Privacy is the claim of individuals to be left alone, free from surveillance or interference from other individuals or organizations, including the state. Claims to privacy are also involved at the workplace. Millions of employees are subject to digital and other forms of high-tech surveillance. Information technology and systems threaten individual claims to privacy by making the invasion of privacy cheap, profitable, and effective.
The claim to privacy is protected in the United States, Canadian, and German constitutions in a variety of ways and in other countries through various statutes. In the United States, the claim to privacy is protected primarily by the First Amendment guarantees of freedom of speech and association, the Fourth Amendment protections against unreasonable search and seizure of one’s personal documents or home, and the guarantee of due process.
Table 4.3 describes the major U.S. federal statutes that set forth the conditions for handling information about individuals in such areas as credit reporting, education, financial records, newspaper records, and electronic and digital communications. The Privacy Act of 1974 has been the most important of these laws, regulating the federal government’s collection, use, and disclosure of information. At present, most U.S. federal privacy laws apply only to the federal government and regulate very few areas of the private sector.
Most American and European privacy law is based on a regime called Fair Information Practices (FIP), first set forth in a report written in 1973 by a federal government advisory committee and updated in 2010 to take into account new privacy-invading technology (U.S. Department of Health, Education, and Welfare, 1973). FIP is a set of principles governing the collection and use of information about individuals. FIP principles are based on the notion of a mutuality of interest between the record holder and the individual. The individual has an interest in engaging in a transaction, and the record keeper—usually a business or government agency—requires information about the individual to support the transaction. After information is gathered, the individual maintains an interest in the record, and the record may not be used to support other activities without the individual’s consent. In 1998, the Federal Trade Commission (FTC) restated and extended the original FIP to provide guidelines for protecting online privacy. Table 4.4 describes the FTC’s FIP principles.
The FTC’s FIP principles are being used as guidelines to drive changes in privacy legislation. In July 1998, the U.S. Congress passed the Children’s Online Privacy Protection Act (COPPA), requiring websites to obtain parental permission before collecting information on children under the age of 13. The FTC has recommended additional legislation to protect online consumer privacy in advertising networks that collect records of consumer web activity to develop detailed profiles, which other companies then use to target online ads. In 2010, the FTC added three practices to its framework for privacy. Firms should adopt privacy by design, building products and services that protect privacy; firms should increase the transparency of their data practices; and firms should require consumer consent and provide clear options to opt out of data collection schemes (Federal Trade Commission, 2012). Other proposed Internet privacy legislation focuses on protecting the online use of personal identification numbers, such as social security numbers; protecting personal information collected on the Internet from individuals not covered by COPPA; and limiting the use of data mining for homeland security. In 2015 the FTC was researching new guidance for the protection of privacy and the Internet of Things (IoT), and mobile health apps (Federal Trade Commission, 2015).
In 2012, the FTC extended its FIP doctrine to address the issue of behavioral targeting. However, the government, privacy groups, and the online ad industry are still at loggerheads over two issues. Privacy advocates want both an opt-in policy at all sites and a national Do Not Track list. The online industry opposes these moves and continues to insist that an opt-out capability is the only way to avoid tracking. Nevertheless, there is an emerging consensus among all parties that greater transparency and user control (especially making opting out of tracking the default option) is required to deal with behavioral tracking. Public opinion polls show an ongoing distrust of online marketers. Although there are many studies of privacy issues at the federal level, there has been no significant legislation in recent years. A 2016 survey by the Pew Research Center found that 91 percent of Americans feel consumers have lost control of their personal information online and 86 percent have taken steps to protect their information online.
Privacy protections have also been added to recent laws deregulating financial services and safeguarding the maintenance and transmission of health information about individuals. The Gramm-Leach-Bliley Act of 1999, which repeals earlier restrictions on affiliations among banks, securities firms, and insurance companies, includes some privacy protection for consumers of financial services. All financial institutions are required to disclose their policies and practices for protecting the privacy of nonpublic personal information and to allow customers to opt out of information-sharing arrangements with nonaffiliated third parties.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which took effect on April 14, 2003, includes privacy protection for medical records. The law gives patients access to their personal medical records that healthcare providers, hospitals, and health insurers maintain and the right to authorize how protected information about themselves can be used or disclosed. Doctors, hospitals, and other healthcare providers must limit the disclosure of personal information about patients to the minimum amount necessary to achieve a given purpose.
1. The European Directive on Data Protection
In Europe, privacy protection is much more stringent than in the United States. Unlike the United States, European countries do not allow businesses to use personally identifiable information without consumers’ prior consent. In 1998, the European Commission’s Data Protection Directive went into effect, requiring companies in European Union (EU) nations to inform people when they collect information about them and disclose how it will be stored and used. Customers must provide their informed consent before any company can legally use data about them, and they have the right to access that information, correct it, and request that no further data be collected. Informed consent can be defined as consent given with knowledge of all the facts needed to make a rational decision. Individual EU member nations translated these principles into their own laws and prohibited the transfer of personal data to countries, such as the United States, that do not have similar privacy protection regulations. In 2009, the European Parliament passed new rules governing the use of third-party cookies for behavioral tracking purposes. These new rules require website visitors to give explicit consent to be tracked by cookies and websites to have highly visible warnings on their pages if third-party cookies are being used (European Parliament, 2009).
In 2012, the EU changed its data protection rules to apply to all companies providing services in Europe and required Internet companies, such as Amazon, Facebook, Apple, Google, and others, to obtain explicit consent from consumers about the use of their personal data, delete information at the user’s request, and retain information only as long as absolutely necessary. In 2014, the European Parliament extended greater control to Internet users by establishing the “right to be forgotten,” which gives EU citizens the right to ask Google and social network sites to remove their personal information. Although the privacy policies of U.S. firms (in contrast to the government’s) are largely voluntary, in Europe, corporate privacy policies are mandated and more consistent across jurisdictions.
The European Commission and the U.S. Department of Commerce developed a safe harbor framework for U.S. firms. A safe harbor is a private, self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legislation but does not involve government regulation or enforcement. U.S. businesses would be allowed to use personal data from EU countries if the firms developed privacy protection policies that met EU standards. Enforcement would occur in the United States by using self-policing, regulation, and government enforcement of fair trade statutes.
By 2015 the EU started taking steps to replace safe harbor and the Data Protection Directive with a more stringent General Data Protection Regulation (GDPR). The GDPR applies to any firm operating in any EU country, requires unambiguous consent to use personal data for purposes like tracking individuals across the web, and limits the use of data for purposes other than those for which it was collected (such as constructing user profiles). It also strengthens the right to be forgotten by allowing individuals to remove personal data from social platforms like Facebook and to prevent such companies from collecting any new information. Companies operating in the EU are required to delete personal information once it no longer serves the purpose for which it was collected (European Commission, 2016).
Following the revelation that U.S. government intelligence agencies had access to personal information on EU citizens, and a growing sense that Facebook and Google were not complying with EU policies, the EU GDPR was revised in 2016 to further strengthen users’ ability to control what information is collected and retained, with whom it is shared, and how and where it is processed. Fines for failure to comply were increased to up to 4 percent of a firm’s global revenue (about $1.6 billion for Facebook). GDPR also created a single EU privacy policy that governed all 28 nations in the Union. One result in Europe, but not in the United States, is that ad targeting will be reduced, along with the likelihood that ads will follow users around the Internet. The GDPR went into effect in May 2018. Facebook, Google, and Microsoft are building major data centers in Europe, and are planning to implement the GDPR regulations worldwide.
2. Internet Challenges to Privacy
Internet technology has posed new challenges for the protection of individual privacy. Websites track searches that have been conducted, the websites and web pages visited, the online content a person has accessed, and what items that person has inspected or purchased over the web. This monitoring and tracking of website visitors occurs in the background without the visitor’s knowledge. It is conducted not just by individual websites but by advertising networks such as Microsoft Advertising, Yahoo, and Google’s DoubleClick that are capable of tracking personal browsing behavior across thousands of websites. Both website publishers and the advertising industry defend tracking of individuals across the web because doing so allows more relevant ads to be targeted to users, and this pays for the cost of publishing websites. In this sense, it’s like broadcast television: advertiser-supported content that is free to the user. The commercial demand for this personal information is virtually insatiable. However, these practices also impinge on individual privacy.
Cookies are small text files deposited on a computer hard drive when a user visits websites. Cookies identify the visitor’s web browser software and track visits to the website. When the visitor returns to a site that has stored a cookie, the website software searches the visitor’s computer, finds the cookie, and knows what that person has done in the past. It may also update the cookie, depending on the activity during the visit. In this way, the site can customize its content for each visitor’s interests. For example, if you purchase a book on Amazon.com and return later from the same browser, the site will welcome you by name and recommend other books of interest based on your past purchases. DoubleClick, described earlier in this chapter, uses cookies to build its dossiers with details of online purchases and examine the behavior of website visitors. Figure 4.3 illustrates how cookies work.
Websites using cookie technology cannot directly obtain visitors’ names and addresses. However, if a person has registered at a site, that information can be combined with cookie data to identify the visitor. Website owners can also combine the data they have gathered from cookies and other website monitoring tools with personal data from other sources, such as offline data collected from surveys or paper catalog purchases, to develop very detailed profiles of their visitors.
There are now even more subtle and surreptitious tools for surveillance of Internet users. Web beacons, also called web bugs (or simply tracking files), are tiny software programs that keep a record of users’ online clickstreams. They report this data back to whoever owns the tracking file, which is invisibly embedded in email messages and web pages to monitor the behavior of the user visiting a website or sending email. Web beacons are placed on popular websites by third-party firms who pay the websites a fee for access to their audience. So how common is web tracking? In a path-breaking series of articles in the Wall Street Journal, researchers examined the tracking files on 50 of the most popular U.S. websites. What they found revealed a very widespread surveillance system. On the 50 sites, they discovered 3,180 tracking files installed on visitor computers. Only one site, Wikipedia, had no tracking files. Two-thirds of the tracking files came from 131 companies whose primary business is identifying and tracking Internet users to create consumer profiles that can be sold to advertising firms looking for specific types of customers. The biggest trackers were Google, Microsoft, and Quantcast, all of whom are in the business of selling ads to advertising firms and marketers. A follow-up study found tracking on the 50 most popular sites had risen nearly fivefold due to the growth of online ad auctions where advertisers buy the data about users’ web-browsing behavior.
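The following is an added example, not part of the textbook: a small audit that finds the third-party cookies and web beacons described above in a log of browser requests, and reports which identifiers are sent from more than one site. The log entries, host names, cookie values and field names are constructed for illustration, and the "site" of a host is approximated by its last two labels.

```javascript
// Constructed sample: requests a browser made while loading pages on three sites.
// Hosts, cookie values and image sizes are invented for illustration.
const requestLog = [
  { page: "https://news.example/story", url: "https://news.example/style.css", cookie: "session=a1", type: "text/css" },
  { page: "https://news.example/story", url: "https://px.adnet.test/b.gif?ev=view", cookie: "uid=U-7731", type: "image/gif", width: 1, height: 1 },
  { page: "https://shop.example/cart", url: "https://px.adnet.test/b.gif?ev=cart", cookie: "uid=U-7731", type: "image/gif", width: 1, height: 1 },
  { page: "https://shop.example/cart", url: "https://cdn.shop.example/logo.png", cookie: "", type: "image/png", width: 200, height: 60 },
  { page: "https://blog.example/post", url: "https://stats.metrics.test/collect", cookie: "vid=V-0042", type: "application/json" },
  { page: "https://blog.example/post", url: "https://px.adnet.test/b.gif?ev=view", cookie: "uid=U-7731", type: "image/gif", width: 1, height: 1 },
];

// Simplification (assumption): the last two host labels stand for the "site".
// A production audit would use the Public Suffix List instead.
function siteOf(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// A request is third-party when it goes to a different site than the page.
function isThirdParty(entry) {
  return siteOf(entry.page) !== siteOf(entry.url);
}

// A web beacon here is a third-party image of at most 1x1 pixels.
function isBeacon(entry) {
  return isThirdParty(entry) && entry.type.startsWith("image/") &&
    entry.width <= 1 && entry.height <= 1;
}

// Group third-party requests by (tracker site, cookie value) and record
// which first-party sites each identifier was sent from.
function auditTrackers(log) {
  const seen = new Map();
  for (const entry of log) {
    if (!isThirdParty(entry) || !entry.cookie) continue;
    const key = siteOf(entry.url) + " " + entry.cookie;
    if (!seen.has(key)) {
      seen.set(key, { tracker: siteOf(entry.url), cookie: entry.cookie, sites: new Set(), beacons: 0 });
    }
    const rec = seen.get(key);
    rec.sites.add(siteOf(entry.page));
    if (isBeacon(entry)) rec.beacons += 1;
  }
  return [...seen.values()].map((r) => ({
    tracker: r.tracker,
    cookie: r.cookie,
    sites: [...r.sites].sort(),
    beacons: r.beacons,
    // The same identifier seen on several sites lets visits be linked into one profile.
    crossSite: r.sites.size > 1,
  }));
}

console.log(JSON.stringify(auditTrackers(requestLog), null, 2));
```

In this constructed log, one identifier reaches the same third party from all three sites, while the other third-party cookie is confined to a single site.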
Other spyware can secretly install itself on an Internet user’s computer by piggybacking on larger applications. Once installed, the spyware calls out to websites to send banner ads and other unsolicited material to the user, and it can report the user’s movements on the Internet to other computers. More information is available about intrusive software in Chapter 8.
Nearly 80 percent of global Internet users use Google Search and other Google services, making Google the world’s largest collector of online user data. Whatever Google does with its data has an enormous impact on online privacy. Most experts believe that Google possesses the largest collection of personal information in the world—more data on more people than any government agency. The nearest competitor is Facebook.
After Google acquired the advertising network DoubleClick in 2007, it began using behavioral targeting to help display more relevant ads based on users’ search activities and to target individuals as they move from one site to another to show them display or banner ads. Google allows tracking software on its search pages, and using DoubleClick, it can track users across the Internet. One of its programs enables advertisers to target ads based on the search histories of Google users, along with any other information the user submits to Google such as age, demographics, region, and web activities (such as blogging). Google’s AdSense program enables Google to help advertisers select keywords and design ads for various market segments based on search histories such as helping a clothing website create and test ads targeted at teenage females. Google now displays targeted ads on YouTube and Google mobile applications, and its DoubleClick ad network serves up targeted banner ads.
The United States has allowed businesses to gather transaction information generated in the marketplace and then use that information for other marketing purposes without obtaining the informed consent of the individual whose information is being used. These firms argue that when users agree to the sites’ terms of service, they are also agreeing to allow the site to collect information about their online activities. An opt-out model of informed consent permits the collection of personal information until the consumer specifically requests the data not to be collected. Privacy advocates would like to see wider use of an opt-in model of informed consent in which a business is prohibited from collecting any personal information unless the consumer specifically takes action to approve information collection and use. Here, the default option is no collection of user information.
The online industry has preferred self-regulation to privacy legislation for protecting consumers. Members of the advertising network industry, including Google’s DoubleClick, have created an industry association called the Network Advertising Initiative (NAI) to develop its own privacy policies to help consumers opt out of advertising network programs and provide consumers redress from abuses.
Individual firms such as Microsoft, Mozilla Foundation, Yahoo, and Google have recently adopted policies on their own in an effort to address public concern about tracking people online. Microsoft’s Internet Explorer 11 web browser was released in 2015 with the opt-out option as the default, but this was changed to opt-in by default because most websites ignored the request to opt out. Other browsers have opt-out options, but users need to turn them on, and most users fail to do this. AOL established an opt-out policy that allows users of its site to choose not to be tracked. Yahoo follows NAI guidelines and allows opt-out for tracking and web beacons (web bugs). Google has reduced retention time for tracking data.
In general, most Internet businesses do little to protect the privacy of their customers, and consumers do not do as much as they should to protect themselves. For commercial websites that depend on advertising to support themselves, most revenue derives from selling access to customer information. Of the companies that do post privacy policies on their websites, about half do not monitor their sites to ensure that they adhere to these policies. The vast majority of online customers claim they are concerned about online privacy, but fewer than half read the privacy statements on websites. In general, website privacy policies require a law degree to understand and are ambiguous about key terms (Laudon and Traver, 2019). Today, what firms such as Facebook and Google call a privacy policy is in fact a data use policy. The concept of privacy is associated with consumer rights, which firms do not wish to recognize. A data use policy simply tells customers how the information will be used without any mention of rights.
A group of students at the University of California at Berkeley conducted surveys of online users and of complaints filed with the FTC involving privacy issues. Some results showed that people feel they have no control over the information collected about them, and they don’t know to whom to complain. Websites collect all this information but do not let users have access, their policies are unclear, and they share data with affiliates but never identify who the affiliates are and how many there are. Web bug trackers are ubiquitous, and users are not informed of trackers on the pages they visit. The results of this study and others suggest that consumers want some controls on what personal information can be collected, what is done with the information, and the ability to opt out of the entire tracking enterprise. (The full report is available at knowprivacy.org.)
3. Technical Solutions
In addition to legislation, there are a few technologies that can protect user privacy during interactions with websites. Many of these tools are used for encrypting email, for making email or surfing activities appear anonymous, for preventing client computers from accepting cookies, or for detecting and eliminating spyware. For the most part, technical solutions have failed to protect users from being tracked as they move from one site to another.
Many browsers have Do Not Track options. For users who have selected the Do Not Track browser option, their browser will send a request to websites that the user’s behavior not be tracked, but websites are not obligated to honor these requests. There is no online advertising industry agreement on how to respond to Do Not Track requests nor, currently, any legislation requiring websites to stop tracking. Private browser encryption software or apps on mobile devices provide consumers a powerful opportunity to at least keep their messages private.
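The following is an added example, not part of the textbook: it applies the opt-in and opt-out consent models described earlier, together with the Do Not Track request described above, to one constructed set of visitors to show how the default decides who ends up tracked. The visitor records, the `choice` field and the rule that `DNT: 1` outranks a stored acceptance are assumptions of this example.

```javascript
// Consent models from the text: under opt-out, collection is allowed until
// the user objects; under opt-in, nothing is collected until the user agrees.
const OPT_IN = "opt-in";
const OPT_OUT = "opt-out";

// Browsers with Do Not Track enabled send the request header "DNT: 1".
// Header names are assumed to be lower-cased, as Node's http module does.
function sendsDoNotTrack(headers) {
  return String(headers["dnt"] || "").trim() === "1";
}

// visitor.choice is the decision recorded on this site (hypothetical field):
// "accepted", "declined", or undefined if the visitor never chose.
// honourDnt models the fact that sites are not obliged to respect the header.
function trackingDecision(visitor, model, honourDnt = true) {
  if (honourDnt && sendsDoNotTrack(visitor.headers)) {
    return { track: false, reason: "DNT: 1 honoured" };
  }
  if (visitor.choice === "declined") {
    return { track: false, reason: "user opted out" };
  }
  if (visitor.choice === "accepted") {
    return { track: true, reason: "user opted in" };
  }
  // No explicit choice: the consent model supplies the default.
  return model === OPT_OUT
    ? { track: true, reason: "opt-out default" }
    : { track: false, reason: "opt-in default" };
}

// Constructed visitors: most never make an explicit choice.
const visitors = [
  { name: "A", headers: {}, choice: undefined },
  { name: "B", headers: { dnt: "1" }, choice: undefined },
  { name: "C", headers: {}, choice: "accepted" },
  { name: "D", headers: {}, choice: "declined" },
  { name: "E", headers: { dnt: "1" }, choice: "accepted" },
  { name: "F", headers: {}, choice: undefined },
];

// Names of the visitors who would be tracked under a given policy.
function trackedUnder(model, population, honourDnt = true) {
  return population
    .filter((v) => trackingDecision(v, model, honourDnt).track)
    .map((v) => v.name);
}

console.log("opt-out, DNT honoured:", trackedUnder(OPT_OUT, visitors));
console.log("opt-in,  DNT honoured:", trackedUnder(OPT_IN, visitors));
console.log("opt-out, DNT ignored: ", trackedUnder(OPT_OUT, visitors, false));
```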
Source: Laudon Kenneth C., Laudon Jane Price (2020), Management Information Systems: Managing the Digital Firm, Pearson; 16th edition.