National Association of Attorneys General
Balancing Our Needs for Privacy and Security in the Digital Age
Gary Balch, United Kingdom Liaison Prosecutor to the U.S.-British Embassy; Hou-hsein Chung, Tainan District Prosecutor's Office, Taiwan; Snejana Maleeva, Southeast European Law Enforcement Center, Bulgaria; Maartje Nieuwenhuis, Dutch National Public Prosecutor's Office, Netherlands; and Steve Ruckman, Maryland Attorney General's Office
We live in a digital age, with Internet and mobile technology making it possible for people all over the world to connect in new and innovative ways never before possible. We are conducting more global trade and everyday domestic commerce online, powering more of our cities and governments through Internet-connected networks, and spending more and more of our lives - both public and private - at virtual meeting places.
All of this connectivity involves sharing huge amounts of data and personal information we previously stored in our filing cabinets, wallets and even private diaries. We share it willingly with private companies because doing so makes our working and private lives more convenient, but by sharing it we are also making it vulnerable to unwanted exposure or use. This creates a tension between us and the online providers on whom we increasingly rely; we want them to safeguard more of our private information online, but the online environment is inherently less secure. It also creates confusion over the information we share: Who owns it? Who is responsible for it? Who can allow it to be further shared or used?
These questions perplex private companies. They want to protect consumers' information, but also want to be good corporate citizens - assisting law enforcement with requests for that information (since law enforcement can no longer get it through old-fashioned searches). But they also do not want to offer assistance that will breach their customers' trust or expose them to unwanted liability.
These questions plague law enforcement as well. Before the proliferation of the Internet, when law enforcement officers needed to access a person's private belongings or communications, they could obtain a warrant to search that person's home or office or tap his phone. But now, these items might be stored "in the cloud," where the cloud could mean a server in another country, encrypted with a technology largely unknown to police. What used to be routine procedures are now highly complicated, inter-jurisdictional efforts. To make matters even more complicated, much of this potential evidence is now ephemeral - in the online environment, a key document or communication could be stored for only hours, minutes or even seconds. This problem is further compounded by the lack of mandated retention standards.
Existing statutes for law enforcement are not easily adaptable to this new landscape. For example, American laws regarding the search and seizure of stored emails no longer match how emails are stored and used. In other countries with laws that make it easy to obtain emails, the problems arise when those emails are hosted on servers in countries with stricter or more outdated laws. Similarly, existing laws were written to enable investigators to unlock physical, not digital, doors. Most countries lack clear legal authority to order suspects to hand over the encryption keys that now guard their valuable items.
Existing laws have also not kept pace with the collateral uses to which technologies can be put. Consumers now can track down a restaurant or business address with their mobile phones, but their mobile phones can also track them without their knowledge, and there are no clear rules limiting companies' and governments' abilities to use location-tracking technology, creating many potential privacy threats.
A Digital Privacy Bill of Rights
To better protect consumers' privacy in an age of information sharing, and to better help businesses and governments to respect that privacy while still succeeding, we need to identify rules of the road for the Information Superhighway. We need, in short, a digital privacy bill of rights. We have identified some critical rights below:
Consumers should have the right to know whether information is being collected about them online. When they choose to share/store their own information online, they also should have the right to know the who, what, when, and why of that information's collection by others. If the who is a first-party or third-party corporation, then consumers should have the right to know precisely whether their information is being collected as soon as possible. If the who is law enforcement, then consumers should still have the right to know whether their information is being collected as soon as possible, but not at the expense of an ongoing investigation.
Access, Correction and Deletion Rights
Consumers should have a right to access all the information being collected and stored about them. If that information is incorrect, they should be able to correct or delete it. If they no longer wish to share that information, consumers should be able to liberate it from the entity that collected it. Furthermore, all information collected about a person should be promptly deleted when it is no longer needed to serve the purpose for which it was collected.
Rights to Appropriate and Proportional Collection and Use
The information collected about consumers by private companies should only be used for the purpose under which it was collected (e.g., if a consumer provides his address in order to get directions, his address should only be used for that purpose). No more information should be collected than is reasonably necessary to achieve that purpose (e.g., a card game application should not collect a consumer's geolocation data). Sensitive information like religion or sexual orientation should never be collected unless the consumer provides informed consent.
Consumers should have the right to affirmatively approve or disapprove the sale of their already-collected information to a third party. Also, when already-collected information is shared for free with another company, consumers should be promptly notified of that sharing, and wherever possible that data should not be shared without their informed consent. When prompt notification is not possible -- for example, when that information is being shared with law enforcement as part of an investigation -- the sharing should only occur by court order, and the consumer should be notified as soon as possible after that particular investigative objective has been met.
Consumers should have the right to know how their information is being stored and secured. If the security of their information is compromised, they should be notified as soon as possible and the responsible party should take steps to help them prevent the misuse of that information or face penalties. If a consumer's information is lost, the responsible party should compensate the consumer for that loss.
Due Process Rights
If law enforcement needs to collect personal information without a consumer's consent, the consumer should be able to take steps to prevent that collection if unwarranted and complain and seek damages if that collection was unlawful.
These rights all stem from the notions of control and consent. Consumers' privacy will be best protected if they have control over their private information and the ability to offer informed consent for how it is used by others.
Additional Privacy Protections for Children Online
Because children do not have a fully developed understanding of what information should be kept private and what could be shared online, businesses and governments should take additional precautions to protect children's private information. For example, an adult should not be haunted by embarrassing or regrettable postings, photos, or videos that he or she shared online as a child.
Parental Notice and Consent Rights
Parents and legal guardians should be given prominent notice of, and an opportunity to consent to, the collection of information from and about their children.
Expanded Deletion Rights
Until they reach their country's legal age of majority, children should be able to delete any piece of information collected about them and any piece of information they share with a first party. For example, a child should be able to delete any previous social media posting from a social media website, and that website should be required to delete any copies it has of that posting. Also, a government agency should not keep information about children into adulthood. In the Netherlands, for example, juvenile records are cleared at age 18. The same should be true for all personal information stored about children online.
Rights against Anonymous Hate
Parents or legal guardians should have the right to compel Internet Service Providers (ISPs) and applications to remove hateful content posted about their children online. Although anonymous speech is protected for adults, even if obscene or hateful, it should not be protected when intentionally directed against children.
The above rights reflect the unique vulnerability of children in cyberspace and the importance of protecting their privacy and safety.
How Should These Rights Be Reflected in Privacy Policies?
Privacy policies are the main method companies use to inform consumers of their privacy rights when using a particular online product or service. Accordingly, they need to be crafted in ways that are sensitive to the rights outlined above. Here are some guidelines:
- Post the policy clearly and conspicuously (e.g., make it accessible from the home page of a website).
- Write the policy in plain language so that the average person can understand it.
- Before a consumer can sign up to use a particular online product or service, require that consumer to read and affirmatively consent to the policy (opt-in consent by default).
- Require the consumer to read and affirmatively consent to any material changes to the policy before they are implemented.
Protecting privacy and ensuring security in the digital age is a delicate balancing act -- one that requires the cooperation of citizens, industry and government. As more citizens rely on cyber technology to protect their personal information, more companies rely on it to provide wanted services, and more governments rely on it to advance justice, cybersecurity will become a larger and larger risk. In addressing that risk we have to balance the desire for improved security - including improved law enforcement - with the desire for strong privacy protection.
How best to balance these competing desires is an ever-evolving discussion. This discussion is valuable, but it must not be used to delay action. The longer we wait, the more difficult these issues will be to address - for companies, law enforcement officers and consumers alike.
The best way forward is to reach initial policy and legal decisions that give predictability to users of the Internet and mobile devices, and to refine those decisions as we learn how they impact consumer privacy, corporate efforts to respect consumer privacy and effective law enforcement. New legislation is needed to tackle these challenges, and our countries need to lead the way. As they say in the Netherlands, "Geen tijd te verliezen!" - There is no time to lose!