Tag Archive | Information Privacy

FCC Seeks Public Comment on Mobile Carrier Privacy Policies Following Data Collection Controversy

In re-launching the inquiry into carriers’ data privacy and security practices, the FCC argues that not informing customers about the software or its data practices may have violated the carriers’ responsibility pursuant to Section 222 of the Communications Act of 1934 to protect customer data “that is made available to a carrier solely by virtue of the carrier-customer relationship.”  The law allows such data to be used only in “limited circumstances,” a term which is not defined in Section 222.  It appears that one of the goals of the renewed inquiry is for the FCC to define the scope of the “limited circumstances.”

View the entire entry:

Stranger than Fiction: A Few Words About An Ethical Compass for Crisis Mapping

by Patrick Meier, iRevolution, February 12, 2012

The good people at the Sudan Sentinel Project (SSP), housed at my former “alma mater,” the Harvard Humanitarian Initiative (HHI), have recently written this curious piece on crisis mapping and the need for an “ethical compass” in this new field. They made absolutely sure that I’d read the piece by directly messaging me via the @CrisisMappers Twitter feed. Not to worry, good people, I read your masterpiece. Interestingly enough, it was published the day after my blog post reviewing IOM’s data protection standards. …

For full text of the article, visit Stranger than Fiction: A Few Words About An Ethical Compass for Crisis Mapping | iRevolution.

Basic Principles of European Union Consent and Data Protection

by Christina Hultsch, Technology Law Source, July 25, 2011

Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below. … Contrary to law in the US, in the EU, obtaining the consent of the individual (the “data subject”) has always played a key role in the European Union’s data protection efforts. The Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy, issued an opinion in July, 2011 addressing the consent principles currently in place as well as providing insight into a possible and likely expansion of consent requirements

For full text of the article visit Basic Principles of European Union Consent and Data Protection : Technology Law Source.

Mobile Location Privacy Opinion Adopted by Europe’s WP29

Posted by Boris Segalis, May 19, 2011

Summary: On May 16, 2011, EU’s Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services. WP29 is comprised of representatives from the EU member states’ data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. …  Not surprisingly, WP29 has concluded that geolocation data is “personal data” subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. …

For highlights of the opinion, view the Information Law Group Blog entry:

For full text of the opinion, click on Opinion 13/2011 on Geolocation Services on smart mobile devices [PDF].

Panel debates ways to update surveillance to new technologies – Nextgov

By Juliana Gruenwald, National Journal, NextGov 02/17/2011

The FBI came to Congress Thursday to outline the problems law enforcement officials are increasingly facing in executing court ordered wiretaps, but did not offer a proposed solution for lawmakers to consider. During a hearing before the House Judiciary Crime, Terrorism and Homeland Security Subcommittee, even critics acknowledged law enforcement faces a problem but there was much debate over what should be done to address it. Under the 1994 Communications Assistance for Law Enforcement Act, telecommunications companies are required to develop and deploy solutions to enable court-ordered wiretaps. …

Full article available via Panel debates ways to update surveillance to new technologies – Nextgov.

Consumer Privacy, Energy Use Data, and Trust | The Energy Collective

Posted January 31, 2011 by Christine Hertzog

Consumer privacy concerns are an important focus of many Smart Grid conversations.  Everyone agrees that consumers need to be educated about the entirely new types of energy use data that can be created with Smart Grid technologies.  While we must ensure that consumers are aware of their rights and responsibilities regarding energy use data, there is less conversation ongoing about educating utilities and vendors to deploy programs to ensure data privacy, and there are no conversations ongoing about who owns the value of that energy use data. …

For full text of the article, visit Consumer Privacy, Energy Use Data, and Trust | The Energy Collective.

Geographical Information as “Personal Information”

Source: Teresa Scassa, University of Ottawa, Faculty of Law, Common Law Section, August 8, 2010

The rapid proliferation of applications using geographical information combined with the growing accessibility of vast quantities of data of all kinds has given rise to a number of data protection challenges. Information is placed in geographic context by governments, private sector actors, and even by individuals; compilations of data may be sole-authored or crowd-sourced, and are frequently made available over the internet. This paper explores a key question in the data protection context: when is information placed in geographical context personal information? Particular challenges in answering this question include the way in which geographical information may be a key to re-identifying de-identified data, and how it can be used to link aggregate demographic data to specific individuals.

For full text of the article on the Social Science Research Network, click here.

Social Security Numbers, Public Records and Privacy

Unauthorized access to social security numbers is a hot issue in Wisconsin, as it is all over the country. Over the last few years, state agencies in Wisconsin have inadvertently disclosed citizens’ social security numbers in a number of high-profile cases, including:

2006 – A Wisconsin Department of Revenue contractor mailed Wisconsin tax booklets to 170,000 residents with their social security numbers printed on the address label;

2007 – The University of Wisconsin-Madison published the names, e-mail addresses, and social security numbers for two hundred faculty and staff of the UW-Madison’s Division of Information Technology in an online database; and,

2008 – The Wisconsin Department of Health and Family Services sent a mailing to 260,000 Medicaid participants with their social security numbers printed above their names on the address labels.

Appallingly, some individuals’ social security numbers were released not once, but twice during this time.


Social Security Numbers and Public Property Records

Unauthorized access to social security numbers also is an issue for the geospatial community as public property records are published over the Internet, often in combination with searchable online mapping applications. In 2006, the Public Records Industry Association (PRIA) developed model legislation and a set of best practices for the handling of social security numbers on property records.


Will Proposed Wisconsin Legislation “Fix” the Problem of Unwanted Disclosure of SSNs?

In Data Privacy Fix Broader Than Social Security Number, published in Wisconsin Technology Network (WTN) on May 3, 2008, attorney Mark Foley provides an important critique of proposed Wisconsin Assembly bill AB 771, which is intended to protect our privacy against unauthorized disclosure of our social security numbers by the government; a quick snapshot of his article follows:

On March 5, the Wisconsin Assembly passed Bill AB 771, which prohibits any state agency from using a Social Security number as an identifier unless such use is required by state or federal laws or regulations, or is otherwise authorized by law. If enacted by the Senate and signed by the Governor, this bill will join many other laws in Wisconsin and elsewhere that limit the use of SSNs, but the issue involved is broader than SSNs alone. The passage of this bill should remind everyone of the need to apply the “Use Limitation Principle” to all information technology activities. … If the purpose of AB 771 is to prevent similar disclosures of SSNs in the future, it is not likely to succeed. This is because both state agencies involved are authorized or required by law to collect and use SSNs for their activities. These agencies will still have the SSNs and the data will still be at risk. The problem, and the solution, lie elsewhere.

Useful limitations

Unauthorized uses or disclosures of SSNs often result from violation of the “Use Limitation Principle.” That is, to best protect privacy interests, data should be collected only for a specified limited purpose and not used for any other purposes. … The “Use Limitation Principle” would bar the use of a SSN for anything but its original purpose. Although you might still need the SSN somewhere in your payroll database to report earnings and tax withholding to the government, you would not use the SSN as your primary employee ID and would not use it to link various subcategories of data. Rather, you would develop one or more unique employee identifiers that do not include and are not based on the SSNs. Then, if data containing your identifiers are lost or stolen, the risks of data compromise are limited to your own database, and the risks of identity theft or other misuse are much reduced. And you would not allow, much less encourage, use of a SSN as a user ID or password. …

Source: Wisconsin Technology Network

For the full text of the article, visit: http://wistechnology.com/articles/4730/
For the full text of Wisconsin bill AB 771, visit: http://www.legis.state.wi.us/2007/data/AB-771.pdf

Call for Comprehensive Data Privacy Law


Bruce Schneier, security guru and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World, calls for a comprehensive U.S. data privacy law in his article, “Our Data, Our Selves” (Wired Magazine, May 15, 2008). Nellwal, another data security expert and whistleblower, concurs in the blog “The Whislter Ear”; “[n]ational legislation,” Nellwal comments, “is slow in coming, the court systems are refusing to punish negligent companies that lose consumer data, and the agencies who regulate data protection and trafficking do little if anything to protect us.” See also Schneier’s blog: http://www.schneier.com/blog/

Unfortunately, as a nation, we seem to be complacent about our privacy. When asked, we express the desire to protect our privacy; but in action, we share our information freely for coupons at the grocery store. As individuals, we don’t take the time to question whether we are required by law to provide our information, to evaluate how this information will be used and aggregated, and to consider who will have access to it. When I talk to friends and colleagues about the issue, they frequently presume that our privacy rights are protected under the law and by the courts. After reading court opinions, however, they are shocked. The law has not kept up with technological change, and the courts frequently assume that technological change – “progress” – is always good. Further, the courts do not thoroughly consider cultural, gender, generational or personal differences in what is considered a “reasonable expectation of privacy,” which is often the relevant legal standard by which the courts base their opinions.


As data professionals, we collect more information than we need because we can. Then, we get function creep (e.g., see yesterday’s posting on license plate tracking)! We have lots of data at our fingertips, so we inevitably use it for purposes other than that for which it was originally collected. We need to recognize that the policies we establish to handle data are as important in protecting our information as the technical controls we implement (e.g., Anderson, R., Security Engineering: A Guide to Building Dependable Distributed Systems). 


We may have competing values and interests, such as privacy, the public’s right to know, free speech, value of public information, demand for convenient access, ease of Internet publication, tools for data mining, integration, and analysis, ability to profile and locate individuals, and the need for emergency management (Holland, W., Tension- Individual Privacy in the Age of the Internet and Insecurity, Fair & Equitable, February 2007, p. 12; see also Regan, P., Legislating Privacy); but, as a society, we need to do a better job of balancing these interests. We must recognize that privacy is a necessary ingredient of autonomy and freedom.

Location / Spatial Privacy

Over the next decade, information collected through RFID and micro/nano-sensor technologies will be analyzed and displayed using geospatial technologies and served up over the Internet (e.g., distributed sensing through Sensor Web), impacting our privacy in new ways.

For a great sociological and legal discussion of privacy as it relates to geospatial information and technology, refer to Michael R Curry’s “Chapter 7: The Digital Individual in a Visible World” in his book Digital Places: Living with Geographic Information Technologies; for a historical perspective, check out Mark Monmonier’s Spying with Maps: Surveillance Technologies and the Future of Privacy. Also see Kevin Pomfret’s discussions on spatial privacy on his blog Spatial Law.


For more on data privacy, also see the following books:

  • Agre, P., and Rotenberg, M., Technology and Privacy: The New Landscape
  • Albrecht, K. and McIntyre, L., Spychips: How Major Corporations and Government Plan To Track Your Every Purchase and Watch Your Every Move
  • Branscomb, A., Who Owns Information: From Privacy to Public Access
  • Garfinkel, S., Database Nation: The Death of Privacy in the 21st Century
  • Holtzman, D., Privacy Lost: How Technology is Endangering Your Privacy
  • O’Harrow, R., No Place to Hide
  • Regan, P., Legislating Privacy: Technology, Social Values, and Public Policy
  • Rule, J., Privacy in Peril
  • Solove, D., Rotenberg, M., and P. Schwartz, Privacy, Information, and Technology
  • Solove, D., The Digital Person: Technology and Privacy in the Information Age