U.S.-E.U. Data Privacy Deal Near

Duckie01 writes: "There's an interesting report about a deal being made between the European Union and the U.S. concerning companies collecting customer information on the Web. Right now privacy protection under EU laws is much stricter than under U.S. laws. With this 'Safe Harbor' deal, companies that choose to comply are to police themselves. Can you say 'sellout' and 'conflict of interest'?" In other words, says EPIC, "the fox guarding the hens." The pact must still be approved by the European Parliament.

Re:Stoppable?

[Jon+Peterson]

"One would presume that the European Parliament is in some fasion amenable to public pressure"

HA HA ha ha ha ha ha ha Ohhh ho ho ho ho ho tee hee heee heee *splutter* Oh my sides Ho ho ho ho ha Ha ha ha ha ha.

You don't live in Europe do you? The European Parliament is in some fashion amenable to corruption, large expense accounts, glorying in its own power and self importance and congratulating itself on being the driving force of the amazing new wonderful federal Europe.

That said, they sure don't like the U.S. because the EU to some extent defines itself as being not American. So yes, they may well put up a fight, and I hope they do, but don't for one moment think that it's because they listen to public opinion!

General Questions I have

[orpheus]

I oppose the Safe harbor proposal, and the FTC seens to agree that American companies deserve an overwhelmingly failing grade.

Ordinarily, I'd hope that the European users, having a clear choice between privacy in Europe and blatant abuse in the US, would avoid American sites, and send a strong message that American companies might understand. I tend to favor free market solutions, and this might stand as a backup if we don't succeed in regulating US companies in their use of a commodity that does not truly beling to them: our personal info and patterns.

However, as a practical matter, it's not always easy to know when you're dealing with an American company: .com doesn't mean "American", and many foreign TLDs may actually point to servers in the US and other "non-private" jurisdictions.

I suppose that a privacy leak anywhere is a threat to privacy everywhere.

The fact that far too few people fully appreciate their privacy, or personal info protections, can only make things worse. It would hardly be the first time a right ot privilege was not appreciated until it wa attenuated or gone.

However, I must say that, privacy advocate that I am, I am still troubled by a paradox I've never been able to resolve: is privacy fundamental? Keep in mind that "urbanization" is a relatively ne phenomenon -- until the Great Depression (or a little later) most Americans lived in small towns or rural environments (I presume Europe was similar) and people rarely moved, compared to today. In a small town, a lot of what we now consider basic privacy was impossible. "Everyone knew your business": your salary, work history, the embarrassing things you did in third grade. Perhaps this is why our Founding Fathers did not address 'privacy' in the Constitution, though they seem to have a prescient awareness of other crtitical issues

Perhaps the key is that the companies buy, sell, and use *our* information anonymously. They do not tell us exactly what they do, nor do we have any right of consent. Once the information is 'out', it is considered "their" property, not ours.

Still, "privacy" is an important concept, if only because it is a major legal tool (in the American system) for defending and arguing for rights that were not mentioned in the Constitution, partly because wholesale violation was unthinkable before today's mindless technology evolved.

------------------
"Dum spiro, spero. Dum vivimus, vivamus."
(While I breathe, let me hope. While I live, let me live)

Objections to privacy as a natural right

[Kaa]

In a small town, a lot of what we now consider basic privacy was impossible. "Everyone knew your business": your salary, work history, the embarrassing things you did in third grade.

That's a common objection to privacy as a right -- "we didn't have any before urbanization". It has a bit of validity, but not much. Some problems with it:

(1) Just because something hasn't always been a right does not mean it's not what we consider a "natural right". For example in ancient Greece personal freedom was not a basic right -- you could become a slave by being captured, by not paying your debts, etc. In medieval Europe (and in the Soviet Union until early 90s, that's 1990's) people could not freely change their place of living, though most American consider the right to settle anywhere to be a "natural right".

(2) Even if you had no privacy against other inhabitants of your village, you had privacy against the world. A stranger coming into the village and asking about you would gain little information. Compare to contemporary situation where anybody with the right tools and access can get what's available.

(3) The village's information-gathering system was highly imperfect. Some information was known by all, some by few, some by nobody. Yes, everybody knew what you did and how much you made, but goings-on inside the house were generally private. Nowaday the ability to concentrate information in one place is much higher.

(4) The village's storage of information was short-term. Human memory is selective and lossy. Nobody remembers your third-grade grades or the fact that you were expelled from the class five times for being disrespectful to a teacher. Compare to now -- databases never forget.

(5) The villagers would not generalize about you because they had too little information about people like you (and too little processing capability, too). Today it's perfectly feasible to make the following chain of connections: "This guy buys a lot of red meat and butter and we see no gym payments anywhere -- we know that statistically such people die early from heart disease -- so let's target this guy for cholesterol-lowering medication and raise his life insurance rates".

So, no, "we all lived in villages with no privacy" is not a good argument.

Kaa

How about class action suits

[Paul+Johnson]

I'd have thought that class action suits would be an effective deterrent. Its fairly easy to track misuse of marketing data if you try: just give a false name, and log who you give it to. So once someone has evidence that his name has been sold on in violation of the rules, it follows that lots of other people have as well. These people are a Class in whose name a class action suit can be brought. And the defendent has a handy list of their names and addresses too...

In effect this privatises the enforcement side. All it takes is a few lawyers who make a practice of signing up for things under false names and tracking the resulting spam. When they find a violation they can sue and pocket a fee.

This leaves open two issues:

1. Establishing damage. Its hard to argue that you are damaged by receiving snail spam. You might be able to sue for the cost of reading it, deciding its not important, and disposing of it. But if you price your time at $20/hour (probably too optimistic), and it takes you 1 minute to open the envelope, scan it and decide you don't want it, then thats just 33 cents per "victim". Even with punitive damages its still only a dollar. This probably requires a separate law.
2. Setting rules which can then be enforced. This could be done by government, but it could also be done by market pressure if we can just educate people. The people to do this educating are the same lawyers who will be bringing the class action suits. They just need to tell people to look for the TrustE logo on a web site, or whatever.

Paul.

Privacy Crumbles

[Chasuk]

A quote from the article:

The U.S. Commerce Department favors this type of industry self-regulation, and President Clinton, together with EU officials, lauds the accord as a milestone in international e-commerce that will encourage economic growth.

The words e-commerce and economic growth should be emblazoned in red. Note that the word privacy does not appear in this paragraph. Privacy isn't important in the world of e-commerce, unless it is a product unto itself. Companies will sell you software to help violate someone else's privacy, and software to protect your privacy, which means that privacy itself is for sale.

The only interest of a commercial company is self-interest. Self-interest equals profit. Unless protecting my privacy becomes profitable, companies will sell my details to the highest bidder.

This leads to the question: is there a way to guarantee that it is in Company X's best interest to protect my privacy? Can public pressure and the threat of diminishing sales make all companies champions of privacy, hypocritically or otherwise?

If not, I see privacy crumbling before our eyes.

Re:Communications Privacy

[G27+Radio]

I just had a thought regarding DoubleClick. Right now most of us just block their cookies. Instead it might be interesting if false information would be returned instead. Over time, if enough people were returning false data, it would pollute their databases badly enough that they'd be useless.

To extend the idea a little further, maybe there are other ways to flood DoubleClick and collectors of private information with fake data. Maybe some kind of distributed system where people set up little daemons that run in the background, pretend to be surfing, but are really just sending cookies designed to destory the integrity of their data. Would this be legal? hmmm...

numb

Communications Privacy

[octalman]

Information "mining" by DoubleClick et al is the moral equivalent of physical wire tapping of one's telephone. It seems amazing that this has never occured to any government entity. If it it is illegal to make a physical wire tap on a telephone to intercept messages, why ought it be legal to intercept other's messages or information through a legal physical messaging connection? No telephone subscriber would ever allow these people to "listen" to voice communations for the purpose of information mining. One may only record voice communication with permission of the sender. Data communication should be held to a like test.