Privacy

Historically, have consumers been concerned about their privacy?

millions of consumers choose to have their phones listed in their last name only (to avoid revealing their gender)

tens of millions more (30% of households!) choose to have an unlisted phone number

others use private mailbox services to avoid revealing where they live

Today we live in an "information economy"

can check credit card and bank balances on the phone or by computer

can pay bills over the phone or by computer

can order gifts or clothes or airplane tickets online

can borrow $20,000 from a complete stranger and drive home a new car

Convenience comes at a cost: there's a lot more personal information out there than ever

Why should we be concerned about it? Misuse of the information can result in1. Risks to physical security sexual predators use the internet to identify

children women may not want their address known to

potential stalkers

2. Risks to economic security unauthorized charges to credit card unauthorized withdrawals from

bank/investment accounts viruses that attack our computers identity theft

3. Unwarranted intrusions into our personal lives

telephone calls disrupt our home and work lives

spam litters our computers with solicitations some including pornography and other

objectionable goods or services

Internet Privacy

Ziff-Davis Media, Inc. (August, 2002) company's online security system failed due to a

coding error allowed anyone surfing the internet to access about

12,000 subscription orders for the magazine Gaming Monthly.

many had used credit cards to pay for their subscriptions

a number reported that their accounts were used fraudulently

information remained easily available for about a month before "good samaritans" who viewed the material alerted subscribers via e-mail.

Double-Click (March, 2000)

What are “cookies”? files created by an internet site to

store information on your computer your preferences when visiting that site

(e.g., airline itineraries) a record of the pages you looked at

within the site

Good news: cookies only contain information that the user volunteers and cannot infiltrate a user's hard drive and siphon personal information E.g., credit card numbers

Bad news: cookies can also store personally identifiable information that can be used to contact you name e-mail address home or work address telephone number

Cookies permit advertisers to target customers whose previous visits to web sites might suggest an interest in its goods or services.

For example, if you check out the Celtics home page a couple of times, the next time you open a search engine you might encounter an ad from a sporting goods store that sells Celtics clothing

DoubleClick handles advertising for about 1,500 web sites

initially it claimed it would only use "anonymous profiling" when collecting data on individuals.

However, DoubleClick in fact used "pseudonymous" tracking i.e., when it placed cookies on consumers'

computers, it assigned each cookie a unique number this would permit the company to merge the

information with consumers' names if it wished but which it had not yet done when this controversy

arose.

Examples of the kinds of information the DoubleClick kept that had privacy implications included

health inquiries travel plans the names of videos in which the consumer showed

an interest information could, in theory, be useful to video stores

to pitch movies or travel companies to pitch a vacation

could also be used to the consumer's detriment e.g., when applying for insurance

Privacy advocates feared DoubleClick would sell this information to telephone and mail-based direct marketers, health organizations, insurance companies, etc.

After a number of states and the FTC opened privacy investigations, DoubleClick agreed not to link personally identifiable information to anonymous user activity across web sites

some consumer advocates argue that the law should go further

Propose that web sites should be prohibited from placing cookies on consumers' computers without express permission an "opt in" provision

The advertising industry has set up several web sites that allow computer users to "opt out" of having their personal data collected and profiled when they visit commercial internet sites.

Network Advertising Initiative

Financial Privacy

Financial institutions (banks, insurance companies, securities firms) collect substantial personal ("non-public") information, including names, addresses and phone numbers bank and credit card account numbers income credit histories social security numbers

In the 1990's privacy advocates became concerned when financial institutions began selling customer account information to third parties (e.g., telemarketers) for purposes of marketing non-financial services Discount buying clubs Roadside assistance Credit card loss protection Dental plans

Often kept a percentage of sales

In 1999 Congress passed the "Gramm-Leach-Bililey Financial Modernization Act“ (GLBA)

The Act applies to all "financial institutions," including companies that offer financial products or services, like loans, financial or investment advice, or insurance

1. Affiliation

GLBA repealed Glass-Steagall Act depression-era law that prohibited

banks, securities firms, and insurance companies from affiliating

2. Privacy

GLBA requires financial institutions to protect information collected about individuals

key provisions require them to: disclose to customers their policies and

practices for protecting the privacy of non-public personal information

provide customers annually an opportunity to opt out of having information shared with non-affiliated third parties e.g., telemarketers

notice must offer a reasonable way for the consumer to express choice to opt out

Generally done by providing consumer with either toll-free telephone number; or detachable form with a pre-printed

address

Vermont's Rules on Financial Privacy

Vermont law provides greater protection for consumers than does the federal law

rules adopted by Vermont's Department of Banking, Insurance, Securities and Health Care Administration (BISHCA) use an opt-in provision

financial institutions must obtain a consumer's consent before private financial and health information can be sold to or shared with other companies

BISHCA's rule was challenged by five insurance industry trade groups on First Amendment grounds

February, 2004 a Vermont trial court rejected the challenge to the law

Court referred to financial companies as "high volume traffickers of consumers' intimate personal information"

3. Pretexting

"Information brokers" (also known as individual reference services) gather public information about consumers addresses, licenses, aliases, listed phone

numbers also gather non-public information

unlisted phone numbers, credit card numbers, social security numbers

sell the information.

services provide numerous benefits help law enforcement do their job help lawyers find witnesses help consumers find lost relatives help collection agencies find debtors

Problem is that the availability of this information increases risks of crimes such as identity

theft thwarts consumers' efforts to protect

their privacy (Americanada ad) inaccurate information can result in

problems Florida election results

some information brokers called banks and other financial institutions, under the pretext of being a customer

obtained the customer's account numbers and balances and other personal information

GLBA makes it a crime to engage in pretexting

Credit Reporting consumers’ credit reports contain

significant amounts of personal information credit card numbers social security numbers bank account numbers

federal Fair Credit Reporting Act (FCRA) and Vermont's Fair Credit Reporting Act (VFCRA) provide for the accuracy and privacy of consumer credit reports

FCRA assures privacy by limiting who has access to a credit report

credit reports can only be used or collected for one of the following five “permissible purposes”

for credit for employment for insurance to a governmental agency (e.g., for a license or other

benefit) to a person with a legitimate business need for the

information in connection with a transaction with the consumer

credit reporting agencies generally require the user of the report to certify the purpose for which the report is going to be used.

may also check user's references, visit its place of business, etc.

credit reporting agency must disclose on the report the identity of all parties receiving the information

files must be made available to consumers free if the request comes within 30 days of

denial of credit

VFCRA further protects privacy by requiring that the consumer give

permission before his or her credit report can be accessed

allowing Vermont consumers to receive a copy of their report once a year free of charge

Radio Frequency Identification (RFID) System

What is RFID? What are some of the current uses of

RFID systems? What are some possible future uses of

RFID systems? What are the privacy concerns related

to the use of RFID systems?