Skip banner
HomeHow Do I?Site MapHelp
Return To Search FormFOCUS
Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint

Document ListExpanded ListKWICFULL format currently displayed

Previous Document Document 60 of 261. Next Document

More Like This
Copyright 2000 eMediaMillWorks, Inc. 
(f/k/a Federal Document Clearing House, Inc.)  
Federal Document Clearing House Congressional Testimony

June 13, 2000, Tuesday

SECTION: CAPITOL HILL HEARING TESTIMONY

LENGTH: 8134 words

HEADLINE: TESTIMONY June 13, 2000 ORSON SWINDLE COMMISSIONER FEDERAL TRADE COMMISSION SENATE COMMERCE, SCIENCE AND TRANSPORTATION INTERNET PRIVACY

BODY:
June 13, 2000 Statement of Commissioner Orson Swindle Concurring in Part and Dissenting in Part Online Profiling: A Report to Congress, I. INTRODUCTION On November 8,1999, the Federal Trade Commission (hereinafter "FTC" or "Commission") and the United States Department of Commerce jointly sponsored a Public Workshop on Online Profiling.' The goals of the Workshop were to educate government officials and the -public about online profiling and its implications for consumer privacy, and to examine efforts of the profiling industry to implement fair information practices.' The Commission also sought public comment on any issues of fact, law or policy that might inform its consideration of the practice of online profiling.' In keeping with its long-standing support of industry self- regulation, the Commission has encouraged the network advertising industry in its efforts to craft an industry-wide program. The industry has responded with working drafts of self-regulatory principles for our consideration. In examining the practice of online profiling, as well as our work in online privacy, we nonetheless recognize there are real challenges to creating an effective self-regulatory regime for this complex and dynamic industry, and this process is not yet complete. This report describes the current practice of online profiling by the network advertisers' and the benefits and concerns it presents for consumers. It also discusses the ongoing effort of the industry to develop self-regulatory principles. The Commission expects to supplement this report with specific recommendations to Congress after it has an opportunity to fully consider the self- regulatory proposals and how they inter-relate -with the Commission's previous views and recommendations in the online privacy area. 11. . WHAT IS ONLINE PROFILING? A. Overview Over the past few years, online advertising has grown exponentially in tandem with the World Wide Web. Online advertising revenues in the U.S. grew from $301 million in 1996'to $4.62 billion in 1999,6 and were projected to reach $11.5 billion by 2003.' A large portion of that online advertising is in the form of "banner ads" displayed on Web pages - small graphic advertisements that appear in boxes above or to the side of the primary site content. Currently, tens of billions of banner ads are delivered to consumers each month as they surf the World Wide Web.9 Often, these ads are not selected and delivered by the Web site visited by a consumer, but by a network advertising company that manages and provides advertising for numerous unrelated Web sites. DoubleClick, Engagej and 24/7 Media, three of the largest Internet advertising networks, all estimate that over half of all online consumers have seen an ad that they delivered.' 0 In general, these network advertising companies do not merely supply banner ads; they also gather data about the consumers who view their ads. This is accomplished primarily by the use of "cookies"" and "Web bugs" which track the individual's actions on the Web." Among the types of information that can be collected by network advertisers are: information on the Web sites and pages within those sites visited by consumers; the time and duration of the visits; query terms entered into search engines; purchases; "click-through" responses to advertisements;" and the Web page a consumer came from before landing on the site monitored by the particular ad network (the referring page). All of this information is gathered even if the consumer never clicks on a single ad. The information gathered by network advertisers is often, but not always, anonymous, .i.e., the profiles are frequently linked to the identification number of the advertising network's cookie on the consumer's computer rather than the name of a specific person. This data is generally referred to as non-personally identifiable information ("non-PII"). In some circumstances, however, the profiles derived from tracking consumers' activities on the Web are linked or merged with personally identifiable information ("P111"). " This generally occurs in one of two ways when consumers identify themselves to a Web site on which the network advertiser places banner ads." First, the Web site to whom personal information is provided may, in turn, provide that information to the network advertiser. Second, depending upon how the personal information is retrieved and processed by the Web site, the personally identifying information may be incorporated into a URL string" that is automatically transmitted to the network advertiser through its cookie." Once collected, consumer data can be analyzed and combined with demographic and "psychographic"" data from third-party sources, data on the consumer's offline purchases, or information collected directly from consumers through surveys and registration forms. This enhanced data allows the advertising networks to make a variety of inferences about each consumer's interests and preferences. The result is a detailed profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits and enables the advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. The profiles created by the advertising networks can be extremely detailed. A cookie placed by a network advertising company can track a consumer on any Web site served by that company, thereby allowing data collection across disparate and unrelated sites on the Web. Also, because the cookies used by ad networks are generally persistent, their tracking occurs over an extended period of time, resuming each time the individual logs on to the Internet. When this "clickstream" information is combined with third-party data, these profiles can include hundreds of distinct data fields. Although network advertisers and their profiling activities are nearly ubiquitous,'o they are most often invisible to consumers. All that consumers see are the Web sites they visit; banner ads appear as a seamless, integral part of the Web page on which they appear and cookies are placed without any notice to consumers." Unless the Web sites visited by consumers provide notice of the ad network's presence and data collection, consumers may be totally unaware that their activities online are being monitored. B. An Illustration of How Network Profiling Works Online consumer Joe Smith goes to a Web site that sells sporting goods. He clicks on the page for golf bags. While there, he sees a banner ad, which he ignores as it does not interest him. The ad was placed by USAad Network. He then goes to a travel site and enters a search on "Hawaii. " USAad Network also serves ads on this site, and Joe sees an ad for rental cars there. Joe then visits an online bookstore and browses through books about the world's best golf courses. USAad Network serves ads there, as well. A week later, Joe visits his favorite online news site, and notices an ad for golf vacation packages in Hawaii. Delighted, he clicks on the ad, which was served by the USAad Network. Later, Joe begins to wonder whether it was a coincidence that this particular ad appeared and, if not, how it happened. At Joe's first stop on the Web, the sporting goods site, his browser will automatically send certain information to the site that the site needs in order to communicate with Joe's computer: his browser type 22 and operating system;21 the language(s) accepted by the browser; and the computer's Internet address. The server hosting the sporting goods site answers by transmitting the HTTP21 header and HTMV' source code for the site's home page, which allows Joe's computer to display the page. Embedded in the HTML code that Joe's browser receives from the sporting goods site is an invisible link to the USAad Network site which delivers ads in the banner space on the sporting goods Web site. Joe's browser is automatically triggered to send an HTTP request to USAad which reveals the following information: his browser type and operating system; the language(s) accepted by the browser; the address of the referring Web page (in this case, the home page of the sporting goods site); and the identification number and information stored in any USAad cookies already on Joe's computer. Based on this information, USAad will place an ad in the pre-set banner space on the sporting goods site's home page. The ad will appear as an integral part of the page. If an USAad cookie is not already present on Joe's computer, USAad will place a cookie with a unique identifier on Joe's hard drive. Unless he has set his browser to notify him before accepting cookies, Joe has no way to know that a cookie is being placed on his computer. When Joe clicks on the page for golf bags, the URL address of that page, which discloses its content, is also transmitted to USAad by its cookie. When Joe leaves the sporting goods site and goes to the travel site, also serviced by USAad, a similar process occurs. The HTML source code for the travel site will contain an invisible link to USAad that requests delivery of an ad as par t of the travel site's page. Because the request reveals that the referring site is travel related, USAad sends an advertisement for rental cars. USAad will also know the identification number of its cookie on Joe's machine. As Joe moves around the travel site, USAad checks his cookie and modifies the profile associated with it, adding elements based on Joe's activities. When Joe enters a search for "Hawaii," his search term is transmitted to USAad through the URL used by the travel site to locate the information Joe wants and the search term is associated with the other data collected by the cookie on Joe's machine. USAad will also record what advertisements it has shown Joe and whether he has clicked on them. This process is repeated when Joe goes to the online bookstore. Because USAad serves banner ads on this site as well, it will recognize Joe by his cookie identification on number. USAad can track what books Joe looks at, even though he does not buy anything. The fact that Joe browsed for books about golf courses around the world is added to his profile. Based on Joe's activities, USAad infers that Joe is a golfer, that he is interested in traveling to Hawaii someday, and that he might be interested in a golf vacation. Thus, a week later, when Joe goes to his favorite online news site, also served by USAad, the cookie on his computer is recognized and he is presented with an ad for golf vacation packages -in Hawaii. The ad. grabs his attention and appeals to his interests, so he clicks on it. 111. PROFMING BENEMTS AND PRIVACY CONCERNS A. Benefits Cookies are used for many purposes other than profiling by third- party advertisers, many of which significantly benefit consumers. For example, Web sites often ask for user names and passwords when purchases are made or before certain kinds of content are provided. Cookies can store these names and passwords so that consumers do not need to sign in each time they visit the site. In addition, many sites allow consumers to set items aside in an electronic shopping cart while they decide whether or not to purchase them; cookies allow a Web site to remember what is in a consumer's shopping cart from prior visits. Cookies also can be used by Web sites to offer personalized home pages or other customized content with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual online merchants can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor traffic on their Web sites, cookies allow businesses to constantly revise the design and layout of their sites to make them more interesting and efficient." Network advertisers' use of cookies and other technologies to create targeted marketing programs also benefits both consumers and businesses. As noted by commenters at the Public Workshop, targeted advertising allows customers to receive offers and information about goods and services in which they are actually interested." Targeted advertising can also improve a consumer's Web experience simply by ensuring that she is not repeatedly bombarded by the same ads." Businesses clearly benefit as well from the ability to target advertising because they avoid wasting advertising dollars marketing themselves to consumers who have no interest in their products. Additionally, a number of commenters stated that targeted advertising helps to subsidize free content on the Internet. By making advertising more effective, profiling allows Web sites to charge The privacy issues raised by these uses of cookies are beyond the scope of this report. Data reflecting the use of cookies are reported in the FTC's recent report Privacy Online: Fair Information Practices in the Electronic Marketplace (May 2000) hereinafter "2000 Report" , available at <http://www.ftc.gov/ reports/privacy2OOO/privacy2OOO.pdf> The Commission's vote to issue the 2000 Report was 3-2, with Commissioner Swindle dissenting and Commissioner Leary concurring in part and dissenting in part. more for advertising. This advertising revenue helps to subsidize their operations, making it possible to offer free content rather than charging fees for access." Finally, one commenter suggested that profiles can also be used to create new products and services. First, entrepreneurs could use consumer profiles to identify and assess the demand for particular products or services. Second, targeted advertising could help small companies to more effectively break into the market by advertising only to consumers who have an interest in their products or services." In sum, targeted advertising can provide numerous benefits to both business and consumers. B. Concerns Despite the benefits of targeted advertising, there is widespread concern about current profiling practices. Many commenters at the Workshop objected to network advertisers' hidden monitoring of consumers and collection of extensive personal data without consumers' knowledge or consent; they also noted that network advertisers offer consumers few, if any, choices about the use and dissemination of their individual information obtained in this manner. As one of the commenters put it, current profiling practices "undermine individuals' expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded."" The most consistent and significant concern expressed about profiling is that it is conducted without consumers' knowledge." The presence and identity of a network advertiser on a particular site, the placement of a cookie on the consumer's computer, the tracking of the consumer's movements, and the targeting of ads are simply invisible in most cases. This is true because, as a practical matter, there are only two ways for consumers to find out about profiling at a particular site before it occurs." The first is for Web sites that use the services of network advertisers to disclose that fact in the in privacy policies. Unfortunately, this does not typically occur. As the Commission's recentprivacysurveydiscovered,although57%ofarandomsampleofthebusi estWebsitesailowed third parties to place cookies, only 22% of those sites mentioned third-party cookies or data collection in their privacy policies; of the top I 00 sites on the Web, 78% allowed third-party cookie placement, but only 5l% of those sites disclosed that fact. The second way for consumers to detect profiling is to configure their browsers to notify them before accepting cookies." One recent survey indicates, however, that only 40% of computer users have even heard of cookies and, of those, only 75% have a basic understanding of what they are." The second most persistent concern expressed by cornmenters was the extensive and sustained scope of the monitoring that occurs. Unbeknownst to most consumers, advertising networks monitor individuals across a multitude of seemingly unrelated Web sites and over an indefinite period of time. The result is a profile far more comprehensive than any individual Web site could gather. Although much of the information that goes into a profile is fairly innocuous when viewed in isolation, the cumulation over time of vast numbers of seemingly minor details about an individual produces a portrait that is quite comprehensive and, to many, inherently intrusive.' For many of those who expressed concerns about profiling, the privacy implications of profiling are not ameliorated in cases where the profile contains no personally identifiable information." First, these commenters felt that the comprehensive nature of the profiles and the technology used to create them make it reasonably easy to associate previously anonymous profiles with particular individuals." This means that anyone who obtains access to ostensibly anonymous data - either by purchasing the data or hacking into it - might be able to mine the data and link it to identifiable individuals. Second, commenters feared that companies could unilaterally change their operating procedures and begin associating personally identifiable information with non-personally identifiable data previously collected. Third, commenters noted that, regardless of whether they contain personally identifiable information, profiles are used to make decisions about the information individuals see and the offers they receive. These commenters expressed concern that companies could use profiles to determine the prices and terms upon which goods and services, including important services like life insurance, are offered to individuals (for example, products might be offered at higher prices to consumers whose profiles indicate that they are wealthy, or insurance mightbeofferedathigherpricestoconsumerswhoseprofilesindicatepossi blehealthrisks).' This practice, known as "weblining," raises many of the same concerns that "redlining" and "reverse redlining" do in offline financial markets." Another concern expressed by commenters is that, as consumers begin to learn more about companies' monitoring activities, fear of online monitoring will discourage valuable uses of the Internet that are fostered by its perceived anonymity. As one commenter noted: The anonymity that the Internet affords individuals has made it an incredible resource for those seeking out information. Particularly where the information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, depression, and abortion; sic the ability to access information without risking identification has been critical." Indeed, in support of this point, this commenter' cites studies that it believes suggest that, in both the online and offline world, the perceived anonymity of computer research facilitates access to these kinds of sensitive information." By chilling use of the Internet for such inquiries, several commenters asserted, profiling may ultimately prevent access to important kinds of information." Finally, some commenters expressed the opinion that targeted advertising is inherently unfair and deceptive. They argued that targeted advertising is manipulative and preys on consumers' weaknesses to create consumer demand that otherwise would not exist, and that, as a result, targeted advertising undermines consumers' autonomy.'9 Recent consumer surveys indicate that consumers are troubled by the monitoring of their online activities. First, as a general matter, surveys consistently show that Americans are worried about online privacy. Ninety-two percent say they are concerned about threats to their personal privacy when they use the Internet and seventy-two percent say they are very concerned. Eighty percent of Americans believe that consumers have lost all control over how personal information is collected and used by companies." In particular, surveys show that consumers are not comfortable with profiling. A Business Comments of the Center for Democracy and Technology (CDT) at 19; see also Rebuttal Comments of the Electronic Frontier Foundation (tFF) at 4-5; Reply Comments of the Electronic Information Privacy Center (EPIC) at 2. Week survey conducted in March of this year found that 89% of consumers are not comfortable having their browsing habits and shopping patterns merged into a profile that is linked to their real name and identity. 12 If that profile also includes additional personal information such as income, driver's license, credit data and medical status, 95% of consumers express discomfort." Consistent with the comments received in connection with the Public Workshop, consumers are also opposed to profiling even when data are not personally identifiable: sixty-three percent of consumers say they are not comfortable having their online movements tracked even if the data is not linked to their name or real-world identity." An overwhelming 91 % of consumers say that they are not comfortable with Web sites sharing information so that they can be tracked across multiple Web sites." Many consumers indicate that their concerns about the collection of personal information for online profiling would be diminished if they were given clear notice of what data would be collected about them and what it would be used for, and were given a choice to opt-out of data collection or of particular uses of their personal data. A recent survey by Privacy & American Business explained to Internet users that, in order to offer consumers personalized advertising, companies would need information about the consumer. 16 Internet users were then asked about their willingness to provide that information by: (1) describing their interests; (2) allowing the use of information on their Web site visits; (3) allowing the use of information on their Internet purchases; (4) allowing the use of information on their offline purchases; and (5) allowing the combination of online and offline purchasing information. When told that the company providing tailored ads would spell out how they would use the consumer's information and the consumer would be given a chance to opt-out of any uses that he did not approve, a majority of consumers indicated willingness to provide personal information. With notice and choice, 68% were willing to describe their interests; 58% were willing to allow site visit data to be used; 5 1 % were willing to allow use of online purchasing information; 53% were willing to allow use of offline purchasing data; and 52% were willing to allow the use of combined online and offline purchasing information." Although this survey indicates that, with appropriate notice and choice, many consumers would be willing to allow companies to use their personal information in order to deliver advertising targeted to the consumer's individual needs and interests, the statistics also demonstrate that many consumers are not willing to allow this kind of profiling regardless of whether notice and choice are given. A substantial minority of Internet users - between 32% and 49% - indicated that they would not be willing to participate in personalization programs even if they were told what would be done with their information and were given the choice to opt-out of uses that they did not approve. 18 Internet users are also overwhelmingly opposed to the wholesale dissemination of their personal information. Ninety-two percent say that they are not comfortable with Web sites sharing their personal information with other organizations and 93% are uncomfortable with their information being sold." Eighty-eight percent of consumers say they would like a Web site to ask their permission every time it wants to share their personal information with others. 60 Ultimately, consumers' privacy concerns are businesses 'concerns; the electronic marketplace will not reach its MI potential unless consumers become more comfortable browsing and purchasing online. That comfort is unlikely to come unless consumers are confident (1) that they are notified at the time and place information is collected who is collecting information about them, what information is being collected, and how it will, be used and (2) that they can choose whether their personal information is gathered, how it is used, and to whom it is disseminated." IV. THE FI C'S ROLE IN ADDRESSING ONLINE PRIVACY ISSUES AND SELF- REGULATION A. Legal Authority The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous. competition. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCX'), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce." With the exception of certain industries and activities, the FTCA provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce." Commerce on the Internet falls within the scope of this statutory mandate. B. Online Privacy As noted in Section UI.B., the online collection and use of consumers 'information, including the tracking of individual browsing habits, raise significant concerns for many consumers. These concerns are not new; since 1997, surveys have consistently demonstrated consumer unease with data collection practices in the online marketplace.' The Commission has responded to these concerns with a series of workshops and reports focusing on a variety of privacy issues, including the collection of personal information from children, self-regulatory efforts and technological developments to enhance consumer privacy, consumer and business education efforts, and the role of government in protecting online privacy." The Commission's long-standing goal has been to understand this new marketplace and its information practices and to assess its cost and beneficial effects. It has also used its law enforcement authority to challenge Web sites with deceptive privacy policy statements. In its 1998 report, Privacy Online: A Report to Congress, the Commission summarized widely-accepted principles regarding the collection, use, and dissemination of personal information. These fair information practice principles, which predate the online medium, have been recognized and developed by government agencies in the United States, Canada, and Europe since 1973, when the United States Department of Health, Education, and Welfare released its seminal report on privacy protections in the age of data collection, Records, Computers, and the Rights of CitizenS.61 T he 1998 Report identified the core principles of privacy protection common to the government reports, guidelines, and model codes that had emerged as of that time: (1)Notice - data collectors must disclose their information practices before collecting personal information from consumers ;69 (2)Choice - consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided;' (3)Access - consumers should be able to view and contest the accuracy and completeness of data collected about them; and (4)Security - data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use." It also identified Enforcement - the use of a reliable mechanism to impose sanctions for noncompliance with these fair information practices - as a critical ingredient in any governmental or self-regulatory program to ensure privacy online." The 1998 Report assessed the information practices of commercial Web sites and the existing self-regulatory efforts in light of these fair information practice principles and concluded that an ,effective self-regulatory system had not yet taken hold.74 The Commission deferred judgment on the need for legislation to protect the online privacy of consumers generally, and instead urged industry to focus on the development of broad-based and effective self-regulatory programs. One year later, the Commission issued a second report, Self'-Regulation and Online Privacy: A Report to Congress ("1999Report"). In the l999 Report, a majority of the Commission again recommended that self regulation be given more time, but called for further industry efforts to implement the fair information practices.' The Commission also outlined plans for future Commission actions to encourage greater implementation of online privacy protections, including the public workshop on online profiling. In its 2000 Report, a majority of the Commission concluded that, despite its significant work in developing self-regulatory initiatives, industry efforts alone have been insufficient. Thus, the majority recommended that Congress enact legislation to ensure consumer privacy online.' C. Online Profiling and Self Regulation: the NAI Effort The November 8th workshop provided an opportunity for consumer advocates, government, and industry members not only to educate the public about the practice of online profiling, but to explore self-regulation as a means of addressing the privacy concerns raised by this practice. In the Spring of 1999, in anticipation of the Workshop, network advertising companies were invited to meet with FTC and Department of Commerce staff to discuss their business practices and the possibility of self-regulation. As a result, industry members announced at the Workshop the formation of the Network Advertising Initiative (NAI), an organization comprised of the leading Internet Network Advertisers - 24/7 Media, AdForce, AdKnowledge, Avenue A, Burst! Media, DoubleClick, Engage, and MatchLogic - to develop a framework for self- regulation of the online profiling industry. In announcing their intention- to implement a self-regulatory scheme, the NAI companies acknowledged that they face unique challenges as a result of their indirect and invisible relationship with consumers as they surf the Internet. The companies also discussed the fundamental question of how fair information practices, including choice, should be applied to the collection and use of data that is unique to a consumer but is not necessarily personally identifiable, such as clickstrearn data generated by the user's browsing activities and tied only to a cookie identification number.8' Following the workshop, the NAI companies submitted working drafts of self-regulatory principles for consideration by FTC and Department of Commerce staff. Although efforts have been made to reach a consensus on basic standards for applying fair information practices to the business model used by the network advertisers, this process is not yet complete. The Commission will supplement this report with specific recommendations to Congress after it has an opportunity to fully consider the self- regulatory proposals and how they interrelate with the Commission's previous views and recommendations in the online privacy area. IV.Conclusion The Commission is committed to the goal of ensuring privacy online for consumers and will continue working to address the unique issues presented by online profiling.

LOAD-DATE: June 21, 2000, Wednesday




Previous Document Document 60 of 261. Next Document


FOCUS

Search Terms: personal w/5 information w/5 privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
   
About LEXIS-NEXIS® Congressional Universe Terms and Conditions Top of Page
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.