Long before the internet entered the public sphere as a means of communication and commerce, laws were enacted that provided for the privacy and safekeeping of personal information. The following chronology traces the history of privacy law from the final quarter of the twentieth century to the suggested actions of this year.
In the law that set the precedent for the coming years, Congress agreed that the federal government should have no secret system of record-keeping, and that whatever information it collected be relevant to a specific purpose, accurate, complete, and up-to-date. However, this law applies only to the federal government, and not directly to businesses, therefore rendering it less applicable to our current internet problems. Full text and resource for this law.
This act was the first law regarding the privacy of e-mail. The ECPA dealt with both the transmission and storage of digitized textual information (i.e. electronic mail), making it illegal to "intercept the non-voice portion of a wire communication such as the data or digitized portion of a voice communication," which includes e-mail. While the law was supposedly intended to prohibit providers of electronic communication services from disclosing the contents of communication that had been stored electronically without the lawful consent of the person who originated the communication, some argued that it also made governmental access to private e-mail simpler. Service providers were required to turn over private e-mail upon a government request, provided the government had "reasonable suspicion" of a person's involvement in a counterintelligence operation. As no judicial review was required for governmental requests, people had little protection for their personal e-mail should the government decide to summon it. Discussion of the ECPA.
Gelman wrote that users "should be aware of the following significant exceptions to the ECPA, however:
The Clipper Chip is a cryptographic device that would have been used as a means of providing stronger encryption while allowing the federal government "backdoor" access to the encrypted (and private) information. Government agents would be able to obtain the "keys" to decoding this information upon presentation of "legal authorization," a term whose specific requirements were never quite agreed upon. The "keys" would be held by two government escrow agents (using the principle of a "trusted third party" system). The Clipper Chip proposal suffered an immense backlash from organizations such as EPIC and CPSR. Additionally, other countries were wary of the Clipper Chip and its capacity to allow the U.S. government, but not the country that was sending or receiving the transmission, to decrypt information. In the end, the Clipper Chip was never implemented, and a definitive solution to the issue of encryption has yet to be reached. Full account of Clipper Chip debates.
Adopted by the EU, this directive dissolved most of the differences between member countries' privacy controls with regard to online and other data collection methods, implementing a specific set of rights for the flow and collection of personal information. Among the highlights of this directive are an individual's right to access information collected and know where it came from, their right to correct information, and their right to decline an organization's use of their personal information. As of yet, no comparable law exists in the United States. Further discussion of this law.
This law intends to allow much of the administrative transfer of personal records classically done manually and on paper to be converted to electronic format, storing databases of health insurance and other information online. Many privacy concerns stem from this act, including where the health care agencies using this "administrative simplification" will find sufficient encryption and privacy standards to adequately protect what many consider their most confidential information: medical records. Many people are in favor of storing medical information online, particularly in the case of children: if anything should happen to the child's primary caregiver or if the child should be far from home and need emergency medical care, his or her medical history could be easily accessed online. However, with this ease of access comes the increased need for security, a recurring theme in online information gathering. Comprehensive discussion and copy of the law.
This law, which went into effect several weeks ago, targets the collectors of information from children under the age of 13. This is probably the most proactive legislation yet taken on the issue of online privacy, requiring that sites aimed at the collection of children's personal information publish their privacy policy, obtain parental consent, and not give the information to a third party without additional parental consent. Parental consent is difficult to ensure (much like clicking the "I am over 18" button to enter a pornography site does not really ensure the viewer is over 18), but steps are being taken to more seriously address this issue, including proposals such as print-and-send via postal mail or facsimile consent cards, use of a credit card or toll-free telephone number, digital signature, or e-mail accompanied by a PIN or password. Fines for violation of this new law can be up to $11,000 for each violation, though enforcement is another difficult issue. As with most privacy law, individual lawsuits take a long time to compile, process, and take effect, while the site can go on collecting information from other children illegally in the meantime. Problems like this reflect the need for a better means of privacy law enforcement, but provide no additional clue to what manner of enforcement would be best suited to solving the problem. Complete Guide to COPPA.