privacy

EPIC Reports: "WhiteHouse.gov to Track Users for Two Years"

From the EPIC Blog:

"The White House modified its privacy policy for WhiteHouse.gov on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies."

The EPIC blog post includes links to old and new privacy policies and a couple of other relevant links.

Privacy in the value chain: an important role for libraries past and future

The new report Surveying the Digital Future, from the Center for the Digital Future at the USC Annenberg School, says that internet users are increasingly concerned about their privacy:

The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet.

-- press release and highlights

Users are more concerned about corporations than governments:

By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online.

It is not clear from the press release that respondents were asked about any specific activities or behaviors of governments or if they were asked about any specific laws such as the "PATRIOT" Act.

Providing users with privacy and confidentiality when they read is one of the key, long-term values of libraries. As we look to our future, we should invest in our ability to continue to do that by hosting digital content and providing users a way to securely and privately browse and read digital content.

See also:
Privacy: "I have nothing to hide"

Disintermediation

Google, Facebook, Twitter oppose California Privacy Law

It almost seems like this is privacy week. After stories about a new book on privacy and Eli Pariser's compelling TED talk about how "search personalization" silently filters out useful information, now we have this:

The California law would require social networks to be private by default and make California users choose privacy settings before they complete registration.

The tech companies say the law is unconstitutional, would hurt the economy, and would significantly undermine the ability of Californians to make informed and meaningful choices about use of their personal data.

Privacy: "I have nothing to hide"

We often hear the argument that it is okay for the government to gather or analyze personal information because only those who have something to hide need worry. As the British government slogan says, "If you've got nothing to hide, you've got nothing to fear."

Libraries take a different approach to privacy. As the American Library Association says, "Privacy is essential to the exercise of free speech, free thought, and free association."

Yet we continue to hear the "nothing to hide" argument. Daniel J. Solove, a professor of law at George Washington University, examines the argument in detail and exposes its flaws in an excerpt from his new book, Nothing to Hide: The False Tradeoff Between Privacy and Security:

  • Why Privacy Matters Even if You Have 'Nothing to Hide', by Daniel J. Solove, Chronicle of Higher Education, "The Chronicle Review" (May 15, 2011) [subscription required]

    Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist [Bruce] Schneier aptly notes, the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong." Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.

Chapter 1 of the book is also freely available:

Solove argues that, in many cases, privacy issues never get balanced against conflicting interests. Bruce Schneier, the security expert Solove quotes above and the author of the excellent monthly newsletter, Crypto-Gram, makes a similar argument in a recent presentation on security issues:

As we have mentioned here before (see, for example, Will GPO guarantee user privacy? Can it? and PRIVACY: Key Challenges Facing Federal Agencies and "Policy neutral" does not mean "neutral policies"), privacy has important policy implications for individual FDLP libraries and their approaches to access to government information. What is your library policy? Will your library choose to retain its role as a protector of privacy, or will it abandon that role to government agencies?

Electronic Medical Records: Privacy, Accuracy, and the Digital Age

My brother is a surgical resident. A few weeks ago he was complaining about the difficult Electronic Medical Record (EMR) software his hospital is using, particularly the unintuitive user interface. Then I read an article in the New York Times about the business opportunities that are growing in the world of electronic health records. According to this article, two brothers, who have already developed a software EMR package for small-practice doctors’ offices, are waiting for the Obama stimulus package to essentially kick in, as the medical community will eventually have to migrate to digital patient records, or pay the penalties for failure to do so.

To me, there are two primary issues: privacy and accuracy. In extolling the benefits of the EMR (Saves lives! Lowers costs! No more pesky paper!), what will prevent the doctors’ offices, hospitals, and health insurers from abdicating responsibility over the care and quality control of those records? I realize that the e-document movement is permeating all levels of our lives, from the personal to the professional, but I cannot help but feel that an attorney’s e-discovery litigation case papers are better protected than patient information in a hospital.

Further, not everyone knows that HIPAA entitles you to your entire medical record, doctor’s notes and all (which is why, from what I understand in talking to several medical residents, doctors are usually instructed to take care in how they write about the patient in the medical record, for subpoena purposes and patient record requests; it probably is not a good idea to write “this patient is an idiot”). But in the same DHHS website, HIPAA privacy rules seem to have a series of caveats. A Washington, DC public interest research center has the same concern: Apparently, the DHHS proposed rules required that privacy breaches need not be reported to patients unless the provider or insurer felt that there was a “significant risk” of harm. So then the discretion for the standard of “significant risk” is left to a large impersonal corporation or a doctor who does not have the time to return phone calls? Not good. DHHS is currently reconsidering that medical breach notification rule, but this caveat that the covered entities determine whether “significant risk” exists, does not appear on the DHHS’s website summary pages.

Accuracy is another issue, and I believe it will be a growing concern as records are increasingly kept in digital format. With the health care companies pushing the doctors and hospitals to get patients in and out of the hospitals as quickly as possible, the quality of time spent with the patient will inevitably be reflected in the patient EMR. Case in point: I visited the ophthalmologist a couple years ago for a routine check-up. I advised the technician that I had scar tissue on my left cornea from an old boxing injury. The technician then inserted the eye pressure gauge into my left eye and the instrument tore into my cornea. The doctor treated me for this second injury but my medical record has no indication of this new injury from the doctor’s office. How do I know? When I mentioned the injury to my GP in a routine checkup, he had no idea what I was talking about. I obtained the medical record myself and added notes for my own records, indicating the date and type of this new injury; I may need this information for future eye care.

Another example: my GP’s EMR for me does not include the list of drugs to which I am allergic (it also does not include any reference to the eye injury from above). I have called his office, but I have yet to see that information added to the EMR. This information is in his paper record on me (I know because I filled out the “patient information form” upon my first visit years ago), but the problem with the EMR is that it can be replicated to any doctor in the country with one phone call, and the information will be inaccurate – even though (or because?) it is digital.

So the government will monitor the transition to EMRs, a "cost-saving" and "patient care" measure, but just who benefits here?

Johanna Blakely-Bourgeois, Pratt SILS

White House Proposes Internet Identity Scheme

Here are some links to stories and opinions about last week's announcement of the National Strategy for Trusted Identities in Cyberspace.

The announcement: The National Strategy for Trusted Identities in Cyberspace. Posted by Howard A. Schmidt on June 25, 2010, The White House Blog.

The draft strategy itself: National Strategy for Trusted Identities in Cyberspace - Creating Options for Enhanced Online Security and Privacy, Department of Homeland Security (June 25, 2010)

OMB: Federal policy on web cookies changing

Online 'Cookies' Crumble Under Tougher Fed Guidelines, by Chris Strohm, Tech Daily Dose (June 25, 2010).

An OMB spokesman said that the federal government is issuing new policies today governing how agencies may use Web "cookie" files and other technologies to collect information from visitors to government Websites.

OMB removes datasets from data.gov

White House bars agencies from posting some statistics, by Aliya Sternstein, NextGov (01/27/2010).

According to this article, datasets posted to data.gov by the Nuclear Regulatory Commission, the Peace Corps, the Agriculture Department's Food Safety and Inspection Service, the Interior Department's Bureau of Reclamation, and the Social Security Administration have been removed by the Office of Management and Budget "because they raised privacy, security or other concerns."

The article is based on work done by OpenTheGovernment.org, which is tracking agency participation with the Open Government Directive here.

Privacy of the e-book?

This year will probably be remembered (among other things!) as the year of the e-book-reader device hype. We've seen new Kindles, the B&N Nook, the FBReader, applications for book reading on iPhones and other handheld devices, and more. And, of course, there is the elephant-in-the-room of the Google book scanning project. (I find it so odd that so much of the popular press refers to the Google "Library" when it is clearly a Google book store.)

It will be a while before we know if the digital age will turn into the end of sharable books (see: Welcome to the library. Say goodbye to the books), but we certainly should be tracking the development of the advantages and disadvantages of e-books and e-book readers.

The Electronic Frontier Foundation is helping us track how these developments affect privacy:

EFF has created a first draft of our Buyer's Guide to E-Book Privacy. We've examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share.

Private-Sector Privacy Problems: gmail edition

In Google we trust? Think again, by Joe Newman, Public Citizen (October 21, 2009).

A Gmail user who did nothing wrong had his or her account shut down because of [a] bank’s monumental screw up. And Google, a company that basically prints its own cash, didn’t lift a finger to protect the rights of one of its users.
