Historically, Europe has taken the lead on the issue of privacy. But are there signs that the US is starting to be more cautious?
It's been acknowledged for many years that privacy is taken far more seriously in Europe than in the United States. The attitudes of U.S. businesses and government organisations have been rather cavalier and epitomised by the now (in)famous remark of Sun Microsystems' CEO, Scott McNealy, in January 1999: “You have zero privacy anyway. Get over it.”
Many Americans can't seem to understand or appreciate the historical context of Europeans' concerns over privacy. While the U.S. and Europe approach privacy from different positions, we have begun to see a convergence over the last two years.
In 2006, the United States business community (and Congress) was stunned when Hewlett-Packard (HP), one of America's largest companies, was caught spying on its own board of directors and reporters. This brought a growing consumer concern around the illegal acquisition of personal phone records through ‘pretexting’ (or social engineering) to the fore.
As a result, Federal Communications Commission (FCC) order number 07-22A1 was released on April 2, 2007, mandating stricter carrier requirements to prevent the unauthorised disclosure of “customer proprietary network information” (CPNI).
What needs to be kept in context in regard to the ‘pretexting’ issue is that American carriers typically kept large amounts of customer calling data for long periods of time.
While the FCC's order does not impact the government's acquisition of such data, its intent is to protect the privacy of such information from unauthorised disclosure to businesses and individuals. At the same time, European carriers have held far less customer calling data – and for shorter periods of time.
Recently, the EU Data Retention Directive (2006/24/EC) modified legal requirements on the retention of customer data.
As of January 2008, telecommunication data must now be kept for several months. Starting in January 2009, internet service providers (ISPs) will also have to retain customer data such as dial-in identification and IP address during usage. These changes to the EU Data Retention Directive are driven by an increased need to combat terrorism.
Now the original differences between the amount of information American and European carriers are retaining are meeting somewhere in the middle. American carriers have a greater legal responsibility to protect customer information from unauthorised disclosure to businesses or individuals – and European carriers will be mandated to retain more customer information and for longer periods of time.
A second aspect of this privacy convergence is related to behavioural targeting.
In July, it was reported that Viviane Reding, the European Union commissioner for Information Society and Media, sent a letter to the British government warning that it needed to safeguard consumer privacy in relation to behavioural ad targeting technology. Reding stated that if the U.K. government didn't resolve the issue, the commission could take it to the European Court of Justice.
In the same month, the U.S. House of Representatives' Subcommittee on Telecommunications and the Internet held hearings on the use of behavioural targeting and chided its use without informing customers.
On August 1st, 33 cable and internet companies (including Google and Microsoft) were sent letters requesting that they provide details about their privacy standards.
An interesting aspect of this scrutiny is that the two leading companies in this nascent space are British (Phorm) and American (NebuAd).
While both claim their technologies provide customer privacy protection, that message has found little resonance or understanding with either customers or government regulators.
Could it be that Americans are catching up in their concerns about privacy? Could we even be moving towards actual governmental cooperation on effective privacy protections on both sides of the Atlantic? No, that's probably too much to expect at this time.
Tim Mather is chief security strategist for RSA Conferences