<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Notice</title> <atom:link href="http://www.cippguide.org/tag/notice/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Thu, 02 Feb 2012 12:00:03 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Privacy Engineering: Privacy-by-Policy vs. Privacy-by-Architecture</title><link>https://www.cippguide.org/2011/09/06/privacy-engineering-privacy-by-policy-vs-privacy-by-architecture/</link> <comments>https://www.cippguide.org/2011/09/06/privacy-engineering-privacy-by-policy-vs-privacy-by-architecture/#comments</comments> <pubDate>Tue, 06 Sep 2011 12:00:58 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[anonymity]]></category> <category><![CDATA[Choice]]></category> <category><![CDATA[FIP]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[obfuscation]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[privacy by architecture]]></category> <category><![CDATA[privacy by policy]]></category> <category><![CDATA[privacy engineering]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2557</guid> <description><![CDATA[There are two main approaches to engineering privacy protection: privacy-by-policy and privacy-by-architecture. Privacy-by-policy relies on the Fair Information Practices and notice and choice. Privacy-by-architecture leverages privacy protective technologies. While they are normally considered dichotomous, privacy experts recommend a hybrid approach that integrates these two [...]]]></description> <content:encoded><![CDATA[<p>A number of regulatory requirements and consumer concerns are driving organizations to consider how to make their policies more privacy-friendly. Companies are also coming up against the conflicts between privacy protection and the business need to leverage data. In light of privacy scandals and the resulting increase in public interest in privacy protection, this issue is becoming more significant for decision-makers in organizations of all sizes. This article takes a look at how privacy can be engineered into organizational systems and practices in two ways: privacy-by-policy and privacy-by-architecture.</p><p>Privacy-by-policy and privacy-by-architecture are two concrete approaches to privacy engineering. While they are often seen as separate practices, privacy researchers <a
href="http://web.me.com/sspiek/Website/Prof._Dr._Sarah_Spiekermann.html">Sarah Spiekermann</a> and <a
href="http://lorrie.cranor.org/">Lorrie Faith Cranor</a> argue that they may actually be complementary, with a privacy-by-policy approach filling the gaps where a privacy-by-architecture strategy cannot be implemented.</p><p><strong>Privacy-by-Policy</strong></p><p>The privacy-by-policy approach to privacy protection is mainly a “<a
href="http://www.cippguide.org/tag/notice/">notice</a> and <a
href="http://www.cippguide.org/tag/choice/">choice</a>” approach, with a foundation in the <a
href="http://www.cippguide.org/tag/ftc/">FTC</a>’s <a
href="https://www.cippguide.org/2010/01/18/fair-information-practices-principles/">Fair Information Practice Principles</a> (FIPs). These principles focus on end-user notice and choice rather than on other strategies, such as minimizing the collection of data or limiting its acceptable uses. This approach acknowledges that companies are unlikely to stop collecting or using customer data, while at the same time recognizing that individuals want to retain control over how their data is used. For this reason, and because it is largely non-intrusive, the privacy-by-policy approach has been implemented by many businesses.</p><p>The objectives of the FIPs are summarized below:</p><ul><li>Inform users about the data being collected</li><li>Present choices for sharing data (e.g. secondary uses of data)</li><li>Give users access to their data for review, correction and removal</li><li>Protect the security of the data</li></ul><p><strong>Criticisms of a Privacy-by-Policy Approach</strong></p><p>The privacy-by-policy approach is founded on trust-based mechanisms that protect sensitive data from accidental disclosure or misuse. However, it rests on the assumptions that companies can be trusted to handle individuals’ personal information and that privacy policies and regulations are enforceable. Policies and regulations can fail to deter stronger adversaries, for instance malicious hackers, or companies that stand to benefit financially from data mining. Critics have also pointed out that privacy-by-policy approaches can sometimes amount to privacy promises that a company may or may not keep.</p><p>Another shortcoming of the FIPs and the privacy-by-policy approach is that they are effective only in systems that collect personal data. 
The FIPs lose relevance as soon as they are introduced into systems that collect little or no personal data, or into systems that were designed with privacy-friendly architectures.</p><p>Finally, critics argue that not all individuals share the same privacy preferences. Variables such as place, social context (i.e. situation, identity, time) and culture all influence the way an individual values and gives meaning to the notion of privacy.</p><p><strong>Privacy-by-Architecture</strong></p><p>While a privacy-by-policy approach fails to consider the potential for strong attacks (e.g. identity thieves, hackers, etc.), a privacy-by-architecture approach is designed with such risks in mind. The goal of a privacy-by-architecture approach is to design for the non-identifiability of users and to provide strong guarantees of privacy. In this model, even if attackers gain access to the data, no <a
href="http://www.cippguide.org/tag/pii/">personally identifiable information</a> can be derived from it with reasonable effort. The privacy-by-architecture approach offers users higher levels of privacy in a more reliable manner.</p><p>The privacy-by-architecture approach relies on the following techniques:</p><p>a) <strong>Anonymity-based techniques</strong> – Such techniques focus on making an individual’s identity or personal information non-identifiable. However, they do not guarantee that pseudonyms cannot be linked back to the individual with some effort.</p><p>b) <strong>Obfuscation-based techniques</strong> – In order to make it more difficult to link de-identified information back to individuals, obfuscation-based techniques disguise location and time information by decreasing its precision and accuracy and adding confusion to the data.</p><p>Characteristics of a system designed with a privacy-by-architecture approach include:</p><ul><li>No unique identifiers across databases</li><li>No common attributes across databases</li><li>Random identifiers</li><li>Contact information is not stored with profile/transaction information</li><li>Collection of long-term personal characteristics at a low level of granularity</li><li>Technically enforced deletion of profile details at regular intervals</li></ul><h3>Summary</h3><p>This article takes a look at two approaches to privacy protection: privacy-by-policy and privacy-by-architecture. The former relies on the Fair Information Practice Principles (FIPs) to offer users privacy information and privacy choices. Privacy-by-architecture approaches utilize stronger privacy protections and technologies, based on anonymity and obfuscation techniques, to secure user data. 
While these approaches have their differences, experts suggest that hybrid solutions may be practical, satisfying the needs of businesses, while minimizing the privacy risks of individuals.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Fair Information Practice Principles in System Design (I.G.)</li><li>Privacy Protection Mechanisms: Privacy by Policy (III.A.)</li><li>Notice and Choice (III.A.a.)</li><li>Privacy Protection Mechanisms: Privacy by Architecture (III.B.)</li><li>Anonymization (III.B.a.i.)</li><li>Pseudonymization (III.B.a.ii.)</li><li>Privacy-Enhancing Technologies (III.B.c.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/09/06/privacy-engineering-privacy-by-policy-vs-privacy-by-architecture/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Components of a Privacy Policy</title><link>https://www.cippguide.org/2011/08/09/components-of-a-privacy-policy/</link> <comments>https://www.cippguide.org/2011/08/09/components-of-a-privacy-policy/#comments</comments> <pubDate>Tue, 09 Aug 2011 17:00:41 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Information Security]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[privacy by policy]]></category> <category><![CDATA[privacy policy]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2593</guid> <description><![CDATA[Enterprise privacy policies and privacy programs are essential. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step in ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and [...]]]></description> <content:encoded><![CDATA[<p>It seems that <a
href="http://en.wikipedia.org/wiki/Privacy_policy">privacy policies</a>, notices and statements are everywhere these days. Given the increased public interest and more stringent <a
href="https://www.cippguide.org/tag/legislation/">legislation</a> on <a
href="http://www.cippguide.org/tag/infosec/">information security</a> and privacy protection, these privacy-friendly mechanisms are becoming more and more important on websites and online services. Generally, privacy policies, privacy notices and privacy statements tend to follow a specific format and use the same vocabulary and style.</p><p>It’s important to ensure that website privacy policies correctly address the specific legal issues and technical implications of the company. There are numerous types of privacy policies out there: some apply to online data; others apply to data collected by financial institutions; others deal with the collection of information from children under the age of 13; and others apply to individuals protected under foreign laws. There is no ‘one size fits all’ approach to developing a sound privacy policy.</p><p><strong>Enterprise Privacy Programs</strong></p><p>Developing and maintaining enterprise-wide privacy programs requires top-down cooperation and collaboration among the different individuals in an enterprise.</p><p>According to United States privacy legislation, all companies involved in obtaining, maintaining, using and/or disclosing personal information about consumers ought to adopt a privacy policy. Privacy policies are documents in which companies state their information practices. Such documents keep organizations accountable to a formal set of privacy practices. Companies may be the subject of an <a
href="http://www.cippguide.org/tag/FTC/">FTC</a> action or a lawsuit if their privacy practices do not accurately reflect those stated in their privacy policy.</p><p>Standardization of enterprise privacy programs has become more and more of an issue in recent years. Even though enterprise privacy policies are primarily intended for internal use, standardizing them brings numerous advantages:</p><ul><li>Technical parts of regulations could be encoded into a standardized language</li><li>Enterprises with heterogeneous repositories of personal data could develop consistent enforcement tools to ensure compliance with internal privacy practices</li></ul><p><strong>Components of a Privacy Policy</strong></p><p>There are three main categories of information in a privacy policy:</p><p><strong>1. Policy Identification Details</strong></p><p>This section defines the policy name, version and description.</p><p><strong>2. P3P-Based Components</strong></p><p>This section defines the policy attributes that would apply if the policy were exported to a <a
href="https://www.cippguide.org/tag/p3p/">P3P</a> format. Such attributes include policy URLs, organization information, <a
href="https://www.cippguide.org/tag/PII/">PII</a> access and dispute resolution procedures.</p><p><strong>3. Policy Statements and Related Elements: Groups, Purposes and PII Types</strong></p><p>Policy statements define which individuals are able to access certain types of information, for certain pre-defined purposes.</p><p>Another way to classify the components of a privacy policy is outlined below.</p><ul><li><strong>Notice</strong> – Companies should provide consumers with clear, conspicuous notice that accurately describes their information practices.</li><li><strong>Consumer Choice</strong> – Companies should provide consumers with the opportunity to decide (in the form of opting out) whether the company may disclose their personal information to unaffiliated third parties.</li><li><strong>Access and Correction</strong> – Companies should provide consumers with the opportunity to access and correct the personal information collected about them.</li><li><strong>Security</strong> – Companies must adopt reasonable security measures in order to protect the privacy of personal information. Possible security measures include administrative, physical and technical security.</li><li><strong>Enforcement</strong> – Companies should have systems through which they can enforce the privacy policy. These may be managed by the company or by an independent third party that ensures compliance. Examples include <a
href="https://www.cippguide.org/tag/bbbonline/">BBBOnLine</a> and <a
href="https://www.cippguide.org/tag/truste/">TRUSTe</a>.</li></ul><p><strong>Consumer’s Point of View</strong></p><p>From a consumer’s point of view, the fact that a website has a privacy policy does not necessarily guarantee the security of the personal information. No privacy policy can definitively ensure the security of your information or bind a company to those specific practices; however, certain policies are better than others. A privacy policy should provide the consumer with a sense of transparency regarding the company.</p><p>Some important things that a consumer should consider when looking for a good privacy policy include:</p><ul><li>What personal information is being collected?</li><li>How will your personal information be used?</li><li>How will your personal information be stored?</li><li>Are there security measures protecting your personal information?</li><li>How long will your personal information be kept by the company?</li><li>Will your personal information be shared with others?</li><li>How can you contact the company?</li></ul><p><strong>Summary</strong></p><p>This article takes a look at the importance of enterprise privacy policies and privacy programs. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step in ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and enforcement. 
The article also lists some considerations consumers should take when assessing the reliability of a company’s privacy policy.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Personally Identifiable Information (PII) (I.A.a.)</li><li>Consumer privacy concerns (II.A.a.)</li><li>Organizational privacy practices (II.A.b.)</li><li>Prominent notice and opt-in consent (II.B.b.)</li><li>Privacy mechanisms – privacy by policy (III.A.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/08/09/components-of-a-privacy-policy/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Android Phones Secretly Tracking Users?</title><link>https://www.cippguide.org/2011/07/12/android-phones-secretly-tracking-users/</link> <comments>https://www.cippguide.org/2011/07/12/android-phones-secretly-tracking-users/#comments</comments> <pubDate>Tue, 12 Jul 2011 17:00:06 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[data collection]]></category> <category><![CDATA[Google]]></category> <category><![CDATA[location data]]></category> <category><![CDATA[mobile devices]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[PII]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2589</guid> <description><![CDATA[In April 2011, Google was at the center of public scrutiny, after security experts, researchers and hackers revealed that its Android mobile devices were continuously collecting users’ location data. Contrary to Google’s claims, it was discovered that this information was tied to a numerical identifier. This article looks at numerous responses to this discovery, in the US and [...]]]></description> <content:encoded><![CDATA[<p>Anyone following information security news will be aware of the string of data breaches and discoveries of privacy-invasive practices by numerous high-profile companies, including Sony, Apple and Google. Both Apple and Google have recently been embroiled in a public debate about mobile device privacy and user awareness of their practices.</p><p><strong>Google’s Continuous Data Collection</strong></p><p>In April, Google was forced to address user concerns about the location data it collects from its <a
href="http://www.android.com/">Android</a> phones. Security experts, researchers and hackers learned that certain Android phones were covertly sending streams of location data back to Google. This ran counter to the previous belief that the phones sent back only occasional pings from specific location-based apps.</p><p><a
href="http://samy.pl/androidmap/">According to Samy Kamkar</a>, security researcher and hacker, the information Google was collecting was not anonymous; rather, it contained a unique identifier tied to the user’s phone. Google uses the data to build its database of Wi-Fi router locations, which other Android phones then use to obtain location fixes. The location data is also used to add traffic data to Google Maps.</p><p><strong>Responses &amp; Challenges</strong></p><p>According to a <a
href="http://www.mobiledia.com/news/87993.html">Google spokesman</a>, “We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices.” Google has also acknowledged the scope of information it collects from users, which includes current GPS location, timestamps, nearby Wi-Fi network addresses and device IDs. The company pointed out that all these practices were opt-in and that it was possible for users to disable the GPS feature. However, doing so would significantly diminish the functionality of their location-based services.</p><p>In a May 2011 US Senate subcommittee meeting on mobile data collection, Alan Davidson, Google’s director of public policy for the Americas, <a
href="http://www.clickz.com/clickz/news/2072622/growing-scrutiny-mobile-collection">said</a> that his company supports the development of a legal privacy framework that can “ensure broad-based user trust and that will support continued innovation.”</p><p>The company has also pointed out that the location data it collects is completely anonymized, contrary to reports that such data contains a unique identifier that is tied to the phone. In response, Google said the identifier is tied to the location, rather than the handset. However, the company admitted that the identifying number can be changed by doing a “factory reset” of the Android device, which means that this number remains consistent until that happens. Until the phone is reset, this number is effectively an identifier for the phone.</p><p><strong>Reactions</strong></p><p>In response to Google’s practices, two women from Michigan <a
href="http://www.detnews.com/article/20110428/METRO02/104280446/1361/Oakland-County-women-sue-Google-over-Android-s-tracking-software">filed a lawsuit</a> in US District Court in Detroit on April 26, 2011. The $50 million lawsuit is an attempt to stop Google from selling phones with location-tracking software. <a
href="http://news.cnet.com/8301-27080_3-20058493-245.html">According to Steven Budaj</a>, the lawyer representing the case on behalf of plaintiffs Julie Brown and Kayla Molaski, the tracking of Android owners’ locations “puts users at serious risk of privacy invasions, including stalking.” The plaintiffs are also seeking class action status for their lawsuit. Thus far, Google has not commented on the lawsuit.</p><p><strong>Worldwide Reaction</strong></p><p>In South Korea, Google Inc.’s office was raided in early May, based on suspicions that <a
href="http://www.admob.com/">AdMob</a> (Google’s mobile advertising unit) was illegally collecting user location data without consent. According to a South Korean police spokesperson, “We suspect AdMob collected personal location information without consent or approval from the Korean Communication Commission.”</p><p>A spokesman from Google confirmed that the police did visit the Seoul office and that the company was cooperating with the investigation. This event highlighted recent and growing concerns in South Korea about the potential misuse of private information, along with the increased use of mobile devices such as smartphones and tablets. Furthermore, Google has been the subject of a number of law enforcement investigations in the United States, Britain, France, Singapore and Switzerland over its controversial data collection practices.</p><p><strong>Summary</strong></p><p>In April 2011, Google was at the center of public scrutiny, after security experts, researchers and hackers revealed that its Android mobile devices were continuously collecting users’ location data. Contrary to Google’s claims, it was discovered that this information was tied to a numerical identifier. 
This article looks at numerous responses to this discovery, in the US and abroad.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Personally Identifiable Information – PII (I.A.a.)</li><li>Methods of Data Collection (I.B.a.)</li><li>Consumer Privacy Concerns (II.A.a.)</li><li>Phone-Home Software (II.A.l.i.)</li><li>Prominent &amp; Inconspicuous Notice (IV.A.)</li><li>Location-Based Services (VI.E.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/07/12/android-phones-secretly-tracking-users/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Facebook’s Data-Sharing Mistake</title><link>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/</link> <comments>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/#comments</comments> <pubDate>Thu, 20 Jan 2011 12:00:10 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Social Networking]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2430</guid> <description><![CDATA[On Tuesday, January 18, 2011, Facebook announced its decision to suspend the controversial feature allowing developers to access users’ home addresses and mobile numbers. The announcement comes just days after the social networking website decided to share users’ contact information with third-party app developers. Privacy watchdogs have long decried Facebook’s privacy and security failings, which have affected its over 500 million users [...]]]></description> <content:encoded><![CDATA[<p>On Tuesday, January 18, 2011, Facebook <a
href="http://developers.facebook.com/blog/post/447">announced</a> its decision to suspend the controversial feature allowing developers to access users’ home addresses and mobile numbers. The announcement comes just days after the social networking website decided to <a
href="http://www.thedrum.co.uk/news/2011/01/18/17715-facebook-embroiled-in-fresh-privacy-controversy/">share users’ contact information</a> with third-party app developers. Privacy watchdogs have long decried Facebook’s <a
href="http://en.wikipedia.org/wiki/Criticism_of_Facebook">privacy and security failings</a>, which have affected its over 500 million users worldwide.</p><p>In a statement on its <a
href="http://developers.facebook.com/blog/post/446">Developer Blog</a>, Facebook said:</p><p>“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready.”</p><h2>Data-Sharing Decision &amp; Responses</h2><p>The original decision to share user information came on Friday, January 14 2011. Facebook <a
href="http://developers.facebook.com/blog/post/447">pointed out</a> that the new feature would allow a user to “easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone.”</p><p>The surprising decision triggered a public backlash against Facebook’s privacy practices. Although app developers could only gather contact information if users had allowed them to do so, observers pointed out that users are often confronted with too many apps that are deceptive about the access they request.</p><p>It is also commonly known that many users click through permission dialog boxes without pausing to read their contents. Inundated with too many permission requests, users respond to constant dialog boxes by agreeing to everything without considering the potential negative consequences.</p><p>Critics responded strongly to Facebook’s new data-sharing practices. The marketing and media site <a
href="http://www.thedrum.co.uk/news/2011/01/18/17722-facebook-performs-u-turn-over-personal-data-sharing/">The Drum commented</a>:</p><p>“[This] raises questions as to how an organization, which ought to have been sensitive to privacy concerns following previous controversies, could have launched such an unheralded change, on a Friday evening, without fully thinking through the consequences.”</p><p>Graham Cluley, a technology consultant with the IT security firm Sophos, <a
href="http://nakedsecurity.sophos.com/2011/01/16/rogue-facebook-apps-access-your-home-address-mobile-phone-number/">called the new practices a “recipe for disaster,”</a> pointing to the array of scam applications that have overrun the social network.</p><h2>Suggested alternatives</h2><p>Commenters suggested that Facebook ought to pre-approve developers before they are able to gain access to users’ information. The suggested approval process would be similar to the compulsory verification system for iPhone apps. According to a recent <a
href="http://www.facebook.com/SophosSecurity">Sophos poll</a>, over 95% of respondents supported the idea of Facebook verification of all apps before they are released to users. Currently, Facebook app developers only need to verify their accounts by confirming their mobile number or credit card information. After this process, they can write and release any application they like.</p><p>While Facebook does not currently offer this feature, many recommend that the network check applications written for its platform to ensure that they are not malicious. As this verification is not done, it is common to see many “<a
href="http://nakedsecurity.sophos.com/tag/rogue-application/">rogue applications</a>” appear across the social network. Such apps include revenue-generating survey scams, redirection of users’ browsers to malicious sites, spamming from a user’s account or stealing personal information.</p><p>Others suggested that users’ contact information could only be accessed if it was necessary for the purposes of the application. At the very least, the application should specifically request users’ permission before gathering their information. Facebook’s announcement on Friday evening led to many users removing their home address and mobile number from their profiles, as an immediate measure.</p><h3>Summary</h3><p>This article takes a look at Facebook’s January 14, 2011 decision to share user data with its applications developers. In the face of negative media coverage and public outcry, the social networking site was forced to reverse the changes only three days later. Many users and critics were uncomfortable with the fact that developers were able to access personal information such as their home address and mobile numbers. 
This article also looks at why this practice is especially problematic, especially in light of Facebook’s developer and applications policies.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy Concerns – Organizational Practices (II.A.b.)</li><li>Privacy Expectations – Prominent Notice &amp; Opt-In Consent (II.B.b.)</li><li>Social Networking Services – System Designs (VI.C.i.)</li><li>Social Networking Services – Privacy Controls (VI.C.ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/01/20/facebook%e2%80%99s-data-sharing-mistake/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Recommendations for Identity Theft Related Data Breach Notification</title><link>https://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/</link> <comments>https://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/#comments</comments> <pubDate>Tue, 20 Apr 2010 12:00:45 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[account number]]></category> <category><![CDATA[biometric]]></category> <category><![CDATA[Chief Legal Officer]]></category> <category><![CDATA[CIO]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[CPO]]></category> <category><![CDATA[credit bureau]]></category> <category><![CDATA[credit report]]></category> <category><![CDATA[data breach]]></category> <category><![CDATA[driver's license]]></category> <category><![CDATA[Identity Theft]]></category> <category><![CDATA[Inspector General]]></category> <category><![CDATA[Notice]]></category> 
<category><![CDATA[Office of Management and Budget]]></category> <category><![CDATA[OMB]]></category> <category><![CDATA[Personally Identifiable Information]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[pin]]></category> <category><![CDATA[Presidential Identity Theft Task Force]]></category> <category><![CDATA[security code]]></category> <category><![CDATA[Social Security Number]]></category> <category><![CDATA[SSN]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1443</guid> <description><![CDATA[In September 2006, The Office of Management and Budget issued a memorandum suggested by the President’s Identity Theft Task Force to help government departments and agencies adequately protect data. What is Identity Theft? Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financially related fraud. This is achieved either by using financial account information or using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity [...]]]></description> <content:encoded><![CDATA[<p>In September 2006,<a
href="http://www.whitehouse.gov/OMB/memoranda/.../task_force_theft_memo.pdf"> The Office of Management and Budget issued a memorandum</a> suggested by the <a
href="http://www.idtheft.gov/">President’s Identity Theft Task Force</a> to help government departments and agencies adequately protect data.</p><p><strong>What is Identity Theft?</strong></p><p>Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financially related fraud. This is achieved either by using financial account information or using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity theft.</p><p>The President’s Identity Theft Task Force made the following recommendations:</p><p><strong>Data Breach Planning</strong></p><p>Effective information security requires building contingency plans in the event a data breach occurs. Each agency should select a number of appropriate individuals to be part of a data breach response group that convenes after any potential or confirmed data breach has been identified.</p><p>This group should include at minimum:</p><ul><li>Chief Information Officer</li><li>Chief Legal Officer</li><li>Chief Privacy Officer</li><li>Senior management official</li><li>Agency’s Inspector General</li></ul><p>This group should meet initially to develop basic contingency plans to be automatically implemented when a breach occurs, and reconvene as necessary in response to security incidents.</p><p><strong>Identifying an Incident that Presents Identity Theft Risk and the Level of Risk Involved</strong></p><p>Not all data breaches result in an identity theft risk. 
When a security breach occurs, agencies must determine on a case-by-case basis whether there is a risk of identity theft and the level of that risk.</p><p>What constitutes an identity theft risk?</p><ul><li>Unauthorized disclosure of an individual’s <strong><a
href="http://www.ssa.gov/pubs/10064.html">Social Security Number</a></strong></li><li>Unauthorized disclosure of an individual’s name, address or telephone number with<ul><li>a government identifier (i.e., driver’s license)</li><li>a biometric record</li><li>a financial account number with the PIN or security code</li><li>any information that particularly identifies an individual, such as a relationship with a financial institution or club membership</li></ul></li></ul><p>When such information has been compromised, the following criteria should be used to determine the level of risk of identity theft:</p><ul><li>the level of difficulty an unauthorized individual would have in using the information</li><li>how the data loss occurred, including whether it may be considered or related to criminal activity</li><li>the ability of the agency to counteract or prevent abuse of the information</li><li>evidence that the compromised information has been used to commit fraud related to identity theft</li></ul><p><strong>Reducing Risk After Disclosure</strong></p><p>When a data breach has occurred and a risk of identity theft has been determined, measures should be taken by both the affected individual and the agency to minimize the abuse of the information. Responses may vary depending on the type of information compromised and the level of risk determined by the agency.</p><p><a
href="http://www.ncpc.org/cms/cms-upload/prevent/files/idtheftrev.pdf">Individual actions may include:</a></p><ul><li>Closing affected financial accounts</li><li>Monitoring financial accounts</li><li>Requesting and monitoring their credit report</li><li>Placing a fraud alert with the credit bureaus</li><li>Placing a credit freeze on their credit account</li><li>Increasing identity theft awareness by watching for criminals offering credit assistance who may just be attempting to obtain more PII</li></ul><p>Agency actions may include:</p><ul><li>Notifying banks if government-authorized credit cards or government payments are involved</li><li>Performing data breach analysis to determine whether a data breach has resulted in identity theft</li><li>Providing credit monitoring services to affected individuals</li><li>Notifying law enforcement officials</li></ul><p><strong>Providing Notice to Those Affected</strong></p><p>Agencies are not required to notify affected individuals after <em>any</em> data breach has occurred. However, agencies must notify individuals when a breach has occurred that poses a <em>significant risk</em> of identity theft so that suitable countermeasures may be taken.</p><p>Providing notice for all data breaches is not an effective response to data breaches because:</p><ul><li>Notification is costly</li><li>Countermeasures, such as closing financial accounts, placing fraud alerts and obtaining new ID documents, are too costly to both the public and private sectors to be undertaken after every data breach</li><li>Frequent public notices may confuse the public as to what constitutes a minor or major threat and what actions must be taken</li></ul><p>If an agency has determined that the risk of identity theft is large enough to warrant notification, the following guidelines should be used in providing notice:</p><ul><li>Timing– Affected individuals must be notified at the correct time. 
Individuals should be notified as early as possible to allow protective measures to be implemented. However, information regarding identity theft, if released too early, may exaggerate the threat or impede an investigation. Agencies must confer with law enforcement officials to make sure that notification is made at the time appropriate to the actions that must be taken</li><li>Source– Individuals must be given the name of the responsible party where the breach occurred. The breach may not always occur within an agency; for instance, an outside contractor may handle the information on behalf of an agency and the breach may occur in the contractor’s system. The agency still maintains liability for the information, and an agency official should be cited as the contact person.</li><li>Contents– Individuals should be told in clear, easy-to-understand terms:<ul><li>a brief description of the data breach</li><li>the type of information that may be compromised</li><li>a brief description of the agency’s actions to investigate and mitigate the breach and prevent further problems in the future</li><li>contact information for asking questions, including a toll-free number, web address and postal address</li><li>the actions an individual should take to mitigate the threat of identity theft</li></ul></li><li>Method of Notification– Notification methods should be chosen based on how the majority of affected individuals can receive the information. A mailing address should be the primary means of communication.</li><li>Preparing for follow-on inquiries– Agencies must be prepared to handle the volume of follow-up inquiries they may receive, especially after a public announcement. 
Officials may choose to delay public notice of data breaches to allow an agency adequate time to prepare a response plan for such requests.</li><li>Preparing counterpart entities that may receive a surge in inquiries– Agencies should alert other entities, such as affected financial institutions or the credit bureaus, if they may see a significant increase in requests due to notice of a data breach.</li></ul><p><strong>Summary</strong></p><p>The Government is one of the largest consumers of personally identifiable information. As such, it is at significant risk for data breaches and unauthorized disclosure of sensitive data. In addition to implementing adequate security measures, agencies must be prepared to notify individuals when significant data breaches occur. While a data breach may be considered something of an embarrassment, agencies are required by law to report such incidents and alert affected individuals that may face a significant threat of identity theft.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>OMB Memorandum, September 20, 2006: Recommendations for Identity Theft Related Data Breach Notification Guidance (II.A.c.2.i)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Fair Information Practice Principles</title><link>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/</link> <comments>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/#comments</comments> <pubDate>Mon, 18 Jan 2010 12:00:43 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> 
<category><![CDATA[Awareness]]></category> <category><![CDATA[Choice]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[fair information practice principles]]></category> <category><![CDATA[Notice]]></category> <category><![CDATA[opt-in]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[redress]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1200</guid> <description><![CDATA[The Fair Information Practice Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal [...]]]></description> <content:encoded><![CDATA[<p>The Fair Information Practice Principles form the backbone of privacy law in the United States, and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to complying with the various privacy laws that protect personal information.</p><p><strong>The Fair Information Practice Principles</strong></p><p><em>Notice/Awareness</em></p><p>Individuals should receive notice of an entity’s privacy practices <em>prior</em> to the collection of personally identifiable information. Notice allows individuals to make informed choices regarding the use of their personal information. A privacy notice must include:</p><ul><li>A legitimate name and physical address of the entity collecting the data</li><li>The type of data collected</li><li>How collected data will be used</li><li>Any potential third party disclosure of personal information</li><li>Any potential secondary use of personal information</li></ul><p><em><a
href="../../../../../2009/12/21/choice-and-consent/">Choice/Consent</a></em></p><p>Individuals must be able to consent to or reject certain uses of their personal information, particularly with regard to secondary uses and marketing purposes. Two main mechanisms are used to provide consumers with consent options:</p><ul><li><a
href="../../../../../2009/12/21/choice-and-consent/">Opt in</a>: Require affirmative consent from the individual. In other words, action must be taken by the individual to START the processing of personal information for secondary uses or disclosures. This may include signing up to receive marketing newsletters, special offers and similar types of communications.</li><li><a
href="../../../../../2009/12/21/choice-and-consent/">Opt Out:</a> Requires the implicit consent of the individual. Here consent is assumed because the individual has not stated a desire otherwise. In other words, action must be taken by the individual to STOP the processing of personal information for secondary uses or disclosures. This may include <a
href="../../../../../2009/11/16/cookies-tracking-your-internet-experience/">opting out of third party advertising</a></li></ul><p>An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.</p><p><em>Access/Participation</em></p><p>An individual must be able to view the data an entity has on record. They must also be allowed to correct incomplete or false information contained in their file. Access to data must be granted within a reasonable time frame and at a minimal cost.</p><p><em>Integrity/Security</em></p><p>Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats warranting greater resources and stronger protections.</p><p><em>Enforcement/Redress</em></p><p>An individual must be able to file complaints with the entity and have their issues addressed. Furthermore, there should be a mechanism in place to ensure compliance with the above standards, either through self-regulation or government regulation.</p><p><strong>Enforcement of Privacy Practices</strong></p><p>The Fair Information Practice Principles are suggestions to guide the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not enforceable. However, there are many privacy laws (see below) which make use of the Fair Information Practices to protect personal information.</p><p>The United States supports the use of self-regulation to enforce Fair Information Practices. 
Theoretically, informed consumers will choose to use businesses that implement the Fair Information Practices and ensure the protection of their information, forcing those businesses that do not guarantee such protections out of business. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing consumers with a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.</p><p>The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately regulating consumer protection. At the same time, many businesses believe implementing stronger guidelines or regulations would be too costly and detrimental to the growth of business. For now, the United States continues to use a sectoral approach, developing privacy laws as needed.</p><p><strong>Laws Using the Fair Information Practice Principles to Regulate Privacy</strong></p><ul><li><a
href="http://epic.org/privacy/fcra/">Fair Credit Reporting Act</a>– Regulated by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. It requires notice of disclosure and adverse action, as well as the ability for a consumer to access and rectify inaccuracies in their consumer reports.</li><li><a
href="http://www.accessreports.com/statutes/RFPA.htm">Right to Financial Privacy Act</a>– Protects the privacy of customers using financial institutions from government searches (with exceptions). RFPA restricts government access to financial records unless the individual consents or one of the specified exemptions from the rule applies.</li><li><a
href="http://www.coppa.org/">Children’s Online Privacy and Protection Act</a>– Protects against the collection, use and disclosure of the personal information of children under 13 without parental notice and consent.</li></ul><p><strong>Summary:</strong></p><p>The Fair Information Practice Principles form the backbone of privacy laws in the United States. Though the principles put forth by the FTC are only considered guidelines, some laws have turned the guidelines into law, and even more businesses choose to build trust with consumers by ensuring their privacy through self-regulation based on the Fair Information Practice Principles. Understanding the principles and their implementation is one of the core concepts all privacy professionals need to know.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy Principles and Definitions including Fair Information Principles (I.B.a.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/01/18/fair-information-practices-principles/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>