
U.S.-E.U. Data Privacy Deal Near

Duckie01 writes: "There's an interesting report about a deal being made between the European Union and the U.S. concerning companies collecting customer information on the Web. Right now privacy protection under EU laws is much stricter than under U.S. laws. With this 'Safe Harbor' deal, companies that choose to comply are to police themselves. Can you say 'sellout' and 'conflict of interest'?" In other words, says EPIC, "the fox guarding the hens." The pact must still be approved by the European Parliament.
  • by Anonymous Coward
    However, I must say that, privacy advocate that I am, I am still troubled by a paradox I've never been able to resolve: is privacy fundamental?

    Within the current situation - yes.

    As you have observed, it's basically related to urbanisation. Within a small, local community there is very little *need* for privacy. Anyone who makes a pest of themself to other people is quickly hauled into line by the social pressure of the other members of the local community.

    This breaks down in the urban environment where you can move around amongst large numbers of people. Essentially it means that you can act like a jerk in one place on the other side of the city and people have their work cut out for them tracking you down.

    The internet takes this to an absurd degree.

    Some would argue that the solution is transparency - the end of all privacy so that accountability for one's actions is restored.

    Where this argument fails is that there are ( and arguably always will be ) holes in the system that can be used by a minority ( ie; the ones with the money and the resources to find them ) to escape from scrutiny.

    So essentially transparency boils down to the formation of a "privacy underclass" while the rich and powerful continue to do pretty much whatever they want.

    This is why privacy must be maintained at all cost at this point in time and why people must be educated to maximise their privacy even if it means giving up a few freebies. Once a "privacy underclass" forms, it's going to be even harder to stop the "privacy elite", since they can just steal someone else's identity for their own use.

    Hence, we must not only fight for our own privacy, we must insist that it is a "right" that everyone is entitled to. Privacy must be universal and it must be egalitarian.

    You might be strangling my chicken, but you don't want to know what I'm doing to your hamster.

  • A question for the (European) lawyers out there. I can take my national government to court for failing to protect my rights. Can I take the European Union to court for failing to protect my right to privacy (as enshrined in the European Bill of Human Rights)?

    If so, then this might not fly for very long
  • Please moderate all of these down.

    I see somebody is playing with Cross Site Scripting (well, same site really).
  • Welcome to the Cross Site Scripting Vulnerability. Demonstrated by somebody with nothing better to do. This site has lots of nasty Javascript. Please do not go there (if you really don't believe me, wget the link)

    Moderators: please moderate the parent down and any that have links to http://hobbiton.org/~zk65/wow.cgi

    Thanks very much
  • You cannot "ask for cookie". Cookies are sent by *your* browser, when you tell it to go to some page. Too bad you can't control this function, but this is not DClick's fault. That's your browser maker's fault - so sue the right person.
  • by Jon Peterson ( 1443 ) <jonNO@SPAMsnowdrift.org> on Sunday June 04, 2000 @09:34PM (#1025796) Homepage
    "One would presume that the European Parliament is in some fashion amenable to public pressure"

    HA HA ha ha ha ha ha ha Ohhh ho ho ho ho ho tee hee heee heee *splutter* Oh my sides Ho ho ho ho ha Ha ha ha ha ha.

    You don't live in Europe do you? The European Parliament is in some fashion amenable to corruption, large expense accounts, glorying in its own power and self importance and congratulating itself on being the driving force of the amazing new wonderful federal Europe.

    That said, they sure don't like the U.S. because the EU to some extent defines itself as being not American. So yes, they may well put up a fight, and I hope they do, but don't for one moment think that it's because they listen to public opinion!

  • To extend the idea a little further, maybe there are other ways to flood DoubleClick and collectors of private information with fake data. Maybe some kind of distributed system where people set up little daemons that run in the background, pretend to be surfing, but are really just sending cookies designed to destroy the integrity of their data. Would this be legal? hmmm...

    OF COURSE this would be legal! It's the data miner that asks the little daemon for its cookies without the owner's permission, and the daemon happily hands out those cookies - it's not at all illegal to give false information. How can it possibly be illegal to broadcast garbage information across the internet for semi-legal data miners to choke on? What could they do about it? Whine that the data they collect in such a controversial way is false?

    Doing this is rather similar to leaving a car unlocked as bait to catch car thieves, or putting up a box with a few juicy security holes and back doors as bait for script kiddies and other crackers.


    )O(
    the Gods have a sense of humour,

  • This agreement just allows US companies in the EU to export data from the EU, even tho they are recognised not to meet EU standards.
    That's not entirely true. First, it also has impact on companies in the USA doing business with consumers in the EU via the web.

    The agreement makes the company responsible while they would gain "safe harbor" from prosecution or lawsuits by EU governments.

    I read that as: "You can do what you want with my personal data and I can't do a damn thing about it". If they're responsible, give me the right to file a complaint. That's not too weird, is it?

  • Yes, you can.
    If you live in the union.
  • Junkbuster [junkbuster.com] already does this. It calls them wafers. You can configure it in all kinds of cool ways.
  • Since I live in the Netherlands, is it illegal for US (web-)companies to gather certain information about me (something which may be legal in the US)?

    If so can I sue doubleclick.com & friends? :-)

    Ah well, maybe turning off cookies helps a lot too...

  • by orpheus ( 14534 ) on Sunday June 04, 2000 @09:50PM (#1025802)
    I oppose the Safe harbor proposal, and the FTC seems to agree that American companies deserve an overwhelmingly failing grade [slashdot.org].

    Ordinarily, I'd hope that the European users, having a clear choice between privacy in Europe and blatant abuse in the US, would avoid American sites, and send a strong message that American companies might understand. I tend to favor free market solutions, and this might stand as a backup if we don't succeed in regulating US companies in their use of a commodity that does not truly belong to them: our personal info and patterns.

    However, as a practical matter, it's not always easy to know when you're dealing with an American company: .com doesn't mean "American", and many foreign TLDs may actually point to servers in the US and other "non-private" jurisdictions.

    I suppose that a privacy leak anywhere is a threat to privacy everywhere.

    The fact that far too few people fully appreciate their privacy, or personal info protections, can only make things worse. It would hardly be the first time a right or privilege was not appreciated until it was attenuated or gone.

    However, I must say that, privacy advocate that I am, I am still troubled by a paradox I've never been able to resolve: is privacy fundamental? Keep in mind that "urbanization" is a relatively new phenomenon -- until the Great Depression (or a little later) most Americans lived in small towns or rural environments (I presume Europe was similar) and people rarely moved, compared to today. In a small town, a lot of what we now consider basic privacy was impossible. "Everyone knew your business": your salary, work history, the embarrassing things you did in third grade. Perhaps this is why our Founding Fathers did not address 'privacy' in the Constitution, though they seem to have a prescient awareness of other critical issues.

    Perhaps the key is that the companies buy, sell, and use *our* information anonymously. They do not tell us exactly what they do, nor do we have any right of consent. Once the information is 'out', it is considered "their" property, not ours.

    Still, "privacy" is an important concept, if only because it is a major legal tool (in the American system) for defending and arguing for rights that were not mentioned in the Constitution, partly because wholesale violation was unthinkable before today's mindless technology evolved.

    ------------------
    "Dum spiro, spero. Dum vivimus, vivamus."
    (While I breathe, let me hope. While I live, let me live)
  • As part of society, privacy in relation to commerce should be EXTREMELY important, so much that I bet the founding fathers would have insisted on it had they envisioned the world as it is today. Such information sharing was not possible in the past.

    Privacy/Commerce laws seek to ensure that people's personal information does not become a negotiable item, a commodity. It's not supposed to be. It's wrong.

    If you give your name at Blockbuster.. they have the right to know some things about you. Specifically, your name and address and other proof of identification so they can find you when you don't return their property. This is fine.. nobody disputes this.
    But.. when you give them this information, you naturally assume that this is the only reason you are giving them this information. (well.. today people assume other things.. but they have been brainwashed into thinking this is acceptable).
    Under EU privacy laws, such information gathered in order to complete a business transaction may *not* be used in *any* way other than to complete the sale at hand. This is great.
  • I encourage you to use cash for your transactions. I try to do this, and it is becoming increasingly difficult.

    When the electric company guy comes to the door saying that it's time to pay the bill on the spot or get disconnected, he informs me that he 'cannot accept cash, only cheque or credit card'.
    The telephone company office is the same way.. they won't accept cash at their head office.

    Many hotels and motels, especially (strangely) some cheap ones won't let you stay without a credit card. You can't rent a car without a credit card.

    Let's look at the hotel too... I find it funny.
    If you stay at the hotel.... they get your credit card presumably so they can 'charge' you for things you might otherwise not pay for. Well.. surprise surprise.... they can't really do this ultimately. Whether it's cash or charge, your agreement is absolutely *required* in order to pay. Just like fine print on porn sites.. if they have deceptive agreements, you can dispute it at the credit company.

  • And this is why we make laws. to better people!

    People come first. Business exists to serve people.
    Laws exist for the betterment of society, not for the betterment of business.
  • Privacy isn't important in the world of e-commerce, unless it is a product unto itself.

    Yep.

    Companies will sell you software to help violate someone else's privacy, and software to protect your privacy, which means that privacy itself is for sale.

    Nope. Just because tools for invasion/protection of privacy are being sold, does not mean privacy itself is being sold. I could download some, say, nasty sniffer software, and I could download some military-strength encryption software. Does this mean privacy is being downloaded?

    Unless protecting my privacy becomes profitable, companies will sell my details to the highest bidder.


    They most certainly will.

    This leads to the question: is there a way to guarantee that it is in Company X's best interest to protect my privacy?

    Why should that be so? Why should company X be concerned about your privacy? You are not in the business of protecting the privacy of your next-door neighbor, and company X is not in the business of protecting your privacy. Your privacy is your own concern -- if you care about it, you can protect it.

    I don't want anybody to protect my privacy -- but I want tools and rights to do the job on my own.

    Kaa
  • by Kaa ( 21510 ) on Monday June 05, 2000 @04:22AM (#1025807) Homepage
    In a small town, a lot of what we now consider basic privacy was impossible. "Everyone knew your business": your salary, work history, the embarrassing things you did in third grade.

    That's a common objection to privacy as a right -- "we didn't have any before urbanization". It has a bit of validity, but not much. Some problems with it:

    (1) Just because something hasn't always been a right does not mean it's not what we consider a "natural right". For example in ancient Greece personal freedom was not a basic right -- you could become a slave by being captured, by not paying your debts, etc. In medieval Europe (and in the Soviet Union until early 90s, that's 1990's) people could not freely change their place of living, though most Americans consider the right to settle anywhere to be a "natural right".

    (2) Even if you had no privacy against other inhabitants of your village, you had privacy against the world. A stranger coming into the village and asking about you would gain little information. Compare to contemporary situation where anybody with the right tools and access can get what's available.

    (3) The village's information-gathering system was highly imperfect. Some information was known by all, some by few, some by nobody. Yes, everybody knew what you did and how much you made, but goings-on inside the house were generally private. Nowadays the ability to concentrate information in one place is much higher.

    (4) The village's storage of information was short-term. Human memory is selective and lossy. Nobody remembers your third-grade grades or the fact that you were expelled from the class five times for being disrespectful to a teacher. Compare to now -- databases never forget.

    (5) The villagers would not generalize about you because they had too little information about people like you (and too little processing capability, too). Today it's perfectly feasible to make the following chain of connections: "This guy buys a lot of red meat and butter and we see no gym payments anywhere -- we know that statistically such people die early from heart disease -- so let's target this guy for cholesterol-lowering medication and raise his life insurance rates".

    So, no, "we all lived in villages with no privacy" is not a good argument.

    Kaa
  • Make that
    (!USA && !Canada)
    then :-)
  • by Paul Johnson ( 33553 ) on Monday June 05, 2000 @02:06AM (#1025809) Homepage
    I'd have thought that class action suits would be an effective deterrent. It's fairly easy to track misuse of marketing data if you try: just give a false name, and log who you give it to. So once someone has evidence that his name has been sold on in violation of the rules, it follows that lots of other people have as well. These people are a Class in whose name a class action suit can be brought. And the defendant has a handy list of their names and addresses too...

    In effect this privatises the enforcement side. All it takes is a few lawyers who make a practice of signing up for things under false names and tracking the resulting spam. When they find a violation they can sue and pocket a fee.

    This leaves open two issues:

    1. Establishing damage. It's hard to argue that you are damaged by receiving snail spam. You might be able to sue for the cost of reading it, deciding it's not important, and disposing of it. But if you price your time at $20/hour (probably too optimistic), and it takes you 1 minute to open the envelope, scan it and decide you don't want it, then that's just 33 cents per "victim". Even with punitive damages it's still only a dollar. This probably requires a separate law.
    2. Setting rules which can then be enforced. This could be done by government, but it could also be done by market pressure if we can just educate people. The people to do this educating are the same lawyers who will be bringing the class action suits. They just need to tell people to look for the TrustE logo on a web site, or whatever.

    Paul.

  • There's another version of the story on cNet [cnet.com] - and, unlike the cgi script, it's a real story.

    Luckily, under the proposed regulations congress is looking at, the cgi script kiddie would be locked up for 20 years.

    Oh, you don't think that's lucky? Well, since no one is complaining to their elected officials (and they screen you out if you don't give name, address, and phone) you don't get any say in the matter. We already sold your privacy rights in the US, and now we're going to sell the privacy rights of all EU citizens.

    What ya gonna do about it, cypherpunk?

  • And a complete history of everything you've bought using that card, how often, whether you prefer coke/pepsi/perrier etc.. And possibly your credit card number, (but I'm not sure if they are allowed to keep that). This is still useful to them, even if they cannot tie it to a name, it still gives them useful demographics.

    EZ
    -'Press Ctrl + Alt + Delete to log on..'
  • Loyalty Marketing does have some drawbacks for protecting privacy, but industry/government has come up with a few controls. First, many companies will use "trusted" processors to filter information to the smallest amount needed to run the program according to terms. Many will specifically contract with the consumer to limit the use of the information to implementing the program, and promise not to use the information for any other purpose.
    If you do not trust the programs to abide by their bargain, there are safeguards that you can seek. First, are third party seals that guarantee privacy policies. You can investigate into the seal programs as well:
    - Some only collect complaints
    - Some only seek a promise of compliance
    - Some perform periodic audits and report either:
    (1) Transgressions from promise
    AND/OR
    (2) Potential security violations

    There are some regulatory standards as well. Programs that are tied to a financial instrument or involve banking institutions are going to be affected by Gramm-Leach-Bliley, and some provisions of the Fair Credit Reporting Act (particularly regulation E).
    The FTC has recently tried to position itself to do oversight, but that has met with "big brother" style flames.
    As for the mini-disclaimer, I do have two clients that participate in this space. I do not think nor intend to market their services. I have spent some time collecting information for online privacy, particularly consumer rights. This has been both for business and academic purposes.
  • Actually, I don't think this is off topic. I have been reading a lot of arguments that place privacy in this commodity barrier; however, I think that honesty and oversight are the primary concerns in the EU "Safe Harbor".

    If Company A offers me a $##load of money to track my spending habits, explains to me that they will use this information to develop an XYZ profile, will not use this data for any other purpose, and will destroy the data at X period of time, then it becomes my choice as to whether I want to enter into a contract. This is not very different than what Nielsen does to compile ratings, and is how most market research companies operate.

    Consumers' major fears are that Company A will breach their agreement, or worse yet, assume that they have this right implicitly without disclosure. Consumers lack an oversight mechanism, and it would be very costly and timely to pursue a claim. IMHO, the mechanism that protects the consumers will be one of the major policy questions of the next few years.
    The EU clearly codifies that the latter right does not exist, and demands disclosure. The "safe harbor" debate mainly was EU protecting their consumers against businesses gaining this right through common law. (Per other post, the US has codified the rights and responsibilities for financial institutions and using information for credit reporting; however, all other businesses could claim that it was the other party's duty to create limitations/rights in the contracting language).
    Privacy will be/is a commodity, much the same as speech is a commodity. You can freely negotiate "gag" provisions. I doubt the US government will ever restrict the freedom to disallow a user from being able to contract away this privilege. Selling your Pokemon purchase may never be as dangerous as selling a kidney. IMHO, it would be more advantageous to have more Gramm-Leach-Bliley/FCRA style legislation that require disclosure, or prohibit businesses from seeking this right as a mandatory contract provision.
  • >>>If a US company does not become a member of this 'Safe Harbor' then it is vulnerable to litigation in Europe by almost anyone

    I'm not sure that I totally agree. You could use a third-party to process the data. The third-party could maintain the "safe-harbor" status as it's certain to evolve and create about the same type (although maybe not magnitude) of cost as maintaining banking regulations. The third-party could disclose the information it would reveal to the US company, and mask all other data.
    The US company could be insulated from direct action under certain circumstances. If they didn't have privity of contract with the person whose data was being released, and they were not negligent in choosing the company/processor any claim against them would be tenuous. They wouldn't be liable under respondeat superior, and they have not breached any contract with the consumer. If their actions were deplorable, they might get "third-party" contract status, but this would be an exception rather than a "deep pockets" rule.
    I am interested if you have alternative thoughts. I am trying to explore this further for professional and academic reasons.
  • I absolutely agree, but the FTC did go after Double Click. I believe it has occurred to governments, but it takes them some time to react. Wiretapping was done by the government and everyone else, before the SC decided it was an invasion of privacy, the penumbra right. Cellular phone receivers were once widely used. The EU was quick to react with their guidelines, the US government has left a great deal to the private sector and limited legislation to financial companies and the reporting of information for credit. The latter provision being abused even before recent technological advancements.
  • It seems amazing that this has never occurred to any government entity.

    Why would you ever think that it hasn't?

    Of course it has. Licensing commercial entities to bypass the Bill of Rights, and then granting Law Enforcement the ability to access such "public" information, is part of a strategy to bypass constitutional protections which limit police powers.

    After all, the US Constitution only applies to restrict the actions of certain governments. If the Feds can't do it, get the states to; if the states can't, get the feds or a private corporation to do it; if all else fails, rely on "anonymous" tips (that is, do the illegal wiretaps, as in the decades-long illegal wiretap system in Los Angeles). Any surveillance target that complains has clearly got something to hide, and likely less money than any govt or corporation to throw into the legal system ...

    The US has police state tendencies, which are increasingly showing clear and strong. J. Edgar Freeh is watching, be careful.

  • Isn't that the goal of Libertarians and Laissez-faire Capitalists? If safety and health can be bought and sold, why not privacy too? For that matter, why not freedom of speech or freedom from slavery. (If you say something someone doesn't like, and your free speech insurance has run out, they'll sue you far enough into debt that you become their indentured servant?)

    OK, so maybe it's a little off-topic, but I think that it is a natural progression when one thing after another becomes a product instead of a legally protected right...
  • These kind of cards also exist in europe, but they HAVE to tell you what they do with your data, and you can refuse to give it, and still get the card. then you get the few pennies, but all the shops have is a number. no name, age, sex, whatever.

    //rdj
  • no idea, but I've been wondering about the exact same thing. Could make a nice test-case..maybe I should stop over at the 'rechtswinkel' some time.

    //rdj
  • and how would they get my (non-existing) creditcard number? sure.. they have a history of what someone bought. but they don't have any info on that someone. credit cards are not very big in the Netherlands. They're not needed since there are lots of ways to pay for stuff in the Netherlands. There's cash (my preferred form of money), there's PIN if you like to pay electronically and there's the 'chipknip' if you're really feeling funny. (the chipknip was invented by banks as an easy way to pay for small amounts. it holds some (electronic) money, and is anonymous. a lot like real money. it's also insecure like real money: anyone can spend it, and it's easier to lose a bank-card than it is to lose some bank-notes. people just aren't buying it, and it adds nothing to existing possibilities)

    //rdj
  • there is a VERY clear distinction: ask the one whose data you want to use. It's clear, it's simple, and it's fair. If I want book recommendations, I'll ask for it. Some legal framework to prevent spam would be nice too. Opt-in of course.

    //rdj
  • So you're saying you can't sell any stuff if you can't use personal customer data for marketing? that's bullshit. Pure and simple. Take my local game-shop. It's small. It doesn't collect personal information. It exists, and has existed for years.
    So we're just damned if we don't.

    //rdj
  • If you would like to receive several offers, that each have an infinitesimal chance of ever interesting anyone with more braincells than the average brussel sprout, please give us your name, age, address, number of pets, type of pets, name of pets, diseases they've had/they've been inoculated against and your creditcard number (so we can bill you for conveniently storing these data) in the form below.

    There. simple, isn't it.

    //rdj

  • Hmm... off to Africa I go!

    Yes! There is some very 'out of the box' thinking [techweb.com] going on in Africa these days!

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • by Chasuk ( 62477 ) <chasuk@gmail.com> on Sunday June 04, 2000 @09:13PM (#1025825)
    A quote from the article: [excite.com]

    The U.S. Commerce Department favors this type of industry self-regulation, and President Clinton, together with EU officials, lauds the accord as a milestone in international e-commerce that will encourage economic growth.

    The words e-commerce and economic growth should be emblazoned in red. Note that the word privacy does not appear in this paragraph. Privacy isn't important in the world of e-commerce, unless it is a product unto itself. Companies will sell you software to help violate someone else's privacy, and software to protect your privacy, which means that privacy itself is for sale.

    The only interest of a commercial company is self-interest. Self-interest equals profit. Unless protecting my privacy becomes profitable, companies will sell my details to the highest bidder.

    This leads to the question: is there a way to guarantee that it is in Company X's best interest to protect my privacy? Can public pressure and the threat of diminishing sales make all companies champions of privacy, hypocritically or otherwise?

    If not, I see privacy crumbling before our eyes.
  • The EP is a fairly liberal institution, as there is a high correlation with liberalism and support of spreading the European integration project. The EP, of any institution at the EU or US level is most likely to be concerned about the privacy ramifications.

    So Euros, call your MEP!!!!!!!!

    ostiguy
  • From EPIC's website [epic.org] (emphasis added):

    FTC Calls for Privacy Legislation to Protect Internet Users. On May 22, the Federal Trade Commission (FTC) released a report (PDF) on the results of its latest survey of website privacy policies. The survey documented that only 20% of a random sample of websites addressed basic elements of Fair Information Practices. Based on the findings of the survey, a majority of the FTC Commissioners have recommended [ftc.gov] that legislation is needed. On Thursday, the FTC will formally present its findings and recommendations in front of the Senate Commerce Committee [senate.gov]. EPIC's latest survey, "Surfer Beware 3: Privacy Policies without Privacy Protection" [epic.org], also found that self-regulation provided an inadequate level of online privacy protection.

    I just hope the EU doesn't fall for the same bait as did TrustE. Self-regulation isn't.

    Sreeram.
    ----------------------------------
    Observation is the essence of art.

  • EU law prohibits the transfer of data to the United States and other non-EU countries that don't meet EU standards for protecting personal information.

    Without this agreement, companies in the EU would have some difficulties in doing ebusiness with the US. This agreement just allows US companies in the EU to export data from the EU, even tho they are recognised not to meet EU standards.

    In effect, they are saying 'what you are doing does not meet our minimum requirements, and normally we would prosecute you, but since you're a US company, we'll let you off if you promise to be good'

    It was noted in another article that other countries, like Japan and Australia, would not get safe harbour status so easily. I'm not sure if their standards meet the EU laws anyway, but it would be interesting how their gov'ts react if they don't get a similar exemption quickly.


    ---

  • you can refuse to give it,

    Can you? Whenever you shop with the card, they have the list of items you bought. From the number of condoms, they can figure out how often you get laid. And if you buy hemorrhoid medication, they can draw their conclusion as well. And don't forget what kind of information they can infer from your book purchases.

    no name, age, sex, whatever.

    Well, as soon as you use your rebate card together with your credit card, they have your name too. It's a lot like cookies actually. Cookies are also just a number. But as soon as you fill in your personal data into an online form on the Web which leads to a page with a doubleclick ad, then doubleclick has the data too, and can now put a name on the number.

    • The only interest of a commercial company is self-interest. Self-interest equals profit. Unless protecting my privacy becomes profitable, companies will sell my details to the highest bidder.

      This leads to the question: is there a way to guarantee that it is in Company X's best interest to protect my privacy? Can public pressure and the threat of diminishing sales make all companies champions of privacy, hypocritically or otherwise?

    Sure. Only give your information to entities that promise to protect the privacy of the information.

    Or not... I sometimes give out information to entities because I expect them to share it and it could lead to contacts for mutually beneficial commerce.


    -Jordan Henderson

  • by G27 Radio ( 78394 ) on Monday June 05, 2000 @06:44AM (#1025831)
    I just had a thought regarding DoubleClick. Right now most of us just block their cookies. Instead it might be interesting if false information would be returned instead. Over time, if enough people were returning false data, it would pollute their databases badly enough that they'd be useless.

    To extend the idea a little further, maybe there are other ways to flood DoubleClick and collectors of private information with fake data. Maybe some kind of distributed system where people set up little daemons that run in the background, pretend to be surfing, but are really just sending cookies designed to destroy the integrity of their data. Would this be legal? hmmm...

    numb
  • Read this week that loyalty cards are (here in the Netherlands) topping out at 20% of the population - more growth is not expected. Still, hell of a lot of folks indeed don't care.
  • No matter what is decided, or how much we holler, the first order of business is to make money - at all costs. Attempting to hide your income, address, identity, etc. will continue to prove a futile chore.

    Maybe it's time to fight this privacy thing with bad data. Both my wife and I give out a wrong phone number without even thinking about it. I don't use my real e-mail address on any commerce related sites (unless I order something), and feel more and more like using cash for all my transactions.

    Of course, the day may come where giving out false information may be illegal in nearly every case.

  • Can I take the European Union to court for failing to protect my right to privacy

    IANAL

    No. We (in the UK) have no right to privacy, as we have no defined "rights" to anything, in the way that these are clearly defined in the USA. What we have instead is a set of laws on data privacy (and they're not a bad set). If a company breaks them, then we may have a case against that company. -- Although if they're a US company, then we may not have a case anyway, as they can dodge on the basis of the EU jurisdiction not being applicable to them. What we don't have is a case against our governing bodies. This is in the same way that if we were mugged, we'd have a case against the mugger, but not the government for preventing it.

  • I'd hope that the European users, having a clear choice between privacy in Europe and blatant abuse in the US, would avoid American sites,

    I'm a UK-based eCommerce developer. How should I develop my site ("Orinoco.com") when my main US-based competitor can do sophisticated CRM to up-sell related products and offer recommendations, but I can't ?

    I don't think there's any hope of a boycott. We don't (most of us) boycott Outlook, despite Melissa, and we don't boycott Amazon over patent issues. Very few users will support a boycott when the most obvious effect is to reduce their apparent functionality.

    I'm in favour of privacy, but I also like good CRM systems that recommend useful books to me. The UK DPA (Data Protection Act) is far too blunt to distinguish between "helpful" CRM and intrusive "snooping" (mainly because those subjective terms are just that, subjective). We don't just need another legal framework for controlling personalised data and its security, we need some mechanism that allows the identified person to specify, at time of collection, how much data may be collected and what may be done with it in the future. This is an issue as complex as inherited rights management....

    Have you seen the complexity of P3P and APPEL ? Now those are privacy issue implementations by smart geeks, not by lawyers. If we ever produce a workable legal framework that can distinguish between "good" and "bad" data, then it will be hugely complex.

  • ask the one whose data you want to use. It's clear, it's simple, and it's fair

    It's fair, but it's far from simple. Current state of the art can barely pose the question (This is what APPEL [w3.org] addresses) and it certainly can't offer P3P [w3.org]-enabled products to people building sites today.

    If I browse to a site that claims to request data for one purpose (that I accept) and then does something unacceptable with it, then I have little redress under the current DPA. The DPA simply doesn't account for the situation where I might make a per-visit choice about how much information I want to offer, and the purposes for which I understood it would be used. The DPA just sees "data" and doesn't distinguish much between purposes. Claiming that I'd only offered my data on the basis of a particular offer (we'll use it for X, but not sell it on for Y) gets into per-issue contract law and outside the DPA remit.


  • Nothing wrong with demographics....I'm happy for people to collect general info from my shopping (for one thing it makes sure they don't run out of what I want) but it's when they tie it to me personally I would be worried. And as someone here said, in the UK the Data Protection Act stops them doing that without explicit permission from me. And I haven't given it...so I feel fairly safe.

  • All of the grocery chains in my town have the little "club" card. A few months ago, they even showed how much you've spent total at that chain. And your name appears on the receipt. Kinda creepy if you ask me.. I stopped using them. Every time I see someone signing up for them, I tell them about the ramifications of it (tracking you, snail mail spam, etc). It's amazing how once you explain this to people they don't want the card anymore..

    ------------------------------------------
    If God Droppd Acid, Would he see People???
  • I guess this means that it's time to move to Sealand!
  • This leads to the question: is there a way to guarantee that it is in Company X's best interest to protect my privacy? Can public pressure and the threat of diminishing sales make all companies champions of privacy, hypocritically or otherwise?

    See this is where I start to have some problems with legislation and regulation.

    I think it is hypocritical to support free speech, even so-called 'freedom of information' stuff that many ./ers believe in, yet advocate laws 'protecting' privacy. The problem is that if you play both sides of the fence, you essentially are advocating more government control--it blurs the line of what the government is and is not responsible for.

    I argue that it is not any government's responsibility to 'protect' your privacy. The same way it's not their responsibility to tell you what you can and can't say, do drugs, or where to get your medical coverage.

    Many ./ers consider themselves libertarians. The definition of being a libertarian is essentially that you should be able to look out for your own best interests, without the government interfering. I would just question everyone's overall political beliefs before the knee-jerk into supporting certain legislation.

    And as a consumer you absolutely have the ability to sway, or making privacy in the best interests of corporations. I think that privacy agreements are already adding a lot of value to b2c web sites, etc. So it's an excellent point, and if you value your privacy it is important to vote with your dollars, and let the merchants know why you bought from them.

    -k
  • DATA MINING ON THE INTERNET WORKS AND IT WORKS WELL.

    Okay, I realise that using doubleclick type methods results in accurate data, but what are they doing with this data? Nobody is being particularly choosy about who to send spam to, and nobody is making their web pages dynamically adjust to target me. The only useful purpose is to draw correlations so that they know who to target. For this they don't actually need to know who I am.
  • Well, as soon as you use your rebate card together with your credit card, they have your name too.

    The data protection laws prevent them from doing this without your permission. European laws on this are really quite strict.
  • A little personal information helps for demographics too. An example (from Tesco): they discovered that on Fridays, men are more likely to buy nappies. They decided to put beer near nappies. They also found once or twice that sometimes people on one side of the road visit much more often than people on the other side of the road on certain very busy roads, with a different supermarket in the opposite direction.
  • It's not really that easy to corrupt the EU. The EU parliament consists of a large number of MPs, who already get paid a huge salary (plus expenses and really not an awful lot of work), and would be sorry to give it up.

    To summarize, the European parliament is too corrupted to be corrupted.
  • So, without this 'Safe Harbor,' the EU is going to do what to the US companies gathering information? I think the US needs to make sure privacy is guarded (FCC?) before we start making deals with Europe.
  • The first thing I noticed in the article is that this deal still has (only) two steps left to go before getting implemented -- it has to be ratified by the European parliament, and then by the European Commission, before it goes into effect. So, I ask myself, is this deal still stoppable?

    One would presume that the European Parliament is in some fashion amenable to public pressure, especially when an issue like this is likely to generate a considerable outcry. But then again, a quick check gives me the suspicion that the Parliament is mostly controlled by (admittedly, European) business concerns. After all, in the last couple of months, we've had major decisions that relieve agribusinesses of liability related to genetically modified foods, and another ordering EU member nations to lower their trade barriers (to British chocolate products, in this case).

    Now, this could go either way, in my view. (Mind you, I'm hardly an expert in European politics.) On the one side, you've got the big companies with American counterparts, arguing for this policy. On the other side, there are European companies who don't want to be at a disadvantage relative to the partnered companies. So, who knows which way this could go ... though I'd tend to suspect inertia and American pressure will probably push this one through.

    Too bad, I was kinda looking forward to the Europeans cracking down on American companies with European partners and lax privacy policies.

  • Check it out here: Cox blasts software patents [upside.com]

    In both cases it seems like the slightly more well thought out European standards are trying to be dragged down to US level, most probably by corporate interests.

    Fortunately it seems like there is some resistance building both in Europe and in America. One can only hope that common sense will prevail.

  • I think what might ultimately ensure our privacy is the sheer lack of value of these kinds of data. I don't think direct marketing on the internet is particularly effective; I think that like me most people just filter those intrusions out without really thinking about it.
  • Self or Government Regulation?

    Self regulation equates to: if it's going to cost me (the business owner) money, then it's going to be cheap as hell; Customers will have to pay for increased privacy.

    Government regulation: add 5 parts red tape with 1 heaping tablespoon of bureaucratic nonsense and beat until e-commerce is dead.

    We're damned if we do...damned if we don't!

    dc!


    --
  • No, but rather a business will not be looking out for your best interests unless it's free or they can make money off of it.

    dc


    --
  • IANAL

    There are actually two European courts: the European Court of Justice, which is the EU's court and enforces EU law. If a privacy agreement between the EU and the US was in conflict with EU law, you could arguably take them to court there.

    The other court is the European Court of Human Rights. This is totally separate from the EU, and is based on the European Declaration of Human Rights promulgated just after WW2. (I believe that it pre-dates the EU). Any citizen of a signatory nation can either bring a case to this court (after exhausting due process in their own country) or plead that an action conflicts with the Declaration (towards the end of this year the declaration will be incorporated into UK law, thus allowing this to happen).

    Paradoxically, although all the EU's members are signatories, the EU itself is not, and thus EU action cannot be challenged here, though if any nation attempted to enforce such an EU action, it could be held in breach.

    There is a privacy clause in this Declaration, which could conceivably be used here, and the whole declaration is in admirably simple and non-lawyerly language.

    Article 8: Right to respect for private and family life

    1. Everyone has the right to respect for his private and family life, his home and his correspondence.

    2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

    Mark Austin

  • An October 1998 EU law prohibits the transfer of data to the United States and other non-EU countries that don't meet EU standards for protecting personal information.
    ...
    For the time being, the EU is letting U.S. companies continue to export personal data from Europe. But in an effort to avert a potential trade war, the two sides began negotiating the issue two years ago.
    ...
    The accord offers privacy protection deemed adequate but not equivalent to current EU law.


    Okay, so the EU has certain standards that they have been ignoring until better guidelines came along. Now they are passing guidelines which are admittedly not up to standards, but they are lauding them as the panacea. Moreover, they will be trusting corporations like we do here in the U.S. And of course the article goes on to list companies who are already trying to exploit the situation...

    IMHO, privacy in the hands of corporate America is a sad joke. If it were not, people would not have to put NO SPAM obfuscations in their email addresses. Every online transaction I personally do, I elect against all spam (you know the ubiquitous "don't spam me" checkboxes). Despite that, I am spammed mercilessly, probably like other /.ers. This shows the high regard corporate America has for my privacy elections.

    I see no way in which this action by the EU is not a sellout. Just my two coppers.

    -L
  • You are right, but here in America...

    "Unsolicited spam mail causes my client extreme frustration and hyper-acidity. Here are his medical bills for ulcer treatments."

    "Unsolicited spam mail makes my client feel powerless, and this feeds back on his libido. Here are his bills for Viagra."

    And finally...

    "Unsolicited mail led my client to believe that he could become part of a class-action lawsuit bonanza in which he would own a portion of your company valued like a Powerball lottery payout. Here are the bills for his heart medication."

    -L
  • Starring:
    - The US gov, the one-which-cannot-finish-the-Microsoft-antitrust-case. Surely a worldwide model of Justice...
    - The EU gov, the one-willing-to-be-"protected"-by-the-overwhelming-US-gov.
    Do EU representatives really need so much money as they are talking about such silly thoughts?
    Now privacy, perhaps tomorrow military affairs and ASAP selling children to The States?

    An angry EU citizen.
    ----------------
  • by octalman ( 169480 ) on Sunday June 04, 2000 @09:42PM (#1025855)
    Information "mining" by DoubleClick et al is the moral equivalent of physical wire tapping of one's telephone. It seems amazing that this has never occurred to any government entity. If it is illegal to make a physical wire tap on a telephone to intercept messages, why ought it be legal to intercept other's messages or information through a legal physical messaging connection? No telephone subscriber would ever allow these people to "listen" to voice communications for the purpose of information mining. One may only record voice communication with permission of the sender. Data communication should be held to a like test.
  • If a US company does not become a member of this 'Safe Harbor' then it is vulnerable to litigation in Europe by almost anyone - the government, consumer unions, even simple citizens. And since the US company would most certainly lose in court that could mean anything - from steep fines to prohibiting the US company's business in Europe. Certainly I expect all medium to large companies that do business with the EU (or with possible future EU members - remember the EU is scheduled to grow to Eastern Europe, Cyprus etc) to at least try to comply with this 'Safe Harbor'. Smaller companies may choose not to deal with Europe at all.

    Remember this does not change the standing of European companies at all. European companies still have to comply with strict European privacy laws. This, if played correctly, could actually become a bonus for European .coms (if and whenever they appear), especially if privacy concerns become important for more American consumers.

    Regarding the FCC I do believe that the US should have a 'watchdog' agency for privacy; however, I doubt that a communications or trade committee would be enough. Privacy is different than communications and trade because it involves legal and even human rights aspects. But that is something you Americans should decide on.

    Personally I believe that this 'Safe Harbor' will not last long (there is a possibility that it will be voted down in the European Parliament). But for that to happen, American citizens (citizens, not consumers) should push for more privacy.

  • That with the passage of this, an EU citizen will have more privacy in the US than a US citizen?
  • Are dumb people actually clicking this or are they just all trying it for themselves...? Oh yeah, and I want my privacy...
  • Wow, I thought Linux users were cleverer than that...
  • doh... posted to the wrong story... this is an article about the Principality of Sealand... which is the previous story.
  • Somebody seems to have made a clever cgi script that reposts that message under your username. Congratulations to them for the hack value of it, but it's getting fscking annoying.
  • If you want an example of how people don't really give a crap about privacy, take a look at supermarket shopper cards. These cards have popped up over the last few years, and they really only have two purposes.
    • Brand loyalty (yummy carrot, here's a few pennies, now love us!)
    • Data mining (they all include clauses allowing them to share the data with marketing "partners" (ie people who pay them money))

    Joe Sixpack isn't generally thinking about this sort of thing enough to figure out why this might be bad. Sure, if he reads something like Database Nation [databasenation.com] it'll be crystal clear, but that's not going to happen.

    The only way to get this message out is if the mass media breaks it in a big way (yeah, the same ones who get paid by big marketing firms), or via some really embarrassing guerrilla action.

    For example, a website screaming: "Congressman Albertson has hemorrhoids, and gets laid about 1 time a month at home, but 3 times a week when on the road (who's the woman? come clean!)" Of course, the data miners would never do this, and would probably try damned hard to make sure that it never got out like this.

    Still, anyone with enough money can poison the well, by "accidentally" leaking selected data they've purchased from these data whores.
  • Hear, hear...
    Not quite the terminology I would have used but a point well put across
    May all spammers be infected with the Ebola virus so they will crack and bleed out.
  • The only interest of a commercial company is self-interest. Self-interest equals profit. Unless protecting my privacy becomes profitable, companies will sell my details to the highest bidder.

    Protecting people's privacy is profitable for a lot of companies. If it doesn't declare that it will protect your personal details, simply don't give them away.

    I think the biggest danger with self regulation is motivation for security - not honesty. Companies might promise not to give away details, but often there's no real way to guarantee that they're actually taking reasonable steps to protect it.

    As the general population gets more net-experience and starts to realise that one of the main sources of unwanted spam is themselves giving away their details so easily (especially email addresses), they'll become more conscious of actually checking the privacy policy.

    Voluntary privacy declarations will probably turn into a major marketing strategy over time.

  • OK.

    Given the new laws the scumfuck government in the UK are planning (the RIP Act), any data held by any company in the UK can be requested for the purposes of anyone the Home Secretary decides can have it.

    The real reason for RIP is tax collection. Since the big stores here told the Inland Revenue to go fuck itself when it asked for the "lifestyle" details from their loyalty cards, it has been itching to get at those data.

    And now it will have a free hand.

    If that doesn't scare the shit out of you, then I don't know what will.

  • It seems clear to me that we're watching the growth of false needs. It's one of the engines of the market in relationship with the man of the street. I'm not saying anything new.
    What annoys me, though, is that now PRIVACY itself is being packed like a need, like a new product. The next step in dealing with privacy is selling it to its respective owners. I don't want to BUY something I already own. I don't want to be forced to copyright or TM my private life.
  • To better people - we make laws - why is this?

    First come people. People serve to existing business.
    The betterment of business makes laws for the betterment of society. The sad truth.
  • It seems that the drafters of this agreement do not view privacy as a "legal right" as they should, but rather as another service that companies may offer, through the signing of the agreement.

    However the main problem I have with the proposed agreement is not this, but the apparent lack of recourse for consumers who have complaints against companies who are signatories of the agreement. There seems to be no independent watch-dog proposed to ensure that signatories are complying with the regulations (I suppose, because of the self-regulatory nature of the agreement), and moreover, the regulatory groups are funded by the industry (conflict of interest, anyone?).

    On top of this, "no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements" (from article cited below).

    Does it really sound like the EU is looking after its citizens' interests or bowing down to pressure by the US?

    For more arguments against the proposal, see TACD Statement on U.S. Department of Commerce Draft International Safe Harbor Privacy Principles and FAQs [tacd.org].

  • by 575 ( 195442 )
    Protect consumers
    Commerce cannot be trusted
    Echelon? Hush, you!
  • Hey! You can't do that! CANADA defines itself as being not American. Find another identity :)
