1) CDT Files Two Sets of Comments to the FCC about the Importance of Privacy in the Context of the National Broadband Plan
2) The National Broadband Plan should release an updated version of FIPs to guide privacy practices by the federal government and industry.
3) The National Broadband Plan should recommend enactment of a federal baseline consumer privacy law.
4) The National Broadband Plan should recommend updates to the Privacy Act of 1974.
5) The National Broadband Plan should promote the incorporation of Privacy by Design principles into both innovation and business and government practices.
6) Encourage a marketplace of privacy protective, user-centric decentralized identity providers.
7) The National Broadband Plan should encourage innovation and consumer protection in third-party applications.
In one set of comments, CDT joined with a diverse set of privacy advocates to emphasize the importance of promoting a modern and comprehensive set of Fair Information Practice principles (FIPs) as the foundation for any discussion of legislation, regulation or self-regulation in the online sector. We call on the Commission to endorse a complete set of FIPs and to recommend them to policymakers as the best available basis for policy guidelines of all types.
In our other set of comments, which CDT filed alone, we call on the Commission to include in the National Broadband Plan a comprehensive set of recommendations for appropriate government bodies and companies detailing how these entities can protect consumer privacy online. CDT believes that fully protecting consumer privacy interests online requires a rigorous mix of self-regulation, enforcement of existing law, development of technical tools and standards, and enactment of new legislation. In CDT’s independently filed comments, we present six of the most important recommendations that we believe the Commission can make in its broadband report. We describe these recommendations in greater detail below.
Through the National Broadband Plan, the FCC can play an important role in defining and clarifying the meaning and substance of consumer privacy. In our comments, we urge the Commission to endorse a modern, comprehensive set of FIPs and to recommend these principles to policymakers as the best available basis for federal legislation, agency rules, and self-regulatory guidelines.
These FIPs, which were articulated in 2008 by the Department of Homeland Security, include:
- Individual Participation
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Accountability and Auditing
This recommendation is also detailed in the set of comments that CDT filed jointly with other privacy advocates. In those comments, as well as our independently filed ones, we urge the FCC to endorse this full set of FIPs and to recommend them to policymakers as the best available basis for policy guidelines of all types.
The Department of Homeland Security’s FIP principles – a modern and comprehensive set of FIPS
Despite how critical privacy protections are to the continued health of the Internet, the United States lacks a comprehensive consumer privacy law. Instead, American consumers currently face a confusing patchwork of privacy standards that offer only weak protections for much personal information collected by businesses and that leave some information unprotected in surprising ways. The National Broadband Plan should call on Congress to enact general privacy legislation. Simple, flexible legislation would protect consumers from inappropriate collection and use of their personal information while enabling legitimate business use to promote economic and social value. In principle, such legislation would codify the fundamentals of FIPs. While self-regulation would likely still be necessary to address certain areas not covered by a baseline privacy law, self-regulation cannot suffice on its own.
The Privacy Act of 1974 is the primary law regulating federal agencies’ collection, maintenance, use, and dissemination of personal information. While the underlying framework is still sound, the thirty-five year-old wording of the Act renders it ill-equipped to meet many of the privacy challenges posed by modern information technology. For example, the technologies in use today are so different than those in use 35 years ago that the switch that turns the law on – the definition of a “system of records” – cannot address some of the most common database techniques in use today. Tellingly, transactional data is not addressed by the Act. In our comments, we call on the FCC to urge Congress to update the Privacy Act of 1974 and bring the federal government’s privacy framework into the 21st century.
In the interest of building support for an update to the Privacy Act, and building on the recent work of the US Information Security and Privacy Advisory Board and the Government Accountability Office, CDT brought together a working group of public interest organizations, government representatives, and members of the private sector to draft the E-Privacy Act Amendments of 2009. We opened this policy-drafting process to the public through a wiki that allowed the public to edit the draft.
E-Privacy Act Amendments Wiki
June 2008 report of the United States Government Accountability Office, PRIVACY: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information
The “foundational principles” of Privacy by Design should be implemented to guide innovation in a manner that is consistent with FIPs. Privacy by Design offers a roadmap for integrating privacy considerations into business models, product development cycle, and new technologies. The FCC should recommend that Congress and the FTC act to encourage business practices that are consistent with Privacy by Design and that the National Institute of Standards and Technology (NIST) deliver Privacy by Design standards for government agencies. The federal government can have a considerable impact on the marketplace simply by requiring that companies offer innovative new technologies to protect privacy in order to gain the government as a client. The federal government should commit itself to incorporating Privacy by Design into its operations and promoting Privacy Enhancing Technologies as part of its open government initiative as well as of part of day-to-day government operations.
CDT Consumer Privacy Roundtable Comments: The Role of Privacy by Design in Protecting Consumer Privacy
Anne Cavoukian, Privacy by Design: The 7 Foundational Principles
What Is Privacy by Design?
Alissa Cooper, WhiteHouse.Gov: Moving the Cookie Forward
Decentralized identity management will be an important building block for new broadband applications, allowing users to share information using trusted providers and enabling new, innovative online applications. The keys to creating trusted relationships online are creating meaningful privacy and security and enabling user control within the identity management system. CDT recommends that trusted frameworks mediate the policies and practices of identity management providers. To avoid the creation of a massive and potentially vulnerable centralized repository of highly sensitive personal information on almost every American, it is essential that identity management systems have a federated, or decentralized, structure.
While it is critical that government not discourage the nascent identity management industry from growing by adopting overly intrusive regulations, identity providers must be covered under some type of private or public legal regime in order to ensure that they properly safeguard consumer privacy. CDT proposes two principal options for covering these entities. First, identity providers could required by a trust framework to offer a three-party contract that imposes restrictions on, and gives enforcement rights to, the identity provider, relying parties and users. Second, identity providers may already be covered under existing law, specifically the Fair Credit Reporting Act (FCRA). If both these options fail, however, there is a potential need for a new policy and/or law to govern these entities.
The past two years have seen the introduction and rapid adoption of a new model for broadband-enabled services: companies are increasingly opening their platforms to the public, allowing every-man innovators, advertisers, and even competitor companies to contribute applications that enhance the original platform in previously unimaginable ways. While these third-party applications have seen a boom in innovation, they have also attracted developers whose goal is to prey on weak security and privacy regimes. Creation of a trustworthy marketplace for third-party applications is not impossible. In fact, platform providers can go a long way in offering privacy and security protective regimes for consumers without fear of liability. CDT notes that existing limitations on liability for content provided by others and limitations on liability for voluntary filtering of content provided by others (Section 230 of the Telecommunications Act of 1996) are specifically intended to encourage responsible innovation by providers of forums for third-party content. With the threat of liability removed, providers can launch more open and innovative platforms with less risk, while marketplace pressures to cultivate consumer goodwill are likely sufficient to encourage responsible vetting of applications. The FCC can play an important role in encouraging platform providers to build protections into their platforms while keeping them open, beginning with self-regulatory, information sharing and law enforcement reporting projects.