misleading business practice.</li>
</ul>
</li>
<li><strong>Be Complete and Conspicuous</strong>.</li>
<li><strong>Adapt to Changing Business Practices</strong>.  A privacy policy which was accurate six months ago may not be today.</li>
<li><strong>Get it Right the First Time</strong>. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.</li>
<li><strong>If you Say it, Do it</strong>.  Generally no magic words are required in privacy policies.  The best approach to avoid liability is to stick to your policy.</li>
<li><strong>It&#8217;s Your Business</strong>. As an executive, it&#8217;s your responsibility to make sure that your privacy policy is accurate and complete.</li>
</ul>
<h1>Custom Programming Your Privacy Policy</h1>
<p><strong>Nobody, especially the legislature, has solved your problems for you</strong>.  If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered.  You can&#8217;t expect that somebody else&#8217;s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation.  Imagine for a moment that you have just developed an iPhone app.  The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user&#8217;s weight history to the Weight Watchers website, then optionally posts the summarized results of the user&#8217;s weight loss to his Facebook page and Twitter account.  Which of the following is true:</p>
<ol type="A">
<li>You can adopt HIPAA as your privacy policy. HIPAA privacy rules apply.</li>
<li>The FTC is interested in your privacy policy and practices.</li>
<li>You can later use the weight &amp; contact information to market your next iPhone app, &#8220;Smart Dieter.&#8221;</li>
</ol>
<p>The answers may surprise you:</p>
<ol type="A">
<li><strong>False</strong> on both counts: 1. HIPAA is not a privacy policy. Nobody, especially Congress, has written your privacy policy for you. 2. Your customers are not protected by HIPAA regulations, because they probably don&#8217;t apply to you.</li>
<li><strong>True</strong>.  The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like &#8220;Privacy is our Number 1 Priority&#8221; may be enforced as a privacy promise.</li>
<li><strong>Probably Not</strong>. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.</li>
</ol>
<p>Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs.  If you think that Congress (or anybody, for that matter) has answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I&#8217;d like to sell you.  Even if HIPAA privacy regulations applied (which they don’t), I can guarantee that they were not written with your app in mind.  Likewise, if you are doing anything truly innovative, any canned privacy policy will fail to meet your needs.</p>
<p>Boilerplate legal documents can get people and companies in trouble. Although sometimes there <em>are</em> magic words from a statute or regulation that should be quoted in order to protect your rights, <strong>most boilerplate is not magic; it’s lazy</strong>.  Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful.  Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a &#8220;Legal 500 Error.&#8221;</p>
<h1>A Living Document</h1>
<p>Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal language or &#8220;magic words&#8221; requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the wayside.</p>
<p>Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes.  When you revise a policy, information collected under the former policy must still be treated according to the terms of the original Privacy Policy, unless you get some sort of assent from your customers, or face the potential ire of the FTC.  It is always better to get it right the first time.</p>
<h1>Take Charge</h1>
<p>As an executive, do these three things:</p>
<ol>
<li><strong>Read Your Privacy Policy</strong>. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?</li>
<li><strong>Regularly Update Your Privacy Policy</strong>.  Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance.  Make sure that your privacy policy is on your list of documents to review.</li>
<li><strong>Do a Privacy Policy Legal Review</strong>.  Avoid a &#8220;Legal 500 Error&#8221; by making sure that your privacy policy is complete and compliant.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/how-to-avoid-a-legal-500-error-with-your-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Three Elements of Action</title>
		<link>http://www.securitycatalyst.com/the-three-elements-of-action/</link>
		<comments>http://www.securitycatalyst.com/the-three-elements-of-action/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 14:32:36 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[action]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2370</guid>
		<description><![CDATA[Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item.  Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2381" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Yawn-333-x-500.jpg" alt="Yawn" width="333" height="500" />Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item.  Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.</p>
<p>You are relieved to move on, but don&#8217;t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.</p>
<p><strong>Every action item is comprised of three things:</strong></p>
<ul>
<li><strong>A Person</strong></li>
<li><strong>A Deliverable</strong></li>
<li><strong>A Date</strong></li>
</ul>
<p>Absent one of these three things, a decision is not an action item. <em>It is a wish.</em> All would-be &#8220;action items,&#8221; &#8220;goals,&#8221; or &#8220;decisions&#8221; which  fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability.  Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:</p>
<p><strong>Assignment 1</strong>: &#8220;Development of a power point presentation to train staff.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>None</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>A powerpoint presentation</em>. However, the subject matter of the presentation is not clear in this context.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>None</em>. This presentation will never be late, because it’s never due.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr />
<p><strong>Assignment 2</strong>: &#8220;Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Nobody</em>, or more specifically, everybody.  Note the excessive use of passive voice.  An action assigned to everybody is nobody’s responsibility.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>None</em>. If you can tease a deliverable out of this, you deserve a raise. What exactly do “decisive action” and “ready to be trained upon” mean?</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>30 Days</em>. However, this date doesn’t mean much because there’s no deliverable or assignment.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr /><p><strong>Assignment 3</strong>: &#8220;Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Jane Davis</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Hold a discussion</em> with the Communications Department. Although they probably intend for Jane to post the training program, her only assignment is to have a discussion. It might have been written better as, “coordinate with the Communications Department to post the training program by the end of the month.”</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>None</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr /><p><strong>Assignment 4</strong>: &#8220;Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Kevin Jones</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Database of end-users</em>.  Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>January 31st</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Action</em>. This is an action item.</td>
</tr>
</tbody>
</table>
<p>The three components of action are a <em>person, a deliverable, and a date</em>.  Here&#8217;s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.</p>
<p>So let&#8217;s evaluate my assignment:</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>You</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Require a person, deliverable, and a date for every assignment you make</em>.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>Your next meeting</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Shorter, more effective meetings, happier employees, and real action.</em> This is an action item.</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-three-elements-of-action/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>6 Things Every CEO Should Know About Privacy Policies</title>
		<link>http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/</link>
		<comments>http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 11:09:55 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2495</guid>
		<description><![CDATA[Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest. Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation. [...]]]></description>
			<content:encoded><![CDATA[
<div id="attachment_2497" class="wp-caption alignright" style="width: 310px"><img class="size-full wp-image-2497" src="http://www.securitycatalyst.com/wp-content/uploads/2009/11/Ying-Yang-stock.xchange-500.jpg" alt="Privacy Policies and Practices are like Ying and Yang. Image under license from stock.xchange." width="300" /><p class="wp-caption-text">Privacy Policies and Practices are like Ying and Yang. Image under license from stock.xchange.</p></div>
<p>Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.</p>
<p>Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation.  The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of &#8220;<a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/">Privacy Roundtable</a>&#8221; discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.</p>
<p>With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company&#8217;s privacy policy.</p>
<h1>Be Honest</h1>
<p><strong>Your mamma was right: Honesty is the best (privacy) policy</strong>. Be up front about what you do (or may do in the future) with your customers&#8217; personal information. Many privacy policies make one of three &#8220;honesty&#8221; mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission. Each carries liability, so it is better to avoid all three.</p>
<p><strong>Don&#8217;t over-promise.</strong> Your company may be held responsible for the representations in your privacy policy.  Look out for phrases like &#8220;state-of-the-art,&#8221; &#8220;everything in our power,&#8221; or &#8220;our highest priority.&#8221;  If your company really does use &#8220;state-of-the-art&#8221; technology to protect privacy, good for you. But you probably don&#8217;t, so be honest about it.  While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.</p>
<p><strong>Don&#8217;t under-promise.</strong> FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis. It may be tempting to try to <a href="http://www.nationalidwatch.org/release.php?g=30">disclaim all duties</a> to protect your customers, especially if you&#8217;ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers&#8217; privacy. Second, you may scare away potential customers, or invite scrutiny (as <a href="http://www.google.com/search?q=facebook+privacy">Facebook</a> well knows). Third, FTC actions have indicated that businesses cannot take a &#8220;wait-and-see&#8221; approach to consumer privacy. Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.</p>
<p><strong>Tell the whole truth.</strong> Another temptation is to remain conveniently silent on a privacy issue you&#8217;d rather not talk about.  This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements.  Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.</p>
<h1>Be Complete &amp; Conspicuous</h1>
<p>Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date.  The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes.  California law also requires that a link to your company&#8217;s privacy policy be conspicuous.  Most of the time, a link from the home page or in the footer will be sufficient.</p>
<p>A privacy policy is legally <em>compliant</em> when it addresses all of the various legal and regulatory requirements, but it is only <em>complete</em> when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think.  For example, a typical University engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of their students.  That&#8217;s why there can be no such thing as a &#8220;boilerplate&#8221; privacy policy.</p>
<h1>Privacy Policy Must Reflect (Changing) Practices</h1>
<p>Like Yin and Yang, privacy policy and practice are complementary and inseparable. One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers&#8217; privacy. As <a href="http://www.ftc.gov/opa/2003/11/cybersecurity.shtm">FTC guidelines</a> indicate, &#8220;Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.&#8221;</p>
<h1>Get it Right the First Time</h1>
<p>Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified.  This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information &#8220;will not be shared with third parties without [customers'] explicit consent.&#8221;  Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent.  This can even apply to a transfer of personal information in a bankruptcy proceeding.</p>
<p>That&#8217;s why it&#8217;s important to get it right the first time.  Your company&#8217;s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers.  If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer.  It matters.</p>
<h1>If You Say it, Do it</h1>
<p>We&#8217;re all familiar with the <em>Miranda</em> phrase, &#8220;anything you say can and will be used against you …&#8221; by the FTC.  If you make a representation in your privacy or security policy, you&#8217;d better be able to live up to it.  FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.</p>
<p>Each representation about privacy or security is treated as a &#8220;privacy promise.&#8221; Feel-good marketing fluff does not belong in a privacy policy, because even &#8220;fluff&#8221; can create duties or liability, even if the duty is not required by law. Explicit security-related promises (such as a promise to use &#8220;state-of-the-art technology&#8221;) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.</p>
<p>For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn&#8217;t.  In recent years the FTC has taken similar action against Eli Lilly &amp; Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.</p>
<p>If your privacy policy says it, then do it.</p>
<h1>It&#8217;s Your Business</h1>
<p>As a soon-to-be attorney, I can say <a name="biasref"></a>* that you should have a lawyer review your privacy policy.  Lawyers help the privacy policy <strong>comply</strong> with legal and regulatory requirements, but it&#8217;s your responsibility to make sure that the policy is <strong>complete</strong>.  In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.</p>
<p>If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&amp;D. Without their feedback it will be impossible to document your important privacy practices and create a <em>complete</em> privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes. There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting. Banishing your privacy policy just to the lawyers may get you in trouble because the end result may be <em>compliant</em>, but <em>incomplete</em>. And ironically, an incomplete privacy policy is a non-compliant policy.</p>
<h1>Take Charge</h1>
<p>As a CEO, COO, or Managing Director, you should do three things:</p>
<ol>
<li><strong>First, read your privacy and security policy</strong>.  If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.</li>
<li><strong>Second, make sure you can live up to your privacy policy</strong>. Watch out for buzzwords like &#8220;state-of-the-art,&#8221; &#8220;everything within our power,&#8221; &#8220;always,&#8221; and &#8220;never.&#8221;  Make sure that you haven&#8217;t painted yourself, your customers, or your employees into a corner.</li>
<li><strong>Third, update your privacy policy to reflect your business practices</strong>, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.</li>
</ol>
<hr />
<p><a name="bias"></a><a href="#biasref">*</a> No bias, and a healthy dose of sarcasm. In this case the author wishes to think of his opinion on the lawyers as an <em>expert</em> opinion rather than a <em>biased</em> one. In the author&#8217;s experience, there is occasionally little difference between &#8220;expert&#8221; and &#8220;biased&#8221; opinions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>FTC Says Bloggers Must Disclose Freebies</title>
		<link>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/</link>
		<comments>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 11:00:11 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[disclaimers]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2391</guid>
		<description><![CDATA[by Aaron Titus The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg"><img class="alignright size-full wp-image-2393" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Money-Magnifying-Glass-300-x-201.jpg" alt="A Closer Look at the Money" width="300" height="201" /></a>by Aaron Titus</p>
<p>The FTC recently announced <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">new guidelines</a> requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/guides/endorse.htm"><em>Guides Concerning the Use of Endorsements and Testimonials in Advertising</em></a> in 29 years. The rules go into effect on December 1, 2009.</p>
<p><span id="more-2391"></span>The FTC <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">press release</a> emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for… failure to disclose material connections between [them].&#8221;  Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner.  Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.</p>
<p>Here&#8217;s the bottom line: <strong>Bloggers</strong>– Clearly disclose whether you received payment or a free product when giving endorsements. <strong>Advertisers</strong>– Make sure social media marketing plans require your ad agencies and paid bloggers  to disclose whether an endorsement is paid.</p>
<p>But bloggers shouldn&#8217;t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or a free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.</p>
<p>Simply blogging about a free sample will not break the FTC rules.  For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser.  In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.</p>
<p>The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling them in word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.</p>
<p>In addition, simply using an ad agency doesn&#8217;t break the chain of liability.  Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift.  Advertisers should remember that <em>paid bloggers can now incur liability on advertisers</em>, and in this sense, they should treat paid bloggers just like any other employee or company agent.</p>
<p>Tips for Advertisers:</p>
<ol>
<li><strong>Tell Your Bloggers</strong>:  Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products.</li>
<li><strong>Watch Your Bloggers</strong>: Advertisers will be liable for misleading statements from paid bloggers.  However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221;</li>
<li><strong>Tell Your Advertising Agency</strong>:  In your advertising agency contract, require them to insist that bloggers disclose gifts.</li>
<li><strong>Ask for Indemnity</strong>: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.</li>
</ol>
<p>Tips for Advertising Agencies (especially Social Media):</p>
<ol>
<li><strong>Market Your Knowledge</strong>: Advertisers will appreciate that you know about this new regulation.  Let advertisers know that your knowledge puts you in a position to decrease their liability.</li>
<li><strong>Tell Your Bloggers</strong>: See above.</li>
<li><strong>Watch Your Bloggers</strong>: See above.</li>
</ol>
<p>Tips for Bloggers:</p>
<ol>
<li><strong>Be Clear</strong>: If you got paid, or if you got a free product, disclose it up front.  There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality).</li>
<li><strong>Be Conspicuous</strong>: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article.  While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.</li>
<li><strong>Don&#8217;t Worry Too Much</strong>: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review.  As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law).  Now you just have to disclose whether you got paid for your opinion.</li>
</ol>
<p>It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet.  May I be the first to suggest, &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;</p>
<p><em>Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Privacy Commons for Government</title>
		<link>http://www.securitycatalyst.com/privacy-commons-for-government/</link>
		<comments>http://www.securitycatalyst.com/privacy-commons-for-government/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 11:00:51 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[Congress Camp]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Commons]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2330</guid>
		<description><![CDATA[by Aaron Titus &#8220;Unconferences&#8221; (hat tip to identitywoman) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies. My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation. The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2331" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/CongressCamp-logo.png" alt="Congress Camp Logo" width="350" height="144" />by Aaron Titus</p>
<p>&#8220;<a href="http://www.unconference.net">Unconferences</a>&#8221; (hat tip to <a href="http://www.identitywoman.net">identitywoman</a>) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies.  My most recent unconference was <a title="Congress Camp" href="http://congresscamp.org/" target="_blank">Congress Camp 2009</a>, organized by the <a title="Open Forum Foundation" href="http://openforumfoundation.org/" target="_blank">Open Forum Foundation</a>.  The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked <a title="3121 Professional Network for Hill Staffers and Congress" href="http://3121blog.nationaljournal.com/">hill staffers</a> who use IE6 and must cope with information overload.  We also got a preview of <a title="Gov Luv: Social Media meets Government" href="http://govluv.org/" target="_blank">GovLuv.org</a>.  If you have an interest in social networking and government, I highly recommend looking at some of the <a title="Congress Camp Blog" href="http://congresscamp.org/" target="_blank">blog articles</a>.</p>
<p><span id="more-2330"></span>Here&#8217;s my report: <em>Don&#8217;t hold your breath for Congress to go Social-Web crazy in the immediate future.</em></p>
<p>I hosted a discussion on developing a <a title="Privacy Commons" href="http://wiki.privacycommons.org" target="_blank">Privacy Commons</a> framework for government.  In short, Privacy Commons will be a series of Privacy Policy Frameworks: A list of <em>required</em>, <em>optional, </em>and <em>prohibited </em>subject matter for privacy policies. Each framework will be tailored to particular industries (i.e., medical, financial, goods and services, social media, government, etc.). Adoption of a Privacy Commons Framework will require that your Privacy Policy address all subject matter in the framework, and make certain high-level disclosures in the form of iconography (i.e., a &#8220;$&#8221; symbol to indicate that you sell personal information to third parties).</p>
<p>I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from staffers that Congressional privacy policies should also disclose how personal anecdotes may be used.  Many constituents e-mail their elected representatives with poignant personal stories that often support draft legislation.  Staffers must decide whether they can or should use the stories in a press release, on the House or Senate floor, or whether they can use the story and change the names.</p>
<p>A government Privacy Commons framework will also need to address the different rules that elected officials and their campaigns must follow.  Elected officials must follow strict rules governing sharing personal and contact information.  In contrast, campaigns (which may run full-time, even after an official is elected) can do almost anything with personal information.  The distinction between &#8220;Congressman Jones&#8221; and &#8220;Congressman Jones&#8217; Campaign&#8221; may be lost on the average constituent; but the effects on privacy might be substantial.</p>
<p>As I make the transition to <a title="J.C. Neu and Associates" href="http://www.jeffreyneu.com" target="_blank">full-time attorney</a> (after I pass the bar&#8230; wish me luck), I&#8217;ll be able to continue developing Privacy Commons. In fact, at Congress Camp I hooked up with the <a title="E Citizen Foundation" href="http://ecitizenfoundation.org" target="_blank">ECitizen Foundation</a>, which might help host Privacy Commons working groups. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/privacy-commons-for-government/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Dear Legitimate Companies: Stop Acting Like Phishing Rings</title>
		<link>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/</link>
		<comments>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 11:00:06 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[consumer advocate]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2267</guid>
		<description><![CDATA[by Aaron Titus As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are: Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you. [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2308" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/Danger-Wrong-Way-Turn-Back-300x400.jpg" alt="Danger Wrong Way Turn Back" width="400" height="300" />by Aaron Titus</p>
<p>As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:</p>
<ol>
<li>Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.</li>
<li>Don&#8217;t click on URLs in unsolicited e-mails.</li>
<li>If you want to click on an e-mail link, never click &#8220;dishonest&#8221; links &#8211; links that don&#8217;t match the displayed URL.</li>
</ol>
<h1>Bad Practices</h1>
<p><a href="http://www.amsa.com/">American Student Assistance</a> (ASA) is a non-profit organization which helps students keep track of their student loans. It&#8217;s also an example of a legitimate organization with some irresponsible privacy practices.</p>
<p>Earlier this year I received an unsolicited e-mail from the ASA.  I had never heard of the ASA, but the e-mail insisted that they were &#8220;the guarantor of [my] federal student loans.&#8221; To this day my bank has not introduced me to the ASA.  Of course, this spontaneous contact from an &#8220;authoritative&#8221; organization made me suspicious. <em><strong>Red Flag 1</strong>: Unsolicited e-mail claiming to be from an authoritative source.</em></p>
<p>The letter instructed me to follow a link to log in with my FAFSA PIN. I was also notified that I have a &#8220;Profile,&#8221; and was invited to Update my profile by clicking on a link. The link took me to an insecure and unbranded website which automatically filled out my name and e-mail address, and indicated that I had been opted in to receive a newsletter. <em><strong>Red Flag 2</strong>: Unsolicited authoritative e-mail, requesting that you &#8220;log in&#8221; using sensitive information on an unsecured, no-name server. Spam newsletters are a bonus.</em></p>
<p>But before clicking on the links, I moused over each of them to see where they led.  A link which purported to go to &#8220;<a href="http://www.amsa.com/bor">www.amsa.com/bor</a>&#8221; actually links through &#8220;http://click.email-asa.org/?qs=33c40ef691b275c8d3b7e7d0430ce34d0980241c6c7eb313b745465bb515d8d5&#8221;. In fact, each of the eight links in the e-mail was &#8220;dishonest,&#8221; in that the actual URL was different from the displayed URL. <em><strong>Red Flag 3</strong>: Dishonest links.</em></p>
<p>This e-mail screamed &#8220;Phishing Scam,&#8221; so I called the toll-free phone number listed in the e-mail.  A woman answered the phone. She immediately asked for sensitive personal information.  I gave her my first and last name, but refused to give her any additional information since they had contacted me and I had no way to verify who they were. <em><strong>Red Flag 4</strong>: Unsolicited third party requesting personal information over the phone.</em></p>
<p><a href="http://www.amsa.com/privacy-customer.cfm">ASA&#8217;s Privacy Policy</a> contains the following promises:</p>
<blockquote><p>We do not disclose any nonpublic personal information about you or our other current or former customers, except as permitted by law&#8230;. We restrict access to nonpublic personal information about you to our employees, contractors, and agents who need to know the information in order to provide service to you&#8230;. We maintain physical, technical, and administrative safeguards in compliance with federal regulations to safeguard your nonpublic personal information. <em>(Accessed August 27, 2009.)</em></p></blockquote>
<p>But ASA&#8217;s privacy policy didn&#8217;t translate to privacy practices.  After I refused to share personal information the lady on the phone asked, &#8220;Is your name Aaron [X] Titus, or Aaron [Y] Titus?&#8221; Uncomfortable, I replied, &#8220;Aaron [X]&#8230;&#8221; She asked for my date of birth.  When I refused to give it to her, she read it to me over the phone.  When I refused to give her my address, she repeated my full address including street, number, state and zip code.  She told me which school I attended and that she had access to my social security number on her screen.  <em><strong>Red Flag 5</strong>: A representative sharing sensitive personal information over the phone without first authenticating.</em></p>
<p>Since I had no idea who this organization was I asked, but never got a straight answer.  She and her supervisor variously described the organization as a &#8220;government agency,&#8221; &#8220;not a government agency,&#8221; &#8220;a non profit government agency,&#8221; and a &#8220;non profit organization which receives federal funds.&#8221; They relied on some relationship with the federal government to gain credibility. <em><strong>Red Flag 6</strong>: A fishy and inconsistent story designed to earn your trust.</em></p>
<h1>My Advice: Quit it</h1>
<p>After filing a complaint with the company, I talked with ASA&#8217;s Privacy and Compliance Director, Betsy Mayotte.  Ms. Mayotte was kind enough to apologize for the behavior of her organization, and convinced me that the ASA is a legitimate organization, albeit one with uneducated and dangerous privacy practices.  Apparently the representative was re-trained.  But they did not plan to change anything else.</p>
<p>The dishonest links were designed to measure click-throughs: a common marketing practice.  The unbranded and insecure server which asked me to update my &#8220;profile&#8221; was the result of bad practices, laziness or poor training.  The other blatant violations of their privacy policy and the outrageous behavior of the representative were more of the same.</p>
<p>I wish I could say that this is an unusual event. But unfortunately I&#8217;ve seen similar behavior by my bank, and even former employers.  When legitimate companies force consumers to be irresponsible, the online public becomes irresponsible.  Forcing consumers to ignore common-sense safety practices may save you a buck in the short run, but it makes your customers irresponsible and erodes overall online public safety. So here&#8217;s my advice to legitimate companies who behave like phishing rings:</p>
<p><strong>Quit it.</strong></p>
<p>Seriously, stop training the public to be irresponsible. If you want to track click-throughs for an e-mail marketing campaign, set up a virtual redirect on your main server.  If you got sensitive personal information through a third party, make sure to have that third party introduce you to the customer.   Don&#8217;t send unsolicited e-mail, and don&#8217;t cold-contact potential customers to request that they share personal information.  Once and for all, encrypt your website.  If your marketing department isn&#8217;t all that tech-savvy, hire someone who is.  Train your customer service representatives never to give out personal information without first authenticating the identity of the person on the other end of the line.</p>
<p>Privacy policies are not just legal boilerplate which you can write and forget.  Make sure that your privacy policy matches your privacy practices.  This means that your customer service representatives should be as familiar with it as your general counsel.</p>
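<p>One defensive check for the &#8220;dishonest links&#8221; and third-party click trackers described above, as an added example that is not code from the original post: it parses the anchors in an HTML e-mail and flags any whose visible text is a URL on one host while the href actually goes elsewhere, any that leave the sender&#8217;s own domain (the post&#8217;s advice is to redirect on your main server instead), and any plain-http links. The e-mail snippet, the <code>example.com</code> sender domain and the <code>click.email-example.org</code> tracking host are constructed placeholders, not real addresses.</p>

```python
"""Audit an HTML e-mail for "dishonest" links.

Added example (not from the original post). Flags anchors whose visible text
looks like a URL on one host while the href points to a different host, anchors
that leave the sender's domain (typical third-party click trackers), and
anchors that use plain http. The sample e-mail, sender domain and tracking
host below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that reads like a URL, e.g. "www.example.com/bor".
URL_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host with a leading 'www.' stripped; scheme-less display
    strings such as 'www.example.com/bor' are parsed by prefixing http://."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html, sender_domain):
    """Return [(href, text, reasons)] for every suspicious anchor.

    reasons may contain:
      "dishonest"  - visible text is a URL whose host differs from the href host
      "off-domain" - href host is not the sender's domain or a subdomain of it
      "insecure"   - href is not served over https
    """
    parser = _AnchorCollector()
    parser.feed(html)
    sender = _host(sender_domain)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = _host(href)
        if URL_TEXT.match(text) and _host(text) != href_host:
            reasons.append("dishonest")
        if href_host and href_host != sender and not href_host.endswith("." + sender):
            reasons.append("off-domain")
        if urlparse(href if "://" in href else "http://" + href).scheme != "https":
            reasons.append("insecure")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on the post: a displayed vanity URL routed
# through a separate click-tracking host, plus one honest https link.
SAMPLE_EMAIL = """
<p>Please visit <a href="http://click.email-example.org/?qs=TRACKING-TOKEN-PLACEHOLDER">www.example.com/bor</a>
to review your profile, or read our
<a href="https://www.example.com/privacy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL, "example.com"):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```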
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/dear-legitimate-companies-stop-acting-like-phishing-rings/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Creative Commons for Privacy</title>
		<link>http://www.securitycatalyst.com/creative-commons-for-privacy/</link>
		<comments>http://www.securitycatalyst.com/creative-commons-for-privacy/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 11:00:30 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy bar camp]]></category>
		<category><![CDATA[Privacy Commons]]></category>
		<category><![CDATA[Privacy Policies]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1994</guid>
		<description><![CDATA[Privacy Bar Camp DC by Aaron Titus In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst&#8230; that was [...]]]></description>
			<content:encoded><![CDATA[
<h1>Privacy Bar Camp DC</h1>
<div id="attachment_1996" class="wp-caption alignright" style="width: 250px"><a href="http://wiki.privacycommons.org/"><img class="size-full wp-image-1996" src="http://www.securitycatalyst.com/wp-content/uploads/2009/06/privacycommons-parked-small.jpg" alt="" width="240" height="160" /></a><p class="wp-caption-text">Image based on Three Poppies by Federico Ferrari.</p></div>
<p>by Aaron Titus</p>
<p>In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @<a href="http://twitter.com/PrivacyCampDC">PrivacyCampDC</a>) organized by <a href="http://thinkdodone.typepad.com/">Shaun Dakin</a> with support from the <a href="http://www.cdt.org/">Center for Democracy and Technology</a>, and conducted at the <a href="http://www.americanprogress.org/">Center for American Progress</a>. I confess that I attended primarily to aid my job search <em>(psst&#8230; that was a shameless, self-promoting plug)</em>, but ended up having a great time.  Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, or with camping. And the genius is, they don&#8217;t have an agenda.</p>
<p>About 50 people showed up Saturday morning, and after a brief round of introductions, everyone interested in leading a discussion pitched their ideas to the group.  Then each discussion was placed on a grid schedule with four rooms, each with four sessions.  The &#8220;camp&#8221; ran all day, and each attendee chose which combination of the 16 sessions they wanted to attend.  Each session was highly interactive, spontaneous, and collaborative.  The topics ranged from Government and Web 2.0 to &#8220;Empowering Big Brother,&#8221; to Open ID, to <a title="Lock Picking" href="http://deviating.net/lockpicking/">lock-picking</a> (my personal favorite). <a href="http://thecommandline.net/">Thomas &#8220;cmdln&#8221; Gideon</a> and I hosted a session on &#8220;Personal Information as Property and the Platform for Privacy Preferences (<a href="http://www.w3.org/P3P/">P3P</a>).&#8221; During the discussion, the concept of &#8220;Privacy Commons&#8221; came up, and several of the session participants agreed to work on the idea.</p>
<h1>Privacy Commons</h1>
<p>We soon had a group interested in developing the idea, and have been working on it since. Modeled in the spirit of Creative Commons, <a href="http://wiki.privacycommons.org">Privacy Commons</a> (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.</p>
<p>I admire what the <a href="http://www.creativecommons.org">Creative Commons</a> movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are otherwise absent from the law itself.  Creative Commons fills the gap between what the law <em>is</em>, and what many think the law <em>should be</em>.  Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.</p>
<h1>The Need for Complete, Informative, and Enforceable Privacy Policies</h1>
<p>Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete. They often fail to protect an appropriate scope of information or individuals.  Second, many privacy policies waive, rather than confer, privacy rights.  But most importantly, courts have consistently interpreted privacy policies as non-binding notices, rather than contracts.  In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights.  As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.</p>
<h1>Protecting Personal Information via Contract vs. Intellectual Property</h1>
<p>Intellectual property (IP) law is not an appropriate legal framework to protect personal information because <a href="http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/">nobody owns personal information</a>.  Personal information consists of facts, which are not copyrightable.  Unless a person is famous, a name or SSN can&#8217;t be trademarked.  An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information.  For example, parents would logically &#8220;own&#8221; a child&#8217;s name and date of birth, since they created them.  The government creates social security numbers, and the credit card companies create credit card numbers.  The post office creates addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person&#8217;s ownership interest in gossip or other third-party-created personal information.</p>
<p>In contrast to Creative Commons (which operates under IP licensing law), Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance.  Each model privacy policy would exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration.</p>
<h1>What do you think?</h1>
<p>There is an ad-hoc working group and a <a href="http://wiki.privacycommons.org">Privacy Commons Wiki</a>, which is starting work on the project, and has already published a few articles on mission, scope, and approach. The wiki is closed (to prevent spam), but <em>logins are liberally granted with a simple e-mail</em>. I, for one, find the project pretty exciting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/creative-commons-for-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Your Data Self</title>
		<link>http://www.securitycatalyst.com/your-data-self/</link>
		<comments>http://www.securitycatalyst.com/your-data-self/#comments</comments>
		<pubDate>Mon, 25 May 2009 15:45:55 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[data self]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=634</guid>
		<description><![CDATA[by Aaron Titus Georges-Pierre Seurat was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called &#8220;pointillism.&#8221; His famous painting, La Parade, contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man&#8217;s profile. This detail is the [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/seurat-la_parade_detail.jpg"><img class="alignright size-medium wp-image-1768" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/seurat-la_parade_detail-184x300.jpg" alt="seurat-la_parade_detail" width="184" height="300" /></a></p>
<p><strong> by Aaron Titus</strong></p>
<p><a href="http://en.wikipedia.org/wiki/Georges_Seurat">Georges-Pierre Seurat</a> was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called &#8220;<a href="http://en.wikipedia.org/wiki/Pointillism">pointillism</a>.&#8221; His famous painting, <em>La Parade,</em> contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man&#8217;s profile.</p>
<p>This detail is the single best visualization of your &#8220;Data Self&#8221; I have seen.  Your <a href="http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/">Data Self</a> is a collection of your credit report, Facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data.  Like pointillism techniques, which juxtapose contrasting dots to create vibrant masses of shaded tones, each piece of personal information is a single dot. Perhaps one is your address, your middle name, your pet&#8217;s name, or your favorite color.  Maybe some represent your family, and others represent your friends or religious beliefs.  Some represent your travels, magazine subscriptions, and purchase habits.  Still others are intimate thoughts.</p>
<p>Taken individually or in small groups, they do not mean much; they may even seem to contrast or contradict one another.  But all together they form your profile, or Data Self: a pretty good, but not 100% accurate, representation of who you are.  And this profile is exactly what data brokers, government actors, and marketers (among others) are trying to determine.</p>
<p>We leave trails of dots as we interact with others, especially online.  As <a href="http://www.popularmechanics.com/technology/industry/4295100.html?page=2">Gregory Conti</a>, a computer science professor at the United States Military Academy at West Point, explained, &#8220;Free Web services aren’t free. We pay for them with micropayments of personal information.&#8221;</p>
<p>Since your Data Self is a digital alter-ego, with the power to enter contracts, grant access to your financial assets, have surgery, or commit crimes, you should actively shape and control access to your Data Self.</p>
<p><em>Hat tip: <a href="http://www.concurringopinions.com/">Daniel Solove</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/your-data-self/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why You Have Something to Hide</title>
		<link>http://www.securitycatalyst.com/why-you-have-something-to-hide/</link>
		<comments>http://www.securitycatalyst.com/why-you-have-something-to-hide/#comments</comments>
		<pubDate>Mon, 20 Apr 2009 11:00:49 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=632</guid>
		<description><![CDATA[by Aaron Titus If you have nothing to hide, why do you need privacy? This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things [...]]]></description>
			<content:encoded><![CDATA[
<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/lockcombo.jpg"><img class="alignright size-medium wp-image-1630" title="lockcombo" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/lockcombo-300x200.jpg" alt="lockcombo" width="300" height="200" /></a>by Aaron Titus</strong></p>
<p>If you have nothing to hide, why do you need privacy?  This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things others should know about.</p>
<p>I admit that I bristle every time I hear someone say, &#8220;You have nothing to worry about if you have nothing to hide.&#8221;  Baloney. <em>I have everything to hide</em>!  When someone says, &#8220;I have nothing to hide,&#8221; it&#8217;s simply not true.  What he really means is, &#8220;I have nothing to be ashamed of,&#8221; which may be true.  But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt.</p>
<p>I have much to hide, for one simple reason. <strong>I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me</strong>, even if I am not ashamed of those facts.  For example, I keep my social security number private from a would-be criminal, because I can&#8217;t trust that he&#8217;ll act responsibly with the information.  I&#8217;m certainly not ashamed of my SSN. Studies have shown that cancer patients lose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients&#8217; fatigue.  Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions.  Cancer patients aren&#8217;t ashamed of their medical status; they just need to keep their jobs.</p>
<p>A person may share intimate secrets with an ecclesiastical leader that they would keep private from parents, because they fear the parents may not act reasonably or rationally when presented with the same information.  During World War II, the government acted unreasonably and irresponsibly with Census data about the location of Japanese-American citizens.  Privacy from government entities is paramount.</p>
<p>In addition, can you imagine how much damage you would impose on innocent people if you spoke every thought that came into your head?  Or if doctors, lawyers, and accountants disclosed everything they knew about you?</p>
<p>The need for privacy is the recognition that most individuals, organizations, or institutions cannot be trusted to act reasonably, responsibly, in the best interest of the person, or in the best interests of society, when in possession of certain types of personal information.  Humans are biased. We have limited cognitive and analytical abilities, and never know all of the facts.  We are infamously poor judges of character.  We change our minds, and come to conflicting conclusions.  So, the next time someone asks whether you have something to hide, do not hesitate to say, &#8220;Yes, of course I do.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/why-you-have-something-to-hide/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Internet in 5 Minutes or Less</title>
		<link>http://www.securitycatalyst.com/the-internet-in-5-minutes-or-less/</link>
		<comments>http://www.securitycatalyst.com/the-internet-in-5-minutes-or-less/#comments</comments>
		<pubDate>Sat, 07 Mar 2009 03:15:35 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Aaron Titus]]></category>
		<category><![CDATA[client]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[fuzzy cloud]]></category>
		<category><![CDATA[packets]]></category>
		<category><![CDATA[routers]]></category>
		<category><![CDATA[servers]]></category>
		<category><![CDATA[The Internet]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1151</guid>
		<description><![CDATA[Most of us know how to use the internet, without actually understanding how it works. In five minutes, this video gives some of the fundamentals of how the Internet works. Most importantly, the internet is not a fuzzy cloud. The internet is a wire, actually buried in the ground. Computers connected directly to the internet [...]]]></description>
			<content:encoded><![CDATA[
<p>Most of us know how to use the internet, without actually understanding how it works. In five minutes, this video gives some of the fundamentals of how the Internet works.  Most importantly, the internet is not a fuzzy cloud. The internet is a wire, actually buried in the ground. Computers connected directly to the internet are called &#8220;Servers,&#8221; while the computers you and I use are &#8220;clients,&#8221; because they are not connected directly to the internet, but through an Internet Service Provider. Routers shuttle packets of information across the internet, and transmit e-mail, pictures, and web pages.</p>
<p><object width="480" height="385" data="http://www.youtube.com/v/7_LPdttKXPc&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/7_LPdttKXPc&amp;hl=en&amp;fs=1" /><param name="allowfullscreen" value="true" /></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-internet-in-5-minutes-or-less/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>8 Problems and 9 Solutions to College Information Security</title>
		<link>http://www.securitycatalyst.com/7-problems-and-9-solutions-to-college-information-security/</link>
		<comments>http://www.securitycatalyst.com/7-problems-and-9-solutions-to-college-information-security/#comments</comments>
		<pubDate>Wed, 11 Feb 2009 11:05:05 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[college]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[university]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=626</guid>
		<description><![CDATA[By Aaron Titus Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, &#8220;sometimes the free flow of information is unintentional.&#8221; Here are eight policies and behaviors that [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/college.jpg"><img class="alignright size-medium wp-image-1087" title="Graduation" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/college-300x199.jpg" alt="Graduation" width="300" height="199" /></a></p>
<p><strong>By Aaron Titus</strong></p>
<p>Colleges and universities store employment data, financial records, transcripts, credit histories, medical histories, contact information, social security numbers and other types of personal information. Although higher-education institutions should be forums where information and knowledge are easily exchanged, &#8220;<a href="http://www.adamdodge.com/esi/">sometimes the free flow of information is unintentional</a>.&#8221; Here are eight policies and behaviors that put personal information at risk:</p>
<ol>
<li><strong>Administrative Decentralization</strong></li>
<li><strong>Naive Office Culture</strong></li>
<li><strong>Unprotected &#8220;Old&#8221; Data</strong></li>
<li><strong>Shadow Systems</strong></li>
<li><strong>Unregulated Servers</strong></li>
<li><strong>Unsophisticated Privacy Policies</strong></li>
<li><strong>Improper Use of the SSN</strong></li>
<li><strong>Unsanitized Hard Drives</strong></li>
</ol>
<h2>Administrative Decentralization</h2>
<p>In a university setting each college, each department, and often each professor operates nearly autonomously.  In an environment where knowledge must flow freely, decentralization is a must.  However, it means that new centralized policies to address information security are difficult to implement.</p>
<h2>Naive Office Culture</h2>
<p>A closely related risk factor is office culture.  Staff turnover makes training an ongoing struggle, despite strict policies governing information control.  Accidental information leaks can occur, even in the most secure IT environment.  In addition, all office cultures resist changing any process, no matter how inefficient.  In one example, I called my law school to discuss financial aid.  After identifying myself by only my last name, the staff member automatically read my social security number over the phone.</p>
<h2>Unprotected &#8220;Old&#8221; Data</h2>
<p>Colleges do a pretty good job of guarding current personal information, but fail to protect older information, which is especially risky if the old data includes social security numbers.</p>
<p>Almost every week a faculty member backs up an old hard drive to his personal web space, unaware that the hard drive contained legacy student grades and social security numbers. Occasionally the professor is aware of the information but mistakenly believes that his university-provided Web space is not available to the public. Often the data sit on the institutional server for up to five years undetected and forgotten—until the information turns up on Google.</p>
<h2>Shadow Systems</h2>
<p>&#8220;Shadow Systems&#8221; are copies of personal information from the core system which professors, colleges, departments, and even student organizations maintain independently.  Shadow systems can be sophisticated databases under high security or simple Excel spreadsheets on personal laptops. They multiply at an alarming rate because faculty members with administrative access can create their own databases at any time.</p>
<p>Thus, even though a small army of information-technology professionals may guard a college&#8217;s core systems, the security perimeter extends much further. And despite strict policies governing information control, employee turnover makes training about privacy and security issues a continual struggle.</p>
<h2>Unregulated Servers</h2>
<p>Faculty members and third-party vendors also frequently set up their own unregulated servers outside university firewalls, often for legitimate academic use. Those servers are particularly vulnerable to hackers and accidental online exposure. In one security audit, a private university uncovered 250 unauthorized servers connected to its public internet network, each containing sensitive student information.</p>
<h2>Unsophisticated Privacy Policies</h2>
<p>Colleges&#8217; privacy policies often demonstrate a basic lack of understanding of the law and, more importantly, how the institution carries out the law through internal processes. Many policies basically say nothing more than &#8220;We follow the law,&#8221; without explaining what the law is or how they follow it. Even worse, some simply say, in essence, &#8220;Trust us, we&#8217;ll be good.&#8221;</p>
<p>Many institutions&#8217; privacy policies also erroneously mimic commercial policies, which are narrowly tailored to cover only information collected online. Those policies are deficient in a college setting because just a small fraction of personal information that colleges maintain is collected online.</p>
<p>Further, a single institution may have dozens or hundreds of separate privacy policies, each dealing with a different, and incomplete, set of issues. For example, at some highly decentralized institutions, each college, department, and even some facilities like student unions have their own privacy policies. While privacy policies should reflect the practices of each group, inconsistent policies can create confusion among staff members who must explain or carry them out.</p>
<h2>Improper Use of the SSN</h2>
<p>Even though many colleges don&#8217;t now use social security numbers to identify students, they once did. Those old records sit like land mines on old servers. In addition, some universities print them on academic transcripts and official documents. Even though the <a href="http://www.aacrao.org/">American Association of Collegiate Registrars and Admissions Officers</a> recommends printing the social security number on transcripts, my <a href="http://www.privacyrights.org/ar/TitusAaron-SSNs0507.htm">January 2007 study</a> indicates that, fortunately, most don&#8217;t.</p>
<h2>Unsanitized Hard Drives</h2>
<p>Deleted files remain almost unchanged on a hard drive until the drive is overwritten or physically destroyed. Once unsanitized hard drives are re-sold, sensitive personal and corporate information can be <a href="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf">easily retrieved</a>. Though most universities have a sanitization protocol when retiring old hard drives, enforcing the policy can be challenging.</p>
<h2>Solutions</h2>
<p>College administrators should consider the following:</p>
<ul>
<li><strong>Regularly scan institutional networks for sensitive information</strong>, such as social security numbers, grades, and financial information. Use a combination of public search engines, and internal text- and <a href="http://www.identityfinder.com">file-scanning software</a>.</li>
<li><strong>Automatically retire &#8220;old&#8221; data on institutional servers</strong> but allow faculty members to un-retire old data they still use. Forgotten information is dangerous information.</li>
<li><strong>Establish a &#8220;radioactive date,&#8221;</strong> which is when your institution last used social security numbers as an identifier.  Files last modified before this date should be presumed dangerous.</li>
<li><strong>Create permissions-based access to core systems</strong>.  Sensitive personal information should be available to faculty members and departments only on a need-to-know basis.</li>
<li><strong>Establish a data-retention-and-access policy</strong> by balancing threat, benefits and risks of maintaining the data.</li>
<li><strong>Coordinate interdepartmental privacy and security practices</strong> with a special committee of information security professionals.</li>
<li><strong>Update your privacy policy</strong> to reflect all privacy issues arising in a university setting. Explain privacy rights and practices that protect offline employment information and sensitive student records. Also explain work-flow protections (for example, &#8220;only director-level employees have access to social security numbers&#8221;) and technical practices (for example, &#8220;employee data is stored on encrypted hard drives&#8221;). Privacy policies should deal with more than just cookies and Web forms.</li>
<li><strong>Eliminate social security numbers</strong> from official records where possible, or establish a policy whereby students can opt to omit their numbers from transcripts or other records.</li>
<li><strong>Physically destroy all old hard drives</strong>.</li>
</ul>
<p>Institutions of higher education must promote the free exchange of ideas while protecting sensitive personal information. Although the academic environment can seem at odds with information security, appropriate practices and procedures can balance information freedom and personal privacy.</p>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, and runs <a href="http://www.nationalidwatch.org">National ID Watch</a>. A version of this article originally appeared in the October 24, 2008 edition of the</em> <a href="http://chronicle.com/weekly/v55/i09/09a03502.htm">Chronicle of Higher Education</a><em>, and is republished here by arrangement.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/7-problems-and-9-solutions-to-college-information-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Top 5 Reasons You Won&#8217;t Hear About a Breach</title>
		<link>http://www.securitycatalyst.com/the-top-5-reasons-you-wont-hear-about-a-breach/</link>
		<comments>http://www.securitycatalyst.com/the-top-5-reasons-you-wont-hear-about-a-breach/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 11:46:08 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[breach]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=629</guid>
		<description><![CDATA[By Aaron Titus I have personally discovered more than a hundred data breaches by schools, companies, doctors&#8217; offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law. Here are the most common reasons: Failure to Detect Market [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>By Aaron Titus</strong></p>
<p>I have personally discovered more than a hundred data breaches by schools, companies, doctors&#8217; offices, tax professionals, government agencies, and individuals over the past several years. Unfortunately, very few of the breaching entities proactively announce an average breach, regardless of the law.  Here are the most common reasons:<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/extra.jpg"><img class="alignright size-medium wp-image-998" title="extra" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/extra-300x198.jpg" alt="extra" width="300" height="198" /></a></p>
<ol>
<li><strong>Failure to Detect</strong></li>
<li><strong>Market Devaluation of Privacy</strong></li>
<li><strong>Poor Communication</strong></li>
<li><strong>Ignorance of Law</strong></li>
<li><strong>Notification Difficulty</strong></li>
</ol>
<h3>Failure to Detect</h3>
<p>Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not keep proper logs. Thus, when a press release reads, &#8220;we have no evidence that the sensitive information was accessed…&#8221; it may simply mean that they did not keep any records, and thus literally have &#8220;no evidence.&#8221;</p>
<h3>Market Devaluation of Privacy</h3>
<p>The market does not value privacy. Ensuring privacy is expensive, but the costs of violating privacy are small. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR &#8216;costs&#8217; of announcing a breach (especially when no hard proof of access exists) far outweigh any benefits.</p>
<p>In addition, most data breach notifications laws only require an organization to say, &#8220;Oops.&#8221; If the organization is feeling nice, they&#8217;ll say, &#8220;Oops, sorry.&#8221; And if they&#8217;re feeling gregarious, they&#8217;ll say, &#8220;Oops, sorry, and here&#8217;s a free report of how much damage has been done to your credit. You&#8217;ll still be at risk for years to come, though, so stay vigilant. Good luck.&#8221; But they have no responsibility to help you recover from financial identity theft, medical identity theft, or criminal identity theft. Merely getting a credit report does not protect against any of these risks.</p>
<h3>Poor Communication</h3>
<p>A cruel irony of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization with the most incentive to skew the details. The breaching entity&#8217;s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible.</p>
<p>I have read dozens of breach announcements, and they almost write themselves: &#8220;On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.&#8221;  Keeping a victim in the dark about the details protects only the breaching entity.</p>
<h3>Ignorance of Law</h3>
<p>Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.</p>
<h3>Notification Difficulty</h3>
<p>For the most part, organizations which choose not to report breaches get away with it.  But even under good circumstances, 100% victim notification is impossible. People move, phone numbers change, or addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.</p>
<p>I have suggested solutions to some of these problems <a href="http://www.securitycatalyst.com/in-defense-of-breach-notification-laws-sort-of/">here</a> and with the creation of <a href="http://www.nationalidwatch.org">National ID Watch</a>.</p>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, and runs <a href="http://www.nationalidwatch.org">National ID Watch</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/the-top-5-reasons-you-wont-hear-about-a-breach/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>In Defense of Breach Notification Laws (sort of)</title>
		<link>http://www.securitycatalyst.com/in-defense-of-breach-notification-laws-sort-of/</link>
		<comments>http://www.securitycatalyst.com/in-defense-of-breach-notification-laws-sort-of/#comments</comments>
		<pubDate>Thu, 18 Dec 2008 04:25:08 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=612</guid>
		<description><![CDATA[Starting with California&#8217;s 2003 law, all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2008/12/defense.jpg"><img class="alignleft size-full wp-image-966" title="defense" src="http://www.securitycatalyst.com/wp-content/uploads/2008/12/defense.jpg" alt="defense" width="150" height="150" /></a>Starting with California&#8217;s 2003 law,<a name="note1"></a> all but a handful of states have now enacted breach notification laws (BNLs).  Though each is subtly different, all notification laws recognize that if your identity, or <a href="http://www.securitycatalyst.com/blog/2008/11/when-did-my-personal-information-become-your-property/">Data Self</a>, is treated as mere chattel, it is subject to fraud and abuse.  These laws require data stewards to notify an individual when his identity has been lost or kidnapped.</p>
<p>Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property.  <strong>If Self is data, and data is property, then Self is property</strong>.  If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property.  <em>Identity Theft</em> is just that:  Where a person&#8217;s Data Self is stolen and abused.</p>
<h2>Measures of BNL Success</h2>
<p>With five years of breach notification law experience, it is essential to ask, &#8220;<a href="http://www.securitycatalyst.com/blog/2008/10/selective-notification/#comments" target="_blank">Are they working?</a>&#8221; My shorthand answer is &#8220;yes, sort of.&#8221;</p>
<p>I&#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater.  Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&#8217;t at risk if they don&#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings.  But their success or failure should be measured in several ways:</p>
<ol>
<li>Decreased Incidence of Identity Theft</li>
<li>Increased Awareness and Identity Control</li>
<li>Decreased Risk Behaviors and Incidence of Breach</li>
<li>Increased Victims&#8217; Rights</li>
</ol>
<p><a name="idtheft"></a></p>
<h3>1. Decreased Incidence of Identity Theft</h3>
<p><strong>Q: Do breach notification laws decrease identity theft?</strong><br />
<strong>A: Probably not.</strong> Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&#8217;s Data Self.<a name="note3"></a> However, researchers <a href="http://www.romanosky.net/">Sasha Romanosky</a>, <a href="http://www.heinz.cmu.edu/~rtelang/rahul_res.html">Professor Rahul Telang</a>, and <a href="http://www.heinz.cmu.edu/~acquisti/index.html">Professor Alessandro Acquisti</a> presented a <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf">well-reviewed paper</a> which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates.  Instead, they suggest that a state&#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.</p>
<p><a name="control"></a></p>
<h3>2. Increased Awareness and Identity Control</h3>
<p><strong>Q: Do breach notification laws increase identity risk awareness?  How about consumers&#8217; control over their identities?</strong><br />
<strong>A: Yes, to varying degrees.</strong> A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details.  Many breaches go under- or unreported, regardless of law.  Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.  In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:</p>
<ul>
<li><strong>Who</strong>: The class of victims affected by the breach.</li>
<li><strong>What</strong>: A complete list of exposed information, not just the ones required by law.</li>
<li><strong>Where</strong>: Exposing entity&#8217;s contact information.</li>
<li><strong>How and When</strong>: Sufficiently detailed information about how and when the breach occurred.</li>
<li><strong>How Much</strong>: Total number affected, Sensitivity of information exposed, Duration of exposure, and Distribution method (i.e., stolen laptop, online exposure, or dumpster).</li>
<li><strong>What Now</strong>: A clear statement of consumer&#8217;s legal rights (or lack of rights); Concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; Suggested actions for the victim.</li>
</ul>
<p>Of course, breach notification laws have much more lax reporting requirements than these.  And although I agree that the average breach announcement is &#8220;noisy,&#8221; I think it would be a mischaracterization to label them as nothing more than &#8220;noise.&#8221;  Even the least specific notifications build public awareness.  For better or worse, most public awareness of identity risks comes from news bulletins about data breaches.  Although none of the announcements may put any particular individual on notice of a personal risk, these &#8220;noisy&#8221; notifications have a net positive effect of educating the population at large.</p>
<p><a name="risk"></a></p>
<h3>3. Decreased Risk Behaviors and Incidence of Breach</h3>
<p><strong>Q: Do breach notification laws decrease individual risk behavior?</strong><br />
<strong>A: Probably not</strong>, but they have the potential to.  An effective notification must contain <em>actionable intelligence</em>, which means Intelligence plus Action.  For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue.  You see bubbles.  What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.</p>
<p>However, imagine you&#8217;re on the same raft, and you see bubbles.  But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.</p>
<p>An alert is only effective when it empowers a person to act.  Typical breach announcements usually do nothing to empower individuals.  Effective breach notifications require both <em>intelligence</em> and <em>action</em>.  If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.</p>
<p>Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach.  After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable repute.</p>
<p>It&#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.</p>
<p><strong>Q: Do breach notification laws encourage organizations to improve behavior?</strong><br />
<strong>A: Probably yes.</strong> The <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf">Romanosky paper</a> found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches.  However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy.  Both the <a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm">Privacy Rights Clearinghouse</a> and the <a href="http://datalossdb.org/">OSF Data Loss Database</a> show a steady, and perhaps even increasing number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.</p>
<p><a name="rights"></a></p>
<h3>4. Increased Victims&#8217; Rights</h3>
<p><strong>Q: Do Breach Notification Laws Create New Rights for Consumers? </strong><br />
<strong>A: Absolutely yes.</strong> While not the silver bullet to cure all ills, breach notification laws are an important first step toward creating rights for victims of breaches.  Before BNLs, nobody had the right to know whether their Data Self had been compromised.  Additional legislation will be necessary to address existing and emerging identity threats.  Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of <a href="http://www.securitycatalyst.com/blog/2008/11/when-did-my-personal-information-become-your-property/">digital human trafficking</a>.</p>
<h3>Legislative Improvements</h3>
<p>Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:</p>
<ol>
<li><strong>&#8220;Stewards,&#8221; not &#8220;Owners&#8221;</strong>: Given the tenuous and dangerous legal basis for &#8220;owning&#8221; personal information, notification laws should replace the concept of &#8220;personal information owners&#8221; with &#8220;personal information stewards.&#8221; This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can&#8217;t &#8220;own&#8221; a Data Self.  When Self is Data and Data is Property, then we run the risk that Self becomes Property.</li>
<li><strong>Expand Reporting Requirements</strong>: Breach notifications should provide actionable intelligence, including <em>who, what, when, how, how much, and &#8220;what now?&#8221;</em> of each breach.</li>
<li><strong>Standard Measures of Risk</strong>:  I suggest using Size, Sensitivity, Duration, and Distribution.</li>
<li><strong>Presumptive Loss</strong>: In order to successfully sue for a breach, a consumer must 1. Become an actual victim of identity theft, 2. Find the identity thief, 3. Prove that the thief&#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. Prove that the entity had a legal obligation to keep that information private (a rare duty).  This is an unreasonable and often insurmountable burden of proof.  Instead, Tennessee has adopted a small presumptive &#8220;ascertainable loss&#8221;<a name="note5"></a> whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&#8217;s failure to value privacy.</li>
<li><strong>Require a Data Audit Trail</strong>:  Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared.  This data trail would be used for data audits and could help establish causation in the case of a breach.</li>
<li><strong>Automatic Credit Reporting</strong>: Consumers should get an automatic notification at any activity on their credit.</li>
</ol>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a> and runs <a href="http://www.nationalidwatch.org">National ID Watch</a>, and welcomes feedback.</em></p>
<hr />
<h3>Footnotes</h3>
<p><a name="footnote1"></a> Cal. Civ. Code §§ 1798.82-84.<br />
<a name="footnote2"></a> <em>See, e.g.</em> N.H. Rev. Stat. § 359-C:2.<br />
<a name="footnote3"></a> <em>See, e.g.</em> Ga. Code § 10-1-910(4),(7).<br />
<a name="footnote4"></a> <em>See, e.g.</em> Cal. Civ. Code § 1798.81.5.(a).<br />
<a name="footnote5"></a> <em>Tenn. Code</em> § 47-18-2102(1).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/in-defense-of-breach-notification-laws-sort-of/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>When Did My Personal Information Become Your Property?</title>
		<link>http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/</link>
		<comments>http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/#comments</comments>
		<pubDate>Thu, 13 Nov 2008 10:12:06 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[human trafficking]]></category>
		<category><![CDATA[Personal Information]]></category>
		<category><![CDATA[property]]></category>
		<category><![CDATA[self]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=579</guid>
		<description><![CDATA[A colleague recently asked me, &#8220;When did my personal information become someone&#8217;s property?&#8221; It&#8217;s a question with a vital answer, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my [...]]]></description>
			<content:encoded><![CDATA[
<p>A colleague recently asked me, &#8220;When did my personal information become someone&#8217;s property?&#8221;  It&#8217;s a question with a vital answer, because if my personal information <em>belongs</em> to someone else, then they can do whatever they want with it.  If data is property, then they can buy, sell, license, or give away my identity without my consent.  This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.</p>
<p>But if personal information really were property, then I should be able to permanently sell, or &#8220;alienate,&#8221; it. Unfortunately, I can&#8217;t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it&#8217;s not my problem. But we all know that if I sell my personal information and the new owner &#8220;crashes&#8221; my identity, I suffer. Unlike all other forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, <strong>you&#8217;re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.</strong></p>
<h1>Data is Property</h1>
<p>Data behaves like property because 1. Data has <strong>value</strong>, like property; 2. Data is <strong>fungible</strong>, like property; and 3. Data is <strong>alienable</strong>, like property. For most types of information (i.e., trade secrets, copyrightable or patentable information, etc.), Intellectual Property law treats data like property with no problems, because trade secrets and patents are <strong>valuable, fungible, and alienable</strong>.</p>
<p>However, the analogy between data and property breaks down when we get to personal information, primarily because personal information is NOT alienable. Consequently, Intellectual Property law does not generally treat personal information as property.<a name="note1" href="#footnote1"><sup>1</sup></a> Most personal information, such as names, addresses, phone numbers, and social security numbers, consists of facts. Facts are not copyrightable.<a name="note2" href="#footnote2"><sup>2</sup></a> You can&#8217;t patent personal information,<a name="note3" href="#footnote3"><sup>3</sup></a> and it certainly isn&#8217;t a trade secret.<a name="note4" href="#footnote4"><sup>4</sup></a> In short, nobody &#8220;owns&#8221; my name, including myself. And if someone could &#8220;own&#8221; my name, it would most logically be my parents, since they created it. But my mom can&#8217;t copyright my date of birth, and the government can&#8217;t patent my social security number. My phone number is not an AT&amp;T trade secret, nor is it mine.</p>
<p>Personal information is <strong>valuable</strong> and <strong>fungible</strong>. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. United States election law requires candidates to disclose the value of all in-kind campaign donations, including databases of potential voters.<a name="note5" href="#footnote5"><sup>5</sup></a> Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. And personal information is extremely fungible, as information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency.<a name="note6" href="#footnote6"><sup>6</sup></a></p>
<p>Because personal information is valuable and fungible, it is often treated like property. Tort law implies that some forms of privacy come from a trademark-like ownership of one&#8217;s name and likeness.<a name="note7" href="#footnote7"><sup>7</sup></a> Even breach notification laws seem to assert that companies which collect personal information &#8220;own&#8221; it.<a name="note8" href="#footnote8"><sup>8</sup></a></p>
<p>But that isn&#8217;t the whole story. Unlike every other form of property, personal information (such as bank account numbers, credit scores, social security numbers, or police reports) is <strong>not alienable</strong>, even if a third party creates it. And unfortunately, you don&#8217;t have any constitutional right of privacy when you give your personal data to a third party.<a name="note9" href="#footnote9"><sup>9</sup></a></p>
<p>Because personal information is not alienable, it is sufficiently different from traditional &#8220;property&#8221; that IP law does not provide a helpful framework for managing it.</p>
<h1>Self is Data</h1>
<p>In the Information Age, you are not much more than &#8220;an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.&#8221;<a name="note10" href="#footnote10"><sup>10</sup></a> In other words, a person may now be defined as just a few pieces of data. This data is your <em>Data Self</em>. Your Data Self is a collection of your credit report, Facebook page, Google results, bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.</p>
<p>When your Data Self belongs to someone else, it can be forced to act against <em>your</em> will.  If someone makes your Data Self sign a contract, you are bound by it.  If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it.  If your Data Self has an operation, you may no longer qualify for medical insurance.  If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, &#8220;Identity Theft&#8221; might be more descriptively defined as &#8220;Digital Kidnapping.&#8221;  Identity Theft is when someone pretends to be you by &#8220;kidnapping&#8221; your Data Self, doing something bad, and you get blamed.</p>
<h2>Self is Property</h2>
<p>In my view, this is a startling development.  As long as my Data Self is a third party&#8217;s possession, then they can also treat me like property.  In other words, <em>if Self is Data and Data is Property, then Self is Property</em>.  The now popular crime of Identity Theft is the most visible consequence of this trend.  In fact, <strong>&#8220;Identity Theft&#8221; epitomizes the problem with treating personal information as property:  The very term recognizes that you have an alter-ego digital &#8220;identity&#8221; or Data Self. It also acknowledges that your Data Self can be stolen and abused, like property</strong>.</p>
<p>Fortunately the 13th Amendment ended human trafficking, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society.  Instead, a person&#8217;s economic value now lies in his access to financial assets and credit.  Our Data Selves are easy to coerce, and people are now worth more in bytes than in flesh and blood.  As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.</p>
<p>Facing the possibility of this new class of crimes, the law should not permit personal information to be treated as property, nor can we afford to go down that path.</p>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, runs <a href="http://www.nationalidwatch.org">National ID Watch</a>, and welcomes feedback.</em></p>
<hr />
<h3>Footnotes</h3>
<p><a name="footnote1"></a><a href="#note1">1</a>. 19 NO. 7 <em>Intell. Prop. &amp; Tech. L.J.</em> 5, 8<br />
<a name="footnote2"></a><a href="#note2">2</a>. <em>Feist Publications, Inc. v. Rural Telephone Service</em>, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. &#8220;As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.&#8221;)<br />
<a name="footnote3"></a><a href="#note3">3</a>. 35 U.S.C.A. §§ 101-102.<br />
<a name="footnote4"></a><a href="#note4">4</a>. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 <em>Intell. Prop. &amp; Tech. L.J.</em> 5, 8.<br />
<a name="footnote5"></a><a href="#note5">5</a>. 2 U.S.C.A. § 431(8)(a).<br />
<a name="footnote6"></a><a href="#note6">6</a>. Identity Theft Resource Center, <a href="http://www.idtheftmostwanted.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml"><em>Press Release &#8211; 2007 Breach List</em></a>; Privacy Rights Clearinghouse, <a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"><em>A Chronology of Data Breaches</em></a>.<br />
<a name="footnote7"></a><a href="#note7">7</a>. &#8220;Tort&#8221; law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person&#8217;s name or picture for financial gain: <em>Rest. 2d Torts</em> § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual &#8220;exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.&#8221;).<br />
<a name="footnote8"></a><a href="#note8">8</a>. <em>See, e.g.</em> Cal. Civ. Code § 1798.81.5(a).<br />
<a name="footnote9"></a><a href="#note9">9</a>. <em>United States v. Miller</em>, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual&#8217;s rights).<br />
<a name="footnote10"></a><a href="#note10">10</a>. Solove, Daniel J., <em>The Digital Person</em>. New York University Press, New York. 2004. p. 2.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/when-did-my-personal-information-become-your-property/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Selective Notification</title>
		<link>http://www.securitycatalyst.com/selective-notification/</link>
		<comments>http://www.securitycatalyst.com/selective-notification/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 10:05:29 +0000</pubDate>
		<dc:creator>Aaron Titus</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548</guid>
		<description><![CDATA[As the Privacy Director for the Liberty Coalition, I have discovered and documented roughly 100 breaches on our website, SSNBreach.org. There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who&#8217;s responsible. The vast majority of these breaches are [...]]]></description>
			<content:encoded><![CDATA[
<p>As the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, I have discovered and documented roughly 100 breaches on our website, <a href="https://www.ssnbreach.org">SSNBreach.org</a>. There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who&#8217;s responsible. The vast majority of these breaches are unintentional. Except for breaches by criminal ID theft rings, most breaches are due to ignorance, recklessness or plain stupidity, but not maliciousness.</p>
<h2>Inside the Breach</h2>
<p>I recently announced such a breach by <a href="https://www.ssnbreach.org/release.php?g=101">East Burke High School</a> in the small North Carolina town of Connelly Springs.  In short, a staff member had placed personal information online for more than five years.  The victims included 163 teachers, bus drivers, custodians, and others who worked at East Burke High School in 2003.  The information exposed included names, social security numbers, addresses, phone numbers, job titles, e-mail addresses, and a few unlisted phone numbers.</p>
<p>I notified the school, which removed the file within 20 minutes, and also worked to clear search engine caches. I then worked directly with the Superintendent, <a href="http://www.burke.k12.nc.us/">David Burleson</a>, who asked for my help drafting a letter to victims, which I was happy to do. As I drafted the letter I put factual assumptions in [brackets], and for the sake of expediency omitted some of the instructions, replacing them with asterisks. I handed him the letter and told him to review it for factual accuracy and run it by his legal counsel. In addition to the brackets and asterisks, my draft of the letter committed the school district to do five things, including contracting with an identity theft protection company to provide free credit protection services to victims.</p>
<p>Days after I sent the letter to the school district, the Hickory Record ran a copy of <a href="http://www2.hickoryrecord.com/content/2008/sep/08/letter-east-burke-high-school-employees/">the letter as sent by the school district</a>, and I had to chuckle when I saw all of my brackets and asterisks still in the final copy. For example, &#8220;As of now, [we don't have any evidence that anyone with bad intentions has seen your personal information].&#8221; I also wanted their general counsel to confirm whether North Carolina allowed for credit freezes. The final copy encourages victims to get a credit freeze, with a note to the general counsel: &#8220;[Note: Not all states allow a credit freeze].&#8221; And this omission for the sake of expediency: &#8220;visit www.ftc.gov, and click on &#8220;***&#8221; for more information.&#8221; The Hickory Record has since done some copy editing on behalf of the school district, and edited out the brackets.</p>
<h2>Therefore, What?</h2>
<p>Now in their defense, I&#8217;ve got to give the school district credit for making a good faith effort to notify their employees of the breach.  And I can&#8217;t be too critical of their failure to edit the letter, especially in a small school district with limited resources.</p>
<p>On the other hand, it turns out they <em>did</em> edit the letter.  The school district conveniently removed the promise to provide identity theft protection services to victims.  This selective editing is symptomatic of systemic problems with protecting consumer privacy:</p>
<ul>
<li><strong>The market does not value privacy</strong>.  Ensuring privacy is expensive, but the costs of violating privacy are small.  This means that there is a strong financial incentive to do as little as possible to prevent, announce, or clean up a breach.  The result is victims often don&#8217;t get all of the facts or protections they need.</li>
<li><strong>The fox is guarding the hen house</strong>.  A cruel irony of data breaches is that the responsible organization has a strong incentive to hide or skew the details.  Many breaches are under-reported or unreported, regardless of applicable law.  With <em>very</em> few exceptions, even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.</li>
<li><strong>Privacy Naivety</strong>.  If you have ever asked customer service, &#8220;does your organization ever share my personal information with other organizations,&#8221; the answer is always (and incorrectly) &#8220;no.&#8221;  Unfortunately, consumers incorrectly assume that laws and privacy policies protect their personal information.  Employees incorrectly assume that their privacy practices are sound, while company policies often amount to little more than a privacy waiver.  An environment of naivety breeds carelessness and increases the risk of breaches.</li>
</ul>
<p>Consumers should always read breach announcements with a skeptical eye, and press the breaching organization for as much detail as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/selective-notification/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
