Schneier on Security
A blog covering security and security technology.
« The Topology of Covert Conflict |
| Embedded RFID for VIP Status »
February 6, 2006
A Model Regime of Privacy Protection
Last year I blogged about an article by Daniel J. Solove and Chris Hoofnagle titled "A Model Regime of Privacy Protection."
The paper has been revised a few times based on comments -- some of them from readers of this blog and Crypto-Gram -- and the final version has been published.
A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices -- principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.
Definitely worth reading.
Posted on February 6, 2006 at 12:21 PM
• 5 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
At a conference a couple of weeks ago, I asked Dan Solove how his proposal represents a way forward given the failings we already know of Fair Information Practice laws. The Fair Credit Reporting Act has existed for more than 30 years, for example, and credit reporting is rife with unfairness.
A model law is one thing, but what can actually be passed into law is quite another. My sense is that the FCRA protects credit bureaus more than consumers. Any new federal law will inevitably come with preemption of state laws that might address the issues better. Indeed, the reason they will pass, if they do, is because of those business-friendly provisions.
I have advocated for common law causes of action such as negligence (in the case of data breaches that permit identity fraud) and commercial defamation or interference with prospective economic advantage (in the case of bad data). Dan has made clear to me (and he's right) that I owe the world more thinking on this.
There is general agreement on using liability to get data aggregators and data holders to internalize the risks their activities create, but I encourage people to withhold judgment on whether that liability should come through prescriptive bureaucratic regulation, or something else, such as common law remedies.
As much as I'd like to see something like this put into place, I don't see much hope. I'd certainly support an effort to change the laws to be more like the suggestions made.
One aspect that I believe is consistently underrated how low the data brokers will go to protect their business. The companies selling cell phone records are a good example of the way these companies generally operate. Companies can cross country boundaries to obscure legal limitations on what can be done with the data.
The tactics used to collect data are underhanded in many cases, illegal in others. If you've ever filled out a mail in rebate or product registration card, that information is already in one of these companies' databases. In effect, you sold your own information without knowing it. I've seen an example where one of the big data brokers is using government data in a questionable manner(pretending to be the person to confirm their data in a particular database) to augment their databases. My wife gets a ton of junk mail to one misspelling of her name that was used once with one credit card company and obviously sold to numerous sources since.
I have tried the SSRN web site and get an error page for 'abstract not found' and then go to their search page and get many more errors. Can anyone validate this? I have tried to get a free user ID on the site and can't get that to work either - more Cold Fusion problems...
(Detailed error reporting too - hmmm...
An error occurred while evaluating the expression:
Session.AL_BMANAGEISSUES = "#AL_BMANAGEISSUES#"
Error near line 608, column 13.
Error resolving parameter AL_BMANAGEISSUES
ColdFusion was unable to determine the value of the parameter. This problem is very likely due to the fact that either:
1. You have misspelled the parameter name, or
2. You have not specified a QUERY attribute for a CFOUTPUT, CFMAIL, or CFTABLE tag.
The error occurred while processing an element with a general identifier of (CFSET), occupying document position (608:7) to (608:61).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.