Privacy has been a growing concern over the last decade. The Internet with its ability to allow businesses to track your spending habits, your surfing habits and readily transmit the information has created alarms among privacy rights groups. However, many other sources of personal data exist that have potentially sever consequences on privacy. Real-time Residential Powerline Surveillance (RRPLS) is a method used by electricity companies to monitor power usage. The information can be analyzed to such detail that the utility company knows what appliances are being used. This information, as we will discuss puts privacy at risk at a potentially much larger scale as it becomes more widely implemented. Today governments are under increasing pressures from both advocacy groups and big business. The issue has raised many concerns in the United States and throughout the world. Internet privacy is gaining in importance and recent Canadian and EU legislation has been implemented to combat the risks to individuals. We will look at the trade issues and the inherent violation of human rights. We will then address the corporate and governmental responses to the demand for more privacy.

2. Description

People do it everyday. You go to your local grocery store, reach into your wallet and pull out the club card. The cashier scans the card and you save twenty cents on the bottle of Coca-Cola. Meanwhile, the cash register communicates the information to a database that has been tracking your spending habits since you first started using the card. Innocent enough, the data is merely bits and bytes stored among billions of other records from people all across the United States. But, in the right hands, that data becomes information about you and your lifestyle.
The stories sound like a bad rip-off of Orson Wells' 1984. However, the reality is that 1984 is today.

Real-time residential power line surveillance RRPLS, coined by Rick Crawford (or Non-Intrusive Appliance Load Monitoring as the industry terms it), allows utility providers to monitor the habits of customers. For example, RRPLS can extract "signatures" from power consumption. These signatures can tell the company whether two people shared a shower, or whether a consumer eats a microwave breakfast every morning (Rick Crawford, 1996).

Power companies install electricity usage monitors. These monitors can detect when independently controlled devices are turned on or off, or when they enter a different cycle. For example, the monitor can detect when a dishwasher goes from the rinse cycle to the heat-dry cycle. The information is then compared against a computer database of electrical signatures allowing the electric company to determine which appliances are being used.

In essence, RRPLS allows companies to monitor your daily life, your habits and your preferences. Alone, in the hands of your local Edison Company this information may seem somewhat innocuous. However, you can rest assured that companies possessing such a wealth of data will find ways to generate monetary wealth in exchange for the information. The next time you think how fortunate it is that you received a coupon for your favorite Hormel microwave cheeseburger, maybe you should wonder, "how did they know?"

Yes, RRPLS is a reality. And in reality it is not so widely practiced -- as of 1993, it had only installed in a few thousand homes, according to Crawford -- that currently every electrical supplier has information on every household, but unfortunately, many of your daily activities are tracked by a variety of companies. Armed with this information, these companies sell your data to advertisers and your mailbox becomes full of unwanted junk mail for any product imaginable.

Rick Crawford provides an interesting hypothetical example of the risks from RRPLS.

Again, it must be emphasized that the use of RRPLS has been limited to date. There is only a few thousand homes where it is being used by private industry. Additionally US law enforcement agencies have used this technology in the war against drugs to determine what residences are using high-powered lamps to grow marijuana. But this should not downplay the privacy risks that are inherent in such technology. As a matter of fact, there is an increasing lure towards RRPLS.

In 1998, under the guidance of the World Bank, Thailand initiated a program to study the usage of electricity through RRPLS. The purpose of the study was to monitor usage "in urban and rural environments and will also extend to commercial settings. The resulting data base on energy consumption will form a statistically representative foundation from which EGAT can both determine and forecast electricity demand and consequently evaluate existing energy efficiency programs or design new ones" (EPRI, 1998).

Such an undertaking, noble in cause, can have negative consequences. The equipment is installed and the data is gathered. This information in the hands of both the private sector, and in this case, the Thailand government could easily be used for ulterior motives, in addition to the stated intent.

In the United States, electric companies are investigating RRPLS as a means to integrate broadband access to many locations where telephone and Internet service providers fail to provide adequate services. RRPLS allows utility companies to fine tune power generation and thereby reducing costs. The surpluses generated from RRPLS could be invested into laying the fiber-optics and equipment necessary to wire areas of America.

It is difficult to gather any concrete data onto the extent that RRPLS threatens privacy, but it is not impossible to notice that the threat is real. In 1999, EPRI, a developer of RRPLS systems, began offering a product line called PowerShape. This product line provided, namely utility companies, with sector level information about residential and business power consumption so these companies could target consumers more effectively. The data had been gathered from a large number of homes over several years, according to an EPRI news release (EPRI, 1998a).

There are many incentives for utility companies to invest in RRPLS. As we noted above, though briefly, RRPLS can reduce the operations costs of utility companies and increase the revenue streams. With current power shortages gripping the west coast of the United States, such a system could assist in fine-tuning power production and consumption, thus reducing the demand without needs for such drastic steps as rolling blackouts. The technology, with its ability to lower costs and increase revenue, in turn, can allow the companies to invest in other technologies such as Internet access. Additionally, the information gathered by RRPLS can be lucrative for the utility companies. It could be sold to a variety of businesses at a substantial premium.

Alone, in the hands of the utility companies, the information would be too limited to be of use to large commercial segments. Yes, the utility companies would have a general understanding of an individuals preferences, but there is more personal data available. It is when this information is synthesized with personal data from other sources, credit cards, store databases, telephone records, driving records, etc., that the information can become extremely useful to corporations.

Personal data information in such magnitude would allow companies to, much like on the Web, strategically target customers with mailings and offerings. This would reduce the costs of marketing and increase marketing effectiveness. Instead of broad sweeping marketing campaigns where regions are targeted based on demographics, individuals will be targeted, saving a company substantial money and increasing revenues, simultaneously. This incentive helps further the debate over personal data exchange and privacy.

The privacy trade is a serious issue. The risks go beyond a mailbox overflowing with pre-approved credit card offers and special offers. One may easily fall victim to the clever deviant who seeks to use your information to purchase a new stereo or to live your life. Stalking and identity theft are aided by the vast amount of information that is stored about citizens.

In the United States, one Company, Acxiom Corporation, boasts of a database of personal information on over 175 million Americans in over 110 million households with hundreds of records on each person (Junkbusters.org). The total US population is only estimated at 281 million people. And there is a slew of other companies, from personal data collectors (like Acxiom) to credit bureaus (like Experian) with a piece of the privacy pie.

Advocacy groups have strengthened their call for more control; and their voices are being heard. The EU and Canada both have passed legislation that would work to limit the rights of companies to gather and sell personal information. However, both laws have met with criticism from business and rights groups. Businesses argue that eats too far into their bottom line and individuals saying it doesn't go far enough. We will look at the trade in personal information and its violation of the basic right to privacy (as affirmed by the Universal Declaration of Human Rights). The conflict is set -- capitalism and competitive advantage versus private rights.

Remember, when you're in the check out lane and you get ready to give out your telephone number... Big Brother is watching.

3. Related Cases

DataWar
Havens
Teledis
Cybersit
USJapanConnect
Crypto

4. Author and Date:

John-Andrew Minniti
April 25, 2001

5. Discourse and Status: Disagreement and Allegation

Privacy and the trade of personal information have been long standing concerns of the international community. Many states respect the right to privacy (though many more, have no laws protecting privacy). Additionally, states, regional organizations and in limited terms, international organizations have worked to create a framework to protect the right to privacy and to govern the flow of personal information.

6. Forum and Scope: US and International

The United States actually has a long history of protecting the privacy of its citizens. The Bill of Rights in the 1st Amendment and 4th Amendment has mechanisms to protect these rights. In the United States, the 1st Amendment of the Constitution not only guarantees the right to freedom of speech, it also provides a guarantee to the right of privacy in free speech. That is, if an author desires to remain anonymous, he or she is allowed to under the first amendment. Anonymity has been protected for years under the 1st Amendment. In 1995, the United States Supreme Court in McIntyre v. Ohio Elections Commission stated that "an author's decision to remain anonymous. . . is an aspect of the freedom of speech protected by the First Amendment" (Kling). Further, citizens are protected from the unlawful search under the 4th Amendment. In addition to the Constitution, the United States Congress amended the federal wiretap law by in 1986 to provide additional rights to privacy. According to Mark Rasch, the amendments of the wiretap law, known as the Electronic Communications Privacy Act (ECPA) expands federal jurisdiction and outlaws the unauthorized interception of stored and transmitted electronic communication (Rasch).

The United States is not alone in protecting privacy rights at the national level. For example, Article 21 of the Japanese Constitution states: "No censorship shall be maintained, nor shall the secrecy of any means of communication be violated." Japan is only one of a very few countries which constitutionally protects the privacy of individuals (Shearer and Gutmann).

Internationally, privacy rights are protected under the Universal Declaration of Human Rights. Article 12 and Article 19 of the UDHR provides basic rights to free speech and privacy. Article 12 specifically guarantees the right to freedom from interference with privacy. "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks" (United Nations).Article 19 protects the freedom of opinion and expression by stating: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers" (United Nations). This protects individuals from law enforcement agencies and other legal and illicit organizations from the interception and interference of electronic communications (Frankel, et al.). Unfortunately, it is only applicable to states that have ratified the treaty.

Additionally, in 1980 the OECD devised a framework for the collection and trade of personal information. The OECD guidelines work to protect private information while still protecting the needs of businesses and the free flow of information (OECD). However, the OECD guidelines are just that, guidelines. They have no legal authority. Additionally, membership of the OECD consists of the developed wealthy nations who control a vast majority of the worlds Gross Domestic Product. Thus even should such guidelines be adhered to by member states, they are not broad reaching.

The conflict arises, however at the regional level. The European Union and Canada, for example, have enacted laws that not only recognize the rights, but work to preserve the rights. However, these laws work to put other countries at a competitive disadvantage by restricting the flow of personal information.

Recently, Canada has approved very strict privacy regulations that went into effect January 1, 2001. Under the Personal Information Protection and Electronic Documents Act, businesses will be required to offer citizens certain privacy rights. For example, companies must obtain consent from individuals before information gathered is shared with third parties including affiliates and partners. It is expected that this law will not only affect Canadian corporations, but will also effect any multinational operating within Canada. From the multinationals' viewpoint it will create an administrative burden. However, from the civil libertarians view, it provides a better protection of personal privacy however it is still limited (EPIC and PI).

In 2000, the European Union updated its strict privacy regulation. The European Unions privacy regulation marked an aggressive approach to protecting the citizenry. Under the directive approved in July, corporations must receive permission to export personal data on European citizens. Europe wants to assure that companies of all nations with information on EU citizens maintain standards similar to those of EU nations. Additionally, the directive requires corporations to allow users to opt-out of marketing databases, review personal information and make corrections to that data. The directive also grants individuals recourse for unlawful usage of information and the right to prohibit the use of personal data in certain cases. Additionally the directive strengthens privacy in sectors such as health and finance and in "the future, the commercial and government use of such information will generally require "explicit and unambiguous" consent of the data subject" (EPIC and PI).This directive places additional pressures on countries outside of the EU. Countries that are unwilling to adopt more stringent privacy protection legislation may be restricted from certain data flows in the European Union.

The United States fears the disadvantage that these laws produce. The United States, emphasizing that they desire to protect individual privacy, state that the two different approaches taken by Europe and the United States regarding the trade of personal data puts the two countries policies at loggerheads. Thus the European Union would prohibit US businesses from exporting such data, even if the information remained in the same company, though different subsidiaries. The United States and the EU negotiated a Safe Harbor agreement that would allow US companies to trade this data, but it still puts US businesses at a disadvantage. To be protected under the Safe Harbor agreement a US business would have to meet and publicly announce that it meets the following requirements outline below.

Source: Safe Harbor Overview: United States Department of Commerce.
http://www.export.gov/safeharbor/SafeHarborInfo.htm.

As illustrated, privacy is a right honored by many nations. However, besides the United Nations' acknowledgment of that right in the UDHR, it is only at the national or regional level at which these rights are protected. Canada and the EU have two of the most advanced legal frameworks to protect the right to privacy and personal information. This creates many trade issues. As noted, the EU is willing to restrict trade with countries who lack a similarly forceful privacy law. In summary, there is a lack of a general consensus on how to guarantee the right to privacy and the trade of personal information. Thus US companies, for example, may be prevented from obtaining information (or exchanging information within their corporation) which it feels it needs; thus US corporation are at a competitive disadvantage to its EU or Canadian counterpart. Perhaps the United Nations or World Trade Organization should hammer out a universal agreement on privacy rights.

7. Decision Breadth: Many

8. Legal Standing: Treaty

9. Geographic Locations

a. Geographic Domain: Global

b. Geographic Site: Global

c. Geographic Impact: Global

10. Sub-National Factors: No

11. Type of Habitat: Many

12. Type of Measure:

13. Direct v. Indirect Impacts:

14. Relation of Trade Measure to Environmental Impact

a. Directly Related to Product: Yes, Information

b. Indirectly Related to Product: Yes, All Business to Consumer Products

c. Not Related to Product: No

d. Related to Process: Yes, Rights

15. Trade Product Identification: Data

The exchange of personal data constitutes a trade in information.

16. Economic Data

It is extremely important to note that over the last few years, awareness has been directed toward the collection of personal information on the Internet. Although this is significant, a majority of information is still gathered through other channels. The Internet has helped ignite the fire beneath the issue, but the economic impact is far broader than the simple collection of personal information through the Internet.

Acxiom, a US company is a leader in personal information collection and resale in the United States. Though they do not focus solely on data mining and selling, a large portion of their business can be attributed to their InfoBase product. For the fiscal year 2000, Acxiom reported revenues of $609.8 million and $232.6 million in their Services and Data Products divisions, respectively. "The Services segment, the Company's largest segment, provides data warehousing, list processing and consulting services to large corporations in a number of vertical industries" (Acxiom, 2000 Annual Report). While the Data products segment focuses more directly on providing information to supplement a company's direct marketing efforts. Both, however, focus on the distribution of personal information. Additionally, sales from their InfoBase product amounted to over $120 million dollars. It is important to keep in mind that not all of the revenue reported by Acxiom is generated by the resale of personal data (Acxiom).

Errata:

The FTC in a recent operation, has uncovered more than 200 US firms that gather and sell personal information (O'Harrow).

Missouri is reported to have made over $500,000 in 1998 from the sale of personal information (Desloge).

Experian, Equifax and Trans Union contain information on more than 90% of Americans (Junkbusters.org).

The trade of personal information is a lucrative industry. However, countries are taking efforts to protect the privacy of individuals. On January 1, 2001, Canada enacted new Privacy legislation that requires businesses to obtain permission from consumers before sharing personal information. This includes sharing personal information between subsidiaries. Experts agree that this will create difficulties for US businesses operating in Canada and trying to obtain personal information. These US businesses will have to comply with the Canadian law in order to exchange personal information. New laws, such as the Canadian Personal Information Protection and Electronic Documents Act work to strike a balance between consumer and business interests. But they also stifle the flow of personal information between countries.

17. Impact of Trade Restriction: High

Trade restrictions will have a significant impact on companies that operate in many nations. The current unilateral approach to the restriction of personal information exchange will help companies within the legislating state while putting businesses outside that state at a significant disadvantage.

Although it is necessary to help protect rights guaranteed by many nations and by the Universal Declaration of Human rights, businesses rely on such demographic and personal information. The information is essential for marketing campaigns that help increase revenue for businesses. A multilateral approach should be established to prevent a competitive advantage for any one region or country.

18. Industry Sector: Services

19. Exporters and Importers: US and Many

Most multinationals involved in B2C commerce either import or export the data. Major data mining companies involve Axciom, Equifax, Trans Union and Experian. These companies focus largely on collecting and selling personal data.

20. Environmental Problem Type: Rights

21. Name, Type, and Diversity of Species: N/A

22. Resource Impact and Effect: N/A and N/A

23. Urgency and Lifetime: High and 5 years

24. Substitutes: N/A

25. Culture: Yes

The trading of personal information has many negative societal effects. Yes, it is annoying to receive dozens of junk mailings a day and it may cause concern about what companies know, but this is a more peripheral concern (though still important). A greater risk, facilitated by the Internet, is the actual physical risk that the availability of private information creates.

Many holders of private information shirk the duties of securing the information. Winn Schwartau, a highly revered Internet specialist, discussed the ease with which private information can be obtained. An individual could easily obtain credit reports, medical records and other information about a victim. Services such as Experian will sell credit histories online. Any one willing to pay can often get that information without too much of a challenge from these credit reporting agencies. According to Winn Schwartau, "companies are not required by law to protect the confidential records that contain sensitive and private information about us. There is little legal recourse for violations, except in the most extreme cases" (Schwartau). In a recent Gallup poll, 60% of Americans are concerned about the misuse of private information (Boulard and Greenberg).

In the early fall of 1999, 20 year-old Amy Boyer was in her car at Nashua, New Hampshire Dentist's office getting ready to pull away. Just before she backed out, she heard her name called. When she turned to look, she saw a semiautomatic pointing at her. 21 year-old Liam Youens fired 11 rounds killing Amy and then he turned the gun on himself. Liam Youens had been stalking Amy and obtaining personal information about her on the Web. He was able to gather information about where she worked, her social security number and her exact whereabouts on that October autumn day (Boulard and Greenberg).

Amy's father has filed a wrongful death against Docusearch.com which provided Youens with Amy's whereabouts. Docusearch.com will provide anyone with any information. Docusearch.com, claims to be the place to find, locate, trace or track down anybody! The company offers 6 locate searches, 5 DMV driver & vehicle searches, 10 telephone record searches, 12 financial searches, plus criminal records, civil & court records, property records, plus 170 Free searches (Docusearch.com). They obtain information from credit agencies, Departments of Motor Vehicles, subscription databases, mail order databases and government agencies. And they are not the only firm who can get you this information, nor is it necessary to use a search agency.

Garry Boulard and Pam Greenberg sum it up nicely: "the death of Amy Boyer underlines a haunting proposition: Nothing in the new frontiers of cyberspace is really confidential, and everything written or communicated has the potential of being read and misused by others" (Boulard and Greenberg).Thus lies the true risk of the proliferation of personal information. All this data gathered by businesses and Web sites, sold throughout the world, and stored in databases that can be accessed by anyone willing to pay, creates a social risk around the globe.

26. Trans-Boundary Issues: No

27. Rights: Yes

Under the Universal Declaration of Human Rights Article 12, all people are guaranteed the right to privacy. Additionally, many states in their legal system or constitutions explicitly grant the right to privacy. Although not falling under jus cogens, the right to privacy is gaining significant status in international law.

28. Relevant Literature

Electronic Frontier Foundation, http://www.eff.org. Last Accessed march 21, 2001.

Electronic Privacy Information Center (EPIC) and Privacy International (PI). "Privacy and Human Rights 2000 Overview."
http://www.privacy.org/pi/survey/phr2000/overview.html. Last Accessed March 19, 2001.

"EPRI And EGAT Sign Agreement To Study Electricity Usage In Thailand," 11 June 1998.
http://www.epri.com/corporate/discover_epri/news/releases/egat.html. Last accessed April 21, 2001.

"EPRICSG Launches PowerShape™ --- Load Data For Commercial and Residential Markets," 18 Nov 1998.
http://www.epri.com/corporate/discover_epri/news/releases/powershape.html. Last accessed April 21, 2001.

Junkbusters. http://www.junkbusters.org. Last Accessed March 21, 2001.

Privacy Rights Clearinghouse. http://www.privacyrights.org. Last Accessed March 21, 2001.

Crawford, Rick. "Computer Aided Crises," Invisible Crises: What Conglomerate Control of Media Means for America and the World. Eds. George Gerbner, et al, (Boulder: Westview, 1996).

Desloge, Rick. "State makes $500,000 a year selling personal information." St. Louis Business Journal. 16 Oct 1998.
http://stlouis.bcentral.com/stlouis/stories/1998/10/19/newscolumn1.html. Last Accessed March 29, 2001.

ABCNews.com. "Cashing In on Your Card," September 28, 2000.
http://www.abcnews.go.com/sections/business/DailyNews/infoscam990928.html. Last Accessed March 21, 2001.

Canada's Personal Information Protection and Electronic Documents Act.

The EU Privacy Directive.

Kling, Rob, et al. Assessing Anonymous Communication on the Internet: Policy Deliberations, *Draft Version*.

Rasch, Mark D. Criminal Law and The Internet. http://www.cla.org/RuhBook/chp11.htm. Last Accessed March 19, 2001.

Shearer and Gutmann

United Nations. Universal Declaration of Human Rights. http://www.un.org/Overview/rights.html. Last Accessed March 19, 2001.

Frankel, Mark S., et al. "Anonymous Communication Policies for the Intern: Results and Recommendations of the AAAS Conference." The Information Society 15(2).

OECD. "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data."
http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM#3. Last Accessed March 19, 2001.

O'Harrow, Robert, Jr. "FTC Watches for Violations of Privacy Law," The Washington Post, 18 Feb 2001.
http://www.washingtonpost.com/wp-dyn/articles/A10861-2001Jan31.html. Last Accessed March 29, 2001.

Boulard, Garry and Pam Greenberg."Public Internet/Private Lives," State Legislatures, Feb 2001.

Docusearch.com. http://www.docusearch.com. Last Accessed March 21, 2001.

Winn Schwartau. Cybershock: Surviving Hackers, Phreakers, Identity Thieves, Internet Terrorist and Weapons of Mass Disruption. (NY: Thunder's Mouth Press, 2000.)