Privacy Historically, have consumers been concerned about their privacy? millions of consumers choose to have their phones listed in their last name only (to avoid revealing their gender) tens of millions more (30% of households!) choose to have an unlisted phone number others use private mailbox services to avoid revealing where they live Today we live in an "information economy" can check credit card and bank balances on the phone or by computer can pay bills over the phone or by computer can order gifts or clothes or airplane tickets online can borrow $20,000 from a complete stranger and drive home a new car Convenience comes at a cost: there's a lot more personal information out there than ever Why should we be concerned about it? Misuse of the information can result in 1. Risks to physical security sexual predators use the internet to identify children women may not want their address known to potential stalkers 2. Risks to economic security unauthorized charges to credit card unauthorized withdrawals from bank/investment accounts viruses that attack our computers identity theft 3. Unwarranted intrusions into our personal lives telephone calls disrupt our home and work lives spam litters our computers with solicitations some including pornography and other objectionable goods or services Internet Privacy Ziff-Davis Media, Inc. (August, 2002) company's online security system failed due to a coding error allowed anyone surfing the internet to access about 12,000 subscription orders for the magazine Gaming Monthly. many had used credit cards to pay for their subscriptions a number reported that their accounts were used fraudulently information remained easily available for about a month before "good samaritans" who viewed the material alerted subscribers via e-mail. Double-Click (March, 2000) What are “cookies”? files created by an internet site to store information on your computer your preferences when visiting that site (e.g., airline itineraries) a record of the pages you looked at within the site Good news: cookies only contain information that the user volunteers and cannot infiltrate a user's hard drive and siphon personal information E.g., credit card numbers Bad news: cookies can also store personally identifiable information that can be used to contact you name e-mail address home or work address telephone number Cookies permit advertisers to target customers whose previous visits to web sites might suggest an interest in its goods or services. For example, if you check out the Celtics home page a couple of times, the next time you open a search engine you might encounter an ad from a sporting goods store that sells Celtics clothing DoubleClick handles advertising for about 1,500 web sites initially it claimed it would only use "anonymous profiling" when collecting data on individuals. However, DoubleClick in fact used "pseudonymous" tracking i.e., when it placed cookies on consumers' computers, it assigned each cookie a unique number this would permit the company to merge the information with consumers' names if it wished but which it had not yet done when this controversy arose. Examples of the kinds of information the DoubleClick kept that had privacy implications included health inquiries travel plans the names of videos in which the consumer showed an interest information could, in theory, be useful to video stores to pitch movies or travel companies to pitch a vacation could also be used to the consumer's detriment e.g., when applying for insurance Privacy advocates feared DoubleClick would sell this information to telephone and mail- based direct marketers, health organizations, insurance companies, etc. After a number of states and the FTC opened privacy investigations, DoubleClick agreed not to link personally identifiable information to anonymous user activity across web sites some consumer advocates argue that the law should go further Propose that web sites should be prohibited from placing cookies on consumers' computers without express permission an "opt in" provision The advertising industry has set up several web sites that allow computer users to "opt out" of having their personal data collected and profiled when they visit commercial internet sites. Network Advertising Initiative Financial Privacy Financial institutions (banks, insurance companies, securities firms) collect substantial personal ("non-public") information, including names, addresses and phone numbers bank and credit card account numbers income credit histories social security numbers In the 1990's privacy advocates became concerned when financial institutions began selling customer account information to third parties (e.g., telemarketers) for purposes of marketing non-financial services Discount buying clubs Roadside assistance Credit card loss protection Dental plans Often kept a percentage of sales In 1999 Congress passed the "Gramm-Leach-Bililey Financial Modernization Act“ (GLBA) The Act applies to all "financial institutions," including companies that offer financial products or services, like loans, financial or investment advice, or insurance 1. Affiliation GLBA repealed Glass-Steagall Act depression-era law that prohibited banks, securities firms, and insurance companies from affiliating 2. Privacy GLBA requires financial institutions to protect information collected about individuals key provisions require them to: disclose to customers their policies and practices for protecting the privacy of non- public personal information provide customers annually an opportunity to opt out of having information shared with non-affiliated third parties e.g., telemarketers notice must offer a reasonable way for the consumer to express choice to opt out Generally done by providing consumer with either toll-free telephone number; or detachable form with a pre-printed address Vermont's Rules on Financial Privacy Vermont law provides greater protection for consumers than does the federal law rules adopted by Vermont's Department of Banking, Insurance, Securities and Health Care Administration (BISHCA) use an opt- in provision financial institutions must obtain a consumer's consent before private financial and health information can be sold to or shared with other companies BISHCA's rule was challenged by five insurance industry trade groups on First Amendment grounds February, 2004 a Vermont trial court rejected the challenge to the law Court referred to financial companies as "high volume traffickers of consumers' intimate personal information" 3. Pretexting "Information brokers" (also known as individual reference services) gather public information about consumers addresses, licenses, aliases, listed phone numbers also gather non-public information unlisted phone numbers, credit card numbers, social security numbers sell the information. services provide numerous benefits help law enforcement do their job help lawyers find witnesses help consumers find lost relatives help collection agencies find debtors Problem is that the availability of this information increases risks of crimes such as identity theft thwarts consumers' efforts to protect their privacy (Americanada ad) inaccurate information can result in problems Florida election results some information brokers called banks and other financial institutions, under the pretext of being a customer obtained the customer's account numbers and balances and other personal information GLBA makes it a crime to engage in pretexting Credit Reporting consumers’ credit reports contain significant amounts of personal information credit card numbers social security numbers bank account numbers federal Fair Credit Reporting Act (FCRA) and Vermont's Fair Credit Reporting Act (VFCRA) provide for the accuracy and privacy of consumer credit reports FCRA assures privacy by limiting who has access to a credit report credit reports can only be used or collected for one of the following five “permissible purposes” for credit for employment for insurance to a governmental agency (e.g., for a license or other benefit) to a person with a legitimate business need for the information in connection with a transaction with the consumer credit reporting agencies generally require the user of the report to certify the purpose for which the report is going to be used. may also check user's references, visit its place of business, etc. credit reporting agency must disclose on the report the identity of all parties receiving the information files must be made available to consumers free if the request comes within 30 days of denial of credit VFCRA further protects privacy by requiring that the consumer give permission before his or her credit report can be accessed allowing Vermont consumers to receive a copy of their report once a year free of charge Radio Frequency Identification (RFID) System What is RFID? What are some of the current uses of RFID systems? What are some possible future uses of RFID systems? What are the privacy concerns related to the use of RFID systems?