Copyright 2000 Federal News Service, Inc.
Federal News Service
February 9, 2000, Wednesday
SECTION: PREPARED TESTIMONY
HEADLINE:
PREPARED TESTIMONY OF DEIRDRE MULLIGAN STAFF COUNSEL OF THE CENTER FOR DEMOCRACY
AND TECHNOLOGY
BEFORE THE SENATE COMMITTEE ON
COMMERCE, SCIENCE AND TRANSPORTATION SUBCOMMITTEE ON CONSUMER AFFAIRS, FOREIGN
COMMERCE AND TOURISM
BODY:
I. Introduction
The Center for Democracy and Technology (CDT) is pleased to have this
opportunity to testify about privacy in the online environment and the Federal
Trade Commission's role in developing privacy policy. CDT is a non-profit,
public interest organization dedicated to developing and implementing public
policies to protect and advance civil liberties and democratic values on the
Internet. One of our core goals is to enhance privacy protections for
individuals in the development and use of new communications technologies. We
thank the Chairman for the opportunity to participate in this hearing and look
forward to working with the Committee to develop policies that support civil
liberties and a vibrant Internet.
To begin, I would like to offer three points to
guide the Committee as it begins to address the protection of individual
privacy:
* The Internet presents new challenges and opportunities for the
protection of privacy. Our policies must be grounded in an understanding of the
medium's unique attributes and its unique potential to promote democratic
values. It must also address the unique risks the Internet poses to our values
including personal privacy. As many .coms tout the benefits of customized
content and personalized advertising they play down the personalized tracking
and profiling that support such applications. The Internet will best serve
individuals if we recognize the risks to privacy and develop public policies and
technologies that address them. There is little doubt that the Internet holds
great promise for maximizing our democratic values and growing our economy,
however sound public policies play an integral part in ensuring we achieve these
goals. I look forward to working with the Committee to explore legislative
options for protecting privacy on the Internet.
* Increasingly, the
rules that govern society are embodied in computer code. This code, and the
products built upon it, can enhance or limit the collection of personal
information and can either afford or deny individuals control over their
information. Technical decisions including whether a product is designed to keep
information on an individual's own computer or on a remote server, what personal
information a product collects, and for how long information is retained have
important implications for privacy. The availability of robust encryption, the
development of strong authentication devices, and the deployment of technical
standards such as the Platform for Privacy Preferences are an important
component of protecting privacy on the Internet.
* Privacy is a complex
value. Ensuring that individuals' long-held expectations of autonomy, fairness,
and confidentiality are respected as daily activities move online requires a
thoughtful, multi-faceted approach combining self-regulatory, technological, and
legislative components. These expectations exist vis-a-vis both the public and
the private sectors. By autonomy, I mean the individual's ability to browse,
seek out information, and engage in a range of activities without being
monitored and identified. Fairness requires individuals maintain control over
the information that they provide to the government and the private sector. The
concept of fairness is embodied in the Code of Fair Information Practices
- long-accepted principles specifying that individuals should be able to
"determine for themselves when, how, and to what extent information about them
is shared." In terms of confidentiality, we need a strong Fourth Amendment in
cyberspace.
I have attached a law review article that elaborates on
these three points, authored by CDT's Executive Director, Jerry Berman and
myself. I will devote the remainder of my testimony to providing the Committee
with an overview of important privacy issues on the Internet and some thoughts
on the roles of the Federal Trade Commission and Congress as we seek policies to
protect privacy.
II. Privacy policies on the Web
Last July, I
provided the Subcommittee on Telecommunications with CDT's report, "Behind the
Numbers: Privacy Practices on the Web." The report concluded that Fair
Information Practices were the exception rather than the rule on the World Wide
Web; private sector enforcement programs covered a very small segment of
commercial Web sites; and individuals' privacy concerns remained largely
unaddressed. The report was based in part on the Georgetown Internet Privacy
Policy Survey, released last July, which found that while more Web sites were
mentioning privacy, only 9.5% provided the types of notices required by the
Online Privacy Alliance, the Better Business Bureau and TRUSTe.
The
Georgetown Survey found that an increased number of Web sites provided consumers
with some information about what personal information is collected (44%), and
how that information will be used (52%). But, on important issues such as access
to personal information and the ability to correct inaccurate information, the
survey found that only 22% and 18% respectively of the highly trafficked Web
sites surveyed provided consumers with notice of their rights. On the important
issue of providing individuals with the capacity to control the use and
disclosure of personal information, the survey found that 39.5% of these sites
said that consumers could make some decision about whether to be re-contacted
for marketing purposes - most likely an "opt-out" - and fewer still, 25%, said
they provided consumers with some control over the disclosure of data to third
parties.
While a year has passed, a recent report indicates that
adherence to Fair Information Practices is not the norm on the Web. A report
released last week on the privacy policies and practices of Health Web sites
found that while 19 of the 21 Web sites surveyed had privacy policies, they
failed to meet Fair Information Practice Principles.
Overall, reports
and surveys over the past year have found that even the most frequently
trafficked consumer Web sites do not adequately inform individuals about how
their personal information is handled. More troubling is the finding that health
Web sites, where individuals divulge sensitive information, are
not providing individuals' personal information with strong
privacy protections. At the same time these same busy
consumer-oriented Web sites are collecting increasingly detailed
personal information.
III. New threats to Individuals'
privacy
It is difficult for individuals to limit the
use and disclosure of their personal information. Where
"privacy statements" are posted they are frequently written in complex
and confusing language. An expert in communicating with the public provided CDT
with an analysis of a prominent company's privacy statement. He found the
statement to be written at the graduate school reading level with each sentence
averaging 24 words.
If a consumer finds a privacy statement and
successfully deciphers it she frequently finds that if she fails to "opt-out"
(object) her name, address, and other personal information will be shared with
undefined "others." Today, to limit the reuse of personal information an
individual must search every Web site for an opportunity to "opt-out."
And hope that the opt-out features work as promised, which CDT has found, is not
always the case.
On November 15, CDT launched a new Web site, "Operation
Opt-Out," to give consumers a simple one-stop location to "get off the lists" -
the mailing and telephone lists and profiling databases that have proliferated
with the digital economy. Operation Opt-out has assisted thousands of
individuals to limit the use of their personal information.
In addition
to helping individuals, Operation Opt-Out produced useful information about
whether companies do what they say. During its second week Operation Opt-Out ran
a feature on how to "opt-out" of the online profiling or "network advertising"
companies' data systems. We found several problems with the opt-out features
offered by the online profiling companies. Problems ranged from broken "opt-out"
features at Flycast and Matchlogic, to Matchlogic's display of an expired TrustE
seal.
Individuals' ability to limit the use and disclosure of their
personal information by businesses with which they have chosen to interact
remains difficult. But of increasing concern are the activities of online
profiling companies, or network advertisers, who collect data without the
individual's knowledge or consent. With growing frequency, navigational and
other data is being captured by advertising networks or "profiling companies."
With the permission of the Web site, but not the individual, these profiling
companies place unique identifiers on individuals' computers. These identifiers
are then used to track individuals as they surf the Web. The individual's
profile grows with time, because online profiling is a continuing collection of
his online behavior, despite the fact that the individual disconnects. The
navigational data collected may include information such as, Web sites and Web
pages visited, the time and duration of the visit, search terms typed in search
engines' forms, and other queries, purchases, "click through" responses to
advertisements, and the previous page visited. In addition to long lists of
collected information, a profile may contain "inferential" or "psychographic"
data - information that the business infers about the individual based on the
behavioral data captured. From this amassed data, elaborate inferences may be
drawn, including the individual's interests, habits, associations, and other
traits.
The practices of online profiling companies have far-reaching
impacts on consumers' online privacy. The companies that engage in profiling are
hidden from the individual. They reach through the Web site with whom the
individual has chosen to interact and, unbeknownst to the individual, extract
information about the individual's activities. In the rare instances where
individuals are aware of the fact that a third party is collecting information
about them, they are unlikely to be aware that this information is being fed
into a growing personal profile maintained at a data warehouse, on which data
mining can be exercised.
At many Web sites individuals are told that
"cookies" are harmless bits of data that help customize and personalize their
experience. While "cookies" themselves are not per se bad, the use of "cookies"
to secretly tag and monitor individuals across multiple Web sites undermines
individuals' ability to determine to whom and under what circumstances to
disclose information about themselves. The practices of these profiling
companies undermine individuals' expectations of privacy by fundamentally
changing the Web experience from one where consumers can browse and seek out
information anonymously, to one where an individual's every move is recorded.
While several of the companies engaged in profiling state that they do
not correlate information with identifying information such as name, e-mail,
address, this does not on its own address the privacy concerns at issue. The
highly detailed nature of the profiles and the capture of information that can
be reasonably easily associated with a specific individual raise questions about
the claims of anonymity and promises of non-identifiability. While the
companies, in some instances, may not be tying information that they gather
about individuals' use of the Internet to their name and address, the
information may be quite capable of revealing the individual's identity, through
the use of various computer tools and software.
While the name and
e-mail address of the individual may remain obscure, the information the
individual is able to access, the offers made to the individual are being
determined by the business based on specific information collected about the
individual. While the concern raised by the use of information about the
individual to alter what information they see in the context of advertising may
appear relatively trivial, this same practice, and perhaps data, can be used to
make other decisions about the individual that even a privacy-skeptic may find
objectionable. The info collected about the individual could be used to alter
the prices at which goods or services, including important services such as life
and health insurance, are offered, employed by a government, and could be used
to alter the information viewed by individuals. While the impact of altered
advertisements on the individual--harm? benefit?--can be disputed, these other
examples indicate that there is a privacy interest in information about
individuals' actions and interactions when it is collected and used to make
decisions about them.
Recently it has become clear that DoubleClick
intends to attach identities to the extensive profiles they collect about
individuals' online activities. It is unclear whether other online profiling
companies will follow a similar path. DoubleClick's privacy statement had stated
that its cookies identified computers, not people - that it couldn't link its
"cookies" to names and home addresses or other elements of personal identity and
didn't want to do so. After its purchase of the consumer transaction database
Abacus, DoubleClick acknowledged that it intended to tie surfing habits and
online searches to personal identity. DoubleClick's Abacus Alliance has arranged
to collect names, addresses, and other personal information from Web sites where
Internet users knowingly register. So far, at least ten Web sites (the Company
hasn't said who they are) have agreed to participate by providing DoubleClick
the identity of their subscribers. Thus, DoubleClick, to whom an individual has
never revealed her identity, may have access to an individual's name, credit
card number, and home address.
As these companies merge with each other
and with companies such as Abacus that maintain detailed personally identifiable
profiles about individuals' offline activities, the consolidation of offline and
online profiles will erode the distinction between online and offline identity.
Online companies are aware of the sensitivity this raises. Consumers have shown
an aversion to having their online activities tied to their identity.
Finally, recent revelations about government demands for access to
individual profiles created in the consumer marketplace warn us that even the
most benign information, such as grocery purchases, that provides insights into
individuals' behavior are sought out by the government.
The profiling
activities of these companies pose unique threats to individual privacy.
IV. Consumer Reaction to Profiling
On February 1, 2000, CDT
launched a consumer campaign to alert consumers to the threat that online
profiling poses to privacy and to encourage consumers to say no to DoubleClick's
plans to create a data system to track individuals' online and offline
activities and their identities. At CDT's Web site consumers are able to
"opt-out" of DoubleClick's tracking activities, send a letter to DoubleClick's
CEO and send a letter to several prominent companies that use DoubleClick's
services. In less than three days 13,000 people used our Web site to opt-out of
DoubleClick's tracking; over 6,000 individuals sent messages to DoubleClick's
CEO; and, in the first 36 hours, over 4,400 email messages were sent to
prominent DoubleClick affiliates. Several companies have responded to consumer
concerns and clarified their policy of not disclosing subscriber information to
DoubleClick.
We believe that the public's voice is important when
evaluating whether a business' practices comport with individuals' expectations
of privacy. The email we received from individual citizens and the participation
of thousands of individuals in our campaign indicates that many individuals
object to DoubleClick's practice of tracking and monitoring individuals and do
not want information about their identity included in such a system.
V. The Federal Trade Commission's role in protecting individual privacy
Over the past five years the Federal Trade Commission's activities in the area of
information privacy have expanded. The Commission has convened seven workshops
to explore privacy on the Internet, issued several reports, conducted surveys,
and brought several important enforcement actions in the area of privacy.
Finally, the Commission played a pivotal role in shaping the Children's Online
Privacy Protection Act and crafting rules to implement it that map onto the
Internet.
The Commission's work has played an important role in bringing
greater attention to privacy issues and pushing for the adoption of better
practices in the market place.
While the Commission's contributions to
the protection of individual privacy have been and will continue to be important,
their mission and jurisdiction place limits on their involvement in many
important privacy issues such as government collection and use
of personal information. They are not able to provide the forum
for all privacy discussions - and there are many important privacy discussions
waiting to occur.
However, keeping with its mission, the FTC must have
the resources and staff to continue their privacy agenda. The upcoming Web
survey, the Advisory Committee on Online Access and Security, the ongoing
exploration of online profiling are important. The detailed and thorough work of
the Commission enables advocates, businesses, and policy makers to better
understand the privacy issues and to choose the appropriate tools to address
them. Over the next few months the Commission's work will produce reports and
surveys that will aid this Committee as it evaluates the growing number of
legislative proposals to protect privacy and examines the role of ongoing
self-regulatory efforts. It is important that the FTC be provided with funding
to hold workshops, issue reports, enforce the Children's Online Privacy
Protection Act, and take action against abuses of privacy in the marketplace.
VI. The role of Congress
As Congress moves forward this year, we
look forward to working with you and all interested parties to ensure that fair
information practices are incorporated into business practices on the World Wide
Web. We must adopt enforceable standards, both self-regulatory and legislative,
to ensure that information provided for one purpose is not used or redisclosed
for other purposes without the individual's consent and to ensure that the
Fourth Amendment follows our personal information into
cyberspace.
The challenge of implementing privacy
practices on the Internet is ensuring that they build upon the medium's
real-time and interactive nature to foster privacy and that they do not
unintentionally impede other beneficial aspects of the medium. Implementing
privacy protections on the global and decentralized Internet is a complex task
that will require new thinking and innovative approaches. Both legislation and
self-regulation are only as good as the substantive policies they embody. As we
said at the start, crafting meaningful privacy protections that map onto the
Internet requires us to resolve several critical issues. While consensus exists
around at least four general principles (a subset of the Code of Fair
Information Practices) - notice of data practices; individual control over the
secondary use of data; access to personal information; and, security for data -
the specifics of their implementation and the remedies for their violation must
be explored. We must wrestle with difficult questions: When is information
identifiable? How is it accessed? How do we create meaningful and proportionate
remedies that address the disclosure of sensitive medical information as well as
the disclosure of inaccurate marketing data? For the policy process to
successfully move forward these hard issues must be more fully resolved.
The Federal Trade Commission and several members of the full Senate
Commerce Committee are well aware of the hard issues that must be resolved and
are working to address them. I am a member of the Federal Trade Commission's
Committee on Online Access and Security tasked with exploring how to implement
the important principle of providing consumers with access to their data and
what security measures are appropriate to protect personal information on the
Internet. I believe that the work of that Committee will provide useful
information to Congress as it examines options for protecting privacy. I would
welcome the opportunity to provide the Committee with information about our
progress and look forward to working with members of this committee, to develop
a framework for privacy protection in the online environment.
The Online
Privacy Protection Act, S. 809, introduced by Senators Burns (R-MT) and Wyden
(D-OR), the Electronic Rights for the Twenty-First Century (E-RIGHTS), S. 854,
introduced by Senator Leahy (D-VT), forthcoming proposals, and the Children's
Online Privacy Protection Act of 1998 (COPPA) provide an excellent starting
point for this discussion. COPPA demonstrated that Congress could take action to
protect privacy and ensure consumer trust in electronic commerce. By providing
some flexibility to the Federal Trade Commission Congress ensured that
technology and innovation would not be unintentionally stunted by efforts to
protect children's privacy. The leadership of Internet savvy members of this
Committee and others will be critical as we seek to provide workable and
effective privacy protections for the Internet.
VII. Conclusion
No doubt, privacy on the Internet is in a fragile state. Providing
protections for individual privacy is essential for a flourishing and vibrant
online community and marketplace. It is clear that our policy framework did not
envision the Internet as we know it today, nor did it foresee the pervasive role
information technology would play in our daily lives. Providing a web of privacy
protection to data and communications as they flow along networks requires a
unique combination of tools--legal, policy, technical, and self-regulatory. I
believe that legislation is an essential element of the online privacy framework
and we look forward to working with this Committee toward that end. Whether it
is setting limits on government access to personal information, ensuring that a
new technology protects privacy, or developing legislation all require
discussion, debate, and deliberation. I thank the Committee for the opportunity
to share our views and look forward to working with the members and staff and
other interested parties to foster privacy protections for the Digital Age.
FOOTNOTES:
The Code of Fair Information Practices as stated in
the Secretary's Advisory Comm. on Automated Personal Data Systems, Records,
Computers, and the Rights of Citizens, U.S. Dept. of Health, Education and
Welfare, July 1973: There must be no personal data record-keeping systems whose
very existence is secret.
There must be a way for an individual to find
out what information about him is in a record and how it is used. There must be
a way for an individual to prevent information about him that was obtained for
one purpose from being used or made available for other purposes without his
consent.
There must be a way for the individual to correct or amend a
record of identifiable information about him. Any organization creating,
maintaining, using, or disseminating records of identifiable personal data must
assure the reliability of the data for their intended use and must take
precautions to prevent misuse of the data. Id. at xx
The Code of Fair
Information Practices as stated in the OECD guidelines on the Protection of
Privacy and Transborder Flows of Personal Data
http://www.oecd.org/dsti/sti/ii/secur/prod/PRIV_EN.HTM
1. Collection
Limitation Principle: There should be limits to the collection of personal data
and any such data should be obtained by lawful and fair means and, where
appropriate, with the knowledge or consent of the data subject.
2. Data
quality: Personal data should be relevant to the purposes for which they are to
be used, and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.
3. Purpose specification: The purposes for
which personal data are collected should be specified not later than at the time
of data collection and the subsequent use limited to the fulfillment of those
purposes or such others as are not incompatible with those purposes and as are
specified on each occasion of change of purpose.
4. Use limitation:
Personal data should not be disclosed, made available or otherwise used for
purposes other than those specified in accordance with the "purpose
specification" except: (a) with the consent of the data subject; or (b) by the
authority of law.
5. Security safeguards: Personal data should be
protected by reasonable security safeguards against such risks as loss or
unauthorized access, destruction, use, modification or disclosure of data.
6. Openness: There should be a general policy of openness about
developments, practices and policies with respect to personal data. Means should
be readily available of establishing the existence and nature of personal data,
and the main purposes of their use, as well as the identity and usual residence
of the data controller.
7. Individual participation: An individual
should have the right (a) to obtain from a data controller, or otherwise,
confirmation of whether or not the data controller has data relating to him; (b)
to have communicated to him, data relating to him:
- within a reasonable
time; - at a charge, if any, that is not excessive; - in a reasonable manner,
and, - in a form that is readily intelligible to him; (c) to be given reasons if
a request made under subparagraphs (a) and (b) is denied, and to be able to
challenge such denial; and, (d) to challenge data relating to him and, if the
challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability: A data controller should be accountable for complying
with measures which give effect to the principles stated above.
Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.
This number is
generated using the data from Q32 (number of sites that say they give consumers
choice about having collected information disclosed to outside third parties) --
64 - and dividing it by 256 (the total survey sample (364) minus the number of
sites that affirmatively state they do not disclose data to third-parties (Q29A)
(69) and the number of sites that affirmatively state that data is only
disclosed in the aggregate (Q30) (39)).
Report on the Privacy Policies
and Practices of Health Web Sites, Janlori Goldman and Zoe Hudson, Health
Privacy Project, Georgetown University, and Richard M. Smith.
http://ehealth.chcf.org/pfiv_pol/index_show.cfm?doc_id=33
To Flycast's credit
they were quick to fix this problem once we contacted them, however, we have no
idea how long the opt-out was broken and how many consumers were affected by
this problem. Matchlogic now provides an online opt-out feature.
A
psychographic study "joins consumers' measurable demographic characteristics
with the more abstract aspects of attitudes, opinions and interests." Data
mining specialists code demographic, media, purchasing and psychographic data
from surveys, throw them together and analyze them until some groups with shared
characteristics can be distinguished from all other groups. They can identify
those groups most likely to buy specific products and services by including
questions relating to a product about past buying habits or future intentions to
purchase. Every kind of psychographic study adds the dimension of psychology
and/or lifestyles to a demographic inquiry and uses quantitative survey
techniques. Cf. Rebecca Piirto HEATH, Psychographics: Qu'est-Ce Que C'est ?,
Marketing Tools, Nov.-Dec. 1995;
http://www.demographics.com/publications/mt/95_mt/9511 mt/MT3gg.htm (last viewed
on Nov. 12, 1999).
A "data warehouse" is a system used for storing and
delivering huge quantities of data, while data warehousing refers to the process
used to extract and transform operational data into informational data and
loading it into a central data store or "warehouse". Data warehousing allows
data from disparate databases to be consolidated and managed from a single
database, which in turn allows for the development of longer and more
"accurate" profiles more efficiently and less expensively.
Data mining
is "a set of automated techniques used to extract buried or previously unknown
bits of information from large databases." (Ann CAVOUKIAN, Data Mining: Staking
a Claim on your Privacy (Information and Privacy Commissioner of Ontario,
Canada), Jan. 1998,
http://www.ipc.on.ca/web_site.eng/matters/sum_pup/PAPERS/datamine.htm (last
viewed on Oct. 6, 1999). A successful data mining operation will make it
possible to unearth patterns and relationships, and afterwards, use the new
information to make proactive knowledge-driven business decisions. Data mining
focuses on the automated discovery of new facts and relationships in data. For
more information, cf. Kurt Thearling, From Data Mining to Database Marketing,
Oct. 1995, http://www3.shore.net/kht/text/wp9502/wp9502.htm (last viewed on Oct.
17, 1999).