- will not be collected without consent;
- will not be used for secondary purposes;
- will be held in secure databases; and
- will not be retained for unnecessarily long periods of time.
- Privacy Complaints
The strength of the internet is the unfettered freedom of participants on the Web to engage in communications without government interference. In this case, especially E-commerce, which is essentially the buying and selling of goods and or services over a network such as the Internet, is, according to many experts, the major business trend of the future. While exact figures are hard to determine, it has been estimated that in 1998 alone, e-commerce transactions totaled US$ 8 Billion. This figure is expected to rise to US$ 327 billion in the year 2002 (eMarketer, July 1998).
However, concerns over privacy emerge when companies request personal details (name, address, age, income, credit status, etc) as part of a transaction and then use (or sell) this information as part of its marketing strategy. In this case, privacy abuses do not necessarily come from the storage of such personal information but more from the threat that such a database may be subject to a security breach that reveals a user's personal information. Worse yet, some companies view personal information obtained from customers as a corporate asset that can be sold during bankruptcy proceedings.7
This already points out one of the many threats that the information age has created over recent years. Other threats and so- called Internet crimes include information gathered from children, identity theft, organized terrorism, hackers attacking government agencies, and hackers attacking business.
3.3 Internet Crimes
The capabilities and opportunities provided by the internet have transformed many legitimate business activities, augmenting the speed, ease, and range with which transactions can be conducted while also lowering many of the costs. Criminals - who can prey upon the unsuspecting while hiding behind the anonymity of the Internet - have also discovered that the internet can provide new opportunities multiplier benefits for illicit business. The dark side of the internet involves cyber crimes such as:
3.3.1 Identity Theft
Identity theft is a crime wherein an imposter, with remarkably accurate personal information, is successful in causing E-merchants to believe that they are someone they are not. The imposter freely executes commercial transactions, charging them to the victim who has no idea what is going on until the bills arrive. The crime inevitably results in a destruction of credit reputation and aggressive, sometimes unrelenting collection efforts against the wrong person (Shelley M. Liberto).
3.3.2 Credit Card Fraud
Millions of dollars may be lost annually by consumers who have credit card and calling card numbers stolen from on-line databases. Security measures are improving, and traditional methods of law enforcement seem to be sufficient for prosecuting the thieves of such information. Bulletin boards and other on-line services are frequent targets for hackers who want to access large databases of credit card information.
3.3.3 Computer Sabotage
Computer sabotage is the use of the Internet to hinder the normal functioning of a computer system through the introduction of worms, viruses, or logic bombs is referred to as computer sabotage. Computer sabotage can be used to gain economic advantage over a competitor, to promote the illegal activities of terrorists, or to steal data or programs for extortion purposes.
3.3.4 Internet Crimes against Children
The Internet is a great learning tool, but it can also be a dangerous place for children. Criminals can find access to kids through chat rooms, IRC (Internet Relay Chat) and instant messaging. Even sites directed at children can fall short in protecting children's privacy. Eighty-nine percent of sites directed at kids collect personal information from the child, and only 23% of those sites tell children to seek consent from their parents before giving out personal information online.8
4. Legislation vs. Self-Regulation
In ruling the Communications Decency Act of 1996 unconstitutional, U.S. District Court Judge Dalzell stated: ". . . the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects." The strength of the Internet is, as the judge describes, the unfettered freedom of participants on the Web to engage in communications without government interference. This point, having been recognized by the courts and Congress in its commitment not to tax the Internet, has one exception: The protection of the consumer privacy. 9
In this case, the real issue with regard to consumer privacy on the Internet is not whether privacy protections are warranted, but how they can and should be implemented. As expected, the debate now raging is whether to allow government intervention by way of regulation or, alternatively, to rely on Internet access services to regulate privacy issues themselves.
Proponents of self-regulation claim that there is a clear unity of interest between online businesses and their potential customers. Businesses want to provide a safe and pleasant online experience and consumers want to have one. If businesses neglect their customers, their profits will decline, shareholders will be unhappy, and ultimately the firm will go out of business. Since these incentives exist, the argument that government must step in to aid e-commerce is wrong. Ann Cavoukian, information and privacy commissioner for Ontario, Canada, who has been influential in promoting this viewpoint in Canada and the U.S. says, “If you’re in the information business today, you’ve got to lead with privacy because privacy is good for business”. 10
This ‘self-regulatory’ attitude might sit well with a majority of Americans, but European cultural norms dictate a different interpretation of the facts. If anything, the history of self- regulation is not very compelling. The Direct Marketing Association (DMA) advocates self-regulation, but its own regulatory record is poor indeed. A 1996 study by Professor Joel Reidenberg and Professor Paul Schwartz found that fewer than half of DMA members complied with the association's own modest guidelines. A study conducted by EPIC in 1998 found that only a handful of new DMA members met the DMA's privacy principles, even after the DMA made compliance a condition of membership. 11
Advocates of privacy regulation argue that the profit motive of businesses contradicts privacy interests, and since businesses care more about profits than consumers, self-regulation will never work. Consumers want their rights protected in the online world, just as they are protected in the offline world. Hence, privacy protection should not end where the Internet begins. The 1998 Harris poll on Internet privacy found that just over half of those surveyed "favour government passing laws to regulate how personal information can be collected and used on the Internet." 12
This also explains why in the UK the Home Office is ready to enact legislation that provides individuals with a baseline of privacy protection on the Net by codifying the fair information principles. In other words, the Home Office is pressing for new measures to establish a clear set of rules about how personal information is collected and used online.
Such principles and policies should be displayed in a prominent place on a company's Web site and should explain to consumers13:
what personal information is being collected;
why it is being collected;
how it will be used;
who will have access to it;
how long you will retain it;
how you will dispose of it;
who in the organization to contact for more information about the policy.
If, however, these principles are ignored by certain companies, the government should simply ban any activities that involve the use of private information regardless of when and how it is obtained. The Home Office suggests that some activities be criminalized such as the use of the lists to perpetrate fraud, exposure of personal information to persons and organizations who would harm its users such as children, identity theft, and invasion of the doctor-patient confidentiality relationship. Legislation which targets the use of personal information, combined with a private-sector certification program, would seem to be the best first step toward protecting consumer privacy on the Internet.
5. Government Laws to Protect Privacy
The state of affairs in the UK has now caused the Home Office to enact a set of laws that protect privacy through the development of a national scheme backed by legislation. These legislations aim to give individuals greater control over the electronic storage of their personal details.
In 1995, the European Union (EU) passed the Data Protection Directive,14 which sets out privacy-protection rules for personal information held by both government and private-sector entities and aims to harmonize data-protection rules in the EU. The directive also establishes rules designed to ensure that data (i.e., personal information) is only transferred to countries outside the EU, where continued privacy protection is guaranteed.
The 15 member states of the EU were required to implement the directive into national law by October 25, 1998. This so- called Data Protection Act 1998, which replaced and greatly extended the 1984 Data Protection Act covers how information about living identifiable persons is used. Perhaps the single biggest impact of the newer Act is that it extends to data that is held in non-electronic form. Thus, businesses should review not only their computer systems but other, manual, storage systems as well.
The act covers eight 'Data Protection Principles', which state that all data must be:15
- Processed fairly and lawfully
- Obtained & used only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate, and where necessary, kept up to date
- Kept for no longer than necessary
- Processed in accordance with the individuals rights (as defined)
- Kept secure
- Transferred only to countries that offer adequate data protection
Note: The Data Protection Act is mandatory and all organisations that hold or process personal data must comply. Basically, everyone who stores or processes information should register with the Data Protection Commissioner. Failure to do so is an offence.
6. Technologies to Protect Privacy
Privacy has become one of the most important human rights issues of the modern age. At a time when computer based technology gives government and private sector organisations the ability to conduct mass surveillance of populations, privacy has become a crucial safeguard for individual rights.16 Especially, the emergence of new technologies is causing new concerns about the protection of privacy. Many of these technologies were being adopted and implemented outside legal protections.
Ivan K. Fong, the Senior Counsel for E-Commerce and Information Technology for the General Electric Company, predicted that technology will continue to drive the debate over privacy, noting that privacy-protective technologies can however be often developed in response to privacy-invasive technologies.17 In the UK the Home Office, therefore, also promotes new privacy-enhancing techniques, such as methods for anonymity and virtual identities that could be particularly effective for protecting privacy online. This method of shielding information works well when combined with government regulations because it stops sites from getting the information in the first place.
In general, web sites have the ability to view things like your Internet protocol (IP) address and where you click on a site. Likewise, it is important to remember that sending email is about as secure as sending a postcard in the mail—unless the sender uses encryption. Since this is the case, users who want to keep their information concealed can use the following technologies:
6.1 Cookie Control
A cookie is a software application that enables a site to customise its services to the interests of the user. This is achieved by tracking the user's navigation of the site and storing that information on the user's hard drive. Web site operators use this information to determine what parts of sites are most popular so they can better serve the needs of consumers. Nevertheless, if users don’t like the idea of giving web sites a look into their browsing habits, they can turn off cookies in their browser
6.2 Email Control
To protect the privacy of electronic documents, people can scramble their messages using a mathematical tool called encryption, and even ensure that messages expire after a period of time.18
6.3 Anonymous Digital Cash
DigiCash is another state-of-the-art technology that has the strongest privacy protection of any deployed payment system--it uses sophisticated cryptographic protocols to guarantee that the payer's privacy is not compromised by the payment protocol even against a colluding bank and payee. Thus, DigiCash has many of the privacy properties of real cash; most other deployed payment systems have only about as much privacy as checks or credit cards.19
However, the success of these new technologies is invariably linked to public acceptance. Consumers will not accept a new form of technology if it is costly, difficult to use or violates their rights to fair use, freedom of expression and privacy.
7. Conclusion
Even staunch privacy advocates seem to accept that new legislation and powers that specifically target terrorists may be needed in the aftermath of the September 11th attacks. However, it seems that in the U.S. and elsewhere a whirlwind of new and re-treaded proposals are being quickly passed into law with little if any debate.
In Europe the reactions have been mixed. One the one hand France is apparently re-thinking its recent decision to eliminate the requirement for 3rd-party key escrow. On the other, the European Parliament ignored a request from President Bush and passed a EU Directive on enhanced protection of privacy in the electronic communications – Bush had sought a number of changes in the proposal to allow for data retention of telephone calls and internet messages.20 In England, the British Government has increased police powers to detect crime in the new digital age. However, critics already claim the individual’s right to privacy could be harmed and that a balance should be found between the nation's security interests and individual privacy concerns.
In conclusion, the author therefore argues that the lack of appropriate and enforceable privacy norms poses a significant threat to democracy in the Information Age. Indeed, information privacy concerns are the leading reason why individuals not on the internet are choosing to stay off.21 The recent Children’s On-line Privacy Protection Act is a good example of how serious government is about the issue of privacy and how the government will use substantial financial penalties to enforce compliance. By introducing legislations and regulations the government aims to promote consumer confidence in the Internet and E- commerce. Thereby, technologies that promote anonymity can be the most efficient way to protect privacy and are increasingly considered the future of privacy protection.
Finally, the European Convention of Human Rights, soon to be incorporated into British domestic law, accords privacy and freedom of speech as equal rights. In our modern society they are compatible, not conflicting. Those who seek to set one against the other are serving self interest before the public good.
8. Endnotes
-
Home Office UK website; Online at:
-
BBC World Service/ Human Rights, Right to privacy in home, family and correspondence; Online at:
-
Warren, S. & Brandeis, L.D. The Right to Privacy, Originally published in 4 Harvard Law Review 193 (1890); Online at:
-
Information and Privacy Commissioner/Ontario, Privacy and Digital Rights Management (DRM): An Oxymoron?, October 2002; Online at:
-
Dyson, E. Privacy Protection: Time to Think and Act Locally and Globally; Online at:
-
Arrison, S. Consumer Privacy A Free Choice Approach; Online at:
-
Some examples include , , and Toysmart
-
Federal Trade Commission, Privacy Online: A Report to Congress, June 1998; Online at:
-
Liberto, S.M. Government Regulation of Web Privacy: Congress takes a first Step,
From the November 1998 issue of ;
-
Lester, T. The Reinvention of Privacy, Atlantic Monthly, March 2001; Volume 287, No. 3; pp. 27-39. Online at: .
- For Privacy, New Laws By Marc Rotenberg - Issue Date: Dec 04 1998
-
Givens, B. Privacy Expectations in a High Tech World, Santa Clara University, Symposium on Internet Privacy - Computer and High Technology Law Journal;
February 11-12, 2000; Online at:
-
Information and Privacy Commissioner/Ontario, Privacy and Digital Rights Management (DRM): An Oxymoron?, October 2002; Online at:
-
Online at:
-
The Data Protection Act. A Guide To The Data Protection Act, Online at:
-
Davies, S. New Techniques and Technologies of Surveillance in the Workplace, Computer Security Research Centre - The London School of Economics; Online at:
-
RAND Conference Asks: How Do Emerging Technologies Impact Privacy and Privacy Policy?; Online at:
-
For more on what encryption is see:
-
Chaum, D. Blind Signatures for Untraceable Payments, CRYPTO 82, Plenum, pp. 199-203.
-
Meller, P. European Union Set to Vote on Data Law, New York Times ,13 Nov 2001;
Online at:
-
See A Little Privacy, Please, BUS. WK., March 16, 1998, at 98 [hereinafter BUSINESS WEAK Poll]
9. Bibliography/ References
To clarify my arguments, I have used quotations and references from a number of books, web articles and extracts. To help in further reading, a complete bibliography has, therefore, been provided by the author.
For excerpts reproduced in this report, acknowledgement is made to the following resources:
-
Home Office UK website; Online at:
-
BBC World Service/ Human Rights, Right to privacy in home, family and correspondence; Online at:
-
Warren, S. & Brandeis, L.D. The Right to Privacy, Originally published in 4 Harvard Law Review 193 (1890); Online at:
-
Information and Privacy Commissioner/Ontario, Privacy and Digital Rights Management (DRM): An Oxymoron?, October 2002; Online at:
-
Dyson, E. Privacy Protection: Time to Think and Act Locally and Globally; Online at:
-
Arrison, S. Consumer Privacy A Free Choice Approach; Online at:
-
Federal Trade Commission, Privacy Online: A Report to Congress, June 1998; Online at:
-
Liberto, S.M. Government Regulation of Web Privacy: Congress takes a first Step,
From the November 1998 issue of ;
-
Lester, T. The Reinvention of Privacy, Atlantic Monthly, March 2001; Volume 287, No. 3; pp. 27-39. Online at: .
- For Privacy, New Laws By Marc Rotenberg - Issue Date: Dec 04 1998
-
Givens, B. Privacy Expectations in a High Tech World, Santa Clara University, Symposium on Internet Privacy - Computer and High Technology Law Journal;
February 11-12, 2000; Online at:
-
Information and Privacy Commissioner/Ontario, Privacy and Digital Rights Management (DRM): An Oxymoron?, October 2002; Online at:
-
The Data Protection Act. A Guide To The Data Protection Act, Online at:
-
Davies, S. New Techniques and Technologies of Surveillance in the Workplace, Computer Security Research Centre - The London School of Economics; Online at:
-
RAND Conference Asks: How Do Emerging Technologies Impact Privacy and Privacy Policy?; Online at:
-
Chaum, D. Blind Signatures for Untraceable Payments, CRYPTO 82, Plenum, pp. 199-203.
-
Meller, P. European Union Set to Vote on Data Law, New York Times ,13 Nov 2001; Online at:
-
Holtzman, D. Digital privacy: A curmudgeon’s guide, News.Com; July 2002; Online at:
-
Privacy Coalition press release, The Privacy Coalition Announces New Privacy Initiative: The Privacy Pledge Sets Standard for Privacy Proposals in Congress, February 12, 2001. Online at: