Privacy-by-policy and privacy-by-architecture are two concrete approaches to privacy engineering. While they are often seen as separate practices, privacy researchers Sarah Spiekermann and Lorie Faith Cranor argue that they may actually be complementary, where a privacy-by-policy approach comes in to fill the gaps where a privacy-by-architecture strategy cannot be implemented.

Privacy-by-Policy

The privacy-by-policy approach to privacy protection is mainly a “notice and choice” approach, with a foundation in the FTC’s Fair Information Practice Principles (FIPs). These principles are focused more on end user notice and choice, rather than other strategies, such as minimizing collection of data, or limiting acceptable uses of data. This approach acknowledges that companies are unlikely to stop collecting or using customer data, while at the same time recognizing that individuals want to retain control over how their data is being used. For this reason, the privacy-by-policy approach has been implemented by many businesses, as it is largely non-intrusive.

The objectives of the FIPs are summarized below:

- Inform users on data being collected

- Present choices for sharing data (e.g. secondary uses of data)

- Give users access to data for review/correction/removal purposes

- Protect security of data

Criticisms of a Privacy-by-Policy Approach

The privacy-by-policy approach is founded on trust-based mechanisms that protect sensitive data from accidental disclosure or misuse. However, this is based on the assumptions that companies can be trusted to handle individuals’ personal information and that privacy policies/regulations are enforceable. Policies and regulations can fail to deter stronger attackers, for instance, malicious hackers, or companies that may financially benefit from data mining. Critics have also pointed out that privacy-by-policy approaches can sometimes amount to privacy promises that a company may or may not keep.

Another shortcoming of the FIPs and the privacy-by-policy approach is that they are effective only in systems that collect personal data. The FIPs lose relevance as soon as they are introduced into systems that collect little or no personal data, or in systems that were designed with privacy-friendly architectures.

Finally, critics argue that not all individuals will share the same privacy preferences. Some variables include place, social context (i.e. situation, identity, time) and culture, which all influence the way an individual will value and give meaning to the notion of privacy.

Privacy-by-Architecture

While a privacy-by-policy approach fails to consider the potential for strong attacks (e.g. identity thieves, hackers, etc.), a privacy-by architecture approach is designed with such risks in mind. The goal of a privacy-by-architecture approach is to design for the non-identifiability of users and provide strong guarantees of privacy. In this model, even if attackers gain access to the data, no personally identifiable information can be created with reasonable effort. The privacy-by-architecture approach offers users higher levels of privacy, in a more reliable manner.

The privacy-by-architecture approach relies on the following techniques:

a) Anonymity-based techniques – Such techniques are focused on making an individual’s identity or personal information not identifiable. However, these techniques do not guarantee that pseudonyms cannot be linked back to the individual with some effort.

b) Obfuscation-based techniques – In order to make it more difficult to link de-identified information back to individuals, obfuscation-based techniques disguise location and time information by decreasing precision/accuracy and adding confusion to the data.

Characteristics of a system designed with a privacy-by-architecture approach include:

- No unique identifiers across databases

- No common attributes across databases

- Random identifiers

- Contact information is not stored with profile/transaction information

- Collection of long-term person characteristics on a low level of granularity

- Technically-enforced deletion of profile details at regular intervals

Summary

This article takes a look at two approaches to privacy protection: privacy-by-policy and privacy-by-architecture. The former approach relies on the Fair Information Practice principles (FIPs) to offer users privacy information and privacy choices. Privacy-by-architecture approaches utilize stronger privacy protections and technologies based on anonymity and obfuscation techniques to secure user data. While these approaches have their differences, experts suggest that hybrid solutions may be practical, satisfying the needs of businesses, while minimizing the privacy risks of individuals.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Fair Information Practice Principles in System Design (I.G.)
• Privacy Protection Mechanisms: Privacy by Policy (III.A.)
• Notice and Choice (III.A.a.)
• Privacy Protection Mechanisms: Privacy by Architecture (III.B.)
• Anonymization (III.B.a.i.)
• Pseudonymization (III.B.a.ii.)
• Privacy-Enhancing Technologies (III.B.c.)

What is online tracking?

Online tracking is an advertising method which develops tailored ads based on information that has been gathered about the consumer. Tracking allows advertisers to accurately match consumers to products, thus increasing the effectiveness of the ads. This means that companies to charge a premium for such precisely-targeted ads. According to EMarketer Inc., a New York-based research company, the US market for targeted advertising may grow 21% in 2011, to $1.35 billion, from $1.12 billion in 2010.

In December 2010, the Federal Trade Commission (FTC) issued a report endorsing “Do Not Track” initiatives that would offer users a way to opt out of personalized advertising. While advertising companies that are part of the Network Advertising Initiative (NAI) allow users to opt out of online tracking, once customers clear browser cookies, any settings that have been customized are lost.

Firefox: Do-Not-Track Header

In January 2011, Mozilla proposed a Do-Not-Track feature in Firefox which allows users to inform websites that they would like to opt-out of third party tracking. This is done through the transmission of a Do-Not-Track HTTP header whenever user data is requested from the web. The header can be enabled or disabled when the user wishes, supposedly providing granular control over which websites are allowed to collect data. While any browser can be configured to send a Do-Not-Track header, every website must be modified in order to accept it.

Alex Fowler, Mozilla’s technology and privacy officer commented that the challenge of the Do-Not-Track header “is that it requires both browsers and sites to implement it to be fully effective. Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.”

Chrome: Online Tracking Tool

On January 24, 2011, Google announced the release of a new tool known as Keep My Opt-Outs, which allows users to opt out of online tracking. The Keep My Opt-Outs browser extension applies to all companies and online ad networks which offer opt-outs as a result of industry self-regulation programs. Currently, over 50 companies are members of such associations that offer opt-outs through such programs. Basically, Google’s extension determines if a cookie originates from a blacklisted targeted advertising provider and either blocks or allows it.

Google’s product managers claim, “We’ve designed the [Keep My Opt-Outs] extension so that it should not otherwise interfere with your web browsing experience or website functionality. This new feature gives you significant control without compromising the revenue that fuels the web content that we all consume every day.”

Internet Explorer: Tracking Protection

Some observers are convinced that Microsoft’s Internet Explorer Tracking Protection is perhaps the most user-friendly method for preventing online tracking. This security feature is planned for the first release candidate of Internet Explorer 9, currently available in beta version. The Tracking Protection feature uses a list to determine which third party page elements can/cannot be blocked from tracking.

In December 2010, Dean Hachamovitch, the head of Internet Explorer development, described how Tracking Protection would work:

“A Tracking Protection List (TPL) contains Web addresses (like msdn.com) that the browser will visit (or “call”) only if the consumer visits them directly by clicking on a link or typing their address. By limiting the calls to these Web sites and resources from other Web pages, the TPL limits the information these other sites can collect.

You can look at this as a translation of the “Do Not Call” list from the telephone to the browser and web. It complements many of the other approaches being discussed for browser controls of Do Not Track.”

Other ways to resist online tracking…

While the FTC assesses the efficacy and usability of tracking-minimizing tools, privacy experts have a number of other recommendations for reducing and resisting online tracking.

• Advertising companies use cookies to track users’ online activity. Remove and block these ad-related cookies.
• Remove Flash cookies, which are a type of supercookie that can contain more information, web beacons and web bugs. Such cookies must be removed through Adobe’s online Flash Player page.
• Use specialized software to remove and prevent tracking programs. Recommended titles include: Taco by Abine; Better Privacy for Firefox; Ghostery for Firefox; CCleaner; and NoScript for Firefox and Chrome.
• InPrivate Filtering, a feature for Internet Explorer 8, prevents data from traveling between users’ computers and third parties who frequently request data.
• Users should be cautious when giving personal information online (e.g. registration forms, social networking sites, surveys). Such information will most likely be used to customize online ads.
• Users can use several search engines to conduct online searches. Users may want to consider using different companies for searching and web-based email services.
• Certain search engines, such as Scroogle.org, enables users to search using Google, without the risk of being tracked and without the inconvenience of viewing ads.
• Use a dynamic IP address, or periodically reset the IP address by disconnecting and connecting the modem.

Summary

This article focuses on online tracking, an advertising practice in which advertising companies use information about users to more accurately match consumers with products. In late 2010, the Federal Trade Commission released a report encouraging the development of do-not-track mechanisms. Three major internet browser providers – Mozilla, Google and Microsoft – have recently responded with their solutions to the problem of online tracking. The article introduces Mozilla’s Firefox do-not-track header, Google’s Chrome online tracking tool and Microsoft’s Internet Explorer Tracking Protection feature, as well as other practices users may consider in order to reduce online tracking.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Sensitive Personal Information (I.A.b.)
• Privacy Concerns – The Consumer Perspective (II.A.a.)
• Unsolicited Marketing (II.A.e.)
• Privacy Protection – Notice and Choice (III.A.a.)
• Web Cookies (III.B.c.i.)
• Web Browser Controls (III.B.c.v.)
• Explicit and Implicit Consent – Opt-In vs. Opt-Out (IV.B.i.1.; IV.B.i.2.)

The Fair Information Practice Principles

Notice/Awareness

Individuals should receive notice of an entity’s privacy practices prior to the collection of personally identifiable information. Notice allows individuals to make informed choices regarding the use of the personal information. A privacy notice must include:

• A legitimate name and physical address of the entity collecting the data
• The type of data collected
• How collected data will be used
• Any potential third party disclosure of personal information
• Any potential secondary use of personal information

Choice/Consent

Individuals must be able to consent or reject to certain uses of their personal information, particularly with regard to secondary uses and marketing purposes. Two main mechanisms are used to provide consumer with consent options:

• Opt in: Require affirmative consent from the individual. In other words, action must be taken by the individual to START the processing of personal information for secondary uses or disclosures. This may include signing up to receive marketing newsletters, special offers and similar types of communications.
• Opt Out: Requires the implicit consent of the individual. Here consent is assumed because the individual has not stated a desire otherwise. In other words, action must be taken by the individual to STOP the processing of personal information for secondary uses or disclosures. This may include opting out of third party advertising

An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.

Access/Participation

An individual must be able to view the data an entity has on record. They must also be allowed to correct an incomplete or false information contained in their file. Access to data must be granted within a reasonable time frame and at a minimal cost.

Integrity/Security

Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats using greater resources and stronger protections.

Enforcement/Redress

An individual must be able to file complaints with the entity have their issues addressed.   Furthermore there should be a mechanism in place to ensure compliance with the above standards, either through self or government regulation.

Enforcement of Privacy Practices

The Fair Information Practice Principles are suggestions to guide the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not enforceable. However, there are many privacy laws(see below) which make use of the Fair Information Practices to protect personal information.

The United States supports the use of self-regulation to enforce Fair Information Practices. Theoretically, informed consumers will choose to use businesses that implement the Fair Information practices and ensure the protection of their information, forcing those business that do not guarantee such protections out of business. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing consumers with a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.

The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately regulating consumer protection. At the same time, many businesses believe implementing stronger guidelines or regulations would be too costly and detrimental to the growth of business. For now, the United States continues to use a sectoral approach, developing privacy laws as needed.

Laws Using the Fair Information Practice Principles to regulate Privacy

• Fair Credit Reporting Act– Regulated by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. Requires Notice of disclosure and adverse action, as well as the ability for a consumer to access and rectify inaccuracies in their consumer reports.
• Right to Financial Privacy Act– Protects the privacy of customers using financial institutions from government searches (with exceptions.) RFPA restricts government access to financial records without the individual’s consent or meeting one of the specified exemptions from the rule.
• Children’s Online Privacy and Protection Act–Protects against the collection, use and disclosure of the personal information of children under 13 without parental notice and consent.

Summary:

The Fair Information Practice Principles form the backbone of privacy laws in the United States. Though the principles put forth by the FTC are only considered guidelines, there are some laws that have turned the guidelines into law and even more businesses which choose build trust with consumers by ensuring their privacy through self regulation of the Fair Information Practice Principles. Understanding the principles and their implementation is one of the core concepts all privacy professionals need to know.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Privacy Principles and Definitions including Fair Information Principles(I.B.a.i.)

What is Choice/Consent?

Choice/Consent is the second of five Fair Information Practices published by the FTC to guide the collection, use and disclosure of personal information. The FTC states,“At its simplest, choice means giving consumers options as to how any personal information collected from them may be used.”

There are two forms of consent exercised by individuals.

Opt-in requires the affirmative consent of the individual. The user must take action to allow a business to process their information and provide a product or service. For example, a user may visit a website and submit their email or check a box with their registration to receive the site’s email newsletter.

Opt-out requires the implicit consent of an individual. Since a user has not taken action to stop the processing of their information, they are said to give implicit (unspoken or assumed) consent. When a user receives marketing messages in their mailbox they no longer wish to receive, they may unsubscribe from the newsletter. This is consider opting-out.

The use of the choice/consent mechanism as the main regime for protecting personal information has been widely criticized. It is believed that many consumers are not aware or educated enough in privacy law to understand their rights and ability to control information.

Secondary Use of Information

The FTC defines secondary use as “uses beyond those necessary to complete the contemplated transaction.” Companies are required by law to state in their privacy policies any secondary uses of information including whether it may be disclosed to third parties.

The control of personal information with regard to marketing is the most common implementation of choice/consent. It is used to control the receipt of marketing messages, the use and disclosure of information to third parties, and the collection of information through cookies in order to create tailored advertising. Though the disclosure of information may be necessary to complete a transaction with a company, an individual is allowed to object to any and all secondary use or disclosure of their information.

Mandatory vs. Optional Data Collection

Mandatory is any information that is necessary to complete the immediate transaction. Optional information includes any information an entity may wish to collect about an individual for internal purposes, but is not required to complete the immediate transaction. In a web form, mandatory field must be filled in before the form can be submitted. Optional fields may be left blank or unanswered and the form will still process. By completing optional information fields, an individual is giving their consent to the collection and use of such information.

Businesses practicing responsible information privacy will limit the collection of information, especially that which is optional because the more information collected, the greater the risk to privacy.

Choice/Consent and Regulations

The CAN-SPAM Act of 2003 regulates email marketing messages in the U.S. In addition to content regulations, the CAN-SPAM Act requires all marketing messages to have an unsubscribe mechanism at the bottom and that consumer requests be honored with ten days.

The European Data Directive addresses consent in Article 7 which requires data subject consent for the processing of data, though consent is not required for a few, specific situations. It is also addressed in Article 14 which guarantees the data subjects right to object to the processing of data. Furthermore, Article 8 requires the explicit consent of a data subject to process sensitive information such as racial or ethnic origins, political or religious beliefs, sexual orientation, health information, or trade union membership.

Almost all data protection laws allow individuals the opportunity to make choices regarding the use of their personal information.

In Conclusion:

Choice/Consent deals with an individual’s ability to control the use of their information. Because, as of now, the choice/consent regime is the major framework for protecting privacy in many industries, it is the duty of the consumer to read privacy practices and make informed decisions regarding how they wish their information to be used.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• The Collective View of Privacy Principles: Choice/Consent (I.E.ii)
• Privacy Considerations Online including choice and consent, secondary use of data and mandatory vs. optional information. (III.B.c.i-iii.)