Commentary

EFF Questions Tighter Privacy Rules For Sensitive Data

In conversations about online privacy, industry executives and consumer advocates often appear to agree that companies should provide more protection for so-called sensitive data than other types of information, but disagree on the details -- including fundamentals like what constitutes sensitive data.

But now, the digital rights group Electronic Frontier Foundation, long a champion of users' privacy, is questioning whether it makes sense to craft different privacy rules for sensitive information and other types of data.

"EFF does not say this lightly," lawyers Lee Tien and Marcia Hofmann, and technologist Peter Eckersley, write in comments filed with the FTC. "But we see several considerable problems with attempting to regulate sensitive information more tightly than other consumer data in the general online environment, at least beyond existing regulation such as COPPA [the Children's Online Privacy Protection Act]."

The authors add that the EFF isn't philosophically opposed to additional regulations about sensitive data, but says that attempts to carve out separate rules for such data raise a host of practical problems.

One is that it's difficult to even begin to figure out what type of online data should be considered "sensitive." Consider, some people have said that information that a consumer suffers from a medical condition like cancer should be seen as sensitive. But, as the EFF points out, online it's difficult to know when users' activity signifies something about them personally.

For instance, the EFF says, a user might search for "swine flu" because he suffers from it. But it's also possible that the user is searching for swine flu simply because he heard about it on the news and is curious.

In that sense, as the EFF rightly points out, the difficulty of figuring out what type of data is sensitive is closely tied to the problems of defining personally identifiable information.

For many years, companies assumed that only names, addresses, phone numbers and the like was personally identifiable. But it's become increasingly obvious that supposedly anonymous information, like a list of search queries originating from the same IP address, can be used to identify specific Web users. The result is that an "anonymous" Web user's search about, say, diabetes, might not be sensitive in itself; but if that search, when combined with other data, can be linked back to a specific user, it could become sensitive.

The EFF also points to another complicating factor: Users themselves might supply information about their medical and financial matters on blogs or other sites accessible to the public. "Serious First Amendment issues could be raised by restricting the collection, use and dissemination of publicly available sensitive data," the group argues.

Next story loading loading..