Schneier on Security
A blog covering security and security technology.
« JetBlue Captain Clayton Osbon and Resilient Security |
| James Randi on Magicians and the Security Mindset »
April 5, 2012
Helen Nissenbaum, Privacy, and the Federal Trade Commission
Posted on April 5, 2012 at 12:42 PM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Is that the right link? It's something about keyless entry.
Bruce, is there something wrong with the link? I get an article on keyless vehicle entry systems...
(You can delete this if I'm wrong or tiresome, or when the link is fixed)
The problem with Ms Nissebaum's ides as presented in the Atlantic article is it lacks the dimension of time.
Time has two main effects,
1, Data holders change.
2, Societal norms change.
Under current US law your PII belongs to the entity (any person legal or natural) who collects it and it becomes their "asset". If the entity enters into a contract of some form or another and defaults then the entities assets can be transfered to the other party in the contract. However the law does not require the new holder of the asset to abide by any limitations placed upon the assets use by the original collection process.
Thus the idea of her "norms" has to have a major effect on the laws relating to the transfer of assets to have a chance of working. It would be simpler to stop the data collecting entity from "owning the PIIC" but that would in many peoples eyes make the data worthless as it is nolonger a negotiable asset.
The second problem is that social norms change with time sometimes quite quickly. If I agree to the release of some of my PII under the norm prevalent at the time of release, what happens to it when the norm changes and I wish to stick to the original norm?
Again because it's an asset of the data collecting entity I've lost the right under her norms model.
The solution is simply to stop PII being an asset to anyone other than to whom it pertains. This however would put a major dent in most Internet business models.
But the idea of "owning your PII" in it's self is problematic as some PII like your phone number or address are only your PII for the duration they relate to you.
One suggestion that has been made is that the collecting organisation does not own the PII but has a non transferable "lease" on it that lasts only as long as you continue to use their service. However this has other issues.
PII is a complex and thorny problem which has many hidden pitfalls many of which will not or cannot be resolved by Ms Nissenbaum's norms model as presented.
From the article:
"...Congress has to provide clear ways for companies to continue profiting from data tracking."
NO! Companies should NOT do data tracking. It is not their data to do with as they please. Further, they often go beyond the data for the transaction and/or the customer experience and collect even more, then database that information, aggregate it, and further add to it from other sources (building a dossier), then use that data in ways that are beyond expectations for the transaction and/or customer experience. Companies become intrusive and use your data for their profit. Foul! The author seems more interested in protecting the company data collection for profit than protecting the user's data.
Clive: I was formulating my post while your entry was being posted. Good assessment. Thank you.
My guess is that the mania for collecting so much tracking information (for "legitimate" reasons, not crime), will dissipate before long. Marketers always think (hope) that there is a "silver bullet" that will solve their sales problems - web tracking is the latest fad. It won't work, and they'll move on to the next fad. It will never entirely disappear, but it will become substantially irrelevant.
Peter: except when you consider the NSA data collection center in Utah. From that perspective, it becomes the ONLY thing.
@Clive: "The solution is simply to stop PII being an asset to anyone other than to whom it pertains. This however would put a major dent in most Internet business models."
That poses additional problems too, because a lot of PII is difficult to attribute to exactly one party. If its a record of a transaction between two parties, do they both get a say in how it can be used? E.g. a retailer using a third-party payment system to receive payment from a customer (PayPal, visa, ..) or something like E-bay or craigslist, that arranges transactions between parties where either party might be an individual, a tiny 1-2 person company, or a larger company. If the rules require "at least one party must allow the use" then its useless, because the large retailer will do whatever it wants and individual customer will get screwed. But if the rules require "all parties must agree to each use" then it will effectively prevent so many usage scenarios as to be unworkable in practice.
I think there needs to be more thinking about the collection, ownership, and control of Personal Data(PII). Companies want it to sell you stuff you want, or not sell you some stuff, like life insurance to sick people. Governments want it to catch criminals and watch and anticipate opponents. Social movements want it to identify donors and supporters.
Currently, it mostly belongs to the collectors (end-collectors, or others in the chain or listening) who publish sweeping privacy statements that tend to include any conceivable use, including giving it or selling it to anyone, silently.
Some countries have some rules, like Canada and the EU, but if the data is collected offshore....
We can defend ourself, using Ghostery, NoScript, various cookie controls, BetterPrivacy, AdBlock, HTTPS-Everywhere, Certificate Patrol, and other plugins for Firefox or Chrome at the cost of some functionality or work. No one has made them illegal - yet.
But a fundamental rethink & discussion needs to be held. Personal Data needs to be more visible to and under the control of the person who it is about so they can control how it is used, for or against them.
We are rapidly becoming a “big brother” society where our every movement is captured on cameras and by cellphone tracking. ISPs and Echelon record and track our emails, correspondents, and the information we send and receive.
Every cellphone can become a secret spy, listening in on us and taking pictures unbidden, to deliver to persons unknown. Our PC webcams can be turned on remotely so prurient watchers can record our bedroom activities - or wherever the camera is.
1984 had eyes in home walls. Now the eyes and ears travel with us, hidden in a maze of circuits and code.
Whither privacy? Wither privacy.....
One thing is for sure, most western countries have much stronger data privacy and protection policies than the US.
The US is essentially owned by the big corporations and the rights of the individual come a distant second to corporate interests.
This looks quite a lot (to me, at least) like the standard privacy principles that apply in countries other than the US, except that the idea of "purpose" has been generalized to include some idea of the purposes that people are used to in the personal world.
The idea that data is not just a currency (over which you lose control as soon as it passes out of your hands) bears interesting parallels as well with the european notions of artists' and authors' rights, where even if someone has sold their work, they still have rights to protest its use in contexts that bring them into disrepute.
@moo: How about each party owns the information that directly relates to that party and a non-transferrable lease on the remainder.
Example: I purchase DVD X from BigCo.
BigCo owns the fact that X was sold at this date, time and for what amount and which customer number in their DB purchased X. (I think anonymized info tracking of which customer buys what things is fine and dandy.)
I own my name, the fact that I bought X at what amount, date and time.
I have a nontransferrable lease on my CC account info (my CC company owns that) but I also have a license to present that information to another company for payment purposes. I, however, own my address. The CC company only has a non-transferrable lease on that from me.
I have a nontransferrable lease on the name of the company I bought this DVD from. I assume most companies will boiler plate this into a license stating that I can talk about my transactions with them. Some companies may not their names dropped as providers of some product.
Company BigCo has a non-transferrable lease on such things as my name (for when they send me email). BigCo also is licensed through the license by my CC company to transmit to the CC company my account info and name/address for reimbursement. They're probably also licensed to transmit my shipping info to the shipping company.
There are probably quite a few more corner cases to worry about, but I feel like similar to how we have GPL2/3, BSD, etc. as standard licenses someone should create a standard set of transaction agreements and let companies choose which ones they want to adhere to. Then we can just look for the right trademarked icon when making purchases online.
I immediately notice that your idea would allow BigCo to prevent you from publicly evaluating their service or product without their permission. Thus is becomes more difficult for other people to know which companies to avoid.
I think, however, that it would make sense for the consumer to have protection that the producer/retailer don't. One way would be to say that the person paying owns the transaction.
Any collection of PII should be justified and openly stated why particular part of PII is collected/required to conduct/complete particular transaction.
The presumption should be that all PII is provided for particular transaction and related to that particular transaction activities only, e.g. payment collection, shipment, etc.
All other usage of collected PII should be prohibited (except court order) by law (not self regulation) without person's approval in advance for such usage by collector. That right could not be waived as condition of particular transaction, meaning colletor could not twist hands of person provided PII.
All other models just unfair.
Are there Laws (federal or state) which regulate information brokers activities (e.g. legitimate sources of information collected, legitimate usage/distribution of profiles created, etc.) or it is just Wild West area?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.