Presentation on theme: "Consumer Privacy and Information Access Professor Matt Thatcher."— Presentation transcript:
Consumer Privacy and Information Access Professor Matt Thatcher
2 Last Class l Essential concepts and theoretical background of newly vulnerable markets –easy to enter, attractive to attack, and difficult to defend l The case of Capital One Financial –what happened? why did it happen? can it keep happening? l Where else can it happen? –recording industry? newspaper industry? l Other examples of newly vulnerable markets?
3 Today l What is the right to privacy? l Have we created a panopticon? –the role of IT and privacy-invasive technologies l Consumer privacy on the Internet –is technology destroying consumer privacy rights? –how should firms handle consumer data? –what are some solutions to protecting consumer privacy? (technology, marketplace, industry norms, law)
4 Defining Information Privacy l the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others l Basis of privacy rights 4 th Amendment of the Bill of Rights –protects people from unreasonable search and seizure –requires probable cause to get a warrant and search and a specification of the place to be search and what will be seized
5 What is a Panopticon?
6 Has IT Created a Panopticon? l IT has changed the: –scale of information collected –kind of information collected –scale of information exchanged and distributed l IT has also: –magnified the effect of erroneous information –enabled the combination and analysis of data –made the invisible collection of data without user knowledge easier
7 Privacy-Invasive Technologies l Databases –collect, store, retrieve info quickly and cheaply –customer data digitized customer profiles l Networks –easy transmission of stored data over internet and private networks l Algorithms –complex analysis and data integration l Covert monitoring –cookies, 3rd party cookies –web bugs (web beacons)
8 What Should Firm Privacy Policies Look Like? FTC Consumer Fair Information Practices l Notice (awareness) –who, what, where, how l Choice (consent) –opt-in vs. opt-out l Integrity (security) –data should be protected from theft, modification, unauthorized access, or disclosure l Access (participation) –consumer should be able to review/access personal information, challenge its correctness, and have it changed l Enforcement (redress) –compliance verification, dispute resolution, and remedy l Accountability (not mentioned by FTC but by others) –responsible for ensuring that the above principles are met
9 Potential Solutions l Protecting consumer’s information privacy –technology and education (consumer) –privacy policies (firm, marketplace) –privacy norms (industry) –laws (government)
10 Privacy Protection (Privacy-Enhancing Technologies) l Data encryption –Pretty Good Protection (PGP) encryption program l Cookie cutters l Anonymous ers –Anonymizer (www.anonymizer.com)www.anonymizer.com l P3P and identity managers –Platform for Privacy Preferences (P3P) –http://www.w3.org/TR/P3P/http://www.w3.org/TR/P3P/ l Automated privacy audits l Electronic cash (anonymous)
11 Privacy Protection (Invisible Hand and the Marketplace) l Pressure from customers –FTC survey 1998 vs. Georgetown Univ survey 1999 l Pressure from competitors l Privacy policies (firm-level) l Is this enough? l Are consumers sufficiently informed on the issue to take decisive action? l What about enforcement?
14 Privacy Protection (European Comprehensive Laws) l Data Protection Directive: Directive 95/46/EC –the protection of individuals with regard to processing of personal data and the free movement of such data –opt-in –accountability »requires firm-level data controller and a dedicated government privacy agency l Safe Harbor Program –list of participants –http://export.gov/safeharbor/index.htmlhttp://export.gov/safeharbor/index.html
15 Safe Harbor Principles l Notice l Choice l Sensitive information (opt-in requirement) l Onward Transfer –can only give info to firms that have same level of privacy protection l Security l Data integrity l Access l Enforcement l No requirement for national agency or data controller for Safe Harbor participants
17 Rationale for Comprehensive Laws by Europe l To remedy past injustices l To promote electronic commerce l To ensure laws are consistent with Pan- European laws
18 Europe vs. U.S. l European prescription for privacy –comprehensive laws l U.S. prescription for privacy –legislation for sensitive data »e.g., HIPAA, Children’s Online Privacy Protection Act, Gramm-Leach-Bliley Act –industry self-regulation with technology support for click stream / purchase data »P3P, audits, privacy seal programs, anonymous ers, cookie cutters
19 Example l Students who live in a dormitory on a college campus are given cards with a magnetic strip that opens the front door of the dorm. Students are not told that each card contains the individual student identifier and that a record of each use of the card is stored. –What are the possible good purposes of such record keeping? –Is it right? –Is it OK if students are told? –Give arguments and examples to support your answers
21 Summary l We have a right to privacy l IT invades that right l How do we protect it? –technology and education (consumer awareness and action) –privacy policies (firm, marketplace) –privacy norms (industry self-regulation) –laws (government)