Data Protection and Privacy on the Internet

Report and Guidance

(adopted at the 20th Meeting of the International Working Group on Data Protection in Telecommunications in Berlin 19 November 1996 based on the discussions at the 19th meeting of the Group in Budapest 15 and 16 April 1996)

"Budapest - Berlin Memorandum"

Summary

There can be no doubt that the legal and technical protection of Internet users' privacy is at present insufficient.

Ten guiding principles are set out in this document to improve privacy protection on the Net:

1. Service providers should inform each user of the Net unequivocally about the risks to his privacy. He will then have to balance these risks against the expected benefits.

2. In many instances the decision to enter the Internet and how to use it is subject to legal conditions under national data protection law. This means e.g. that personal data may only be collected in a transparent way. Patients' data and other sensitive personal data should only be communicated via the Internet or be stored on computers linked to the Net if they are encrypted. Arrest warrants issued by the police should not be published on the Internet.

3. Initiatives to arrive at closer international cooperation, even an international convention governing data protection in the context of transborder networks and services are to be supported.

4. An international oversight mechanism should be established which could build on the existing structures such as the Internet Society and other bodies. Responsibility for privacy protection will have to be institutionalized to a certain extent.

5. National and international law should state unequivocally that the process of communicating (e.g. via electronic mail) is also protected by the secrecy of telecommunications and correspondence.

6. Furthermore it is necessary to develop technical means to improve the user´s privacy on the Net. It is mandatory to develop design principles for information and communications technology and multimedia hard- and software which will enable the individual user to control and give him feedback with regard to his personal data. In general users should have the opportunity to access the Internet without having to reveal their identity where personal data are not needed to provide a certain service.

7. Technical means should also be used for the purpose of protecting confidentiality. In particular the use of secure encryption methods must become and remain a legitimate option for any user of the Internet.

8. The Working Group would endorse a study of the feasibility to set up a new procedure of certification issuing "quality stamps" for providers and products as to their privacy-friendliness. This could lead to an improved transparency for users of the Information Superhighway.

9. Anonymity is an essential additional asset for privacy protection on the Internet. Restrictions on the principle of anonymity should be strictly limited to what is necessary in a democratic society without questioning the principle as such.

10. Finally it will be decisive to find out how self-regulation by way of an expanded "Netiquette" and privacy-friendly technology might improve the implementation of national and international regulations on privacy protection. It will not suffice to rely on any one of these courses of action: they will have to be combined effectively to arrive at a Global Information Infrastructure that respects the human rights to privacy and to unobserved communications.

Report

Today, the Internet is the world´s largest international computer network. There are "slip roads" to this "Information Superhighway" in more than 140 countries. The Internet consists of more than four millions of Internet sites ("hosts"); more than 40 millions of users from all over the world can use at least one of the different Internet services and have the facilities to communicate with each other via electronic mail. Users have access to an immense pool of information stored at different locations all over the world. The Internet can be regarded as the first level of the emerging Global Information Infrastructure (GII).The WorldWideWeb as the most modern Internet user interface is a basis for new interactive multimedia services. Internet protocols are increasingly being used for communications within large companies ("Intranets").

The participants in the Internet have different tasks, interests and opportunities:

• The software, computer and telecommunications industries design the networks and the services available.
  
• Telecommunications organisations like national telecoms provide basic networks for data transfer (point-to-point or point-to-multipoint connections).

• Access (communications) providers supply basic services for storage, transmission and presentation. They are responsible for the Internet transport system (routing, delivery) and process traffic data.

• Information (content) providers supply information stored in files and databases to the users.

• Users access different kinds of Internet services (mail, news, information) and use the Net for entertainment as well as for teleshopping, teleworking, teleteaching/ -learning and telemedecine.

I. Problems and risks

Unlike in traditional processing of personal data where there is usually a single authority or enterprise responsible for protecting the privacy of their customers, there is no such overall responsibility on the Internet assigned to a certain entity. Furthermore there is no international oversight mechanism to enforce legal obligations as far as they exist. Therefore the user is forced to put trust into the security of the entire network, that is every single component of the network, no matter where located or managed by whom. The trustworthiness of the Net will become even more crucial with the advent of new software which induces the user not only to download programs from the Net, but also weakens his control over his personal data.

The fast growth of the Internet and its increasing use for commercial and private purposes give rise to serious privacy problems:

• The Internet facilitates the quick transmission of great quantities of information to any computer system connected to the network. Sensitive personal data can be communicated to countries without an appropriate data protection level. Information providers might offer personal data from sites situated in countries without any privacy legislation where they can be accessed from all over the world by a simple mouse click.

• Personal data may be routed via countries without any or without sufficient data protection legislation. On the Internet, basically built for academic purposes, confidential communication is not ensured.
  
  There is no central switching center or other responsible authority in control of the entire network. Therefore the responsibility for data protection and data security is shared between millions of providers. Every message transmitted could be intercepted at any site it passes and could be traced, changed, forged, suppressed or delayed. Nevertheless the Internet use for business purposes increases exponentially and personal and other sensitive data (credit card data as well as individual health information) are transmitted via the Internet.

• The use of Internet services does not allow for adequate anonymity nor adequate authentification. Computer network protocols and many Internet services generally work with dedicated (point-to-point-) connections. In addition to the content data the identification (ID) of the sender and the recipient is transmitted. Every electronic mail message contains a header with information about the sender and the recipient (name and IP-address, host name, time of the mailing). The header contains further information on the routing and the subject of the message. It may also contain references to articles by other authors. Users are bound to leave an electronic trace which can be used to develop a profile of personal interests and tastes. Although there is no central accounting of the access to news or WorldWideWeb, the information behaviour of senders and recipients can be traced and supervised at least by the communications provider to whom the user is connected.

• On the other hand, the weakness of identification and authentication procedures on the Internet has been used to penetrate remote computer systems which were insufficiently protected, to spy on the information stored and to manipulate or delete it. The lack of secure authentication could also be used to access commercial services at the cost of another user.

• There are thousands of special news-groups in the Internet; most of them are open for every user. The contents of articles may contain personal data of third persons; this personal information is simultaneously stored on many thousands of computer systems without any right of redress for the individual.

The participants in the Internet share an interest in the integrity and confidentiality of the information transmitted: Users are interested in reliable services and expect their privacy to be protected. In some cases they may be interested in using services without being identified. Users do not normally realize that they are entering a global market-place while surfing on the Net and that every single movement may be monitored.

On the other hand many providers are interested in the identification and authentication of users: They want personal data for charging, but they could also use these data for other purposes. The more the Internet is used for commercial purposes, the more interesting it will be for service providers and other bodies to get as much transaction-generated information about the customer's behaviour on the Net as possible, thus increasing the risk to the customer's privacy. Increasingly companies start to offer free access to the Net as a way of assuring that customers read their advertisements which become a major financing method for the whole Internet. Therefore they want to follow to want extent, by whom and how often their advertisements are being read.

With regard to certain risks mentioned the functions of the bodies which on an international, regional and national level manage the Net are important in particular when they develop the protocols and standards for the Internet, fix rules for the identification of servers connected and eventually for the identification of users.

II. Existing regulations and guidelines

Although several national governments and international organisations (for example the European Union) have launched programmes to faciliate and intensify the development of computer networks and services, only very little efforts have been taken to provide for sufficient data protection and privacy regulations in this respect. Some national Data Protection Authorities have already issued guidelines on the technical security of computer networks linked to the Internet and on privacy risks for the individual user of Internet services. Such guidelines have been laid down for example in France, in the U.K. (see the 11th Annual Report of the Data Protection Registrar, Appendix 6) and in Germany. The main topics can be summed up as follows:

• Providing information on the Internet is subject to the national data protection laws and regulations. In this respect the Internet is not as unregulated as often stated. It is, to name but one example, illegal for a German provider of a WorldWideWebServer to register the complete addresses of computers which have accessed which Web pages and to which files are being downloaded without the knowledge of the person initiating that procedure (as is the usual practice on the Net). National regulations might include the obligation for information providers to register at a national data protection authority. National law also contains specific provisions with regard to international criminal, private and administrative law (conflict of laws) which may provide solutions in certain circumstances.
  
• Before connecting a local computer network - for example of a public authority - to the Internet the risks for the security of the local network and the data stored there have to be assessed in conformity with the national law. This may include drawing up a security plan and assessing whether it is necessary to connect the entire network or only parts of it to the Internet. Depending on the purpose it might even be sufficient to connect only a stand-alone system to the Net. Technical measures should be taken to secure that only the data which could be published can be accessed on the Internet for example by setting up a firewall system separating the local network from the Net. However, it should be noted that even if such technical steps have been taken connecting a computer network to the Internet means putting an additional risk to its security.

• If personal data on users of a service are collected it must be clear to them who is to use the data and what are the purposes for which the data are to be used or disclosed. This means giving notification on the screen before disclosure and providing an opportunity to prevent disclosure. The user should be able to make a hardcopy of this notification and of any other terms and conditions set by the provider.

• If access to personal data on a computer system is provided - for example by publishing biographical details of staff members in a directory - the information provider must make sure that those individuals understand the global nature of that access. The safe course is to publish the data only with the informed consent of the persons concerned.

There are also a number of international legal regulations and conventions that apply inter alia to the Internet:

- Recommendation with Guidelines on the protection of privacy and transborder flows of personal data adopted by the Council of the Organisation for Economic Cooperation and Development (OECD) on 23 September 1980

- Council of Europe Convention No. 108 for the protection of individuals with regard to automatic processing of personal data adopted on 28 January 1981

- Guidelines for the regulation of computerized personal data files adopted by the United Nations General Assembly on 14 December 1990

- European Council 90/387/EEC of 28 June 1990 on the establishment of the internal market for telecommunications services through the implementation of Open Network Provision (ONP) and ensuing ONP Directives (defining data protection as "essential requirement")

- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU-Data Protection-Directive)

- General Agreement on Trade and Services (GATS) (stating in Article XIV that Member States are not prevented by this worldwide agreement to adopt or enforce regulations relating to the protection of privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.

The EU-Directive as the first supra-national legal instrument does contain an important new definition of "controller" which is relevant in the Internet context. Article 2 lit. c) defines "controller" as the natural and legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Applying this definition to the use of the Internet for purposes of electronic mail the sender of an electronic message has to be considered to be the controller of this message when sending a file of personal data for he determines the purposes and means of the processing and transmission of those personal data. On the other hand the provider of a mailbox service himself determines the purposes and means of the processing of the personal data related to the operation of the mailbox service and therefore he as "controller" has at least a joint responsibility to follow the applicable rules of data protection.

More recently the European Commission has published two documents which might lead to Union legislation and will in that event have considerable consequences on data protection on the Internet:

Communication to the European Parliament, the Council, the Economic and Social Committee
and the Committee of the Regions on illegal and harmful content on the Internet (COM(96) 487 )
and
Green Paper on the protection of minors and human dignity in audiovisual and information
services (COM(96) 483).

Although not legally binding either and adopted on a national rather than an international level the

- Principles for providing and using personal information

"Privacy and the National Information Infrastructure"

adopted by the Privacy Working Group

of the Information Policy Committee

within the United States Information Infrastructure Task Force (IITF) on 6 June 1995

should be mentioned in this context for they are bound to influence the international data flows. They have been discussed intensively and fruitfully with the International Working Group on Data Protection in Telecommunications at the Joint Meeting in Washington, D.C., on 28 April 1995.

In practice some important and effective rules are being imposed by the Net Community themselves by way of self-regulation (e.g. "Netiquette"). Such methods are not to be under-estimated as to the role they play and might play in future in protecting the individual user's privacy. At least they contribute to creating the necessary awareness among users that confidentiality on the Net as a basic standard is non-existent ("Never send or keep anything in your mailbox that you would mind seeing on the evening news.") The EU-Data Protection Directive in turn calls for codes of conduct (Article 27) which should be encouraged by Member States and the Commission.

III. Guidance

There can be no doubt that the legal and technical protection of Internet users' privacy is at present insufficient.

On the one hand the right of every individual to use the Information Superhighway without being observed and identified should be guaranteed. On the other hand there have to be limits (crash-barriers) with regard to the use of personal data (e.g. of third persons) on the highway.

A solution to this basic dilemma will have to be found on the following levels:

1. Service providers should inform each potential user of the Net unequivocally about the risks to his privacy. He will then have to balance these risks against the expected benefits.

2. As "elements of network infrastructure as well as participants each have physical locations, states have the ability to impose and enforce a certain degree of liability on networks and their participants" (Joel Reidenberg). In many instances the decision to enter the Internet and how to use it is subject to legal conditions under national data protection law.

Personal data may only be collected in a transparent way. Patients' data and other sensitive personal data should only be communicated via the Internet or be stored on computers linked to the Net if they are encrypted.

There is also a strong case to prohibit the use of the Internet for the publication of arrest warrants by the police (the U.S. Federal Bureau of Investigations has published a list of wanted suspects on the Net for some time and other national police authorities are following this example). The described deficiencies in the authentication procedure and the easy manipulation of pictures in Cyberspace seem to prevent the use of the Net for this purpose.

3. Several national governments are calling for international agreements on the Global Information Infrastructure. Initiatives to arrive at closer international cooperation, even an international convention governing data protection in the context of transborder networks and services are to be supported.

4. An international oversight mechanism should be established which could build on the existing structures such as the Internet Society and other bodies. Responsibility for privacy protection will have to be institutionalized to a certain extent.

5. National and international law should state unequivocally that the process of communicating (e.g. via electronic mail) is also protected by the secrecy of telecommunications and correspondence.

6. Furthermore it is necessary to develop technical means to improve the user´s privacy on the Net. It is mandatory to develop design principles for information and communications technology and multimedia hard- and software which will enable the individual user to control and give him feedback with regard to his personal data. In general users should have the opportunity to access the Internet without having to reveal their identity where personal data are not needed to provide a certain service. Concepts for such measures have already been developed and published. Examples are the "Identity Protector" concept included in "Privacy-enhancing technologies: The path to anonymity" by the Dutch Registratiekamer and The Information and Privacy Commissioner of Ontario/Canada (presented at the 17th International Conference on Data Protection in Copenhagen (1995) and the "User Agent-concept" as reported on at the joint Washington meeting of the Working Group with the Privacy Working Group of the IITF (April 1995).

7. Technical means should also be used for the purpose of protecting confidentiality.

The use of secure encryption methods must become and remain a legitimate option for any user of the Internet.

The Working Group supports new developments of the Internet Protocol (e.g. IP v6) which offer means to improve confidentiality by encryption, classification of messages and better authentication procedures. The software manufacturers should implement the new Internet Protocol security standard in their products and providers should support the use of these products as quickly as possible.

8. The Working Group would endorse a study of the feasibility to set up a new procedure of certification issuing "quality stamps" for providers and products as to their privacy-friendliness. This could lead to an improved transparency for users of the Information Superhighway.

9. Anonymity is an essential additional asset for privacy protection on the Internet. Restrictions on the principle of anonymity should be strictly limited to what is necessary in a democratic society without questioning the principle as such.

10. Finally it will be decisive to find out how self-regulation by way of an expanded "Netiquette" and privacy-friendly technology might improve the implementation of national and international regulations on privacy protection. It will not suffice to rely on any one of these courses of action: they will have to be combined effectively to arrive at a Global Information Infrastructure that respects the human rights to privacy and to unobserved communications.

The International Working Group on Data Protection in Telecommunications will monitor the developments in this field closely, take into account comments from the Net Community and develop further more detailed proposals.