15-508 / 17-801 / 19-608 / 95-818: Privacy Policy, Law, and Technology
Homework 2 - due September 14, 2005
Reading Assignment:
- Cranor 2
- Solove 4
- A Review of the Fair Information Principles
- I Didn't Buy it for Myself (Cranor)
- Managing Information Technology Security and Privacy Compliance (Stampley)
Reminder: This and all future homeworks must include a
bibliography!
1. Write a short summary of each chapter in the reading
assignment (2-5 sentences each). After each summary (in a separate
paragraph) provide a "highlight" for that chapter. This can be
something new you learned that you found particularly interesting, a
point you would like to discuss further in class, a question the
chapter did not fully answer, something you found confusing, a point
you disagree with, or anything else you found noteworthy. [20 points]
2. Pick a technology that causes privacy concerns. [40 points]
- a) Find two relevant sources of information about the privacy
concerns associated with this technology and summarize their key
points briefly.
- b) Prepare a table
similar to Table 1 in the I Didn't Buy it for Myself paper that
lists privacy risks, possible consequences, and examples of parties to
whom personal information might be exposed for the technology you picked.
- c) Prepare a table similar to Table 2 in the I Didn't Buy it for
Myself paper that demonstrates how the OECD privacy principles
might be applied to reducing the privacy risks associated with the
technology you picked.
3. Research a self-regulatory privacy program or privacy law. Your research should include both reviewing the
program's web site and searching for relevant news articles,
endorsements, criticism, etc. Please include the relevant citations
in your write-up and add the sources to your bibliography. Please
come to class prepared to discuss your findings. [40 points]
- a) Write a short summary description of the program or law.
- b) Explain which of the fair
information practice principles it addresses.
- For self-regulatory
programs state c) who runs it and d) the kinds
of praise and criticism it has been getting.
- For laws state c) the
agency responsible for enforcing them and d) the types of enforcement actions
that have been taken and published evaluation of the law's
effectiveness.
You will be
assigned a program or law to research in class from one of the
following (or one that you suggest):
Self-regulatory programs
- TRUSTe
- BBBOnline
- Trusted Sender Program
- Network Advertising Initiative
- Direct Marketing Association Privacy Promise
- CTIA Location-based privacy guidelines
- CPA WebTrust
- Japanese Privacy Mark
- Safe Harbor
Laws
- The Privacy Act of 1974
- The Fair Credit Reporting Act
- HIPAA
- The Gramm-Leach-Bliley Act
- The Video Privacy Protection Act
- Children's Online Privacy Protection Act
- CPNI rules
- Cable TV Privacy Act
- EU Directive
- PIPEDA (Canadian privacy law)
- Japanese Personal Information Protection Act (PIPA)
- California SB-1386