Personal Privacy vs. the Internet

Introduction

Beginnings of an ethical issue

Information-gathering as profit driven

The increasing practice of information intrusion practiced by the business community (Stefik, 1999) for profitability conflicts is a core issue in the debate of personal privacy and the Internet.Consumers fear these data-mining techniques for direct mail market purposes implying that marketing procedures inhibit their control over the distribution of their personal information.In addition, the Internet is criticized for shifting the control of personal information from the consumer over to businesses.

Why is personal information so valuable to an individual?

“ Information is the means through which the mind expands and increases its capacity to achieve its goals, often as the result of an input form another mind. Thus, information forms the intellectual capital from which human beings craft their lives and secure dignity.”

How does the Internet differ from other forms of information gathering practices?

Globalizes access to information

Diffusion of a centralized unit of control to govern flow of information

Ability to collect information

How is privacy invaded on the Internet?

Personal information provided on the Internet

Online transactions

One assumption concerning e-mail messages is that it is a relatively secure means of communication.However, when compared to a postal letter, e-mail messages are unencrypted and travel through an unregulated and unpredictable environment whereas a letter is only handled by the postal service (Berman & Mulligan, 1999).When e-mail or any of other form of information is sent online from one area to another, it is disassembled into different parts called “packets” that may take different paths through the network to arrive at the final destination (Hancock, 2001).There is, therefore, the possibility that an eavesdropper called a “packet sniffer” may intercept the “packets” and reassemble the message, resulting in a deliberate invasion of privacy.

c)Online commerce

E-commerce websites are also capable of invading personal privacy through the method of user self-divulgence (Gindin 1997).Consumers self-divulge personal information to merchants in order to: proceed with purchasing goods or services, sign into a website, and obtain free merchandise.Although, self-divulgence of information by the consumer may appear as a voluntary practice, this procedure is considered a threat to privacy.Since consumers are highly unaware of the various consequences. It is important to highlight that consumers should not have to surrender sensitive personal information in exchanging payment for goods or services (Kelly & Rowland, 2000).

d)Search engines

Search engines use “robots” to filter through information on the Web and Usenet newsgroups. Usenet postings may appear to be a “collegial and confidential exchange of information” (Gindin 1997:8) and are archived during Internet-wide distribution.Search engines invade an Internet-users privacy through their ability to capture information preserved on Usenet postings and archived listserv postings (Gindin 1997).Therefore, an individual must be cautious when writing personal information on Usenet postings.

Government records

A major initiative in North America is to make government records readily available to the public through online practices (Berman & Mulligan 1999).This initiative is becoming a reality in Canada as the federal government prepares to implement an online government service called the Secure Channel (Hancock 2001).The Secure Channel consists of an online network enabling citizens to perform transactions such as paying taxes, applying for benefits and starting business.The goal of the Canadian government is to have an electronic government in place by the year 2004 that permits citizens to conduct transactions by computer and through wireless devices such as personal digital assistants.

The obvious concern for the Internet-user regarding the Secure Channel initiative is the safety and encryption of transactions online.The Internet is not impermeable to “hackers” since even the most secure online facilities and databases of the military and financial institutions have been penetrated (Givens 2001).In addition, the presence of an e-government online produces an incentive for cybercriminals to develop new programs and software in order to penetrate such e-facilities.

Importance of safeguarding personal material 

“IBM Corp. Chairman and Chief Executive Louis Gerstene recently noted in a wide-ranging keynote speech how many Internet consumers now regularly give false personal details such as name, address, age and income level on the frequent questionnaires required to enter many websites. “They say they’re Albert Einstein with an income of $5 and an E-mail address of E=MC squared.Worthless data. (Hinde 2001a:22)"

Finally, ensuring data protection during Internet use increases trust during e-commerce transactions.As Gindin (1997) indicates, many consumers are nervous about electronic privacy and conducting retail transactions online.It is in the best interest for organizations to comply or produce privacy policies in order to build trusting relationships with consumer to drive e-commerce transactions.

There is a slight paradox present, however, where the augmentation in e-commerce sales over the years has not developed as a result of privacy policy implementation but the adaptation of aggressive information collection strategies.Although, this practice allowed companies to gain considerable profits, it the cause of the huge mistrust and apprehension that consumers maintain over e-commerce.In the near future, it will be interesting to note the proportion of companies willing to change their information practices with the introduction of privacy legislation.

Methods of privacy protection

a)Government protection through legislation

·Opinions, evaluations, comments, social status, or disciplinary actions

·Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant.

This act comes into effect over three stages where the primary stage involves federal works, undertakings and businesses such as banks, airlines, telecommunications, radio and television broadcasting.Effective January 1, 2002, the Act protects personal health information such as health services provided, tests and examinations from federal organizations.The final stage will be implemented in January 1, 2004 effecting any commercial activity occurring within provinces not governed by any personal information privacy policies.At present, Quebec is the only province with personal information privacy legislation and other provinces and territories are only considering implementing similar policies.

The provisions of the act can be disregarded when information collection clearly benefits an individual whole consent cannot be obtained within a timely manner. Unfortunately, there are no examples provided by the source George Radwanski (2001), the Privacy Commissioner of Canada to illustrate this situation. In addition, this act does not apply to law enforcement agencies requiring information for investigative purposes.

United States 

Currently, there is no single comprehensive federal law governing privacy rights of personal information in online and offline activities (Kelly and Rowland 2000, Gindin 1997).According to Erbschloe & Vacca (2001), privacy laws vary widely without a single federal government privacy entity attempting to control or guide them.The United States does not possess any privacy offices that are present in European countries and Canada (Givens 2000).The most analogous federal agency is the Federal Trade Commission (FTC) that has assumed the role of privacy watchdog and enforcement agency.Although, the FTC is unable to enforce any comprehensive federal legislation governing all organizations on the issue of online privacy, the agency is able to exhibit its regulatory powers upon individual corporations. In 1998, the FTC sued GeoCities for unfair and deceptive practices, alleging that this corporation gathered information on its customers including childr
The settlement led to GeoCities posting a comprehensive privacy notice indicating its information gathering practices, what the information will be used for and how individuals could access and remove the data.

Numerous privacy laws have been introduced into state and federal legislature and have been killed effectively by industries whose actions might have been constrained them (Kling 1995).Private enterprise advocates dispel privacy legislation by suggesting these practices hamper the competitiveness of businesses or the efficiency of government (Kling, 1995) The repeated rejections of privacy laws by industries might explain the Clinton administration’s preference of industrial self-regulation as the means of dealing with online privacy (Kelly and Rowland 2000). The laws that do exist within federal and state legislation realms are rather specific and range from anti-stalking ordinances to the prohibition of Web cams in public areas (Erbschloe & Vacca 2001).Most legislation has been introduced at the State and/or sectoral level. In 2001, there have been at least over 50 bills introduced into State legislature addressing privacy concern with only two Bills (Utah and California) relating to data protection standards for the Internet (Hinde 2001b).

The closest practice towards privacy legislation indirectly related to the Internet by the federal U.S. government thus far is an updated version of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.The Department of Health and Human Services introduced explicit rules, “if you manage, store, or move any personal medical information, you must ensure the privacy and security of that data, or face possible jail time” (Hinde,2001a:21).

European Union 

The European Union (composition of members illustrated in Table 1) introduced the Directive on Data Protection legislation effective October 25, 1998. This policy enforcesmember countries to enact comprehensive laws governing the processing of personal data within12 years.Organizations that collect data must identify to the individual the controller or collector of the data, the purposes of information processing, which data is voluntary and which are obligatory (Stefik, 1999).In addition, individuals have the right to veto information-collecting practices if desired (Cyberspace Law, 1999).

Furthermore, European companies that fall within this privacy legislation are prohibited from transmitting personal data to countries that do not ensure privacy protection similar to the European directive (Kelly & Rowland, 2000). This development poses great economic trade issues between European organizations and those located in foreign countries that have not introduced similar privacy laws. Canada does not fall into this category with the recent introduction of the Personal Information Protection and Electronic Documents Act. However, European legislation poses difficulties for American commerce due to the lack of comprehensive privacy laws in the United States.In reaction to this economic barrier, the United States has introduced the Safe Harbor proposal in order for American companies to be considered “safe” to European countries (Cyberspace Law, 1999, Hinde 2001b).The Safe Harbor initiative is as follows,

“To be considered “safe” organizations must either a) enlist in a privacy protection

program, b) be under regulatory laws of certain industries that have adopted protection

policies, or c) to incorporate the principles in the agreements for information transfer

directly with the European member countries (Cyberspace Law 1999:6)”

The Safe Harbor proposal developed as a voluntary reaction to address continual commercial pressure to maintain trade negotiations with Europe (Hinde 2001b).The reactionary development of the Safe Harbor initiative suggests that U.S. government operates in favour of its commercial sector over its citizens with regards to data protection.An obvious insight since congress is slow to initiate cyber laws to protect citizen’s online privacy protection despite public pressure (Hancock, 2001).

One problem associated public privacy laws is that its expansion at the national and international levels may result in overlapping rules and direct conflict developing uncertainty to the record keepers and subjects (Gellman 1997a).These overlaps and conflict are the result of regulatory strategies that vary widely from one country but not another.An excellent example is the conflict between the U.S. and European legislations over personal information privacy.For instance, United States endorses industry self-regulations whereas Europe favours government legislation of data protection to benefit their citizens.

Another problem associated with government legislation is the difficulties in enforcing these policies over a broad target (Gellman 1997b). There are many institutions, public and private affecting the personal privacy of consumers illustrating the broad range of targets affected by legislation. In addition, the target changes daily where many new sites created daily causing difficulty in surveillance where it is inefficient and costly.Finally, the global nature of the Internet poses difficulties in the active enforcement of these policies.According to Gellman (1997b), individual enforcement does not work well.

Furthermore, it is important to highlight the presence of legal “loopholes” in current privacy legislation as illustrated in the Canadian act.The “loopholes” are associated with surveillance undertaken by employers and law enforcement agencies.Most legislation is geared towards protecting the personal information of a citizen in the commercial realm.

For example, current public privacy legislation does not safeguard the transmission of messages sent through a company e-mail system.In a recent poll, 84% of employees admitted to sending personal e-mails through work systems in order to balance busy work and home lives (Bovee & Thill, 2000). Companies are allowed to review the contents of e-mail by indicating that employees sending e-mail or surfing are stealing time from work to deal with personal matters.In addition, employees are stealing computer resources to send and store personal messages.In these situations, it is the employers who implement their own privacy policies.

Another situation involves law enforcement agencies that are allowed to monitor individuals without their consent if they are not suspect but essential for investigative purposes.Many privacy advocate groups argue that surveillance methods in these realms are forms of social control infringing on an individual’s privacy right (Lyon, 1994).
 

b)Industrial self regulation – private sector enforcement of regulated policies and practices

to implement and regulate statutory privacy rules (Gellman, 1997a).Policies are developed by information industry groups with the goal of initiating fair guidelines to assist the corporate sector (Gindin, 1997).These organizations have developed in response to the increasing marketplace and governmental pressures over the right of information privacy.

One such group is Online Privacy Alliance created in June 1998 comprised of more than 50 U.S. computer, media, marketing companies and trade associations (Kelly & Rowland 2000).The goal of the Online Privacy Alliance is to develop comprehensive privacy policies for Web merchants.If a merchant conforms to the alliance’s guidelines, they will receive a “seal of approval” to display on their web sites.

Industry self-regulation may be advantageous over government legislation, as these policies might be easier to implement within a limited number of selected individual sites with constant supervision. In contrast, government laws are rather hard to enforce over a broad scale of sites with new ones developed daily.

However, the introduction of private laws in place of public laws has been criticized as ineffective in protecting the online privacy rights of citizens.Most of the sites with privacy policies only provide a general notice that information is being collected from the visitor (Kelly & Rowland 2000).The FTC concluded from a 1998 study of 1402 web sites that self-regulation had fallen short of what was required to protect consumer privacy (Kelly & Rowland, 2000).In fact, 92% of web sites surveyed gathered information with only 14% of these sites informing the consumer of these practices (Hinde 2001a).

Another issue related to industry self-regulation is the immediate change that a industry regulated privacy policy may undergo within the course of day as the consequence of situations such as bankruptcies.For instance, Givens (2000) reports how the bankruptcy of Toysmart.com allowed its database to be sold as a company asset.On the whole, consumers must be cautious when relying on industry self-regulations for enforcement of privacy protection since it is the private sector they are trying to protect themselves from. To rely on these companies to set privacy policy ground rules might be harmful to the consumer in the end as these rules can change immediately without notice.
 

c)Self-protection with the assistance of the corporate sector

PETs do offer a sense of personal information protection for a consumer.However, these methods should not be relied upon as the sole means to guaranteeing privacy.The reality is that “hackers” are forever present to steal information (Givens 2000).Furthermore, there are far more technologies available than PETs that are able to collect, store, manipulate, and retrieve data (Kling 1995).In addition, PETs do not affect companies in their offline practices of information gatherings in contrast to government legislation policies that can protect against these practices (Givens 2000).Finally, a reliance on technology further removes the human in the struggle for protecting their human right to privacy (Givens 2000).
 

d)Self-protection without any assistance

Conclusion

Cooperative effort is also required from all parties involved in privacy protect to find adequate solutions.More importantly, citizens must maintain the pressure they have exerted on public and private sectors to ensure privacy protection on and offline.Interestingly enough, the Internet has facilitated the collection of personal information resulting in outcry for privacy protection. It is, however, with the assistance of the Internet where consumers have built substantial pressure by voicing their concerns over this global medium.

Table 1.Countries participating in the European Union.Taken from (Erbschloe & Vacca,

2001).

BIBLIOGRAPHY

Bernal, J. (1999). Big Brother is On-line: Public and Private Security in the Internet. Retrieved, from the World Wide Web: http://www.socio.demon.co.uk/magazine/6/enfopol_echelon.html

Boveé, C. L., & Thill, J. V. (2000). E-Business in Action. Toronto: Pearson Company.

Cavoukian, A., & Tapscott, D. (1995). Who knows: Safeguarding your privacy in a networked world. Toronto: Random House of Canada.

CyberspaceLaw. (1999). Personal Privacy in the Computer Age. Retrieved, from the World Wide Web: http://www.lclark.edu/~loren/cyberlaw99/projects/kdavid/projhome.htm.

Erbschloe, M., & Vacca, J. (2001). Net Privacy: A Guide to developing and Implementing an Ironclad EBusiness Privacy Plan. New York: McGraw-Hill.

Gellman, R. (1997a). Conflict and Overlap in Privacy Regulation: National, International, and Private. In B. Kahin & C. Nesson (Eds.), Borders in Cyberspace . Cambridge: The MIT Press.

Gellman, R. (1997b). Does Privacy Law Work? In P. Agre & M. Rotenberg (Eds.), Technology and Privacy: The New Landscape . Cambridge: The MIT Press.

Gindin, S. (1997). Lost and Found in Cyberspace. Retrieved, from the World Wide Web: http://www.info-law.com/lost.html

Givens, B. (2001). A Review of Current Privacy Issues. Retrieved, from the World Wide Web: http://www.privacyrights.org/ar/Privacy-IssuesList.htm.

Givens, B. (2000). Eight Reasons to be Skeptical of a "Technology Fix" for Protecting Privacy. Retrieved, from the World Wide Web:http://www.privacyrights.org/ar/8skeptical.htm.

Hansell, S. (August 16, 1998). Big Web Sites to Track Steps of Their Users. New York Times, pp. A1.

Hancock, B. (2001). Security Views. Computers and Security, 20, 348-363.

Hinde, S. (2001). 2001: A Privacy Odyssey. Computers and Security, 20, 21-27.

Hinde, S. (2001). The Search for Privacy. Computers and Security, 20, 127-131.

Johnson, D., & Post, D. (1997). The Rise of Law on the Global Network. In B. Kahin & C. Nesson (Eds.), Borders in Cyberspace . Cambridge: The MIT Press.

Kelly, E., & Rowland, H. (2000). Ethical and Online Privacy Issues in Electronic Commerce. Retrieved, 2000, from the World Wide Web: http://special.northernlight.com/ecommerce/issues.htm

Kling, R. (1995). Information Technologies and the Shifting Balance Between Privacy and Social Control. In R. Kling (Ed.), Computerization and Controversy: Value Conflicts and Social Choices (pp. 1-17). San Diego: Academic Press.

Lyon, D. (1994). The Electronic Eye: The Rise of Surveillance Society. Minneapolis: Polity Press.

Mason, R. (1986). Four Ethical Issues of the Information Age. Management Information Systems Quarterly, 10(1), 1-13.

Navrette, A. (1998, ). Going Private. PC World, September issue.

Quick, R. (August 14, 1998). GeoCities Broke Privacy Rule, FTC Declares. Wall Street Journal.

Rule, J., McAdam, D., Stearns, L., & Uglow, D. (1980). The Politics of Privacy: Planning for Personal Data Systems. New York: Elsevier North Holland.

Radwanski, G. (2001). What is the Personal Information Protection and Electronic Documents act? . Ottawa: Supply and Services.

Stefik, M. (1999). The Digital Keyhole: Privacy Rights and Trusted Systems, The Internet Edge: Social, Legal, and Technological Challenges for a Networked World (pp. 197-232). Cambridge: The MIT Press.