Privacy Lives joins eight groups in submitting comments (pdf) to the Federal Communications Commission recommending stronger consumer privacy protections. The FCC sought comments (pdf) “on the use of personal information, identity management services, and privacy protection against broadband applications.” The groups said that “substantial threats to our privacy and related consumer protection issues” can arise from the business practices and policies of broadband, mobile and other advertising companies.
The consumer advocacy groups said: “(1) There are significant problems concerning the collection and use of personal data by companies, especially sensitive data and children’s data; (2) The FCC should not rely on industry self-regulatory models because they do not adequately protect consumer privacy; and (3) The principles and standards that should serve as the foundation of consumer privacy protection should be the Fair Information Practices, especially as they are implemented in the OECD Guidelines on data privacy.” The Fair Information Practices were created in 1973 by the U.S. Department of Health, Education and Welfare. “Congress has reaffirmed its commitment to the Fair Information Practices numerous times. Congress used the Fair Information Practices as the basis of the Privacy Act of 1974, which restricts the amount of personal data that Federal agencies can collect and requires agencies to be transparent in their information practices. When Congress created the Department of Homeland Security’s Privacy Office several years ago, Fair Information Practices were included in the establishing legislation,” the groups said.
In explaining point (2), the groups said that both sets of self-regulatory guidelines by the U.S. Interactive Advertising Bureau (“IAB”), the online marketing industry’s principal trade and lobbying group, [guidelines here (pdf)] and Network Advertising Initiative [guidelines here (pdf)] have narrow definitions for “sensitive information” and “personally identifiable information,” focusing on the traditional ideas of identification numbers or addresses.
But even the Federal Trade Commission has expanded its idea of “personally identifiable information.” “Indeed, in the context of online behavioral advertising, rapidly changing technologies and other factors have made the line between personally identifiable and non-personally identifiable information increasingly unclear,” FTC staff said in a report (pdf) last year. The consumer advocacy groups said, “Individuals should be protected even if the information collected about them in behavioral tracking cannot be linked to their names, addresses, or other traditional ‘personally identifiable information,’ as long as they can be distinguished as a particular computer user based on their profile.”
The groups noted that “the marketing industry continues to hide behind the cloak of data ‘anonymization’ or ‘de-identification,’ stating that this protects consumer privacy while allowing companies to build profiles on consumers. However … it has proved relatively easy to link anonymized or de-identified data back to personally identifiable information of individuals.” For example, “Carnegie Mellon professor Latanya Sweeney has been researching the issue of de-anonymization or re-identification of data for years. In 1998, she explained how a former governor of Massachusetts had his full medical record re-identified by cross-referencing Census information with de-identified health data.” In 2006, “Philippe Golle at the Palo Alto Research Center revisited Sweeney’s Census research, using 2000 Census data, and found that ‘disclosing one’s gender, ZIP code and full date of birth allows for unique identification’ revealed the identity of 63 percent of the U.S. population.” The groups noted that the Department of Health and Human Services is also investigating the efficacy of data anonymization.
The groups concluded:
So-called “anonymization” or “de-identification” should not be used as a cloak for data collectors to hide behind. Anonymization should be left behind. Instead, the definition of personally identifiable information of individuals should be changed. We believe that personally identifiable information is data that can be linked to an individual. “An individual” includes any: (a) person identified by name, address, account number, or other identifying particular assigned to the individual; and b) user of any online service or facility who is targeted (1) based on information obtained in more than a single transaction, online encounter, or other online activity; (2) notwithstanding the absence of a name, address, account number, or other identifying particular about the user known to the behavioral targeter; and (3) when the behavioral targeter has any reason to believe that the user being targeted is a particular user about whom the behavioral targeter obtained information in the past or from another source, including the use of IP addresses, browser cookies, and other persistent user identifiers or tracking methods.
The groups urged the FCC to consider all avenues it may use to protect consumers, “including exercising its ancillary jurisdiction to address broadband privacy issues, and working with Congress and the Federal Trade Commission (“FTC”), which has substantial expertise in consumer privacy protection.”
The groups in the coalition are:
American Civil Liberties Union
Center for Digital Democracy
Consumer Federation of America
Privacy Rights Clearinghouse
U.S. Public Interest Research Group