
Session 4: Consumer Privacy

https://cyber.harvard.edu/olds/ecommerce/privacytext.html

Teaching Fellows: Rita Lin

Guest Panelists:

Blake T. Bilstad, Esq.
Corporate Counsel, Secretary
MP3.com, Inc.
www.mp3.com/

Keith P. Enright, Esq.
Principal, TECHNE Consulting
Executive Director, PrivacyLaw.Net
www.privacylaw.net/

Supplemental Material:

"Memorandum on Privacy Audits and Privacy Policies," Michael Strapp, Harvard Law School.

"Privacy Audit Checklist," Keith P. Enright, Esq.

CONSUMER PRIVACY - TABLE OF CONTENTS

I. Introduction

II. Information Collection

III. Liability for Online Profiling

IV. Developing a Privacy Policy

V. Statutes and Regulations

VI. References

VII. Additional Materials

I. Introduction

Privacy is one of the most complex legal issues facing e-commerce ventures today. Many sites,
such as the one in our case study, have little interest in actively profiling their users or
discovering personal information about them. However, these sites will often collect significant
amounts of personally identifiable data that may trigger liability risks.

Some of this data is actively supplied by users. For example, the WGU site collects names,
physical and email addresses, and credit card information through forms. Users may also
voluntarily supply personal information in their threaded discussion messages, which are
archived on the site. On the other hand, some of this data is passively collected. The host server
records routine information about each visit. Some of the site's banner ads allow third-party
advertisers to track users' browsing habits.

Our task in this section is to assess the liability risk of a site's information collection practices.
We can break this task down into four main steps. First, we must determine what information is
collected by the site. Second, we must evaluate the potential liability for those information
collection practices. Third, we must choose whether to develop a privacy policy to disclose those
practices. And, fourth, we must verify our compliance with statutes or regulations. This lecture
will examine each of these four steps.


II. Information Collection

Many e-commerce sites directly ask users for personal information through forms. However, in
addition to such information, many sites also record data about their users' browsing habits. This
data can be matched with personal and demographic information to create a profile of user
preferences. Sites might use these profiles to target advertising or offer customized services. Or,
sites might engage in weblining, where different users are offered different prices based on their
profiles. Users who have more money or want a product more are charged more; alternately,
reduced prices are denied to users who shop so well for bargains that vendors will make no profit
by selling to them. Business Week has a great article on weblining (Website)(Stepanek).

Attorneys must be cognizant that some e-commerce clients may not always be aware of the
extent to which their site collects data about its customers. At first glance, the site in our case
study might not appear to collect much information. But, if we look deeper, we can see that users
are disclosing information in two important ways: first, data automatically collected by the site's
server software, and second, data collected by third-party advertisers through our site.

In our case study, the server software will almost certainly collect a great deal of information
automatically. Most server software will automatically record a web log of browsing habits: what
pages users visit, the time and duration of those visits, advertisements viewed and clicked on
during those visits, purchases made, query terms entered in search engines, and the referring
website that directed the user to the company's page. Furthermore, most software will
automatically obtain information about each user's IP address, computer name, browser type,
email address (if provided by the user's browser or a "web bug"), network owner, and domain
registration.
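
To see what such a web log actually holds before drafting a disclosure, the sketch below inventories the fields the paragraph above lists. It is an added example, not part of the original lecture; it assumes the server writes the Apache "combined" log format, and the sample entries, host names and the search parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries in the Apache "combined" log format (assumed format;
# addresses, hosts and the user name are made up for illustration).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2001:10:15:32 -0500] "GET /courses/ski101.html HTTP/1.0" 200 5120 "http://search.example/find?q=ski+lessons+utah" "Mozilla/4.7 [en] (Win98; I)"
203.0.113.7 - jsmith [12/Mar/2001:10:17:02 -0500] "GET /checkout?item=42 HTTP/1.0" 200 2048 "http://www.casestudy.example/courses/ski101.html" "Mozilla/4.7 [en] (Win98; I)"
198.51.100.23 - - [12/Mar/2001:11:01:45 -0500] "GET /forum/thread/9 HTTP/1.0" 200 9000 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
this line is malformed and must be skipped
'''

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumed query parameter names that search engines use for the typed terms.
SEARCH_PARAMS = ("q", "query", "p", "search")


def parse_line(line):
    """Return the privacy-relevant fields of one log entry, or None if malformed."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["referer_host"] = rec["search_terms"] = None
    if rec["referer"] not in ("", "-"):
        ref = urlsplit(rec["referer"])
        rec["referer_host"] = ref.hostname
        query = parse_qs(ref.query)
        for name in SEARCH_PARAMS:
            if name in query:
                rec["search_terms"] = query[name][0]
                break
    return rec


def inventory(log_text):
    """Group what the log reveals about each visitor, keyed by IP address."""
    visitors = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        v = visitors.setdefault(rec["ip"], {
            "pages": [], "user_names": set(), "referring_sites": set(),
            "search_terms": set(), "browsers": set()})
        v["pages"].append(rec["path"])
        v["browsers"].add(rec["agent"])
        if rec["user"] != "-":
            v["user_names"].add(rec["user"])
        if rec["referer_host"]:
            v["referring_sites"].add(rec["referer_host"])
        if rec["search_terms"]:
            v["search_terms"].add(rec["search_terms"])
    return visitors


def collected_categories(visitors):
    """List the data categories the log actually contains, for disclosure review."""
    found = {"IP address"} if visitors else set()
    for v in visitors.values():
        found.update(key for key, values in v.items() if values)
    return sorted(found)


if __name__ == "__main__":
    result = inventory(SAMPLE_LOG)
    print(collected_categories(result))
    for ip, data in result.items():
        print(ip, data)
```
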

In addition to this information, our site does allow third-party advertisers to place cookies on
users' hard drives. Ads on our site are placed through DoubleDealer, a (fictional) advertising
network similar to DoubleClick. DoubleDealer uses cookies to develop long-term profiles of
users' browsing habits across multiple visits and different sites. It has a profile for every user that
has ever looked at one of their ads. Every time a user sees a DoubleDealer ad--whether on our case
study website or another site that carries their ads--her computer will send a note to
DoubleDealer indicating what kind of website she's looking at. And DoubleDealer will store that
information in her file, so it knows to send her more ads related to skiing or new age music or
whatever she seems to like. In this sense, DoubleDealer tracks users through our site and all the
other sites on its advertising network. As counsel to the WGU site, it is important that we
recognize DoubleDealer's practices because they could create liability risks and must be
disclosed in our site's privacy policy.

From the example of our case study, we can see the importance of understanding the website's
data collection practices. Automatic software logs and third-party cookie placements are two of
the most easily overlooked aspects of information collection. Many sites have no interest in
actively profiling their customers and might even insist to their counsel that they collect no
personal information. But most of these sites do collect information automatically through their
server software, and many allow third-party cookie placement. According to a recent FTC
privacy survey, although 57% of the busiest sites allowed third-party cookie placement, only
22% disclosed that fact in their privacy policies (Website) (FTC,Privacy). Before developing
privacy policies or weighing the legal risks of online profiling, online vendors and their attorneys
should be certain that they are aware of the true extent of the site's data collection practices.

A. COMMON TECHNOLOGIES

Cookies

Cookies collect information as a user surfs the web and feed the information back to a web
server. An online vendor's site will send a cookie (which is most simply an identification number)
to a user's computer, where it is stored in a file on the user's hard drive and serves as a digital
identifier tag that notifies the vendor whenever that user re-enters the vendor's website. Although
users can configure their browser to disable cookies, some sites require users to accept them
before allowing entry. (TIMES OF INDIA EXPRESSLY ASKS TO ENABLE COOKIES FOR
REVENUE)

Cookies have two main uses. First, by allowing the site to "remember" the user, they can
customize a website by producing special content targeted to a specific user. For example,
cookies are commonly used to automatically supply passwords for users who prefer not to re-
enter their password each time they access a site. Second, cookies are used by network
advertising agencies, such as DoubleClick, to target product advertisements based on long-term
profiles of users' buying and surfing habits. When the advertiser contracts with many different
websites, it can follow the same cookie as that user surfs the web. Advertisers then collate this
information about the user's habits in a central database.

For more information on cookies, see the Energy Department's Computer Incident Advisory Council
report (Website) (Energy). Also, check out Cookie Central (Website) (Cookie). Netscape has a
technical specification for cookies as well (Website) (Netscape).

Web bugs (or pixel tags)


Web bugs are images--usually invisible because they are only one pixel wide by one pixel high--
that are embedded in web pages and HTML-formatted emails. Advertising networks often use
web bugs on web pages to add information to personal profiles stored in cookies and to collect
statistics about how many hits the site gets. Ad networks also use web bugs in "junk email"
campaigns to determine how many users read the emails and visited the linked site, to remove
users from the list who did not open the marketing emails at all, or to synchronize cookies with
the user's email address.

The EFF has a great FAQ on web bugs (Website) (EFF, 1999). You can bake your own cookie at
Privacy.net (Website)(Privacy.net).

B. DEVELOPING TECHNOLOGIES

Cookies and web bugs are only the beginning. New technologies are being developed every day
to gather more comprehensive data on consumer behavior. For an overview of some of these new
data-collection technologies, along with some info on privacy-enhancing technologies such as
P3P, see Developing Technologies.


III. Liability for Online Profiling

Although the FTC has recommended legislation to regulate online profiling (Website) (FTC,
2000), current American privacy law contains almost no general prohibitions against the
collection of consumer data. Today, most privacy initiatives target specific industries or types of
data, such as consumer credit reports, cable TV subscriber information, or personal financial
information. See Protected Categories for more information.

In our case study, the WGU site will almost certainly not face liability based on a sector-specific
federal statute because it does not collect information that falls under any of the protected
categories. The only applicable federal law would be the Electronic Communications Privacy Act
(ECPA), which some privacy advocates have argued prohibits the use of cookies without prior
consent. According to this interpretation of the ECPA, our site could be liable for allowing
DoubleDealer to place cookies on users' hard drives. However, this interpretation of the ECPA is
controversial, and few claims have reached final judgment. The site could also face common law
or state law claims.

Before discussing the legal grounds for action, however, it is useful first to get a sense of the
larger public policy concerns behind these arguments. Proponents of online profiling contend
that collecting data about consumers allows sites to improve service. Sites can customize
content, evaluate consumer reaction to products, and target ads to a consumer's interests.
Proponents argue that revenues from targeted ads have subsidized the current wealth of free
content online; without such a subsidy, the web may move toward a fee-based access system that
would price low-income readers out of the market. For more information on these arguments,
visit the Association of National Advertisers (Website) (ANA, 2001) and the Direct Marketing
Association (Website) (DMA, 2001). Legal scholars have also suggested that the expansion of
privacy threatens free speech rights protected by the First Amendment. Solveig Singleton has a
great law review article on this topic (Singleton, 2000).

On the other hand, privacy advocates argue that users should not be tracked without their notice
or consent. These advocates argue that consumers are not adequately informed about passive
information collection technologies. According to a Business Week survey, only 40% of users
have even heard of cookies, and of those, only 25% were able to select the correct definition on a
multiple choice questionnaire (Website) (Business Week, 2000). Furthermore, privacy advocates
contend that even if most of the information currently collected is not personally identifiable, it
poses serious privacy concerns because of the inherently invasive scale of the monitoring. They
also worry that corporations will later decide to combine the currently non-identifiable databases
of browsing habits with personal information from other sources. Finally, advocates have posited
that the consumer discomfort with online monitoring will chill use of resources on sensitive
topics such as abortion, HIV, or depression, and prevent the electronic marketplace from
reaching its full potential.

A. CONSUMER CLASS ACTION SUITS

Due to the absence of specific legislation regulating online profiling, consumer class action suits
have proceeded under many different legal theories. Some plaintiffs have argued that cookies and
web bugs allow unauthorized access to the user's hard drive (where the cookies are stored) and
therefore violate the Electronic Communications Privacy Act (ECPA), (Website) (§§ 2510-22)
and (Website) (§§ 2701-11). Others have suggested that passive information collection is
actionable as a common-law privacy tort or trespass. Still others have also pursued their claims
under state laws, such as Texas's anti-stalking statute or California's prohibition against deceptive
and unfair trade practices.

Only one consumer suit filed against online profilers has reached final judgment. In late March, a
United States District Court dismissed a highly publicized consumer class action suit against
DoubleClick (DoubleClick, 2001). The plaintiffs' pleadings alleged that DoubleClick's use of
cookies violated three federal laws: the Electronic Communications Privacy Act, which prohibits
unauthorized interception of electronic communications; the Wiretap Act, which prohibits
wiretapping in some situations; and the Computer Fraud and Abuse Act, which prohibits
unauthorized access to a computer. The court found no violation of the laws because sites
consented to the use of cookies by third-party advertisers. Furthermore, the court held that there
was no evidence that these laws were intended to prohibit cookie use by online advertisers. The
decision has been appealed to the Second Circuit. DoubleClick still faces more suits in Texas and
California based on state privacy and consumer protection laws.

Despite the DoubleClick decision, the legal limits on online profiling remain unclear. A
California district court recently denied a motion to dismiss a class action suit against Intuit and
ruled that Intuit's use of cookies may violate parts of the ECPA (Intuit, 2001). Furthermore, in
many state and federal jurisdictions, the use of cookies or similar technologies to track users'
browsing habits will be an issue of first impression. Although the DoubleClick decision may
prove persuasive to courts, other jurisdictions will not be bound by it. And suits may continue to
proceed under state statutes on privacy and consumer rights.

Electronic Communications Privacy Act (ECPA)

The ECPA, (Website) (§§ 2510-22) and (Website) (§§ 2701-11), imposes civil and criminal
penalties for the intentional interception, disclosure, or use of electronic communications that
affect interstate or foreign commerce. Electronic communications are defined as any transfer of
information by means of wire or electromagnetic system. Courts have interpreted the term to
include email (Bochach, 1996).

The major obstacle to using the ECPA to restrict online profiling is that it exempts parties from
liability if they obtain the prior consent from "users" (§ 2701) or "parties to communication" (§
2511). Based on the "user" exception in § 2701, a federal district court ruled in DoubleClick that
the ECPA does not bar the use of cookies by third-party advertisers. The court found that
Websites where ads were placed constitute "users" under the ECPA. As long as the Website
agrees to the use of cookies, the requirement of "prior consent by users" is satisfied and
DoubleClick cannot be held accountable (DoubleClick, 2001). Supporters of the decision have
drawn an analogy to the law governing third-party listening in telephone conversations: if two
people are talking on the phone, either one has the independent authority to consent to listening
by third parties.

However, critics of the decision have argued that only the consumer can give consent to cookie
placement because the consumer's hard drive is the relevant site of stored information. And at
least one California court agrees. In a recent decision regarding a class action suit filed against
Intuit, which owns quicken.com, a California district court refused to dismiss a claim based on
the ECPA (Intuit, 2001). The ECPA has two major parts relevant to online profiling: Section
2701 prohibits unauthorized access to stored communications, and Section 2511 prohibits the
interception of electronic communications for tortious or criminal purposes. The court denied
Intuit's motion to dismiss the Section 2701 claim. Although the court did not address
DoubleClick's consent reasoning directly, it emphasized that the users' hard drives were their
own and thus that users alone could consent to cookie use. The court held that if the plaintiffs'
allegations are true, Intuit did violate the stored communications provision of the ECPA by
placing cookies on users' hard drives. However, the court did dismiss the claims under Section
2511 because it saw no evidence that Intuit's purpose was criminal or tortious. The plaintiffs'
argument that cookies violated users' privacy and therefore constituted a common-law privacy
tort was unsuccessful in swaying the court's finding with regard to Section 2511.

In sum, the question of whether the ECPA prohibits cookie placement remains unresolved--
particularly with regard to Section 2701.

Common-law Privacy Tort

The common law doctrine of personal privacy includes four grounds for tort liability
(Restatement1). Susan Gindin wrote a great law review article explaining the application of these
traditional privacy torts to cyberspace (Website) (Gindin, 1997).

1. Unreasonable intrusion upon the seclusion of another


"One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of
another or his private affairs or concerns, is subject to liability to the other for invasion of his
privacy, if the intrusion would be highly offensive to a reasonable person." (Restatement2)

Comment c of the Restatement provision indicates that the section has been applied to wiretaps.
However, like the ECPA, the major difficulty is that the provision applies only to information not
voluntarily provided, which may bar claims where online profiling practices are disclosed in the
terms of use or privacy policy.

2. Unreasonable publicity given to another's private life

"One who gives publicity to a matter concerning the private life of another is subject to liability
to the other for the invasion of his privacy, if the matter publicized is of a kind that (a) would be
highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."
(Restatement (Second) of Torts, 1965)

There are two major obstacles to applying this doctrine to online profiling. First, the private
information must be communicated so broadly that it is "substantially certain to become one of
public knowledge" (comment a). Since most marketing data from online profiling is kept within
the advertising firms, the publication of private information will often not be sufficiently wide to
sustain a tort action under this provision. Second, the private information must not be of public
record. Like the ECPA or the previous privacy tort, this provision bars recovery by users who
provide information voluntarily or seek to protest the dissemination of publicly available
information such as birth dates or marital status.

3. Publicity that unreasonably places another in a false light before the public

"One who gives publicity to a matter concerning another that places the other before the public
in a false light is subject to liability to the other for invasion of privacy, if (a) the false light in
which the other was placed would be highly offensive to a reasonable person, and (b) the actor
had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the
false light in which the other would be placed." (Restatement (Second) of Torts, 1965)

The problem with finding tort liability for online profiling under this provision is that it is limited
to the dissemination of erroneous information. Under this tort, consumers can insist on the right
to correct false information in the databases, but they cannot claim the right to prohibit
surveillance altogether.

4. The appropriation of another's name or likeness

"One who appropriates to his own use or benefit the name or likeness of another is subject to
liability to the other for invasion of his privacy." (Restatement (Second) of Torts, 1965)

This tort may create a cause of action for the sale of personal information to online publishers or
unsolicited commercial emailers. However, plaintiffs have thus far been unsuccessful in this vein
of argument (Shibley, 1975).

Cookies and Web Bugs and Spyware, Oh My!

http://www.scmagazine.com/cookies-and-web-bugs-and-spyware-oh-my/article/30616/

Cookies are text files that hold user information in order to personalize web pages. A cookie
generally operates on six basic parameters, of which only one, the 'value,' is required. They
include: the name of the cookie, the value, the expiration date if any, the domain in which the
cookie operates, the path in which it operates, and whether it requires a secure connection. As
you can see, this information is pretty straightforward and non-threatening. Also, the user can
delete or block a cookie at any time.
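
The six parameters listed above, and the third-party placement discussed in the earlier lecture sections on cookies and on DoubleDealer, can be checked against what a site really sets. The sketch below is an added example, not code from either source; the observed headers, the host names and the list of domains a privacy policy discloses are constructed inputs, and the domain comparison is a simple suffix match.

```python
from email.utils import parsedate_to_datetime

# Constructed observations: (host that sent the response, Set-Cookie header value).
PAGE_HOST = "www.casestudy.example"
OBSERVED = [
    ("www.casestudy.example", "session=abc123; path=/; secure"),
    ("www.casestudy.example",
     "prefs=lang-en; expires=Wed, 31 Dec 2031 23:59:59 GMT; path=/account"),
    ("ads.doubledealer.example",
     "uid=7f3a9c; expires=Wed, 31 Dec 2031 23:59:59 GMT; domain=.doubledealer.example; path=/"),
]


def parse_set_cookie(header, response_host):
    """Split one Set-Cookie value into name, value, expires, domain, path, secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "expires": None,
              "domain": response_host.lower(), "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            try:
                cookie["expires"] = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                cookie["expires"] = val  # keep the raw text if the date is unparsable
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def domain_match(host, domain):
    """True when host is the cookie domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit(page_host, observed):
    """Label each cookie seen while loading a page as third-party and/or persistent."""
    report = []
    for response_host, header in observed:
        cookie = parse_set_cookie(header, response_host)
        cookie["third_party"] = not domain_match(page_host, cookie["domain"])
        cookie["persistent"] = cookie["expires"] is not None  # survives the session
        report.append(cookie)
    return report


def undisclosed_third_parties(report, disclosed_domains):
    """Third-party cookie domains that the privacy policy does not name."""
    return sorted({c["domain"] for c in report
                   if c["third_party"] and c["domain"] not in disclosed_domains})


if __name__ == "__main__":
    cookies = audit(PAGE_HOST, OBSERVED)
    for c in cookies:
        print(c["name"], c["domain"], "third-party" if c["third_party"] else "first-party",
              "persistent" if c["persistent"] else "session")
    print("Not disclosed:", undisclosed_third_parties(cookies, set()))
```
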

An example of the excellent use of cookies is Amazon.com, which uses cookies to present a
selection of materials to the user based upon their interests as reflected in their purchases and
browsing habits. Another example is DoubleClick, which suffered a series of class action
lawsuits for user privacy violations related to the company's cookie tracking practices.

Web bugs are tiny (usually a single pixel) transparent image files on web pages that are used to
monitor users' online habits. As cited in a CNET article at the height of the web bug storm, critics
claimed the bugs could capture IP addresses or perhaps install "pernicious files" and were
therefore more invasive than cookies. The argument revolved around the capability, used or
unused, that the bugs could take information given by the user at a selected web site and transfer
it to any number of other sites without the user's knowledge or consent. The arguments also
included the possibility of the bug's information being aggregated with that of cookies and used
to create profiles of specific users' habits, instead of being used as general demographic
information. Critics were further aggravated by the fact that, unlike cookies, the bugs were
beyond the control of the user to block or delete.

Spyware spawned the newest debate in this series of tools used to track your habits and send the
information to someone else without your consent or knowledge. Spyware is also called adware,
trojanware, parasite programs or media plug-ins. Spyware was originally designed to allow
freeware authors to make money on their products. This worked by bundling the programs
together for download onto users' machines. The users would see the ads and the freeware
authors would be compensated accordingly. This is an excellent concept; however, according to
some critics the spyware doesn't stop there.

Many users did not even realize they were downloading the spyware that was bundled with the
freeware they wanted, although it may have been obliquely addressed in the licensing agreement
with generic wording that may sound something like "may include software that occasionally
notifies users of important news." It sits on the hard drive and continually tracks users' actions. It
periodically sends reports to its originator concerning the user's activities. The problem is that the
user cannot control what data is sent and, unless using special tools, cannot uninstall the spyware
even if the software it was bundled with is removed from the system.

The programs also use the user's connection without permission, which can be a real issue. They
also have the capability of using system resources for other purposes, as illustrated by Brilliant
Digital Entertainment, which bundled their 3-D adware with the KaZaA file-trading program and
planned to employ users' machine resources to host and distribute content from client companies.

According to security expert Steve Gibson, spyware programs are independent executables that
have the capability to monitor keystrokes, arbitrarily scan files on your hard drive, snoop other
applications such as word processors and chat programs, read your cookies, change your default
homepage, interface with your default web browser to determine what web sites you are visiting,
and find and disclose any data on, entering or exiting your computer.

Thus the term "trojanware" results from the many similarities between this type of program and a
malicious Trojan horse. One of the definitions of a Trojan horse is an executable program that is
introduced to a computer by stealth, is hidden within an apparently harmless or desirable
program, executes tasks for a third party without the user's knowledge, and may steal passwords
or other data from the computer and send it to a third party.

Web bugs are similar to the Internet cookies that are widely used to track the online movements
of Web users and store information about them. But the bugs are invisible to users, typically
being set up on a Web page as a graphical element that's just 1 pixel by 1 pixel in size - about as
large as a period at the end of a sentence of standard-size text.
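
Because a web bug is defined by its size and its origin, a page can be audited for them mechanically. The sketch below is an added example, not code from any of the sources quoted here: it flags images of at most 1 by 1 pixel that load from a host other than the page's own and lists the query parameters each one carries. The sample page and all host names are constructed, and treating any different host as third-party is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Constructed sample page; every host name here is made up for illustration.
SAMPLE_URL = "http://www.casestudy.example/courses/ski101.html"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="60" alt="logo">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://ads.doubledealer.example/pixel.gif?site=casestudy&amp;page=ski101&amp;uid=7f3a9c"
     width="1" height="1" border="0">
<img src="http://stats.tracker.example/t.gif?e=user%40mail.example" style="width:1px; height:1px">
</body></html>
"""


def pixel_size(attrs, name):
    """Read a dimension from the width/height attribute or from an inline style."""
    raw = attrs.get(name)
    if raw is None:
        m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)px" % name, attrs.get("style") or "", re.I)
        raw = m.group(1) if m else None
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None  # missing, or not a plain pixel count such as "100%"


class WebBugFinder(HTMLParser):
    """Collects <img> tags that are at most 1x1 pixel and served by another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        if not attrs.get("src"):
            return
        width, height = pixel_size(attrs, "width"), pixel_size(attrs, "height")
        if width is None or height is None or width > 1 or height > 1:
            return
        url = urlsplit(urljoin(self.page_url, attrs["src"]))
        if url.hostname == self.page_host:
            return  # first-party spacer image, not a cross-site beacon
        self.findings.append({
            "host": url.hostname,
            "url": url.geturl(),
            # Parameter names show what the request hands to the other site.
            "params": sorted(parse_qs(url.query)),
        })


def find_web_bugs(html, page_url):
    """Return one finding per suspected web bug in the given HTML."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_URL):
        print(bug["host"], bug["params"])
```
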

What could I do to be protected?

https://webbug.eu/

Web bugs can be deactivated relatively simply. Solutions can be categorized as follows:

1. blocking utilities: browser extensions can simply block web bugs or make their task
much harder. In most cases they provide a high level of privacy, although they could be
circumvented.

2. anonymous browsers: these web browsers were designed to provide complex
countermeasures against online surveillance, whether by commercial or government
parties.

3. secured systems: live operating systems that were crafted with security and privacy in
mind.

Blocking utilities
Ghostery: blocks web bugs based on a fixed, but frequently updated list. The filtering can be
personalized with high granularity, and you might consider turning off the GhostRank option if
you take privacy seriously.

NoScript: the professional blocker app that allows blocking other types of content as well
(JavaScript, Flash, etc.).

Anonymous browsers
Firefox: private browsing mode is quite interesting in the newest version of Firefox: it turns off
ads and blocks third-party trackers.

JondoFox: anonymous browser designed by German professionals. Portable and has cutting-edge
technology, coming with a closed system anonymizing service called JondoNym.

Tor Browser: the most well-known anonymous browser, which is also portable and fully
equipped. Network-level anonymization is provided by the Onion Routing technology.

Secured systems
Tails: live system that provides high security and privacy way beyond safe web browsing.
