New Initiatives

Privacy organizations are at the forefront of the fight against companies and governments to protect consumer privacy. As we have seen with just a sampling of the cases and initiatives that are underway, many fronts exist that require defending by privacy organizations. There are a number of new concerns, as well as positive defenses revolving around consumer information, that go beyond simple things such as spam e-mail and purchased information for direct mailings.

Chief Privacy Officer

One of the most positive changes in consumer privacy has been the emergence of the chief privacy officer (CPO) position in many large corporations. The goal of the CPO is to guide a company's privacy policies and practices. The need for a privacy officer has grown rapidly over the past couple of years and is the focus of attention because of the new laws that affect a company's policies regarding consumer information. Legal requirements are forcing many companies to comply or face penalties. We have discussed laws such as HIPAA and Gramm-Leach-Bliley that have definite requirements for protecting consumer information and penalties for non-compliance. Fear is also a driving factor behind the ascension of the CPO. Companies are afraid of lawsuits and laws that could affect their reputations and business practices. The CPO role is more of a policy role than a technology-implementation role.

Standards for the CPO role are still being developed, as are the requirements of the role. Some CPOs report to a director of compliance, whereas others report to the chief executive officer (CEO) or chief operations officer (COO). CPOs are former lawyers, marketing people, and compliance officers as well as people who have no experience in technology. Technology skills are not high on the list of requirements for the position; however, some of the requirements of the position include

  • Developing privacy taskforces from cross-functional groups

  • Making, coordinating, and implementing policy and activities

  • Monitoring company products and services for compliance with policies

  • Coordinating IT, management, and marketing departments

  • Conducting privacy audits

  • Training employees

  • Dealing with the media

  • Communicating legislation to management

  • Recommending privacy strategies and policies

  • Comparing the company's privacy policies with potential risks

  • Keeping up-to-date with technology issues

  • Managing a customer-privacy dispute and verification process

The role has spawned the Association of Chief Privacy Officers (http://www.pandab.org), a professional group for CPOs. Privacy issues have also spawned the Privacy Leadership Initiative, an alliance to study consumer privacy issues and lay out voluntary guidelines. The group will work with the New York-based Direct Marketing Association on a three-year, multimillion-dollar publicity blitz to convince consumers that their data is safe. CPOs are playing a prominent role in such initiatives. Doubleclick, one of the companies that has been in the news and in the courts over privacy issues, filled its CPO role after the FTC and several states started to investigate it. AT&T's CPO had a hand in denying a deal that would compromise consumer data through a retail company partnership.

There are many potential and real problems with the CPO role, however. The main problem is that of actual authority to accomplish the privacy needs of a company. If the role is not invested with the proper authority, the company will not be capable of complying with laws and consumer pressures. The technological challenges are another obstacle the CPO must face. Even if the policies are in place, the implementers of the technology can make mistakes or even not comply with the company's policies without the CPO knowing or understanding how technology is compromising consumer information.

The CPO has no baseline from the government to follow to achieve consumer privacy. The few laws passed on privacy issues do not address the guidelines necessary for the CPO to be successful. U.S. senators on the Commerce, Science, and Transportation Committee have been debating how to best implement privacy safeguards but can't come to a consensus on whether businesses should be required to seek consent, or "opt in," from users before collecting and sharing personal information.

Key areas of contention that must be addressed before online privacy legislation is adopted include the following:

  • The ability to sue, or "private right of action"—Consumers need the ability to sue businesses that violate privacy rules as a means of ensuring that businesses comply with the law.

  • Online versus offline rules—Offline merchants that do not require opt-in or opt-out choices should face the same rules as online merchants that need opt-in or opt-out choices from users.

  • Federal preemption of state laws—States are free to adopt tougher privacy rules unless Congress says otherwise.

Other government agencies are facing the same dilemma: determining the best method of protecting consumer privacy. If corporate self-regulation doesn't work with the help of the CPO roles in many leading organizations, the government will be forced to come to some compromise that might not be in the best interests of consumers or corporations, as is typically the case with government intervention.

Privacy is stated as one of the roadblocks to successful e-commerce, yet consumers sometimes seem to not care at all about their privacy and assume it is a lost cause. The CPO role is evolving into a police role as well as a strategic role. When consumers do not understand how their privacy can be compromised and when it is inappropriate for a company to require information, the CPO has to step in and defend the consumers' rights. A CPO might not be necessary in all organizations; those companies that already have a CPO tend to be organizations that collect a lot of information about the consumer, including such things as credit card information and shopping preferences. In addition, diverse businesses, such as financial institutions and insurance companies, are finding the need for a CPO role. The public only seems to hear the stories about the small companies, such as dot.coms, that have privacy compromises or sell consumer data to get cash for the failing business. Government actions have not been targeted at the smaller players; recent regulations have affected the financial, insurance, and medical industries, where most of the CPO roles have been filled.

Some other notable companies that have installed a CPO role include IBM, Zero Knowledge Systems, Earthlink, and American Express. With such companies leading the way, the CPO role is becoming a reality in more and more companies, even down to small shops that are very concerned about consumer privacy. For companies that rely heavily on consumer personal information, the CPO can be a roadblock to doing business. If the company wants to sell consumer information or do mass marketing with information that goes against its policies, the CPO must step in and uphold the company's policies. The result of installing CPOs has not yet been fully realized. As more companies fill the role, we will see if it affects consumer privacy and helps companies comply with the laws being passed.

Internet Blocking

Internet blocking refers to software that has been designed to sort and filter content on the Internet. Its main focus has been the capability to block pornography. It's also called filtering software or censorware. Because each state or country has its own set of laws, such software has to work within the guidelines set up by the local authorities, whether they are governmental or societal. Several laws are in progress that would require censorship software in schools and libraries; if libraries and schools are not in compliance, they would lose funding from the government. The Children's Online Protection Act & Neighborhood Children's Online Protection Act make such software a requirement. Organizations such as the EFF are vigorously protesting these acts and calling for public support. Even SurfControl, maker of the Cyber Patrol blocking software, issued a statement against Massachusetts's attempt to make such software mandatory in public libraries. In the case of Multnomah Public Library v. U.S., the plaintiffs, a diverse group of public libraries, library associations, library patrons, and Internet authors and publishers, seek injunctive and declaratory relief against provisions of the Children's Internet Protection Act, as it relates to blocking software. CHIPA requires all public libraries that participate in certain federal programs to install and enforce blocking software. The software is supposed to filter obscene, child pornographic, or harmful materials a minor can access.

Rather than affecting consumer privacy directly, blocking software restricts the consumer's right to choose. This type of software faces right to free speech arguments from opponents. In public facilities, laws are being designed to tell consumers what they can and can't see. Many of the organizations mentioned previously have come out with strong statements and protests against the use of blocking software in public places.

Laws passed requiring blocking technology face many problems. Congress requires such technologies in schools and libraries, but those against such use of technology say that the technology is just not ready or capable of performing the necessary blocking. Several reasons given include the following:

  • Underblocking—No blocking technology is sophisticated enough to block even half of the pornography and explicit sites.

  • Overblocking—Blocking technology can't filter correctly to just restrict pornography. Legitimate sites also get blocked, which can infringe on free speech rights and civil liberties. Informative and useful sites can get blocked because of the inadequacies of such technology.

  • "Expert" control—Average consumers will require expert help to use the software. Companies will decide what the consumer can and can't see.

  • Subjective—No specific guidelines exist for what should be blocked. Blocked sites are purely subjective. It is hard to customize the software to meet the specific needs of different groups of people.

  • Error-Prone—Frequent errors occur in the software and in the sites being blocked. Blocking sites is more art than science.

  • Censorship—Government-mandated censorship is in direct conflict with the U.S. Constitutional guarantees to free expression and freedom of association and can be challenged by any of the advocate groups.

  • Discrimination—Blocking can unfairly discriminate against whole communities of people accessing, publishing, or broadcasting on the Internet; there is no customization of who can see what material, or even by geographic location.

  • Vulnerable—The technology can easily be bypassed.

  • Problematic—Technical problems can occur with this type of software during installation, maintenance, upgrades, and removal. This would negatively affect the use of the Internet in public places.

  • Focus—Having software attempt to monitor children's activities is probably not the best way to educate children about what is right and wrong.

The following paragraphs describe some blocking software.

X-Stop (http://www.xstop.com), shown in Figure 3.7, has both client and server software and charges a yearly fee for the product.

Figure 3.7 Xstop administration screen.

Cyber Patrol (http://www.surfcontrol.com), shown in Figure 3.8, is one of the more popular filter programs. Each year of service has some cost associated with it. Surf Control also has a version for education sites.

Figure 3.8 Cyber Patrol administration screen.

Bair (http://www.thebair.com), shown in Figure 3.9, is another filter program.

Figure 3.9 Bair administration screen.

We-Blocker (http://www.we-blocker.com), shown in Figure 3.10, is yet another filtering program.

The Censorware Project (http://censorware.net/), formed by a group of writers and activists in late 1997, is an anti-filtering advocacy group. This advocacy group analyzes Internet blocking software, decrypting and listing the sites blocked by these programs. These products block Internet users from receiving information, but the lists of sites blocked by each product are closely guarded secrets of the companies. Censorware programs take this blocking technology to the next level by censoring what information is sent out from your computer through mediums such as e-mail. Censorware programs rely on automated aids such as spiders to review the Web for controversial material, but they do need human intervention because many such programs inadvertently block valid sites. Sites blocked by censorware have no idea that they are blocked, so legitimate sites would never know they were blocked unless they researched what the products block or people tell them they can't reach their sites. The Censorware Project found that the Utah Education Network's Internet "filtering" software blocked various sites offering information on safe-sex practices, legal issues concerning homosexuality, and the U.S. Constitution. As with other blocking programs, censorware faces court battles over freedom of speech.

Figure 3.10 We-Blocker administration screen.

Privacy Pledge

The Privacy Coalition—a nonpartisan coalition of consumer, civil liberties, educational, library, labor, and family-based groups—launched a government-targeted initiative in February 2001 that is aimed at setting standards for privacy laws in the future. "The Privacy Pledge" is a document that the coalition urges federal and state government legislatures to sign to show their support for consumer privacy friendly laws. Members of the coalition include the American Association of Law Libraries, American Library Association, American Civil Liberties Union (ACLU), Center for Media Education, Consumer Federation of America, and Consumers Union.

The pledge that the coalition developed is in the following sidebar.

The Privacy Pledge

Privacy is one of America's most fundamental values.

The Fourth Amendment states that "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." In addition, the U.S. has adopted many laws protecting Americans from privacy invasive practices by both the public and private sectors.

Recognizing the need to protect this essential freedom, I, (insert Member's name), pledge to my constituents in (State and District) and to the American people that I will support a privacy framework to safeguard the rights of Americans in this information age.

This framework includes:

  1. the Fair Information Practices: the right to notice, consent, security, access, correction, use limitations, and redress when information is improperly used,

  2. independent enforcement and oversight,

  3. promotion of genuine Privacy Enhancing Technologies that limit the collection of personal information and legal restrictions on surveillance technologies such as those used for locational tracking, video surveillance, electronic profiling, and workplace monitoring, and

  4. a solid foundation of federal privacy safeguards that permit the private sector and states to implement supplementary protections as needed.

Platform for Privacy Preferences Project

The Platform for Privacy Preferences Project (P3P) is a new industry standard providing a simple, automated way for users to control information that is given to Web sites they visit. P3P covers a Web site's privacy policy with a number of multiple-choice questions. The answers give users of the site an understanding of how the Web site handles user information. P3P enables an automated process that can be used by applications to determine the privacy policy of a site. P3P-enabled browsers can "read" the answers about the privacy policy and compare the policy to user preferences. One of the problems consumers face is the inability to understand the legal language many privacy policies have or even understand what simple language policies actually mean. P3P might be the solution to giving users an understanding of what actually happens to their information. The machine-readable syntax of P3P automates and provides a guideline for future policy statements and promotes a standard for policy creation.

P3P is an industry self-regulation effort that has not gotten much support from federal legislatures. Government lawmakers remain unconvinced that P3P will be enough to regulate privacy policies and secure consumer information. One major contributor to the P3P push is Microsoft. In Internet Explorer 6, support for P3P will be built in. With P3P, users can configure their browsers to automatically determine whether a Web site collects personally identifiable information and creates profiles. Users can use the browser to opt in or opt out of information collection. P3P will be used to check advertisements' network privacy policies. If the policies are not in compliance with user preferences, the ads will not be capable of placing cookies on the user's system. Because ads require cookies, most leading ad networks will comply with P3P and IE standards. As P3P takes off, many companies will be out of compliance and will not be capable of using cookies and gathering consumer information. Netscape will also support P3P in its browser.

Microsoft and Netscape will face a number of challenges with promoting P3P in their browsers. The capability to manage cookies will be the first. Cookies enable a lot of Web site functionality as well as store information for ad networks. If users can't understand how to manage cookies with the new capabilities provided by their browsers, they could lose functionality on a number of Web sites. The browser will automatically be capable of reading the privacy policies associated with cookies. The browser can then block or allow cookies, much the same as programs such as CookiePal can do, but extra software will not need to be installed. The new browser will enable users to use a lever to set their browsers to one of five settings, ranging from a low to high level of privacy protection. Ease of use is always a major stumbling block for any new technology. Another problem all industries face is the fact that governments will still become involved in privacy issues and pass laws that could adversely affect companies and how they handle consumer information. P3P has not proven that it can be the end-all solution to privacy policies and ensure information collected from consumers is justified and secured. A future obstacle for P3P might be the capability of new technology to get around the controls installed with P3P. This is almost a certainty given how quickly technology progresses. EPIC has come out with criticisms of P3P and the way Microsoft is using it, specifically that not enough has been done to protect consumer information.
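The policy check described above, a browser reading a site's machine-readable policy and comparing it with the user's preference before allowing a cookie, is sketched here as an added example; it is not code from the book or from any browser. The token names come from the compact-policy syntax of the W3C P3P 1.0 specification; the decision rules, the `prefs` object and the sample header values are assumptions made for illustration.

```javascript
// Added example: simplified P3P compact-policy check for a cookie decision.
// Token vocabularies follow the W3C P3P 1.0 compact-policy syntax.
const PURPOSE = new Set(["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"]);
const RECIPIENT = new Set(["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"]);
const OTHER = new Set([
  "NOI", "ALL", "CAO", "IDC", "OTI", "NON",   // access
  "DSP", "COR", "MON", "LAW", "NID", "TST",   // disputes, remedies, non-identifiable, test
  "NOR", "STP", "LEG", "BUS", "IND",          // retention
  "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
  "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC", // data categories
]);
// Assumption: data categories this example treats as personally identifying.
const IDENTIFYING = ["PHY", "ONL", "GOV", "FIN"];
// Assumption: purposes and recipients that need no consent in this example.
const BENIGN = new Set(["CUR", "ADM", "DEV", "TAI", "OUR", "DEL"]);

// Parse the value of a "P3P:" response header into token groups.
// Purpose and recipient tokens may carry a consent suffix:
// a = always (the default), i = opt-in, o = opt-out.
function parseCompactPolicy(headerValue) {
  const m = /\bCP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return null;
  const policy = { purposes: new Map(), recipients: new Map(), flags: new Set(), unknown: [] };
  for (const raw of m[1].trim().split(/\s+/).filter(Boolean)) {
    const base = raw.slice(0, 3).toUpperCase();
    const suffix = raw.slice(3).toLowerCase();
    const suffixValid = /^[aio]?$/.test(suffix);
    if (raw.length === 3 && OTHER.has(base)) policy.flags.add(base);
    else if (PURPOSE.has(base) && suffixValid) policy.purposes.set(base, suffix || "a");
    else if (RECIPIENT.has(base) && suffixValid) policy.recipients.set(base, suffix || "a");
    else policy.unknown.push(raw); // not a compact-policy token
  }
  return policy;
}

// Does the site's declared consent model satisfy what the user requires?
function consentOk(suffix, required) {
  if (required === "opt-in") return suffix === "i";
  return suffix === "i" || suffix === "o"; // "opt-out": either choice model is enough
}

// prefs (hypothetical): { thirdParty: boolean, consent: "none" | "opt-out" | "opt-in" }
// The policy is the site's own declaration; this verifies what the site
// states, not what the site actually does with the data.
function decideCookie(headerValue, prefs) {
  if (prefs.consent === "none") return { action: "accept", reason: "user accepts all cookies" };
  const p = parseCompactPolicy(headerValue);
  // Fail closed: missing, empty, test-only or unparseable policies are unusable.
  const usable = p && p.unknown.length === 0 && !p.flags.has("TST") &&
    p.flags.size + p.purposes.size + p.recipients.size > 0;
  if (!usable) {
    return prefs.thirdParty
      ? { action: "block", reason: "no usable compact policy" }
      : { action: "accept", reason: "first-party cookie without usable policy" };
  }
  if (p.flags.has("NID")) return { action: "accept", reason: "policy declares no identifiable data" };
  if (!IDENTIFYING.some((c) => p.flags.has(c))) {
    return { action: "accept", reason: "no identifying data category declared" };
  }
  for (const [token, suffix] of [...p.purposes, ...p.recipients]) {
    if (!BENIGN.has(token) && !consentOk(suffix, prefs.consent)) {
      return { action: "block", reason: `${token} declared without ${prefs.consent} consent` };
    }
  }
  return { action: "accept", reason: "declared practices match user preference" };
}

// Constructed sample header values (not captured from real sites).
const SAMPLES = [
  'CP="NOI DSP COR NID CUR ADM DEV OUR BUS"',
  'CP="CAO PSA OUR ONL"',
  'CP="CAO PSAo OUR ONL"',
  'CP="This is not a P3P policy"',
];
for (const h of SAMPLES) {
  const d = decideCookie(h, { thirdParty: true, consent: "opt-out" });
  console.log(`${h} -> ${d.action} (${d.reason})`);
}
```

The fourth sample shows why unrecognised tokens are treated as no policy at all: a header that merely exists says nothing a browser can evaluate.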

European Union Privacy Laws

The EU has come out with very strong privacy standards regarding consumer information. The European Union's comprehensive privacy legislation, the Directive on Data Protection (the Directive), became effective on October 25, 1998. Only recently have the laws of the EU begun to impact other countries, namely the United States. The strict laws of the Directive require that transfers of personal data take place only to non-EU countries that provide an "adequate" level of privacy protection. The problem U.S. companies are facing with the stringent mandates of the Directive is that the United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation, which does not meet all the requirements of the EU.

One of the points of the Directive states that consumers must have access to data collected about them and have the opportunity to destroy or change such data. U.S. companies can't as yet fulfill this requirement on a wide-scale basis, and the exchange of such data across international borders will become a problem. The most affected of the industries is the financial sector. The U.S. Gramm-Leach-Bliley Act requires financial institutions, including insurance companies, brokerages, and banks, to let customers opt out of potential data-sharing practices among those three parties but is not as strict as the EU laws.

Along with the Directive, the EU and the U.S. have developed Safe Harbor. Safe Harbor is an arrangement negotiated by the Department of Commerce and the EU in which companies agree to abide by a set of guidelines dealing with the transfer of data. No legal requirements exist; this is a self-regulatory mechanism supported by both governments and a number of large, influential corporations. Microsoft, Intel, Hewlett-Packard, and Procter and Gamble have recently pledged to provide European-grade privacy protection to their customers in the United States and around the world along with 69 other companies. Safe Harbor will help U.S. companies comply with EU privacy laws and give them the right to transfer EU citizen information to the U.S.

The Safe Harbor principles are outlined in the following sidebar.

Safe Harbor Privacy Principles
Issued by the U.S. Department of Commerce on July 21, 2000

NOTICE: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party(1).

CHOICE: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

ONWARD TRANSFER: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it might do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

DATA INTEGRITY: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization might not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

ACCESS: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

U.S. Laws

In addition to the laws we have already mentioned, such as COPA, Gramm-Leach-Bliley, and HIPAA, a number of proposals for new laws regarding consumer information and privacy are before the various state and federal legislatures. The following list describes some of the numerous proposals for laws and regulations that are pending:

  • H.R.89 Online Privacy Protection Act of 2001—Requires the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998 on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes. Sponsor: Rep. Rodney P. Frelinghuysen, R-NJ. Latest major action: 1/3/2001 referred to House Energy and Commerce Committee.

  • H.R.90 Know Your Caller Act—A bill to amend the Communications Act of 1934 to prohibit telemarketers from interfering with the caller identification service of any person to whom a telephone solicitation is made and for other purposes. Sponsor: Rep. Rodney P. Frelinghuysen, R-NJ. Latest major action: 3/12/2001 House preparation for floor.

  • H.R.91 Social Security On-line Privacy Protection Act—Regulates the use by interactive computer services of Social Security account numbers and related personally identifiable information. Sponsor: Rep. Rodney P. Frelinghuysen, R-NJ. Latest major action: 1/3/2001 referred to House Energy and Commerce Committee.

  • H.R.95 Unsolicited Commercial Electronic Mail Act of 2001—Protects individuals, families, and Internet service providers from unsolicited and unwanted electronic mail. Sponsor: Rep. Gene Green, D-TX (introduced 1/3/2001). Latest major action: Referred to House Committees on Energy and Commerce and House Judiciary.

  • H.R.199 Law Enforcement Officers Privacy Protection Act—Amends rule 26 of the Federal Rules of Civil Procedure to provide for the confidentiality of a personnel record or personal information of a law enforcement officer. Sponsor: Rep. John E. Sweeney, R-NY (introduced 1/3/2001). Latest major action: Referred to House Judiciary Committee.

  • H.R.220 Identity Theft Protection Act of 2001—Amends title II of the Social Security Act and the Internal Revenue Code of 1986 to protect the integrity and confidentiality of Social Security account numbers issued under such title to prohibit the establishment in the federal government of any uniform national identifying number and to prohibit federal agencies from imposing standards for identification of individuals on other agencies or persons. Sponsor: Rep. Ron Paul, R-TX. Latest major action: 1/3/2001 referred to House Ways and Means and House Government Reform Committees.

  • H.R.232 Telemarketing Victims Protection Act—Amends the Telemarketing and Consumer Fraud and Abuse Prevention Act to authorize the Federal Trade Commission to issue new rules regulating telemarketing firms, and for other purposes. Sponsor: Rep. Peter T. King, R-NY (introduced 1/6/2001). Latest major action: Referred to House Committee on Energy and Commerce.

  • H.R.237 Consumer Internet Privacy Enhancement Act—Protects the privacy of consumers who use the Internet. Sponsor: Rep. Anna G. Eshoo, D-CA (introduced 1/20/2001). Latest major action: 1/20/2001 referred to House Committee on Energy and Commerce.

  • H.R.260 Wireless Privacy Protection Act of 2001—Requires customer consent to the provision of wireless call location information. Sponsor: Rep. Rodney P. Frelinghuysen, R-NJ. Latest major action: 1/30/2001 referred to House Committee on Energy and Commerce.

  • H.R.333 Bankruptcy Abuse Prevention and Consumer Protection Act of 2001—Amends title 11, United States Code, and for other purposes. Sponsor: Rep. George W. Gekas, R-IA. Latest major action: 3/5/2001 received in the Senate. Read twice. Placed on Senate Legislative Calendar under General Orders. Calendar No. 17.

  • H.R.347 Consumer Online Privacy and Disclosure Act—Requires the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals on the Internet, to provide greater individual control over the collection and use of that information, and for other purposes. Sponsor: Rep. Gene Green, D-TX. Latest major action: 1/31/2001 referred to House Committee on Energy and Commerce.

  • H.R.583 Privacy Commission Act—Establishes the Commission for the Comprehensive Study of Privacy Protection. Sponsor: Rep. Asa Hutchinson, R-AR. Latest major action: 2/13/2001 referred to House Committee on Government Reform.

  • H.R.733 Parent-Child Privilege Act of 2001—Amends the Federal Rules of Evidence to establish a parent child privilege. Sponsor: Rep. Robert E. Andrews, D-NJ. Latest major action: 2/27/2001 referred to House Judiciary Committee.

  • H.R.1017 Anti-Spamming Act of 2001—Prohibits the unsolicited e-mail known as spam. Sponsor: Rep. Bob Goodlatte, R-VA. Latest major action: 3/14/2001 referred to House Judiciary Committee.

  • H.R.1158 National Homeland Security Agency Act—Establishes the National Homeland Security Agency. Sponsor: Rep. William (Mac) Thornberry, R-TX. Latest major action: 3/21/2001 referred to House Committee on Government Reform.

  • H.R.1176 Fair Credit Reporting Act Amendments of 2001—Amends the Fair Credit Reporting Act to protect consumers from the adverse consequences of incomplete and inaccurate consumer credit reports, and for other purposes. Sponsor: Rep. Harold Ford, Jr., D-TN. Latest major action: 3/22/2001 referred to House Committee on Financial Services.

  • H.R.1215 Medical Information Protection and Research Enhancement Act of 2001—Ensures confidentiality with respect to medical records and health care–related information, and for other purposes. Sponsor: Rep. James C. Greenwood, R-PA. Latest major action: 3/27/2001 referred to House Committee on Energy and Commerce and House Judiciary Committee.

  • H.R.1259 Computer Security Enhancement Act of 2001—Amends the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes. Sponsor: Rep. Constance A. Morella, R-MD. Latest major action: 3/28/2001 referred to House Committee on Science.

  • H.R.1292 Homeland Security Strategy Act of 2001—Requires the president to develop and implement a strategy for homeland security. Sponsor: Rep. Ike Skelton, D-MO. Latest major action: 3/29/2001 referred to House Committees on Armed Services, Judiciary, Transportation and Infrastructure, and the Select Committee on Intelligence.

  • H.R.1408 Financial Services Antifraud Network Act of 2001—Safeguards the public from fraud in the financial services industry, streamlines and facilitates the antifraud information sharing efforts of federal and state regulators, and other purposes. Sponsor: Rep. Mike Rogers, R-MI. Latest major action: 4/4/2001 referred to House Committees on Agriculture, Financial Services, and Judiciary.

  • H.R.1478 Personal Information Privacy Act of 2001—Protects the privacy of the individual with respect to the Social Security number and other personal information, and for other purposes. Sponsor: Rep. Gerald D. Kleczka, D-WI. Latest major action: 4/4/2001 referred to House Committees on Financial Services and Ways and Means.

  • H.R.1543 Civil Rights and Employee Investigation Clarification Act—Amends the Fair Credit Reporting Act to exempt certain communications from the definition of consumer report, and for other purposes. Sponsor: Rep. Pete Sessions, R-TX. Latest major action: 4/24/2001 referred to House Committee on Financial Services.

  • H.R.1655 Personal Pictures Protection Act of 2001—Amends title 18, United States Code, to punish the placing of sexually explicit photographs on the Internet without the permission of the persons photographed. Sponsor: Rep. Mark Green, R-WI. Latest major action: 5/1/2001 referred to House Judiciary Committee.

  • H.R.1846 Who Is E-Mailing Our Kids Act—Amends section 254 of the Communications Act of 1934 to require schools and libraries receiving universal service assistance to block access to Internet services that enable users to access the World Wide Web and transfer electronic mail in an anonymous manner. Sponsor: Rep. Felix J. Grucci, Jr., R-NY. Latest major action: 5/22/2001 referred to House Subcommittee on Energy and Commerce.

  • H.R.1847 Hands Off Our Kids Act of 2001—Requires the attorney general to identify organizations that recruit juveniles to participate in violent and illegal activities related to the environment or to animal rights, and to amend the Juvenile Justice and Delinquency Prevention Act of 1974 to provide assistance to states to carry out activities to prevent the participation of juveniles in such activities. Sponsor: Rep. Felix J. Grucci, Jr., R-NY. Latest major action: 5/15/2001 referred to House Committee on Education and the Workforce and the House Judiciary Committee.

  • H.R.1854 Parental Freedom of Information Act—Amends the General Education Act to allow parents access to certain information about their children. Sponsor: Rep. Todd Tiahrt, R-KS. Latest major action: 5/15/2001 referred to House Committee on Education and the Workforce.

  • H.R.1877 Child Sex Crimes Wiretapping Act of 2001—Amends title 18, United States Code, to provide that certain sexual crimes against children are predicate crimes for the interception of communications, and for other purposes. Sponsor: Rep. Nancy L. Johnson, R-CT. Latest major action: 5/16/2001 referred to House Judiciary Committee.

  • H.R.2031 Consumer Credit Report Accuracy and Privacy Act of 2001—Amends the Fair Credit Reporting Act to enable any consumer to receive a free credit report annually from any consumer reporting agency. Sponsor: Rep. Lucille Roybal Allard, D-CA. Latest major action: 5/25/2001 referred to House Committee on Financial Services.

  • H.R.2036 Social Security Number Privacy and Identity Theft Prevention Act of 2001—Amends the Social Security Act to enhance privacy protections for individuals, to prevent fraudulent misuse of the Social Security account number, and for other purposes. Sponsor: Rep. E. Clay Shaw, Jr., R-FA. Latest major action: 5/25/2001 referred to House Committees on Financial Services, Energy and Commerce, and Ways and Means.

  • H.R.2135 Consumer Privacy Protection Act—Protects consumer privacy. Sponsor: Rep. Tom Sawyer, D-OH. Latest major action: 6/18/2001 referred to House Subcommittee on Energy and Commerce.

  • H.R.2136 Confidential Information Protection Act—Protects the confidentiality of information acquired from the public for statistical purposes. Sponsor: Rep. Tom Sawyer, D-OH. Latest major action: 6/12/2001 referred to House Committee on Government Reform.

Federal Bureau of Investigation

Although the FBI certainly can't be called a new initiative, it has taken on a modified or even "new" role in computer security and privacy. The role of the FBI has traditionally been criminal investigations, but the rise of Internet hacking has spawned new skills and responsibilities for the agency. Within government enforcement agencies, there is a conflict between a centralizing tendency, which would set uniform standards and link "intrusion detection" monitoring for all government and private systems, and the current decentralized self-regulation of the industry as the means of protecting consumer information from unwanted dissemination. Security requirements vary greatly among government systems, business systems, and consumer systems, and government agencies have not come up with reliable or acceptable standards that address this issue.

Government agencies such as the FBI have increased spending on research and manpower to combat threats to privacy and security. They have also helped fund the education of new information security professionals, assisted in the development of best security testing procedures, and encouraged systems security improvements. Yet we see a rise in Internet hacking and information theft. The lack of standards and of quantifiable metrics for what types of compromises and invasions have taken place contributes to the trend toward more government intervention in security matters and law enforcement.

In association with the FBI, agencies such as the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) are attempting to define processes and standards for information protection and system protection to help both private industry and government sectors. The changing role of the FBI might cause long-term conflicts that have not been discussed to date, but for now, the FBI has taken the spotlight in many hacking cases and has become more publicly involved in computer security.

The FBI has appeared in many news stories for its prosecution of well-known hacker cases. The latest is the arrest of the Russian programmer Dmitry Sklyarov at the DefCon convention in Las Vegas in July 2001. He was arrested on charges of criminal copyright violations, which sparked protests from privacy advocacy groups and the security/hacker community. Sklyarov developed a crack for Adobe's Ebook and was charged under the Digital Millennium Copyright Act. "The U.S. government for the first time is prosecuting a programmer for building a tool that may be used for many purposes, including those that legitimate purchasers need in order to exercise their fair-use rights," said Robin Gross, an attorney with the EFF.

The FBI has also made prominent headlines with its DCS1000 tool (originally called Carnivore), which can capture a lot of user data and information that travels over the Internet from the ISP location. Not only does the program capture data for the suspect under investigation, but other user information is also captured. This is taking the "monitoring" role of the FBI to a new level in Internet security. Advocacy groups and public officials are questioning the FBI's extended capabilities. House Majority Leader Dick Armey said in a letter to Attorney General John Ashcroft, "I respectfully ask that you consider the serious constitutional questions Carnivore has raised and respond with how you intend to address them. This is an issue of great importance to the online public."

After the terrorist attacks in the U.S. on September 11, 2001, the FBI was granted more leeway in its use of DCS1000 and has gotten more cooperation from ISPs in capturing and turning user information over to the government. Both AOL and Earthlink have cooperated to track terrorist activities using their systems.

The USA Patriot Act makes it even easier to use DCS1000. This act gives federal authorities much wider capabilities in monitoring Internet use and expands the way such data is shared among government agencies. Even though this bill was passed to track down terrorists, it by no means restricts investigations to terrorists. It can easily be applied to anyone or any organization.

The FBI's more active role in prosecuting criminal hacking has led to it working with more corporations to track and prosecute hackers. However, most corporations still don't want to admit that they have been hacked and need help from the FBI. Corporations have always been very sensitive about letting the public know that they suffered a break-in and that consumer information such as credit card numbers or Social Security numbers could have been stolen. One of the reasons companies give for not notifying the FBI of a break-in is that the FBI can't guarantee that the information collected is limited to what is absolutely necessary for prosecution and that information will not be shared without the proper consent of the corporation. The government tends to make mandatory requirements without much notice and forces private industry to comply without warning. The FBI can provide many services regarding information protection, but the history of government involvement, and specifically FBI involvement, has caused private industry to be very leery of any help. The DCS1000 case illustrates the capability of the FBI to garner consumer information even when there is no ongoing investigation. To alleviate the fears of private industry, the government must justify both the purpose and the use of information-gathering tools and clearly define how it will protect consumer information.
