Yale CPSC 457 - Controlling Sensitive Information

This preview shows page 1-2-3-4-5 out of 15 pages.

Jamie Yoo
CPSC 457
May 1, 2006

Controlling Sensitive Information

“Today we stand at another computational crossroads. We are moving past the 1960s vision of computers that hold important financial, education, and credit information. We are moving into an integrated future in which computers will track the most mundane and the most intimate aspects of our lives.” —Simson Garfinkel, Database Nation

INTRODUCTION

During the past decade, there has been a dramatic growth in the quantity of personal information that is being collected and sold, and the expansion of the Internet has significantly facilitated this development. Unfortunately, the data collection industry has gone largely unregulated, allowing databanks like ChoicePoint and Acxiom to collect massive amounts of information and sell them to third parties without any express permission from the data subjects. Insufficient regulation of this industry has led not only to blatant violations of the privacy rights of the individuals whose information is being sold but also to security risks. This paper will discuss a standard for evaluating the process of personal information collection, the ways in which the current system fails to meet these standards, and technical and legal suggestions for addressing these failures.

FAIR INFORMATION PRACTICES

“Over the past quarter century, government agencies in the United States, Canada, and Europe have studied the manner in which entities collect and use personal information – their ‘information practices’ – and the safeguards required to assure those practices are fair and provide adequate privacy protection. The result has been a series of reports, guidelines, and model codes that represent widely-accepted principles concerning fair information practices. Common to all of these documents are five core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.”

Over three decades ago, in 1973, a task force at the U.S. Department of Health, Education, and Welfare, or HEW, set out to analyze the impact of computerization of information on medical records privacy. At the end of the investigation, the task force presented the Code of Fair Information Practices, which consisted of five basic principles: openness, disclosure, secondary use, correction, and security. In the following years, various countries adopted the Principles as law, and then in 1980, the Organization of Economic Cooperation and Development, or the OECD, adopted an expanded set of eight principles as part of the “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” (OECD). The OECD is an international body comprised of 24 countries throughout the world, including the United States. However, while most other industrialized countries have codified the principles into omnibus privacy laws, the United States has yet to pass such a law at the federal level, although the Principles have been used as a reference for sector-specific laws, such as the Fair Credit Reporting Act, the Right of Financial Privacy Act, the Electronic Communications Privacy Act, and the Video Privacy Act (Privacy Rights Clearinghouse). Thus, even given the United States’ failure to codify the Principles, it is well established that the principles provide an effective framework for discussing the standards by which the process of personal data collection should be executed. Consequently, the following section will briefly review the Principles so that both current common practices and suggested practices can be evaluated against these standards.

The Principles

The following are the eight fair information practice principles as described by the OECD’s “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”:

(1) Collection limitation: There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

(2) Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, relevant and kept up-to-date.

(3) Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

(4) Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

(5) Purpose specification: The purpose for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

(6) Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified as described above, except with the consent of the data subject or by the authority of law.

(7) Individual participation: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request is denied and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

(8) Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of the Fair Information Practices.

INFORMATION RESELLERS

In the United States, these principles are generally considered to be guidelines and do not have the force of law. Thus, for instance, by 1983, 182 American companies had claimed to have adopted the guidelines, but the application of the principles