Public Comments: April 2012 – WPF asks that the full Consumer Privacy Bill of Rights be applied to MS Process
WPF filed two sets of comments with the US Department of Commerce regarding the MultiStakeholder Process and the privacy topics to be taken up. The first set of comments were WPF’s formal filing of the joint Civil Society MultiStakeholder Principles on behalf of WPF and the American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers’ Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers’ League, Privacy Rights Clearinghouse, and US PIRG. The second set of comments were WPF’s own comments to the Department. WPF urged the Department to employ a fair process, choose focused topics, and to apply the full range of the Consumer Privacy Bill of Rights to each topic.
or Read comments below
Comments of the World Privacy Forum
Department of Commerce, National Telecommunications and Information Administration MultiStakeholder Process To Develop Consumer Data Privacy Codes of Conduct, RIN 0660–XA27
Via email to email@example.comNational Telecommunications and Information Administration,
U.S. Department of Commerce,
1401 Constitution Avenue NW.,
Room 4725, Washington, DC 20230
April 2, 2012
The World Privacy Forum appreciates the opportunity to respond to the National Telecommunications and Information Administration’s request for comments on substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of those codes. The request for comments appeared in the Federal Register on March 5, 2012 at 77 Federal Register 13098, http://www.ntia.doc.gov/files/ntia/publications/fr_privacy_rfc_notice_03052012_0.pdf.
The World Privacy Forum is a US-based nonprofit, non-partisan public interest research group, with a focus on research and analysis of privacy issues, along with consumer education. For more information on WPF activities, see generally http://www.www.worldprivacyforum.org.
I. MultiStakeholder Process
The World Privacy Forum worked with leading privacy and consumer advocacy organizations to develop Civil Society Principles for the MultiStakeholder Process (MSP). These principles are included in an appendix to these comments, along with the names of the organizations that cosigned them. WPF has also filed the Civil Society MultiStakeholder Principles as a separate document with the Department. The principles represent the views of multiple Civil Society organizations. Other views expressed in these comments come only from the World Privacy Forum.
The goals of the Civil Society Principles are to assure that any MSP would be representative of all stakeholders and would operate under procedures that are fair, transparent, and credible.
Civil Society organizations are concerned that the MSP might be organized in a manner that would disadvantage consumer, privacy, and other groups. We highlight several of the ten principles here to emphasize some of our concerns.
Principle 1 states in part that only consumer representatives can determine who speaks for consumers. It would be inappropriate for NTIA, the Department, any other government agency, or any private sector entity to determine who represents consumers and which consumer groups can participate in the MSP on behalf of consumers. While it remains to be determined how any interest groups on any side would be identified and select their representatives, consumers can, will, and must make their own choices.
Principle 2 states in part that the MSP must, to the greatest extent practicable, occur in the open with public sessions and public documents. Transparency benefits all participants and assures the public at large that the process is fair and credible.
Principle 8 states in part that in person meetings may only be scheduled if adequate resources are made available to facilitate in person participation by civil society. Consumer groups have watched industry standards organizations operate in a manner that requires participants to travel long distances to meetings held in expensive hotels. The effect is to make it practically and fiscally impossible for many or most civil society groups to participate in standards activities that affect privacy and consumer interests. Only well-funded corporations are typically able to pay the price of participation. Principle 8 is intended to assure that the playing field for MSP is level and that all who choose to participate will have equal say and equal presence. If there is no funding for interested civil society organizations to travel to meetings, then meetings should be held electronically so that all can participate equally.
The WPF believes that these and the other principles are responsive to the request for comment on implementation of MSP. These principles were developed before the White Paper was released, and we have additional thoughts about the process.
First, while the Department asked for ideas for topics – and we suggest some later in these comments – we believe there are a number of process issues that need to be discussed first, at the beginning of the process. Process is crucial because if the process is not agreed to by all in advance, there is no hope of agreement on the substance. We need to know how MSP will operate, who will participate, what the procedural rules will be, and if MSP activities will overlap. From the perspective of the WPF, it will extremely difficult to participate in more than one MSP. We suggest that one and only one MSP happen at the same time, and that a second MSP not begin until the first has concluded.
Second, we appreciate that the Department has proposed a Consumer Privacy Bill of Rights. However, whether that is the proper background for MSP is something for MSP participants to decide. We would prefer to begin with the classic statement of Fair Information Practices from the OECD. Other stakeholders may prefer different starting points. The MSP will not work if Commerce Department decides on the starting policy framework.
Third, the White Paper proposes legislation as an important element of the Administration’s approach to privacy. We think that it is important for the Department to draft and circulate its legislative proposal ideally before the MSP begins. The Department’s legislative proposal will help us evaluate MSP activity with the legislative background that the Administration seeks.
Fourth, we want to highlight the importance of privacy-specific groups in this process. The MultiStakeholder Process is focused on privacy concerns. Privacy groups have a different focus and expertise than consumer groups or civil liberties groups. We believe it is essential for privacy-focused groups to be distinctly and robustly represented in the MultiStakeholder Process.
From the request for comments:
NTIA expects that a company’ s public commitment to follow a code of conduct will be legally enforceable, provided the company is subject to the Federal Trade Commission’ s jurisdiction.
WPF understands the construction of this mode of enforcement. However, we also understand that practically speaking, the expectation of FTC enforcement is very challenging for a number of reasons, some of which are tied to budgetary and staff constraints. We also observe that the Commission has no authority over many record keepers in the United States. It has limited or no authority to enforce codes of conduct against agencies of the federal government, agencies of state and local governments, most non-profit organizations, and many commercial entities engaged in transportation, insurance, banking and telecommunications common carriage. There are many gaps in the Commission’s jurisdiction through no fault of its own.
Further, while the Commission may have this authority in theory for those parts of the economy within its jurisdiction, the Commission has no capability of carrying out enforcement of the multiple codes of conduct covering hundreds or thousands of companies that the Department envisions. We have existing privacy codes of conduct, yet Commission actions enforcing those codes are infrequent. In the past, companies have repeatedly joined existing privacy codes and left them without action or comment by the Commission. Entire privacy self-regulatory programs have arisen and dissolved without action or comment by the Commission.
Tying the MultiStakeholder Process solely to FTC enforcement is theoretically possible, but we see that the role of the FTC would need to be enhanced through legislation. There may be additional enforcement mechanisms to consider, and we would encourage the MSP to look at this issue for new possibilities. For example, any new privacy codes may need to provide for their own independent enforcement and allow mechanisms that will allow data subjects to use their own enforcement measures. We would prefer, of course, private rights of action, but we recognize that they will not be a product of any MSP. Providing consumers with other enforcement mechanisms (including crowd-sourced enforcement) will be necessary.
III. Subject Matter Priorities
WPF does have some priorities for MSP including privacy rules for data brokers. mobile privacy apps, cloud computing, time limits for retention of data by search engines, use of facial recognition in public spaces, as well as commercially held personal health information, and do- not-track rules for Internet advertisers. Any of these areas have the potential to provide useful privacy protections to consumers and to let business know what they can and cannot do. For each area, there is plenty of room in the middle where agreement should be possible.
Overall, one of the great difficulties in approaching any topic is the temptation to implement only a portion of the OECD Fair Information Practices or the Department’s Consumers Privacy Bill of Rights in the process of addressing it. In our list of suggested topics below, we can already see that this is an issue even in our approach. We note this, and want to clarify that our suggestions here are focused on a first phase of the MultiStakeholder Process only.
A pressing issue for the Department to address in practical terms is how to make the MultiStakeholder Process comprehensive for each topic chosen. For example, focusing on disclosures to consumers in a process focused on mobile apps would in practical terms provide for application of only one aspect of the Bill of Rights to this topic. WPF understands deeply that the conversation must be focused and narrowed. But narrowing a topic by implementing only one aspect of the Consumer Privacy Bill of Rights to a topic is not ultimately the right answer. We urge the Department to plan ahead for this issue, as it is highly likely to arise.
We recognize the desire to show an early success for the MultiStakeholder Process, but that early success must be comprehensive in vision. We believe the Department can plan ahead for a thorough implementation of the Bill of Rights for each topic. Even if the plan takes time to implement, that is fine. But a plan to implement the full Bill of Rights for each topic is important, and will provide a critical baseline of how the Department is going to approach the entire MultiStakeholder Process. We urge the Department to tie the shoelaces of each topic thoroughly, as this is an important opportunity to reach agreement on privacy in this topic areas.
A. Mobile App Privacy
Mobile app privacy is an important privacy issue where little disclosure to consumers is occurring, and is a worthy topic. However, there are a number of challenges inherent in approaching this topic. First, the number of potential stakeholders is quite large. For this reason, we recommend that any mobile privacy topic focus on influential mobile app aggregators, such as iTunes, Amazon, and other large app portals and what these large providers can do to create more muscular disclosure and protections in the mobile app arena.
Which leads us to the second challenge of mobile app privacy. The Department’s request for comment gives considerable attention to transparency, and suggests that it might be good to facilitate the implementation of the transparency principle in the privacy notices for mobile device applications. We support transparency whole-heartedly. However, we are also concerned about addressing privacy principles one at a time. This, while well-intended, could lead to problematic outcomes in the long term. WPF encourages the Department to consider how it might create a plan to address, in a deliberate sequence or manner, all of the aspects of the Consumer Bill of Rights for this topic, even if the MultiStakeholder Process begins with a focus on Transparency.
B. Time Limits for Data Retention by Search Engines
While this is not a flashy topic, this topic has the advantage of being important, having substantial impact, and allowing for focused discussion. There are already certain baselines of general agreement in this area, and a functionally more discrete set of discussants.
C. Data Broker Opt-Out Site
In our 2011 comments to the FTC regarding its privacy report, we urged the Commission to create a central website to facilitate consumer opt-outs from commercial data brokers. The FTC picked this suggestion up and discussed it in its Feb. 2012 privacy report. We believe that this envisioned data broker consumer opt-out site (and data broker opt-outs generally) would be an excellent topic for the MultiStakeholder Process. We reiterate that WPF encourages the Department to consider how it might create a plan to address all of the aspects of the Consumer Bill of Rights for this topic, even if the MultiStakeholder Process begins with a focus on one or two principles.
D. Cloud Computing Standards
WPF published a report on issues for consumers, business and government in cloud computing, Privacy in the Clouds (Robert Gellman, Privacy in the Clouds, http://www.www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf). In this report we highlighted numerous issues. One particular issue, we think, lends itself to a MultiStakeholder Process.
The cloud computing industry could establish standards that would help users to analyze the difference between cloud providers and to assess the risks that users face. The cloud computing industry could be doing a lot more to explain its services. One approach may be to group cloud services into types or categories based on levels of protections. For example, there might be two basic classes of cloud providers. One class of provider would promise never to use or disclose information. It might employ mandatory or optional encryption that prevents the provider from examining content of user information. In addition, the same class of provider might make stronger and more permanent commitments about not making substantive changes in the terms of service that would affect a user’s privacy or confidentiality interests. Strong security obligations might also be a part of the package of obligations. Commitments made by “class one” providers could be subject to independent audit and certification. The second class of cloud provider might make no or fewer promises regarding the content of user information and might retain a broader ability to change the terms of service. Of course, there may be a need for additional classes of cloud providers to meet different needs. Helping users find the appropriate level of protection will be important.
Users in this case can be businesses or consumers.
E. Facial Recognition and Detection
The World Privacy Forum has written a report called the One Way Mirror Society (http://www.www.worldprivacyforum.org/pdf/onewaymirrorsocietyfs.pdf) in which we describe various forms of digital signage and how facial detection and in some cases recognition technologies are being used to track consumers in retail and other public and some private settings. One aspect of this topic, that of signage interacting visually and with users’ mobile devices, would work well in a MSP. This issue is becoming increasingly important. Currently, consumers with mobile devices who are tracked by their mobile device’s MAC address and/or geolocation through retail or other environments with corresponding facial detection or recognition technologies are typically not told about this tracking. Also typically, these companies do not allow for opt-outs. There are some exceptions to this, but generally speaking, this is an area where consumers have almost no disclosures and highly limited rights.
F. Commercially-held Personal Health Information
Health-related information about consumers that is either disclosed by the consumer or is held by a non-covered entity is unregulated information under HIPAA. Many instances of this exist at this point. We are focused here on non-HIPAA covered consumer health information flowing through either health-related mobile apps, or information about consumers that is being compiled and shared from social networking sites. This is potentially sensitive information that is entirely unregulated, and often consumers have no disclosure of what is being done with their information, and few if any subsequent rights to delete or curtail the use of that information after the fact. This is a challenging area to tackle, but a good outcome would yield a potentially high positive impact.
G. Do Not Track
While we support do-not-track rules for Internet advertisers (and perhaps others), we support the work of the ongoing Worldwide Web Consortium Tracking Protection Group and want to ensure nothing undermines the W3C process. As such, we assign do-not-track the lowest possible priority for MSP.
Thank you for the opportunity to comment on the plans for a MultiStakeholder Process. The World Privacy Forum looks forward to participating in this process.
World Privacy Forum
Appendix: Civil Society Principles
Principles for Multi-Stakeholder Process
February 23, 2012
Civil society groups believe that protecting the online privacy of consumers is crucial to ensuring the availability, utility, and vitality of the Internet. For any approach to privacy to be meaningful, it must reflect fair information practices, including mechanisms to assure accountability. The US Department of Commerce is proposing a multi-stakeholder process for developing better applications of privacy principles. For the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible.
We believe the following baseline principles will provide the multi-stakeholder process the legitimacy it needs to succeed.
1. No multi-stakeholder process can succeed unless consumer representation is robust and reasonably balanced. Only consumer representatives can determine who speaks for consumers.
2. To the greatest extent practicable, the multi-stakeholder process should occur in the open with public sessions and public documents. All substantial decisions must be made in open sessions.
3. Any stakeholder may submit proposals and those proposals must be addressed and resolved within the consensus process.
4. Participants, but not necessarily observers, must specifically identify their employer and/or the group, industry, or organization whose interest they represent.
5. There must be a fair opportunity for public engagement at all levels of the stakeholder process. Stakeholders must be allowed to communicate with members of their communities about the multi-stakeholder process in any way that the stakeholders see fit, including use of electronic processes such as web sites, social media, and other methods.
6. The formal publication of any consensus document or decision must include dissenting views and statements.
7. Decisions must be based on a fair and broad consensus among stakeholders rather than a majority vote by participants. The process should seek to resolve issues through open discussion, balance, mutual respect for different interests, and consensus.
8. A multi-stakeholder process needs to be fully informed by stakeholders from civil society. As such, in person meetings may only be scheduled if adequate resources are made available to facilitate in person participation by civil society. Otherwise, meetings may only be conducted electronically to facilitate equal participation by all stakeholders. Meeting locations must be chosen with robust input from civil society stakeholders.
9. All stakeholders must receive a copy of a draft document at least ten days prior to consideration or presentation of the document at any level of the stakeholder process.
10. At the end of 12 months or at any other time, civil society participants may decide to reevaluate the multi-stakeholder process and make recommendations for changes in rules, procedures, or process.
World Privacy Forum
American Civil Liberties Union
Center for Digital Democracy
Consumer Federation of America
Electronic Frontier Foundation
National Consumers’ League
Privacy Rights Clearinghouse
Publication date: February 23, 2012
Authors: Signatory organizations