Home / Privacy Resources / Article Search / May 2001

May 2001

PrivaTalk

May 2001
Volume 1
Issue 4

Privacy Seals – Do you Need One?

On-line businesses have a problem: Consumers will shun Internet companies that misuse their personal information, but in the virtual world, its hard to tell the good guys from the bad. What do you do to let your Web site visitors know that you protect personal information? You can vouch for yourself – post a clear privacy policy saying what you do with the information you collect. Such formal commitments, along with the information-handling practices that support them, are required by Canada’s new privacy law, and the Federal Trade Commission in the U.S. has on a number of occasions, sanctioned violators for unfair trade practices.

Alternatively, you can get someone else to certify your good intentions with a privacy seal on your site. Privacy seal programs sell their “brand” of business integrity. But are privacy seal worthwhile? Here’s a quick look at the ones out there:

The Better Business Bureau, PricewaterhouseCoopers and the TRUSTe offer BBBOnline, BetterWeb and the trustmark seals respectively. These seals involve a privacy policy self-assessment – the company buying the seal makes a pledge to adhere to an approved privacy policy, but there is no independent checking of the company’s procedures. The policies are monitored regularly and may even be subject to random spot checks. The BBBOnline seal ranges from $350 to $7,500 (CDN) a year based on annual revenues, the BetterWeb seal costs $22,500 (CDN) a year since you’re paying for the PWC name, and TRUSTe ranges from $450 to $10,000 (CDN) annually based on annual revenues.

The WebTrust certification program and seal is administered by CAs (in Canada) and CPAs (in the United States) and is based on a comprehensive audit of e-commerce sites and the practices behind them. The audits occurs at least every 6 months and the cost varies significantly depending on the size and complexity of the business – the initial cost can range from $6,000 to $100,000 (CDN). WebTrust requires an audit opinion signed by a professional CA or CPA, who is licensed to issue WebTrust seals and must follow specific standards of professional ethics.

There are a large number of other less popular seals: SecureAssure is delivered to companies that sign an agreement to comply with privacy principles and costs from $300 to $3,500 (CDN) based on annual revenues. PrivacyBot has automated privacy policy review that costs about $50. These are one time fees since there is no on-going monitoring of practices or policies.

The criteria behind these seals vary significantly and most consumers do not know what those differences are. There have also been problems with privacy seals – for example, several sites posting the trustmark seal had significant privacy breaches in 2000. TRUSTe has also been criticized because it is sponsored by some of the major Internet companies, including America Online, Microsoft and Intel, all of whom have had very public privacy problems. TRUSTe gave no indication that it was going to investigate and showed no concern about the privacy invasions.

Prominent business organizations such as BBB and the Association of European Chambers of Commerce recently joined forces to begin creating an international seal that on-line companies can use to show they adhere to voluntary standards.

The support that privacy seals are receiving in the States by large Internet businesses is based primarily on attempts to deflect moves in Congress to pass legislation protecting consumers against abuse of personal information by demonstrating that self-regulation works. Until Web companies do a better job of safeguarding privacy, or the U.S. Congress intervenes to make them do so, privacy-suspicious consumers will look for reassurances that businesses on-line can be trusted. Studies suggest that privacy seals reassure such consumers. However, in the long run, it makes more sense for companies to post clear privacy policies and for consumers to read these assurances rather than attempting to understand seal criteria. Web sites with 42 different seals will not be helpful. With hopefully consistent privacy laws appearing across Canada, companies will be forced to be open about their practices. The privacy policy is thus what really counts at the end of the day as long as consumers can be made to feel confident that the organization is compliant with the requirements of the privacy law.

The Application of Bill C-6 to “Commercial Activities”

The Personal Information Protection and Electronic Documents Act, otherwise known as Bill C-6, defines a "commercial activity" as: “Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” The law applies to every organization that collects, uses or discloses personal information in the course of commercial activities.

The definition of “commercial activity” is key to understanding the scope of the Act. The definition, while helpful, is also somewhat circular and continues to be a source of concern for many types of organizations. For example, within the health sector, many services are now provided by health care providers operating on a commercial fee-for-service basis. The time that would be required by the health sector to prepare for the law was a major factor in the Senate decision to delay the application of the legislation to “personal health information” till January 1, 2002.

In the educational sector, a distinction has been made between publicly supported universities or colleges and private training institutions, despite the fact that both types of institutions charge tuition fees and may use student information in similar ways. In the legal profession, constitutional expert and former Deputy Minister of Justice Roger Tasse suggested in his testimony to the Standing Senate Committee on Social Affairs, Science and Technology on December 6, 1999 that some types of professional services offered to the public by lawyers (such as pro forma legal forms available on the Internet) may eventually be deemed by the courts to be a form of commerce rather than a professional service.

Case law (such as the Hearst case found at (1983), 143 D.L.R. (3d) 590 (S.C.C.)), suggests that if the predominant purpose of an organization is not the making of a profit, then the organization is not carrying on business or engaging in a commercial activity. On the other extreme, in the case of Re Canada Labour Code ([1992] 2 S.C.R. 50), the majority of the Supreme Court of Canada found that the nature and purpose of an activity are interrelated – the purpose should not predominate because this would mean that every non-profit-centred act by commercial agents would be a commercial activity. The purpose of the activity (that is whether the purpose was predominantly to make a profit) throws light on the nature of the activity and puts it into context.

Bill C-6 sits between these two extremes with its definition of “commercial activity”. The predominate purpose of making a profit places the organization within the purview of the law, however, if a profit-centred activity is engaged in by an organization whose overall purpose is not to make a profit, that activity also falls within the scope of the legislation. In the words of Bill C-6, any organization that is carrying on business and collects, uses, or discloses personal information in the course of doing business would be bound by the law for all its activities. On the other hand, if an organization is not a commercial business (such as a not-for-profit or an educational institution), its regular activities would not be subject to the law because they are not of a commercial character. However, if that organization from time to time engages in the selling of its donor or membership lists, for example, or a graduate list in the case of an educational institution, that particular transaction would be subject to the Act.

It seems that the best route to take in determining whether a commercial activity is involved is to ask the following questions:

1) Is the making of a profit the larger goal of the organization which is engaging in the collection, use or disclosure of the information? [This focuses on the ultimate purpose].

If the answer is “yes”, there is a commercial activity. If the answer is “no” or is not clear, the following question should be asked:

2) Is there an expectation of profit in engaging in the collection, use or disclosure of the personal information? That is, is the very nature of the activity commercial? (e.g. the selling of a list).

If the answer is “yes”, there is a commercial activity. If the answer is “no”, there is no commercial activity involved. This contextual approach will need to undertaken on a case by case basis. Whether a reasonable person would consider the activity in question to be a commercial activity must be kept in mind.





Alberta’s New Health Information Act

The Alberta government's controversial Health Information Act finally became law at the end of April 2001. The Act, which was passed by the legislature in the Fall of 1999, creates a database of the health records of all Albertans. The information can be shared with the health department, regional health authorities and other health professionals. Thus the Act applies to everyone who is part of Alberta’s publicly funded health system.

The legislation attempts to ensure that the rules about the collection, use and sharing of health information are clear to all Albertans. The Act is designed to make the health system more efficient and at the same time requires custodians, those responsible for maintaining and protecting health information, to explain to individuals why certain information is being collected. People will be asked to give their consent before their health information can be disclosed for certain purposes. Albertans will also have a right to review their personal health information and ask for copies, for explanations, or for changes to be made.

The government created a six month grace period in response to concerns about the legislation and to give health agencies and physicians time to comply.

Individuals can take a variety of specific concerns to Alberta’s Information and Privacy Commissioner for review including any difficulties in accessing their own information, or how a custodian collects, uses or discloses health information.
The Act provides for penalties of up to $50,000 if the rules are broken.

The Liberals and New Democrats opposed the legislation, saying a person's private health records could fall into the wrong hands, such as insurance companies. Meanwhile police fear they won't be able to share health information about a possible suspect unless there is a warrant out for his or her arrest.

The legislation specifically calls for a review within three years, and that must include a review of whether and how the legislation should be extended to apply to other public and to private sector organizations.

Regardless of the opposition to the new law, Alberta has done a great job of balancing the health sector’s need for the free flow of comprehensive health information, and the privacy concerns of Albertans given the sensitivity of health information.

Data Protection Legislation Talks around the World

Japan’s Cabinet approved a privacy protection bill designed to set a legal framework to regulate the acquisition and dissemination of personal information for commercial use in the private sector.

Officials say the government hopes to enforce the law by spring 2003. The proposed legislation stipulates five basic principles for the collection of personal information, requiring that information-gathering be conducted fairly and with transparency and that personal information cannot be used other than for the purposes specified.

The law would ban the transfer of personal information to a third party without consent from the individual involved. Entities that collect personal information about a particular person would, at the request of that individual, be obliged to release the information, correct mistaken data or stop further dissemination of information concerning that person. Providers of personal information would also be required to set up a system to handle public complaints and make swift responses.

Government agencies would be empowered by the proposed legislation to issue directives over the use of personal information and, if necessary, punish offenders. Failure to comply with the administrative instructions could result in a prison sentence of up to six months, or a fine of up to 300,000 yen.

The Japan Newspaper Publishers & Editors Association has urged the government to exempt the news media from the restrictions on collection, arguing that the guidelines could impede the media from performing its duties and interfere with the public's right to know. The draft legislation provides no special consideration for the press with respect to the basic principles of information-gathering. The news media, however, would be exempted from the requirements on the release of information and other rules that would be imposed on entities that collect personal information for commercial gain. The same privilege would also apply to the gathering of personal information in connection with academic research as well as religious and political activities.

Legislative initiatives to safeguard personal privacy are being formalize in many other parts of the world. For example, the Personal Data Protection Act of Malaysia is currently in draft form. The Act will regulate the collection, holding, processing and use of personal data by any person. People who obtain personal information from hackers and then sell it, will face up to a three year jail term or a fine of 200,000 ringgit or both. If a company commits a data offence, its top officials could also be liable unless they can prove they knew nothing about the hacking. The draft law provides for the appointment of a commissioner for personal data protection to enforce it.

South Africa plans to introduce a long-awaited electronic-commerce law by the end of the year that will deal with a wide range of issues including consumer protection and privacy, how to tax electronic transactions and fight cybercrime, and ways to protect intellectual property. It will also likely include incentives to encourage broader Web access.

There has been growing interest in Washington in passing a bill to mandate greater protection for Americans’ privacy, but legislative initiatives are facing severe opposition from American businesses.

Privacy is a global issue that countries are individually grappling with. Companies doing business in more than one country will face complex compliance issues. If international data protection standards are respected by all countries, conflicts between legal regimes are less likely to occur.

Study shows Cookies are Not Disabled

Web Side Story released the results of their survey at the beginning of April and found that only about seven out of 1,000 Internet surfers reject cookies, those little data files that Web sites store on computer hard drives, often to record users’ preferences and to track their activities.

Web Side Story found in a review of more than 1 billion page views of the most visited Web sites that cookies were disabled just 0.68 percent of the time. Does such a low cookie rejection rate mean that setting a browser to disable cookies is too difficult, or that 99.3 percent of Internet users don't care about the potential tracking and sharing of their personal information through cookies?

Web Side Story chief privacy officer Randy Broberg suggested the study results show that there is little concern about cookies. However, if cookies are properly explained to Internet users, users may choose disable them in certain situations.

Surfers' options to block out cookies are limited on some browsers and cookies are required as a "condition of entry" to some Web sites. Surfing without cookies is difficult and annoying due to constant pop-up messages asking for cookies to be turned on. Many Web site privacy policies offer one solution to cookie concerns – turn them off. However, that would make surfing the Net almost impossible. What companies should be doing is explaining how they use cookies and what the implications of such uses are for the surfer. There are harmless usages of cookies from a privacy standpoint that are in fact crucial to security, such as the use of session cookies for login purposes. When a user logs in, often times an arbitrary value is placed on the user’s computer that uniquely identifies them and enables them to go to other pages on the site without re-entering their login ID and password. As soon as the user closes down their browser, the cookie is erased from the computer.

Andrew Cervantes, chief operating officer of the Privacy Foundation, said computer users find the process of blocking cookies "too much of a hassle." Microsoft touts its new Explorer 6 browser as having a more flexible cookie
management system that gives users more control over their personal information. However, Explorer 6 is designed to "silently" accept third-party cookies for companies that claim to offer an opt-out from tracking. Many surfers will not know how to opt out in any case. The Web site owner itself must take responsibility and clearly disclose their cookie practices on their site.


Face Recognition Technology causes Privacy Concerns

Face recognition technology – a powerful tool that is able to deter terrorists and thieves alike – is being used today in a number of contexts.

Tampa, Florida security forces recently used powerful video-surveillance equipment to secretly digitize and instantaneously compare 100,000 Super Bowl fans with 1,700 images of suspected felons stored in a police data bank. The Winter Olympics in Utah and the Summer Games in Athens may do likewise.

Police in Los Angeles have used the system and the U.S. Department of Defence is researching a specialized version to protect embassies and military bases. Colorado may deploy it to identify phony applications for driver licenses. Uganda plans to use it against voter fraud. In the private sector, the Stratosphere in Las Vegas installed the technology to catch casino cheats. Casinos around the world have been using the technology for some time.

Face recognition technology combines the standard mug shot, police lineup, and highly sophisticated biometrics that measure distances and angles between facial features. Cameras instantaneously transmit images to a central data
bank, where a specialist can compare those images with those in the computer.

Those who make the systems are eager to sell them to security-conscious convenience stores, malls and banks for about U.S. $50,000. The industry boasts that the system is so secure it will replace computer passwords, ATM personal identification numbers and keys. The International Biometric Industry Association adopted Privacy Principles in 1999 that were intended to encourage biometric manufacturers, integrators and end users to ensure that biometric data cannot be misused.

But civil libertarians and privacy-rights advocates remain wary. They see more than just irritating intrusions. False arrests are a threat. And, much like the FBI photographed anti-war protesters, the new technology could be
used to monitor perfectly legal activities.

Largely ignored until the Super Bowl, the technology suddenly has become the latest battleground in a worldwide debate over the delicate balance between public safety and civil rights.

Many downplay the privacy concerns associated with face recognition technology, saying that the public has become accustomed to surveillance cameras at the gas station, corner market and doughnut store for some time. Others, though, compare face recognition technology with DNA samples and fingerprints – one more tool the police can add to their kit.

In the end, the future of face recognition technology as a widespread commercial venture may come down to public acceptance. Unlike the video security cameras at banks and convenience stores that merely record, biometrics seek to identify.

It is clear that the more information a country has on its citizens, the more potential there is for abuse. The problem is that the technology is evolving at the speed of light, while American legislators who want to impose some rules expect to find intense opposition from businesses and others. Several bills on the issue where quietly killed in the last session. However, Canada is much more legislation friendly. For example, in Ontario, the Social Assistance Reform Act of 1997 established minimum standards governing how biometric data used to identify social assistance applicants is gathered, stored and disseminated. Legislative efforts in this area reflect the core privacy values of a government and the extent to which these values will be compromised in order to deter crime.