NOTEREF _Ref445303279 See, e.g., Letter from 59 Public Interest and Consumer Groups to Tom Wheeler, Chairman, FCC at 1 (January 20, 2016), available at https://www.publicknowledge.org/documents/broadband-privacy-letter-to-fcc-jan.-2016.
NOTEREF _Ref445303279 Certain types of encryption can obscure the payload of customers’ communications packets from BIAS providers, but will not prevent BIAS providers from obtaining significant source, destination, and traffic type information, among others. For instance, a BIAS provider will still need to know the source and eventual destination of encrypted content in order to properly route the information; will still know the time and frequency of communications, and can determine other information from packet headers as well as from domain name resolution requests. See, e.g., New America, Open Technology Institute, The FCC’s Role in Protecting Online Privacy 3-5 (2016), https://static.newamerica.org/attachments/12325-the-fccs-role-in-protecting-online-privacy/CPNI__web.d4fbdb12e83f4adc89f37ebffa3e6075.pdf; Center for Democracy and Technology, Applying Communications Act Consumer Privacy Protections to Broadband Providers 2 (2016), https://cdt.org/files/2016/01/2016-01-20-Packets_Layers_fnl.pdf; Letter from Twelve Public Interest Organizations to Tom Wheeler, Chairman, FCC at 2-3 (Mar. 7, 2016). Furthermore, even more detailed information can be derived from encrypted content via traffic analysis. See Brad Miller, Ling Huang, et al., I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis, 14th International Symposium on Privacy Enhancing Technologies (2014) available at https://www.petsymposium.org/2014/papers/Miller.pdf.
NOTEREF _Ref445303279 Seesupra note 186.
NOTEREF _Ref445303279 Congress has recognized that Social Security numbers and financial account information warrant particular privacy protections under GLBA and FCRA. See 15 U.S.C. § 6801 et seq. (Gramm-Leach-Bliley Act); 15 U.S.C. § 1681 et seq. (Fair Credit Reporting Act). See also 2015 Pew Report at 18.
NOTEREF _Ref445303279 Congress has recognized that children’s privacy is of particular public concern, and has created heightened requirements for the collection, use, and disclosure of children’s information. See Children’s Online Privacy Protection Act of 1998, Pub. L. No. 105-277112 Stat. 2681-728 (codified at 15 U.S.C. §§ 6501-06).
NOTEREF _Ref445303279 See, e.g., United States v. Jones, 132 S. Ct. 945, 955 (2012) (Sotomayor, J. concurring) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”).
NOTEREF _Ref445303279 See 18 U.S.C. § 2701 et seq. (Stored Communications Act); 18 U.S.C. § 2510 et seq. (Wiretap Act). See also 47 U.S.C. § 605 (Except as authorized under 18 U.S.C. § 2511(2), no person receiving or transmitting any interstate or foreign communication by wire or radio “shall divulge or publish the existence, contents, substance, purport, effect, or meaning thereof, except through authorized channels of transmission or receipt” to any person other than the addressee, his agent, or attorney (or in other specifically-delineated circumstances)) (emphasis added). In the cable context, Congress observed that “[c]able systems, particularly those with a ‘two-way’ capability, have an enormous capacity to collect and store personally identifiable information about each cable subscriber.” H.R. Rep. No. 934, 98th Cong., 2d Sess. 29 (1984), quoted in Scofied v. Telecable of Overland Park, Inc., 973 F.2d 874, 876 (10th Cir. 1992). “Subscriber records from interactive systems can reveal details about bank transactions, shopping habits, political contributions, viewing habits, and other significant personal decisions.” Id. The Cable Privacy Act prohibits operators from disclosing this personally identifiable information “without the prior written or electronic consent of the subscriber concerned.” 47 U.S.C. 551(c)(1).
NOTEREF _Ref445303279 2012 FTC Privacy Report at 35.
NOTEREF _Ref445303279 An FTC Staff Report recommended that mobile providers provide “just-in-time” disclosures to consumers before allowing applications to access sensitive content such as geo-location information. Federal Trade Commission, Mobile Privacy Disclosures: Building Trust Through Transparency at ii (2013), https://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf. We also observe that mobile industry guidelines incorporate the practices of “just-in-time” notices. See, e.g., Digital Advertising Alliance, Application of Self-Regulatory Principles to the Mobile Environment at 24 (July 2013), http://www.aboutads.info/DAA_Mobile_Guidance.pdf; Network Advertising Initiative, 2015 Update to the NAI Mobile Application Code at 6 (2015), http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf; Network Advertising Initiative, 2015 Update to the NAI Code of Conduct at 7 (2015), http://www.networkadvertising.org/sites/default/files/NAI_Code15encr.pdf.
NOTEREF _Ref445303279 See, e.g., 47 CFR § 64.2008(d)(3) (imposing requirements on notification by email).
NOTEREF _Ref445303279 See supra Part 84.A.
NOTEREF _Ref445303279 For example, BIAS providers may opt to provide a direct ASL line for deaf consumers to provide notice of their approval or disapproval of the use or disclosure of their information.
NOTEREF _Ref445303279 See 47 CFR § 64.2007(a).
NOTEREF _Ref445303279 See 47 CFR § 64.2007(a)(2).
NOTEREF _Ref445303279 See 47 CFR § 64.2008(f).
NOTEREF _Ref445303279 See 47 CFR § 64.2009.
NOTEREF _Ref445303279 See 47 CFR § 64.2009(e).
NOTEREF _Ref445303279 See 47 U.S.C. §§ 551(b), (c), 338(i)(3), (4).
NOTEREF _Ref445303279 If too much context is removed from data, it may no longer provide the insights for which BIAS providers and others value the information. See, e.g., Robert Gellman, The Deidentification Dilemma: A Legislative and Contractual Proposal, 21 Fordham Intell. Prop. Media & Ent. L.J. 33, 39 (2010).
NOTEREF _Ref445303279 See 2012 FTC Privacy Report at 21; see also 2015 Administration Discussion Draft at Sec. 4(a)(2)(A), (proposing a “reasonable basis for expecting that the data could not be linked” to an individual standard).
NOTEREF _Ref445303279 See, e.g., U.S. Public Policy Council of the Association for Computing Machinery, Response to Request for Information, Big Data Review, 79 FR 12251 at 2, http://usacm.acm.org/images/documents/BigDataOSTPfinal.pdf (“It has become significantly easier to extract personally identifiable information from nominally de-identified data as more data becomes available. In recent years academic researchers have shown that many data sets thought to be ‘de-identified’ or ‘anonymized’ can be re-identified when the data are correlated with other information that is publicly available.”). There is a rich scientific literature on re-identifying data that has been de-identified. Additionally, in 2000, Latanya Sweeney, now the Director of the Data Privacy Lab in the Institute for Quantitative Social Science at Harvard University, demonstrated that 87 percent of the population in the United States had reported characteristics that likely made them unique based only on 5-digit ZIP, gender, and date of birth. Latanya Sweeney, Abstract, Uniqueness of Simple Demographics in the U.S. Population (Carnegie Mellon Univ., Lab. for Int’l Data Privacy 2000), http://dataprivacylab.org/projects/identifiability/index.html. In 2008, researchers at the University of Texas at Austin succeeded in using publicly available information to identify Netflix subscribers in a dataset of movie ratings from which personal identifiers had been removed, explaining that “[r]emoving identifying information is not sufficient for anonymity.” Arvind Narayanan & Vitaly Shmatikov, Robust De-anonymization of Large Sparse Datasets, in Proceedings of the 2008 IEEE Symposium on Security and Privacy, 111, 118 (2008), http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
NOTEREF _Ref445303279 NIST PII Guide at § 2.1.
NOTEREF _Ref445303279 See 45 CFR § 164.514(b)(1).
NOTEREF _Ref445303279 See 2012 FTC Privacy Report at 20-21; see also 2015 Administration Discussion Draft at Sec. 4(a)(2)(A) (advocating for a commitment not to attempt to re-identify information and contractual requirements not to attempt to re-identify information for entities and with whom the company shares the information).
NOTEREF _Ref445303279 See, e.g., Gellman, supra note 261, at 47-55 (describing the privacy benefits of contractually prohibiting re-identification or attempted re-identification of information).
NOTEREF _Ref445303279 See 2012 FTC Privacy Report at 21.
NOTEREF _Ref445303279 See 45 CFR § 164.514(b)(2)(i)(A)-(R).
NOTEREF _Ref445303279 See 45 CFR § 164.514(b)(2)(ii).
NOTEREF _Ref445303279 Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701, 1732 (2010). Ohm further argues that “[e]asy reidentification makes PII-focused laws like HIPAA underprotective by exposing the arbitrariness of their intricate categorization and line drawing. Although HIPAA treats eighteen categories of information as especially identifying, it excludes from this list data about patient visits—like hospital name, diagnosis, year of visit, patient’s age, and the first three digits of ZIP code—that an adversary with rich outside information can use to defeat anonymity.” Id. at 1740.
NOTEREF _Ref445303279 We note that there is an existing petition before the Commission that may address some of these issues. See Petition of Public Knowledge et al. for Declaratory Ruling Stating that the Sale of Non-Aggregate Call Records by Telecommunications Providers without Customers’ Consent Violates Section 222 of the Communications Act, WC Docket No. 13-306 (filed Dec. 11, 2013), http://apps.fcc.gov/ecfs/document/view?id=7520963695.
NOTEREF _Ref445303279 See supra Part108.A.
NOTEREF _Ref445303279 2012 FTC Privacy Report at 12; see also id. at n.61.
NOTEREF _Ref445303279 2012 FTC Privacy Report at 12, see also id. at n.64.
NOTEREF _Ref445303279 See, e.g.,Federal Trade Commission, Start with Security: A Guide for Business (2015), https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business (2015 FTC Security Guide for Business).
NOTEREF _Ref445303279 See, e.g., TerraCom Consent Decree; CBR Systems, Decision and Order, F.T.C. File No. 112-3120 (2013), https://www.ftc.gov/sites/default/files/documents/cases/2013/05/130503cbrdo.pdf.
NOTEREF _Ref445303279 See, e.g., Md. Code Ann., Com. Law § 14-3503(a); Utah Code Ann. § 13-44-201; Fla. Stat. § 501.171(2); Cal. Civ. Code § 1798.81.5(b)-(c).
NOTEREF _Ref445303279 See 2007 CPNI Order, 22 FCC Rcd at 6931, para. 6; TerraCom NAL, 29 FCC Rcd at 13330, para. 14; 2013CPNI Declaratory Ruling, 28 FCC Rcd at 9619, para. 29; Open Internet Privacy Standard; Enforcement Bureau Guidance: Broadband Providers Should Take Reasonable, Good Faith Steps to Protect Consumer Privacy, Enforcement Advisory, 30 FCC Rcd 4849 (2015).
NOTEREF _Ref445303279 See The White House, National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy at Appx. A (2011) (“Fair Information Practice Principles (FIPPs)”), http://www.nist.gov/nstic/NSTIC-FIPPs.pdf (NSTIC FIPPs Appendix); see alsoDepartment of Health, Education and Welfare, Records, Computers and the Rights of Citizens (1973); Organization for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information(1995); Canadian Standards Association, Model Code for the Protection of Personal Information: A National Standard of Canada (1996); Federal Trade Commission, Privacy Online: A Report to Congress (1998).
NOTEREF _Ref445303279 15 U.S.C. § 45(a)(1); 2012 FTC Privacy Report at 23-30; 2015 FTC Security Guide for Business. See also FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (upholding FTC authority to bring data security cases under the Section 5 “unfairness” prong).
NOTEREF _Ref445303279 See, e.g., GMR Transcription Services, Inc., Complaint, F.T.C. File No. 122-3095 (2014), https://www.ftc.gov/system/files/documents/cases/140821gmrcmpt.pdf (GMR Transcription Services Complaint); GeneLink, Inc., Complaint, F.T.C. File No. 112-3095 (2014) https://www.ftc.gov/sites/default/files/documents/cases/140107genelinkcmpt.pdf (GeneLink Complaint); Accretive Health, Inc., Complaint, F.T.C. File No. 122-3077 (2014), https://www.ftc.gov/system/files/documents/cases/140224accretivehealthcmpt.pdf. The FTC also enforces data security obligations under the Fair Credit Reporting Act and the GLBA. See 15 U.S.C. §§ 1681 et seq., 6801-6809.
NOTEREF _Ref445303279 See, e.g., Md. Code Ann., Com. Law § 14-3503(a); Utah Code Ann. § 13-44-201; Fla. Stat. § 501.171(2); Cal. Civ. Code § 1798.81.5(b)-(c).
NOTEREF _Ref445303279 42 CFR § 164.304.
NOTEREF _Ref445303279 15 U.S.C. § 6801(b).
NOTEREF _Ref445303279 See infra n. 321.
NOTEREF _Ref445303279 In the 1998 CPNI Order, the Commission determined that different CPNI rules were not necessary for small or rural carriers and applied the CPNI rules adopted pursuant to Section 222 equally to all carriers. 1998 CPNI Order, 13 FCC Rcd at 8196, para. 194.
NOTEREF _Ref445303279 Pursuant to President Obama’s 2012 privacy blueprint, see The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (2012), https://www.whitehouse.gov/sites/default/files/privacy-final.pdf (2012 White House Privacy Blueprint), NTIA has convened stakeholders to develop industry best practices and codes of conduct for different issues within the NTIA’s purview, including privacy for mobile applications; commercial uses of facial recognition technology; and recently, privacy, accountability and transparency related to the commercial use of drones. See Press Release, National Telecommunications and Information Administration, NTIA Seeks Comment on Process for Developing Best Practices for Commercial and Private Use of Unmanned Aircraft Systems (Mar. 4, 2015), https://www.ntia.doc.gov/press-release/2015/ntia-seeks-comment-process-developing-best-practices-commercial-and-private-use-u.
NOTEREF _Ref445303279 See infra Part. III.E.3.
NOTEREF _Ref445303279 See 16 CFR § 314.4(b); see also 15 U.S.C. §§ 6801-6809.
NOTEREF _Ref445303279 45 CFR § 164.308(a)(1).
NOTEREF _Ref445303279 Id. at § 164.308(a)(1)(ii)(A). See also National Institute for Standards and Technology, An Introductory Resource Guide for Implementing the Health Insurance Portability And Accountability Act (HIPAA) Security Rule at 15-17 (2008), http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf (NIST HIPAA Implementation Guidance) (NIST guidance for HIPAA Security Rule risk analyses).
NOTEREF _Ref445303279 See Department of Health and Human Services, Guidance on Risk Analysis Requirements under the HIPAA Security Rule at 4-7 (2010), http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf (explaining “several elements a risk analysis must incorporate, regardless of the method employed”). This guidance is provided by the Centers for Medicare & Medicaid Services, a part of the part of the Department of Health and Human Services (HHS), for covered entities implementing HIPAA. See also 45 CFR § 164.308(a)(1)(ii)(A).
NOTEREF _Ref445303279 See International Association of Privacy Professionals, IAPP-EY Annual Privacy Governance Report 2015 (2015), https://iapp.org/media/pdf/resource_center/IAPP-EY_Privacy_Governance_Report_2015.pdf.
NOTEREF _Ref445303279 1998 CPNI Order, 13 FCC Rcd at 8198, para. 198; see also 47 CFR § 64.2009(b).