Compliance

The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for the assessment of all new or proposed Department activities in order to ensure responsible handling of personally identifiable information (PII) and to mitigate privacy risks.

The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:

• Privacy Threshold Analysis (PTA) – The PTA is a required document that serves as the official determination by the Privacy Office in order to determine if a DHS program or system has privacy implications. Also, PTAs are used to determine of additional privacy compliance documentation is required. PTAs are designed into all DHS processes for technology investments and security. They expire every three years.

PTAs serve the following objectives:

• Identify privacy-sensitive programs and systems
• Demonstrate inclusion of privacy considerations during the review of a program or system
• Provide the Privacy Office with a record of the program or system, as well as its privacy requirements
• Demonstrate compliance with privacy laws and regulations
• Privacy Impact Assessment(PIA) – The PIA is a decision-making tool that is used to identify and mitigate privacy risks at the start, as well as throughout the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.

PIAs are required for the following reasons:

• When developing or procuring any new DHS program or system that will handle or collect PII
• For budget submissions to the Office of Management and Budget (OMB) that affect PII
• With pilot tests that affect PII
• When developing program or system revisions that affect PII
• When issuing a new or updated rulemaking that involves collection, use and maintenance of PII
• System of Records Notice(SORN) – A `system of records’ is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.

DHS Privacy Office

The DHS Privacy Office is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The mission of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”

The Privacy Office carries out the following activities:

• Requires compliance with the letter and spirit of Federal laws that protect privacy
• Centralizes FOI and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components
• Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS
• Provides transparency to the public through published materials, formal notices, public workshops and meetings

The Privacy Office is made up of the following operational teams:

• International Privacy Policy
• Departmental Disclosure and FOIA
• Privacy Compliances
• Privacy Policy (includes communications and training)
• Privacy Incidents and Inquiries
• Privacy Technology and Intelligence
• Legislative and Regulatory Analysis

Chief Privacy Officer, DHS

The Chief Privacy Officer (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.

According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for the privacy policy at the DHS. Duties include:

• Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information
• Assuring that the DHS complies with fair information practices set out in the Privacy Act of 1974
• Conducting privacy impact assessments (PIA) of proposed rules at the DHS
• Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government
• Preparing an annual report to Congress on DHS activities that affect privacy

Summary

This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS also has its own privacy guidance, which include security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)

US Census Bureau: Data Stewardship

The Census Bureau’s objective is to produce accurate, relevant statistics on US economy and population. It is legally and ethically obligated to protect the privacy and confidentiality of the individuals who offer their data. According to the Bureau’s mission statement, “We honor privacy, protect confidentiality, share our expertise globally, and conduct our work openly.” One of the Bureau’s strategic goals is to “Foster an environment that supports innovation, reduces respondent burden, and ensures individual privacy.” The approach that the Census Bureau takes to maintain the trust of US citizens is referred to as “Data Stewardship.”

Data stewardship is the formal process by which the Bureau remains responsible and accountable for data protection throughout the data lifecycle. This is the time which someone responds to a survey, all the way to the release of statistical data products. Each survey and program under the Census Bureau’s responsibility is required to comply with data stewardship policies at every step in the process.

There are three ways that the Bureau protects personal information:

1. Federal Law – Federal law protects personal information. Title 13 of the US Code protects the confidentiality of all information provided to the Bureau. Violation of Title 13 results in severe penalties.
2. Privacy Principles – In addition to federal legislation, the Bureau has developed its own set of privacy principles, which are guidelines for all its activities. Privacy principles include the Bureau’s responsibilities to protect personal information, as well as individuals’ rights as survey respondents.
3. Statistics Safeguards – These include methods to ensure that statistics released by the Bureau do not identify individuals or businesses. All data products are extensively reviewed and analyzed. Disclosure avoidance methodologies (e.g. data suppression, data modification) are also applied.

IRS: Privacy Office

Like other federal agencies, the IRS is committed to protecting Americans’ privacy rights. It notes that individuals’ privacy rights are protected by the following:

• Internal Revenue Code
• Privacy Act of 1974
• Freedom of Information Act
• IRS policies and practices

In addition to adhering to the above, the IRS also has a Privacy Office, which ensures that personal information entrusted with the IRS is protected appropriately. The Office addresses questions regarding IRS privacy policies and concerns regarding how the IRS uses and collects personal information.

Department of Defense: Privacy Policy

The Department of Defense (DoD) provides a website as a public service by the Office of the Assistant Secretary of Defense – Public Affairs. Like other websites, there are options for individuals to offer the DoD personal information and the DoD is responsible for treating this information appropriately. The Dod maintains a wide variety of physical, electronic and procedural safeguards to protect personal information from unauthorized disclosure or data breach.

According to the DoD’s website Privacy Act Statement:

“If you choose to provide us with personal information… we will only use that information to respond to your message or request. We will only share the information you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. We never create individual profiles or give it to any private organizations. Defense.gov never collects information for commercial marketing.”

Summary

This article takes a look at approaches to privacy protection at various agencies of the US federal government: the US Census Bureau, the Internal Revenue Service (IRS) and the US Department of Defense (DoD). Each department or agency is guided by federal privacy legislation, as well as internal policies and practices.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Enforcement – Sample Approaches (II.A.e.ii.)

Apple’s Location Database

It’s common knowledge that Apple’s iPhones and 3G-enabled iPads have been keeping track of their users’ location data. While Apple has publicly acknowledged that its iOS devices send location data back to the company, researchers have also revealed that the devices can record the history of the users’ movements for a year or more. Researchers found that Apple devices have been storing the location data in an unencrypted database, which was then backed up onto whatever computer the iPhone or iPad was syncing to.

This raised concerns, especially as this location database has been accessible to law enforcement and computer forensics communities as of last year. These communities have been using the database to gather evidence on individuals’ movements.

In response to the collection, there was understandable outrage over privacy violations. To many, it seemed unclear if users had agreed to this collection. Others also wondered where the information was ultimately being stored, how it was being used and why it hadn’t been protected better.

Other reactions were more positive. Many rushed to download the iPhone Tracker, an open-source app that maps the location data being collected by users’ devices. Such users seemed unconcerned about the potential invasion of privacy, instead wanting to share their personal information with other users.

Not really a surprise?

Privacy concerns about Apple’s products are not new. Last June, Congress took the opportunity to question Apple CEO Steve Jobs over the company’s privacy policy and the collection of personal information. This was in response to Apple’s updated privacy policy, which stated that their devices will collect location data and share the data with third parties. The text read:

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

Proponents of location-based apps argue that such data can have legitimate uses and don’t necessarily have to be privacy-sensitive, if the information is anonymized properly. For instance, location data can be filtered to provide traffic data for navigation apps and to map Wi-Fi access points, in order to facilitate quick location fixes.

The case for collection…

In a recent interview given at the end of April 2011, Apple CEO Steve Jobs said the iPhone database that had many consumers up in arms was actually a piece of a global crowdsourced database that Apple uses to deliver location-based information. According to Jobs, “We haven’t been tracking anyone. The files they found on these phones, as we explained, it turned out were basically files we have built through anonymous, crowdsourced information that we collect from the tens of millions of iPhones out there.”

Jobs did admit that the company had found a bug in the program, which led to the location data cache to be stored on phones that had their location data switched off. He promised that this would be corrected in a future update and that a smaller amount of data would be stored on the phone. It was stressed that Apple did not track iPhone users’ locations, but instead, users needed to turn on their location-based information as well as allow such collection for each application. Jobs pointed out users had a way to see which applications have been using their location information, currently as well as over the past 24 hours.

Summary

This article takes a look at the privacy concerns raised when researchers discovered the collection and storage of location-based data on Apple’s iPhones and 3G iPads, during April 2011. This discovery resulted in a number of responses from the public, ranging from outrage and fear to interest in the possible apps that could be developed utilizing such information. Apple CEO Steve Jobs explained that the devices were not tracking users; rather the location database was built from anonymous crowdsourced information.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Personally Identifiable Information – PII (I.A.a.)
• Methods of Data Collection (I.B.a.)
• Consumer Privacy Concerns (II.A.a.)
• Phone-Home Software (II.A.l.i.)
• Prominent & Inconspicuous Notice (IV.A.)
• Location-Based Services (VI.E.)

It’s important to ensure that website privacy policies correctly address specific legal issues and technical implications of the company. There are numerous types of privacy policies out there, some of which apply to online data; others apply to data collected by financial institutions; others that deal with the collection of information from children under the age of 13; and other policies that apply to individuals protected under foreign laws. There is no ‘one size fits all’ approach to developing a sound privacy policy.

Enterprise Privacy Programs

Developing and maintaining enterprise-wide privacy programs require top-down cooperation and collaboration of the different individuals in an enterprise.

According to United States privacy legislation, all companies involved in obtaining, maintaining, using and/or disclosing personal information about consumers ought to adopt a privacy policy. Privacy policies are documents in which companies state their information practices. Such documents keep organizations accountable to a set of formal privacy policies. Companies may be the subject of an FTC action or a lawsuit if their privacy practices do not accurately reflect those stated in their privacy policy.

Standardization of enterprise privacy programs is becoming more and more of an issue in recent years. Even though the primary objective of enterprise privacy policies is for internal use, standardization of such policies brings numerous advantages:

• Technical parts of regulations could be encoded into a standardized language
• Enterprises with heterogeneous repositories of personal data could develop consistent enforcement tools to ensure compliance with internal privacy practices

Components of a Privacy Policy

There are three main categories of information in a privacy policy:

1. 1. Policy Identification Details

This section defines the policy name, version and description.

1. 2. P3P-Based Components

This defines policy attributes that would apply if the policy is exported to a P3P format. Such attributes would include: policy URLs, organization information, PII access and dispute resolution procedures.

1. 3. Policy Statements and Related Elements: Groups, Purposes and PII Types

Policy statements define the individuals able to access certain types of information, for certain pre-defined purposes.

Another way to classify the components of a privacy policy is outlined below.

• Notice – Companies should provide consumers with clear, conspicuous notice that accurately describe their information practices.
• Consumer Choice – Companies should provide consumers with the opportunity to decide (in the form of opting-out) if it may disclose personal information to unaffiliated third parties.
• Access and Correction – Companies should provide consumers with the opportunity to access and correct personal information collected about the consumer.
• Security – Companies must adopt reasonable security measures in order to protect the privacy of personal information. Possible security measures include: administrative security, physical security and technical security.
• Enforcement – Companies should have systems through which they can enforce the privacy policy. This may be managed by the company, or an independent third party to ensure compliance. Examples include BBBOnLine and TRUSTe.

Consumer’s Point of View

From a consumer’s point of view, just because a website has a privacy policy doesn’t necessarily guarantee the security of the personal information. No privacy policy can definitely ensure the security of your information, or bind a company to those specific practices; however, there are certain policies that are better than others. A privacy policy should provide the consumer with a sense of transparency regarding the company.

Some important things that a consumer should consider when looking for good privacy policy include:

• What personal information is being collected?
• How will your personal information be used?
• How will your personal information be stored?
• Are there security measures protecting your personal information?
• How long will your personal information be kept by the company?
• Will your personal information be shared with others?
• How can you contact the company?

Summary

This article takes a look at the importance of an enterprise privacy policies and privacy programs. While policies alone cannot prevent data breaches or misuse of personal information, they are a good step in ensuring transparency and privacy-friendly practices. A privacy policy should contain the following key components: notice; consumer choice; access and correction; security; and enforcement. The article also lists some considerations consumers should take when assessing the reliability of a company’s privacy policy.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Personally Identifiable Information (PII) (I.A.a.)
• Consumer privacy concerns (II.A.a.)
• Organizational privacy practices (II.A.b.)
• Prominent notice and opt-in consent (II.B.b.)
• Privacy mechanisms – privacy by policy (III.A.)

FTC and Fair Information Practices

The Federal Trade Commission developed a set of guidelines to govern the collection, use, maintenance, and disclosure of personal information in order to protect personal privacy. While the principles in themselves are not law, they have been incorporated into many privacy laws which allow the principles to be enforced. The Gateway Learning Company was found to be in violation of the first two principles, notice and consent.

The Fair Information Practice Principles require:

• Notice to the individual regarding the privacy policies of the organization including how information is used and any disclosure to third parties. Notice must also be provided to the individual for any alteration in the privacy policies.
• Consent from the individual regarding the use of their information for secondary uses and its disclosure to third parties.

Allegations

The FTC brought the following allegations against the Gateway Learning Company:

• That they violated their own privacy policies by renting personally identifiable information (PII) collected from customers to third parties without the customer’s consent.
• That they violated their own privacy policies by renting personal information (age/gender) about children under the age of 13 to third parties without the customer’s consent.
• They committed unfair trade practices by retroactively applying a new privacy policy to information collected under the old privacy policy.
• They committed unfair trade practices by failing to provide adequate notice to consumers regarding privacy policy changes.

The Privacy Policies in Question

The original privacy policy stated:

We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.

It also stated the following regarding children’s personal information:

The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.

We may in the future offer products to be used by children online, some of which may require you to enter additional information such as a child’s age, gender or reading ability in order to deliver a quality experience. A child’s participation in such a program will be entirely at your discretion. Again, no personally identifiable information about children under 13 years of age will be shared with any third party for an purpose whatsoever.

It also stated the following regarding changes to the privacy policy:

If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by email. You will then be able to opt-out of this information usage by sending an email to: webmaster@hop.com. You should also check this privacy policy for changes.

In April, 2003 the Gateway Learning Company violated its privacy policies by disclosing, name, address, telephone numbers, purchasing history, and the names and ages and genders of the customer’s children with telemarketers and direct mail marketers.

On June 20, 2003 a new privacy policy was placed in effect:

The new privacy policy did not alter its policies regarding the use of children’s personal information or providing notice regarding changes to the policy. It did however change the policies regarding sharing information with third parties.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at webmaster@hop.com with the word do-no-share in the subject line.

Despite their stated privacy policies, no email was sent or special notices posted to the website to alert customers to a change in the policies.

On July 17, 2003 another revised policy was posted:

The new policy changed the process for opting out of third party disclosures.

From time to time, we may provide your name, address, and phone number (not you e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at do-not-rent@hop.com with your full name in the subject line. Please be sure to include your first name, last name, address, city, state, zip code and phone number to ensure we can process your request. We will process your request promptly. Please be aware that  you may receive another contact before your name removal takes effect. We regret any inconvenience this may cause.

The new policy also changed its statement regarding children’s privacy.

The Site is not targeted to children, and we not knowingly collect personally-identifiable information from children under the age of 13 on this site. We do not sell products for purchase by children; we sell children’s products for purchase by adults. This site is entirely aimed at adults.

FTC Consent Agreement

After investigations, the FTC found the Gateway Learning Corporation to have used unfair and deceptive trade practices and brought enforcement actions against the company. The Consent Agreement was the settlement reached to resolve the issue.

Bar on Misrepresentation

The bar on misrepresentation reinforces the rules regarding the Fair Information Practice principles which the company had violated. Under the agreement, Gateway Learning was banned from:

• Misrepresenting the use of collected information including whether it is sold, rent, or loaned to third parties
• Misrepresenting whether information about children under the age of 13 will be disclosed to third parties
• Misrepresenting how customers will be notified by changes to privacy policies
• Misrepresenting how the company will collect, use or disclose information

Ban on Disclosure of Personal Information to Third Parties

The ban on disclosure reinforced the protection of privacy for consumers whose personal information was collected prior to June 20, 2003 when the privacy policy was changed. The ban requires:

• Express, affirmative (opt-in) consent of the individual prior to the disclosure of any information to third parties
• The new privacy policies may not be applies to information collected prior to the June 20, 2003 policy change without the express affirmative consent of the individual.

Maintenance of Relevant Documents

This part of the agreement set up a way to ensure compliance for a period of 5 years. Under this provision, Gateway Learning must provide the FTC with the following documents:

• A copy of each different privacy statement or communication including the date, full text, URL and graphics
• A copy of the document sent to consumers to obtain their express affirmative consent and any documents provided by customers confirming their consent
• All invoices, communications and documents that relate to the disclosure of personally identifiable information to third parties.

Delivery of Order

This part of the agreement dealt with the administrative task of ensuring enforcement in the work force.  The Gateway Learning companies was required to deliver a copy of the FTC agreement to all present and future employees with managerial responsibility related to the subject matter of the order.

Reporting

This part of the agreement requires Gateway Learning to notify the FTC 30 days before a corporate change which might affect compliance with the order. It also required Gateway Learning to file a report with the FTC setting forth their compliance within 60 days of service of the order and periodically after that, as requested.

Duration

Unless otherwise indicated, the order terminates after 20 years. Each violation of the final order may result in a civil penalty of up to $11,000

Fine

Gateway Learning was fined $4,608 which was the total profits received from the renting of personal information.

In Conclusion:

The Gateway Learning Case holds a significant place in privacy law because it demonstrated that the Federal Trade Commission is willing to pursue and enforce privacy violations. Since the Gateway Learning Case the FTC has continued to enforce privacy issues, especially any violations of the Children’s Online Privacy Protection Act which protects the personal information of children.

A website operator must be concerned with COPPA compliance if:

• The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
• The website targets a general audience but has a separate child oriented section.
• The website targets a general audience and children under the age of 13 are known to access the site.
• The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
• The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice

2.  Obtain verifiable parental consent prior to collecting personal information

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure

4.  Participation on the website may not be limited by requiring the collection of information that is not reasonably necessary

A COPPA compliant privacy notice must include:

1. Legitimate contact information for the website operator/data owner
2. The type of information that is collected
3. How the information will be use
4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

• The information is obtained in order to provide notice to the parent or obtain parental consent
• The information is collected to respond once to a specific inquiry by the child and not used for further communications
• The information is used to ensure the safety of a child and is not used for any other purposes
• The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child)

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features they must obtain verifiable parental consent of public disclosure. This also applies to site which may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

• A printable form that can be signed then mailed or faxed back to the website operator
• Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
• Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
• Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

• Any of the methods used for public disclosure
• The Email Plus option in which:
  • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
  • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through the a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs which encourages industry self regulations.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

• TRUSTe
• The Children’s Advertising Review Unit
• The Entertainment Software Rating Board

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against website and companies violating the rule.

Summary

COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’t personal information. Any website that may be frequented by children under the age of 13, must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)

http://twitter.com/link_click_count?url=http%3A%2F%2Fbit.ly%2F3omd6p&linkType=web&tweetId=3541772256&userId=12798452.

If you look at this link, it turns out that twitter is redirecting to bit.ly.  Apparently, these links previously were completely handled by bit.ly.  bit.ly is a “simple link shortener”, that “offers URL redirection service with real-time link tracking”.  In addition, it includes a complete history of links shortened. Why would Twitter look to track links when they have a perfectly working relationship with their URL redirection provider?

At 140 characters, tweets don’t provide much past commentary.  While you may update your location or time of arrival in such a small space, you won’t be writing War and Peace or unveiling details of the latest scientific finding.  You do use it to add a bit of social commentary to a YouTube video – “check this out, it’s funny”, or “shhh, don’t tell wifey” while sending a picture.

Tracking links fits in to the company’s long term goals, where Twitter will provide business services including market research and customer prospecting.   Information analysis only works when you hold the data. In order to provide some of the analytical services, such as which marketing tweets are promoting customer interest, Twitter will need to pull the bit.ly services in house.

Is collecting this information, and better still providing it to a third party outside a violation of a customer’s privacy?  We are not going to have the agreement between Twitter and bit.ly – they simply don’t publish those things.  However, we can examine selected passages from Twitter’s privacy policy to glean the types and uses of information they collect, and a bit of what they may transfer to 3rd parties including bit.ly.

Let’s delve a little deeper into Twitter’s privacy policy…

Selections from Twitter’s privacy policy

By using our Site you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us. “Processing” means using cookies on a computer or using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information,

Twitter may slice, dice and distribute any information you put into their system to anyone, anywhere.

all of which activities will take place in the United States. If you reside outside the U.S. your personally identifiable information will be transferred to the U.S., and processed and stored there under U.S. privacy standards. By visiting our Site and providing information to us, you consent to such transfer to, and processing in, the US.

Twitter is very clear that all information collected and processed occurs in the United States.  This allows citizens of the European Union and other like minded countries notice that they are opting in to monitoring and marketing – the protections afforded by local EU Data Protection Directive style laws will not apply.

Information Collection and Use

Our primary goals in collecting personally identifiable information are to provide you with the product and services made available through the Site, including, but not limited, to the Service, to communicate with you, and to manage your registered user account, if you have one.

“The Service” is quite broad, and likely includes provisions for third party tracking and marketing (i.e. bit.ly).  Obviously, when Twitter introduces their own business services, this will extend “the Service” definition.

Information Collected Upon Registration. If you desire to have access to certain restricted sections of the Site, you will be required to become a registered user, and to submit certain personally identifiable information to Twitter. This happens in a number of instances, such as when you sign up for the Service, or if you desire to receive marketing materials and information. Personally identifiable information that we may collect in such instances may include your IP address, full user name, password, email address, city, time zone, telephone number, and other information that you decide to provide us with, or that you decide to include in your public profile.

This section does imply that you must opt-in to receive marketing materials.  Obviously, anything placed on a public profile is not longer private, but apparently information it will not be disclosed.  Your user ID is not considered PII.

Additional Information Your full user name and your photo, if you decide to upload one … you may provide additional information in the profile section, including but not limited to your bio, your location, as well as your personal web site, if you have one. Providing additional information beyond what is required at registration is entirely optional, but enables you to better identify yourself and find new friends and opportunities in the Twitter system. If you activate the mobile phone options per the Terms of Service at www.twitter.com/tos, we will collect your cellular phone number account information. … If you contact us by email through the Site, we may keep a record of your contact information and correspondence, and may use your email address, and any information that you provide to us in your message, to respond to you.

Again, anything provided past the required registration username is optional, but will be recorded and associated with the non-identifiable information Twitter collects.

Use of Contact Information In addition, we may use your contact information to market to you, and provide you with information about, our products and services, including but not limited to our Service. If you decide at any time that you no longer wish to receive such information or communications from us, please follow the unsubscribe instructions provided in any of the communications.

This suggests an opt-out for marketing and additional product information.  This seems like it may be in conflict with the earlier opt-in statement.

Log Data When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website (“Log Data” ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site”™s technical administration. We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service

Here’s the part directly affecting bit.ly and the new click redirect service.  You do not own the clicks – Twitter will record your Log Data, and although not directly associated with your PII, your IP address could be put together with your user ID, which does not constitute PII.

Cookies

Like many websites, we also use “cookie” technology to collect additional website usage data and to improve the Site and our service…

Google recently faced scrutiny regarding their behavioral advertising using cookies, and Facebook’s Beacon program, which used a more nefarious technique, caused quite a stir late in 2008.

Information Sharing and Disclosure

Service Providers We engage certain trusted third parties to perform functions and provide services to us, including, without limitation, hosting and maintenance, customer relationship, database storage and management, and direct marketing campaigns. We will share your personally identifiable information with these third parties, but only to the extent necessary to perform these functions and provide such services, and only pursuant to binding contractual obligations requiring such third parties to maintain the privacy and security of your data.

This is where bit.ly (for now) comes in.   PII will be transferred, and the information updates will likely flow down to these third parties.  It does not mention anything regarding third parties updating Twitter’s information.

Business Transfers Twitter may sell, transfer or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity’s planned processing of your information differs materially from that set forth in this Privacy Policy.

This is a big one.  The registered traveler program that allowed people to move through a special, faster line at the airports, hosted by the company Clear, went bankrupt. They want to sell the information they collected on users to the original parent company, Verified Identity Pass, or possibly a third party.  They are being fought tooth and nail by the users, for the simple fact that this is not just a user name, password and IP address or phone number.  Clear collected information such as Social Security Numbers, and even biometric info, like fingerprints and iris scans.  These data allowed Clear to perform such risk mitigation strategies as background investigations, criminal history checks and government watch list comparisons.  It is unclear what will happen to the data for users of Clear, but according to their privacy policy, the information may only be used for a similar registered traveler program.

Our Policy Towards Children

The Site is not directed to persons under 13. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us at privacy at twitter dot com. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with personal identifiable Information, we will delete such information from our files.

Twitter, as well as any other online business, must follow the Federal Trade Commission’s COPPA, the Children’s Online Privacy Protection Act.  The idea being children will easily share much more information than necessary, potentially placing themselves in danger.

In all, Twitter’s well within their privacy policy and terms of service when sharing information.  Now, it’s just a question of how many people actually read it, or just skip it because it’s cool to be on Twitter.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  Privacy as a factor in business risk management (Foundations: I.C.a.i.2),  Elements of Effective Privacy Management (Foundations: I.G.b.i) and Threats & Vulnerabilities
• Online Privacy:  Cookies (III.B.g.i) and Web Beacons (III.B.g.ii)

Seems Amazon has not been reading up on their recent history.  For some reason, most consumers don’t like it when you quietly make changes without asking.  In 2005, the Sony rootkit debacle was a case study of how not to deal with customers.  It was 2007 when Microsoft decided their Windows Update service should update itself, even with auto-update permissions turned off.  Now, here we are two years later, and Amazon is re-learning the lesson through their Kindle electronic book readers and Whispernet service.   Unauthorized copies of Orwell made their way onto the Kindle store through a provider self-service option.   The provider, MobileReference, posted “1984″ and “Animal Farm” apparently without proper copy rights.

“When we were notified of this by the rights holder, we removed the illegal copies from our systems and from customers’ devices, and refunded customers,” said Drew Herdener of Amazon.

This did not win Amazon any fans.  Angry users noted that when they connected to Kindle’s Whispernet archive/bookshelf service, books were removed from their devices.  A customer using the nickname “Caffeine Queen” sarcastically warned,

“I wonder if Amazon will sent representatives to customers’ houses to retrieve dead tree copies? Orwell fans, lock your doors!”

One user, Brian Wheeler, did give advice on how to avoid the situation entirely.

“Actually, if you want to ensure that you are able to keep ALL copies of your Kindle books, make sure to ALWAYS download copies of your Kindle book purchases to your computer. That way, even if Amazon removes a book from your Kindle at any point that you have Whispernet on, you can reload that book onto your Kindle via the copy from your computer. Now, if it’s a pirated book that should never have been sold in the first place, that’s up to your own good conscientious as to what you should do. ”

The main issue should be that Amazon’s terms of service says nothing of deleting purchases or removing files from customer devices.  In fact, customers are granted a “permanent copy of the applicable digital content.”

“It illustrates how few rights you have when you buy an e-book from Amazon,” said Bruce Schneier, computer security expert and chief security technology officer for British Telecom. “As a Kindle owner, I’m frustrated. I can’t lend people books and I can’t sell books that I’ve already read, and now it turns out that I can’t even count on still having my books tomorrow.”

In addition to the changes in their publisher processes, Amazon has publicly said that in the future, when they are notified of an unauthorized book, they will remove it from the online store, but not remove it from archives or Kindle devices.

This should serve as a lesson in customer policy on two fronts.  First, did it make sense to reach past the store – most people probably would have considered the real world analog.  If a customer buys a counterfeit product unknowingly through legitimate channels, there is not manner to forcibly remove it from their possession.  Second, Amazon’s terms of service did not match their actions.  This is a real sticking point with the Federal Trade Commission, especially in situations where privacy policies are not followed.

Lastly, it is interesting that this isn’t the first time Amazon issued refunds and removed books from customers.  More importantly, why are third party rules and agreements would allow this to repeatedly happen.  It’s too bad it took a high profile, intrusive incident before they reviewed corporate procedures.  If they had simply put a trust/credibility status on providers before they could use the self service option, this whole debacle would probably have been avoided.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics found in this post including:

• Privacy policy development (Foundations:I.G.b) and Managing third parties (Foundations:II.G.c)
• Enforcement of US Privacy & Security Laws (CIPP: II.B)