Webmaster's Domain

Internet Privacy, European Style

By Lincoln Stein
Web Techniques Magazine
November 1998
Volume 3, Issue 11

A couple of months ago, I registered for an Internet security conference. The online registration screen was nothing unusual. There were the usual fields for my name, affiliation, address, and telephone number, plus options for selecting the hotel and other accommodations. A few weeks later, I started receiving junk mail (the paper kind, not email) from various exhibitors at the conference. Clearly the conference organizers had shared my registration information with conference exhibitors. A common enough occurrence, and certainly nothing to write home about.

Except for one thing. If I had been European, and this had happened after October 28, 1998, this sharing of my personal information would have been unlawful under European Union regulations. In fact, the very act of collecting my online registration information would have been prohibited by law, and the conference organizers could be subject to lawsuits brought by the European state I belonged to.

This sounds extreme, but it's true. Under the European Data Protection and Privacy Directive issued in 1995, all European Union member states are required to enact laws by October 1998 that ensure the privacy of personal information collected and stored electronically. Historically, most European states have taken a much stricter attitude towards the sharing and dissemination of electronic information than the U.S. For example, the practice of aggregating and cross- correlating databases–which is routinely done in the U.S. by credit verification companies, marketing firms, and the government–is forbidden by law in France. Germany forbids the collection of personal data without the fully informed consent of the user, and other European states have similar laws.

It was therefore not surprising that the European Commission (EC), which is in the business of standardizing everything from the European currency to the packaging requirements for imported bananas, would turn its attention to online privacy. Beginning in 1992 and culminating in 1995 with the aforementioned Directive, the EC drafted guidelines for the online collection and distribution of personal data. The language of the Directive is dense at times, but it enunciates several privacy principles, of which the following are the most important:

  1. Informed consent: Before collecting personal data from an individual, a service must fully inform the user of what it is collecting, explain the purpose of the collection, and obtain the user's explicit consent. No information may be collected unless this consent is granted.
  2. Inspection: Individuals have the right to inspect their data fully, and at any time.
  3. Objection: Recorded personal data must be accurate. Individuals have the right to object to inaccurate data and to seek reparation of the error.
  4. Security: The data must be transmitted and stored in a secure fashion, so as not to corrupt it or disclose it to unauthorized individuals.

There are exceptions to these principles. For example, the principles can be bent in the interests of national security or to protect the well-being or vital interests of the individual in question. However, the number of loopholes is small. Enforcement of the principles is to be accomplished via a public "supervisory authority," one per European state. The supervisory authority is responsible for reviewing and licensing services' plans for collecting personal information, responding to complaints, and monitoring companies' compliance with the regulations.

Under the terms of the directive, European Union members must pass national laws that are consistent with the Directive by October 28, 1998. That date may already have passed by the time you read this.

The Directive was initiated in the early '90s, when the Web was just beginning to take off. The information transfers that the Directive's framers had in mind were things like airline food reservations, which may reveal an individual's ethnicity, the transfer of medical information from pharmaceutical companies to insurance companies during drug trials, and the use of personnel data by international corporations. In the freewheeling environment of the World Wide Web, where information is collected willy-nilly by tens of thousands of individuals and businesses large and small, few Web sites could pass muster on the Directive's strict privacy requirements. Nevertheless, the EC has gone on record with the statement that the Directive should be taken seriously, and that its provisions will be enforced on the Web just as strongly as they will be on other forms of electronic data processing.

Exporting the Directive

As far as American and other non-European Web site operators are concerned, the kicker is in Directive articles 25 and 26, which cover the transfer of personal data to non-EU countries. Here, the Directive states that "member states shall provide that the transfer to a third country of personal data ... may take place only if the third country in question ensures an adequate level of protection." In other words, European electronic privacy laws will make it illegal for personal data to be transferred to a country that doesn't meet European privacy standards.

So what does "an adequate level of protection" mean? Nobody knows for sure. Come October the EC is expected to make a set of determinations as to which third countries satisfy the European requirements. The commission isn't looking for "equivalence," but merely "adequacy." Unfortunately, there is substantial evidence that the EC is not at all happy with the loose American approach to electronic data exchange, which is based largely on self-regulation and generally accepted business practices. The Europeans favor formal statutory protections on individual rights.

Possibly the only sector of American online business that will meet the European requirements is the credit reporting industry, because it's governed by the Federal Credit Reporting Act, which implements the same types of consumer protections that the Directive calls for. Other sectors, including everything from hotel reservation systems to the accounting systems of multinational corporations, will likely fail the strict European standards. It's possible, and maybe even likely, that the EC will choose to make an example of one or more business sectors, perhaps forbidding some businesses to transfer information from Europe to the U.S. or forcing companies to move all their data- processing operations to European shores.

The situation is even more uncertain in regard to the Web. Most Web sites (non-European and European alike) don't even have published privacy policies, let alone provide the levels of consent, inspection, objection, and security that the Directive calls for. In theory, European countries could attempt to block their citizenry from accessing offshore Web sites. More likely, large Internet-based businesses such as America Online would be restricted from extending their services into Europe.

Until recently, many people thought that voluntary initiatives such as the Platform for Personal Privacy (P3P) and the TRUSTe program would be sufficient to satisfy the EC requirements. P3P is a technical solution proposed by the World Wide Web Consortium (W3C). Its main component is a controlled vocabulary for describing privacy preferences. For example, two sites may collect users' email addresses, but while one site uses the address only for internal site administration, another discloses the address to marketers. The P3P vocabulary allows these two uses to be distinguished. P3P also introduces the notion of an "agreement" between the user and the Web site. The user describes his or her privacy preferences using a human-readable representation of the P3P vocabulary. The Web-site operator describes the site's privacy policy in the same way. When the user's browser contacts the remote server, the browser compares the user's preferences to the site's policy. If they don't match, the browser tries to negotiate a more acceptable policy with the server. If no agreement can be reached, the contact is broken. Microsoft and Netscape, among other Web software vendors, have announced support for P3P in future products.

The TRUSTe project takes a low-tech approach. In this system, there is a contractual licensing agreement between the Web site and a third party, the TRUSTe company. This license binds the Web site to restrict its information gathering and sharing activities to one of three explicit privacy policies: "No Exchange," "One-to-One Exchange," and "Third-Party Exchange." By agreeing to the license, the site receives the right to use an inline image that displays the TRUSTe trademark and a small cartoon indicating the site's privacy policy. The site displays this icon on its home page, rather like the Good Housekeeping Seal of Approval. If a site violates its TRUSTe policy, or if it displays the image without proper authorization, the TRUSTe company can prosecute the company for breach of contract or trademark infringement. Currently, only a few Web sites have adopted TRUSTe, but those that have include some of the larger ones, such as Disney. This may change if organizations with better name recognition, such as the Better Business Bureau, get into the online privacy certification business.

Raising the Ante

However, voluntary privacy standards may not be sufficient to meet EC guidelines. Last July, just two days before the U.S. Independence Day holiday, the EC dropped a bombshell by announcing that it would be satisfied by nothing less than statutory regulation of online information gathering and processing. Although technical solutions such as the P3P could be used to monitor and enforce such regulations, the EC press release made it clear that U.S. legislators would have to pass comprehensive Internet privacy legislation before the EC would judge American privacy protections to be "adequate."

Thus the EC steps into a hot debate that has been building for the past two years. Should the nascent Internet industry regulate itself, or should it be forced to meet standards laid down by law? Last year's debate was over the Communications Decency Act (CDA), when industry representatives argued that they could voluntarily implement technical means, such as filtering software, to keep indecent material out of the hands of minors, and legislators argued that the control had to come from above. This year the debate will be over personal privacy, with pressure from the EC feeding the flames.

The Clinton Administration has also recently turned its attention to Internet privacy. In July the administration announced its Framework for Global Electronic Commerce, which includes calls for privacy protections similar to the European Union's. Meanwhile, a commission headed by Commerce Secretary William Daley and Frank Raines, the director of the Office of Management and Budget, have been charged with preparing a report on the Internet industry's progress (or lack thereof) towards forming a data protection and privacy policy. This report is due to be handed to President Clinton by July 1, 1999. If the European October 28 deadline doesn't wake up the industry, the American July 1 deadline certainly will.

What's going to happen next? In the long run, I predict that there will be a body of law that regulates the use of personal data on the Internet, but I don't know whether it will take the form of statutory law, case law, or perhaps be embodied in Web site operating licenses issued by a regulatory body. Even without threats from the EC, there is sufficient domestic concern that a communications privacy act or equivalent is a real possibility for 1999. Meanwhile, expect the EC to become increasingly confrontational if it doesn't see the U.S. and other non-European countries acting swiftly to address Internet privacy issues.

Correction: Making MD5 Hashes Secure

In my two previous columns ("SET–Who Needs It?," August 1998, and "Referer Refresher," September 1998) I demonstrated how to use the MD5 message digest function to create untamperable document fingerprints. The approach I suggested was to create a message authentication check (MAC) using the function:

MAC = MD5(MD5(secret_key + message))

An attentive reader, Lawrence Stewart of the OpenMarket company, points out that this isn't the best way to create a MAC. A more secure method uses the secret key twice, as in:

MAC = MD5(secret_key + MD5(secret_key + message))

The technique I suggest isn't known to be insecure, but it isn't known to be secure either. Other recommended MAC functions use two different secret keys, or some combination of secret keys and padding strings. The one MAC function you don't want to use is a simple MD5(secret_key + message), because this lets a nefarious individual add content to the end of your message and generate a valid MAC for it without even knowing the secret key. A full discussion of MAC functions can be found in the various CryptoBytes articles listed in the "Online" box.

Thanks, Larry, for setting me straight!


The European Union Directive on Data Protection

Jonathan Rosenoer's "CyberLaw" Commentary on the Directive

Clinton Administration's "Framework for Global Electronic Commerce"

TRUSTe Project

Platform for Privacy Preferences (P3P) Project

Privacy Discussions of MAC Construction Functions
"Message Authentication with MD 5," Kaliski and RobShaw, Vol. 1, No. 1
"Message Authentication Using Hash Functions: the HMAC Construction," Bellaire, Canetti, and Krawcyzk, Vol. 2, No. 1
"The Status of MD5 After a Recent Attack," Dobbertin, Vol. 2, No. 2


Lincoln is an MD and PhD who designs information systems for the human genome project at Cold Spring Harbor Laboratory in New York. He can be reached at lstein@cshl.org.

Copyright © Web Techniques. All rights reserved.
Web Techniques Magazine