“ Pr i vac y Today”

Ove r vi e w
• What is privacy
• Ways to protect privacy
– Technology
– Law
– Markets
– What you do yourself
• 4 types of privacy harms
• Fair information practices
• Conclusion
 I . What i s Pr i vac y?
• “Privacy is the claim of individuals, groups
or institutions to determine for themselves
when, how, and to what extent
information about them is communicated
to others”
– Alan Westin: Privacy & Freedom,1967

• Privacy is not an absolute

• We disclose, and we keep private

 Pr i vac y as a Pr oc e s s

“Each individual is continually

engaged in a personal adjustment
process in which he balances the
desire for privacy with the desire for
disclosure and communication….”

- Alan Westin, 1967

 We s t i n’ s f our s t at e s
of pr i vac y

• S olitude
– in divid ua l s e pa ra te d from th e g rou p a n d fre e d
fro m th e o b s e rva tio n o f o th e r p e rs o ns
• Intima c y
– in divid ua l is pa rt o f a s m a ll un it
• Anonymity
– in divid ua l in p u b lic b ut s till s e e ks a nd fin d s
fre e d o m from id e n tific a tion a nd s u rve illa n c e
• R e s e rve
– th e c re a tio n o f a p s yc h olog ic a l b a rrie r a g a ins t
un wa nte d in tru s io n - h old in g b a c k c om m u nic a tion
 II. Ways t o Pr ot e c t Pr i vac y

• There are four basic ways to protect

privacy:
– Technology
– Law
– Markets
– Your choices as an individual
 Exampl e :
Re duc i ng Spam
• Unwanted e-mail can be an intrusion on your
privacy and can reduce the usefulness of e-mail
• Technology: Spam filters
• Law: the CAN-SPAM Act
– Illegal to send commercial email with false
headers
– You can unsubscribe from the sender
• Markets: you choose an email provider that does
a good job of reducing spam
• Your choices: you decide not to open that
e-mail with the unpleasant header
 I I I . 4 Type s of Pr i vac y Har ms

• We’ll look more closely at 4

categories of privacy harms:
– Intrusions

– Information collection

– Information processing

– Information dissemination
Pr i vac y Har ms
 I nt r us i ons

• “They” come into “your” space and

contact you or tell you what to do
• Examples:
– Unwanted email (spam)
– Unwanted phone calls
• Technology: Caller ID to screen calls
• Law: National Do Not Call list
– Parents entering a teen’s room without
knocking
– Government saying what you can or can’t do
with your own body or property
 I nf or mat i on Col l e c t i on

• “They” watch what you are doing, more than they

should
• Surveillance & Interrogation
– Visual, such as peeping Toms
– Communications, such as wiretapping your phone or
email
– Government, employers, or parents ask you “private”
information
• Example of protections: with a warrant, the
government can wiretap or search your house.
Having to get a warrant is a protection, though,
against too much information collection.
 I nf or mat i on Pr oc e s s i ng
• “They” have a lot of data, and do things with it
• Identification: they learn about your “anonymous”
actions
• Data mining: they learn patterns, to decide if you
are a good customer or a suspected terrorist
• Exclusion: they decide you are not a good potential
employee or customer, or go on the no-fly list at
the airport
• Secondary use: they collect the data for one
reason, but use it for others
• Note: Information processing can be helpful, when
it “personalizes” and gives you better service. But
it can invade your privacy when it goes too far or
is used in ways that break the rules.
 I nf or mat i on Di s s e mi nat i on
• “They” disclose data, perhaps more than “you”
think they should
– Breach of confidentiality: a doctor or lawyer
discloses more than you wish
– Transfer to third parties: a company or
government shares data about you to persons
you don’t expect
– Public disclosure of private facts: an intimate
photo of you, or disclosure of intimate facts
– Disclosure of untrue facts: you are put in a false
light
– Appropriation: they use your name or picture
without your permission
 Re vi e w: 4 Type s
of Pr i vac y Har ms
 I V. Fai r I nf or mat i on Pr ac t i c e s
• We will examine five Fair Information
Practices have been developed to protect
against these sorts of privacy concerns

• The Federal Trade Commission principles:

– Notice/awareness
– Choice/consent
– Access/participation
– Integrity/security
– Enforcement/redress
 Not i c e / Awar e ne s s

• Individuals need notice to make an

informed choice about whether to provide
information
– Who is collecting the data
– Uses for which the data will be used
– Who will receive the data
– The nature of the data and the means by
which it is collected if not obvious
– The steps taken to preserve confidentiality,
integrity, and quality of the data
 Choi c e / Cons e nt
• Choice may apply to “secondary uses” – uses beyond
the original reasons you provided your data
• Sometimes choice is “opt in” – they won’t share your
data unless you say you want them to
– HIPAA medical privacy rule – don’t share your data
unless you give consent
• Sometimes choice is “opt out” – they can share your
data or contact you, but you can tell them not to
– Do Not Call list – no telemarketing if you sign up at
www.donotcall.gov
– Many web sites will not share your data if you “opt
out” (tell them not to share)
 Ac c e s s / Par t i c i pat i on

• Individuals in some instances can

access the data held about them,
and correct any inaccuracies
– Fair Credit Reporting Act: no-fee credit
report at www.annualcreditreport.com
(some other sites advertise “free”
reports that aren’t free)
– Privacy Act: right to see records held
about you by the federal government
 I nt e gr i t y/ Se c ur i t y

• Data should be secure and accurate

– Without security, can have good privacy
policies but hackers gain entry
– Without accuracy, wrong decisions are
made about individuals

• We should expect reasonable technical,

physical, and administrative measures
 Enf or c e me nt / Re dr e s s
• There is great variety in the ways that privacy
principles are enforced
• Increasingly, companies and government
agencies have Privacy Professionals to
comply with their privacy promises
• Companies can be fined if they break the
promises in their privacy policies (Section 5
of the FTC Act)
• For some kinds of data (medical, financial,
stored communications), there is additional
enforcement by individuals or government
agencies
 V. Conc l us i on

• Some themes from today:

– The link between privacy and freedom – a
zone where “they” do not intrude upon
“you”

– The challenges of protecting privacy in our

emerging information society

– The need for the right mix of technology,

laws, and markets
 Fi nal l y:
• The emergence of privacy professionals
– A growing profession focused on managing
privacy in the information economy
• We’re here
– To ensure protection of privacy while also
– Helping create the many ways you want
information to be used in our information
society
• Thank you for your attention
 Presentation written by:

Professor Peter P. Swire

Ohio State University
Center for American Progress
www.peterswire.net

On behalf of the

International Association of Privacy Professionals

www.privacyassociation.org
 Cr e at i ve Commons Li c e ns e

This work is licensed under the Creative Commons

Attribution 3.0 Unported License. To view a copy of this
license, visit http://creativecommons.org/licenses/by/3.0/
or send a letter to Creative Commons, 171 Second Street,
Suite 300, San Francisco, California, 94105, USA. Any use
of these materials requires attribution to the IAPP and
Peter Swire.