Privacy in the digital world: Towards international legislation
First Monday

Privacy in the digital world: Towards international legislation by Nour S. Al–Shakhouri and A. Mahmood



Abstract
In today’s digital world, personal privacy has become the number one issue for consumers (Benassi, 1999). Consumers’ confidence in personal privacy is directly affecting and limiting the growth of Internet commercial development. Therefore, it is necessary to address the privacy concerns of consumers for the interests of all parties involved. Examples of the different ways of penetrating consumer privacy are reviewed. National and international efforts to formulate regulatory and self–regulatory programs to protect consumer privacy are examined. Different privacy enhancing technologies are treated. The problems of current national and international efforts to protect consumer privacy, including privacy enhancing technologies, are addressed. We conclude that international efforts are needed with a role for the United Nations (UN). The complexity and the multidimensional factors that affect our proposed international legislation are discussed.

Contents

Introduction
How is consumer privacy being violated?
How should consumer privacy be protected?
Towards international privacy legislation
Conclusion

 


 

Introduction

Privacy can be defined as “the condition of being secluded or isolated from view of or from contact with others.” (Morris, 1991). Clarke (1999) defined privacy as “the interest that individuals have in sustaining a personal space, free from interference by other people and organisations.” In terms of human rights, privacy can be defined as “the right to be let alone.” (Wang, et al., 1998) Milberg, et al. (1995) defined personal information privacy as “the ability of the individual to personally control information about himself.”

However, with the phenomenal increase in the use of the Internet, privacy has become a major concern (Guynes, 1996; Meeks, 1997; 1999). According to U.S. Federal Trade Commission (FTC), 85 percent of all Web sites collect personal information from consumers; however, only 14 percent have posted their privacy practices (Cranor, 1998). A Business Week/Harris survey concluded that privacy is the number one issue facing the Internet. The same survey mentioned, if privacy practices were exposed, 78 percent of Internet users would increase their use of the Internet and 61 percent of the non–Internet users would likely use the Internet (Benassi, 1999). These numbers shows that concern for privacy is highly affecting electronic commerce.

Milberg, et al. (1995) studied the relationships between nationality, cultural values and privacy concerns. However, this study did not address relationships between human rights and privacy legislation. Wang, et al. (1998) presented a suite of “privacy principles,” specifically focusing on the situation in the U.S. Hence, the issue was not treated as a global concern.

Cranor (1999) proposed a variety of regulatory and self–regulatory privacy protection approaches but the issue of enforcement was not addressed. Clarke (1999) discussed the problems inherent in an absence of a unified privacy framework and proposed a unified alternative. However, Clarke’s framework did not address enforcement and related problems.

This brief and incomplete sampling of privacy studies certainly demonstrates that there is a problem with consumer privacy on the Internet. There is an obvious need to address this problem holistically on a global scale, rather than on a national or regional level.

Therefore, it has become necessary to address privacy concerns for all of the parties involved. This paper will examine the ways in which privacy is being violated and existing efforts that have been made to protect consumer privacy on the Internet. We will also review different privacy–enhancing technologies. The problems of current national and international efforts attempting to provide privacy protection will also addressed. We will then propose a role for the United Nations (UN) in creating international privacy legislation.

 

++++++++++

How is consumer privacy being violated?

Wang, et al. (1998) proposed a taxonomy for consumer privacy concerns. This taxonomy consisted of four main classes — improper acquisition, improper use, privacy invasion and improper storage of personal private information without prior approval of consumers.

Improper acquisition

This taxonomy includes inappropriate access to the computers of consumers, leading to the collection of private information and monitoring of Internet activities without the knowledge of consumers. As an example, RealNetwork used to monitor users identities of users as well as their preferences and Internet activities with RealJukebox (Dekleva, 2000).

Improper use

A variety of tactics fall under this category including the transfer of private information about consumers without their acknowledgment. For example, DoubleClick.net at one point tracked how individuals surfed Web advertisements, noting their preferences (Wang, et al., 1998). In another case, Universal Image sued Yahoo for US$4 billion for its failure to disclose user information (Dekleva, 2000).

Privacy invasion

Private information about specific consumers can be transferred to a second party without the consent of individuals, leading to spam and other problems. For example, ReverseAuction.com collected personal information about eBay customers, using this data to gather customers improperly from its rival (Dekleva, 2000).

Improper storage

There are enormous security issues over stored digital information and especially safeguards for this data. For example, in 2003, about 59,000 social security numbers and personal data were collected from the University of Texas at Austin computer system by hackers (Privacy.org, 2003).

There are myriad other issues of concern to consumers such as privacy at workand the privacy of children. The Center for Media Education found that only 25 percent of surveyed popular children sites are trying to get permission from the children's parents before the information is collected (Dekleva, 2000).

 

++++++++++

How should consumer privacy be protected?

Consumer protection should include the following elements (Wang, et al., 1998; Dekleva, 2000):

  • Coordinated law enforcement against fraud and deception;
  • Public and private partnerships promoting self-regulation and codes of practice; and,
  • Consumer education and individual use of privacy enhancement tools.

There are two complementary approaches for the protection of consumer privacy — regulatory and privacy enhancement technologies.

Regulatory approach

This approach includes regulations at the national or international level.

Governmental and national efforts

In U.S., the Federal Trade Commission (FTC) plays an important role to strongly encourage online industries to adapt and implement acceptable privacy principles. In addition, the U.S. Department of Commerce (DOC) provides businesses with information, guidelines, and practices for effective implementation of regulations. A group of more than 60 organizations formed the Online Privacy Alliance (OPA) in order to introduce and promote practices which provide a trusted environment for the digital marketplace through the protection of personal privacy. In part, this prganization was created because the European Union and the U.S. could not agree on an appropriate approach to privacy protection. The U.S. supported self–regulatory approaches while the EU favored privacy protection directives (Benassi, 1999).

In Canada, the Personal Information Protection and Electronic Document Act (PIPEDA) was implemented starting in 2001. PIPEDA requires consent in advance of the collection or disclosure of personal information.

In 2000, the Congressional Privacy Caucus (CPC) set principles for protecting consumer privacy with a goal of a U.S. standard for consumers (Dekleva, 2000).

The European Union released Directive 95/46/EC which prohibits EU member countries from sending personal data to other countries which lack adequate privacy protection practices. In addition, the European Commission decided to allow the EU consumers to sue foreign suppliers in local courts. In May 2000, the EU approved the “framework directive” which established online standards across member countries. In addition, the EU reviewed a legal directive which covers all aspects of electronic commerce including the validity of electronic contracts, liability, dispute settlement, consumer protection, privacy, freedom of speech, advertising, and sales promotions (Cranor, 1998; Dekleva, 2000).

International efforts

In 1980, the Organisation for Economic Co–operation and Development (OECD; http://www.oecd.org/) issued guidelines on protecting personal data. In 1985 OECD issued a declaration on transborder data flows addressing personal data transfer across national borders. In 1998, a declaration on the protection of privacy in global networks was issued. In 2001 the OECD issued guidelines for privacy protection which established a global foundation for protecting privacy. These guidelines included earlier recommendations issued in 1980 and 1985 (Clarke, 1999; OECD, 2001).

OECD’s guidelines consist of principles that cover all media including the collection, storage and transfer of personal information on local computers and networks of all scales.

The basic principles of OECD’s privacy guidelines for member countries are summarised in Table 1 (OECD, 2001).

 

Table 1: Summary of OECD’s basic privacy principles.
PrincipleDescription
1. Collection limitationThere should be a limit to the collection of personal data and any such data should be obtained by lawful and fair means.
2. Data qualityCollected personal data should be relevant, accurate and up–to–date.
3. Purpose specificationThe purpose for which data is collected should be specified at the time of collection and serve an agreed upon purpose.
4. Use limitationPersonal data should not be disclosed or used for other purposes.
5. Security safeguardsPersonal data should be protected by reasonable security measures against risks.
6. OpennessThere should be a general policy of openness about the development, practices and policies concerning personal data.
7. Individual participationIndividuals have the right to access and control their information.
8. AccountabilityData collectors should be accountable for complying with principles measures.

 

In response to these guidelines, OECD member countries should:

  • Consider domestic policies when processing and re–exporting personal data from other member countries;
  • Take appropriate steps to ensure that transborder flows of personal data are secure;
  • Should desist from restricting transborder flows of personal data between themselves and other countries which do not observe privacy guidelines or conflict with domestic privacy legislation; and,
  • Avoid creating legislation in the name of personal data protection which actually create obstacles to transborder flows of personal data.

When implementing OECD’s guidelines, member countries should ensure that privacy legislation is compatible with other member countries. In addition, member countries should communicate with other member countries about legislative matters related to privacy. Member countries should participate in the development of overall principles governing personal data protection and transborder data flows (Dekleva, 2000).

Technical approach

A variety of different organisations and companies enhance consumer privacy and protection with different applications and tools (Curphey, et al., 2002).

Sealing and self–regulatory principles

Certain Web sites audit their practices of collecting, using and transferring personal private information by a third party. These programs provide consumers with confidence that a given site maintains a personal privacy policy that is assured by an independent third party.

TRUSTe (www.truste.org) addresses user privacy concerns by providing a maintained and cost effective privacy solution to Web publishers. Web sites approved by TRUSTe must comply with program principles. Another example is the Better Business Bureau’s BBBOnLine (http://www.bbb.org/online/) with over 50,000 sites meeting BBB’s guidelines (Wang, et al., 1998; Cranor, 1998; Dekleva, 2000).

Empowerment and enhancement principles

Privacy seals only provide the consumer with awareness and assurance that collected information is handled according to specific Web site policy. The Platform for Privacy Preference Project (P3P at http://www.w3.org/P3P/) provides users with controls to exercise privacy preferences on the Web. Privacy preferences are controlled by users through a P3P–enabled Web browser that automatically previews policies of specific sites, allowing users to accept or reject policies (Cranor, 1999; Reagle and Cranor, 1999).

P3P provides users with facilities to exercise individual privacy preferences but it does not provide an ability to surf the Internet anonymously. There are several tools which permit anonymous Web use by masking Internet Protocol (IP) addresses of which the most well known is Anonymizer (www.anonymizer.com). Other options include Crowds (Reiter and Rubin, 1998), Onion Routing (Goldschlag, et al., 1996), and the Lucent Personalised Web Assistant (LPWA at http://www.bell-labs.com/project/lpwa/).

The Open Web Application Security Project (OWASP)

OWASP (www.owasp.org) provides a centralised learning space for Web application developers and security professionals to build secure applications or to test the security of their products. In 2002, the OWASP issued a guide to building secure Web applications (http://www.owasp.org/index.php/Category:OWASP_Guide_Project). It provides a variety of privacy guidelines for Web applications.

 

++++++++++

Towards international privacy legislation

This section describes the problems with the existing frameworks and argues for enforced international privacy legislation.

Problems with existing regulations and technologies

OECD’s motives have always been economic rather than social. There has been considerable pressure from some member countries to ease restrictions on the handling of personal data. Additionally, there has been an increase in the number of cross–border jurisdictional disputes based on online interactions. Finally, OECD’s guidelines cover only 30 countries; personal data is collected globally (Clarke, 1999; Wang, et al., 1998: OECD, 2003). Indeed, OECD provides only suggestions to member countries about personal privacy protection and its enforcement; there is no defined mechanism to bring legislation into effect. Many of the problems surrounding enforcement are related to the cross–border nature of the problems.

Self-regulatory programs are problematic in the absence of widely recognised and accredited standards. Many privacy–enhancing tools are not well integrated, easy to use, or follow standards .

Clarke (1999) argued that self–regulatory and privacy–enhancing technologies are not sufficient and that there is a need for legislative provisions, centralised enforcement. According to Wang, et al. (1998), there is a need for a framework for enforcement as well as self–regulation, legislation, and other factors. Perritt (1996) suggested that existing institutions regulate their conduct on the Internet and the establishment of an international administrative agency for Internet jurisdiction.

Vastine (1999) commented on OECD’s guidelines, proposing that the governments should resolve consumer protection laws and standards, assisting consumers in foreign jurisdictions as well as educating consumers on privacy matters.

In order to secure a co–regulatory privacy protection regime, the following issues must be satisfied (Clarke, 1999):

  • Establish information privacy principles that impose responsibility;
  • Create a privacy protection agency to ensure that these principles are followed globally; and,
  • Provide individals with the tools to safequard their information.

A proposed international privacy framework

Table 2 describes a proposed framework with assigned responsibilities and enforcement. The responsibility for enforcing the regulations and legislation need to be distributed to all parties including the United Nations, individual governments, Internet service providers, and consumers. All parties are responsible for enforcing their responsibilities in the framework.

 

Table 2: A proposed international privacy framework.
PartyResponsibilities
Human rightsOpen marketPluralistic democracySealing BodyArbitrationRegulatory enforcementPrivacy legislationPrivacy enhancement
United NationsEnforcementEnforcementEnforcementInternational enforcementInternationalInternationalInternationalInternational standard
Nations/countriesRespectImplementationImplementationNational sealing bodyNational arbitrationNational regulatory enforcementNational privacy legislationNational enforcement
Hosts/ISPs   Sealing AwarenessAwarenessEnforcement
Web sites   Sealing AwarenessAwarenessAwareness
ConsumersSelf–education Self–educationSelf–educationSelf–educationSelf–educationSelf–educationUsing privacy–enhancing technologies

 

In order to implement OECD’s guidelines globally, there should be an enforcement mechanism. Such enforcement can only be only done through an existing or new United Nations agency. Since information privacy relates to human rights, the United Nations has established organisations which monitor and enforce human rights and related issues. Some responsibilities can be delegated to other organizations like the World Wide Web Consortium but should be monitored and validated to ensure consistency. UN enforcement ultimately should provide certification that a given country has executed a variety of privacy protection practices over time.

The role of the United Nations

In order to ensure that the privacy protection practices are implemented within states, a given country needs to have legislation in place as well as enforcement. In addition, national arbitration needs to be compatible with international arbitration, as well as harmonization on a variety of other levels related to privacy. In turn a given state is responsible for enforcing privacy guidelines on national hosts and service providers.

The Role of hosts

Web hosts and service providers are responsible for certifying their servers, providing privacy enhancement technologies and privacy awareness.

The role of Web sites

Web sites are responsible for protecting their sites, educating consumers through documentation about their privacy practices, and providing details to their users about their rights including arbitration.

The Role of consumers

Consumers are responsible for understanding their rights, supporting legislative initiatives, and using privacy enhancing technologies.

In summary, the UN is responsible for enforcing overall international privacy principles, providing international arbitration and consumer protection legislation, and establishing and monitoring technical standards. In turn, these requirements will be enforced in different states through efforts with Internet hosts. Finally, Internet hosts will enforce legislative mandates and responsibilities on specific Web sites.

 

++++++++++

Conclusions

Consumer privacy limits the growth of commercial Internet development. Although this issue has been addressed for more than two decades, the complexity and the multidimensional nature of consumer privacy prevents the development of appropriate holistic consumer privacy protection programs.

An international legislation framework for protecting consumer privacy is required. Enforcement at a variety of international and national levels will ensure a reduction in privacy related problems and encourage the further development of the Internet in myriad ways. End of article

 

About the authors

Noor S. Al–Shakhouri is Director of AFI Technologies, www.afi.com.sa.
E–mail: nour1 [at] mac [dot] com

A. Mahmoud is Assistant Professor in the Department of Computer Science at the University of Bahrain.

 

References

P. Benassi, 1999. “TRUSTe: An online privacy seal program,” Communications of the ACM, volume 42, number 2, pp. 56–59.http://dx.doi.org/10.1145/293411.293461

R. Clarke, 1999. “Internet privacy concerns confirm the case for intervention,” Communications of the ACM, volume 42, number 2, pp. 60–67.http://dx.doi.org/10.1145/293411.293475

L. Cranor, 1999. “Internet privacy,” Communications of the ACM, volume 42, number 2, pp. 28–38.http://dx.doi.org/10.1145/293411.293440

L. Cranor, 1998. “Internet privacy: A public concern,” netWorker, volume 2, number 3, pp. 13–18.http://dx.doi.org/10.1145/280506.280512

M. Curphey, D. Endler, W. Hau, S. Taylor, M. Smith, A. Russell, G. McKenna, R. Parke, K. McLaughlin, N. Tranter, A. Klien, D. Groves, I. By–Gad, M. Huseby, M. Eizner, and P. McNamara, 2002. “A guideline to building secure Web applications: The Open Web Application Security Project,” at http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.0.pdf?download, accessed 6 March 2003.

S. Dekleva, 2000. “Electronic commerce: A half–empty glass?” Communications of the AIS, volume 3, pp. 1–99.

D. Goldschlag, M. Reed, and P. Syverson, 1996. “Hiding routing information,” Proceedings of Information Hiding: First International Workshop, Lecture Notes in Computer Science, number 1174. Berlin: Springer–Verlag, pp. 137–150.

C. Guynes, 1996. “Privacy and societal issues on the Internet,” Computers and Society, pp. 11–13.http://dx.doi.org/10.1145/229403.229409

William Morris (editor), 1991. The American Heritage dictionary. Boston, Mass.: Houghton Mifflin.

B. Meeks, 1999. “The privacy hoax,” Communications of the ACM, volume 42, number 2, pp. 17–19.http://dx.doi.org/10.1145/293411.293425

B. Meeks, 1997. “Privacy lost, anytime, anywhere,” Communications of the ACM, volume 40, number 8, pp.8–13.http://dx.doi.org/10.1145/257874.257876

S. Milberg, S. Burke, H. Smith, and E. Kallman, 1995. “Rethinking copyright and ethics on the Net,” Communications of the ACM, volume 38, number 2, pp. 65–74.http://dx.doi.org/10.1145/219663.219683

Organization for Economic Co–operation and Development (OECD), 2003. Report on compliance with, and enforcement of, privacy protection online. Paris: OECD.

Organization for Economic Co–operation and Development (OECD), 2001. OECD guidelines on the protection of privacy and transborder flows of personal data. Paris: OECD.

H. Perritt, 1996. Law and the information superhighway: Privacy, access, intellectual property, commerce, liability. New York: Wiley.

Privacy.org, 2003. “Hackers steal personal data from UT Austin computer system”, at http://www.privacy.org/archives/001090.html, accessed 31 May 2003.

J. Reagle and L. Cranor, 1999. “The platform for privacy preferences,” Communications of the ACM, volume 42, number 2, pp. 48–55.http://dx.doi.org/10.1145/293411.293455

M. Reiter and A. Rubin, 1998. “Crowds: Anonymity for Web transactions,” ACM Transactions on Information and System Security, volume 1, number 1, at http://avirubin.com/crowds.pdf.http://dx.doi.org/10.1145/290163.290168

R. Vastine, 1999. “Comments on the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce (DSTI/Cp(98)4/REV5),” at http://www.uscsi.org/publications/papers/oecd_consumer_protection_g_.pdf.

H. Wang, M. Lee, and C. Wang, 1998. “Consumer privacy concerns about Internet marketing,” Communications of the ACM, volume 41, number 3, pp. 63–70.http://dx.doi.org/10.1145/272287.272299

 


Editorial history

Paper received 10 March 2008; accepted 14 March 2009.


Creative Commons License
“Privacy in the digital world: Towards international legislation” by N. AL–Shakhouri and A. Mahmood
is licensed under a Creative Commons Attribution–Noncommercial–Share Alike 3.0 United States License.

Privacy in the digital world: Towards international legislation
by Nour S. Al–Shakhouri and A. Mahmood
First Monday, Volume 14, Number 4 - 6 April 2009
http://www.firstmonday.org/ojs/index.php/fm/article/view/2146/2153





A Great Cities Initiative of the University of Illinois at Chicago University Library.

© First Monday, 1995-2017. ISSN 1396-0466.