Copyright 2000 Federal News Service, Inc.
Federal News Service
October 11, 2000, Wednesday
SECTION: PREPARED TESTIMONY
HEADLINE:
PREPARED TESTIMONY OF ANDREW SHEN, POLICY ANALYST, ELECTRONIC PRIVACY INFORMATION CENTER
BEFORE THE HOUSE COMMITTEE ON COMMERCE
SUBJECT - RECENT DEVELOPMENTS IN PRIVACY PROTECTIONS FOR CONSUMERS
BODY:
My name is Andrew Shen. I am a
Policy Analyst at the Electronic Privacy Information Center (EPIC).1 At EPIC, I
work largely on consumer privacy issues. Earlier this year, I served as a member
of the Federal Trade Commission (FTC) Advisory Committee on Online Access and
Security.2 I have been a panelist at FTC and Department of Commerce workshops on
online profiling and more recently, online privacy technologies.
EPIC
works with consumer organizations on a wide range of privacy issues. We also
work on the international level within coalitions such as the Trans Atlantic
Consumer Dialogue (TACD) that brings together consumer advocates from the U.S.
and Europe.3 I want to thank the Committee for inviting me to testify today on
an issue that is of growing importance to the American public.
SURFER BEWARE REPORTS
Since 1997, EPIC has conducted annual "Surfer Beware" surveys
on the state of Internet privacy. EPIC's survey of Internet privacy policies
"Surfer Beware: Personal Privacy and the Internet" - the first survey of online
privacy ever conducted - found that only 17 of the 100 most frequently visited
websites posted privacy policies and that none met basic standards for privacy
protection.4 That report recommended that Internet websites make privacy
policies easy to find, clearly state how and when information is collected,
provide access to data already collected, make cookie transactions more
transparent, and continue to support anonymity. "Surfer Beware II: Notice Is Not
Enough" assessed the online privacy practices of members of the Direct Marketing
Association (DMA).5 The DMA was and is a leading proponent of industry
self-regulation with regard to personal information. The report found that only
8 of the 40 new DMA members with websites had privacy policies and only 3
complied with the DMA's own guidelines published nine months earlier.
Our most recent report "Surfer Beware III: Privacy Policies without
Privacy Protection" was conducted shortly before last year's holiday shopping
season.6 Looking at the top 100 e-commerce sites, we found that not a single one
had a privacy policy that complied with the benchmark of Fair Information
Practices. For example, many websites posted privacy policies but did not
provide access to personal data already collected.
We also found that
many of the privacy policies were confusing and inconsistent. While over 80% of
the websites that we surveyed did post a privacy policy, our survey proved that
posting a privacy policy has no significant correlation with a high level of
protection.
In the years between our first and last reports, we have
documented the lack of protections for consumer privacy in these crucial early
years of e-commerce. It is no secret that consumer concerns about privacy on the
Internet have not dissipated in this time. If anything, recent developments such
as online profiling indicate that the current approach of self-regulation may be
putting consumer privacy at increasing risk.
ONLINE PROFILING
Online profiling caught the attention of consumers earlier this year
when online advertiser DoubleClick proposed to create detailed profiles on
Internet users. The company came under fire for linking personal information
such as a name and address to online profiles, records of what Internet
consumers were doing online. In doing so, it reneged on earlier statements made
in its privacy policy that all information it collected would remain anonymous.7
In testimony before the Senate Commerce Committee in July of 1999, EPIC was one
of the first organizations to publicly discuss the change in DoubleClick's
business model.8
In early February, EPIC filed a complaint with the
Federal Trade Commission (FTC) that DoubleClick had unfairly and deceptively
misled consumers about its information collection practices. At the end of July,
the FTC approved a set of self-regulatory guidelines that permits wholesale
tracking of Internet consumers and linking of those profiles to personal
information without the knowledge or permission of the consumer. The guidelines
were negotiated with the Network Advertising Initiative (NAI), a group of online
profiling companies.
In response, EPIC along with 13 other consumer
privacy organizations signed a letter pointing out that "the NAI Principles
recently endorsed by the Federal Trade Commission fail to provide an adequate
level of privacy protection".9 The letter said that The Principles will allow
online profilers to combine previously declared anonymous data with personally
identifiable data, like home addresses and telephone numbers. In the future,
online profilers will be allowed to link information about online behavior with
personally identifiable data on a burdensome opt-out basis. The persons profiled
by these companies will have no guaranteed level of access to view what data has
been collected on them. Personally identified profiles may also be distributed
to any third party - for completely unrelated purposes - on an opt-out basis.
All of these provisions, and others, will erode consumer control over the
collection and use of highly detailed profiles.10
Furthermore, the
letter faults the FTC for failing to involve the consumer advocacy community in
negotiations with the Network Advertising Initiative. The negotiations were done
behind closed doors and EPIC had to file a Freedom of Information Act request
just to see the record of those proceedings.
EPIC, along with
Junkbusters, completed a full analysis of the Network Advertising Initiative
guidelines entitled "Network Advertising Initiative: Principles not Privacy"
detailing the vague and weak restrictions it offers.11 That review concluded
that The Principles perpetuate the secretive tracking of Internet users and run
counter to the standards that consumers want. The Principles place the burden of
privacy protection squarely on the consumer by relying on opt-out for both
tracking of Internet users and linking of profiles to personally identifying
information.12
Further, the report recommended that "strong laws and
effective enforcement will spur Internet advertisers to adopt methods and
technologies that promote consumer privacy".
Online profiling remains a
serious concern for Internet users. I urge the Committee to ask the FTC why,
despite their own recommendations for Internet legislation, it chose to approve
self-regulatory guidelines for online profiling companies, the most personal
information intensive sector that has developed to date on the Internet.
BANKRUPTCY
Apart from the activities of online profiling
companies, the most recent development facing online consumers is the growing
number of Internet companies that are auctioning off personal information when
they go bankrupt. In June, online retailer Toysmart.com went bankrupt and
advertised the sale of its assets in the Wall Street Journal. What caught the
attention of many is that the company also attempted to sell its customer lists
and other personal information in violation of representations made when it
collected that data. The ongoing dot-com shakeout will likely produce more
companies trying to recoup capital for their investors, but how will the
privacy of this personal information be protected?
The
FTC was able to pursue Toysmart.com since the company said that the information
collected was "never shared with a third party". The FTC's attempted settlement
fell short of requiring the company not to sell the personal data of its
customers. Since then, other companies have been failing, similarly putting the
information of their customers at risk.
Over Labor Day weekend, Amazon.com
told its millions of customers that in the event that it failed - it would also
declare their personal information as a business asset. That statement and other
changes to the company's privacy policy prompted EPIC's decision to cut ties
with the online bookseller. In a letter to EPIC's newsletter subscribers, we
said that "Because of this decision, and in the absence of legal or technical
means to assure privacy for Amazon customers, we have decided that we can no
longer continue our relationship with Amazon".14
Failing to guarantee
that personal information will not be sold in the future is an obvious
requirement of privacy protection but one that companies have avoided taking on.
As bankruptcies become more common, the failure to provide privacy standards for
online consumers allows companies to protect privacy only when it suits them.
When bankrupt, the privacy of a company's customers is no longer important to
the company and is no longer respected. Furthermore, the growing number of
bankruptcies points to an underlying problem with the current reliance on
privacy policies. By making privacy policies the only standard to which Internet
websites are held, it allows companies to change the terms on consumers - most
recently allowing companies to unilaterally declare personal
information theirs to sell.
GOVERNMENT PRIVACY POLICIES
Another issue before the Committee today is the issue of
government website privacy policies. While this will not be the focus of my own
testimony, I do wish to make a few comments on this issue.
The General
Accounting Office survey commissioned by Rep. Armey and others found that 97
percent of government websites did not comply with the FTC Fair Information
Practice principles of Notice, Consent, Access, and Security.
We support
efforts to strengthen the privacy safeguards for federal websites. History has
proven that such restrictions are necessary to curtail possible governmental
abuses of power. Events like Watergate spurred laws such as the Privacy Act of
1974 that provides citizens with an array of rights to protect their privacy.
I should also point out that government agencies - unlike commercial
entities - are not free to use personal information however they wish.
Government agencies have to comply with guidelines set out in law while
commercial websites have to comply with privacy policies that they themselves
write.
PRIVACY ENHANCING TECHNOLOGIES
Since the beginning of the
online privacy debate, EPIC has urged the wide adoption of privacy-enhancing
technologies to protect consumers. However, I would like to point out what makes
a technology one that enhances rather than invades privacy. Privacy enhancing
technologies make it easier to take advantage of rights as provided through Fair
Information Practices and minimize or eliminate the collection of personal data.
Without legal guarantees that data is collected for limited specific
purposes, is collected only with consent, is accessible to the consumer, is
securely stored and transmitted, privacy technologies can currently do little to
help consumers utilize their rights. Only when existing law provides those
rights will technologies develop to help consumers take advantage of them. The
Platform for Privacy Preferences (P3P) demonstrates the failings of online
privacy technologies in an environment without privacy law. A report released
earlier this June, entitled "Pretty Poor Privacy: An Assessment of P3P and
Internet Privacy", details some of the protocol's failings.15
There is,
however, one area in which technology can address privacy in the absence of
laws. That is in the promotion of anonymity and elimination of the need to
collect personal data. Most of the activities conducted online such as reading
news, shopping for products, searching for information, can be done without the
collection of information from consumers. However, the current trend towards
"personalization" results in the increased storage and analysis of these basic
online activities. Infomediaries that seek to provide information according to
user preferences do not provide this anonymity. Rather than reinforcing that the
dispersal of customer information should not be the norm, they seek to encourage
more information collection by making it easier than ever for personal data to
be disclosed.
CONCLUDING REMARKS
Internet consumers are facing
an increasingly hostile environment. Faced by online profiling companies that
seek to know about their online surfing habits and websites that change their
privacy policies at will, consumers are increasingly left to their own devices
in protecting their privacy. Technologies available to consumers, for reasons I
mention above, have a role to play but will only have significant impact once
legal standards become effective.
Congress has a critical role to play
in safeguarding online privacy. It should build on the legal framework for
privacy protection, consistent through many federal laws protecting personal
information.16
There is significant public support for Internet privacy
legislation.17 Consumers should not be left without legal rights in the online
world.
FOOTNOTES
1 EPIC is a public interest research center in
Washington, D.C. It was established in 1994 to focus public attention on
emerging civil liberties issues and to protect privacy, the First Amendment, and
constitutional values. More information about EPIC is available at the EPIC
website, http://www.epic.org
2 http://www.ftc.gov/acoas/
3 http://www.tacd.org
4 http://www.epic.org/reports/surfer-beware.html
5 http://www.epic.org/reports/surfer-beware2.html
6 http://www.epic.org/reports/surfer-beware3.html
7 For more information, see http://www.epic.org/doubletrouble/
8 http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf
9 http://www.epic.org/privacy/internet/NAI_group_letter.html
10 ibid.
11 http://www.epic.org/privacy/internet/NAI_analysis.html
12 ibid.
13 ibid.
14 http://www.epic.org/privacy/internet/amazon/letter.html
15 http://www.epic.org/reports/prettypoorprivacy.html
16 Fair Credit
Reporting Act (1970) 15 U.S.C. Section 1681; Family Educational Rights and
Privacy Act (1974) 20 U.S.C. Section 1232g; Cable Communications Policy Act
(1984) 47 U.S.C. Section 551; Electronic Communications Privacy Act (1986) 18
U.S.C. Section 2510; Video Privacy Protection Act (1988) 18 U.S.C. Section 2710;
See Telecommunications Act (1996) 47 U.S.C. Section 222; Children's Online
Privacy Protection Act (1999) 15 U.S.C. Section 6501.
17 Business Week/Harris Poll: A Growing Threat, March 20, 2000,
http://www.businessweek.com/2000/00_12/b3673010.htm