Copyright 2000 eMediaMillWorks, Inc.
(f/k/a Federal
Document Clearing House, Inc.)
Federal Document Clearing House
Congressional Testimony
June 13, 2000, Tuesday
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 8134 words
HEADLINE:
TESTIMONY June 13, 2000 ORSON SWINDLE COMMISSIONER FEDERAL TRADE COMMISSION
SENATE COMMERCE, SCIENCE AND TRANSPORTATION INTERNET PRIVACY
BODY:
June 13, 2000 Statement of Commissioner Orson
Swindle Concurring in Part and Dissenting in Part Online Profiling: A Report to
Congress,

I. INTRODUCTION

On November 8, 1999, the Federal Trade Commission
(hereinafter "FTC" or "Commission") and the United States Department of Commerce
jointly sponsored a Public Workshop on Online Profiling. The goals of the
Workshop were to educate government officials and the public about online
profiling and its implications for consumer privacy, and to examine efforts of
the profiling industry to implement fair information practices. The Commission
also sought public comment on any issues of fact, law or policy that might
inform its consideration of the practice of online profiling. In keeping with
its long-standing support of industry self-regulation, the Commission has
encouraged the network advertising industry in its efforts to craft an
industry-wide program. The industry has responded with working drafts of
self-regulatory principles for our consideration. In examining the practice of
online profiling, as well as our work in online privacy, we nonetheless
recognize there are real challenges to creating an effective self-regulatory
regime for this complex and dynamic industry, and this process is not yet
complete. This report describes the current practice of online profiling by the
network advertisers and the benefits and concerns it presents for consumers. It
also discusses the ongoing effort of the industry to develop self-regulatory
principles. The Commission expects to supplement this report with specific
recommendations to Congress after it has an opportunity to fully consider the
self-regulatory proposals and how they inter-relate with the Commission's
previous views and recommendations in the online privacy area.

II. WHAT IS ONLINE PROFILING?

A. Overview

Over the past few years, online advertising has
grown exponentially in tandem with the World Wide Web. Online advertising
revenues in the U.S. grew from $301 million in 1996 to $4.62 billion in 1999,
and were projected to reach $11.5 billion by 2003. A large portion of that
online advertising is in the form of "banner ads" displayed on Web pages - small
graphic advertisements that appear in boxes above or to the side of the primary
site content. Currently, tens of billions of banner ads are delivered to
consumers each month as they surf the World Wide Web. Often, these ads are not
selected and delivered by the Web site visited by a consumer, but by a network
advertising company that manages and provides advertising for numerous unrelated
Web sites. DoubleClick, Engage, and 24/7 Media, three of the largest Internet
advertising networks, all estimate that over half of all online consumers have
seen an ad that they delivered. In general, these network advertising
companies do not merely supply banner ads; they also gather data about the
consumers who view their ads. This is accomplished primarily by the use of
"cookies" and "Web bugs" which track the individual's actions on the Web.
Among the types of information that can be collected by network advertisers are:
information on the Web sites and pages within those sites visited by consumers;
the time and duration of the visits; query terms entered into search engines;
purchases; "click-through" responses to advertisements; and the Web page a
consumer came from before landing on the site monitored by the particular ad
network (the referring page). All of this information is gathered even if the
consumer never clicks on a single ad. The information gathered by network
advertisers is often, but not always, anonymous, i.e., the profiles are
frequently linked to the identification number of the advertising network's
cookie on the consumer's computer rather than the name of a specific person.
This data is generally referred to as non-personally identifiable information
("non-PII"). In some circumstances, however, the profiles derived from tracking
consumers' activities on the Web are linked or merged with personally
identifiable information ("PII"). This generally occurs in one of two ways
when consumers identify themselves to a Web site on which the network advertiser
places banner ads. First, the Web site to whom personal information is provided
may, in turn, provide that information to the network advertiser. Second,
depending upon how the personal information is retrieved and processed by the
Web site, the personally identifying information may be incorporated into a URL
string that is automatically transmitted to the network advertiser through its
cookie. Once collected, consumer data can be analyzed and combined with
demographic and "psychographic" data from third-party sources, data on the
consumer's offline purchases, or information collected directly from consumers
through surveys and registration forms. This enhanced data allows the
advertising networks to make a variety of inferences about each consumer's
interests and preferences. The result is a detailed profile that attempts to
predict the individual consumer's tastes, needs, and purchasing habits and
enables the advertising companies' computers to make split-second decisions
about how to deliver ads directly targeted to the consumer's specific interests.
The profiles created by the advertising networks can be extremely detailed. A
cookie placed by a network advertising company can track a consumer on any Web
site served by that company, thereby allowing data collection across disparate
and unrelated sites on the Web. Also, because the cookies used by ad networks
are generally persistent, their tracking occurs over an extended period of time,
resuming each time the individual logs on to the Internet. When this
"clickstream" information is combined with third-party data, these profiles can
include hundreds of distinct data fields. Although network advertisers and their
profiling activities are nearly ubiquitous, they are most often invisible to
consumers. All that consumers see are the Web sites they visit; banner ads
appear as a seamless, integral part of the Web page on which they appear and
cookies are placed without any notice to consumers. Unless the Web sites
visited by consumers provide notice of the ad network's presence and data
collection, consumers may be totally unaware that their activities online are
being monitored.

B. An Illustration of How Network Profiling Works

Online consumer Joe Smith goes to a Web site that sells sporting goods. He clicks on
the page for golf bags. While there, he sees a banner ad, which he ignores as it
does not interest him. The ad was placed by USAad Network. He then goes to a
travel site and enters a search on "Hawaii." USAad Network also serves ads on
this site, and Joe sees an ad for rental cars there. Joe then visits an online
bookstore and browses through books about the world's best golf courses. USAad
Network serves ads there, as well. A week later, Joe visits his favorite online
news site, and notices an ad for golf vacation packages in Hawaii. Delighted, he
clicks on the ad, which was served by the USAad Network. Later, Joe begins to
wonder whether it was a coincidence that this particular ad appeared and, if
not, how it happened. At Joe's first stop on the Web, the sporting goods site,
his browser will automatically send certain information to the site that the
site needs in order to communicate with Joe's computer: his browser type and
operating system; the language(s) accepted by the browser; and the computer's
Internet address. The server hosting the sporting goods site answers by
transmitting the HTTP header and HTML source code for the site's home page,
which allows Joe's computer to display the page. Embedded in the HTML code that
Joe's browser receives from the sporting goods site is an invisible link to the
USAad Network site which delivers ads in the banner space on the sporting goods
Web site. Joe's browser is automatically triggered to send an HTTP request to
USAad which reveals the following information: his browser type and operating
system; the language(s) accepted by the browser; the address of the referring
Web page (in this case, the home page of the sporting goods site); and the
identification number and information stored in any USAad cookies already on
Joe's computer. Based on this information, USAad will place an ad in the pre-set
banner space on the sporting goods site's home page. The ad will appear as an
integral part of the page. If a USAad cookie is not already present on Joe's
computer, USAad will place a cookie with a unique identifier on Joe's hard
drive. Unless he has set his browser to notify him before accepting cookies, Joe
has no way to know that a cookie is being placed on his computer. When Joe
clicks on the page for golf bags, the URL address of that page, which discloses
its content, is also transmitted to USAad by its cookie. When Joe leaves the
sporting goods site and goes to the travel site, also serviced by USAad, a
similar process occurs. The HTML source code for the travel site will contain an
invisible link to USAad that requests delivery of an ad as part of the travel
site's page. Because the request reveals that the referring site is travel
related, USAad sends an advertisement for rental cars. USAad will also know the
identification number of its cookie on Joe's machine. As Joe moves around the
travel site, USAad checks his cookie and modifies the profile associated with
it, adding elements based on Joe's activities. When Joe enters a search for
"Hawaii," his search term is transmitted to USAad through the URL used by the
travel site to locate the information Joe wants and the search term is
associated with the other data collected by the cookie on Joe's machine. USAad
will also record what advertisements it has shown Joe and whether he has clicked
on them. This process is repeated when Joe goes to the online bookstore. Because
USAad serves banner ads on this site as well, it will recognize Joe by his
cookie identification number. USAad can track what books Joe looks at, even
though he does not buy anything. The fact that Joe browsed for books about golf
courses around the world is added to his profile. Based on Joe's activities,
USAad infers that Joe is a golfer, that he is interested in traveling to Hawaii
someday, and that he might be interested in a golf vacation. Thus, a week later,
when Joe goes to his favorite online news site, also served by USAad, the cookie
on his computer is recognized and he is presented with an ad for golf vacation
packages in Hawaii. The ad grabs his attention and appeals to his interests,
so he clicks on it.

III. PROFILING BENEFITS AND PRIVACY CONCERNS

A. Benefits

Cookies are used for many purposes other than profiling by third-party
advertisers, many of which significantly benefit consumers. For example, Web
sites often ask for user names and passwords when purchases are made or before
certain kinds of content are provided. Cookies can store these names and
passwords so that consumers do not need to sign in each time they visit the
site. In addition, many sites allow consumers to set items aside in an
electronic shopping cart while they decide whether or not to purchase them;
cookies allow a Web site to remember what is in a consumer's shopping cart from
prior visits. Cookies also can be used by Web sites to offer personalized home
pages or other customized content with local news and weather, favorite stock
quotes, and other material of interest to individual consumers. Individual
online merchants can use cookies to track consumers' purchases in order to offer
recommendations about new products or sales that may be of interest to their
established customers. Finally, by enabling businesses to monitor traffic on
their Web sites, cookies allow businesses to constantly revise the design and
layout of their sites to make them more interesting and efficient. Network
advertisers' use of cookies and other technologies to create targeted marketing
programs also benefits both consumers and businesses. As noted by commenters at
the Public Workshop, targeted advertising allows customers to receive offers and
information about goods and services in which they are actually interested.
Targeted advertising can also improve a consumer's Web experience simply by
ensuring that she is not repeatedly bombarded by the same ads. Businesses
clearly benefit as well from the ability to target advertising because they
avoid wasting advertising dollars marketing themselves to consumers who have no
interest in their products. Additionally, a number of commenters stated that
targeted advertising helps to subsidize free content on the Internet. By making
advertising more effective, profiling allows Web sites to charge more for
advertising. This advertising revenue helps to subsidize their operations,
making it possible to offer free content rather than charging fees for access.

[Footnote: The privacy issues raised by these uses of cookies are beyond the
scope of this report. Data reflecting the use of cookies are reported in the
FTC's recent report Privacy Online: Fair Information Practices in the Electronic
Marketplace (May 2000), hereinafter "2000 Report", available at
<http://www.ftc.gov/reports/privacy2000/privacy2000.pdf>. The Commission's vote
to issue the 2000 Report was 3-2, with Commissioner Swindle dissenting and
Commissioner Leary concurring in part and dissenting in part.]

Finally, one commenter
suggested that profiles can also be used to create new products and services.
First, entrepreneurs could use consumer profiles to identify and assess the
demand for particular products or services. Second, targeted advertising could
help small companies to more effectively break into the market by advertising
only to consumers who have an interest in their products or services. In sum,
targeted advertising can provide numerous benefits to both business and
consumers.

B. Concerns

Despite the benefits of targeted advertising, there is
widespread concern about current profiling practices. Many commenters at the
Workshop objected to network advertisers' hidden monitoring of consumers and
collection of extensive personal data without consumers' knowledge or consent;
they also noted that network advertisers offer consumers few, if any, choices
about the use and dissemination of their individual information obtained in this
manner. As one of the commenters put it, current profiling practices "undermine
individuals' expectations of privacy by fundamentally changing the Web
experience from one where consumers can browse and seek out information
anonymously, to one where an individual's every move is recorded." The most
consistent and significant concern expressed about profiling is that it is
conducted without consumers' knowledge. The presence and identity of a network
advertiser on a particular site, the placement of a cookie on the consumer's
computer, the tracking of the consumer's movements, and the targeting of ads are
simply invisible in most cases. This is true because, as a practical matter,
there are only two ways for consumers to find out about profiling at a
particular site before it occurs. The first is for Web sites that use the
services of network advertisers to disclose that fact in their privacy
policies. Unfortunately, this does not typically occur. As the Commission's
recent privacy survey discovered, although 57% of a random sample of the busiest
Web sites allowed third parties to place cookies, only 22% of those sites
mentioned third-party cookies or data collection in their privacy policies; of
the top 100 sites on the Web, 78% allowed third-party cookie placement, but
only 51% of those sites disclosed that fact. The second way for consumers to
detect profiling is to configure their browsers to notify them before accepting
cookies. One recent survey indicates, however, that only 40% of computer users
have even heard of cookies and, of those, only 75% have a basic understanding of
what they are. The second most persistent concern expressed by commenters was
the extensive and sustained scope of the monitoring that occurs. Unbeknownst to
most consumers, advertising networks monitor individuals across a multitude of
seemingly unrelated Web sites and over an indefinite period of time. The result
is a profile far more comprehensive than any individual Web site could gather.
Although much of the information that goes into a profile is fairly innocuous
when viewed in isolation, the cumulation over time of vast numbers of seemingly
minor details about an individual produces a portrait that is quite
comprehensive and, to many, inherently intrusive. For many of those who
expressed concerns about profiling, the privacy implications of profiling are
not ameliorated in cases where the profile contains no personally identifiable
information. First, these commenters felt that the comprehensive nature of the
profiles and the technology used to create them make it reasonably easy to
associate previously anonymous profiles with particular individuals. This means
that anyone who obtains access to ostensibly anonymous data - either by
purchasing the data or hacking into it - might be able to mine the data and link
it to identifiable individuals. Second, commenters feared that companies could
unilaterally change their operating procedures and begin associating personally
identifiable information with non-personally identifiable data previously
collected. Third, commenters noted that, regardless of whether they contain
personally identifiable information, profiles are used to make decisions about
the information individuals see and the offers they receive. These commenters
expressed concern that companies could use profiles to determine the prices and
terms upon which goods and services, including important services like life
insurance, are offered to individuals (for example, products might be offered at
higher prices to consumers whose profiles indicate that they are wealthy, or
insurance might be offered at higher prices to consumers whose profiles indicate
possible health risks). This practice, known as "weblining," raises many of the same
concerns that "redlining" and "reverse redlining" do in offline financial
markets. Another concern expressed by commenters is that, as consumers begin to
learn more about companies' monitoring activities, fear of online monitoring
will discourage valuable uses of the Internet that are fostered by its perceived
anonymity. As one commenter noted: "The anonymity that the Internet affords
individuals has made it an incredible resource for those seeking out
information. Particularly where the information sought is on controversial
topics such as sex, sexuality, or health issues such as HIV, depression, and
abortion; [sic] the ability to access information without risking identification
has been critical." Indeed, in support of this point, this commenter cites
studies that it believes suggest that, in both the online and offline world, the
perceived anonymity of computer research facilitates access to these kinds of
sensitive information. By chilling use of the Internet for such inquiries,
several commenters asserted, profiling may ultimately prevent access to
important kinds of information. Finally, some commenters expressed the opinion
that targeted advertising is inherently unfair and deceptive. They argued that
targeted advertising is manipulative and preys on consumers' weaknesses to
create consumer demand that otherwise would not exist, and that, as a result,
targeted advertising undermines consumers' autonomy. Recent consumer surveys
indicate that consumers are troubled by the monitoring of their online
activities. First, as a general matter, surveys consistently show that Americans
are worried about online privacy. Ninety-two percent say they are concerned
about threats to their personal privacy when they use the Internet and
seventy-two percent say they are very concerned. Eighty percent of Americans
believe that consumers have lost all control over how personal information is
collected and used by companies.

[Footnote: Comments of the Center for Democracy and Technology (CDT) at 19; see
also Rebuttal Comments of the Electronic Frontier Foundation (EFF) at 4-5; Reply
Comments of the Electronic Information Privacy Center (EPIC) at 2.]

In particular, surveys show that consumers are
not comfortable with profiling. A Business Week survey conducted in March of
this year found
that 89% of consumers are not comfortable having their browsing habits and
shopping patterns merged into a profile that is linked to their real name and
identity. If that profile also includes additional personal information such
as income, driver's license, credit data and medical status, 95% of consumers
express discomfort. Consistent with the comments received in connection with
the Public Workshop, consumers are also opposed to profiling even when data are
not personally identifiable: sixty-three percent of consumers say they are not
comfortable having their online movements tracked even if the data is not linked
to their name or real-world identity. An overwhelming 91% of consumers say
that they are not comfortable with Web sites sharing information so that they
can be tracked across multiple Web sites. Many consumers indicate that their
concerns about the collection of personal information for online profiling would
be diminished if they were given clear notice of what data would be collected
about them and what it would be used for, and were given a choice to opt-out of
data collection or of particular uses of their personal data. A recent survey by
Privacy & American Business explained to Internet users that, in order to
offer consumers personalized advertising, companies would need information about
the consumer. Internet users were then asked about their willingness to
provide that information by: (1) describing their interests; (2) allowing the
use of information on their Web site visits; (3) allowing the use of information
on their Internet purchases; (4) allowing the use of information on their
offline purchases; and (5) allowing the combination of online and offline
purchasing information. When told that the company providing tailored ads would
spell out how they would use the consumer's information and the consumer would
be given a chance to opt-out of any uses that he did not approve, a majority of
consumers indicated willingness to provide personal information. With notice and
choice, 68% were willing to describe their interests; 58% were willing to allow
site visit data to be used; 51% were willing to allow use of online purchasing
information; 53% were willing to allow use of offline purchasing data; and 52%
were willing to allow the use of combined online and offline purchasing
information. Although this survey indicates that, with appropriate notice and
choice, many consumers would be willing to allow companies to use their personal
information in order to deliver advertising targeted to the consumer's
individual needs and interests, the statistics also demonstrate that many
consumers are not willing to allow this kind of profiling regardless of whether
notice and choice are given. A substantial minority of Internet users - between
32% and 49% - indicated that they would not be willing to participate in
personalization programs even if they were told what would be done with their
information and were given the choice to opt-out of uses that they did not
approve. Internet users are also overwhelmingly opposed to the wholesale
dissemination of their personal information. Ninety-two percent say that they
are not comfortable with Web sites sharing their personal information with other
organizations and 93% are uncomfortable with their information being sold.
Eighty-eight percent of consumers say they would like a Web site to ask their
permission every time it wants to share their personal information with others.
Ultimately, consumers' privacy concerns are businesses' concerns; the electronic
marketplace will not reach its full potential unless consumers become more
comfortable browsing and purchasing online. That comfort is unlikely to come
unless consumers are confident (1) that they are notified at the time and place
information is collected who is collecting information about them, what
information is being collected, and how it will be used and (2) that they can
choose whether their personal information is gathered, how it is used, and to
whom it is disseminated.

IV. THE FTC'S ROLE IN ADDRESSING ONLINE PRIVACY ISSUES AND SELF-REGULATION

A. Legal Authority

The FTC's mission is to promote
the efficient functioning of the marketplace by protecting consumers from unfair
or deceptive acts or practices and to increase consumer choice by promoting
vigorous competition. The Commission's primary legislative mandate is to
enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair
methods of competition and unfair or deceptive acts or practices in or affecting
commerce. With the exception of certain industries and activities, the FTCA
provides the Commission with broad investigative and law enforcement authority
over entities engaged in or whose business affects commerce. Commerce on the
Internet falls within the scope of this statutory mandate.

B. Online Privacy

As noted in Section III.B., the online collection and use of consumers' information,
including the tracking of individual browsing habits, raise significant concerns
for many consumers. These concerns are not new; since 1997, surveys have
consistently demonstrated consumer unease with data collection practices in the
online marketplace. The Commission has responded to these concerns with a
series of workshops and reports focusing on a variety of
privacy issues, including the collection of personal
information from children, self-regulatory efforts and technological
developments to enhance consumer privacy, consumer and business education
efforts, and the role of government in protecting online privacy. The
Commission's long-standing goal has been to understand this new marketplace and
its information practices and to assess its cost and beneficial effects. It has
also used its law enforcement authority to challenge Web sites with deceptive
privacy policy statements. In its 1998 report, Privacy Online: A Report to
Congress, the Commission summarized widely-accepted principles regarding the
collection, use, and dissemination of personal information. These fair
information practice principles, which predate the online medium, have been
recognized and developed by government agencies in the United States, Canada,
and Europe since 1973, when the United States Department of Health, Education,
and Welfare released its seminal report on privacy protections in the age of
data collection, Records, Computers, and the Rights of Citizens. The 1998
Report identified the core principles of privacy protection common to the
government reports, guidelines, and model codes that had emerged as of that
time: (1) Notice - data collectors must disclose their information practices
before collecting personal information from consumers; (2) Choice - consumers
must be given options with respect to whether and how personal information
collected from them may be used for purposes beyond those for which the
information was provided; (3) Access - consumers should be able to view and
contest the accuracy and completeness of data collected about them; and
(4) Security - data collectors must take reasonable steps to assure that
information collected from consumers is accurate and secure from unauthorized
use. It also identified Enforcement - the use of a reliable mechanism to impose
sanctions for noncompliance with these fair information practices - as a
critical ingredient in any governmental or self-regulatory program to ensure
privacy online. The 1998 Report assessed the information practices of
commercial Web sites and the existing self-regulatory efforts in light of these
fair information practice principles and concluded that an effective
self-regulatory system had not yet taken hold. The Commission deferred
judgment on the need for legislation to protect the online privacy of consumers
generally, and instead urged industry to focus on the development of broad-based
and effective self-regulatory programs. One year later, the Commission issued a
second report, Self-Regulation and Online Privacy: A Report to Congress
("1999 Report"). In the 1999 Report, a majority of the Commission again
recommended that self-regulation be given more time, but called for further
industry efforts to implement the fair information practices. The Commission
also outlined plans for future Commission actions to encourage greater
implementation of online privacy protections, including the public workshop on
online profiling. In its 2000 Report, a majority of the Commission concluded
that, despite its significant work in developing self-regulatory initiatives,
industry efforts alone have been insufficient. Thus, the majority recommended
that Congress enact legislation to ensure consumer privacy online.

C. Online Profiling and Self Regulation: the NAI Effort

The November 8th workshop provided
an opportunity for consumer advocates, government, and industry members not only
to educate the public about the practice of online profiling, but to explore
self-regulation as a means of addressing the privacy concerns raised by this
practice. In the Spring of 1999, in anticipation of the Workshop, network
advertising companies were invited to meet with FTC and Department of Commerce
staff to discuss their business practices and the possibility of
self-regulation. As a result, industry members announced at the Workshop the
formation of the Network Advertising Initiative (NAI), an organization comprised
of the leading Internet Network Advertisers - 24/7 Media, AdForce, AdKnowledge,
Avenue A, Burst! Media, DoubleClick, Engage, and MatchLogic - to develop a
framework for self-regulation of the online profiling industry. In announcing
their intention to implement a self-regulatory scheme, the NAI companies
acknowledged that they face unique challenges as a result of their indirect and
invisible relationship with consumers as they surf the Internet. The companies
also discussed the fundamental question of how fair information practices,
including choice, should be applied to the collection and use of data that is
unique to a consumer but is not necessarily personally identifiable, such as
clickstream data generated by the user's browsing activities and tied only to a
cookie identification number. Following the workshop, the NAI companies
submitted working drafts of self-regulatory principles for consideration by FTC
and Department of Commerce staff. Although efforts have been made to reach a
consensus on basic standards for applying fair information practices to the
business model used by the network advertisers, this process is not yet
complete. The Commission will supplement this report with specific
recommendations to Congress after it has an opportunity to fully consider the
self-regulatory proposals and how they interrelate with the Commission's
previous views and recommendations in the online privacy area.

IV. Conclusion

The
Commission is committed to the goal of ensuring privacy online for consumers and
will continue working to address the unique issues presented by online
profiling.
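
The request flow walked through in Section II.B, and the URL-string disclosure described in Section II.A, can be checked from a capture of a browsing session. The Python audit below is an added example, not part of the Commission's report; the hostnames, the `uid` cookie name and the capture records are constructed, and `site_of` uses a two-label shortcut where a production audit would consult the Public Suffix List.

```python
"""Audit a browsing capture for cross-site tracking by a third-party host.

Added example: every hostname, cookie name and record here is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def site_of(url):
    """Return the last two host labels as the 'site' (simplifying assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def parse_cookie_header(header):
    """Parse a Cookie request header into a {name: value} dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def audit(capture, id_cookie="uid", min_sites=2):
    """Group third-party requests by (receiving site, cookie identifier).

    A finding is reported when one identifier reaches the same third party
    from at least `min_sites` different referring sites.
    """
    profiles = defaultdict(
        lambda: {"sites": set(), "pages": [], "disclosed": [], "pii": []})
    for req in capture:
        referer = req.get("referer")
        if not referer:
            continue  # typed URL or bookmark: no referring page is sent
        receiver, origin = site_of(req["url"]), site_of(referer)
        if receiver == origin:
            continue  # first-party request
        cookie_id = parse_cookie_header(req.get("cookie", "")).get(id_cookie)
        if cookie_id is None:
            continue  # no identifier sent, so requests cannot be linked
        profile = profiles[(receiver, cookie_id)]
        parts = urlsplit(referer)
        profile["sites"].add(origin)
        profile["pages"].append(origin + parts.path)  # page URL shows content
        for name, value in parse_qsl(parts.query):
            profile["disclosed"].append((origin, name, value))
            if EMAIL_RE.match(value):  # personal data carried in the URL
                profile["pii"].append((origin, name, value))
    return {k: p for k, p in profiles.items() if len(p["sites"]) >= min_sites}


AD = "http://ads.usaad.example/banner?slot=top"
# Constructed capture: one record per HTTP request the browser sent.
CAPTURE = [
    {"url": "http://www.sportinggoods.example/", "referer": None, "cookie": ""},
    # First ad request: no cookie yet; the response would place uid=8f3a21.
    {"url": AD, "referer": "http://www.sportinggoods.example/", "cookie": ""},
    {"url": AD, "referer": "http://www.sportinggoods.example/golf-bags",
     "cookie": "uid=8f3a21"},
    # Same-site image request: not a third-party disclosure.
    {"url": "http://www.travel.example/logo.gif",
     "referer": "http://www.travel.example/search?q=Hawaii",
     "cookie": "session=abc"},
    {"url": AD, "referer": "http://www.travel.example/search?q=Hawaii",
     "cookie": "uid=8f3a21"},
    {"url": AD, "referer": "http://www.books.example/browse?subject=golf+courses",
     "cookie": "uid=8f3a21"},
    {"url": AD,
     "referer": "http://www.news.example/welcome?email=joe.smith%40mail.example",
     "cookie": "uid=8f3a21"},
    # Third party seen on one site only, with no identifier.
    {"url": "http://static.fonts.example/f.css",
     "referer": "http://www.news.example/", "cookie": ""},
]

if __name__ == "__main__":
    for (receiver, cookie_id), p in audit(CAPTURE).items():
        print(f"{receiver} linked id {cookie_id} across {sorted(p['sites'])}")
        for origin, name, value in p["disclosed"]:
            flag = " [PII]" if (origin, name, value) in p["pii"] else ""
            print(f"  {origin}: {name}={value}{flag}")
```

Raising `min_sites` narrows the findings to identifiers seen across more referring sites; the `pii` list is the subset of disclosed URL parameters that look like e-mail addresses.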
LOAD-DATE: June 21, 2000, Wednesday