What your multinational's systems have in common with East Germany's Stasi

IT departments in multinationals are collecting personally identifiable data on European citizens, sometimes in violation of E.U. privacy mandates. Mark Underwood compares U.S. and E.U. attitudes to PII and offers a checklist for network and database admins to follow for protection.

They know where you live. They know when you go to sleep. They know which coffee shops you visited. They know which hotels you stayed in, and for how long. With a little database cross-referencing, they can learn that you bought wine in a local restaurant while your spouse was traveling in another part of the country. They know where you're planning to travel next summer. They know everywhere you've lived for the past decade or more.

They know all this without tailing you, without setting foot in your house, and without speaking to you or your friends and family.

"They" is any private or public firm doing business with citizens of European Union countries. "They" is your IT department if your systems collect IP addresses or other personally identifiable information (PII) from E.U. citizens or exchange such data with E.U. systems.

For those of you needing a Cold War refresher, the Stasi, or Staatssicherheit in German, was the official state security service of East Germany. The Stasi has been compared to the Gestapo, but in some ways the comparison is not apt, because the Stasi was a kinder, gentler, more insidious apparatus of the State. The Stasi were sometimes no more intimidating than, say, the network administrator working on the third floor, or the shiny new database consultant.

Think this issue unimportant? Due to privacy concerns in the E.U., until recently the United States did not have access to 2010 bank transaction data from the SWIFT database, a Europe-based system. This data was regarded as essential to U.S. law enforcement attempts to identify such transactions as money laundering and transfers to terrorist organizations. In a recently agreed-upon compromise, the E.U. placed one of its officials at the U.S. Department of Treasury on a permanent basis, and will house the data within the E.U. instead of shipping it out en masse to the U.S.

(Image at left is the badge suggested for U.S. Dept of Commerce Voluntary Privacy Framework.)

IP = "Invaded Privacy" address?

Network and database administrators may be unwitting perpetrators of such surveillance. All this became clear when Google first entered the E.U. market, and concern peaked again when Google Street View was rolled out to Europe. Case law in the U.S. has been ambiguous: some federal courts have decided that IP addresses are not PII, while others have decided that a grand jury subpoena is required before an ISP must disclose a subscriber's IP address. As can easily be seen from online ad targeting, i.e., "localized behavioral advertising," it requires little effort to obtain a city name and more from an IP address.

Regardless of its current legal standing in the U.S., the public attitude that IP addresses were not PII shifted in 2006 when AOL released search logs from its members and New York Times reporters were able to identify and profile a single "anonymized" individual within days. Though many web site privacy policies say otherwise, when IIS or Apache collects IP addresses of users, PII data is being collected.

As DePaul's Joshua McIntyre writes in a piece arguing for treatment of IP addresses as PII, "what prevails today is an online world that lulls its inhabitants into a false sense of anonymity while secretly recording their every move for future discovery." In the U.S., privacy is viewed as a secondary concern in telecommunications policy. It has often been noted that the word "privacy" does not appear in the U.S. Constitution. Not so in Europe, with its dark history of secret police, citizen-spies, and totalitarian regimes that obtained information clandestinely and used it to chase down individuals for imprisonment or death. As shown in the table, the U.S. and Europe have taken different approaches.

Attitudes About Personally Identifiable Information

European Union: European Union Data Privacy Directive 95/46/EC sets high standards for the protection and movement of personally identifiable information between E.U. member countries and outside the E.U. Data protection is granted even after the consumer has passed on the data.
United States: Focus on informed consent, with relatively few legal restrictions on the use of information provided voluntarily. What rules do exist are primarily state-by-state.

European Union: Firms are responsible for protecting PII data once it has been collected, and also for managing its transfer to others by monitoring compliance of recipients.
United States: Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations.

European Union: E-privacy rules introduce mandatory notifications for personal data breaches by providers of communications networks and services, "regardless of sector or type of the data concerned."
United States: Violations are rarely prosecuted. According to a Business Week analysis, only seven cases have been brought to court, and none were proven to be actual non-compliance. (As a cautionary tale, though, consider the case of Twitter's 2009 security breach.)

European Union: Medical records are no different from other E.U. citizens' personal information because a degree of data protection is already afforded.
United States: Concern over medical records privacy may increase with the push to reduce health care costs through greater automation.

European Union: As shown in the case of Germany's export oversight, data to be transferred from Germany to the U.S. requires that the sender verify the recipient's Safe Harbor certification and adherence to notification principles, and be prepared to show auditors the results of such analysis of third parties.
United States: Companies can self-certify through the voluntary Safe Harbor framework suggested by the Department of Commerce. Except for certain areas (e.g., airline passenger data), enforcement is primarily through the private sector.

A checklist for U.S. multinational IT departments

This columnist is neither a lawyer nor a compliance specialist. Still, it is obvious to anyone working in IT that privacy considerations are often more lax here than in the E.U. and other countries. This could create risks for U.S. firms and nonprofits that have customers, contacts, and coworkers based in E.U. member states. Accordingly, this proposed checklist for proactive network and database administrators is just a starting point.

  1. Learn about the Department of Commerce Safe Harbor framework. Consideration of voluntary compliance might enhance awareness of the issue, even if that official route isn't ultimately selected. If you have a Compliance Officer, make an appointment to discuss the current state of affairs in your company. Get a feeling for the climate about PII in Europe; a 2009 RAND-Europe report covers the pros and cons of the E.U. Data Protection Directive.
  2. Treat IP addresses as PII. Educate other IT professionals about privacy considerations associated with IP addresses (as well as other network data such as connection details) to minimize unnecessary or inadvertent collection of PII.
  3. Update data protection policies to include web logs and other PII-containing repositories if they are not already included. Encrypt when not in use, and review data expunging policies. Consider at most a 6-month policy for IP address retention.
  4. Verify that cybersecurity best practices are in place to protect PII. This should include pragmatic considerations such as authentication unique to the type of data to be protected, logging of access to PII archives, and proactive aggregation.
  5. Review and update web site privacy policies.
  6. Be alert for emerging sources of PII, such as bar codes scanned, photos with location and timestamp data in the EXIF, electronic ID, security access logs, GPS, wireless communications . . . the list goes on.
  7. If you're already in over your head, look for expertise from specialty outfits like DataGuidance, Hunton and Williams, Covington and Burling, or Proskauer, to name but a few.
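As an added illustration of checklist items 2 and 3 (this is example code, not part of the column), the following Python script treats the client IP in Apache "combined" access logs as PII: it drops entries older than a six-month retention window and scrubs the remaining addresses, either by truncating them to a network prefix or by replacing them with a keyed hash. The log lines, the secret key and the reference date are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2010:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
2001:db8:1234:5678::9 - - [20/Jul/2010:08:01:05 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.23 - - [01/Aug/2010:23:59:59 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Hypothetical per-deployment secret; rotating it makes old pseudonyms unlinkable.
PSEUDONYM_KEY = b"replace-with-a-random-secret"
RETENTION = timedelta(days=183)  # roughly the 6-month cap from checklist item 3
REFERENCE_NOW = datetime(2010, 9, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')

def truncate_ip(ip_text):
    """Zero the host bits so the address no longer points at one subscriber (/24 IPv4, /48 IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def pseudonymize_ip(ip_text):
    """Keyed hash (HMAC-SHA256) of the address: stable for abuse correlation, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, ip_text.encode(), hashlib.sha256).hexdigest()[:16]

def parse_ts(ts_text):
    return datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")

def scrub_log(text, now=REFERENCE_NOW, mode="truncate"):
    """Return (kept_lines, expired_count): entries past RETENTION are dropped, the rest get a scrubbed IP."""
    kept, expired = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: never pass unscrubbed data through
        if now - parse_ts(m["ts"]) > RETENTION:
            expired += 1
            continue
        scrubbed = truncate_ip(m["ip"]) if mode == "truncate" else pseudonymize_ip(m["ip"])
        kept.append(f'{scrubbed} {m["ident"]} [{m["ts"]}] {m["rest"]}')
    return kept, expired

if __name__ == "__main__":
    lines, dropped = scrub_log(SAMPLE_LOG)
    print(f"dropped {dropped} expired entries\n" + "\n".join(lines))
```

Truncation is the safer default when no per-host correlation is needed; the hashed form keeps abuse investigations possible but is only as private as the key, which is why the key should be protected and rotated alongside the retention policy.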

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

4 comments
corral

Don't know about other EU countries, but here in Spain the laws set three levels of protection for PII. Medical records, religious and political opinions all belong to the highest level.

Jaqui

That they have no record of which client used which IP address at any given time is another falsehood they use to imply that an IP is not personally identifiable. After all, they have to track data transfer used for accounting purposes, and accounting records MUST be kept for 7 years. This means they have complete client IP assignment history for 7 years, or they are not in compliance with financial regulations. :\

dawgit

It's, unfortunately, just the tip of the iceberg, but a good article in the general sense. This is a very hot theme here in Europe, and in Germany in particular. Edited to add: Here, we call it Stasi 2.0 ]:)

seanferd

And the ISP tells the government or the content police (e.g., RIAA) that they do not have these records, or that providing the data requested is cost prohibitive. This versus the telecom ISPs who handed over millions of unrequested records along with the requested data, which was asked for illegally in the first place. Just one of the reasons DPI should die an ugly death. The IP address records are bad enough.