----------------------------------------------------------------------
PRIVACYnotes Digest
Security Protecting Privacy is Good for Business
----------------------------------------------------------------------
Published by:
Mike Banks Valentine PrivacyNotes
privacy@privacynotes.com www.privacynotes.com
----------------------------------------------------------------------
May 2, 2002 Issue # 008
----------------------------------------------------------------------
SEND POSTS: mailto:privacy@privacynotes.com
----------------------------------------------------------------------
.....IN THIS DIGEST.....
// -- MODERATOR COMMENT -- //
"EU Privacy Comparison" ~ Mike Banks Valentine
// -- NEW DISCUSSION -- //
"Reality or Perception?" ~ Anonymous ~ Moderator Comment
// -- CONTINUING DISCUSSION -- //
"Digital ID" ~ Anonymous
"Define Opt-In" ~ Anonymous
"Digital Databases" ~ Will Bontrager
// -- PRIVACY NEWS -- //
"The Latest in Privacy Issues"
----------------------------------------------------------------------
// -- MODERATOR COMMENT -- //
I'm just back from the InternetWorld 2002 conference in Los
Angeles where I had the opportunity to attend two valuable sessions
on privacy. The first was given by Jorian Clarke of Spectracom
whose company had the misfortune of being one of the first attacked
for COPPA (Childrens' Online Privacy Protection Act) violations
by a consumer rights organization. She has graciously made available
a copy of her powerpoint presentation from InternetWorld discussing
how companies can protect themselves from being targeted for privacy
violations.
The second presentation included a dramatic illustration of
European Union privacy standards for companies that operate internationally,
by speaker Coeta J. Chambers, HR Attorney for greater Europe,
Intel Corporation. She pointed out that the EU has just released
a 48 page (pages are very short) EU Privacy Audit Guide for companies
doing business in the 15 countries represented under EU privacy
guidelines. Ms. Chambers has also graciously made that document
available to me. To facilitate easy access to the information,
I've posted that document (in full) to my web site where it will
remain available for review by companies who do business online
with the EU. Simply visit the following URL to be the first on
your block to read these guidelines in English. ;-)
http://website101.com/Privacy/EU_privacy_audit_guide.html
U.S. companies complaining about our privacy laws who do business
in the EU know that they have dramatic freedom to exploit Americans
privacy rights and seem to be whining just to maintain those excesses
they currently enjoy. Europeans can sue for damages if ANY of
their personally identifiable information is improperly exposed
publicly or released to anyone with unauthorized access. It's
an enlightening comparison that has been discussed very little.
What do you think?
~ Mike Banks Valentine
// -- NEW DISCUSSION -- //
==> TOPIC: REALITY OR PERCEPTION?
From: Anonymous
Hi Mike,
I just noticed your sig at the bottom of your recent epub post:
RE: [epub] RE: Losing Subscribers?
It says: "Privacy is Good for Business"
It piqued my interest.
I understand the importance for the *consumer* to protect their
privacy. So I'm curious: how is it good for business?
I'm not referring to a company which creates the *appearance*
of protecting privacy, which is good PR (whether it's true or
not).
So - I'm wondering: how is privacy is good for business?
Anonymous
[ Moderator Comment ]
Anonymous,
I am completely convinced that a company that differentiates
itself by PROMOTING their respect for privacy will be able to
draw from that nervous 60% of Americans that haven't made a purchase
online and convert them to very willing buyers that may have been
previously reluctant or entirely unwilling to buy their products
or services online.
Clearly the discussion on YAHOO! illustrates that those who
DON'T respect privacy will lose business since many of us are
searching for alternatives to YahooGroups.com for our lists.
My official discussion list tag line is a variation on the TRUSTe
slogan and they indicate your suggested "appearance of privacy"
in that statement. TRUSTe says simply,
"Privacy is Good Business" Adding "Protecting" and "FOR" changes
that idea dramatically. You've convinced me I need to change my
sig line, but my advocacy for respecting customer privacy is growing
daily as I see abuses and blunders abound.
Mike
// -- CONTINUING DISCUSSION -- //
===> TOPIC: DIGITAL ID
From: Anonymous
Great discussion going on about IDs and central ID databases.
I'm living in Belgium; and we're having national numbering:
one for social security and one to be known as a Belgian, the
so-called national registration number. Both are assigned when
you're born. People getting Belgian nationality receive both numbers
at that time.
We even have a pin card for the social security system that
need to be used in the pharmacy, when you subscribe for a job
claim and other social related topics. As a result, the government
tracks the social spending on medication and the prescription
behavior of doctors and hospitals with the ultimate hope to decrease
the social budget... and the taxes?
Having a strong background in databases and internet technology,
I can assure that it scared me off at first.
Currently I'm doing a project for a government agency where
we're using the national registration number and I must agree
that it isn't that simple to get all data what you would expect
to be present in the 'centrally' linked database. In fact, we're
not allowed to ask for data, we can only verify whether the data
we collected ourself is valid against the centrally known data.
Doing this project, it showed me that the old adagio still is
valid. Data in itself is worthless. You need a context to turn
it into information (Privacynotes :) ).
Reading the discussion whether to or to not battle the national
ID shouldn't be the baseline. The question should be what data
is stored together and what data is allowed to be combined.
Hope this'll fuel the discussion.
Kind regards, Anonymous
Comment? mailto:privacy@website101.com
===> TOPIC: DEFINE OPT-IN
From: Anonymous
Thanks to Anonymous for a fascinating post concerning the definition
of opt-in, and a glimpse in to the future of email.
First, I find I am compelled to agree with Anonymous' logic
that so long as the user is somehow told that their address is
going to be sold, then it's certainly within my definition of
opt-in. Steven has been able to clearmindedly look below the surface
of my own definitions of opt-in and see weaknesses that haven't
occurred to me in 6 years of daily work with them.
Can we agree that the truth will have to be obscured from users
in some manner in order for this process of gathering addresses
for resale to work?
After all, really, who is going to submit any sign up form that
states, in clear concise language, next to the email submission
field, that their address will be sold to third parties, who will
sell it to fourth parties, and so on until the end of time? Also,
don't forget dear user, this will result in you receiving many
mailings that have nothing whatsoever to do with the topic you
are currently requesting information about.
The reality is that these disclaimers will likely be buried
in lengthy, small print, legalistically worded, privacy policies
a link or two away from the sign up form itself. And of course
few users will read policies that were designed specifically not
to be read.
So the fact of permission will achieved, but not the spirit.
We can reach beyond the kind of simple, common sense understandings
of permission our users think in terms of if we wish, and no one
can sue us if we are clever. But readers don't need to sue publishers,
they have a simpler remedy. They'll just walk away from email
if it stops being fun and useful. Breaking trust with readers,
as they understand that trust, is like eating one's seed corn.
However, maybe eating one's seed corn, cashing in one's chips
if you will, makes sense if what we're seeing here is a glimpse
of how classic big corporation thinking will impact our email
space when it finally arrives in force. Isn't finding these kinds
of clever loopholes pretty much how the smart people with big
money go about getting bigger?
A useful analogy might be to think of our email space as a natural
resource that is about to be mined for all it's worth by the largest
corporations, in a completely legal way, until there is nothing
left to pull out of the ground. That's a pretty well established
routine, yes?
The sad irony is that the same pioneers who have the experience
to see this train coming are those tied to the tracks. If the
tactics we're discussing here are accepted as a smart strategy
by the big boys, user response to bulk email will continue to
drop, along with ad rates. The big boys will burp and move on
to the next clever opportunity, leaving the humble working folk
who built the tracks to mop up the mess.
Hopeless point of view? Completely wrong perhaps, sure, I hope
so. But not hopeless.
Real hope doesn't come from clinging to some pleasant reality
we hope is static, when we know change is the only constant. It
comes from applying the best logic we can muster to the facts,
as best we can understand them.
When experienced people like Anonymous are shining an insightful
flashlight on the road ahead it would be hopeless not to look
as clearmindedly as we can at what's being illuminated.
Comment? mailto:privacy@website101.com
===> TOPIC: DIGITAL DATABASES
From: Will Bontrager <william@willmaster.com>
Anonymous said:
>> Larry Ellison stated 'The single thing we could do
to make life tougher for terrorists would be to ensure that all
the information in myriad government databases was integrated
into a single national file.'
I agree. What was left unsaid was that will also make life tougher
for every single person, not just terrorists. All of us equally.
<<
Wait a minute. That wouldn't make life tougher for terrorists,
it would make it *easier*
Instead of needing to break into each one of the "myriad government
databases", now terrorists only need to break into the central
one.
Theoretically, the central database would be easier to break
into than any of the myriad would have been. Every person who
now has to access one of the myriad would need access to the central
one -- the number of people needing access to the central database
would be the average number currently requiring access to individual
databases multiplied by "myriad."
With all info in a central repository, a terrorist needs only
one access instead of access to a myriad of databases. People
get careless, inadvertently compromising access codes or otherwise
disclosing unauthorized information.
And on a different slant, who would control the database? Sure,
"the government," but who would the government appoint to do the
job? Maybe an MS security advisor? Larry Ellison? Where is the
government going to find someone with no hidden agenda, or will
that even be considered?
Will
Sooner or later you need CGI. Then you need WillMaster. http://WillMaster.com/
Comment? mailto:privacy@website101.com
// -- PRIVACY NEWS -- //
Free-speech group Peacefire.org has won a legal round in its
fight against unsolicited e-mail, invoking Washington state's
anti-spam law. The King County District Court in Bellevue, Wash.,
on Monday granted Peacefire $1,000 in damages in each of three
complaints filed by Peacefire Webmaster Bennett Haselton. The
small-claims suit alleged that Red Moss Media, Paulann Allison
and Richard Schueler sent unsolicited commercial messages to Haselton
that bore deceptive information such as a forged return e-mail
address or misleading subject line.
http://news.com.com/2100-1023-868332.html
Disguise your desk and keep your boss out of your office if
you want any privacy. Personal spaces such as offices and bedrooms
are an "incredibly rich" source of information about people's
personalities, according to new research by psychologist Samuel
Gosling of the University of Texas and his colleagues. Their study
found people are "remarkably accurate" at guessing some aspects
of others' personalities -- in particular whether they tend to
be open and conscientious -- based only on a look at either their
offices or their bedrooms.
http://austin.bizjournals.com/austin/stories/2002/04/29/focus2.html
A Senate effort to limit what businesses can do with information
they collect online from their customers is under attack from
Internet companies and getting tepid support from consumer advocates.
The proposed online privacy legislation, introduced last week
by Sen. Ernest Hollings, D-S.C., would require businesses to tell
visitors to their Web sites what information is being gathered
on them and how it will be used. Online businesses would then
have to get consumers' permission before sharing with third parties
sensitive information such as bank accounts, medical information,
political or religious affiliation or Social Security numbers.
Anyone who finds sensitive data was misused and can prove harm
could sue for up to $5,000 for each use of the information.
http://seattlepi.nwsource.com/business/68203_privacy27.shtml
Microsoft and other technology makers struggling to define new
Web services business models have another obstacle: consumer distrust
of online authentication systems. A new Gartner study indicates
that despite compulsory sign-up programs, consumers aren't interested
in online identity and authentication accounts--such as Microsoft's
Passport and AOL's Screen Name service--and won't be anytime soon.
Moreover, few people trust Microsoft and AOL to safeguard the
personal or financial information necessary for conducting online
transactions.
http://zdnet.com.com/2100-1105-892838.html
Seven months after terrorism trumped privacy as a Congressional
concern, bipartisan alliances in both houses are seeking to rekindle
the issue. In the House, Representatives Bob Barr, Republican
of Georgia, and Jerrold Nadler, Democrat of Manhattan, ideologically
as far apart on other issues as two members can be, are pushing
legislation to require government regulators to include a "privacy
impact statement" in any new regulatory proposals. Such statements
listing the privacy consequences of any regulation could then
be the subject of court battles, delaying the rule-making process.
http://www.nytimes.com/2002/04/28/politics/28PRIV.html
(Free membership required to read. Review the Privacy policy first!)
Federal regulators Monday fined the Web site operator for the
Etch-A-Sketch toy and sent warning letters to more than 50 other
Internet operators regarding children's privacy online. The Ohio
Art Company, which makes the children's doodling toy, has agreed
to pay $35,000 to settle charges it violated the Children's Online
Privacy Protection Rule, the Federal Trade Commission said. The
site was collecting information from children before obtaining
parental or guardian consent, the FTC said in a statement. Companies
must make their privacy policies compliant with the law.
http://news.com.com/2100-1023-888340.html?legacy=cnet&tag=lthd
ISPs oppose Minnesota Web privacy bill A controversial bill
before the Minnesota state legislature would limit how Internet
service providers (ISP) use consumers' private information, and
a lobbying group warned that ISPs will pull out of the state if
the bill becomes law. The bill would prevent ISPs from collecting
data on customers' Web surfing habits and then selling that data
to other companies.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70301,00.html
