Interesting People mailing list archives

IP: Data Protection and Privacy on the Internet


From: Dave Farber <farber () central cis upenn edu>
Date: Sat, 28 Sep 1996 18:28:37 -0400

Date: Wed, 11 Sep 1996 17:23:04 -0700
From: Berliner Datenschutzbeauftragter <dsb () datenschutz-berlin de>
Subject: Report on Privacy on the Internet


The International Working Group on Data Protection in
Telecommunications is currently working on Data Protection
and Privacy on the Internet.


The Group was founded in 1983 and has been initiated by
Data Protection Commissioners from different countries
in order to improve Data Protection and Privacy in
Telecommunications. The Secretariat of the Group is
located at the Berlin Data Protection Commissioner's
Office, Berlin, Germany.


At its spring meeting 1996 in Budapest the Group has
agreed on a Draft Report and Guidance on Data Protection
on the Internet. It was agreed to publish the Report on
the Net in order to receive comments from the network
community.


The Secretariat of the Working Group has initiated a
discussion forum located at the WWW-Server of the
Berlin Data Protection Commissioner
(http://www.datenschutz-berlin.de/diskus/) that could
also be used for comments.


You can also make a contribution by sending an e-mail
directly to the Secretariat <mailbox () datenschutz-berlin de>.
In this case please include "Data Protection on the Internet"
as the subject.


A German version of the report is available at
http://www.datenschutz-berlin.de/diskus/budade.htm .


We are looking forward to your comments on the report.


Yours sincerely,


Hansjürgen Garstka
(Berlin Data Protection Commissioner; Chairman of the Group)




Start of the report




International Working Group
on Data Protection
in Telecommunications


21 May 1996


Data Protection on the Internet


Report and Guidance


"Budapest Draft"


(revised on the basis of the discussions at the 19th Meeting of the Group
in Budapest 15 and 16 April 1996)


Today, the Internet is the world's largest international computer
network. There are "slip roads" to this "information superhighway" in
more than 140 countries. The Internet consists of more than four
million Internet sites ("hosts"); more than 40 million users
from all over the world can use at least one of the different Internet
services and have the facilities to communicate with each other via
electronic mail. Users have access to an immense pool of information
stored at different locations all over the world. The Internet can be
regarded as the first level of the emerging Global Information
Infrastructure (GII). The WorldWideWeb as the most modern Internet user
interface is a basis for new interactive multimedia services.


The participants in the Internet have different tasks, interests and
opportunities:


   * The software, computer and telecommunications industries design the
     networks and the services available.


   * Telecommunications organisations like national telecoms provide
     basic networks for data transfer (point-to-point or
     point-to-multipoint connections).


   * Access (communications) providers supply basic services for storage,
     transmission and presentation. They are responsible for the Internet
     transport system (routing, delivery) and process traffic data.


   * Information (content) providers supply information stored in files
     and databases to the users.


   * Users access different kinds of Internet services (mail, news,
     information) and use the Net for entertainment as well as for
     teleshopping, teleworking, teleteaching/-learning and telemedicine.


I. Problems and risks


Unlike in traditional processing of personal data, where there is usually
a single authority or enterprise responsible for protecting the privacy
of its customers, there is no such overall responsibility on the
Internet assigned to a certain entity. Furthermore there is no
international oversight mechanism to enforce legal obligations as far as
they exist. Therefore the user is forced to put trust in the security
of the entire network, that is every single component of the network, no
matter where it is located or by whom it is managed. The trustworthiness
of the Net will become even more crucial with the advent of new software
which not only induces the user to download programs from the Net, but
also weakens his control over his personal data.


The fast growth of the Internet and its increasing use for commercial and
private purposes give rise to serious privacy problems:


   * The Internet facilitates the quick transmission of great quantities
     of information to any other computer system connected to the
     network. Sensitive personal data can be communicated to countries
     without an appropriate data protection level. Information providers
     might offer personal data from sites situated in countries without
     any privacy legislation, where they can be accessed from all over the
     world by a simple mouse click.


   * Personal data may be routed via countries without any or without
     sufficient data protection legislation. On the Internet, basically
     built for academic purposes, confidential communication is not
     ensured.


     There is no central switching center or other responsible authority
     in control of the entire network. Therefore the responsibility for
     data protection and data security is shared between millions of
     providers. Every message transmitted could be intercepted at any
     site it passes and could be traced, changed, forged, suppressed or
     delayed. Nevertheless the Internet use for business purposes
     increases exponentially and personal and other sensitive data
     (credit card data as well as individual health information) are
     transmitted via the Internet.


   * The use of Internet services allows for neither adequate anonymity
     nor adequate authentication. Computer network protocols and many
     Internet services generally work with dedicated (point-to-point)
     connections. In addition to the content data the identification (ID)
     of the sender and the recipient is transmitted. Every electronic
     mail message contains a header with information about the sender and
     the recipient (name and IP address, host name, time of the mailing).
     The header contains further information on the routing and the
     subject of the message. It may also contain references to articles
     by other authors. Users are bound to leave an electronic trace which
     can be used to develop a profile of personal interests and tastes.
     Although there is no central accounting of the access to news or
     WorldWideWeb, the information behaviour of senders and recipients
     can be traced and supervised at least by the communications provider
     to whom the user is connected.


   * On the other hand, the weakness of identification and authentication
     procedures on the Internet has been used to penetrate remote
     computer systems which were insufficiently protected, to spy on the
     information stored and to manipulate or delete it. The lack of
     secure authentication could also be used to access commercial
     services at the cost of another user.


   * There are thousands of special news-groups in the Internet; most of
     them are open for every user. The contents of articles may contain
     personal data of third persons; this personal information is
     simultaneously stored on many thousands of computer systems without
     any right of redress for the individual.
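The header trace described above (sender, recipient, host names, IP addresses, time of mailing, routing and references to earlier articles) can be made concrete by reading it out of a message the way any relay on the path could. The following is an added example, not part of the report: the message, its hosts, addresses and IPs are constructed for illustration, and only the Python standard library's e-mail parser is used.

```python
"""Extract the identifying trace an ordinary e-mail header leaves behind.

Added example: the message, hosts, addresses and IPs below are
constructed for illustration and belong to no real correspondent.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every host name, address and IP is fictitious.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby relay.example.net with ESMTP id abc123;
\tWed, 11 Sep 1996 17:23:04 -0700
Received: from alice-pc.example.org (alice-pc.example.org [192.0.2.25])
\tby mail.example.org with SMTP id def456;
\tWed, 11 Sep 1996 17:22:58 -0700
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Date: Wed, 11 Sep 1996 17:22:58 -0700
Subject: Re: lab results
Message-ID: <19960911172258.1@alice-pc.example.org>
References: <19960910083000.7@bob-ws.example.net>

Bob, the results are attached.
"""

# "from <helo> (<reverse-dns> [<ip>]) ... by <relay>", the usual shape of a
# Received line; folding whitespace may contain newlines, hence DOTALL.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<relay>\S+)",
    re.DOTALL,
)


def extract_trace(raw_message: str) -> dict:
    """Return the metadata that every relay on the path, and the recipient,
    can read from the header alone, without looking at the body."""
    msg = message_from_string(raw_message)
    sender_name, sender_addr = parseaddr(msg["From"])
    _, recipient_addr = parseaddr(msg["To"])

    hops = []
    # Each relay prepends its own Received line, so the header lists the
    # most recent hop first; reverse to follow the message from its origin.
    for received in reversed(msg.get_all("Received", [])):
        match = _RECEIVED_RE.search(received)
        if not match:
            continue  # unusual relay format; skip rather than guess
        stamp = received.rsplit(";", 1)[-1].strip()
        hops.append({
            "host": match.group("rdns"),
            "ip": match.group("ip"),
            "relay": match.group("relay"),
            "time": parsedate_to_datetime(stamp).isoformat(),
        })

    return {
        "sender": sender_addr,
        "sender_name": sender_name,
        "recipient": recipient_addr,
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],
        "message_id": msg["Message-ID"],
        "replies_to": msg.get_all("References", []),
        "origin_host": hops[0]["host"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in extract_trace(SAMPLE_MESSAGE).items():
        print(f"{key:12} {value}")
```

Nothing in the result needed the message body: the originating workstation, its address, the subject, the thread the message belongs to and the time it was sent are all recoverable from the header, which is exactly the profile-building material the report is concerned with.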


The participants in the Internet share an interest in the integrity and
confidentiality of the information transmitted: Users are interested in
reliable services and expect their privacy to be protected. In some cases
they may be interested in using services without being identified. Users
do not normally realize that they are entering a global market-place
while surfing on the Net and that every single movement may be monitored.


On the other hand many providers are interested in the identification and
authentication of users: They want personal data for charging, but they
could also use these data for other purposes. The more the Internet is
used for commercial purposes, the more interesting it will be for service
providers and other bodies to get as much transaction-generated
information about the customer's behaviour on the Net as possible, thus
increasing the risk to the customer's privacy. Increasingly companies
start to offer free access to the Net as a way of assuring that customers
read their advertisements, which are becoming a major financing method
for the whole Internet. Therefore they want to follow to what extent, by
whom and how often their advertisements are being read.


With regard to certain of the risks mentioned, the functions of the bodies
which manage the Net on an international, regional and national level are
important, in particular when they develop the protocols and standards for
the Internet, fix rules for the identification of connected servers and
eventually for the identification of users.


II. Existing regulations and guidelines


Although several national governments and international organisations
(for example the European Union) have launched programmes to facilitate
and intensify the development of computer networks and services, very
few efforts have been made to provide for sufficient data protection and
privacy regulations in this respect. Some national Data Protection
Authorities have already issued guidelines on the technical security of
computer networks linked to the Internet and on privacy risks for the
individual user of Internet services. Such guidelines have been laid
down for example in France, in the U.K. (see the 14th Annual Report of
the Data Protection Registrar, Appendix 6) and in Germany. The main
topics can be summed up as follows:


   * Providing information on the Internet is subject to the national
     data protection laws and regulations. In this respect the Internet
     is not as unregulated as often stated. It is, to name but one
     example, illegal for a German provider of a WorldWideWeb server to
     register the complete addresses of computers which have accessed
     which Web pages and which files are being downloaded without the
     knowledge of the person initiating that procedure (as is the usual
     practice on the Net). National regulations might include the
     obligation for information providers to register at a national data
     protection authority. National law also contains specific provisions
     with regard to international criminal, private and administrative
     law (conflict of laws) which may provide solutions in certain
     circumstances.


   * Before connecting a local computer network - for example of a public
     authority - to the Internet the risks for the security of the local
     network and the data stored there have to be assessed in conformity
     with the national law. This may include drawing up a security plan
     and assessing whether it is necessary to connect the entire network
     or only parts of it to the Internet. Depending on the purpose it
     might even be sufficient to connect only a stand-alone system to the
     Net.


     Technical measures should be taken to ensure that only the data
     which may be published can be accessed from the Internet, for example
     by setting up a firewall system separating the local network from
     the Net. However, it should be noted that even if such technical
     steps have been taken, connecting a computer network to the Internet
     means exposing it to an additional security risk.


   * If personal data on users of a service are collected it must be
     clear to them who is to use the data and what are the purposes for
     which the data are to be used or disclosed. This means giving
     notification on the screen before disclosure and providing an
     opportunity to prevent disclosure. The user should be able to make a
     hardcopy of this notification and of any other terms and conditions
     set by the provider.


   * If access to personal data on a computer system is provided - for
     example by publishing biographical details of staff members in a
     directory - the information provider must make sure that those
     individuals understand the global nature of that access. The safe
     course is to publish the data only with the informed consent of the
     persons concerned.
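The first of the guideline topics above, that a Web server should not record the complete addresses of the computers which accessed which pages, is something a server operator can enforce at the point where the access log is written. The following is an added example, not taken from the report or from any national guideline: it masks the client address in Apache common/combined-format log lines before they are stored, keeping only the /24 of an IPv4 address and the /48 of an IPv6 address. Those prefix lengths are one common choice and are parameters here, not values the report prescribes; the log lines, hosts, user and paths are constructed.

```python
"""Mask client addresses in web-server access logs before they are stored.

Added example, not taken from the report or from any national guideline:
it keeps the /24 of an IPv4 address and the /48 of an IPv6 address, one
common choice; both prefix lengths are parameters, not prescribed values.
"""
import ipaddress
from typing import Optional

# Constructed sample lines in Apache "combined" format; the addresses are
# documentation ranges and every host, user and path is fictitious.
SAMPLE_LOG = [
    '192.0.2.77 - - [11/Sep/1996:17:23:04 -0700] '
    '"GET /reports/budapest.htm HTTP/1.0" 200 5120 "-" "Mosaic/2.7"',
    '2001:db8:1234:abcd::17 - alice [11/Sep/1996:17:25:11 -0700] '
    '"GET /staff/directory.html HTTP/1.0" 200 880 "http://www.example.org/" "Lynx/2.6"',
    'not a log line at all',
]


def mask_address(address: str, v4_prefix: int = 24, v6_prefix: int = 48) -> Optional[str]:
    """Return the address with its host bits zeroed, or None if it is not an
    IP address at all (so malformed lines are never silently rewritten)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_log_line(line: str, drop_user: bool = True) -> str:
    """Rewrite one common/combined-format line so that it no longer records
    which computer (and, optionally, which authenticated user) fetched the page."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return line
    host, ident, user, rest = parts
    masked = mask_address(host)
    if masked is None:
        return line  # first field is not an address; leave the line alone
    if drop_user:
        user = "-"
    return " ".join((masked, ident, user, rest))


def anonymise_log(lines):
    """Apply the rewrite to a whole log, preserving order and line count."""
    return [anonymise_log_line(line) for line in lines]


if __name__ == "__main__":
    for original, masked in zip(SAMPLE_LOG, anonymise_log(SAMPLE_LOG)):
        print(original)
        print("  ->", masked)
```

The request, status and size fields are kept, so the log still serves capacity planning and error analysis; what is lost is precisely the link between an individual computer and the pages it fetched. Lines that do not start with an address are passed through untouched rather than mangled, which matters when the filter sits in front of a log rotation pipeline.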


There are also a number of international legal regulations and
conventions that apply inter alia to the Internet:


   * Recommendation with Guidelines on the protection of privacy and
     transborder flows of personal data
     adopted by the Council of the Organisation for Economic Cooperation
     and Development (OECD) on 23 September 1980
   * Council of Europe Convention No. 108 for the protection of
     individuals with regard to automatic processing of personal data
     adopted 28 January 1981
   * Guidelines for the regulation of computerized personal data files
     adopted by the United Nations General Assembly on 14 December 1990
   * European Council 90/387/EEC of 28 June 1990 on the establishment of
     the internal market for telecommunications services through the
     implementation of Open Network Provision (ONP) and ensuing ONP
     Directives (defining data protection as "essential requirement")
   * Directive 95/46/EC of the European Parliament and of the Council of
     24 October 1995 on the protection of individuals with regard to the
     processing of personal data and on the free movement of such data
     (EU-Data Protection-Directive)
   * General Agreement on Trade in Services (GATS) (stating in Article
     XIV that Member States are not prevented by this worldwide agreement
     to adopt or enforce regulations relating to the protection of
     privacy of individuals in relation to the processing and
     dissemination of personal data and the protection of confidentiality
     of individual records and accounts).


The EU-Directive as the first supra-national legal instrument does
contain an important new definition of "controller" which is relevant in
the Internet context. Article 2 lit. c) defines "controller" as the
natural and legal person, public authority, agency or any other body
which alone or jointly with others determines the purposes and means of
the processing of personal data. Applying this definition to the use of
the Internet for purposes of electronic mail the sender of an electronic
message has to be considered to be the controller of this message when
sending a file of personal data for he determines the purposes and means
of the processing and transmission of those personal data. On the other
hand the provider of a mailbox service himself determines the purposes
and means of the processing of the personal data related to the operation
of the mailbox service and therefore he as "controller" has at least a
joint responsibility to follow the applicable rules of data protection.


Although not legally binding and adopted on a national rather than an
international level the


   * Principles for providing and using personal information "Privacy and
     the National Information Infrastructure" adopted by the Privacy
     Working Group of the Information Policy Committee within the United
     States Information Infrastructure Task Force (IITF) on 6 June 1995


should be mentioned in this context for they are bound to influence the
international data flows. They have been discussed intensively and
fruitfully with the International Working Group on Data Protection in
Telecommunications at the Joint Meeting in Washington, D.C. on 28 April
1995.


In practice some important and effective rules are being imposed by the
Net Community itself by way of self-regulation (e.g. "Netiquette").
Such methods are not to be underestimated as to the role they play and
might play in future in protecting the individual user's privacy. At
least they contribute to creating the necessary awareness among users
that confidentiality on the Net as a basic standard is non-existent
("Never send or keep anything in your mailbox that you would mind seeing
on the evening news."). The EU-Data Protection Directive in turn calls for
codes of conduct (Article 27) which should be encouraged by Member States
and the Commission.


III. Guidance


There can be no doubt that the legal and technical protection of Internet
users' privacy is at present insufficient.


On the one hand the right of every individual to use the information
superhighway without being observed and identified should be guaranteed.
On the other hand there have to be limits (crash-barriers) with regard to
the use of personal data (e.g. of third persons) on the highway.


There is a strong case to prohibit the use of the Internet for the
publication of search warrants by the police (the U.S. Federal Bureau of
Investigation has published a list of wanted suspects on the Net for
some time). The described deficiencies in the authentication procedure
and the easy manipulation of pictures in Cyberspace seem to prevent the
use of the Net for this purpose.


A solution to this basic dilemma will have to be found on the following
levels:


a) Service providers should inform each potential user of the Net
unequivocally about the risks to his privacy. He will then have to
balance these risks against the expected benefits. The Internet is a
"beautiful wilderness with lions and snakes" (Waltraut Kotschy) but there
is little awareness among users what this means.


b) As "elements of network infrastructure as well as participants each
have physical locations, states have the ability to impose and enforce a
certain degree of liability on networks and their participants" (Joel
Reidenberg). In many instances the decision to enter the Internet and how
to use it is subject to legal conditions under national data protection
law. Personal data may only be collected in a transparent way. Patients'
data and other sensitive personal data should only be communicated via
the Internet or be stored on computers linked to the Net if they are
encrypted.


c) Several national governments are calling for international agreements
on the Global Information Infrastructure. The French Minister for
Information Technology has argued in favour of an international treaty
similar to the International Convention on the Law of the Sea; the German
Minister for Research and Technology has called for an initiative in the
framework of the G7 group. These initiatives are to be supported. An
international cooperation, even an international convention governing
data protection in the context of transborder networks and services
including an oversight mechanism is essential.


d) National and international law should state unequivocally that the
process of communicating (e.g. via electronic mail) is also protected by
the secrecy of telecommunications and correspondence.


e) Furthermore it is necessary to develop technical means to improve the
user's privacy on the Net. It is mandatory to develop design principles
for information and communications technology and multimedia hard- and
software which will enable the individual user to control and give him
feedback with regard to his personal data. In general users should have
the opportunity to access the Internet without having to reveal their
identity where personal data are not needed to provide a certain service.
Concepts for such measures have already been developed and published.
Examples are the "Identity Protector" concept included in
"Privacy-enhancing technologies: The path to anonymity" by the Dutch
Registratiekamer and the Information and Privacy Commissioner of
Ontario/Canada (presented at the 17th International Conference on Data
Protection in Copenhagen, 1995) and the "User Agent" concept as reported
on at the joint Washington meeting of the Working Group with the Privacy
Working Group of the IITF (April 1995).


f) Technical means should also be used for the purpose of protecting
confidentiality.


The use of secure encryption methods must become and remain a legitimate
option for any user of the Internet.


The Working Group supports new developments of the Internet Protocol
(e.g. IP v6) which offer means to improve confidentiality by encryption,
classification of messages and better authentication procedures. The
software manufacturers should implement the new Internet Protocol
security standard in their products and providers should support the use
of these products as quickly as possible.


g) The Working Group would endorse a study of the feasibility to set up a
new procedure of certification issuing "quality stamps" for providers and
products as to their privacy-friendliness. This could lead to an improved
transparency for users of the Information Superhighway.


h) Finally it will be decisive to find out how self-regulation by way of
an expanded "Netiquette" and privacy-friendly technology might improve
the implementation of national and international regulations on privacy
protection. It will not suffice to rely on any one of these courses of
action: they will have to be combined effectively to arrive at a Global
Information Infrastructure that respects the human rights to privacy and
to unobserved communications.


The International Working Group on Data Protection in Telecommunications
will monitor the developments in this field closely, take into account
comments from the Net Community and develop further more detailed
proposals.

