Birnhack & Elkin-Koren, Feb. 2004. Privacy Practices of Israeli Public Web Sites, February 2004. Dr. Michael Birnhack & Dr. Niva Elkin-Koren, Haifa Center of Law & Technology. Supported by the Burda Center for Innovative Communications at Ben-Gurion University.


Privacy Practices of Israeli Public Web Sites
February 2004

Dr. Michael Birnhack & Dr. Niva Elkin-Koren
Haifa Center of Law & Technology

Supported by the Burda Center for Innovative Communications at Ben-Gurion University


Regulation of Online Privacy

Law
Market forces
Technology

Is the law effective?
Law in the books vs. Law in action


Research Goals

Examining the application of the Privacy Act of 1981 among Israeli Public Web Sites

Comparing the law with statements addressed to users (phase II: comparing the above with the actual practices)

Assessing the relevance of the law
  Regulation of digital privacy
  Regulation of digital environment


Method of Research

Defining the scope of the research

Classification of sites according to practices:
  Information Collectors
  Non-Collectors

Privacy Policies:
  Finding them…, and
  Analysing them in light of legal requirements


Scope: Israeli Public Web Sites

Home pages
  no internal pages (http://haifa.ac.il/law)
  no sub-sites (excludes geocities-like sites)
Israeli sites (<.il>)
Top third level domain
  http://haifa.ac.il, not http://infosoc.haifa.ac.il/
Active sites only (only about 50% active)
Sites operated by Public bodies and licensed ISPs


Examined Populations

[Bar chart: Active Sites and Registered Domain Names for net.il, ac.il, muni.il and gov.il; vertical axis from 0 to 120]


Legal Requirements: Privacy Protection Act of 1981

Database:
  Collection of electronic information, with the exception of:
    Personal collection
    Communications data only

Obligation of Registration, if:
  10,000+ people, or
  “sensitive information”, or
  Information obtained by third parties, or
  Public database, or
  Direct marketing.


Notice

S. 11 of the Privacy Act:
A request aimed at a person, for the provision of information to be held in a database, should be accompanied with a notice:
  Is there a legal duty to provide the info.?
  The purpose for which the info. is sought
  Will the info. be disclosed to third parties? To whom? For what purpose?


Results

50% Collect Information

30% (15% of total population) Have Privacy Policy

60% (9% of total population) Privacy Policy

90% Links to policy active

70% No Privacy Policy

40% different title for the policy

10% links to policy inactive


Results

[Chart. Labels: do not collect info; collect info; no privacy policy; with privacy policy. Values shown: 50%, 15%, 50%, 35%]


Results

[Chart. Labels: no privacy policy; with privacy policy; PP titled "Privacy Policy"; PP under different title. Values shown: 70%, 18%, 12%, 30%]


Notice

S. 11 of the Privacy Act:
A request aimed at a person, for the provision of information to be held in a database, should be accompanied with a notice:
  Is there a legal duty to provide the info.?
  The purpose for which the info. is sought
  Will the info. be disclosed to third parties? To whom? For what purpose?


The Content of Privacy Policies

30% of Information Collecting Sites have a privacy policy of some sort

75% do not indicate whether info. is collected

60% did not indicate the purpose of the collection of info.

90% did not indicate whether there is an obligation to provide info.


Privacy Act of 1981

S. 13: Right of Access
  Data subject is entitled to access information about her held in database

S. 14: Right of Amendment
  If information is inaccurate, subject has the right to require amendment


Results

Number of sites which indicate the right of access and/or the right of amendment:

?0


Data Security

S. 17 of the Privacy Act of 1981:

The owner of a database… is responsible for the security of the information stored in the database.


Privacy Practices in Excess of the Act’s requirements

21% of the sites which do not seem to collect information have a privacy policy

70% of all sites, including sites which do not collect information, specifically announce that they secure the data.


Summary of results

Low level of compliance
Low awareness
Vagueness of the concept of privacy
Enforcement failure

Privacy practices in excess of the Act:
Market forces
“law in action”
Future plans


Other Countries

South Africa: Survey of top 100 sites: 2/3 fail to comply fully with the law
  -- Information Systems students, Cape Town University, AllAfrica.com, Sep. 7, 2003

UK: Survey of 90 most popular websites: only 2% were “totally compliant” with the Privacy and Electronic Communications Regulation
  -- WebAbacus research, BBC News, Dec. 14, 2003


Ramifications

Assumptions:
  Non-deterministic view of technology
  Privacy is an important value, and should subsist in the digital environment

Within the law:
  Correct enforcement-failures, e.g., class actions; effective governmental supervision
  Require disclosure of rights (access, amendment)

Indirect regulation: carrot & stick approach:
  Incentives to provide privacy (e.g., US-EU safe harbor)
  Disincentives to non-compliance

Private Ordering

Regulation by code


Privacy Practices of Israeli Public Web Sites

Thanks!
