Know Your Online Rights
The Internet enables us to improve communication, erase physical barriers, and expand our education. Its absorption into our society has been extraordinary. It touches nearly every part of our lives from how we apply for jobs and where we get our news, to how we find friends. A few Web sites have virtually replaced some things, like the encyclopedia and the phone book.
But with acceptance comes a decrease in skepticism. You may assume that the same laws or societal rules that protect your privacy in the physical world apply to the digital world as well. But the Internet remains largely unregulated and the policies governing it underdeveloped. Laws concerning online privacy are still being developed.
To date, the U.S. Supreme Court largely has taken a hands-off approach to regulating the Internet and online privacy in favor of free speech. However, the federal government is increasingly interested in regulating the Internet, for example through child pornography and gambling laws. One important thing to keep in mind when relying on the law to protect you is that if U.S. law is broken in another country, prosecuting the criminal may prove difficult or impossible.
Knowing how to navigate the Internet safely is essential to maintaining your privacy online.
1: What Internet Activities Reveal My Personal Information?
When you are online, you provide information to others at almost every step of the way. Often this information is like a puzzle that needs to be connected before your picture is revealed. Information you provide to one person or company may not make sense unless it is combined with information you provide to another person or company. Below is a summary of the more common ways you give information to others when using the Internet.
Signing up for Internet service
If you pay for the Internet yourself, you signed up with an Internet Service Provider (ISP). Your ISP provides the mechanism for connecting your computer to the Internet. There are thousands of ISPs around the world offering a variety of services.
Each computer connected to the Internet, including yours, has a unique address, known as an IP address (Internet Protocol address). It takes the form of four sets of numbers separated by dots, for example: 123.45.67.890. It’s that number that actually allows you to send and receive information over the Internet. Depending upon your type of service, your IP address may be "dynamic", that is, one that changes periodically, or "static", one that is permanently assigned to you for as long as you maintain your service.
Your IP address by itself doesn’t provide personally identifiable information. However, because your ISP knows your IP address, it is a possible weak link when it comes to protecting your privacy. ISPs have widely varying policies for how long they store IP addresses. Unfortunately, many ISPs do not disclose their data retention policies. This can make it difficult to shop for a “privacy-friendly” ISP.
E-mail. When you correspond through e-mail you are no doubt aware that you are giving information to the recipient. You might also be giving information to any number of people, including your employer, the government, your e-mail provider, and anybody that the recipient passes your message to. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful under certain circumstances for someone to read or disclose the contents of an electronic communication (18 USC § 2511).
But, the ECPA is a complicated law and contains many exceptions. ECPA makes a distinction between messages in transit and those stored on computers. Stored messages are generally given less protection than those intercepted during transmission. Here are some exceptions to the ECPA:
- The ISP may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is generally prohibited.
- The ISP may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many ISPs require a consent agreement from new members when signing up for the service.
- If the e-mail system is owned by an employer, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor e-mail messages of their employees. (See PRC Fact Sheet 7 on employee monitoring, www.privacyrights.org/fs/fs7-work.htm.)
- Services may be required to disclose personal information in response to a court order or subpoena. A subpoena may be obtained by law enforcement or as part of a civil lawsuit. The government can only get basic subscriber information with a subpoena. The government needs a search warrant to get further records. A subpoena as part of a private civil lawsuit may disclose more personal information.
- The USA PATRIOT Act, passed by Congress after the terrorist attacks of September 11, 2001, and amended in 2006, makes it easier for the government to access records about online activity. In an effort to increase the speed in which records are acquired, the Act eliminates much of the oversight provided by other branches of the government. And it expands the types of records that can be sought without a court order. For additional information about the USA PATRIOT Act, visit the Web sites of the American Civil Liberties Union, www.aclu.org, the Center for Democracy and Technology, www.cdt.org, the Electronic Frontier Foundation, www.eff.org, and the Electronic Privacy Information Center, www.epic.org.
In U.S. v Warshak (decided December 14, 2010), the Sixth Circuit Court of Appeals ruled that although an ISP has access to private e-mail, the government must obtain a search warrant before seizing such e-mail. The issue that the court dealt with in this case was the expectation of privacy that is afforded to e-mail hosted on a remote server. The court stated:
Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve....
The decision is particularly important to the extent that it could spur Congress to update the federal statutes that, in some cases, do allow warrantless searches of e-mail.
E-mail discussion lists and list-serves. When participating in online discussion groups, which are sometimes called "list-serves," remember that either the sender or the recipient can consent to the inspection or disclosure of the e-mail. Additionally, if you are concerned about junk e-mail, forwarded messages, or other unsolicited mail, you should note that you are giving your e-mail address to numerous people.
On many of these discussion lists, the e-mail address of members is readily available, sometimes on the e-mails sent and often through the group’s Web site. Although a subscription and sometimes a password is required to use the list, there’s nothing to prevent another member of the list to collect and distribute your e-mail address and any other information you post. In addition, some message boards and list-serves may be archived.
Browsers. Although it may not seem like you are giving very much information, when you browse the Internet you are relaying personal information to Web sites. Your browser likely provides your IP address and information about which sites you have visited to Web site operators. As you move from site to site online, numerous companies utilize sophisticated methods to track and identify you. The Web Privacy Census measures trends in internet tracking at the 25,000 most popular websites.
Almost all browsers give you some control over how much information is kept and stored. Generally, you can change the settings to restrict cookies and enhance your privacy. Note that if you choose a high privacy setting, you may not be able to use online banking or shopping services. Most major browsers now offer a "Private Browsing" tool to increase your privacy. However, researchers have found that "Private Browsing" may fail to purge all traces of online activity. Many popular browser extensions and plugins undermine the security of "Private Browsing". http://crypto.stanford.edu/~dabo/pubs/abstracts/privatebrowsing.html.
Search engines. Most of us navigate the Internet by using search engines. Search engines have and use the ability to track each one of your searches. They can record your IP address, the search terms you used, the time of your search, and other information. We encourage you to closely review your search engine's privacy policy.
You may also inadvertently reveal information through your search strings. For example, you might do a search to determine if your Social Security number appears on any Web sites. You might enter the search terms " Jane Doe 123-45-6789." The Google search string might look like this: http://www.google.com/#hl=en&source=hp&q=Jane+Roe+123-45-6789&btnG=Googl... Retention of that search string would mean that your search engine has a record of your name and Social Security number.
Major search engines have said they need to retain personal data, in part, to provide better services, to thwart security threats, to keep people from gaming search ranking results, and to combat click fraud scammers. However, major search engines often have retained this data for over a year, seemingly well beyond the time frame necessary to address these concerns. Some search engines have reduced the time that they retain users' IP addresses. Major search engines delete or anonymize IP addresses according to the following schedule:
- Yahoo-18 months
- Bing (formerly MSN/Windows Live)-6 months
- Google-9 months
Startpage (www.startpage.com), a search engine operated by Ixquick, based in The Netherlands, does not record users’ IP addresses at all. The privacy policy was created partially in response to fears that if the company retained the information, it would eventually be misused. The company concluded, “If the data is not stored, users privacy can't be breached.” Startpage will remove all identifying information from your query and submit it anonymously to Google.
Online Privacy Tip: It's a good idea to avoid using the same web site for both your web-based email and as your search engine. Web email accounts will always require some type of a login, so if you use the same site as your search engine, your searches can be connected to your email account. By using different web sites for different needs -- perhaps Yahoo for your email and Google for your searches -- you can help limit the total amount of information retained by any one site. Alternatively, log out of your email and clear your browser's cookies (see Cookies below) before going to other sites, so that your searches and browsing are not connected to your email address.
Online Privacy Tip: Avoid downloading search engine toolbars (for example, the Google toolbar or Yahoo toolbar). Toolbars may permit the collection of information about your web surfing habits. Watch out that you do not inadvertently download a toolbar when downloading software, particularly free software.
Online Privacy Tip: Google combines information about you from most of its services, including its search engine, Gmail, and YouTube. Be sure to disable automatic sign-ins by following the instructions at http://support.google.com/accounts/bin/answer.py?hl=en&answer=39273. Also be sure to clear your browser's cache and cookies by following the instructions at http://support.google.com/accounts/bin/answer.py?hl=en&answer=32050. While you must be signed in to access Gmail, most Google services can be used without being signed in to your account.
For more information on search engines you can read:
Cookies. When you visit different Web sites, many of the sites deposit data about your visit, called "cookies," on your hard drive. Cookies are pieces of information sent by a Web server to a user's browser. Cookies may include information such as login or registration identification, user preferences, online "shopping cart" information, and so on. The browser saves the information, and sends it back to the Web server whenever the browser returns to the Web site. The Web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses.
For example, if you use the Internet to complete the registration card for a product, such as a computer or television, you generally provide your name and address, which then may be stored in a cookie. Legitimate Web sites use cookies to make special offers to returning users and to track the results of their advertising. These cookies are called first-party cookies.
However, there are some cookies, called third-party cookies, that communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers. These third-party cookies include "tracking cookies" which use your online history to deliver other ads. Read more about tracking cookies at http://www.pcworld.com/printable/article/id,257603/printable.html.
Your Web browser and some software products enable you to detect and delete cookies, including third-party cookies. For illustrated instructions on how to delete cookies in popular web browsers, read http://www.pcworld.com/article/242939/how_to_delete_cookies.html. You can also download a Windows PC cleaning tool such as CCleaner at http://www.piriform.com/ccleaner.
You can also opt-out of the sharing of cookie data with members of the Network Advertising Initiative by going to www.networkadvertising.org/consumer/opt_out.asp.
Flash cookies. Many websites have begun to utilize a new type of cookie called a "flash cookie" (sometimes also called a "supercookie") that is more persistent than a regular cookie. Normal procedures for erasing standard cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser will not affect flash cookies. Flash cookies thus may persist despite user efforts to delete all cookies. They cannot be deleted by any commercially available anti-spyware or adware removal program. However, if you use the Firefox browser, there is an add-on called "BetterPrivacy" that can assist in deleting flash cookies: https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/.
During July and August 2010, three class action lawsuits were filed against several companies for their use of flash cookies. These companies are alleged to have knowingly tracked users in a way that was not adequately disclosed in their privacy policies. Defendants include major media companies (MySpace, ABC, ESPN, Hulu, MTV, and NBC Universal Disney, and Warner Brothers) and online advertising companies (Quantcast, Specificmedia, and Clearspring). http://www.zdnet.com/blog/btl/ad-network-at-center-of-third-flash-cookie-lawsuit/38346. The lawsuits were settled in June 2011. Under the terms of the settlement, the defendants will cease respawning cookies and amend their privacy policies. They also paid a $3.2 million monetary settlement. http://www.privacyandsecuritymatters.com/2011/06/court-approves-settlement-of-flash-cookie-class-action/.
For more information about flash cookies you can download UC Berkeley School of Law's paper entitled "Flash Cookies and Privacy" at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862 and "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning" at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1898390.
Fingerprints. A device fingerprint (or machine fingerprint) is a summary of the software and hardware settings collected from a computer. Each computer has a different clock setting, fonts, software and other characteristics that make it unique. When a computer goes online, it broadcasts these details to other computers that it communicates with. These details can be collected and pieced together to form a unique "fingerprint" for that particular device. That fingerprint can then be assigned an identifying number, and used for similar purposes as a cookie.
Fingerprinting could eventually replace the cookie as the primary means of tracking computers. Tracking companies are embracing fingerprinting because it is tougher to block than cookies. Cookies are subject to deletion and expiration, and are rendered useless if a user decides to switch to a new browser.
You can tests your browser to see how unique it is based on the information that it will share with the sites that you visit. Panopticlick will give you a uniqueness score, letting you see how easily identifiable you might be as you surf the web. A paper reporting the statistical results of Panopticlick submissions titled How Unique Is Your Browser? explains he degree to which modern web browsers are subject to "device fingerprinting" through the information that they transmit to websites upon request.
Unfortunately, fingerprinting is generally invisible, difficult to prevent, and semi-permanent. There's no easy way to delete fingerprints that have been collected. Computer users determined to prevent fingerprinting can block JavaScript on their computer. However, some parts of a website (for example, video and interactive graphics) may not load, resulting in a blank space on the webpage. One way to block JavaScript is to use the Firefox browser with the “add-on” program called NoScript, available at http://noscript.net/getit. The combination of Firefox and NoScript can stop JavaScript on websites.
Interactive use: Instant messages (IM) and social networks
Instant messages (IM). IM conversations have a feel of casualness about them, which can lead some to let down their guard. Although seemingly informal, IM conversations can be archived, stored, and recorded on your computer as easily as e-mails.
The rule that "delete does not mean delete" applies to IM conversations as well as e-mail. Virtually all IM programs have the ability to archive and the IM program may automatically turn this feature on. Archiving IM conversations simply means saving the conversation in a text file just like you would any other file, such as a Word document. Some of these IM programs automatically save your chats unless you select otherwise.
It is important to realize that your conversation can be saved onto a computer even if only one person agrees. When you are talking to a person over IM, they do not need to tell you if they are recording and saving your conversation. If you want to make sure that your Google Talk conversation partner is not saving your chat on their computer you can select the feature called "off the record."
Similar to e-mail, workplace IM can be monitored by your employer. More on workplace monitoring can be found in our Fact Sheet 7, www.privacyrights.org/fs/fs7-work.htm.
IM has become a new target for spammers. “Spim,” usually involves get-rich-quick scams or pornography. Often the spimmer will include a link in the message, which could cause spyware to be installed on your computer if you click on the link. You can reduce your exposure to spim by adjusting your IM account to only allow messages from specified people.
Social networks. Online social networks are websites that allow users to build connections and relationships to other Internet users. Social networks store information remotely, rather than on a user’s personal computer. Social networking can be used to keep in touch with friends, make new contacts and find people with similar interests and ideas. These online services have grown in popularity since they were first adopted on a large scale in the late 1990s.
Many people besides friends and acquaintances are interested in the information people post on social networks. Identity thieves, scam artists, debt collectors, stalkers, and corporations looking for a market advantage are using social networks to gather information about consumers. Companies that operate social networks are themselves collecting a variety of data about their users, both to personalize the services for the users and to sell to advertisers.
Our Fact Sheet 35- Social Networking Privacy: How to be Safe, Secure and Social provides information about the advantages and disadvantages of using social networks, what kind of information may be safe to post and how to protect it, as well as who is able to access different types of information posted to these networks.
Domain names. Many individuals obtain their own Web site address or URL (Uniform Resource Locator), called domain names. For example, our domain name is www.privacyrights.org. Individuals may use their own name or a variant, such as www.johndoe.com. Domain registrations are public information unless you pay an additional fee to make your domain name private. (Search on private domain registration to find providers of this service).
Anyone can look up the owner of a domain name online by using a service such as www.domainwhitepages.com or www.internic.net/whois.html. To see how easy it is to find out who owns a Web address, use one of these services to check our domain name, privacyrights.org.
If you set up your own Web site, you will need to provide an address where the registration service can reach you. You may be able to use a P.O. Box which would reduce the amount of information someone sees if they look up your domain name. In addition you may want to choose an e-mail account that does not reveal unnecessary information, such as where you attend school. An e-mail address from a free Webmail service might be preferable to one with a .edu domain for example.
Blogs. Web logs, or “blogs,” are journals (or newsletters) that are frequently updated and intended for general public consumption. Depending on the service you use to post your blog, your private information may be available. Generally blog services will allow you at least some control over how much personal information you make public. Read the service agreement carefully to determine exactly what is required and what will be revealed.
Most blogs also allow comments by readers. Although some allow you to comment anonymously, others require registration and at least an e-mail address. Consider carefully how much information you’re willing to give and if you want your personal information linked to your comments or posts forever. Most blogs will record your IP address, which may enable them to determine your identity. In addition, if the blog has placed a cookie on your computer, it may be able to associate your post with other comments that you have made.
In addition to information you may be providing through signing up for the blog, the contents of your blog are published for everyone, including employers, to see. There have been reports of employers firing employees for blogging. The content does not even necessarily have to be about the employer.
Online Privacy Tip: Determine who you want your audience to be. If you are writing only for friends and family consider making your blog accessible only by password. Using a pseudonym can help hide your identity, but if your blog becomes popular people may try to uncover your true identity. To limit this possibility you can keep Google and other search engines from listing your blog. To find out how and for other tips, read the Electronic Frontier Foundation’s (EFF) tips on safe blogging, available at www.eff.org/Privacy/Anonymity/blog-anonymously.php. EFF has also written a free legal guide for bloggers, at www.eff.org/bloggers/lg.
Managing your financial accounts and online banking
Being able to check your balances, transfer money between accounts, pay your bills, and track your checks online is a great convenience. But online banking requires you to transmit a lot of sensitive information over the Internet. While it makes sense for the bank to have that information, you don’t want anyone else to get it.
Most banks and other financial institutions use a system of passwords and encryption to safeguard your information. Be sure to use a different password for online banking (and for any other online financial accounts) than you use on any other website. Make sure that your password is random and cannot be easily guessed. See PRC's Alert "10 Rules for Creating a Hacker-Resistant Password".
Make sure that any computer used for managing your financial account has an up-to-date operating system, firewall, and software (Including antivirus and anti-malware programs). Otherwise, your login credentials could be stolen. Read more about maintaining your computer's security in PRC's Fact Sheet 36, "Securing Your Computer to Maintain Your Privacy".
Never login to your financial accounts from a public computer. Keyloggers or other malware could steal your login credentials. Likewise, it's not a good idea to login from a public Wi-Fi hotspot, since your communications might be intercepted. Read more about Wi-Fi safety at https://www.privacyrights.org/fs/fs36-securing-computer-privacy.htm#wifi.
When managing your financial accounts online, be careful that you are giving your information to the proper institution. Many fraudulent sites have been set up to look like the real thing. Beware of “phishing” e-mails, which typically ask you to update your account information, but are really looking to steal your personal information. Never respond to unsolicited requests for passwords or account numbers, no matter how realistic they look.
Consumer (but not business) bank accounts generally are protected by the Electronic Funds Transfer Act, which limits consumer losses for online theft to $50, as long as the consumer reports the loss within 60 days after the fraudulent transfer appears on the statement. Your rights are explained in more detail at http://www.bankrate.com/finance/savings/could-bank-hackers-steal-your-money-1.aspx.
Each bank has its own privacy policy. It’s up to you to determine if that policy meets your needs. Some banks will share some of your information with others for marketing purposes unless you specifically notify them not to. Generally this is referred to as an “opt out” option. To read more about these options and financial privacy, check out Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You, available at www.privacyrights.org/fs/fs24-finpriv.htm.
For additional tips on how to bank online safely, see http://www.fdic.gov/bank/individual/online/safe.html and http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf.
2: How Do Others Get Information about Me Online?
The Internet can be useful to businesses for marketing purposes. Through the Internet, businesses can sell and communicate with customers. The Internet also allows businesses to identify and learn about their customer base.
Additionally, many customers expect that a company they interact with in the physical world will also have an online presence. What consumers may not be aware of is how all of these purposes interact. When a business meets your need of having a Web site with store hours and directions, it may also meets its need of determining how many customers may want to go to a particular store branch.
Web bugs. Many Web sites use Web bugs to track who is viewing their pages. A Web bug (also known as a tracking bug, pixel tag, Web beacon, or clear gif) is a graphic in a Web site or a graphic-enabled e-mail message. The Web bug can confirm when the message or Web page is viewed and record the IP address of the viewer.
An example you might be familiar with is an electronic greeting card. Hallmark and other companies allow you to request that you be notified when the recipient views your card. The Web sites likely employ Web bugs to tell them when the recipient viewed the card.
Unfortunately, users have little control over the data collection by Web bugs on most sites. Furthermore, Web bugs placed by third-parties are not governed by a web site's privacy policy. For more information about Web bugs, see http://knowprivacy.org/web_bugs_recommendations.html and http://knowprivacy.org/web_bugs.html.
Online Privacy Tip: You can defeat e-mail Web bugs by reading your e-mail while offline, an option on most e-mail programs. Some e-mail systems avoid Web bugs by blocking images that have URLs embedded in them. You might have seen the message “To protect your privacy, portions of this e-mail have not been downloaded.” This message refers to Web bugs. You can choose to allow these images to be downloaded, but they likely contain Web bugs.
Direct marketing. Consumers may notice that online newspapers and other businesses have boxes asking you if the Web site can save your account information for future transactions. Whether it asks you for permission to save your information or not, you can bet that your information is being stored and used by the marketing department.
Web sites have increased their use of direct marketing. Direct marketing is a sales pitch targeted to a person based on prior consumer choices. For example, Amazon may recommend books that are similar to others you have purchased.
Another example is Google’s e-mail service, Gmail. Gmail scans incoming e-mails and places relevant advertisements next to the e-mail. For example, if your grandmother sends you an e-mail with a chicken noodle soup recipe, when you open your inbox you can read your grandmother’s e-mail and also see advertisements for www.cooks.com or Chicken Little stuffed animals. If your recipient uses Gmail, Google will scan your message and provide advertisements to the recipient even if you, the sender, do not use Gmail.
Use of your information for marketing is not limited to companies you do business with. Many companies sell or share your information to others. If you sign up for a free magazine subscription, the company may share your information with affiliates. This is similar to what happens with traditional junk mail, but since you have entered the information yourself into an electronic system, sharing with other businesses can be done rapidly and cheaply.
To avoid spam laws, most Web sites ask your permission to send you future information and offers. However, this permission is often presumed and the permission box already checked. To avoid the use of your information this way, always uncheck boxes that state that you agree to receive periodic offers and information.
Behavioral marketing or targeting refers to the practice of collecting and compiling a record of individuals' online activities, interests, preferences, and/or communications over time. Companies engaged in behavioral targeting routinely monitor individuals, the searches they make, the Web pages they visit, the content they view, their interactions on social networking sites, the content of their emails, and the products and services they purchase. Further, when consumers are using mobile devices, even their physical location may be tracked. This data may be compiled, analyzed, and combined with information from offline sources to create even more detailed profiles.
Marketers can then use this information to serve advertisements to a consumer based on his or her behavioral record. Ads may be displayed based upon an individual's web-browsing behavior, such as the pages they have visited or the searches they have made. Advertisers believe that this may help them deliver their online advertisements to the users who are most likely to be influenced by them.
Behavioral information can be used on its own or in conjunction with other forms of targeting based on factors like geography or demographics. Marketers have developed an array of sophisticated data collection and profiling tools which monitor and analyze our online activity.
Typically, behavioral targeting will place a cookie (a file that tracks users as they visit various sites) on the user’s computer. The cookie might link the user to categories based on the content of the pages they visit. For example, a user may be pegged as a golfer, a reader of mystery novels, or someone interested in taking a vacation in Las Vegas. The cookie can then be used to show people ads that are relevant to their interests, regardless of the sites they are visiting. Google, Microsoft, and Yahoo all engage in some form of behavioral targeting.
For more information about cookies, and how to delete them, read the section entitled "Cookies" at www.privacyrights.org/fs/fs18-cyb.htm#Browsing.
Behavioral marketing is much more sophisticated than so-called “contextual marketing” by which marketers target users with ads that are served based solely upon on a given Web page's content. In February 2009, Federal Trade Commission (FTC) issued a report, “Self-Regulatory Principles for Online Behavioral Advertising.” The report is available at www.ftc.gov/os/2009/02/P085400behavadreport.pdf. The report examines behavioral marketing and proposes principles to govern industry self-regulatory efforts. The FTC’s principles generally provide for:
- transparency and consumer control;
- security and limited data retention for consumer data;
- affirmative express consent for material changes to existing privacy promises; and
- affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising.
Examining these principles, the key issue concerns how online advertisers can best protect consumers' privacy while collecting information about their online activities. The report discusses the potential benefits of behavioral advertising to consumers, including the free online content that advertisers generally supports and personalization that many consumers appear to value.
The FTC report also discusses the privacy concerns that the practice raises, including the invisibility of the data collection to consumers and the risk that the information collected - including sensitive information regarding health, finances, or children - could fall into the wrong hands or be used for unanticipated purposes.
In March 2012, the FTC issued a report setting forth best practices for businesses to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. In the report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, the FTC also recommended that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.
The March 2012 FTC report calls on companies handling consumer data to implement recommendations for protecting privacy, including:
- Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy
- Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities
- Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.
Most privacy advocates believe that self-regulatory principles are weak and are not likely to result in meaningful protection for consumers. According to the World Privacy Forum (WPF), self-regulation has been a proven failure. www.worldprivacyforum.org/pdf/WPF_FTCcomments04112008fs.pdf. The WPF published a report documenting and analyzing various issues regarding the current self-regulatory regime. www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf.
Online Privacy Tip: You can visit www.privacychoice.org to opt out of tracking cookies from dozens of behavioral tracking networks. Tracking companies that offer an opt out provide a cookie that tells their systems not to record your behavior when your browser communicates with their servers. Instead of visiting each individual network to opt out, the PrivacyChoice site will collect opt out cookies in your browser from the participating tracking networks. If you use the Firefox browser, the Privacychoice add-on can tell when cookies are deleted from your browser, and in that event it re-writes all of the opt-out cookies.
For further discussion of behavioral targeting issues, see:
- www.democraticmedia.org/current_projects/privacy
- www.worldprivacyforum.org/behavioral_advertising.html
Official use: Court records / employers / government (law enforcement and foreign intelligence)
Court records. When you file a lawsuit for divorce or are a party to a civil lawsuit or criminal case, court records are accessible to the public. As the government increasingly moves to eliminate paper records in favor of electronic records, your personal information could end up on the Internet.
There are two ways public records are accessible electronically. Some jurisdictions post them on their government Web sites, thereby providing free or low-cost access to records. Government agencies and courts also sell their public files to commercial data compilers and information brokers. They in turn make them available either online or through special network hookups. The following are examples of public records containing personal information that may be available (availabilty may vary from state to state):
- Property tax assessor files. Typical records contain name of owner, description of property, and the assessed value for taxation purposes. Some systems even provide blueprints and photographs of the property.
- Motor vehicle records. Registration, licensing, and driver history information
- Registered voter files
- Professional and business licenses
- Court files
- Case indexes
- Tax liens and judgments
- Bankruptcy files
- Criminal arrest and conviction records, and warrants
- Civil court recordings
- Registered sex offenders
You should also be aware that old newspaper articles are often available online. One potential risk is that an article containing inaccuracies about you may be found, but a corresponding correction or later article will not be readily apparent.
Employers. Individuals who access the Internet from work should know that employers are increasingly monitoring the Internet sites that employees visit. Be sure to inquire about your employer's online privacy policy. If there is none, recommend that such a policy be developed. If you are unsure of what the policy is or if there is no policy, assume everything you do on your work computer is being monitored. In most states there is no law requiring your employer to tell you if it monitors e-mail or Internet usage. In Delaware and Connecticut, an employer must advise employees in a “conspicuous manner” that monitoring is occurring. In Connecticut there is a limited exception for investigations of illegal activity.
See these PRC guides for more information:
- Employee monitoring, www.privacyrights.org/fs/fs7-work.htm.
- Responsible information-handling practices, www.privacyrights.org/fs/fs12-ih2.htm.
Government. The government may want your personal information for law enforcement purposes as well as for foreign intelligence investigations. Various laws govern these procedures. Below is an overview of some of the ways the government may obtain your personal information. Many of the laws are in flux and are being reinterpreted. Additionally, news reports have alleged that the National Security Agency has been wiretapping phone calls and e-mails without specific statutory authority. The legal implications of this program are unclear at this time.
Law enforcement access. Law enforcement generally can access your electronic communications and records in two ways: through wiretapping or through subpoena.
The Electronic Communications Privacy Act of 1986 (ECPA) provides some protection against government access to email and other online activities. ECPA is a difficult law to understand and apply, because the law relies upon outdated practices and technology. ECPA does reflect a legislative recognition that some Internet activities deserve protection. The difficulty is figuring out to which Internet activities these protections apply. Case law continues to address the proper application of ECPA.
Law enforcement can also use a pen/trap tap to get the following information from your ISP:
- e-mail header information other than the subject line,
- your IP address,
- the IP address of computers you communicate with, and
- possibly a list of all Web sites you visit.
A pen/trap is defined in the Patriot Act as “a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication.” To read more on the definition go to www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00003127----000-.html. In order to use a pen/trap wiretap, law enforcement only needs to establish that such information is relevant to an ongoing investigation. This is a lower standard than the probable cause standard required for a search warrant.
To learn more about how the Patriot Act has expanded the power of the government and law enforcement, go to the ACLU’s Web site at www.aclu.org/safefree/general/17326res20030403.html.
The Electronic Frontier Foundation examined the policies of 18 major Internet companies (including email providers, ISPs, cloud storage providers, and social networking sites) to assess how well they publicly commit to standing with users when the government seeks access to user data. Read their report When the Government Comes Knocking, Who Has Your Back? (May 2012) for details.
Foreign intelligence investigations. Under the Foreign Intelligence Surveillance Act of 1978 (FISA) the government is supposed to get a search warrant from a secret court for this type of surveillance. The government is required to show that the target of the surveillance is a foreign power or the agent of a foreign power.
Criminals can capture your information online in various ways, but one distinguishing factor is that in some cases you give them the information yourself. And sometimes criminals use technology to steal your personal information without your knowledge. It is important to recognize that theft occurs both ways. Even if you pride yourself on being wary of scams and never give your personal information to strangers, you should not overlook security steps for your computer.
Increasingly these activities may lead to financial losses. Losing money from computer crime can be especially devastating because often it is very difficult to get the money back. Because of the remote nature of the Internet, computer crime presents at least three challenges: (1) locating the criminal, (2) finding a court having jurisdiction, and (3) collecting the money. In fact many cyber criminals operate in other countries. Although law enforcement is becoming increasingly aware of computer crime, you should largely rely on yourself for protection.
Many of these scams are complicated, and criminals are always likely to come up with new tricks to stay ahead of the law. If you are buying over the Internet or setting up online accounts, be aware that these risks are out there.
Shopping online. Use a credit card for online financial transactions. Debit cards do not provide as much protection from fraud as credit cards. If a criminal uses your debit card, your entire checking account can be wiped out. With a credit card you are able to see the charges before you pay for them, which gives you an opportunity to dispute the charges.
When you provide your credit card account number to a shopping site, you want to be sure that the transmission is secure. Look for the unbroken padlock at the bottom right of the screen. You can right click on the padlock to make sure the security certificate is up-to-date. If it is not, you should not order from that Web site. Also make sure the Web address has the letter 's' after http in the address bar at the top of the page. The ‘s’ indicates that your financial information will be encrypted during transmission. For additional online shopping tips, read the PRC's e-commerce guide at www.privacyrights.org/fs/fs23-shopping.htm.
Online auctions. Online auction fraud takes many forms. Some forms of fraud are difficult to avoid, while others can be avoided by taking smart precautions. Fraud can occur when the seller doesn’t ship what was bought or the product is not as good as promised. This type of fraud can be frustrating and hard to avoid. Buyers should pay close attention to fraud alerts posted by the online auction companies. If you pay with a credit card, your credit card company may be able to reimburse you for the fraud.
Never use a wire transfer to pay for something from an online auction site. The FTC issued an alert warning about the dangers of wire transfers. The full alert is available at www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt169.pdf.
Fraud also occurs when a buyer sends a seller a check for more than the amount of the product and asks the seller to wire the buyer the difference. This fraud can be particularly devastating. As the FTC points out in its alert, once you wire money it is virtually impossible to get the money back – even in the event of fraud.
To protect yourself, never accept a check for more than the cost of the product. Even if the bank “clears” your check and deposits the funds in your account, that does not mean the check is legitimate. If it turns out the check is fraudulent, your bank will expect you to cover the funds that were put into your account. Consumers who suspect an online auction transaction is fraudulent should report it to the FTC at www.ftc.gov and to the auction company.
Nigerian 419 letters. Nigerian 419 letters, also called advance-fee scams, are sent via e-mail to millions of people. The letters typically relay a story of a foreign person who has inherited a windfall of money, but needs help in getting the money out of the country. The sender offers the recipient a share of the money for help in transferring the money. The assistance required is usually to front money to pay for "taxes," "attorneys costs," "bribes," or "advance fees.” Although this scam sounds far-fetched the FBI reports that the average financial loss from these scams is $3,000. The FTC has an alert warning of these scams at www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt117.shtm. You can also find information at www.lookstoogoodtobetrue.com.
It is very easy to get duped into clicking on a malicious link. If you click on a malicious link, you will most likely be taken to a site that tricks you into providing personal information that can then be used to steal your money, or even worse, your identity. Clicking on a dangerous link could also cause malware to automatically download onto your computer.
Malicious links may look like they were sent by someone you trust, such as:
- A friend or someone who you know.
- A legitimate-looking company selling a product or service.
- A bank or other business that you have an existing account with.
Most people think that malicious links arrive by email. But, criminals are finding even sneakier ways to trick you into clicking on a dangerous link. You could receive the malicious link in an instant message, a text message, or on a social networking site like Facebook or Twitter.
Malicious links are hard to spot. They often:
- Are ever-so-slightly misspelled versions of well-known URLs.
- Use popular URL shortener sites to hide the real URL.
- Use simple HTML formatting to hide the real URL. This is the most common method for emailed dangerous links. You think you’re clicking on a trustworthy link, but you are redirected to a dangerous link.
To protect yourself from malicious links, consider the following tips:
- Do not click on a link that appears to be randomly sent by someone you know, especially if there is no explanation for why the link was sent, or if the explanation is out of character for the sender (i.e. horribly misspelled or talking about what a great deal they discovered).
- Do not click on a link that was sent to you by a business you don’t know that is advertising a great deal. Instead, perform an online search for the business, make sure it’s legitimate, and go directly to the business’ website to find the deal yourself.
- Do not click on a link that was sent to you by a business you have an existing account with. Either go to the business’ site yourself, or call up the business and confirm the legitimacy of the link. (Note that some businesses may require that you verify your email address as part of a registration process, which requires you to click on a link contained in an email. Typically, the link will be emailed to you immediately after you register online with the business. It’s a good idea to check your email right after you register with a business.)
It is difficult to come up with a precise definition of cloud computing. In general terms, it’s the idea that your computer’s applications run somewhere on the “cloud”, that is to say, on someone else’s server accessed via the Internet. Instead of running program applications or storing data on your own computer, these functions are performed at remote servers which are connected to your computer through the Internet or other connections.
In telecommunications, a “cloud” is the unpredictable part of any network through which data passes between two end points. In cloud computing the term is used to refer generally to any computer, network or system through which personal information is transmitted, processed and stored, and over which individuals have little direct knowledge, involvement, or control.
With more reliable, affordable broadband access, the Internet no longer functions solely as a communications network. It has become a platform for computing. Rather than running software on your own computer or server, Internet users reach to the “cloud” to combine software applications, data storage, and massive computing power.
It’s interesting to note that cloud computing is really nothing new. It's the modern version of the 1960’s-era computer timesharing model. That model was based upon the high cost of computers at that time. With computer and data storage prices plummeting, it seems odd that there would be a return to that sort of model.
Who provides cloud computing services and what services do they provide?
It’s a bit easier to understand the concept of cloud computing by providing examples. Google operates several well-known cloud computing services. It offers its users applications such as e-mail, word processing, spreadsheets and storage, and hosts them "in the cloud"--in other words, on its own servers, not yours. So, for example, you can type a document without maintaining any word processing software on your computer. You can use Google’s software “in the cloud”. All you need is an Internet capable device. It doesn’t even need to be a computer.
Cloud computing services also may allow you to synchronize files between your Internet accessible devices, so that you can see a file from your home or office computer on a mobile device. Some of best known consumer-oriented cloud services include:
- Google Drive
- Dropbox
- Microsoft Skydrive
- Apple iCloud
Other examples of cloud computing include:
- Web-based email services such as Yahoo Mail
- Photo storing services such as Google’s Picassa
- Spreadsheet applications such as Zoho
- File transfer services such as YouSendIt
- Online medical records storage such as Microsoft’s HealthVault
- Social networking sites such as Facebook
- Applications associated with social networking sites such as Farmville
- Tax preparation services such as H & R Block
- Word processing services such as AjaxWrite
- Accounting and payroll services such as Intuit
The above services are ready to use “out of the box”. In addition, many cloud computing companies offer customized cloud computing services tailored to the specific needs of businesses and other organizations.
Some of the major players in cloud computing include:
- Yahoo
- Microsoft
- IBM
- Amazon
- Salesforce
- Sun Microsystems
- Oracle
- EMC
- Intuit
- Apple
What are the risks of cloud computing?
When users store their data with programs hosted on someone else's hardware, they lose a degree of control over their sensitive information. The responsibility for protecting that information from hackers, internal breaches, and subpoenas then falls into the hands of the hosting company rather than the individual user. This can have many possible adverse consequences for users.
The privacy policy and terms of service of the hosting company should always be read carefully. While generally lengthy and sometimes difficult to understand, they will provide a good outline of what the host can and cannot do with your information. However, it is important to realize that most privacy policies and terms of service can and do change. In fact, you may not have an opportunity to remove your information from the hosting site before such a change.
The location of the host’s operations can significantly impact a user’s rights under the law. The location of the records might not be disclosed in the terms of service or might be changed without notice. This could have substantial legal consequences.
Government investigators or civil litigants trying to subpoena information could approach the hosting company without informing the data's owners. The hosting company generally does not have the same motivation as the user to defend against disclosure of the information.
Some companies could even willingly share sensitive data with marketing firms. So there is a privacy risk in putting your data in someone else's hands. Obviously, the safest approach is to maintain your data under your own control.
There is also a risk that the host might shut down its operations, declare bankruptcy, or sell the business to another provider. What might happen to your data if that were to happen?
Unexpected service disruptions can prevent cloud computer users from accessing their data or performing vital business functions. For example, in June 2010, Intuit suffered a massive site disruption interrupting its Quicken and QuickBooks services. Customers were unable to access Quicken sites for an extended period of time. http://www.pcmag.com/article2/0,2817,2365179,00.asp
One of the problems with cloud computing is that technology is frequently light years ahead of the law. There are many questions that need to be answered. Does the user or the hosting company own the data? Can the host deny a user access to their own data? And, most importantly from a privacy standpoint, how does the host protect the user’s data?
So, before you utilize any cloud computing services, be aware of the potential risks. And make sure that you carefully read the privacy policy and terms of service of the hosting company to become aware of your rights.
Who is legally responsible for data breaches in the cloud?
If, through no fault of your own, information stored in the cloud were breached, who would bear responsibility for the consequences? The standard contract from the major cloud providers puts the responsibility for any data loss on the person or business placing the information in the cloud. Of course, it might be possible for a large business to negotiate the terms of the standard contract. As a consumer, you probably have no control over whether an organization you do business with places your personal information in the cloud.
Where can I find out more about cloud computing?
Read the World Privacy Forum's report on cloud computing (Feb. 2009), available at www.worldprivacyforum.org/cloudprivacy.html. The title is Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, by Robert Gellman.
For more information on the privacy implications of cloud computing, see Ann Cavoukian, Privacy in the Clouds-A White Paper on Privacy and Digital Identity: Implications for the Internet (Information and Privacy Commissioner of Ontario), www.ipc.on.ca/images/Resources/privacyintheclouds.pdf
Other nonprofit privacy organizations
Several nonprofit public interest groups advocate on behalf of online users. They also provide extensive information about privacy issues on their Web sites.
American Civil Liberties Union
Find your local ACLU chapter: www.aclu.org/affiliates/
Web : www.aclu.org
Consumer Federation of America, Fake Check Scams, www.consumerfed.org/index.php/consumer-privacy/fake-check-scams
Electronic Frontier Foundation
454 Shotwell St., San Francisco, CA 94110
Voice: (415) 436-9333
E-mail: information@eff.org
Web : www.eff.org.
Also see EFF's "Surveillance Self-Defense" project: https://ssd.eff.org/
Electronic Privacy Information Center
1718 Connecticut Ave. N.W., Suite 200, Washington, DC 20009
Voice: (202) 483-1140
E-mail: epic-info@epic.org
Web : www.epic.org.
PrivacyActivism
E-mail: info@privacyactivism.org
Web : www.privacyactivism.org
World Privacy Forum
Voice: (760) 436-2489
E-mail: info2005@worldprivacyforum.org
Web: www.worldprivacyforum.org
Government agencies
The Federal Trade Commission is the federal government's primary agency for online privacy oversight. Its Web site provides a great deal of information on public policy matters as well as consumer tips.
Federal Trade Commission
600 Pennsylvania Ave. N.W., Washington, DC 20580
Web : www.ftc.gov/privacy/index.html
The FTC’s Onguard Online Web site offers tips for avoiding Internet fraud, securing your computer and ways to protect your personal information. www.onguardonline.gov
Several federal agencies and public interest groups have sponsored the online Consumer Computer Privacy Guide at www.consumerprivacyguide.org. This site offers extensive tips, a glossary of terms, and video tutorials with step-by-step instructions on how to take advantage of privacy settings for the programs you use online.
Federal law enforcement and industry representatives have joined together to produce a Web site called Looks Too Good to Be True, which educates consumers about Internet scams. www.lookstoogoodtobetrue.com
The U.S. Computer Emergency Readiness Team (U.S. Cert) provides numerous computer security resources on its website at http://www.us-cert.gov/index.html. It provides downloads to a number of valuable publications at http://www.us-cert.gov/reading_room/
The Internet Education Foundation in cooperation with consumer groups and industry associations, has developed GetNetWise, a Web site for parents, children, and anyone wanting basic information on Internet safety. Visit this useful resource at www.getnetwise.org.
The FBI publishes a Parent’s Guide to Internet Safety, available at www.fbi.gov/publications/pguide/pguidee.htm.
The Federal Trade Commission offers extensive resources for children and parents. Visit www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html. To learn more about the Children's Online Privacy Protection Act, go to www.ftc.gov/privacy/index.html.
PRC Fact Sheet 21, "Children in Cyberspace" at www.privacyrights.org/fs/fs21-children.htm.
PRC Fact Sheet 36, "Securing Your Computer to Maintain Your Privacy" at http://www.privacyrights.org/fs/fs36-securing-computer-privacy.htm.
Priveazy offers videos, quizzes, and lessons to help you maintain your online privacy at https://www.priveazy.com/.
The National Conference of State Legislators maintains a list of Selected State Laws Related to Internet Privacy.
- GetNetWise, www.getnetwise.org/glossary
- UC Berkeley Library, www.lib.berkeley.edu/TeachingLib/Guides/Internet/Glossary.html
- CNET, www.cnet.com/Resources/Info/Glossary/index.html
- WebMonkey, www.Webmonkey.com/guides/glossary/
Please note: We have provided the names and Web addresses of several commercial and freeware products in this guide. Such mention does not imply endorsement.
Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.
- Printer-friendly version
- Log in to post comments
- 14797 reads