Tech companies resist government attempts to broaden definition of 'personal information'
Think of all the ways you can be identified online. There’s the personal information you give up knowingly and voluntarily. And then there are the many unique identifiers that give you away whether you’re aware of them or not.
You probably know about your IP address, which for most people is a string of numbers assigned by their Internet service provider. In addition to identifying you to the sites you visit, your IP address discloses your general location, or “subnet,” and when combined with information about you from other sources, can pinpoint your home address, name, and other personal information.
(In a July 16, 2013, article, Network World’s JD Sartain describes various techniques and services that mask your IP address.)
I’m betting you know about tracking cookies, too. Many people block third-party cookies and delete their cookie files each time they close their browser. You’ll find instructions for doing both in this post from back in March 2011. In a nutshell, Firefox’s privacy settings are at Options > Privacy, and Chrome’s privacy options are at Settings > Show advanced settings > Privacy.
There’s another tracking technique called browser fingerprinting that Ntrepid chief scientist Lance Cottrell explains in a February 17, 2015, article on Network World. Related to browser fingerprinting is canvas fingerprinting, which relies on the Canvas element in HTML5. Canvas is intended for displaying graphics and animations on a page using JavaScript, as explained in a post on BrowserLeaks. Because each computer renders graphics in a unique way based on its specific components and configuration, Canvas data can be used by a site to identify the machine – and you.
A new method of tracking people who use web sites is audio fingerprinting, which a group of Princeton researchers discovered as part of a broader study of web trackers (pdf). In a May 19, 2016, article, TechCrunch’s Natasha Lomas explains that the technique “fingerprints” your machine based on its audio stack, which it accesses via the AudioContext API. Rather than recording sound or gathering sound files on the machine, audio fingerprinting creates a unique audio signature that can be used by web trackers to follow you around the Internet.
Audio fingerprinting isn’t common, but anti-tracking tools such as the free Ghostery browser extension don’t identify or report it. The arms race between web/mobile trackers on one side and anti-tracking countermeasures on the other shows no signs of abating. New ways of identifying people who use the Internet and mobile phones pop up faster than, well, pop-ups.
Privacy-protecting efforts meet stiff, deep-pockets opposition from business interests
The U.S. Federal Trade Commission has been leading the government’s attempts to extend privacy protections to “persistent identifiers” such as your IP address. Yet the FTC has stopped short of reclassifying such identifiers as “personally identifiable information,” the same as your name, home address, and email address, as Lindsey Tonsager of Covington & Burling LLP writes in an April 30, 2016, article on National Law Review.
The FTC’s guidance on enforcing the Children’s Online Privacy Protection Act offers this definition of “personal information”:
The amended Rule defines personal information to include… [a] persistent identifier that can be used to recognize a user over time and across different websites or online services….
While stopping short of reclassifying “persistent identifiers” as personal information in the 2012 report entitled Protecting Consumer Privacy in an Era of Rapid Change (pdf), the FTC stated that the same privacy protections apply whenever the information “can be reasonably linked to a specific consumer, computer, or other device.” As Tonsager notes, this approach is in direct conflict with federal court interpretations of privacy statutes, such as the Cable Communications Policy Act of 1984 (Klimas v. Comcast Cable Communications, Inc., Case No. 02-CV-72054-DT, 2003 WL 23472182, *5 - E.D. Mich. July 1, 2003, and Pruitt v. Comcast Cable Holdings, LLC, 100 Fed. Appx. 713, 716 - 10th Cir. 2004).
Treating persistent identifiers with less care than “personally identifiable information” takes the onus off businesses, which would be required to extend privacy protections to IP addresses and other persistent identifiers if the definition of “personally identifiable information” were to be broadened.
FCC chairman takes heat for saying ‘it’s your data’
It’s no surprise that a group representing the interests of the information technology industry would rail against any limitation on the collection and unfettered use of the personal information of their Internet and mobile customers. In an April 27, 2016, article on Forbes, Doug Brake, an analyst for the Information Technology and Innovation Foundation, claims the ISPs that are now treated as common carriers by the FCC aren’t privy to their customers’ personal information. Brake asserts that increased use of encryption by consumers prevents ISPs from knowing what their customers are up to.
In fact, ISPs still have many ways to track the web and mobile activities of their customers, even when they enable encryption. The Electronic Frontier Foundation’s Jacob Hoffman-Andrews writes in a March 7, 2016, post that Verizon recently signed an agreement with the FCC requiring that the company get the explicit consent of its customers before injecting a “UIDH tracking header” into their web activities. Hoffman-Andrews notes that AT&T decided against using a unique ID header to track its customers in response to “customer outrage.”
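A subscriber can check for this kind of header injection by sending plain-HTTP requests, with cookies cleared, to an echo server they control and comparing what was sent with what arrived. The sketch below is an added example, not code from the article or from the EFF post; the host `echo.example`, the probe data and the identifier values are constructed, and `X-UIDH` is the header name the UIDH was carried under, which the article does not spell out.

```python
from collections import defaultdict

# Headers an ordinary proxy or CDN commonly adds; they describe the hop, not the subscriber.
BENIGN_ADDED = {"via", "x-forwarded-for", "x-forwarded-proto", "connection"}


def _lower(headers):
    """HTTP header names are case-insensitive, so compare them lowercased."""
    return {name.lower(): value for name, value in headers.items()}


def injected_headers(sent, received):
    """Return headers the echo server saw that the client never sent."""
    sent, received = _lower(sent), _lower(received)
    return {name: value for name, value in received.items()
            if name not in sent and name not in BENIGN_ADDED}


def persistent_injections(probes):
    """probes: list of (sent, received) header dicts from separate cookie-less requests.

    Returns the injected headers whose value was identical in every probe,
    i.e. the ones that could recognise the same subscriber over time.
    A single probe cannot show persistence, so it yields nothing.
    """
    if len(probes) < 2:
        return {}
    seen = defaultdict(list)
    for sent, received in probes:
        for name, value in injected_headers(sent, received).items():
            seen[name].append(value)
    return {name: values[0] for name, values in seen.items()
            if len(values) == len(probes) and len(set(values)) == 1}


# Constructed sample: what the client sent, and what the echo server reported back.
SENT = {"Host": "echo.example", "User-Agent": "probe/1.0", "Accept": "*/*"}
PROBES = [
    (SENT, {**SENT, "Via": "1.1 proxy-a", "X-UIDH": "CONSTRUCTED-ID-0001", "X-Request-Id": "r-1"}),
    (SENT, {**SENT, "Via": "1.1 proxy-b", "X-UIDH": "CONSTRUCTED-ID-0001", "X-Request-Id": "r-2"}),
    (SENT, {**SENT, "X-UIDH": "CONSTRUCTED-ID-0001", "X-Request-Id": "r-3"}),
]

if __name__ == "__main__":
    for name, value in persistent_injections(PROBES).items():
        print(f"persistent injected header: {name} = {value}")
```

A per-request header such as the constructed `X-Request-Id` is reported by `injected_headers` but dropped by `persistent_injections`, because its value changes between probes and so cannot link requests to one subscriber.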
ISPs have found many other surreptitious ways to follow their users around the web, such as hiding trackers in the “lower protocol layer” (TCP or IP, for example) by changing fields that are usually random to an agreed-upon value. Hoffman-Andrews points out that many of these tracking techniques can’t be detected from the outside, so ISPs need to be monitored to ensure the methods aren’t being used in violation of people’s privacy.
The ITIF’s Brake goes even further in criticizing the FCC’s plan, stating that the commission’s goal of giving consumers more control over their privacy will not be helped by the change in policy. The only result, according to Brake, is that ISPs will be limited in their ability to “responsibly experiment with new ways of supporting the expensive deployment and maintenance of broadband networks.”
Brake’s claims that consumers can opt out of tracking don’t jibe with reality. Has your ISP ever presented you with an option to opt out of tracking? You have to dig through a morass of legal boilerplate to find any such control. Yet Brake believes requiring that consumers opt in to tracking would “effectively kill the business case for ad-supported broadband, while doing nothing to change the choices consumers have.”
A more detailed analysis of the FCC’s reclassification of ISPs as common carriers is offered by K.C. Halm, Christin McMeley, John Seiver, and James M. Smith of Davis Wright Tremaine LLP in an April 27, 2016, article on JD Supra Business Advisor. The authors conclude that the change “would impose onerous and costly regulatory burdens on ISPs, while leaving much of the remaining online world free to operate under a significantly less restrictive regime.”
Excuse me if I fail to share the authors’ sympathy for the poor ISPs that would be subject to the same privacy regulations as telephone companies under the FCC’s proposal. Sen. Al Franken, D-Minn., defended the FCC’s plan when it came under attack by Republican senators at a recent hearing of the Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law. In particular, Franken pointed out that claims the new policy would stifle innovation are groundless. Law360’s Allison Grande reports on the hearing in a May 11, 2016, article.
The problem of unfettered tracking and personal data collection only gets worse when it comes to mobile phones. The Electronic Frontier Foundation’s Surveillance Self-Defense project warns that mobile phones “expose you to new kinds of surveillance risks – especially location tracking” while providing fewer privacy controls than are available on a PC. It’s also more difficult to prevent your service provider from tracking you on your mobile phone than doing so on a PC.
More tracking, more personal data collection, and fewer privacy controls – welcome to the future!