PrivaTalk - May 2002

May 2002
Volume 2
Issue 5

DoubleClick Agrees to Settle Privacy Litigation

Internet advertiser DoubleClick has agreed to pay legal fees and costs of up to $1.8 million to 31 law firms to settle federal and state litigation against the company surrounding online privacy. The agreement, which will result in the dismissal of charges filed in January 2001, requires DoubleClick to take actions to protect consumer privacy over a two-year period, including a public education effort, purging of old consumer information, and adherence to an enhanced privacy policy. The education effort will involve serving 300 million banner ads with information for consumers about Internet privacy, and the new privacy policy will include better disclosure of how data will be used by DoubleClick. The company has agreed not to combine the names, addresses, and other identifiable information about Web site visitors with anonymous marketing data without telling users.

The agreement shows how private litigants can affect a company’s privacy practices. The main goal of the litigation was to ensure that there is a strong set of protections in the event DoubleClick attempts to merge clickstream and personal information. In addition to changing its data handling practices, as noted above, DoubleClick also said it will purge the online data it obtained during the course of testing the manner in which on-line and off-line data could be merged. DoubleClick has said that it would allow an independent auditor to conduct annual reviews for the next two years to ensure its compliance with the terms of the settlement.

DoubleClick’s legal proceedings began after it acquired direct marketing firm Abacus Direct Corporation in 1999 and announced plans to link Abacus’s database of names and addresses with DoubleClick’s database of Internet user behaviour. The company reversed course after a firestorm of criticism from privacy and consumer rights organizations. In 2001, the FTC dropped its investigation into the data collection practices of DoubleClick. In March 2001, a federal judge in New York dismissed three privacy-related lawsuits against DoubleClick; however, the plaintiffs intended to appeal the ruling. As part of the settlement, the plaintiffs will drop the appeal and their pending suits in state courts in Texas and California.

The Electronic Privacy Information Center (EPIC), a privacy rights group, is considering opposing the settlement over some of its terms, such as a provision requiring that DoubleClick cookies expire within five years – two years after users typically change computers. Also, the deal doesn't prevent DoubleClick from creating and selling profiles of Web surfers without their knowledge.

The settlement may encourage lawsuits, but it doesn’t create laws that protect individuals’ privacy more fully. Without clear laws in place, the litigants weren't certified as a “class” for purposes of the case, and thus the ability to seek individual damage awards was limited. If there had been class certification, any settlement or resolution of this case would have been far more costly. There have been fears among some industry groups that privacy litigation could ultimately become a multibillion-dollar industry, not dissimilar from tobacco litigation, if large numbers of people are given class action status. However, without laws in place that regulate DoubleClick’s activities in the United States and give private litigants clear privacy rights, it may be difficult to bring forward class action suits. A class action suit for a privacy violation by an Internet advertising company is in fact more likely in Canada, where litigants have or will soon have legislation in place to protect them.



A Legal Opinion on Security Cameras in Kelowna

For months now, Privacy Commissioner George Radwanski has fought to have the Royal Canadian Mounted Police camera mounted at a busy public intersection in Kelowna, British Columbia removed on the grounds that it intrudes on citizens’ right to privacy. Radwanski's most recent support could lead to Canada outlawing public surveillance cameras entirely.

A new report from a former Supreme Court of Canada judge, Gerard La Forest, claims the use of public surveillance cameras violates the Canadian Charter of Rights and Freedoms. The report, commissioned by Radwanski, can be found at http://www.privcom.gc.ca/media/nr-c/opinion_020410_e.asp .

In his lengthy report, Justice Gerard La Forest writes that comprehensive and continuous video surveillance permits the police to systematically observe everyone present within the camera’s range. He says the camera violates section 8 of the Charter, which guarantees a “broad and general right” to privacy, as laid out by Justice Dickson in Hunter vs. Southam. Section 8 of the Charter states: “Everyone has the right to be secure against unreasonable search or seizure.” Any invasion of a reasonable expectation of privacy is by definition a “search” and thus violates section 8 of the Charter. The surveillance of specific individuals in public places may be permissible. There may also be circumstances where limited forms of general surveillance are justified, for example at a high security event.

“This type of video surveillance is equivalent to having individual police officers closely follow, 24 hours a day, every person within a certain geographical space,” La Forest wrote. “That would be a police state, not a free society.”

The downtown Kelowna camera was installed in February 2001 and ran 24 hours a day until June of 2001 when British Columbia’s Information and Privacy Commissioner complained to Radwanski about it. Currently, the camera is only switched on if police have a specific concern.

In the Kelowna case and most other video surveillance programs, notices are posted warning that the area may be monitored. But La Forest states that this should not be permitted to efface a reasonable expectation of privacy. I would argue that if the notice is clear to the average citizen, the expectation of privacy is somewhat reduced.

While La Forest’s report only qualifies as an opinion, it could become the basis for a successful legal challenge to the use of the surveillance camera in Kelowna. If that happens, other police forces will have to take down security cameras across Canada, ranging from red light cameras to other municipally operated security cameras.

Solicitor General Lawrence MacAulay has been resisting the Commissioner’s pressure to have the camera removed and has refused to even acknowledge jurisdiction over the camera, claiming the RCMP are under contract to the municipality.

In his opinion, La Forest said the RCMP are subject to the authority of the Solicitor General and that the Supreme Court of Canada has “repeatedly held that in matters relating to the ‘administration and management’ of the force, the federal government has exclusive jurisdiction.”

The Charter-type question of whether individuals have a reasonable expectation of privacy is not one that is generally used when assessing whether surveillance cameras used by the private sector, for example, by banks and department stores, violate individuals’ right to privacy. However, the same test should play an important role in assessing surveillance activities in the private sector. Determining whether there is a reasonable expectation of privacy in a particular situation is an objective test – what is the standard of privacy that people can expect to enjoy in a free and democratic society? Whether a person has a subjective expectation of privacy is only a factor in some circumstances. La Forest’s opinion should have an effect on private sector video surveillance involving continuous recordings because if there is a reasonable expectation of privacy, for example, in a department store’s bathroom stalls, a complaint against surveillance is sure to follow.


A Privacy Review of Ontario’s Primary Care Reform Project

A review by Ontario’s Information and Privacy Commissioner of the Chatham-Kent IT Transition Pilot Project, following allegations of potential privacy problems, has concluded that the project was safeguarding, and continues to safeguard, the personal medical information used in the project. The Commissioner’s report, entitled “Privacy Review: Chatham-Kent IT Transition Pilot Project”, can be found at http://www.ipc.on.ca/english/pubpres/reports/042202.htm.

In May 1998, the Ministry of Health and Long-Term Care (MOHLTC) and the Ontario Medical Association (OMA) launched a pilot project to reform primary care in Ontario. Primary care is the first level of contact that a patient has with the health care system.

The pilot project involved setting up primary care networks (PCNs) -- groups of doctors, nurses and other health professionals who deliver primary care to patients. Under this model, patients are enrolled or “rostered” with a specific PCN. Except for emergency situations, patients agree to see only their family doctor or other doctors within the PCN for primary care medical advice or treatment. Currently, there are 14 PCNs in Ontario. Thirteen of these PCNs, including one in Chatham-Kent, are pilot project sites.

A key component of primary care reform is the use of information technology to deliver health care services to patients in a more effective manner. The Ontario government is investing $250 million to support family health networks, including $150 million for information technology. The MOHLTC, the OFHN (Ontario Family Health Networks) and the OMA are also collaborating on a three-year “ePhysician Project” that will support the use of information technology in primary care reform. The OFHN is providing the ePhysician Project with office space and other support services.

Smart Systems for Health (SSH), an office within the MOHLTC, is providing secure infrastructure for the collection, storage, transmission and exchange of personal health information within the Chatham-Kent project, including a secure server environment for hosting personal health information, a high-speed digital network protected by encryption technology and virtual private network software, a secure authentication process for the physicians and their staff and encrypted e-mail within the group of physicians.

The Chatham-Kent pilot project went live on November 1, 2001 with little public fanfare. However, in late November and early December 2001, a reporter with The Globe and Mail contacted the Information and Privacy Commissioner of Ontario (IPC). The reporter informed the Commissioner that a source had provided him with internal SSH documents. The documents allegedly contained evidence that the personal health information of patients involved in the Chatham-Kent project was not being adequately protected.

The Commissioner's review has determined that:

- Although The Globe and Mail reported that three unencrypted backup tapes containing personal medical records had been taken home by a technician and lost, upon the IPC’s investigation, no tapes were lost and all of them have been accounted for.

- Smart Systems for Health (SSH), an office within the Ministry of Health and Long-Term Care, has taken adequate steps to protect the personal health information of Chatham-Kent residents.

Commissioner Ann Cavoukian, however, citing the rapid pace of technological development, is recommending that additional steps be taken. “When it comes to personal health information, arguably the most sensitive type of personal information available, the highest levels of security are required.”

The following are among the recommendations she makes in her report:

- Before the use of information technology is expanded to other Family Health Networks in Ontario, the ePhysician project and SSH should examine the use of privacy enhancing technologies, including strong encryption, to protect personal health information. This is particularly relevant given the rapid developments in this sector.

- The ePhysician project should prepare a patient information fact sheet on the Chatham-Kent IT transition pilot project. The fact sheet should be written in plain language and posted on the Ontario Family Health Networks Web site. Hard copies of the fact sheet could also be made available in the physicians’ offices in Chatham-Kent.

The Commissioner praised SSH, officials with the ePhysician project, the two Chatham doctors who were interviewed and everyone involved in the review, for the co-operation they provided.


Hong Kong’s Draft Employee Privacy Code

The Privacy Commissioner for Personal Data in Hong Kong, Raymond Tang, issued a draft Code of Practice on Monitoring and Personal Data Privacy at Work, which is intended to provide guidelines for monitoring and recording the activities and behaviours of employees at work. Currently, there is no legal framework regulating monitoring activities in the workplace in Hong Kong, and employers are able to deploy devices and technologies to keep track of employees’ communications and behaviour without any restrictions. Under the draft code, very stringent restrictions would be imposed on such practices.

For instance, employers can install surveillance cameras and other devices or technologies to log the contents of e-mails and phone calls made and received by employees, as well as the Web content they browse. Under the draft code, employers are liable for criminal prosecution if they monitor their staff without first having evidence of criminal activities or serious misconduct.

According to the proposal, employers would only be permitted to carry out selective checks made on a random basis, rather than continuous or universal monitoring. Even if employers have sufficient grounds for monitoring employee behaviour, they are required to document and notify employees in writing of the exceptional circumstances under which continuous or universal monitoring may be justified.

Despite the fact that the draft code allows the use of surveillance cameras and devices that record and log e-mails and telephone conversations, all employers are required to inform employees of such practices. According to the findings of the Privacy Commissioner’s 2001 data users survey, merely 22% of the companies surveyed had notified employees of the use of monitoring equipment and technologies.

Strict restrictions will also be imposed on the types of data that employers can collect. For instance, the draft code suggested that in e-mail monitoring, employers should not retrieve and access the content of stored e-mail messages. The only justification for accessing e-mail content will be grounds for believing there are criminal activities on the part of staff.

Under the draft code, virus prevention will never be a reason to check e-mail contents, as the code stipulates that anti-virus software, not e-mail content monitoring, is the proper way to fight virus attacks. The same also applies to the monitoring of computer usage. According to the draft code, employers will merely be permitted to measure the amount of time spent on accessing the Internet and should refrain from monitoring sites visited or content browsed. The draft code also requires that records of employee communications and behaviour can only be kept for six months.

The draft code is an important step toward better protection of employee privacy. The Privacy Commissioner, in addition to the draft code, will also need to be proactive in educating employers to make their privacy practices known to employees. Lessons can be learned from Canada and the United States, where a recent study conducted by Harris Interactive showed that the vast majority of employees feel that the companies they work for are pretty good at protecting their personal information, though most say their employers could do a better job at communicating their policies on personal employee data and workplace security.

The Hong Kong employee privacy code will be open for public consultation until early June 2002 and can be found at http://www.pco.org.hk/ .




On-line Privacy Study Reveals Web Sites’ Privacy Practices are Improving

A new study of on-line privacy policies commissioned by the Progress & Freedom Foundation evaluated the privacy practices of the 85 busiest sites (according to Nielsen/NetRatings), as well as a random sample of approximately 300 smaller sites. The study was carried out in December 2001 and was the fourth in a series of surveys of the privacy practices of commercial Web sites on the Internet, dating back to 1998. It is designed to be directly comparable to the results from the most recent U.S. Federal Trade Commission survey of Web sites, published in May 2000.

The survey revealed a continuing evolution in the privacy practices and policies of commercial Web sites. The following are its most interesting findings:

Web sites are collecting less information than they were two years ago. Among the most popular domains, for example, the proportion of sites collecting personally identifying information other than e-mail addresses fell from 96 percent to 84 percent, and it fell from 87 percent to 74 percent for sites in the random sample. By every relevant measure, the extent of on-line information collection has declined since May 2000.

Fewer Web sites utilize third-party cookies. Another form of information collection, the use of third-party cookies to track surfing behavior across multiple Web sites, is also down significantly. The proportion of Web sites that utilize third party cookies fell from 78 percent to 48 percent for the most popular group and from 57 percent to 25 percent for the random sample.

Privacy notices are more prevalent, more prominent and more complete. Practically all of the most popular domains and 83 percent of the random sample sites provide some privacy disclosure, similar to 2000. However, substantially more of the random sample domains provide a privacy policy comprehensively stating how they handle consumer information. Overall, privacy notices tend to provide more information and are more likely to be accessible from a site’s home page.

In general, consumers have more opportunities to choose how their personal information is used. For example, the percentage of the most popular sites that offer choice over sharing consumer information with third parties – a key consumer concern – jumped from 77 percent to 93 percent. By contrast, there was little change in the availability of choice for internal use of personally identifying information (e.g., use by the Web site operator to send further communications), though such choice continues to be offered by 71 percent of sites in the random sample and 89 percent of sites in the most popular group.

More sites offer opt-in; fewer offer opt-out. For choice over third-party use, opt-in consent more than doubled from 15 percent to 32 percent among the most popular domains, while opt-out fell from 49 percent to 30 percent. In the random sample opt-in increased from 11 percent to 18 percent, while opt-out declined from 59 percent to 53 percent.

More sites offer a combination of fair information practice elements. The proportion of Web sites that provide a combination of notice, modified choice and security has increased both among the random sample and the most popular domains. Most striking is the fact that 80 percent of the most popular domains now provide all three elements, up from 63 percent in the 2000 survey.

P3P adoption is off to a rapid start, but adoption of seal programs is growing relatively slowly. Although P3P-enabled browsers were only available late last summer, one-quarter of the most popular domains and five percent of the random sample domains have already implemented this technology. Privacy seal programs, on the other hand, do not appear to be making major strides: the proportion of random sample sites displaying seals increased from eight percent to 12 percent, while the proportion in the most popular group remains essentially unchanged.

The results of this survey suggest that the privacy practices and policies of commercial Web sites are continuing to evolve and, by at least some criteria, to improve. Notably, some of the most significant changes are in the areas that have been identified as raising the greatest concerns for consumers – such as the use of third-party cookies and third-party sharing of information.

The Progress & Freedom Foundation survey can be downloaded at: http://www.pandab.org/pffsurveyreport.pdf .



IBM and AT&T Offer Free Internet Privacy Tools

Technology giants AT&T and IBM are introducing new tools that promote the Platform for Privacy Preferences standard (P3P), and are also likely to prompt marketers to think more seriously about on-line privacy. P3P is a standard designed by a working group composed of privacy advocates, Web technology leaders, data protection commissioners and global e-commerce companies. To find out more about P3P, see the Technology to the Rescue article in the April 2001 issue of PrivaTalk. P3P uses XML, a machine-readable language, for describing privacy policies and attempts to give users more control over the use of their personal information by the Web sites they visit. Web sites translate their privacy policies into P3P’s dialect, enumerating key characteristics such as whether the site tracks its users’ movements or shares data with partners. Once codified according to P3P’s rules, the policy becomes part of the computer code that makes up the Web sites’ individual pages. By specifying their privacy preferences through a P3P-enabled Internet browser, users can rely upon their browsers to ensure they are warned when they hit Web pages that don’t meet their preferences.

AT&T Research Labs has introduced Privacy Bird, an application that detects whether a site’s privacy policies are compliant with the P3P standard. Additionally, the application tells users whether sites match their specified privacy settings. The application places an icon of a bird in users’ toolbars. If a user visits a site that has a P3P privacy policy out of line with the user’s preferences, then the bird icon shows an alert. Similarly, if the user visits a site without a P3P policy, the bird shows a warning. To find out more about Privacy Bird, visit http://www.privacybird.com/.
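The policy-versus-preference check described above can be sketched as follows. This is an added example, not Privacy Bird's own code: the sample policy and the `USER_PREFS` preference model are constructed for illustration (real user agents use richer rule languages), while the element names come from the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Constructed sample policy: clickstream data, used for profiling,
# shared with unrelated third parties and kept indefinitely.
SAMPLE_POLICY = """\
<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="constructed-sample">
  <STATEMENT>
    <PURPOSE><current/><individual-analysis/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Hypothetical user preferences: P3P values the user does not accept.
USER_PREFS = {
    "PURPOSE": {"individual-analysis", "individual-decision", "telemarketing"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}


def _values(statement, tag):
    """Return the value element names under e.g. <PURPOSE> in one statement."""
    found = set()
    for parent in statement.findall(P3P_NS + tag):
        for child in parent:
            found.add(child.tag.split("}")[-1])
    return found


def evaluate(policy_xml, prefs):
    """Return (status, reasons): 'warning' if there is no usable policy,
    'alert' if it conflicts with the preferences, otherwise 'match'."""
    if not policy_xml:
        return "warning", ["site has no P3P policy"]
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "warning", ["P3P policy is not well-formed XML"]
    statements = list(root.iter(P3P_NS + "STATEMENT"))
    if not statements:
        return "warning", ["policy contains no statements"]

    reasons = []
    for number, statement in enumerate(statements, start=1):
        data = sorted(d.get("ref", "?") for d in statement.iter(P3P_NS + "DATA"))
        for tag, blocked in prefs.items():
            for value in sorted(_values(statement, tag) & blocked):
                reasons.append(
                    f"statement {number}: {tag.lower()} '{value}' "
                    f"applies to {', '.join(data) or 'unspecified data'}"
                )
    return ("alert" if reasons else "match"), reasons


if __name__ == "__main__":
    status, reasons = evaluate(SAMPLE_POLICY, USER_PREFS)
    print(status)
    for reason in reasons:
        print(" -", reason)
```

The check only compares what a site declares; it does not verify that the site's actual data handling follows the declared policy.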

IBM, meanwhile, made available an add-on to its Tivoli software that helps marketers create and translate their sites’ privacy policies into P3P format. The Tivoli Privacy Wizard thus promotes the implementation of P3P by Tivoli customers. IBM's software is available for download at: http://www.tivoli.com/resource_center/maximize/privacy/wizard_code.html/

According to AT&T Research Labs, six of the top 10 Web sites have P3P-compatible policies, as well as 30 percent of the top 100 Web sites. Both the Tivoli Privacy Wizard and Privacy Bird currently are being offered for free and encourage the development of P3P as the industry standard. Both consumers and businesses benefit because although the software may not solve all privacy problems, it may motivate corporations to improve their information-handling practices.

Recently, the World Wide Web Consortium (W3C) made P3P an official recommendation, which indicates that it is a stable document, contributes to Web interoperability, and has been reviewed by the W3C membership, which favours its widespread adoption. W3C has not received universal approval, however, as some privacy advocates, such as the Electronic Privacy Information Center (EPIC), argue that the standard does not go far enough to prevent dissemination of personal information over the Web, yet contributes to a false sense of security. In a report on P3P, EPIC recently claimed that P3P is a complex and confusing protocol that makes it more difficult for Internet users to protect their privacy. What is clear is that the Web now has a standard language for describing privacy practices that will enable a new level of transparency in Web-based interactions.