<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Science Progress &#187; Peter Swire</title>
	<atom:link href="http://scienceprogress.org/author/pswire/feed/" rel="self" type="application/rss+xml" />
	<link>http://scienceprogress.org</link>
	<description></description>
	<lastBuildDate>Fri, 25 May 2012 14:25:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Consumer Data Privacy Codes of Conduct</title>
		<link>http://scienceprogress.org/2012/04/consumer-data-privacy-codes-of-conduct/</link>
		<comments>http://scienceprogress.org/2012/04/consumer-data-privacy-codes-of-conduct/#comments</comments>
		<pubDate>Wed, 11 Apr 2012 13:54:09 +0000</pubDate>
		<dc:creator>Peter Swire</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Home Page]]></category>
		<category><![CDATA[Science & Society]]></category>

		<guid isPermaLink="false">http://scienceprogress.org/?p=26013</guid>
		<description><![CDATA[Peter Swire discusses the balance of privacy and commercial usefulness of de-identified data in testimony before the Department of Commerce National Telecommunications and Information Administration. ]]></description>
<content:encoded><![CDATA[<p><em>This is an excerpt from <a href="http://www.americanprogressaction.org/issues/2012/04/pdf/swire_testimony.pdf">the full comments</a> (pdf).</em></p>
<p>The National Telecommunications and Information Administration, or NTIA, has asked for comments on what issues should be addressed through a privacy multistakeholder process. Based on my experience in privacy law and policy, I believe an early and prominent candidate should be the definition of what counts as “de-identified” information. As discussed below this topic has multiple advantages, including heightened protection for consumers, positive effects on innovation and the broader economy, and likelihood of concrete, enforceable success for the process itself.</p>
<p>These comments provide background for the discussion and then explain the importance of the topic of de-identified data. The comments explain how the recent Federal Trade Commission privacy report provides a new and useful set of proposals for how to handle de-identified data, and conclude with an analysis of why the topic of de-identified data is a good candidate for early consideration in a multistakeholder process.</p>
<h2>Background</h2>
<p>As background for these comments, I am the C. William O’Neill Professor of Law at the Moritz College of Law of the Ohio State University, and Senior Fellow at the Center for American Progress Action Fund and the Future of Privacy Forum. Under President Bill Clinton I served as chief counselor for privacy in the U.S. Office of Management and Budget. Under President Barack Obama I was special assistant to the president for economic policy in 2009 and 2010. Further information is available at <a href="http://www.peterswire.net/">www.peterswire.net</a>.</p>
<p>This February the administration issued its white paper, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” This privacy framework defined a Consumer Privacy Bill of Rights. To implement this bill of rights, the framework called on the Department of Commerce to foster the development of enforceable codes of conduct for consumer privacy. These codes of conduct will be developed through multistakeholder processes, so that the range of relevant stakeholders can convene and develop codes of conduct even in the absence of binding legislation or regulation. Consumer privacy legislation has been difficult to enact in the United States, so consumer protection will advance more quickly through initiatives, such as the multistakeholder process, that do not depend on passage of such legislation.</p>
<p>Along with the administration’s framework, the Federal Trade Commission, or FTC, has continued its vital role in U.S. privacy policy and enforcement. On March 26, 2012, the FTC issued “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” This report reflected intensive FTC efforts on a wide range of privacy topics. The comments here, building on a short previous statement, focus on the FTC’s recommendations about how to approach the important issue of de-identified data.</p>
<h2>The importance of de-identified data</h2>
<p>The title of the administration’s white paper reflects two principal goals for policy concerning the data of individual consumers: “A Framework for Protecting Privacy and Promoting Innovation.” This title reflects the risks to individuals if privacy is not protected effectively. It also reflects the importance of creating good information rules in order to foster innovation and growth in our information economy.</p>
<p>The issue of de-identified data creates a vital opportunity to meet both goals—use data for innovation and growth while also protecting privacy. At least in theory, de-identified data allows us to have our cake and eat it, too. With de-identified data, we strip out the name and other information that reveals identity, but we nonetheless can process the data, do research, discover patterns, and innovate in how we respond to the information.</p>
<p>In any statute or other legal obligation, such as a company’s enforceable promise to protect privacy, the most important definition is what counts as covered by the law or obligation. Defining what counts as “de-identified” is crucial because it draws the line between what data is covered by privacy protections (still “identified”) and what data is not (“de-identified”).</p>
<p>In U.S. law de-identified data was first defined as part of the Health Insurance Portability and Accountability Act, or HIPAA, medical privacy rule drafted in the late 1990s. I was very involved in drafting the proposed and final HIPAA rule and paid particular attention to defining what counted as “de-identified.” In HIPAA “identified” data is considered personal health information, subject to the full range of privacy protections. If the data is scrubbed hard enough, however, then it becomes de-identified data and no longer subject to the regulatory requirements.</p>
<p>The final HIPAA medical privacy rule provided two ways to show that data was de-identified. First, the holder of the data could remove a list of at least 17 data fields that could identify a person, such as name, address, or Social Security number. Second, a statistical expert could certify that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to re-identify the individual. Since HIPAA went into effect nearly a decade ago, health care entities have been able to publicly release health data if it has been scrubbed well enough to meet the regulatory requirements for de-identification.</p>
<h2>Finding a Goldilocks solution for de-identified data</h2>
<p>Since the HIPAA de-identification provisions were proposed in 1999, we have learned a lot about when and how it is possible to “re-identify” data—to link a person’s name with the supposedly de-identified data. Two big trends have made it harder to keep information de-identified. First, search on the Web has gotten much better. Google was not incorporated until 1998, and today’s search engines let anyone link together tidbits from previously hard-to-link data sources. Second, the amount of information on the Web about a typical person has grown astronomically, including all of the personal details on a person’s blog or Facebook page.</p>
<p>The combination of efficient search tools and lots of data means that there is a higher likelihood today that a person’s medical or other records can be re-identified even if the name and other traditional identifiers are deleted. For instance, the de-identified medical record might state that a person in Ohio had minor hand surgery on April 3. In the past, it would have been difficult or impossible for an outsider to figure out the name. Today, online search might turn up a social network thread about the hand surgery—there are multiple such surgeries in Ohio each day, but not that many. A bit of follow-up research, using the rest of the supposedly de-identified information, might easily pinpoint the person who had the surgery.</p>
<p>As academics have analyzed these facts about re-identification, some have concluded that the entire effort to de-identify data has failed, because of the risk of linking information back to the individual. Others have emphasized the limited actual success of re-identification efforts in practice, and found that the benefits to research and innovation are so great that they outweigh the privacy risks.</p>
<p>The preliminary FTC report, issued in 2010, received strong criticisms from both of these perspectives. The earlier report would have applied privacy protections to “consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The debate centered on what the FTC meant by “reasonably linked.” Consumer groups correctly emphasized that it is easier now to search on the Web and re-identify data, at risk to privacy. Researchers and other users of data focused on the problems that come with an over-broad definition of “reasonably linked,” which could extend privacy rules to an almost unlimited range of data processing, if enough effort is put into tracking down and re-identifying data.</p>
<p>Responding to these critiques, the FTC looked at the technical de-identification issues, and found what I believe is a Goldilocks solution for the problem of de-identified data. The FTC provides what amounts to a safe harbor where: “(1) a given data set is not reasonably identifiable; (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form.”</p>
<p>The FTC approach responds to the technical experts who correctly say that it is easier today to find data on the Web that helps us re-identify data. To address the privacy concerns the FTC approach first requires a company to make a data set reasonably de-identified. We can think of this as “good but not foolproof de-identification.” Then, in addition, the FTC requires administrative protections. The company has to commit publicly that it won’t re-identify the data. The company also has to get similar promises from anybody downstream who receives the data. These promises are enforceable because Section 5 of the FTC Act prohibits deceptive practices, such as broken privacy promises. Privacy is protected through the combination of technical measures, having reasonably de-identified data, and backup administrative measures, so that the only people who receive the data have made binding promises not to re-identify.</p>
<p>The FTC approach also responds to those who want to study data for research, innovation, and related purposes. Data must be scrubbed pretty hard but not incredibly hard—the dataset need merely not be “reasonably identifiable.” That data should still often be detailed enough to be useful for a variety of purposes, protected by the enforceable promises not to re-identify.</p>
<p>I have long believed that technical controls alone are not enough to protect consumers against possible re-identification, as shown in a 2009 report by the Center for Democracy and Technology and my December talk on de-identified data. The best path is to have reasonably strong technical protections, supplemented by the sorts of enforceable promises that the FTC report supports.</p>
<p><em>You can read more about why defining de-identified data is a good fit for the multistakeholder process in the <a href="http://www.americanprogressaction.org/issues/2012/04/swire_comments.html">full comments at the Center for American Progress Action Fund</a>. Peter Swire is the C. William O’Neill Professor of Law at Moritz College of Law at the Ohio State University, and Senior Fellow at the Center for American Progress Action Fund.</em></p>
<h2>Further reading</h2>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p title="">The White House, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (2012), available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.</p>
</div>
<div>
<p title="">Federal Trade Commission, “Protecting Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (2012), available at http://www.ftc.gov/opa/2012/03/privacyframework.shtm.</p>
</div>
<div>
<p title="">Peter Swire, “FTC Deserves Praise for Its De-Identification Safe Harbor,” Future of Privacy, March 26, 2012, available at http://www.futureofprivacy.org/2012/03/26/fpf-senior-fellow-peter-swire-ftc-deserves-praise-for-its-de-identification-safe-harbor/.</p>
</div>
<div>
<p title="">Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” <em>UCLA Law Review</em> 57 (2010): 1701, available at <a href="http://ssrn.com/abstract=1450006">http://ssrn.com/abstract=1450006</a>.</p>
</div>
<div>
<p title="">Jane Yakowitz, “Tragedy of the Data Commons,” <em>Harvard Journal of Law and Technology </em>25 (2011), available at <a href="http://ssrn.com/abstract=1789749">http://ssrn.com/abstract=1789749</a>.</p>
</div>
<div>
<p title="">Ed Felten, chief technology officer of the FTC, listed de-identification as the top issue of “special interest to techies” in the FTC report. Ed Felten, “Tech Highlights of the FTC Privacy Report” (Washington: Federal Trade Commission, 2012), available at http://techatftc.wordpress.com/2012/03/26/tech-highlights-of-the-ftc-privacy-report/.</p>
</div>
<div>
<p title="">Center for Democracy and Technology, “Encouraging the Use of, and Rethinking Protections for De-Identified (and “Anonymized”) Health Data” (2009), available at https://www.cdt.org/healthprivacy/20090625_deidentify.pdf.</p>
</div>
<div>
<p title="">Peter Swire, “Keynote – Setting the Stage: How De-Identification Came into U.S. Law and Why the Debate Matters Today,” Future of Privacy Forum, Conference on De-Identification, 2011, available at http://www.peterswire.net/psspeeches2011.htm.</p>
</div>
<div>
<p title="">Peter Swire, “Peeping,” <em>Berkeley Technology Law Journal</em> (2009), available at http://ssrn.com/abstract=1418091.</p>
</div>
<div>
<p title="">Peter Swire, “Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information,” in U.S. Department of Commerce, “Privacy and Self-Regulation in the Information Age” (1997), available at http://ssrn.com/abstract=11472.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://scienceprogress.org/2012/04/consumer-data-privacy-codes-of-conduct/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We Are the Web</title>
		<link>http://scienceprogress.org/2007/12/we-are-the-web/</link>
		<comments>http://scienceprogress.org/2007/12/we-are-the-web/#comments</comments>
		<pubDate>Wed, 05 Dec 2007 16:35:16 +0000</pubDate>
		<dc:creator>Peter Swire</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Home Page]]></category>
		<category><![CDATA[Innovation]]></category>
		<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://www.scienceprogress.org/2007/12/we-are-the-web/</guid>
		<description><![CDATA[Policymakers need to give consumers the choice to protect their privacy or allow e-commerce companies to profile their web travels.]]></description>
			<content:encoded><![CDATA[<p>Online advertising has exploded in recent months, both in business terms and in concerns about the effect of new ad technologies on privacy. There has been a wave of proposed or actual mergers led by Google Inc., the biggest online search and text advertising company, which is seeking to merge with DoubleClick Inc., the biggest display ad company.</p>
<p>To try to learn about these emerging technologies, the Federal Trade Commission recently held a <a href="http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml">Town Hall event</a>. The event produced little consensus. Privacy advocates criticized the new types of online profiling. Industry mostly explained why profiling is good because people will see only the ads for things they are interested in.</p>
<p>At the Town Hall, along with my written <a href="http://www.americanprogress.org/issues/2007/10/privacy.html">testimony</a>, I proposed a common-sense test for what should happen—individuals should have a realistic way to choose not to be profiled when they go online.</p>
<p class="pullquote">Repeated polling shows that millions of Americans don’t want to have detailed and permanent profiling of their surfing habits.</p>
<p>Current practices on the Web often don’t meet this simple test. For instance, the <a href="http://www.networkadvertising.org/managing/opt_out.asp">Network Advertising Initiative</a> operates a web site that lets you stop DoubleClick and similar cookies from following you across the Net. Although the NAI opt-out tool has worked for me, I spoke with an FTC attorney at the Town Hall who had spent nearly an hour online the night before. She had tried without success to get the NAI opt-out to work for her. If it’s too hard for smart attorneys trying to opt out as part of their job, then it’s not a good enough system.</p>
<p>I learned the common-sense test when I worked on privacy in the White House under President Clinton. It was a huge help when we could say that individuals had a choice. One example was the <a href="http://www.ftc.gov/privacy/glbact/glbsub1.htm">financial privacy law</a> in 1999. Under the law, individuals gained the choice not to have their personal information sent to outside marketers.</p>
<p>Another example was in 2000, when there was a cookie problem on the White House website. We created a <a href="http://www.whitehouse.gov/omb/memoranda/m00-13.html">policy</a> that tracking cookies would be set only with the choice of the surfer.</p>
<p>On a political level, these measures worked—the administration could explain that individuals had a realistic choice about how their data would be handled. These measures also basically worked at the policy level. The reason: People who cared a lot about their privacy now had a way to say no to certain practices. (We later pushed for <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=347402">stronger financial privacy protections</a>, but at least the 1999 law contained some important privacy measures.)</p>
<p>People in the advertising industry, understandably, don’t want to face burdensome regulations on their new business models. They believe targeted ads, based on detailed profiling of surfing habits, will be more profitable for companies. They say that consumers will benefit by seeing more relevant ads. They argue that profiling is benign because it only determines which ads get served to the desktop.</p>
<p>There are two major problems with that position, however. First, in our post-Patriot Act world, records can quite easily end up in government hands. The government can now use National Security Letters, so-called Section 215 orders, and other tools to see the surfing records, often without any notice to the individual concerned.</p>
<p>Second, repeated polling shows that millions of Americans don’t want to have detailed and permanent profiling of their surfing habits. Some people are spooked by the risk that the government might be looking over their shoulders. Others simply want to surf without leaving detailed records in the hands of multiple company databases.</p>
<p>In short, there are good reasons for leaders in technology and E-commerce to find realistic ways for consumers to have a choice. I personally think, for instance, that search engines should have an option not to link my current search with previous searches. <a href="http://gizmodo.com/gadgets/internet/askcom-brings-anonymous-searching-with-askeraser-280756.php">Ask.com</a> has announced plans for this option, but the practices of other search engines <a href="http://www.news.com/In-their-own-words-Search-engines-on-privacy/2100-1029_3-6202047.html">vary widely.</a></p>
<p>Industry leaders should listen to the privacy concerns and come up with workable ways for consumers to get what they prefer when it comes to online profiling. Some consumers will love personalization and want online companies to know everything about them. Some consumers won’t care one way or the other. But some consumers don’t like the idea of their search requests and surfing habits being stored out of their control.</p>
<p>In the long run, the press and the political system are likely to push back whenever detailed profiling becomes a mandatory part of surfing the Web. It is common sense to build user-friendly systems from the start.</p>
<p><em><a href="http://www.americanprogress.org/aboutus/staff/SwirePeter.html">Peter Swire</a> is a Senior Fellow at the Center for American Progress and the C. William O’Neill Professor at the Moritz College of Law of the Ohio State University. From 1999 to early 2001, he served as Chief Counselor for Privacy in the U.S. Office of Management &amp; Budget.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://scienceprogress.org/2007/12/we-are-the-web/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

