New privacy bill makes your location, sex habits "sensitive info"

[Richard Forno <rforno () infowarrior org>]

New privacy bill makes your location, sex habits "sensitive info"

By Nate Anderson | Last updated 39 minutes ago

http://arstechnica.com/tech-policy/news/2010/05/religion-sex-money-location-bill-makes-them-sensitive-info.ars
       
Major Internet privacy legislation was unveiled today (PDF) by Rep. Rick Boucher (D-VA) and Rep. Cliff Stearns (R-FL). 
Under the bill, companies would be forbidden from using your cell phone's geolocation information without your consent, 
and the same goes for information on your race, religious beliefs, or sexual orientation. For most other information, a 
simple opt-out will keep that data—even data already collected—from being used.

Boucher chairs the House Subcommittee on Communications, Technology, and the Internet, and he has dealt with Internet 
issues for years (he was a driving force behind the doomed attempt to patch the worst parts of the DMCA, as well); 
Stearns is the ranking member on the committee. The two today released a "discussion draft" of their new privacy 
legislation in order to gauge Congressional and public opinion on its ideas.

Covered and sensitive

The bill isn't particularly long, and compared to laws in other countries, it's not particularly strict. But it does 
provide a decent privacy baseline in the US, providing limited protection for "covered information" and much tougher 
protection for "sensitive information."

The bill makes a key distinction between the two kinds of data: covered information collection is "opt-out," while 
sensitive information collection would become "opt-in" only.

According to the bill, covered information includes:

        • The first name or initial and last name
        • A postal address
        • A telephone or fax number
        • An e-mail address
        • Unique biometric data, including a fingerprint or retina scan
        • A Social Security number, tax identification number, passport number, driver's license number, or any other 
government-issued identification number
        • A financial account number, or credit or debit card number, and any required security code, access code, or 
password that is necessary to permit access to an individual’s financial account
        • Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet 
Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information 
about a specific individual or a computer
Companies and websites that disclose their data collection practices can harvest this data on the assumption that, by 
using the site, one has agreed to such collection. But they are required to provide an opt-out option that would stop 
all such data collection and prevent the company from using even previously acquired data.

Sensitive information can't even be collected and stored in the first place without an explicit opt-in assent. The bill 
defines sensitive information as:

        • Medical records, including medical history, mental or physical condition, or medical treatment or diagnosis 
by a health care professional
        • Race or ethnicity
        • Religious beliefs
        • Sexual orientation
        • Financial records and other financial information associated with a financial account, including balances and 
other financial information
        • Precise geolocation information
When it comes to that last one, the bill states that "a user’s express opt-in consent to an application provider that 
relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection."

Aggregate and anonymous information can be collected without any privacy policy at all.

Salvation or devastation?

The draft bill has only been out for a few hours, and its opponents are already issuing a call to arms. The Progress & 
Freedom Foundation warns that "policymakers could unintentionally devastate the 'free' Internet as we know it. Because 
the Digital Economy is fueled by advertising and data collection, a 'privacy industrial policy' for the Internet would 
diminish consumer choice in ad-supported content and services, raise prices, quash digital innovation, and hurt online 
speech platforms enjoyed by Internet users worldwide."

Groups like the Center for Democracy & Technology have a different take. "It has been almost a decade since Congress 
last considered consumer privacy legislation," said CDT President Leslie Harris. "Since that time, commercial 
collection and use of consumer information both online and off has increased exponentially. Consumers deserve 
comprehensive privacy protection. Today’s release of the staff discussion draft of the Boucher-Stearns consumer privacy 
bill is the first step to achieving this important goal."

As for Boucher, he sees the bill as ultimately pro-business. "Our goal is to encourage greater levels of electronic 
commerce by providing to Internet users the assurance that their experience online will be more secure," he said in a 
statement. "That greater sense of privacy protection will be particularly important in encouraging the trend toward 
cloud computing.

"Online advertising supports much of the commercial content, applications and services that are available on the 
Internet today without charge, and this legislation will not disrupt this well established and successful business 
model. It simply extends to consumers important baseline privacy protections."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php