Privacy and data protection have become extremely important topics in the internet domain in the last few years. This is primarily because the storage and use of customer information has raised concerns about the
- a. Manner in which this information is collected
- b. Manner in which this information is analyzed for profiling and to predict trends
- c. Multiple fallouts of the propagation of private data across the internet for use by corporations, governments and internet organizations
- d. Unprecedented evolution of technology and its usage in our environment
- e. Incapacity of the legal framework to keep up with and understand the technological advances
The year 2011 was a turning point for issues involving the storage, repurposing, usage and propagation of information collected from users of the internet. Information security, privacy and compliance have become important issues for governments, corporations and individuals. 2011 saw companies like Facebook and Google battling over issues ranging from privacy policies to concerns over what information your mobile phone actually knows about you. However, technology keeps evolving, and privacy issues are sure to follow.
Privacy can involve Personally Identifying Information (PII) or non-PII information such as a user’s behavior on a website. Data about age and physical address alone could identify an individual without explicitly disclosing their name, as these two factors are distinctive enough to identify a definite person. Disclosing IP addresses, non-personally-identifiable profiling and similar data might become an acceptable trade-off for the accessibility that users would otherwise lose by using the alternatives needed to suppress such details rigorously.
The IP addresses passed with interactions through the Internet are no longer unique to a specific end-user device. Due to a shortage of IP addresses, some Internet Service Providers (ISPs) are adopting a practice called Network Address Translation (NAT) to assign and manage IP addresses. When NAT is used, the IP address passed with a communication to its destination (and perhaps recorded at the destination) is different from the IP address that the ISP assigns to the consumer on the “private” side of its network. The public-facing IP address is therefore shared by many users. Associating the public-facing IP address with the unique private address that the service provider assigns to each user therefore complicates the situation further.
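The attribution problem described above can be shown with a small lookup over a NAT translation log. This is an added example, not part of the original article; the log layout, the addresses (documentation range 203.0.113.0/24) and the function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class NatBinding:
    private_ip: str    # address the ISP assigned on the "private" side
    public_ip: str     # shared, public-facing address seen by the destination
    public_port: int   # source port chosen by the NAT for this flow
    start: datetime
    end: datetime

T0 = datetime(2011, 6, 1, 12, 0, 0)  # constructed reference time

def _b(priv, port, start_s, end_s, pub="203.0.113.7"):
    return NatBinding(priv, pub, port,
                      T0 + timedelta(seconds=start_s),
                      T0 + timedelta(seconds=end_s))

# Constructed sample of an ISP's NAT translation log (hypothetical layout).
NAT_LOG = [
    _b("10.0.0.11", 40001, 0, 120),
    _b("10.0.0.42", 40002, 30, 90),
    _b("10.0.0.77", 40001, 300, 360),   # same port reused later by another user
    _b("10.0.0.42", 51000, 0, 600, pub="203.0.113.8"),
]

def candidates(nat_log, public_ip, when, public_port=None):
    """Private addresses that could be behind public_ip at time `when`.

    Without the source port, every subscriber sharing the address at that
    moment is a candidate; with port and timestamp the match narrows.
    """
    hits = {
        b.private_ip
        for b in nat_log
        if b.public_ip == public_ip
        and b.start <= when <= b.end
        and (public_port is None or b.public_port == public_port)
    }
    return sorted(hits)

if __name__ == "__main__":
    seen_at = T0 + timedelta(seconds=60)
    print("IP only:      ", candidates(NAT_LOG, "203.0.113.7", seen_at))
    print("IP + port:    ", candidates(NAT_LOG, "203.0.113.7", seen_at, 40001))
```

A destination that records only the public IP address cannot tell the two subscribers apart; it needs the source port and an accurate timestamp, and the ISP needs to have kept the matching translation record.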
An HTTP cookie is data stored on a user's computer that assists in automated access to websites, or holds other information required by complex web programs. Cookies are also used for user tracking by storing individual web usage history data. Cookies were designed so that only the website that issued a cookie to a user's system could retrieve it, so that only data relevant to the use of that site would be collected. In practice programmers can circumvent this restriction, leading to:
· inclusion of a personally-identifiable tag in a browser to facilitate web profiling of the user of that computer
· stealing information from the cookies by cross-site scripting or other techniques
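A site operator can check how widely its own cookies are exposed by auditing the attributes on each Set-Cookie header. The following is an added example, not part of the original article; the function name, finding codes and sample headers are constructed for illustration.

```python
def audit_set_cookie(header, request_host):
    """Return (cookie_name, findings) for one Set-Cookie header value.

    Findings (hypothetical codes):
      no-httponly  script running in the page, including script injected
                   through cross-site scripting, can read the cookie
      no-secure    the cookie is also sent over unencrypted HTTP
      wide-domain  a Domain attribute makes the cookie available to hosts
                   other than the one that issued it
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]

    # Attribute names are case-insensitive; flags have no value.
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if "secure" not in attrs:
        findings.append("no-secure")

    # Without Domain the cookie is host-only: it returns to the issuing host.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != request_host.lower():
        findings.append("wide-domain")
    return name, findings


# Constructed sample headers as a server at shop.example.com might send them.
SAMPLES = [
    "sid=abc123; Path=/; Domain=.example.com",
    "sid=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(audit_set_cookie(h, "shop.example.com"), "<-", h)
```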
Then there is the PIE (Persistent Identification Element). Unlike cookies, PIEs cannot be easily deleted or detected and can reinstate any deleted cookie. PIEs can also hold considerably more data than a cookie. They are used to transmit browsing habits on the go and to make the user experience more personalized.
Information posted on the Internet is long-lasting. This includes comments written on blogs, pictures, and Internet sites such as Facebook and Twitter. It is propagated into cyberspace, and once it is posted, anyone can discover it, read it, reuse it and propagate it.
The Privacy Act prohibits the disclosure of personal information, no matter how this information is gathered. Consumers’ control and knowledge on the internet fall under two categories: purchasing and surfing. The legal protection for individual privacy in the United States has been passed fairly recently, and limits the protection of data. Data collection methods have raised concerns about consumer privacy. The FTC, in its efforts to ensure success, has developed principles that would protect consumers and the information they choose to display. The USA PATRIOT Act was put into effect in reaction to the 9/11 terrorist attacks. The Government felt that terrorism in the United States could be diminished by keeping an eye on communication around the country. This Act gives the Government powers to disregard the privacy concerns of citizens in the face of national security concerns.
The Electronic Communications Privacy Act (ECPA) sets the boundaries for law enforcement access to personal electronic communications and electronic records such as emails, documents and pictures. With the immense growth in the use of computers, many people store copious data on servers that can be visible to many parties in the infrastructure business. The ECPA protects this material from being accessed by law enforcement. The exceptions to this law allow the ISP to view private e-mail if the sender is suspected of attempting to damage the internet system or attempting to harm another user. The ISP can also reveal information from a message if the sender or recipient allows disclosure, or in the event of a court order or law enforcement’s subpoena.
Most case law holds that employees do not have a reasonable expectation of privacy with respect to work-related electronic communications. A federal court held that employees can assert the existence of attorney-client privilege with respect to communications on company laptops. Courts have acknowledged that an employee has a right to privacy in his workplace computer. However, the Court also found that an employer can consent to any illegal searches and seizures.
In the recent Google Spy case, where Google mobile cars were running software to collect personal data over unencrypted networks for analysis, the company was fined and asked to cease collecting, storing and using information that had not been directly provided to it with user consent.