Confidentiality of Online Data
Confidentiality of Online Data refers to a set of rules, often included in a contractual agreement, concerning information online. It is used to govern the sharing, exchange, and disclosure of information. Confidentiality, integrity, and authenticity are the three major components of information security[1][2] that help regulate policy decisions. Because technology is used daily and integrated into almost every aspect of life, there are many concerns surrounding how corporations or institutions use or secure an individual’s personal data. As technology becomes more prevalent, these data privacy issues occur more frequently. In response, new legislation has been introduced to protect personal information online. The ethical issues of the confidentiality of information shared online include ownership of data and breaches of privacy.
Overview
Confidentiality has traditionally been applied in the medical, defense, and legal fields. However, as the internet evolved, it integrated itself into governmental organizations. Online, confidentiality applies to the privacy of information shared, produced, or consumed as it travels between two or more entities. As the internet’s role as a platform for interaction continues to grow, confidentiality has gained greater importance in protecting web users’ personal data. When confidentiality is not upheld, the source of the information can be subjected to scrutiny and criticism.
Background
Historically, policies and laws regarding confidentiality have been viewed through the lens of client interactions, primarily in the field of medicine. Medical consultation requires the divulgence of private and sensitive information to external parties. Therefore, it is critical that a reliable framework of rules and legal procedures exists to protect this information. This concept was later adopted by the legal system in the form of attorney-client privilege[3] for similar reasons.
The internet has established itself as one of the primary platforms of 21st-century interaction. It has replaced traditional physical interactions in many cases and has created novel virtual ones. Interactions on such platforms have required the adoption of guidelines for confidentiality.
Philosophy
Confidentiality is fundamentally supported by philosophy and ethical theory. There is friction between the philosophical arguments underpinning confidentiality and the ethical framework applied to confidentiality in practice.
Traditionally, confidentiality has been argued for in the vein of deontological ethics[4], in which the morality of an action is judged based on the intrinsic nature of the action itself, as opposed to the consequences of that action. Philosophers from the time of Plato have argued that the right to privacy is one such intrinsically virtuous principle, so any action to conserve this principle is in itself virtuous. In history, this has mostly been the guiding principle of ethics[5], thought, and policy regarding confidentiality and, more broadly, privacy. However, in practice, this is not always the case. There are many situations in which the state or other authorities have the power to break confidentiality agreements to further utilitarian benefits. This historical debate over the ethics of confidentiality has been extended to the internet in unforeseen ways.
Legal Cases
A few important cases related to confidentiality have been prominent in recent years. Due to the growth of technology and its widespread use by many people, it has become a targeted source of information. Because of this, there have been known breaches of privacy and confidentiality that have either received a large amount of media coverage or have gone to court and received a judge's verdict.
Equifax Data Breaches
In 2017, Equifax, a data analytics company primarily in the credit risk assessment industry, had a data breach that "exposed the sensitive personal information of 143 million Americans,"[6] including social security numbers, dates of birth, credit card information, and more.[7] The number continued to grow through March 2018, with approximately 148 million people affected.
The initial breach went completely undetected for about 2.5 months, which had to do with Equifax's failure to inspect its network data; that inspection had not worked for 10 months before this was noticed. The database contained unencrypted credentials, which attackers used to access other databases and the information in them. CEO Richard Smith blamed one employee for the breach, stating that they failed to update one server's software.[7] About a year later, Consumer Reports (which acts independently in favor of consumer protections) noted that Equifax suffered minimal consequences while Americans remain uninformed about practices in the credit reporting industry.[8]
Apple vs. FBI
In December 2015, the terrorist attacks in San Bernardino, California re-invigorated the conversation about data confidentiality. In 2016-2017, Apple received and challenged more than ten court orders from the United States District Court for the Central District of California[9] to assist in decrypting the work phones of the perpetrators of the attacks as well as creating a backdoor to Apple's operating system to aid in future investigations[10]. However, Apple argued that creating such a backdoor would be an unconstitutional violation of customers' privacy and confidentiality and would set a dangerous precedent for future cases. CNBC reports[11] that the FBI dropped the case as they had successfully found a third party to assist with the decryption. Moreover, Apple released a statement that they will continue assisting FBI investigations as they have done while continuing to strengthen their security of users’ data.
Facebook and Cambridge Analytica
Main Article: Cambridge Analytica
In early 2018, it was revealed that the data brokering company Cambridge Analytica mined millions of personal Facebook profiles without the users' consent, potentially violating confidentiality and privacy agreements for their own use. Facebook has confirmed that the dataset contained more than 80 million users’ profiles. However, the legalities of said violation are still being worked on. The information is proprietary data to Facebook according to their data policy.[12] CNN[13] claims Facebook has violated agreements with the United Kingdom’s Information Commissions Officer under Britain’s data protection laws. Furthermore, this revelation proved to be a watershed moment in the public’s view of data privacy on the internet, sparking conversations regarding the ethics of data privacy and confidentiality. Since March of 2018, when the news of Cambridge Analytica’s dealings and practices was exposed, there has been a drastic increase in mentions of online data privacy and security, questions surrounding such ethics, and how our personal data is being accessed and used to influence our behaviors and actions.
Phone Carriers
In 2018, four of the largest U.S. cell carriers were caught sending and selling their customers' real-time location data to other companies.[14] This information was easily retrieved within seconds. Verizon, T-Mobile, AT&T, and Sprint sold their customers' private information to a company known as LocationSmart. LocationSmart would use the data to track down phone owners without their permission and leak the data. Essentially, they violated the phone owners' confidentiality and their promise to protect customer data. Breaking this confidentiality compromised phone owners' privacy and anonymity along with their location. After being exposed, they promised to stop sharing customer data. It is evident that they have not upheld this promise, as user location data is still being sold. Motherboard, Vice's website, is continuing to investigate this breach of confidentiality.
Laws and Enforcement
There is no national data privacy/protection legislation, policy, or agency in the U.S. that has jurisdiction over all types of personally identifiable, confidential online information. The existing infrastructure of U.S. data privacy/protection is a patchwork of state and federal laws and regulations, in which certain types of data are regulated by different agencies in different sectors, which creates overlapping and contradictory protections.
Federal Laws
At the federal level, laws that regulate certain types of online information are:
- The Health Insurance Portability and Accountability Act protects all healthcare related information and data.
- The Children’s Online Privacy Protection Act protects online data for children under the age of 13. [15]
- The Gramm Leach Bliley Act protects financial information in the hands of banks, insurance companies, and financial services.
- The Fair and Accurate Credit Transactions Act restricts the use and disclosure of consumer credit information, and requires financial institutions that hold credit information to implement proper cybersecurity measures against identity theft.
- The Telephone Consumer Protection Act protects the content and information regarding mobile phone calls and text messages. [16]
Additionally, various laws regulate and empower the federal government to perform surveillance regarding online data:
- The Electronic Communications Privacy Act restricts the interception of transmitted communications, and its Title II Stored Communications Act regulates access of stored communications.
- Federal prosecutors can seize data under statutes in the ECPA and the SCA. Both Acts refer to any communications via email, telephone, and data stored electronically, along with its associated metadata. The law allows prosecutors to obtain a FISA warrant for data stored less than 180 days, or subpoena data that has been stored for more time. [17]
- The Patriot Act expands the government's surveillance mechanisms by including email content, pen registers, and IP addresses. It enabled expanded search warrant use, delayed notifications, and increased subscriber records. [18]
- The CLOUD Act allows federal law enforcement to request access to data in foreign countries, under international agreements which lift restrictions on compliance and jurisdictional barriers. It also creates a process for companies to challenge data requests if they create “material risks” to the nations in which the data resides. [19]
- Currently, Microsoft is suing the DOJ over issuing a warrant for cloud data, part of which was stored in Ireland, and gagging the company from notifying customers regarding the data seizure. The enactment of the CLOUD Act provided a legal basis for prosecutors to seize foreign-stored data, but Microsoft is still fighting the SCA’s establishment of issuing gag orders to bar notifying users. [20]
State Laws
California passed its own comprehensive data protection law, which is seen by some as one of the most thorough in the country. The law gives consumers the right to know what information companies have on them, why they have it, how they are using it, and with which third parties they are sharing the data. Consumers are given the right to have companies delete data, and to opt out of data sharing. Other states may adopt a similar model to adhere to California’s new standard. While it is not as comprehensive as the GDPR standard and does not apply to as large a jurisdiction, it is still a new baseline for data protection in the U.S. [21]
Federal Enforcement
The U.S. has no broad national data protection law or federal agency that has jurisdiction over privacy and protection. The FTC oversees all areas of consumer protection, and prohibits “unfair or deceptive practices” that apply to offline and online privacy and data privacy. [22] It is the primary U.S. agency for enforcing consumer data privacy, and has taken on the role by investigating and fining various data controller platforms for misuse of consumer data and for compromising consumer privacy. The FTC has prosecuted over 500 enforcement actions protecting the privacy of consumer information. [23] One of its most notable actions was in 2011, when the FTC entered a consent decree agreement with Facebook to implement better data security policies regarding its data-sharing activity with third-party applications and digital advertisers. The FTC is also the current federal agency that is investigating data misuse with Facebook and Cambridge Analytica.
The FTC is sometimes at jurisdictional odds with the Federal Communications Commission (FCC), which regulates traditional telecommunications policy. Under current telecom laws, the FCC regulates information on who we call, who calls us, how often we call, the duration of the call, and where the call takes place. Many new types of correspondence are replacing traditional telecommunications plans, such as voice over Internet Protocol technologies like WhatsApp, Google Call, or FaceTime, which perform similar functions to traditional telephone plans but are governed by different broadband rules. [24] Streaming services, search engines, social networking sites, e-commerce sites, and user-generated mediated sites can also perform similar functions, but would fall under the FTC's jurisdiction since they do not perform traditional telecom functions. The FTC has limited rulemaking capabilities in contrast to the FCC, due to existing consumer protection laws. [25] Current data regulations do not focus on the sensitivity of the data across all platforms, but rather on the individual sectoral actors who collect the data.
Ethics
Because of the high volume of people using the internet, it mainly deals with proprietary data. This consists of users’ private information, companies’ website usage information, and specific Internet Service Providers' web traffic. Every aspect of the information on the internet is owned by some entity. The discrepancy between who owns the documentation of these interactions and the parties involved in the interactions is the root of the evolving debate about informational ethics online.
Data Ownership
Property ownership has consistently been a topic of many debates. People argue that, from copyright laws to intellectual property violations, ownership policies and laws are in constant need of revision. This is true in regard to online data ownership.[26] Data can include photos, videos, and text messages uploaded by a user; users' usage statistics; websites that users visited; and users' transactional information. Digital property gets tricky, as data is shared at a rapid pace and can be in the possession of many people at once. This makes the original owner of data much harder to track down and credit than the owner of physical property. Private companies that provide platforms for users on the internet have the right to dictate their own policies in regard to the ownership of this data. New conversations regarding the ethics of data ownership policies are drawing more attention as policies that better preserve users' interests are being formed and improved, such as the GDPR policy introduced in Europe[27]. Implemented on May 25, 2018, GDPR is a regulation that provides data protection and privacy for all individuals in the European Union. Its goal is to provide individuals with control over their personal data. Also, the European Union is in control of these regulations.
Breaches of Confidentiality
Doxxing
Main Article: Doxxing
Doxxing is defined as releasing a person's, group's, or organization's information online in a public environment without the consent of the individual or group. The goal of doxxing is to slander or ruin the reputation of the victim.[28] Doxxing removes the confidentiality of online data by sharing pictures of what is shown on private social media accounts and private messages. Some of this information, such as an email address, home address, work address, or phone number, may place a victim's life in danger.
Expungement
Because of social media, mass media, and the increased interest in them, expungement has sparked a debate that revolves around online data confidentiality. Laws on expungement differ from state to state; some states, for example, allow former criminals the option to apply for expungement 5 years after an encounter with the law. While the time frame for applicability varies, implementation can be slow and it can take years for full expungement. Expungement is granted to relatively few applicants each year, and when they are accepted it usually takes a very long time, more than five years. It has proven difficult to fully remove the records from the internet due to the slow development of data brokers. Data brokers scrape the internet for records on individuals, storing that data and allowing companies and individuals to view the backgrounds of whomever they desire. Often, these data-broking sites pull data on an individual once and fail to update individual records for years[29]. An individual with a first-time minor offense can have their opportunities limited because criminal background searches draw on outdated data-broker records[29]. This is concerning, as there can be as much as a 20% increase in employability post-expungement as compared to pre-expungement[30]. In certain cases it is possible to remove oneself from Google searches, and from data brokers, online (called delinking). As Luciano Floridi describes, it is possible to remove oneself from Google within several European nations, but as Floridi argues, it should occur solely within national boundaries, not across international borders[31]. Floridi argues that those searching for an individual through Google are almost always searching from within the same nation[31], as is the case in the U.S. with employers looking at criminal records of almost exclusively U.S. citizens.
Justified Legal Breach
Medical guidelines state that medical professionals have the right to breach confidentiality when disclosing evidence of attempted or future serious self-harm, the harm of others, physical or mental abuse or neglect, or violation of certain other laws.[32] However, these guidelines do not exist for governing confidentiality of information online. Private companies can create their own policies regarding data privacy and confidentiality, so these typically differ from one another. For example, Facebook's privacy policy[33] indicates that they maintain the right to sell the data collected on their users, as opposed to Apple's privacy policy[34], which does not. Interestingly, in America, all private companies are legally obligated to share information with authorities if a warrant or adequate criteria is presented.
Violation of Confidentiality
A legally unjustified violation of confidentiality can take place when a contract, agreement, or policy is violated by either party in cases of non-extenuating circumstances. The penalty for such a violation can differ in intensity depending on the specific consequences and circumstances. Organizations such as the FTC[35] play a major role in safeguarding customers against data breaches, in the form of implementing policies, enforcing privacy and confidentiality laws, and public education.
Ethics of breaches
Besides the legal aspect of maintaining the confidentiality of data, there are ethical and moral considerations as well. Regardless of the fact that users generate data on the internet that serves as proprietary data for various platform and service providers, there is a tacit agreement to uphold the privacy of their users. As the internet continues to evolve, many of the traditional ethical frameworks have failed to keep up with the public’s changing interaction with information. However, philosophers and policy makers are beginning to reconsider the ethical ramifications of such ownership of information given the evolving role the internet plays in people’s lives. A study[36] by MIT reveals that the average American spends around 23 hours on the internet per week. In his book Ethics of Information[37], ethicist and philosopher Luciano Floridi[37] argues for a re-utilization of the infosphere that we exist within and for rethinking the policies and laws surrounding information.
References
- [1] “Information Security.” Wikipedia, Wikimedia Foundation, 7 Apr. 2019, en.wikipedia.org/wiki/Information_security.
- [2] “Confidentiality, Integrity, and Availability.” MDN Web Docs, developer.mozilla.org/en-US/docs/Web/Security/Information_Security_Basics/Confidentiality,_Integrity,_and_Availability.
- [3] Busby, John C. “Attorney-Client Privilege.” Legal Information Institute, Legal Information Institute, 15 Oct. 2018, www.law.cornell.edu/wex/attorney-client_privilege.
- [4] Alexander, Larry, and Michael Moore. “Deontological Ethics.” Stanford Encyclopedia of Philosophy, Stanford University, 17 Oct. 2016, plato.stanford.edu/entries/ethics-deontological/.
- [5] Mandal, Jharna, et al. “Utilitarian and Deontological Ethics in Medicine.” Tropical Parasitology, Medknow Publications & Media Pvt Ltd, 2016, www.ncbi.nlm.nih.gov/pmc/articles/PMC4778182/.
- [6] “The Equifax Data Breach.” Federal Trade Commission, 18 June 2018, www.ftc.gov/equifax-data-breach.
- [7] Fleishman, Glenn. “Equifax Data Breach, One Year Later: Obvious Errors and No Real Changes, New Report Says.” Fortune, 8 Sept. 2018, fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/.
- [8] Union, Consumers. “Don't Let Equifax Put Americans At Risk Again.” Consumer Reports, www.consumerreports.org/data-theft/dont-let-equifax-crisis-go-to-waste-equifax-data-breach/.
- [9] “Central District of California.” Central District of California | United States District Court, www.cacd.uscourts.gov/.
- [10] Moser, Robert, and Patrick McDonald. “The FBI & Apple Security vs. Privacy.” Ethics Unwrapped, ethicsunwrapped.utexas.edu/case-study/fbi-apple-security-vs-privacy#additional-resources.
- [11] Kharpal, Arjun. “Apple vs FBI: All You Need to Know.” CNBC, CNBC, 29 Mar. 2016, www.cnbc.com/2016/03/29/apple-vs-fbi-all-you-need-to-know.html.
- [12] “Data Policy.” Facebook, www.facebook.com/policy.php.
- [13] “Cambridge Analytica Scandal: Facebook Broke the Law and Faces Maximum Fine, UK Watchdog Says.” CNNMoney, Cable News Network, money.cnn.com/2018/07/10/technology/facebook-britain-ico-cambridge-analytica-fine/index.html.
- [14] Wittaker, Zack. “Despite Promises to Stop, US Cell Carriers Are Still Selling Your Real-Time Phone Location Data.” Techcrunch, Jan. 2019. https://techcrunch.com/2019/01/09/us-cell-carriers-still-selling-your-location-data/
- [15] O’Connor, Nuala. “Reforming the U.S. Approach to Data Protection and Privacy,” Council on Foreign Relations, 1/30/18, https://www.cfr.org/report/reforming-us-approach-data-protection
- [16] Thoren-Penden, Deborah; Meyer, Catherine. “USA: Data Protection 2018,” International Comparative Legal Guides, Pillsbury Whitman Shaw Pittman LLP, 12/6/18, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
- [17] “Electronic Communications Privacy Act of 1986 (ECPA),” Department of Justice Information Sharing, https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
- [18] Solove, Daniel. “A Brief History of Information Privacy Law,” George Washington University Law School, 2006, https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2076&context=faculty_publication
- [19] Loeb, Robert. “The CLOUD Act, Explained,” 4/6/18, Orrick. https://www.orrick.com/Insights/2018/04/The-CLOUD-Act-Explained
- [20] Lazzarotti, Joseph; Atrakchi, Maya. “The U.S. Supreme Court Dismisses U.S. v. Microsoft Following Passage of the CLOUD Act,” 4/20/18, Jackson Lewis. https://www.workplaceprivacyreport.com/2018/04/articles/big-data/the-u-s-supreme-court-dismisses-u-s-v-microsoft-following-passage-of-the-cloud-act/#page=1
- [21] Wakabayashi, Daisuke. “California Passes Sweeping Law to Protect Online Privacy,” 6/28/18, New York Times, https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html1
- [22] Kahn, Jeremy; Bodoni, Stephanie; Nicola, Stefan. “It’ll Cost Billions for Companies to Comply With Europe’s New Data Law,” Bloomberg Business, 3/22/18. https://www.bloomberg.com/news/articles/2018-03-22/it-ll-cost-billions-for-companies-to-comply-with-europe-s-new-data-law
- [23] “Privacy & Data Security Update: 2017,” FTC, January-December 2017, https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf
- [24] “Protecting Customer Proprietary Network Information in the Internet Age,” House Energy & Commerce Subcommittee on Communication and Technology, 7/11/18. https://energycommerce.house.gov/hearings/protecting-customer-proprietary-network-information-in-the-internet-age/
- [25] O’Connor, Nuala. “Reforming the U.S. Approach to Data Protection and Privacy,” Council on Foreign Relations, 1/30/18, https://www.cfr.org/report/reforming-us-approach-data-protection
- [26] Tisne, Martin. “It's Time for a Bill of Data Rights.” MIT Technology Review, MIT Technology Review, 18 Dec. 2018, www.technologyreview.com/s/612588/its-time-for-a-bill-of-data-rights/.
- [27] “The EU General Data Protection Regulation (GDPR) Is the Most Important Change in Data Privacy Regulation in 20 Years.” EUGDPR Home Comments, eugdpr.org/.
- [28] Douglas, David M. Doxing: A Conceptual Analysis, vol. 18, no. 3, pp. 199–210. https://link.springer.com/article/10.1007/s10676-016-9406-0#Sec2
- [29] Wayne, Logan Danielle. “THE DATA-BROKER THREAT: PROPOSING FEDERAL LEGISLATION TO PROTECT POST-EXPUNGEMENT PRIVACY.”
- [30] J.J., and Sonja B. Starr. “The Case for Expunging Criminal Records.” The New York Times, 20 Mar. 2019.
- [31] Floridi, Luciano. “Should You Have The Right To Be Forgotten On Google? Nationally, Yes. Globally, No.” New Perspectives Quarterly, vol. 32, no. 2, 2015, pp. 24–29., doi:10.1111/npqu.11510.
- [32] Blightman, and Griffiths. “Patient Confidentiality: When Can a Breach Be Justified?” OUP Academic, Oxford University Press, 28 Aug. 2013, academic.oup.com/bjaed/article/14/2/52/271401.
- [33] “Data Policy.” Facebook, www.facebook.com/policy.php.
- [34] “Legal - Privacy Policy - Apple.” Apple Legal, www.apple.com/legal/privacy/en-ww/.
- [35] “Federal Trade Commission.” Federal Trade Commission, 9 Apr. 2019, www.ftc.gov/.
- [36] Condliffe, Jamie. “The Average American Spends 24 Hours a Week Online.” MIT Technology Review, MIT Technology Review, 23 Jan. 2018, www.technologyreview.com/the-download/610045/the-average-american-spends-24-hours-a-week-online/.
- [37] “Main Menu.” Luciano Floridi | Philosophy of Information, www.philosophyofinformation.net/books/the-ethics-of-information/.