What is “sensitive data?”
“Sensitive Data” categorically includes but is not limited to data related to an individual’s health or medical condition, sexual behavior or orientation, or detailed personal finances, information that appears to relate to children under 13, racial or ethnic origin, political opinions, religious or philosophical opinions or beliefs and trade union membership.
Four common ways in which sensitive data is exposed
The first three, even combined, are far less prevalent than the fourth.
1. Hacking
• Intruders gain access to data through a weakness in the computer system, or through poor digital hygiene that allows access to computers, desktops and wireless devices
2. Phishing
• Involves a method of extracting sensitive data from unsuspecting individuals through fraudulent emails and communications that appear to come from reputable companies and organizations
• Intruders obtain sensitive data by posing as representatives of a legitimate company or organization
3. Social Engineering
• Involves gathering public information that can be gleaned from social networks, online services and community sites, including games, and offline legal sources and combining it in such a way as to understand sensitive and otherwise personal information through de-anonymizing data.
4. Voluntary Sharing of PII
• Online community network users share a tremendous amount of PII all at once or in small portions with the public or with a broad user group
• Some of this sharing is intentional; the rest happens through poor digital hygiene, failure to use privacy settings, or the lack of privacy settings
• This information can be direct disclosure or available through profiling the user’s preferences, groups and surfing patterns, much of which is made publicly available by the user him or herself
• Children are often the source of public disclosures of sensitive data, not only about themselves, but about their friends and family. They may do this intentionally, to harass or torment the person whose information is being disclosed, or they may do it without realizing the harm
• Some information is shared, unwittingly, by adults and businesses when disclosing communications, employee information and other sensitive data. In addition, adults, as well as children, share personal information about others either intentionally to harm them or without realizing the harm
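The de-anonymization described under item 3 (Social Engineering) is usually a linkage attack: a dataset stripped of names still carries quasi-identifiers (ZIP code, birth date, sex) that can be joined against a public profile list that has names. The following is an added illustration, not code from the original page; every record in it is constructed, and the names, ZIP codes and diagnoses are placeholders. It also shows the defensive check (k-anonymity over the quasi-identifiers) and why coarsening those fields breaks the join.

```python
"""Linkage attack on a 'de-identified' dataset, plus the k-anonymity check.

Added example; all records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed "anonymized" records: direct identifiers removed, but the
# quasi-identifiers (zip, dob, sex) are kept next to the sensitive attribute.
HEALTH_RECORDS = [
    {"zip": "02138", "dob": "1961-07-14", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1961-07-14", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-03-02", "sex": "F", "diagnosis": "depression"},
    {"zip": "02139", "dob": "1985-03-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02140", "dob": "1990-12-30", "sex": "M", "diagnosis": "hiv"},
    {"zip": "02140", "dob": "1990-02-11", "sex": "F", "diagnosis": "anxiety"},
]

# Constructed public list (think voter roll or social-network profiles):
# names are present, sensitive attributes are not.
PUBLIC_PROFILES = [
    {"name": "Alice Example", "zip": "02138", "dob": "1961-07-14", "sex": "F"},
    {"name": "Bob Example",   "zip": "02138", "dob": "1961-07-14", "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1985-03-02", "sex": "F"},
    {"name": "Dana Example",  "zip": "02139", "dob": "1985-03-02", "sex": "F"},
    {"name": "Eve Example",   "zip": "02140", "dob": "1990-12-30", "sex": "M"},
    {"name": "Erin Example",  "zip": "02140", "dob": "1990-02-11", "sex": "F"},
    {"name": "Frank Example", "zip": "02141", "dob": "1975-05-05", "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple the two datasets are joined on."""
    return tuple(record[f] for f in fields)


def link_records(anon, public, fields=QUASI_IDENTIFIERS):
    """Return {name: diagnosis} for every person whose quasi-identifier
    tuple is unique in BOTH datasets; those are the unambiguous re-identifications."""
    anon_index = defaultdict(list)
    for rec in anon:
        anon_index[qi_key(rec, fields)].append(rec)
    public_index = defaultdict(list)
    for prof in public:
        public_index[qi_key(prof, fields)].append(prof)

    linked = {}
    for key, people in public_index.items():
        matches = anon_index.get(key, [])
        if len(people) == 1 and len(matches) == 1:
            linked[people[0]["name"]] = matches[0]["diagnosis"]
    return linked


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is uniquely pinned down by them."""
    counts = defaultdict(int)
    for rec in records:
        counts[qi_key(rec, fields)] += 1
    return min(counts.values()) if counts else 0


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix, birth year only,
    sex suppressed.  Applied to both sides, this enlarges the equivalence classes."""
    return {**record, "zip": record["zip"][:3] + "**",
            "dob": record["dob"][:4], "sex": "*"}


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(HEALTH_RECORDS))
    print("re-identified:", link_records(HEALTH_RECORDS, PUBLIC_PROFILES))
    gen_health = [generalize(r) for r in HEALTH_RECORDS]
    gen_public = [generalize(p) for p in PUBLIC_PROFILES]
    print("k after generalization:", k_anonymity(gen_health))
    print("re-identified after:", link_records(gen_health, gen_public))
```

Carol and Dana share a quasi-identifier tuple and so cannot be told apart; everyone else with a match is re-identified outright. After generalization every class has at least two members, so the join yields nothing, at the cost of less precise data for legitimate analysis.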
Differing definitions of “sensitive data”
Marketers and privacy advocates have disagreed over what “sensitive data” means in the current push to regulate online advertising. For the most part, the government has taken a hands-off approach toward online marketing, giving companies relatively free rein in how they use tools that track what people do online and then use the gathered data to deliver tailored marketing messages.
On July 2, 2009, advertising/marketing industry groups proposed a set of guidelines for self-regulation (http://www.ana.net/news/content/1801) in which they proposed the following definition of “sensitive data”:
The Principle calls for entities not to collect financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about specific individuals for Online Behavioral Advertising purposes without Consent.
However, Pam Dixon of the World Privacy Forum argued that this definition was too narrow and proposed the following definition of “sensitive data”:
Advertisers should not collect, use, disclose, or otherwise process personally identifiable information about health, financial activities, sexual behavior or sexual orientation, social security numbers, insurance numbers, or any government-issued ID numbers for targeting or marketing.
The government has not yet shaped any regulation, but should it do so, it will likely turn to the FTC to negotiate a compromise definition. The FTC is currently holding a series of roundtables on privacy and behavioral advertising.
At the FTC's December 2009 privacy roundtable, panelists raised concerns that collection and third party use of browsing data invades private space by:
1. revealing a user's innermost thoughts, such as a search history that reflects a user's explorations of his sexual identity
2. taking away a user's control over her identity, such as by broadcasting compromising photos of a user at a Cancun Spring Break party to a potential employer
3. revealing sensitive identity or financial information that can be misused by third parties to perpetrate fraud
4. intruding on a user's seclusion by serving targeted ads during a browsing session that reveal that outsiders are listening in.
These closely track the common law privacy rights recognized in several states. These include:
1. Intrusion on seclusion;
2. False light (true facts combined in such a way as to lead others to a false conclusion);
3. Public disclosure of private facts; and
4. Right of publicity (or identity)
These have long been recognized as the core privacy rights because of the likelihood of harm their violation causes. They are a good place to start when considering sensitive data classifications and their treatment.
Parry Aftab, a privacy lawyer and Executive Director of the cybersafety charity WiredSafety, identifies sensitive data in two different ways. First, she sums it up as “kids, cash and kidneys,” meaning the three categories of data already regulated within the US: children’s data, financial data and health data. These are the categories most commonly abused commercially.
Second, she identifies sensitive data as data relating to vulnerable groups, whose data is most commonly abused by individuals in harassment, reputational attacks and the provocation of physical harm. These groups include gay, lesbian, bisexual and transsexual people; victims of crime; medical patients and those with special medical or addiction issues; mental health patients or those suffering from mental health issues; those with special needs and the physically or mentally challenged and disabled; children; religious and ethnic groups; racial and nationality classifications; litigants and those within the criminal justice system; and, in certain cases, senior citizens.
In the former case, regulations already exist to handle the increased risk of disclosure of this information. However, individuals often carelessly or intentionally disclose this information about themselves and others. Once shared, that information is often gathered and used in social engineering, in targeted marketing and in building dossiers for multiple purposes. The law typically protects only against the first disclosure, and a consensual disclosure removes the information from special legal protection.
Vulnerable groups often do not understand their vulnerability online. They often seek support and help online in public forums, or forums that can be easily accessed by third parties. They tend to be less security savvy online and far more trusting of individuals and networks. They either do not use privacy settings, or use them ineffectively. And their information can be gathered, combined with offline and other online data to create risk-profiles or used by stalkers, harassers and hate groups to provoke them online and offline. Physical assaults, crimes against their persons or property and reputational attacks are common.
Aftab’s Socially Safe Seal™, offered through her new risk-management consulting firm, WiredTrust, requires seal holders to create special processes and policies to handle both sensitive data and better protect the vulnerable groups. Her holistic approach includes education, user tutorials and help and specially trained moderators and customer service professionals, and involves the charity, the consulting firm and industry working together to create awareness and implement the best practice standards she has developed over the years.
Sensitive Data & P2P Networks
With the prominence of peer-to-peer (P2P) network usage these days, the FTC has found that sensitive data such as financial records, SSNs and driver’s license numbers is increasingly available on various P2P networks. This happens when private and confidential files are mistakenly placed in the “shared file” locations on an individual’s or company’s computer. WiredSafety has repeatedly conducted tests and found that income tax returns, credit applications, and passwords and account information for online banking are inadvertently exposed and shared through P2P networks. Often these are shared inadvertently by preteens and teens who use these networks to download and share music, movies and online games on the family computer.
The FTC said that sensitive data about customers and employees has been shared from the computer networks of over 100 firms and organizations to virtually anybody in the world connected to the Internet and P2P networks. This is not to suggest that rampant identity-theft hacking is occurring, but rather that cluelessness and carelessness among workers with access to this sort of data are largely to blame.
In response to this, the FTC has released new educational materials to private and public entities explaining the risks of using P2P networks and suggestions on how to manage their use such as making sure that no unauthorized P2P programs can be downloaded and accessed and properly configuring and securing P2P programs that are authorized. WiredSafety has created its own educational programs on this and related issues, and posts an extensive library of resources on its WiredSafety.org and other websites.
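One concrete form of “properly configuring and securing” an authorized P2P client is to audit the folder it exposes before it goes online, flagging files that look like the items WiredSafety and the FTC describe (tax returns, bank logins, account numbers). The script below is an added example, not part of the FTC’s materials or WiredSafety’s programs; the folder layout and file contents it builds are constructed, the detection patterns are simple heuristics, and the Luhn check is used to cut false positives on card-number candidates.

```python
"""Audit a would-be P2P shared folder for sensitive content before sharing it.

Added example; the demo files it creates are constructed, not real.
"""
import os
import re
import tempfile

# SSN in the common dashed form, excluding structurally invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Credential-looking key/value pairs.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pin)\s*[:=]")
# File names that commonly belong to the documents found leaking via P2P shares.
SENSITIVE_NAMES = re.compile(r"(?i)(tax|1040|w-?2|return|statement|passport|license)")


def luhn_ok(digits):
    """Luhn checksum; True for every real card number and ~10% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the list of sensitive-data categories found in a text blob."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("card")
            break
    if CRED_RE.search(text):
        hits.append("credential")
    return hits


def audit_shared_folder(root):
    """Walk `root` and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if SENSITIVE_NAMES.search(name):
                reasons.append("filename")
            try:
                with open(path, "r", errors="ignore") as fh:
                    reasons += classify_text(fh.read(1_000_000))  # cap per-file read
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_demo_folder():
    """Create a temporary 'shared' folder with constructed sample files."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    samples = {
        "music/track01.txt": "just a song list, nothing sensitive",
        "2009_tax_return.txt": "Taxpayer SSN: 123-45-6789\nRefund: $1,200",
        "bank_login.txt": "site: examplebank.test\nusername: jsmith\npassword: hunter2",
        "notes.txt": "order ref 4111 1111 1111 1111 expires 12/12",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_folder()
    for path, reasons in sorted(audit_shared_folder(demo).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Run it against the client’s real shared directory instead of the demo folder; anything it flags should be moved out before the client is allowed to start, and the audit is cheap enough to run from a scheduled task on the family or office machine.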
Should All Sensitive Data Be Treated The Same?
Recent discussions have been conducted on whether all sensitive data should be treated the same. In particular, whether location information should be given the same privacy protections as medical data.
John Morris, general counsel for the Center for Democracy & Technology, at a recent Congressional hearing (The Collection and Use of Location Information for Commercial Purposes), expressed support for treating “location as sensitive data, like medical data,” given the meteoric rise in location-based services and the associated geolocation data. Morris went on to testify that such location-based technology should be regulated by the FTC.
Many users have expressed concern about their location being exposed in ways they do not control, adversely affecting their safety and freedom. Others, however, believe that treating location data like medical data would shroud it in complete privacy and harm the location-service ecosystem. With GPS built into most cell phones and many computers, and with games and social networks using location to pair users and to locate on-the-ground stores, services and points of interest, how desirable is it to block access to and use of location data?