
8.2.3: Privacy

    Privacy

    The term privacy has many definitions, but for our purposes, privacy will mean the ability to control information about oneself. Our ability to maintain our privacy has eroded substantially in the past decades, due to information systems.

    Personally Identifiable Information

    Information about a person that can be used to uniquely establish that person’s identity is called personally identifiable information, or PII. This is a broad category that includes information such as:

    • name;
    • social security number;
    • date of birth;
    • place of birth;
    • mother’s maiden name;
    • biometric records (fingerprint, face, etc.);
    • medical records;
    • educational records;
    • financial information; and
    • employment information.

    Organizations that collect PII are responsible for protecting it. The Department of Commerce recommends that “organizations minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.” They go on to state that “the likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.”[7] Organizations that do not protect PII can face penalties, lawsuits, and loss of business. In the US, most states now have laws in place requiring organizations that have had security breaches related to PII to notify potential victims, as does the European Union.

    Just because companies are required to protect your information does not mean they are restricted from sharing it. In the US, companies can share your information without your explicit consent (see sidebar below), though not all do so. Companies that collect PII are urged by the FTC to create a privacy policy and post it on their website. The state of California requires a privacy policy for any website that does business with a resident of the state (see

    While the privacy laws in the US seek to balance consumer protection with promoting commerce, in the European Union privacy is considered a fundamental right that outweighs the interests of commerce. This has led to much stricter privacy protection in the EU, but also makes commerce more difficult between the US and the EU.

    Restrictions on Record Collecting

    In the US, the government has strict guidelines on how much information can be collected about its citizens. Certain classes of information have been restricted by laws over time, and the advent of digital tools has made these restrictions more important than ever.

    Children’s Online Privacy Protection Act

    Websites that are collecting information from children under the age of thirteen are required to comply with the Children’s Online Privacy Protection Act (COPPA), which is enforced by the Federal Trade Commission (FTC). To comply with COPPA, organizations must make a good-faith effort to determine the age of those accessing their websites and, if users are under thirteen years old, must obtain parental consent before collecting any information.

    Family Educational Rights and Privacy Act

    The Family Educational Rights and Privacy Act (FERPA) is a US law that protects the privacy of student education records. In brief, this law specifies that parents have a right to their child’s educational information until the child reaches either the age of eighteen or begins attending school beyond the high school level. At that point, control of the information is given to the child. While this law is not specifically about the digital collection of information on the Internet, the educational institutions that are collecting student information are at a higher risk for disclosing it improperly because of digital technologies.

    Health Insurance Portability and Accountability Act

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the law that specifically singles out records related to health care as a special class of personally identifiable information. This law gives patients specific rights to control their medical records, requires health care providers and others who maintain this information to get specific permission in order to share it, and imposes penalties on the institutions that breach this trust. Since much of this information is now shared via electronic medical records, the protection of those systems becomes paramount.

    Sidebar: Do Not Track

    When it comes to getting permission to share personal information, the US and the EU have different approaches. In the US, the “opt-out” model is prevalent; in this model, the default agreement is that you have agreed to share your information with the organization and must explicitly tell them that you do not want your information shared. There are no laws prohibiting the sharing of your data (beyond some specific categories of data, such as medical records). In the European Union, the “opt-in” model is required to be the default. In this case, you must give your explicit permission before an organization can share your information.

    To combat this sharing of information, the Do Not Track initiative was created. As its creators explain[8]:

    Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. At present few of these third parties offer a reliable tracking opt out, and tools for blocking them are neither user-friendly nor comprehensive. Much like the popular Do Not Call registry, Do Not Track provides users with a single, simple, persistent choice to opt out of third-party web tracking.

    Non-Obvious Relationship Awareness

    Digital technologies have given us many new capabilities that simplify and expedite the collection of personal information. Every time we come into contact with digital technologies, information about us is being made available. From our location to our web-surfing habits, our criminal record to our credit report, we are constantly being monitored. This information can then be aggregated to create profiles of each and every one of us. While much of the information collected was available in the past, collecting it and combining it took time and effort. Today, detailed information about us is available for purchase from different companies. Even information not categorized as PII can be aggregated in such a way that an individual can be identified.

    This process of collecting large quantities of a variety of information and then combining it to create profiles of individuals is known as non-obvious relationship awareness, or NORA. First commercialized by big casinos looking to find cheaters, NORA is used by both government agencies and private organizations, and it is big business.
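    The aggregation risk described above, as an added worked example (example code, not part of the LibreTexts page): a dataset released with names removed still carries quasi-identifiers (zip code, birth year, sex) that, combined with a separately published list, single out individuals. The data, names and functions are all constructed for this illustration; the k-anonymity check and generalization step show how an organization can measure and reduce that risk before releasing records.

```python
from collections import Counter

# Constructed sample data (not from the page): a "de-identified" dataset that
# dropped names but kept zip, birth year and sex, plus a separately published
# public list that carries the same attributes alongside names.
RELEASED = [
    {"zip": "02138", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1988, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1991, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1994, "sex": "F", "diagnosis": "flu"},
    {"zip": "02140", "birth_year": 1985, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "birth_year": 1992, "sex": "M", "diagnosis": "asthma"},
]
PUBLIC_LIST = [
    {"name": "A. Example", "zip": "02138", "birth_year": 1985, "sex": "F"},
    {"name": "B. Example", "zip": "02139", "birth_year": 1994, "sex": "F"},
]
QUASI = ("zip", "birth_year", "sex")  # none of these is PII on its own

def equivalence_classes(records, keys):
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI):
    """Smallest class size; k == 1 means someone is uniquely identifiable."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0

def linkage_risk(released, public, keys=QUASI):
    """Map a public name to a diagnosis wherever its quasi-identifiers match
    exactly one released record: the combining step the page calls NORA."""
    classes = equivalence_classes(released, keys)
    by_combo = {tuple(r[k] for k in keys): r for r in released}
    return {p["name"]: by_combo[tuple(p[k] for k in keys)]["diagnosis"]
            for p in public
            if classes.get(tuple(p[k] for k in keys)) == 1}

def generalize(record):
    """Coarsen before release: 3-digit zip prefix, decade of birth, drop sex."""
    return {"zip": record["zip"][:3] + "**",
            "birth_year": f"{record['birth_year'] // 10 * 10}s",
            "diagnosis": record["diagnosis"]}

def release_safely(records, k_min=3):
    """Return the generalized dataset only if every class has at least k_min members."""
    out = [generalize(r) for r in records]
    k = k_anonymity(out, keys=("zip", "birth_year"))
    return out if k >= k_min else None
```

On the raw records every row is unique (k = 1) and both public names link to a diagnosis; after generalization every remaining class has three members, so the release threshold is met.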

    Figure: Non-obvious relationship awareness (NORA)

    In some settings, NORA can bring many benefits, such as in law enforcement. By being able to identify potential criminals more quickly, crimes can be solved more quickly or even prevented before they happen. But these advantages come at a price: our privacy.

    2. ACM Code of Ethics and Professional Conduct Adopted by ACM Council 10/16/92.
    6. From the US Patent and Trademark Office, "What Is A Patent?"
    7. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). National Institute of Standards and Technology, US Department of Commerce Special Publication 800-122.