Privacy Green Paper Response

Advice on the current situation: They're in a huge rush to get this turned around and we are trying to get it in by Monday, Jan 31.

Here is a link to the green paper: http://www.commerce.gov/node/12471

Advice About Writing:
 * Be clear - a lackey is reading and summarizing points
 * Keep it short - don't try to answer all the questions they ask, just the ones you care about
 * When you're writing, make each point in a heading, so that if you took out the text the point would still be there
 * Be careful about technology mandates (i.e., OAuth)

MAIN POINTS: Companies that hold transactional data about people should be mandated to make one-click authentication available, so that people can get access to their records and link them together.

Today, getting your own records takes something like 6-12 hard steps that you have to do manually each month.

Dear Secretary Locke,

We are submitting these comments in response to the December 2010 Commerce Department Privacy Green Paper.

We represent a community of end-user advocates and technology innovators focused on individual rights and on individuals' access to their own personal data, and on the business and innovation opportunity that this new form of user management and control offers.

First, we should outline where we are coming from, and then we will comment on how this future-oriented view informs our response to the Green Paper and questions for further comment.

Personal Data Storage and Services
A Middle Way between Do Not Track and Business as Usual Stalking

There is a way to deal with users' personal data that most have not yet explored. This alternative approach sits between the two extremes of a familiar spectrum.

On one end of the spectrum is the “Do not track” view, which relies on technology and a legal mandate to prevent any data collection. In this scenario, cross-site behavioral targeting is suppressed because users signal that they do not want any information collected about them as they move about the web. The economic value advertisers were getting from higher click-through rates on more targeted ads is eliminated, and the revenue of sites that serve targeted ads is reduced if not eliminated. The economic value of the data is captured neither by the end-user nor by the media/advertising/data-aggregating complex.

On the other end of the spectrum is the mode where we leave “Business as usual” in place as it has developed over the last few years. The door is wide open for ever more “innovative”, pervasive and intrusive data collection and cross-referencing for behavioral targeting, developing profiles - digital dossiers created on billions of people, without their knowledge or consent, based on IP address, device identification, e-mail address, etc. The status quo is highly invasive of people’s privacy, linking their activities across contexts they would keep separate or private if they could choose to do so. In addition, decisions about people's lives are beginning to be made from such data, and they are not aware of it. Economic value is derived, but at the expense of the basic dignity and privacy rights (i.e., personal control) of the individual.

Personal data storage services are emerging, representing a middle way that provides greater choice and control to the individual AND offers greater economic value to the business community. As envisioned, Personal Data Storage Services allow individuals to aggregate their personal data, manage it, and then give permissioned access to businesses and services they choose: businesses they trust to provide better customization and more relevant search results, so that users get more value from their own data.

Over the last year, activity in this space has grown tremendously. In this emerging field of innovation, we have identified over ten startups, at least three open source projects, and several technical standards efforts in recognized ISOs, along with companies in the web, mobile, entertainment and banking industries considering this model.

One of the most important things about this emerging space is that it has engendered active business development both in the United States and across Europe. In other words, this model is viable across North American and European privacy regimes. Furthermore, this model offers the possibility of achieving global interoperability, one of the key goals articulated by the Commerce Department for this forthcoming set of policies and regulations.

People are the Only Ethical Integration Point for Disparate Data Sets

Today there is a personal data ecosystem emerging in which almost everyone unknowingly participates, but without the individual controls needed to afford user-centric privacy. People unwittingly emit information about themselves, their activities and their intentions, in various digital forms. It is collected by a wide range of institutions and businesses with which people interact directly; then it is assembled by data brokers and sold to data users (i.e., businesses that exploit our data without including us in the transaction). This chain of activity happens with almost no participation or awareness on the part of the data subject: the individual.

We believe that the individual is the only ethical integration point for this vast range of disparate personal data. For example, the list of data types below was put together by Marc Davis for the World Economic Forum's Re-Thinking Personal Data event in June 2010. It highlights the vast range of datasets about an individual that might exist in some digital form in some database somewhere.

Identity and Relationships
 * Identity (IDs, User Names, Email Addresses, Phone Numbers, Nicknames, Passwords, Personas)
 * Demographic Data (Age, Sex, Addresses, Education, Work History, Resume)
 * Interests (Declared Interests, Likes, Favorites, Tags, Preferences, Settings)
 * Personal Devices (Device IDs, IP Addresses, Bluetooth IDs, SSIDs, SIMs, IMEIs, etc.)
 * Relationships (Address Book Contacts, Communications Contacts, Social Network Relationships, Family Relationships and Genealogy, Group Memberships, Call Logs, Messaging Logs)

Context
 * Location (Current Location, Past Locations, Planned Future Locations)
 * People (Copresent and Interacted-with People in the World and on the Web)
 * Objects (Copresent and Interacted-with Real World Objects)
 * Events (Calendar Data, Event Data from Web Services)

Activity
 * Browser Activity (Clicks, Keystrokes, Sites Visited, Queries, Bookmarks)
 * Client Applications and OS Activity (Clicks, Keystrokes, Applications, OS Functions)
 * Real World Activity (Eating, Drinking, Driving, Shopping, Sleeping, etc.)

Communications
 * Text (SMS, IM, Email, Attachments, Direct Messages, Status Text, Shared Bookmarks, Shared Links Comments, Blog Posts, Documents)
 * Speech (Voice Calls, Voice Mail)
 * Social Media (Photos, Videos, Streamed Video, Podcasts, Produced Music, Software)
 * Presence (Communication Availability and Channels)

Content
 * Private Documents (Word Processing Documents, Spreadsheets, Project Plans, Presentations, etc.)
 * Consumed Media (Books, Photos, Videos, Music, Podcasts, Audiobooks, Games, Software)
 * Financial Data (Income, Expenses, Transactions, Accounts, Assets, Liabilities, Insurance, Corporations, Taxes, Credit Rating)
 * Digital Records of Physical Goods (Real Estate, Vehicles, Personal Effects)
 * Virtual Goods (Objects, Gifts, Currencies)

Health Data
 * Health Care Data (Prescriptions, Medical Records, Genetic Code, Medical Device Data Logs)
 * Health Insurance Data (Claims, Payments, Coverage)

Other Institutional Data
 * Governmental Data (Legal Names, Records of Birth, Marriage, Divorce, Death, Law Enforcement Records, Military Service)
 * Academic Data (Exams, Student Projects, Transcripts, Degrees)
 * Employer Data (Reviews, Actions, Promotions)

In addition to this list, there is also the emerging wellness, or "quantified self," data that some users are beginning to collect about themselves including daily or more granular statistics about their bodies and wellness activities.

Service Providers Must Work For the End-User

Most people do not host their own e-mail servers or websites on servers in their basements; similarly, most individuals will not have the technical skill or desire to manage the collection, integration, analysis, permission management and other services needed to derive value from their data. However, the fact that a few users can do so means that the open standards for e-mail and HTTP are available top to bottom.

Because most users will rely on personal data service providers, individuals need to be able to trust that the service providers in the Personal Data Ecosystem are working on their behalf, given the sensitivity of the data. In addition, market models need to emerge that allow a Personal Data Store Service Provider to make money while working on the users' behalf. The Personal Data Ecosystem Collaborative Consortium has a Value Network Mapping and Analysis project to outline this model and is raising money to do it.

Personal Data is like Personal Money

Individuals must be able to move data between service providers, just as today they can move money between banks without it losing value.

End-user choice and the right to transfer data from one service provider to another is key. Just as our money does not become worthless when we move it from one bank to another, the same needs to hold true for individuals’ data.

Consumers Need to be Able to Collect and Aggregate Their Data from Product and Service Providers

For this Personal Data Ecosystem and Economy to emerge, it is essential that consumers have easy access to their data from the providers they do business with. Today the steps involved in getting data out of services are tedious and onerous.

1. Where export is available, it is often not machine-readable, and the export steps must be repeated manually each month as statements are issued.

2. Simple Internet open standards like OAuth allow for account linking without the dangerous practice of giving a username and password to various service providers. Instead, an OAuth token is issued, and the username and password are passed only to the issuing party.

3. Portability of data is also important where a business fails and people need to move their data to an alternative and hopefully more viable provider.

Another reason the persistence and portability feature is important is that services disappear, and along with them, user data and digital assets (such as photographs or bookmarks, as with Del.icio.us). Users create content and generate data while using sites, and they should be able to easily export it from those sites.
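As an added illustration of the account-linking point in item 2 above (this is example code written for this page, not code from the response or from any project it mentions): a constructed data provider issues a scoped, revocable token to a personal data store, so the store can pull statements every month without ever holding the user's password. Provider, PersonalDataStore, the scope names and the sample statements are all assumptions for the example, and the flow is a simplified model of OAuth-style delegation, not a library.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Constructed stand-in for a transactional service (a bank, say)."""
    name: str
    passwords: dict = field(default_factory=dict)   # user -> password (sample data)
    statements: dict = field(default_factory=dict)  # user -> list of statements
    tokens: dict = field(default_factory=dict)      # token -> (user, scopes, client)

    def authorize(self, user, password, client, scopes):
        """The user authenticates at the issuing party and consents to scopes;
        the client (the PDS) only ever receives the resulting token."""
        stored = self.passwords.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, frozenset(scopes), client)
        return token

    def revoke(self, token):
        """Cutting off one linked service never requires a password change."""
        self.tokens.pop(token, None)

    def read(self, token, scope):
        """Every resource call is gated on a live token carrying that scope."""
        entry = self.tokens.get(token)
        if entry is None:
            raise PermissionError("invalid or revoked token")
        user, scopes, _client = entry
        if scope not in scopes:
            raise PermissionError(f"token not authorized for {scope}")
        if scope == "statements:read":
            return [dict(s) for s in self.statements.get(user, [])]
        if scope == "profile:read":
            return {"user": user}
        raise ValueError(f"unknown scope {scope}")


class PersonalDataStore:
    """The user's 'data bank': stores one token per provider, never a password."""

    def __init__(self):
        self.links = {}     # provider name -> token
        self.records = {}   # (provider name, statement id) -> statement

    def link(self, provider, token):
        self.links[provider.name] = token

    def sync(self, provider):
        """One-click refresh: pull statements with the stored token and
        deduplicate by id, so it can run monthly with no manual export."""
        token = self.links[provider.name]
        added = 0
        for s in provider.read(token, "statements:read"):
            key = (provider.name, s["id"])
            if key not in self.records:
                self.records[key] = s
                added += 1
        return added

    def holds_secret(self, secret):
        """True if a raw credential ever ended up in the store (it must not)."""
        return any(secret in str(v) for v in (self.links, self.records))


def build_demo():
    """Constructed sample: one bank, one user, two monthly statements."""
    bank = Provider("examplebank")
    bank.passwords["alice"] = "correct horse battery staple"
    bank.statements["alice"] = [
        {"id": "2010-12", "month": "December 2010", "total": 412.50},
        {"id": "2011-01", "month": "January 2011", "total": 388.10},
    ]
    pds = PersonalDataStore()
    # Alice logs in at the bank, not at the PDS, and grants read-only statement access.
    token = bank.authorize("alice", "correct horse battery staple",
                           client="pds", scopes={"statements:read"})
    pds.link(bank, token)
    return bank, pds, token
```

The token is bound to one client and one scope, so the store can read statements but not the profile, and revoking it cuts that one link without touching the password.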

??? Actually this isn't really true: either the FTC regulates, or Congress makes a statute, but the Commerce Department doesn't regulate directly; in the case of an identity standard, they want to 'procure'. -- mary

The Commerce Department could mandate that companies which store personal data from an individual's use of a private service make it available via one-click authentication to support accessing and linking their records together.

Create a Level Playing Field around Data Aggregation and Services

Which companies can do what with what kinds of data?

Today the regulatory patchwork associated with data protection means that different types of data are subject to different protections, affecting how different industry sectors use and compete in relation to personal data (i.e., HIPAA data or financial data, which are regulated, versus other personal data, which is not very regulated).

For example, Google and Facebook have vast collections of data about individuals, resulting from their activities on Google's and Facebook's sites and systems: what users click on, who they know, what they search for, where they go, etc. Sites analyze these data sets and then provide "relevant" ads based on the site's best guess from the user's activities.

Today, with mobile devices connected to the web, mobile carriers collect a very similar set of data - where an individual goes, who they call and text, where they go on the web. Yet mobile carriers are subject to very different (and more strict) regulatory regimes which prohibit them from using this data as freely as Google and Facebook.

A model where (1) individuals choose a data service provider, with each individual collecting and aggregating their data in a “data bank”, and (2) individuals can freely consent to providing access to it to 3rd and 4th party service providers, will result in greater individual data control while providing businesses with more accurate and comprehensive personal profiles (at whatever level people choose: anonymous, pseudonymous or named). This creates enormous market and business opportunities, because the businesses that want these interactions can count on the data quality and on the desire to interact. Right now, advertisers have imperfect data and are forced to "buy" far more reach than is necessary in order to get to those who are interested.

Keeping our Data for a Lifetime, If We Want to

What if the individual could choose to retain all or a subset of the information about themselves for as long as they wanted? This is a graph that Marc Davis has publicly presented to explain today's data environment and a future where people are in control of their own data.

(chart)

The red dot shows us what’s happening today: some data aggregators are necessarily self-regulating by limiting the amount of time they keep data, and governments are limiting data retention and anonymization practices.

The green dot shows us what WOULD happen if people were given the capacity to store and manage their own data – if they could keep as much data as they wanted for as long as they wanted. Digital footprints of a lifetime could be shared with future generations.

In a user-centric model where the individual can aggregate information about themselves, new classes of services, more specific to the individual and based on data accessed with user permission, can emerge.

The foundation of this eco-system is personal data storage services that are totally under the control of the individual. But a user-centric identity system needs to function in partnership with it (separate from a PDS), and we will need a regulatory regime that supports both of these technology solutions in user-centric form, where users own and control their own data.

These new data and identity service providers will be more viable if individuals can have simple ways to link their accounts together.

'''The model presented above, a Personal Data Ecosystem where individuals are in control of their own data, aligns with the interests of all the stakeholders the Commerce Department is seeking to balance. Companies who collect personal data win:''' by sharing and synchronizing with people’s personal data stores, companies get more accurate information. New services can be offered on data sets, including data not previously permitted to be used or accessed for providing services (telephone log records or mobile geolocation data, for example).

People win: by collecting, managing, and authorizing access to their own personal data, thereby increasing their trust and use of digital realms. This empowers people to work together in communities and groups more efficiently and effectively.

Regulators, advocates, and legislators win: by protecting people with new frameworks that also encourage innovation and new business opportunities, government can give people useful tools to interact with agencies, because users' identities are trusted.

NOTE: AS OF Noon JAN 31, 2011, we have taken the questions out of the wiki, in order to format them for submission today. We'll repost shortly but due to the tight deadline, and the need to submit a word doc with different formatting syntax, we're temporarily not using the wiki. Pls ping kaliya or mary if you want to suggest something to us (we'd love it!!) -- mary

Response to Questions

1. The Task Force recommends adoption of a baseline commercial data privacy framework built on an expanded set of Fair Information Practice Principles (FIPPs).

a. Should baseline commercial data privacy principles, such as comprehensive FIPPs, be enacted by statute or through other formal means to address how current privacy law is enforced?

b. How should baseline privacy principles be enforced? Should they be enforced by non-governmental entities in addition to being the basis for FTC enforcement actions?

c. As policymakers consider baseline commercial data privacy legislation, should they seek to grant the FTC the authority to issue more detailed rules? What criteria are useful for deciding which FIPPs require further specification through rulemaking under the Administrative Procedure Act?

d. Should baseline commercial data privacy legislation include a private right of action?

2. To meet the unique challenges of information-intensive environments, FIPPs regarding enhancing transparency; encouraging greater detail in purpose specifications and use limitations; and fostering the development of verifiable evaluation and accountability should receive high priority.

a. What is the best way of promoting transparency so as to promote informed choices? The Task Force is especially interested in comments that address the benefits and drawbacks of legislative, regulatory, and voluntary private sector approaches to promoting transparency.

b. What incentives could be provided to encourage the development and adoption of practical mechanisms to protect consumer privacy, such as PIAs, to bring about clearer descriptions of an organization’s data collection, use, and disclosure practices?

c. What are the elements of a meaningful PIA in the commercial context? Who should define these elements?

d. What processes and information would be useful to assess whether PIAs are effective in helping companies to identify, evaluate, and address commercial data privacy issues?

e. Should there be a requirement to publish PIAs in a standardized and/or machine-readable format?

f. What are consumers’ and companies’ experiences with systems that display information about companies’ privacy practices in contexts other than privacy policies?

g. What are the relative advantages and disadvantages of different transparency-enhancing techniques in an online world that typically involves multiple sources being presented through a single user interface?

h. Do these (dis)advantages change when one considers the increasing use of devices with more limited user interface options?

i. Are purpose specifications a necessary or important method for protecting commercial privacy?

j. Currently, how common are purpose specification clauses in commercial privacy policies?

k. Do industry best practices concerning purpose specification and use limitations exist? If not, how could their development be encouraged?

l. What incentives could be provided to encourage companies to state clear, specific purposes for using personal information?

m. How should purpose specifications be implemented and enforced?

n. How can purpose specifications and use limitations be changed to meet changing circumstances?

o. Who should be responsible for demonstrating that a private sector organization’s data use is consistent with its obligations? What steps should be taken if inconsistencies are found?

p. Are technologies available to allow consumers to verify that their personal information is used in ways that are consistent with their expectations?

q. Are technologies available to help companies monitor their data use, to support internal accountability mechanisms?

r. How should performance against stated policies and practices be assessed?

s. What incentives could be provided to encourage companies to adopt technologies that would facilitate audits of information use against the company’s stated purposes and use limitations?

3. Voluntary, enforceable codes of conduct should address emerging technologies and issues not covered by current application of baseline FIPPs. To encourage the development of such codes, the Administration should consider a variety of options, including (a) public statements of Administration support; (b) stepped up FTC enforcement; and (c) legislation that would create a safe harbor for companies that adhere to appropriate voluntary, enforceable codes of conduct that have been developed through open, multi-stakeholder processes.

4. Using existing resources, the Commerce Department should establish a Privacy Policy Office (PPO) to serve as a center of commercial data privacy expertise. The proposed PPO would have the authority to convene multi-stakeholder discussions of commercial data privacy implementation models, best practices, codes of conduct, and other areas that would benefit from bringing stakeholders together; and it would work in concert with the Executive Office of the President as the Administration’s lead on international outreach on commercial data privacy policy. The PPO would be a peer of other Administration offices and components that have data privacy responsibilities; but, because the PPO would focus solely on commercial data privacy, its functions would not overlap with existing Administration offices. Nor would the PPO have any enforcement authority.

a. Should the FTC be given rulemaking authority triggered by failure of a multi-stakeholder process to produce a voluntary enforceable code within a specified time period?

b. How can the Commerce Department best encourage the discussion and development of technologies such as “Do Not Track”?

c. Under what circumstances should the PPO recommend to the Administration that new policies are needed to address failure by a multi-stakeholder process to produce an approved code of conduct?

d. How can cooperation be fostered between the National Association of Attorneys General, or similar entities, and the PPO?

5. The FTC should remain the lead consumer privacy enforcement agency for the U.S. Government.

a. Do FIPPs require further regulatory elaboration to enforce, or are they sufficient on their own?

b. What should be the scope of FTC rulemaking authority?

c. Should FIPPs be considered an independent basis for FTC enforcement, or should FTC privacy investigations still be conducted under Federal Trade Commission Act Section 5 “unfair and deceptive” jurisdiction, buttressed by the explicit articulation of the FIPPs?

d. Should non-governmental entities supplement FTC enforcement of voluntary codes?

e. At what point in the development of a voluntary, enforceable code of conduct should the FTC review it for approval? Potential options include providing an ex ante “seal of approval,” delaying approval until the code is in use for a specific amount of time, and delaying approval until enforcement action is taken against the code.

f. What steps or conditions are necessary to make a company’s commitment to follow a code of conduct enforceable?

6. The U.S. government should continue to work toward increased cooperation among privacy enforcement authorities around the world and develop a framework for mutual recognition of other countries’ commercial data privacy frameworks. The United States should also continue to support the APEC Data Privacy Pathfinder project as a model for the kinds of principles that could be adopted by groups of countries with common values but sometimes diverging privacy legal frameworks.

7. Consideration should be given to a comprehensive commercial data security breach framework for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows States to build upon the framework in limited ways. Such a framework should track the effective protections that have emerged from State security breach notification laws and policies. What factors should breach notification be predicated upon (e.g., a risk assessment of the potential harm from the breach, a specific threshold such as number of records, etc.)?

8. A baseline commercial data privacy framework should not conflict with the strong sectoral laws and policies that already provide important protections to Americans, but rather should act in concert with these protections. Are there lessons from sector-specific commercial data privacy laws—their development, their contents, or their enforcement—that could inform general U.S. commercial data privacy policy?

9. Any new Federal privacy framework should seek to balance the desire to create uniformity and predictability across State jurisdictions with the desire to permit States the freedom to protect consumers and to regulate new concerns that arise from emerging technologies, should those developments create the need for additional protection under Federal law.

a. Should a preemption provision of national FIPPs-based commercial data privacy policy be narrowly tailored to apply to specific practices or subject matters, leaving States free to regulate new concerns that arise from emerging technologies? Or should national policy, in the case of legislation, contain a broad preemption provision?

b. How could a preemption provision ensure that Federal law is no less protective than existing State laws? What are useful criteria for comparatively assessing how protective different laws are?

c. To what extent should State Attorneys General be empowered to enforce national FIPPs-based commercial data privacy legislation?

d. Should national FIPPs-based commercial data privacy legislation preempt State unfair and deceptive trade practices laws?

10. The Administration should review the Electronic Communications Privacy Act (ECPA), with a view to addressing privacy protection in cloud computing and location-based services. A goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to appropriately protect individuals’ expectations of privacy and effectively punish unlawful access to and disclosure of consumer data.

a. The Task Force seeks case studies and statistics that provide evidence of concern—or comments explaining why concerns are unwarranted—about cloud computing data privacy and security in the commercial context. We also seek data that link any such concerns to decisions to adopt, or refrain from adopting, cloud computing services.

b. The Task Force also seeks input on whether the current legal protections for transactional information and location information raise questions about what privacy expectations are reasonable and whether additional protections should be mandated by law. The Task Force also invites comments that discuss whether privacy protections for access to location information need clarification in order to facilitate the development, deployment and widespread adoption of new location-based services.

c. The Task Force seeks information from the law enforcement community regarding the use of ECPA today and how investigations might be affected by proposed amendments to ECPA’s provisions.