Online at www.aclunc.org/tech
PRIVACY AND FREE SPEECH MISTAKES
HURT BUSINESS
When it comes to protecting your users’ privacy and free speech, mistakes can cost you not only money
but also your good name.
MISTAKES CAN RESULT IN GOVERNMENT INVESTIGATIONS AND
FINES
Government oversight and penalties can hurt. For example, data broker ChoicePoint’s insecure data
practices cost it $25 million in government fines, legal fees, and costs to notify consumers about a
security breach,[7] as well as a rapid 9% dive in stock price.[8] Comcast was taken to task by the Federal
Communications Commission[9] and forced to defend against class-action lawsuits[10] for interfering with
free speech by slowing access for customers using peer-to-peer technologies.
MISTAKES CAN RESULT IN EXPENSIVE LAWSUITS
Several large companies have felt the sting of lawsuits related to their privacy and free speech practices.
AT&T and Verizon have both been sued for hundreds of billions of dollars in multiple class-action
lawsuits and have spent massive amounts on attorney and lobbyist fees after reportedly collaborating
with the National Security Agency’s massive warrantless wiretapping and data-mining program.[11] Apple
was slapped with $740,000 in attorney’s fees when it tried to expose the identity of individuals who
leaked information to bloggers about new products.[12]
MISTAKES CAN RESULT IN LOSS OF REVENUE AND REPUTATION
Free speech and privacy violations can directly affect a company’s revenue as well. Facebook lost major
advertising partners and was the target of online protests from 80,000 of its users for failing to provide
proper notice and consent for its Beacon advertising service tying a user’s other Internet activities to
her Facebook profile.[13] NebuAd’s plan to meticulously track all online activity, down to every Web click,
and then use this information for targeted advertising went awry when consumers sounded the alarm for
online privacy and free speech; in its wake, major partnership agreements crumbled, a Congressional
committee investigation was initiated, and the company’s founder and chief executive resigned.[14]
Privacy & Free Speech: It’s Good for Business
FOLLOWING THE LAW IS NOT ENOUGH
FOR USERS OR THE BOTTOM LINE
It is imperative to understand and strictly adhere to all federal and state privacy and free speech laws and
regulations.[15] But businesses should be aware that the current laws are often unclear; moreover, these
laws may not always provide consumers with the level of privacy and free speech protections that they
expect and demand.
COMPANIES MAY FIND THEMSELVES CAUGHT BETWEEN DEMANDS
FOR INFORMATION AND USERS’ EXPECTATIONS OF PRIVACY
Outdated privacy laws can leave companies in an impossible situation, forced to choose between
maintaining the trust of users and responding to subpoenas and other demands for information from the
government or third parties.
Although many users believe that the letters, diaries, spreadsheets, photographs, videos, and other
personal documents and materials that businesses encourage them to store online are as private as
those stored in a file cabinet or on their computer’s hard drive at home, the legal requirements for the
government and third parties to demand access to these documents are uncertain. The “business
record” doctrine, which was established in pre-Internet Supreme Court cases[16] and has not been
reconsidered in light of the new reality of online communication and commerce, holds that there is no
reasonable expectation of privacy, and thus no Fourth Amendment privacy protection, when a user turns
over information to a third-party business. Law enforcement officials thus claim that they can demand
information about online activities of Internet users without a search warrant, at least without violating the
Constitution.
However, other laws, such as the California state constitution and federal and state statutes protecting
health records, financial records, electronic communications, video rentals records, and other specific
information, provide additional sources of privacy protection for personal information.[17] This patchwork
of laws, along with the grey areas in Fourth Amendment doctrine, may leave companies exposed to
demands for information whose legal validity is difficult or impossible to determine.
Even where the law is relatively clear, there may be a significant disparity between what users expect
and what the law requires. Only companies that develop robust privacy policies that anticipate potential
conflict and lay out procedures to safeguard user privacy to the greatest extent possible will meet user
expectations during these difficult situations; those that do not risk paying the price by alienating both
existing and potential users.
COMPANIES MAY FACE COMPETING DEMANDS TO ENABLE AND
LIMIT SPEECH
Consumers have come to rely on the Internet and other new technologies as crucial platforms for the
distribution and discussion of news and current events, creative expression, and other socially valuable
speech. When a user’s political video is removed from a site, when an individual posts an anonymous
message and his identity is revealed, or when a company censors information that should be delivered
to users, there is often a free speech firestorm regardless of the nuances of what a company is legally
required to do. Although its technology may be cutting-edge, a company must be careful to ensure that
its business plan and policies do not interfere with long-established free speech expectations.
COMPANIES CAN ACT TO PROTECT THEIR CUSTOMERS AND THEIR
OWN INTERESTS
Companies that meekly comply with every request for customer information, whether from the
government or a third party, may find themselves subject to a barrage of such requests, which can
consume resources while alienating customers. Companies that stand up for their customers’ rights to
privacy and free speech will earn customer loyalty and may even reduce the administrative burden of
dealing with such requests.
Moreover, weak privacy and free speech laws hurt companies that want to build trustworthy services.
Companies should push for new laws that will build consumer confidence and protect them from
being caught between the privacy interests of customers and government and third-party demands for
information.
PROMOTING PRIVACY AND FREE SPEECH
IS GOOD BUSINESS
Establishing policies that protect privacy and free speech can be a good way to stand out from your
competitors. Protecting your users’ rights through legal and other means can generate valuable trust and
goodwill that will pay off in the long run. The following sections give you the chance to ask yourself important
questions about how your company is currently doing business. Use the tips here to build a solid plan that
will save your company money, time, and reputation by properly protecting privacy and free speech.
These tips will help you get an edge by building customer loyalty and trust while protecting your company
from both litigation and excessive demands for information. In a competitive market, superior privacy and
free speech policies might be the difference between success and failure.
KEEP USERS INFORMED
• Develop a comprehensive and easy-to-understand privacy policy
• Post your privacy policy prominently on all Web pages
• Always follow your privacy policy
• Alert users and employees to privacy policy changes
• Provide notice and get user consent for software and service updates
PROTECT USERS WHILE GATHERING DATA
• Collect and store only necessary user information
• Aggregate or anonymize user transactional data where appropriate
• Inform users about data collection
• Use “opt-in” processes to collect and share user data
• Have easy, fast, and effective user correction and deletion procedures for user data
PROTECT USER DATA FROM DISCLOSURE
• Ensure proper legal process for disclosures and resist overbroad requests
• Promptly notify users about disclosure requests whenever possible
• Disclose only required information
• Safeguard user data—protect devices and develop data security practices
• Quickly respond, notify, and provide service for data breaches
• Protect users from surreptitious monitoring
PROMOTE FREE SPEECH
• Develop and enforce content-neutral policies
• Protect anonymous speech
AVOID POLICIES AND PRACTICES THAT CHILL FREE SPEECH
• Draft your terms of use and service narrowly to avoid stifling protected speech
• Safeguard product trust by not monitoring and tracking speech
• Respect free speech in takedowns
• Plan for fair use before deploying digital rights management (DRM)
II: GETTING AN EDGE:
MAKING YOUR PRIVACY
PRACTICES STAND OUT
The key to developing outstanding privacy practices is ensuring that users are a part of the process.
Informing your users about your products and policies, ensuring that their interests are protected
when a data breach occurs or a third party seeks their information, and enabling them to control
their own data can give users an ownership stake in your product and build invaluable trust and loyalty.
KEEP USERS INFORMED
DO WE HAVE A REAL “PRIVACY” POLICY?
Every company that operates a commercial Web site in California must post a conspicuous privacy policy
on its Web site that discloses the kinds of personally identifiable data that it collects and shares with
third parties.[18] But the term “privacy policy” is often misleading. Although consumers expect that privacy
policies actually protect consumer privacy,[19] such policies may instead state, in effect, that the company
may do as it pleases with whatever information it chooses to collect.
Having a real privacy policy designed to inform users is not just the law, it is also good business. A strong
privacy policy can be a marketing tool, attracting users who prefer to do business with a trustworthy
company that safeguards their private information.
• Explain what data you collect. Do you collect personal information, such as phone
numbers, addresses, or Social Security numbers? Do you create a log of users’ online histories? Do
you collect clickstream data?
• Explain how data is stored. How long is each category of data stored? What data is
linked to an individual? What data is anonymized and after how long? What data is combined?
89% of consumers in 2006 felt more comfortable giving their personal information to companies that
have clear privacy policies.[20]
• Explain how data will be used or shared. Do you create a user profile? Do
you use it to deliver targeted advertising? Do you sell or share this data? If so, with whom? How do
you ensure that this data is not being misused or resold? How can users stop their data from being
shared?
• Explain your processes for responding to data requests by government and third parties.
What data could be requested and disclosed?
What standards must the government or third parties meet in order to obtain that data from your
company? When and how will you provide notice to users about requests for information? Will you
challenge questionable demands on behalf of your users?
• Explain how users can view and control their own data. What
options do users have to view data? What categories of data can be deleted and how? How quickly is
data purged, both online and in archives? What procedures are in place to fix errors?
• Notify users in advance if your privacy policy is about to change.
Give users the opportunity to terminate use of the system and have existing data deleted
or keep using your service but opt out of having their existing data processed under the new policy.
• Always follow your privacy policy. Your policy is a contract that you make
with your users; failure to follow it can result in the loss of user trust as well as lawsuits by users and
action by the Federal Trade Commission and other state and federal agencies.
DO WE PROVIDE USERS WITH NOTICE AND GET THEIR CONSENT
BEFORE INSTALLING OR UPDATING SOFTWARE OR FEATURES?
Making it as easy as possible for users to install or upgrade their software or use new features can be
beneficial, but keeping users in the loop about changes is just as important. Users want to have notice
and an opportunity to consent before any significant changes take effect. Both Sony and Google learned
the hard way that users do not like their software to contain silent, hidden surprises.
59% of consumers said they would recommend a business to their family and friends if they believe that
it follows its privacy policies.[21]
• Notify users and gain their consent before installing or updating products.
Most users will embrace new or improved functionality as long as
they are aware of what they are getting. Giving users choices before making changes will allow them
to voice possibly legitimate complaints as well as prevent controversies when new features have
unforeseen consequences.
• Activate auto-update only with user consent. Most users will happily
activate a feature that keeps their software up-to-date without requiring any effort on their part—but
some will be less than pleased if such updates happen automatically without their knowledge or
permission. Avoid dissatisfaction by making auto-update an opt-in process.
• Distribute updates and new products separately. Using an update to
push out new, unrelated products can result in negative press and may cause users to lose faith in
security update tools. Encourage users to install or use your great new product voluntarily—don’t
trick them into it by attaching it to an update for a service they already use.
Sony: Shipping CDs with an aggressive digital rights management (DRM) program that
installed itself on users’ computers without their permission was a big mistake for Sony. The
company was targeted by multiple class-action lawsuits and blasted in the media.[22] Sony
was forced to recall the CDs and pay millions of dollars in compensation to its users.[23]
Google: The company was pilloried in the press for making millions of its
Google toolbar users vulnerable to a malicious software attack because of its
toolbar’s silent, automatic update mechanism.[24] In 2006, a researcher found a
flaw in the toolbar update mechanism of the Firefox browser.[25] But since the Google toolbar
software, unlike that used by Yahoo! or Facebook, did not provide notice to and obtain
consent from users prior to updating the toolbar, Google toolbar users who used the Firefox
browser could not control when the toolbar was updated and faced increased risk.[26]
Apple: When Apple released its Safari 3.1 for Windows Web browser, it wasn’t
content to simply promote its new product. Instead, it released the browser as an
“update” to its popular iTunes music software, causing many iTunes users to involuntarily
install Safari. Critics claimed that Apple’s behavior “bordered on malware distribution practices,”[27]
driving Apple to clearly identify Safari as a new product and have users opt in prior to installation.[28]
PROTECT USERS WHILE GATHERING DATA
DO WE COLLECT AND STORE ONLY NECESSARY USER INFORMATION?
As data storage becomes less expensive, it may start to seem as though
there is little reason not to collect and retain as much data as possible
about your users. However, the apparent ease of accumulating masses
of data can hide enormous costs due to user dissatisfaction, security
breaches, time-consuming subpoena requests, and privacy and free
speech firestorms.
• Capture only the data you need for your service or that you are legally required to capture.
AOL reportedly receives more than 1,000 subpoenas
every month requesting information about its users.[30] Other tech
companies may face similar numbers of requests, although they do
not reveal exact numbers.[31] An efficient way to avoid these costs is to
capture only the data you need for your service. Do you really need an
individual’s name, address, and phone number? Alternatively, could
your company get by just as well with only one of these pieces of
identifying information? Or none?
• Store only necessary data. Even if you needed to capture identifying information
in order to handle a specific transaction, there may be no need to retain it after the transaction
is complete. Any data collected should be purged in its entirety after it is no longer necessary.
Personally identifying information should rarely be retained for more than a few weeks.
Ask, Google, Microsoft, Yahoo!: Major search engines have started
to recognize the importance of limiting data-retention periods for all data.[32] Ask developed
the AskEraser, allowing users to conduct online searches without the company logging
any information.[33] Microsoft deletes the full IP address, cookies, and any other identifiable user
information from its logs after 18 months.[34] Yahoo! is now planning to anonymize all search records
after three months.[35] Google now engages in a very limited form of log anonymization after nine
months for those using the search engine and not logged into a Google account.[36] After 18 months,
the company deletes a portion of the stored IP address and de-identifies the cookie information
stored in its logfiles.[37]
59% of adults in a 2008 study had refused to provide information to a business or company because
they thought it was not necessary or too personal.[29]
DO WE MINIMIZE THE LINKS BETWEEN
PERSONAL INFORMATION AND
TRANSACTIONAL DATA?
By minimizing the connections between personal information about
users and data about the users’ activities, companies may be able
to achieve desired business goals such as optimizing performance
or delivering targeted advertisements and services while cultivating
user trust and insulating a company from voluminous legal demands
and costly security breaches. Anonymization, aggregation, and similar
techniques can help you extract value from your data while protecting
your users’ privacy.
• Associate user records or personal information with transactional records only where necessary.
Tying identifiable data, including IP addresses or account
information, to transactional records invites privacy breaches
and lawsuits. Evaluate aggregation and anonymization as
tools to protect privacy while preserving the value of collected
information.[39]
68% of consumers in 2000 were “not at all comfortable” with companies that create profiles that link
browsing and shopping habits to identity. The numbers spiked to 82% when profiles include income,
driver’s license numbers, credit data, or medical status.[38]
YouTube: In 2008, YouTube was ordered to turn over records of every video
watched by its users, including names and IP addresses, to Viacom, which was
suing the company for copyright infringement.[40] Since YouTube collected and
maintained “deeply private information” linking individuals and their viewing habits, this
information was available when Viacom came calling.[41] Eventually, a compromise was reached
and the data was anonymized before being turned over to Viacom.[42] However, this close call
resulted in extensive press coverage and outrage by YouTube users and privacy advocates.[43]
AOL: In 2006, AOL and its Chief Technical Officer learned the hard way that
users do not appreciate disclosure of their online search activities. The company
thought that it had properly anonymized the data when it posted online the search
records of 500,000 of its users for use by researchers. It was wrong. The private search habits
of AOL users became public knowledge.[44] AOL quickly pulled the dataset from its Web site,
but not before the information had been mirrored on Web pages around the world and AOL’s
privacy breach was plastered on front pages around the globe.[45] The incident led to the firing
of the researchers involved with the database’s release and the resignation of the company’s
Chief Technical Officer.[46]
DO WE GIVE OUR USERS CONTROL OVER
THE SERVICES THEY RECEIVE AND THE
INFORMATION THEY SHARE?
Users want to be in control of how their information is used or
shared. California law already gives consumers the right to learn
how their personal information is shared by companies and
encourages the adoption of simple methods for individuals to
have the ability to opt out of information sharing.[47]
Failing to ask opt-in permission to use or share personal
information, or making it difficult for users to remove themselves
from lists or terminate use of products, risks alienating existing
users and discouraging others from joining. Follow an ethos of
putting the user in control and your relationship with your users
may be far more positive.
• Use opt-in to activate any new services or features.
Users will often happily volunteer to use
new features—if they are given the choice. When new features
are simply activated without consent, however, backlash can
be severe. Overall, giving users a choice can lead to more
trust and, ultimately, more users.
• Use opt-in to initiate or change data collection or sharing.
Users are particularly
concerned that their personal information might be shared
without their permission. Giving them the choice to share data
puts them in control and will mitigate these fears.
Facebook: The popular social networking site has repeatedly failed to include
adequate privacy protections in its new features and has paid with complaints by
hundreds of thousands of users,[51] calls for boycotts,[52] legislative proposals for industry
regulation, and loss in both reputation and advertising partners.[53] When Facebook
announced its new Beacon advertising service in 2007, which tied a user’s activity on external Web
sites to the user’s Facebook profile, the service leaked surprise holiday gifts, engagement plans, and
other private information to friends and family.[54] The widespread outrage and negative press forced
the company to modify this feature, but not before several large advertisers, including Coca-Cola,
Travelocity, and Overstock.com, withdrew from the new program.[55]
88% of Internet users in 2000 wanted businesses to affirmatively ask them for permission, through
an opt-in mechanism, each time the business wants to share personal information with anyone else.[48]
94% in 2003 wanted the legal right to know everything that a Web site knows about them.[49]
84% in 2003 believe that a law giving them the right to control how a Web site uses and shares
the information collected about them would protect their privacy.[50]