  From: <yl2200@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Thu, 10 Mar 2005 14:10:33 -0500

Paper 1: The Unseen Camera

FROM THE CAMERA ON THE WALL TO THE UNSEEN CAMERA -
THE COST BEHIND THOSE ACCOMPLISHED DREAMS

By Yu-Ting Lin


In our first class, Professor Moglen told us to check the number of
surveillance cameras installed on the streets on our way home.  I
did so after class and, to my amazement, counted a total of 21
cameras on my way home, just from 115 St. to 123 St. on Amsterdam
Avenue alone.  The idea that each time I walked out onto Amsterdam
Avenue there were 21 video cameras taping my every move made me feel
extremely uncomfortable.  It reminded me of the feelings that I had
when I watched the movie "Enemy of the State".  It is terrifying
and unimaginable to realize that you are constantly being watched
when you walk on the street, stop at the store, and buy breakfast.
Unfortunately, it seems to have become a part of our daily life now.

However, the surveillance cameras are visible to us; we can feel
their existence and the threat of surveillance.  What about the
unseen cameras?  What about the personal data collection that
happens on unforeseeable and unconscious occasions?  Or even under
the disguise of benefits or improvements to our quality of life?

Decades ago, we were picturing a great scenario in which we could
sit at home and surf the net.  Through a website, we could conduct
financial transactions, enquire about financial information, make
financial plans and plan investment portfolios.  There would be
less need to rush to the bank.  The banks would always know of our
banking needs in good time.  What a wonderful dream that was!

In recent years, with the emerging tide of financial aggregation
accompanied by great development of technology, this exciting
dream has come true.  However, the catch is that the financial
institutions' customers have to join the big, comprehensive, and
ambitious data-collection pool.  Through the services that
consumers use, the financial institutions gather and analyze
consumer behavior data.  Using the most advanced data mining
technology, the financial institutions analyze data about consumer
buying behaviors, eating habits, traveling preferences, total
annual family income, monthly income and monthly expenditure.  They
then customize their services to meet consumer needs, such as
tailor-made suggestions about a consumer's financial plan.  They
even cooperate with other affiliated merchants to extend their
services to more commercial transactions.

What a great deal!  But think further: how could they know me better
than I do?  How could the industries and the merchants get such
detailed and up-to-date information about me?  What if they just
share or sell my personal data to anyone without my consent?  Are my
rights protected?  Is their behavior adequately regulated?

Congress and the Government have tried to provide some level of
protection for the personal financial data collected by financial
institutions by making laws and promulgating regulations.
But are the protections so far enough?

The Gramm-Leach-Bliley Act, which regulates information privacy in
the financial services sector, provides weak protection to
consumers.  The GLB Act, as well as Regulation P, promulgated by the
FRB under the authorization of the GLBA, imposes few limits on the
collection and sharing of information by financial institutions.
There are no limits on the type of consumer information that
financial institutions can collect and store.  It doesn't prevent
financial institutions affiliated with each other, whether through
ownership or otherwise, from sharing non-public personal
information.  What's even worse is that customers cannot block the
sharing of their personal information among affiliated institutions,
although affiliates are required to disclose the information
sharing to customers.

The few impotent rules in the GLBA and its subsequent regulations
are mainly about requiring disclosure of the privacy policy and
equipping customers with the option to opt out of the sharing of
"non-public" personal information with "unaffiliated" third
parties.  In other words, the GLBA and Regulation P don't
require affirmative consent from customers for any data collection
and distribution to others, including non-affiliated third parties.
Financial institutions are allowed to collect and share until
customers choose to opt out.

In my opinion, to meet the minimal standard of an adequate
protection scheme, there are still several issues that need to be
addressed.  In addition to the existing disclosure requirements,
customers should be given the privilege of accessing and correcting
personal data.  Customers would be able to see the information to be
released and would correct material errors if necessary.  To
preclude abuse of this protection, the financial institutions may
be allowed to charge for overuse of the access to this information,
but the rights should be rendered as default rules.  Secondly,
regarding information sharing among affiliated parties, customers
should be entitled to opt out of affiliate sharing, allowing
customers to object to financial institutions sharing their
financial data with all affiliated firms.  On the other hand, for
information distribution to non-affiliated third parties, the
existing opt-out option should be revised to opt-in.  The default
rule should be a prohibition on information distribution to
non-affiliated parties unless customers say yes.  Moreover, for
sharing sensitive information, like medical information or
personal spending habits, financial institutions would need to have
customers' affirmative consent before releasing sensitive
information to either affiliated or non-affiliated third parties.

A very famous and popular slogan that the financial industry uses
in commercial promotion is "We know everything you want!"  However,
in the absence of adequate protection, imagine that there are
people collecting, analyzing, and sharing every detail of your
personal information without any concern; doesn't it sound
terrifying that "we know you don't know"?  The Gramm-Leach-Bliley
Act and the following Regulation P provide some limited Federal
financial privacy protections for consumers.  While they are an
important beginning, these protections fail to meet minimal
social expectations.  In my opinion, adopting an opt-out option for
affiliate sharing, an opt-in option for sensitive information
sharing and non-affiliate sharing, and the rights to access and to
correct personal data are the least but not the last things to do
now.

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list


