The National Academies Press

Currently Skimming:

Pages 303-346

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.

From page 303... ... Part IV Findings and Recommendations 0 Read the entire page →
From page 305... ... For example, informational privacy involving political and religious beliefs raises different issues than does health information with respect to a contagious disease. A conversation with one's attorney is different from a speech in a public park or a posting on an Internet bulletin board. Read the entire page →
From page 306... ... of personal information in question (e.g., Social Security number, medical information, publicly available information) and the circumstance and means of its capture; • Data storage, which includes the time period for which data will be retained and available for use and the circumstances and means of storage (e.g., media used) Read the entire page →
From page 307... ... • How are decisions made when there are competing interests regarding personal information, for example, public health needs versus individual privacy or national security versus civil rights interests? • What are the informational norms in question? Read the entire page →
From page 308... ... Loss of priacy often results in significant tangible and intangible harm to indiiduals and to groups. In one obvious example, protecting the privacy of one's personal information helps to make one safer from crimes such as fraud, identity theft, and stalking. Read the entire page →
From page 309... ... Consider: • A person whose personal information (name, address, Social Security number, and so on) may have fallen into the hands of identity thieves may not in fact suffer from an actual fraudulent purchase made in her name. Read the entire page →
From page 310... ... • Through the analysis of a variety of personal information, the U.S. government has placed many individuals on "watch lists" as suspected terrorists who should be denied airplane boarding privileges or entry into the United States. Read the entire page →
From page 311... ... But for most situations in which one provides personal information, the basis for trust is less clear. Children routinely assert privacy rights to their personal information against their parents when they do not trust Read the entire page →
From page 312... ... Adults who purchase health insurance often assert privacy rights in their medical information because they are concerned that insurers might not insure them or might charge high prices on the basis of some information in their medical record. Many citizens assert privacy rights against government, although few would object to the gathering of personal information within the borders of the United States and about U.S. Read the entire page →
From page 313... ... For example, the rapidly decreasing cost of storing information has meant that personal information on an individual, once collected, may generally be available for potential use forever unless special measures are taken to destroy it (Chapter 3) Read the entire page →
From page 314... ... Today, the automated recognition of facial images taken by such cameras is difficult and unreliable -- but the technology of facial recognition will almost certainly improve in the future. As the technology improves, and databases of facial images are populated, it is entirely possible that businesses and government will develop new ways of exploiting personal information that is not identifiable today. Read the entire page →
From page 315... ... Convicted felons in a number of states must provide DNA information for entry into a database to which law enforcement officials have access. Convicted sex offenders must register with law enforcement authorities, and communities must be notified about the presence of such individuals living therein. Read the entire page →
From page 316... ... But there are many situations in which people disclose personal information without realizing it. Most individuals who make toll-free calls do not realize that the numbers from which they are calling are provided to the called party, and caller-ID services operate without notice to callers. Read the entire page →
From page 317... ... Some regard this imbalance as dangerous and improper, and infer that external limits are thus necessary to constrain the ability of government officials to act improperly, even if such constraints complicate or impede the task of law enforcement agencies. Others trust that government officials will use such power only 2 Emily Bazar, "Suspected Shooter Found Sex Offenders' Homes on Website," USA Today, April 18, 2006, available at http://www.usatoday.com/news/nation/2006-04-16-maine-shootings _x.htm. Read the entire page →
From page 318... ... That is, some people are highly concerned about the imbalance between individuals and private organizations, and thus infer that regulation is thus necessary to constrain their ability to act in ways that harm individuals, even if such constraints complicate or impede their business and operational missions. Others believe that the power of the marketplace is sufficient to constrain their behavior, and reject external constraints because they would complicate or impede their business and operational missions. Read the entire page →
From page 319... ... A similar tradeoff occurs when researchers seek to obtain statistical information from large aggregations of personal information from many individuals. For example, epidemiologists often use personal health information of many individuals to understand patterns of disease propagation. Read the entire page →
From page 320... ... From an analytical perspective, Sections 10.1 and 2.4 (see Box 2.2) describe one process -- the use of anchoring vignettes -- for coming to terms about meaning, and there are of course other ways of doing so as well. Read the entire page →
From page 321... ... A program that collects the personal information of Elbonian-Americans has definite privacy implications. But if the goal of the program is to enable the identification of Elbonian-Americans for possible deportation, it may make sense for the nation to assess whether or not the deportation of Elbonian-Americans is a good or a bad policy goal. Read the entire page →
From page 322... ... But the potential infringement on privacy may well come from the long-term retention of such information -- and so restructuring the system to erase that information after it is no longer necessary (e.g., after an hour, when it is no longer needed to manage the building heating and air conditioning system) might mitigate the privacy concerns substantially without damaging the goal of conserving energy. Read the entire page →
From page 323... ... But there is one type of solution that is worth special notice -- the approach in which privacy-reducing actions are employed as a last rather than a first resort. Before demanding solutions that require that citizens provide more personal information, policy makers crafting solutions to problems would do well to fix problems by making more effective use of the personal information to which they already have access. Read the entire page →
From page 324... ... , taking these nuances into account will often be necessary if common ground is to be found. Without context and nuance, the debate quickly polarizes into "pro-privacy" and "anti-privacy"/"pro-X" camps.7 (For X, substitute any issue of public importance -- security, law enforcement, the economy, for example.) Read the entire page →
From page 325... ... Thus, organizations that handle personal information are well advised to invest up front in adequate technological privacy protection from the very beginning. 10.5.2 Individual Actions Finding 15. Read the entire page →
From page 326... ... and options for not receiving postal or electronic mail; • Put credit freezes or fraud alerts on their credit reports; and • Avoid using toll-free numbers and block caller-ID when making calls. To monitor one's online privacy, individuals can: • Search the Internet periodically for sensitive personal information, such as one's Social Security number or an unlisted phone number from an anonymized account or a computer that cannot be traced to the individual. Read the entire page →
From page 327... ... In such instances, the only privacy-enhancing measure that one can take as an individual is to provide false or incomplete information when personal information is requested. Of course, providing false information has other consequences. Read the entire page →
From page 328... ... Self-regulation is limited as a method for ensuring priacy, although it neertheless offers protections that would not otherwise be aail able to the public. Organizations that use technology to manage large volumes of personal information (both in the private sector and in government) Read the entire page →
From page 329... ... An important next step is the enforcement of a declared privacy protection policy. This is a non-trivial task, and even the most stringent privacy policies cannot provide protection if they are subverted by those with access to the personal information, either legitimate access (the insider threat) Read the entire page →
From page 330... ... Red-teaming in a privacy context refers to efforts undertaken to compare an organization's stated privacy policy to its practices. In general, red-teaming for privacy will require considerable "insider" access -- the ability to trace data flows containing personal information. Read the entire page →
From page 331... ... Organizations that deal with personal information would benefit from some kind of institutional advocacy for privacy, as many healthcare-providing organizations have done in response to the Health Insurance Portability and Accountability Act of 1996 (Section 7.3.4) Read the entire page →
From page 332... ... website."16 Bell Canada has designated a privacy ombudsman to oversee compliance with the Bell Code of Privacy.17 A number of companies have created the position of chief privacy officer. In those companies where this title does not primarily designate a public relations position that puts the best face on company privacy practices or a legal position that merely ensures compliance with existing privacy laws, the chief privacy officer can serve as an effective organizational advocate who ensures high-level management attention to privacy issues, serves as a liaison to other privacy expert stakeholders, and anticipates future needs. Read the entire page →
From page 333... ... Perhaps more importantly, actions and decisions of governmental entities on a variety of issues are likely to have significant privacy impacts. Whether it is something as obvious as decisions or policies concerning national security or as seemingly minor as making public-record information available on the World Wide Web, a great many actions taken by governments have privacy implications. Read the entire page →
From page 334... ... This review should address: • Areas of overlap and conflict in current national privacy law and regulation -- special attention should be paid to the relationship of national law to state and local law extensively enough to generate a representative picture of those relationships; • Assessment of the nature and extent of gaps between stated policies and implementation, and the causes of such gaps; • Areas of privacy concern that the current legal and regulatory framework leaves unaddressed, such as the gathering, aggregation, and use of personal information by companies and other organizations that are currently not covered to any significant degree by any form of privacy regulation; • A clear articulation of the value tradeoffs that are embedded in the current framework of laws and regulation, especially where those tradeoffs were not made explicit at the time of adoption; • The economic and social impact, both positive and negative, of current privacy law and regulation; • The extent to which the personal information of Americans held by various parties is covered by the principles of fair information practices; • The interplay between state and federal privacy laws, taking into consideration matters such as the scope and nature of state laws as compared to federal laws; and • The interplay between domestic and foreign privacy laws, taking into consideration matters such as the scope and nature of flows of personal information to and from the United States and instances in Read the entire page →
From page 335... ... For example, a number of laws provide for the confidentiality of data collected by certain federal agencies (e.g., the Census Bureau, the Internal Revenue Service, and so on) Read the entire page →
From page 336... ... Private sector gathering and use of personal information have expanded greatly since the early 1970s, and many private sector organizations that manage personal information, such as data aggregators (Section 6.5) , are not covered by fair information practices, either under the law or under a voluntary privacy policy based on these principles. Read the entire page →
From page 337... ... Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information. Although some of the restrictions on government regarding the collection and use of personal information are not necessarily applicable to the private sector, the values expressed by the principles of fair information practice should also inform private sector policies regarding privacy. Read the entire page →
From page 338... ... While repurposing is not necessarily privacy invasive (e.g., medical information gathered for clinical decision making can be used to conduct epidemiological research in ways that are privacy preserving) , there is an unavoidable tension between a principle that one should know how personal information collected from him or her will be used before it is collected and the possibility that information collectors might want to use that information in the future for a purpose that cannot be anticipated today. Read the entire page →
From page 339... ... As noted in Chapter 6, government use of private sector organizations to obtain personal information about individuals is increasing. Fair information practices applied to data aggregation companies would go a long way toward providing meaningful oversight of such use. Read the entire page →
From page 340... ... Department of Homeland Security (DHS) , whose mission is to minimize the impact of departmental activities on the individual's privacy, particularly the individual's personal information and dignity, while achieving the mission of the DHS.19 The DHS Privacy Office is the focal point of departmental activities that protect the collection, use, and disclosure of personal and departmental information. Read the entire page →
From page 341... ... Dynamic environments require continuous attention to privacy issues and readiness to examine taken-for-granted beliefs that may no longer be appropriate under rapidly changing conditions. Of significance is the likelihood that the effects of changes in the environment will go unnoticed by the public in the absence of some well-publicized incident that generates alarm. Read the entire page →
From page 342... ... Grounded in the information technology environment of the early 1970s, the principles of fair information practice generally presume that the primary source of personal information about an individual is that person's active and Read the entire page →
From page 343... ... Historically, privacy regulation in the United States has focused on personal information -- information about and collected from individuals. Issues related to groups have generally been addressed from the important but nevertheless narrow perspective of outlawing explicit discrimination against certain categories of individuals (e.g., categories defined by attributes such as race, religion, gender, sexual orientation, and so on) Read the entire page →
From page 344... ... . Because this educational role would be institutionalized, it is reasonable to expect that the information such an office provided would be more comprehensible than the information offered by sources and parties with an interest in minimizing public concern about threats to privacy (e.g., difficult-to-read privacy notices sent by companies with economic interests in using personal information to the maximum extent possible) Read the entire page →
From page 345... ... , those in a position to act inappropriately tend to be more careful and more respectful of privacy policies that they might inadvertently violate. Read the entire page →
From page 346... ... These comments apply whether the source of the violation is in government or in the private sector, although the nature of appropriate recourse varies depending on the source. In the case of government wrongdoing, the doctrine of sovereign immunity generally protects government actors from civil liability or criminal prosecution unless the government waives this protection or is statutorily stripped of immunity in the particular kinds of cases at hand. Read the entire page →

From page 303...

... Part IV Findings and Recommendations 0

Read the entire page →

From page 305...

... For example, informational privacy involving political and religious beliefs raises different issues than does health information with respect to a contagious disease. A conversation with one's attorney is different from a speech in a public park or a posting on an Internet bulletin board.

Read the entire page →

From page 306...

... of personal information in question (e.g., Social Security number, medical information, publicly available information) and the circumstance and means of its capture; • Data storage, which includes the time period for which data will be retained and available for use and the circumstances and means of storage (e.g., media used)

Read the entire page →

From page 307...

... • How are decisions made when there are competing interests regarding personal information, for example, public health needs versus individual privacy or national security versus civil rights interests? • What are the informational norms in question?

Read the entire page →

From page 308...

... Loss of priacy often results in significant tangible and intangible harm to indiiduals and to groups. In one obvious example, protecting the privacy of one's personal information helps to make one safer from crimes such as fraud, identity theft, and stalking.

Read the entire page →

From page 309...

... Consider: • A person whose personal information (name, address, Social Security number, and so on) may have fallen into the hands of identity thieves may not in fact suffer from an actual fraudulent purchase made in her name.

Read the entire page →

From page 310...

... • Through the analysis of a variety of personal information, the U.S. government has placed many individuals on "watch lists" as suspected terrorists who should be denied airplane boarding privileges or entry into the United States.

Read the entire page →

From page 311...

... But for most situations in which one provides personal information, the basis for trust is less clear. Children routinely assert privacy rights to their personal information against their parents when they do not trust

Read the entire page →

From page 312...

... Adults who purchase health insurance often assert privacy rights in their medical information because they are concerned that insurers might not insure them or might charge high prices on the basis of some information in their medical record. Many citizens assert privacy rights against government, although few would object to the gathering of personal information within the borders of the United States and about U.S.

Read the entire page →

From page 313...

... For example, the rapidly decreasing cost of storing information has meant that personal information on an individual, once collected, may generally be available for potential use forever unless special measures are taken to destroy it (Chapter 3)

Read the entire page →

From page 314...

... Today, the automated recognition of facial images taken by such cameras is difficult and unreliable -- but the technology of facial recognition will almost certainly improve in the future. As the technology improves, and databases of facial images are populated, it is entirely possible that businesses and government will develop new ways of exploiting personal information that is not identifiable today.

Read the entire page →

From page 315...

... Convicted felons in a number of states must provide DNA information for entry into a database to which law enforcement officials have access. Convicted sex offenders must register with law enforcement authorities, and communities must be notified about the presence of such individuals living therein.

Read the entire page →

From page 316...

... But there are many situations in which people disclose personal information without realizing it. Most individuals who make toll-free calls do not realize that the numbers from which they are calling are provided to the called party, and caller-ID services operate without notice to callers.

Read the entire page →

From page 317...

... Some regard this imbalance as dangerous and improper, and infer that external limits are thus necessary to constrain the ability of government officials to act improperly, even if such constraints complicate or impede the task of law enforcement agencies. Others trust that government officials will use such power only 2 Emily Bazar, "Suspected Shooter Found Sex Offenders' Homes on Website," USA Today, April 18, 2006, available at http://www.usatoday.com/news/nation/2006-04-16-maine-shootings _x.htm.

Read the entire page →

From page 318...

... That is, some people are highly concerned about the imbalance between individuals and private organizations, and thus infer that regulation is thus necessary to constrain their ability to act in ways that harm individuals, even if such constraints complicate or impede their business and operational missions. Others believe that the power of the marketplace is sufficient to constrain their behavior, and reject external constraints because they would complicate or impede their business and operational missions.

Read the entire page →

From page 319...

... A similar tradeoff occurs when researchers seek to obtain statistical information from large aggregations of personal information from many individuals. For example, epidemiologists often use personal health information of many individuals to understand patterns of disease propagation.

Read the entire page →

From page 320...

... From an analytical perspective, Sections 10.1 and 2.4 (see Box 2.2) describe one process -- the use of anchoring vignettes -- for coming to terms about meaning, and there are of course other ways of doing so as well.

Read the entire page →

From page 321...

... A program that collects the personal information of Elbonian-Americans has definite privacy implications. But if the goal of the program is to enable the identification of Elbonian-Americans for possible deportation, it may make sense for the nation to assess whether or not the deportation of Elbonian-Americans is a good or a bad policy goal.

Read the entire page →

From page 322...

... But the potential infringement on privacy may well come from the long-term retention of such information -- and so restructuring the system to erase that information after it is no longer necessary (e.g., after an hour, when it is no longer needed to manage the building heating and air conditioning system) might mitigate the privacy concerns substantially without damaging the goal of conserving energy.

Read the entire page →

From page 323...

... But there is one type of solution that is worth special notice -- the approach in which privacy-reducing actions are employed as a last rather than a first resort. Before demanding solutions that require that citizens provide more personal information, policy makers crafting solutions to problems would do well to fix problems by making more effective use of the personal information to which they already have access.

Read the entire page →

From page 324...

... , taking these nuances into account will often be necessary if common ground is to be found. Without context and nuance, the debate quickly polarizes into "pro-privacy" and "anti-privacy"/"pro-X" camps.7 (For X, substitute any issue of public importance -- security, law enforcement, the economy, for example.)

Read the entire page →

From page 325...

... Thus, organizations that handle personal information are well advised to invest up front in adequate technological privacy protection from the very beginning. 10.5.2 Individual Actions Finding 15.

Read the entire page →

From page 326...

... and options for not receiving postal or electronic mail; • Put credit freezes or fraud alerts on their credit reports; and • Avoid using toll-free numbers and block caller-ID when making calls. To monitor one's online privacy, individuals can: • Search the Internet periodically for sensitive personal information, such as one's Social Security number or an unlisted phone number from an anonymized account or a computer that cannot be traced to the individual.

Read the entire page →

From page 327...

... In such instances, the only privacy-enhancing measure that one can take as an individual is to provide false or incomplete information when personal information is requested. Of course, providing false information has other consequences.

Read the entire page →

From page 328...

... Self-regulation is limited as a method for ensuring priacy, although it neertheless offers protections that would not otherwise be aail able to the public. Organizations that use technology to manage large volumes of personal information (both in the private sector and in government)

Read the entire page →

From page 329...

... An important next step is the enforcement of a declared privacy protection policy. This is a non-trivial task, and even the most stringent privacy policies cannot provide protection if they are subverted by those with access to the personal information, either legitimate access (the insider threat)

Read the entire page →

From page 330...

... Red-teaming in a privacy context refers to efforts undertaken to compare an organization's stated privacy policy to its practices. In general, red-teaming for privacy will require considerable "insider" access -- the ability to trace data flows containing personal information.

Read the entire page →

From page 331...

... Organizations that deal with personal information would benefit from some kind of institutional advocacy for privacy, as many healthcare-providing organizations have done in response to the Health Insurance Portability and Accountability Act of 1996 (Section 7.3.4)

Read the entire page →

From page 332...

... website."16 Bell Canada has designated a privacy ombudsman to oversee compliance with the Bell Code of Privacy.17 A number of companies have created the position of chief privacy officer. In those companies where this title does not primarily designate a public relations position that puts the best face on company privacy practices or a legal position that merely ensures compliance with existing privacy laws, the chief privacy officer can serve as an effective organizational advocate who ensures high-level management attention to privacy issues, serves as a liaison to other privacy expert stakeholders, and anticipates future needs.

Read the entire page →

From page 333...

... Perhaps more importantly, actions and decisions of governmental entities on a variety of issues are likely to have significant privacy impacts. Whether it is something as obvious as decisions or policies concerning national security or as seemingly minor as making public-record information available on the World Wide Web, a great many actions taken by governments have privacy implications.

Read the entire page →

From page 334...

... This review should address: • Areas of overlap and conflict in current national privacy law and regulation -- special attention should be paid to the relationship of national law to state and local law extensively enough to generate a representative picture of those relationships; • Assessment of the nature and extent of gaps between stated policies and implementation, and the causes of such gaps; • Areas of privacy concern that the current legal and regulatory framework leaves unaddressed, such as the gathering, aggregation, and use of personal information by companies and other organizations that are currently not covered to any significant degree by any form of privacy regulation; • A clear articulation of the value tradeoffs that are embedded in the current framework of laws and regulation, especially where those tradeoffs were not made explicit at the time of adoption; • The economic and social impact, both positive and negative, of current privacy law and regulation; • The extent to which the personal information of Americans held by various parties is covered by the principles of fair information practices; • The interplay between state and federal privacy laws, taking into consideration matters such as the scope and nature of state laws as compared to federal laws; and • The interplay between domestic and foreign privacy laws, taking into consideration matters such as the scope and nature of flows of personal information to and from the United States and instances in

Read the entire page →

From page 335...

... For example, a number of laws provide for the confidentiality of data collected by certain federal agencies (e.g., the Census Bureau, the Internal Revenue Service, and so on)

Read the entire page →

From page 336...

... Private sector gathering and use of personal information have expanded greatly since the early 1970s, and many private sector organizations that manage personal information, such as data aggregators (Section 6.5) , are not covered by fair information practices, either under the law or under a voluntary privacy policy based on these principles.

Read the entire page →

From page 337...

... Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information. Although some of the restrictions on government regarding the collection and use of personal information are not necessarily applicable to the private sector, the values expressed by the principles of fair information practice should also inform private sector policies regarding privacy.

Read the entire page →

From page 338...

... While repurposing is not necessarily privacy invasive (e.g., medical information gathered for clinical decision making can be used to conduct epidemiological research in ways that are privacy preserving) , there is an unavoidable tension between a principle that one should know how personal information collected from him or her will be used before it is collected and the possibility that information collectors might want to use that information in the future for a purpose that cannot be anticipated today.

Read the entire page →

From page 339...

... As noted in Chapter 6, government use of private sector organizations to obtain personal information about individuals is increasing. Fair information practices applied to data aggregation companies would go a long way toward providing meaningful oversight of such use.

Read the entire page →

From page 340...

... Department of Homeland Security (DHS) , whose mission is to minimize the impact of departmental activities on the individual's privacy, particularly the individual's personal information and dignity, while achieving the mission of the DHS.19 The DHS Privacy Office is the focal point of departmental activities that protect the collection, use, and disclosure of personal and departmental information.

Read the entire page →

From page 341...

... Dynamic environments require continuous attention to privacy issues and readiness to examine taken-for-granted beliefs that may no longer be appropriate under rapidly changing conditions. Of significance is the likelihood that the effects of changes in the environment will go unnoticed by the public in the absence of some well-publicized incident that generates alarm.

Read the entire page →

From page 342...

... Grounded in the information technology environment of the early 1970s, the principles of fair information practice generally presume that the primary source of personal information about an individual is that person's active and

Read the entire page →

From page 343...

... Historically, privacy regulation in the United States has focused on personal information -- information about and collected from individuals. Issues related to groups have generally been addressed from the important but nevertheless narrow perspective of outlawing explicit discrimination against certain categories of individuals (e.g., categories defined by attributes such as race, religion, gender, sexual orientation, and so on)

Read the entire page →

From page 344...

... . Because this educational role would be institutionalized, it is reasonable to expect that the information such an office provided would be more comprehensible than the information offered by sources and parties with an interest in minimizing public concern about threats to privacy (e.g., difficult-to-read privacy notices sent by companies with economic interests in using personal information to the maximum extent possible)

Read the entire page →

From page 345...

... , those in a position to act inappropriately tend to be more careful and more respectful of privacy policies that they might inadvertently violate.

Read the entire page →

From page 346...

... These comments apply whether the source of the violation is in government or in the private sector, although the nature of appropriate recourse varies depending on the source. In the case of government wrongdoing, the doctrine of sovereign immunity generally protects government actors from civil liability or criminal prosecution unless the government waives this protection or is statutorily stripped of immunity in the particular kinds of cases at hand.

Read the entire page →

← Previous Chapter Skim

Next Chapter Skim →

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.