Harvard Law School > Berkman Center > Open Education >

PRIVACY IN CYBERSPACE

Module 1: Introduction

Participants discussed the value of privacy, namely, why informational "privacy," including Privacy in Cyberspace is and should be important. Responses pondered the ways in which the Internet allows the taking of information without individual knowledge of what has been taken and by whom.

Further, participants answered the question: "Does technology change conceptions of "privacy?" While some felt that it should not change the fundamental idea of privacy, others contended that the theory may be the same, but different standards must necessarily apply. Adopting rules designed for the brick and mortar world may not be the best response.

On the issue of anonymity and privacy, participants addressed the paradox that the Internet actually enables anonymity in some ways, but simultaneously destroys it in others.
Participants also discussed moral obligations of corporations concerning privacy violations. Just because collection of private, individual information is legal, does that mean that companies should proceed, particularly without disclosure?

Module 2: Data Profiling

In discussing why more consumers seem to have accepted real world profiling than online profiling, some participants felt that the Internet allowed companies to find out much more personal information about someone than a brick and mortar store. Others felt that the dangers were just as strong in both contexts, particularly with the advent of rewards programs.

On the issue of cookies and consent, participants discovered that cookies have become non-optional if one wants to use the Internet. Also, new technologies are on the way that will outlast cookies, which currently have a life of about five years.

Participants also answered the question: Should websites be required to obtain surfers' explicit consent before collecting data? Responses ranged from a simple "yes" to the assertion that website should not be allowed to collection information at all.

Module 3: Privacy in the Workplace

On the issue of balancing rights between employees and employers, some participants viewed the situation as one of property rights, meaning that the employer should have an absolute right to control of their "property." Others disagreed and asserted that even in a work context, individuals should have privacy rights.

Participants similarly disagreed when asked the question: should employers be required specifically to notify employees when their clickstream data are being collected or their emails are monitored? Answers ranged from "You are paid to work, not to socialize and have fun" to "An employee should be notified of the employer's monitoring activities" to "It is becoming more and more difficult to differentiate between personal and work because work time keeps growing into what used to be personal time."

In adapting workplace rules to the academic setting, some participants saw a major difference in that students are not employees of the university. Others argued that the university does own the "property" and should have an unlimited right to monitor.

Module 4: Governmental Collection of Data - Part I

When asked: How can we properly balance law enforcement's need for information with the right to privacy, some participants commented that the current laws are appropriately balancing privacy interests with the government's police power interest. But others disagreed and said, for instance, "Can we afford to have our liberties abridged or absconded with in the name of national security? Are we not, in effect and act, giving in to the terrorists' tactics and sacrificing the principles we hold dear and sacred?"

In discussing statutory protections under the ECPA, participants noted that many definitions in the statutes are confusing. For instance, the distinction between "storage" and "in transit" is unclear in purpose. Some suggested that perhaps legislators who wrote the laws were not schooled enough in the technology.

Module 5: Governmental Collection of Data - Part II

Participants discussed the new USA Patriot legislation. Some responses were quite negative to the legislation, which was said to completely negate and circumvent the Constitution. But other participants recognized that the Constitution has seemingly been violated in the past in order to protect national security. And in some circumstances, this may be necessary.

In terms of the international implications of the USA Patriot Act, non-US citizens were concerned about the power of the US intelligence agencies. Others felt it was a good and appropriate against terrorism.

When asked about the jurisdiction of the FISA "secret" court, some noted that interdicting terrorism before it strikes is an admirable goal. Others noted that we should not be looking for the quick and easy solution, but a proper solution that respects people's rights.

In discussing that many provisions of USA Patriot allow or even encourage ISP's to voluntarily disclose private information including customer records as well as content of electronic transmissions, participants worried about how voluntary the disclosure really is and if there really are any incentives not to disclose.

Module 6: Cryptography and Other Self-Help Mechanisms

In discussing encryption, there was some participant recognition that it is needed by private users as a protection against the state and other individuals. Others lamented that encryption technology is simply insufficient to protect users from privacy violations. "There are software applications specifically designed to counter encryption techniques. Software now exists to catch your key clicks and to transfer your keyboard actions to an outside party." Participants also looked at P3P as an alternative, but found it is not yet sufficiently developed. As a final note, participants generally agreed that whatever technology protections do become available, it is the users that will need to insist upon protections and actually make use of the technology.