Comments of the Electronic Privacy Information Center Concerning Consumer On-Line Privacy - P954807

EPIC
666 Pennsylvania Ave., SE
Suite 301
Washington, DC 20003
(202) 544-9240

INTRODUCTION

1. EPIC commends the FTC for conducting the Public Workshop on Consumer Information Privacy. Privacy is clearly an issue of great concern to American consumers. The FTC has the authority and the responsibility to investigate privacy issues, particularly where unfair or deceptive trade practices arise.

REQUEST FOR PARTICIPATION

2. Pursuant to the notice published by the FTC, the Electronic Privacy Information Center (EPIC) formally requests participation in all three sessions scheduled by the FTC for the upcoming workshop. EPIC has satisfied all of the criteria outlined in the agency notice. EPIC has submitted written comments for all three session areas. EPIC's participation would promote a balance of interests at the conference as there are few organizations that represent the public interest and do not receive funding from affected parties with regard to privacy issues. EPIC's participation would promote the consideration and discussion of a variety of issues raised by the FTC study as we have followed closely the work of the FTC and other federal agencies on privacy matters. EPIC has expertise and knowledge of the issues that are the focus of the study and has participated in a number of related privacy investigations, most recently as a member of the panel of experts of the Organization for Economic Cooperation and Development (OECD) that recently put forward international cryptography policy guidelines. EPIC reflects the public interest particularly well in this proceeding as it receives no financial support from any organization that would be directly affected by a decision of the FTC, and in particular has received no support from the Direct Marketing Association, credit reporting agencies, or database marketing firms. EPIC has been designated by the US Privacy Council as a party that shares common interests with the Council. Finally, it is for the agency to determine the appropriate number of parties to participate in the public workshop. It is our view that the public concern about privacy matters must be given top priority in this determination.

REVIEW OF PREVIOUS STATEMENTS TO FTC

3. On December 14, 1995 EPIC wrote to the FTC and urged the Commission to "investigate the misuse of personal information by the direct marketing industry and to begin a serious and substantive inquiry into the development of appropriate privacy safeguards for consumers in the information age." We noted the growing privacy concerns among the American public as well as increased consumer resistance to certain new services. We specifically asked the FTC to investigate the following issues:

1. How is personal information collected and sold within the industry? What is the extent of data aggregation on particular individuals? Do current collection and trade practices violate federal or state law?

2. Has the Mail Preference Service actually protected the privacy interests of consumers? Are there better and simpler methods for consumers to control personal data?

3. What are the implications of the sale of direct marketing lists to federal and state investigative agencies? Does this practice violate privacy rights of American citizens? Should it be regulated or prohibited?

4. Could new technologies for anonymous and pseudo-anonymous payment schemes coupled with enforceable legal rights ensure the development of on-line commerce that promotes business opportunity and protects personal privacy? What steps should be taken to pursue these new opportunities?

http://epic.org/privacy/internet/ftc/ftc_letter.html

REVIEW OF JUNE COMMENTS TO FTC

4. At the June 4, 1996 FTC Public Workshop on Consumer Privacy on the Global Information Infrastructure, we made five general points regarding the protection of consumer privacy in the information age. As these points were not adequately reflected in the staff report, we restate them here and ask that they be considered as part of our submission for the upcoming public workshop.

The voluntary approach has failed. Public opinion polls demonstrate that the level of public concern about the absence of effective privacy protection in the United States continues to rise. According to Lou Harris Associates, at no time has public concern about the loss of privacy been greater than it is today. There are a number of explanations for the growing public concern. One explanation may be a general distrust of institutions, both public and private. The better explanation is simply that the law has failed to keep pace with the rapid changes in technology and the commonly accepted expectations of privacy are routinely threatened by new business services. In such an environment, enforceable legal rights are necessary to restore public confidence.

Consumers will demand legal control over personal information. The difference between effective privacy policies and ineffective privacy policies can be seen in the difference between enforceable privacy rights and non-enforceable privacy rights. Where privacy rights are established in law, industry develops appropriate practices to protect identified privacy interests. This is apparent in the operation of the Fair Credit Reporting Act which ensures that consumers have a legal right to copies of their credit reports. Where there is no right, there is no remedy. For example, consumers who attempt to make use of the Direct Marketing Association's Mail Preference Service routinely report that they continue to receive junk mail and that the service is not effective.

Current industry practices are not viable. It has become increasingly obvious that an approach which places burdens on consumers to learn about information practices, object to misuses and monitor compliance has failed to adequately resolve public concerns about privacy. Over time, the gap between privacy problems and privacy solutions has grown. We believe it is now time for a new approach to privacy that is based on (1) the promotion of anonymous payment services and (2) enforceable codes of fair information practices.

Technologies of privacy limit or eliminate the collection of personal information. We have indicated on several occasions that there are many technical approaches to privacy protection. But we noted at the June hearing that the key feature of technologies that enhance privacy is that they limit or eliminate the collection of personally identifiable information. For this reason, we generally favor techniques that promote anonymous or pseudo-anonymous transactions. We do not support techniques that force consumers to disclose privacy preferences as a condition of a commercial transaction. Such techniques will undermine privacy rights and are discriminatory. These are not "Privacy Enhancing Technologies" but rather "Privacy Extraction Technologies", i.e. they require the disclosure of consumer privacy preferences as a condition of engaging in commercial transactions.

Mechanisms which promote anonymity and reduce the collection and use of personal information are discussed in "The Path to Anonymity," published jointly by the Information and Privacy Commissioner, Ontario, Canada and the President Registratiekamer, The Netherlands. The report assesses the types of privacy technologies commercially available "for keeping anonymous the identity of individuals during the rendering of services." The report notes that security (that is, keeping data secure from third party intervention) is only one component of privacy. "The areas covered by privacy are much broader, extending from limitations on the initial collection of personal data ... to restriction of its use to the purpose specified, to prohibitions on any secondary uses." Mechanisms to promote anonymity and thus privacy include: digital signatures, blind signatures, digital pseudonyms, and trusted third parties. The mechanism for digital cash is an extension of the mechanism for pre-paid cards, such as the familiar anonymous telephone card.

Smart companies (and countries) know this. Outside of the United States, companies and countries continue to move forward with plans to provide strong privacy safeguards for consumers, recognizing, as the European Commission noted in 1992, that "privacy protection is a necessary precondition to consumer acceptance of new network services." The European Union will enforce the Data Directive beginning in 1998, Canada is committed to comprehensive private sector safeguards by the year 2000, and MITI has just announced far-reaching privacy safeguards for Japanese consumers. Anonymous cash payments are now being deployed in the EU, Germany, Austria, Norway, and Finland. Direct marketing firms from Canada to Australia are recommending the adoption of private sector privacy legislation to address public concerns about privacy.

NEED FOR ENFORCEABLE PRIVACY CODES

In general, we believe the best approach for Internet privacy would be to develop a Code of Fair Information Practices that would provide clear guidelines for users and service providers. This is the approach that the United States had historically taken in areas where there was public recognition of the need to protect privacy interests. It is also the approach that many countries are taking today to protect privacy interests in the online world.

One possible code, based roughly on the OECD Guidelines of 1980, which the United States has already endorsed, is the following:

The confidentiality of electronic communications should be protected.

Privacy considerations should be recognized explicitly in the provision, use and regulation of Internet services.

The collection of personal data for Internet services should be limited to the extent necessary to provide the service.

Service providers should not disclose information without the explicit consent of service users. Internet service providers should be required to make known their data collection practices to service users.

Users should not be required to pay for routine privacy protection. Additional charges should only be imposed for extraordinary protection.

Service providers should be encouraged to explore technical means to protect privacy.

Appropriate security policies should be developed to protect network communications.

A mechanism should be established to ensure the observance of these principles.

COMMENTS ON FTC NOTICE REQUESTING PUBLIC COMMENT AND ANNOUNCING PUBLIC WORKSHOP

EPIC has attempted to comply with the request of the FTC and to provide responsive answers to all of the questions posed in the agency notice. However, many of the questions request survey data which is not available to us. Nonetheless, we recognize the importance of survey data in the assessment of industry practice, e.g. Reidenberg & Schwartz, Data Protection Law (Michie 1996) (failure of US marketing companies to comply with opt-out procedures), and urge the FTC to pursue these questions. It will become crucial for the FTC to determine the adoption and enforcement of codes of fair information practices.

Information Collection and Use

2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information?

While EPIC did not survey to determine the kinds of information collected, CNET and WIRED have identified click-stream and "cookie" collection of data which in the aggregate can track users between distinct sites and provide a potential bounty for Web advertising agencies. CNET reports "many Internet sites either require registration or ask you to register voluntarily. Not only do they have your name, but subscription services could theoretically track every article you read. One day, someone could use all that information to piece together a fairly detailed personal profile."

2.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate, personal information important for marketing online and for market research? What privacy concerns, if any, are raised by the collection or use of aggregate personal information in this context?

EPIC did not survey the use of this data for marketing online or market research. From a privacy perspective, the collection of aggregate non-user identified data is not a problem.

2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context?

The risks are borne by the consumer who may not be aware of the collection of data, while benefits accrue to the seller of the data. The consumer has no control over the privacy of personal consumer information.

USA Today stated in an editorial (October 25, 1995): "While voluntary compliance might be preferable in an ideal world, it's not likely to work in the real world. The reality is that the absence of government prodding has resulted in too many companies doing too little to protect consumers' privacy rights."

2.4 What surveys, other research, or quantitative or empirical data exist about consumers' perceptions, knowledge and expectations regarding (1) whether their personal information is being or should be collected by Web site operators and the extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of this information; (3) appropriate uses of such information, and (4) whether certain categories of information should never be collected or disclosed to others?

The 1996 Equifax/Harris Consumer Privacy Survey reports nearly two thirds of the public (65%) say "protecting the privacy of consumer information" is "very" important to them. This figure represents a significant four-point increase since 1995 when 61% expressed a similar feeling. Not surprisingly this poll also reports: "Public opinion is divided regarding privacy protection on the Internet, with Internet users leaning toward greater privacy protection." Nearly half of the public agree that users should be able to visit Internet sites and use e-mail without having to give their real identities -- 21% agree "strongly," 27% agree "somewhat," and half disagree, with 21% disagreeing "somewhat" and 29% disagreeing "strongly." Among Internet users, however, the majority agree that this anonymity should exist -- 30% agree "strongly" and another 30% agree "somewhat."

The Georgia Institute of Technology's annual Internet Survey 1996 demonstrates that consumers consider privacy one of the two most important Internet issues. The statement that respondents most strongly agreed with (4.6/5.0) was: "I value being able to visit sites on the Internet in an anonymous manner." A close second at 4.4 was: "A user ought to have complete control over which sites get what demographic information." The desire to control their own information is also seen in the conditions under which users are willing to reveal that information. (GVU's Fifth WWW User Survey, April 1996).

2.5 How many commercial Web sites collect, compile, sell or use personal information? Of these, how many give consumers notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given, (2) the content of such notice, and (3) the costs and benefits, for both consumers and commercial Web sites, of providing such notice.

EPIC did not attempt to survey commercial Web sites or their practices regarding the collection and subsequent use of personal information. However, Amazon.com, often cited as one of the most successful companies on the Web, has a good privacy policy that is based on clear rules and not the collection of arbitrary preference information. Amazon does not sell or rent its list of customers to anyone. Further, Amazon does not generally disclose personally identifiable information to any of its thousands of Associates even though it does make useful aggregate data about marketing activities available. Amazon, in effect, allows user anonymity in the purchase of books on the Web.

2.6 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by those sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised; and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices.

EPIC did not attempt to survey commercial Web sites or the choices they provide consumers. As we note above, we think the better question would focus on what policies and practices are being adopted by commercial web sites to protect consumer privacy.

2.7 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers access to, and an opportunity to review and correct, personal information about them that is collected and retained by those sites?

While EPIC did not survey the marketplace, if this mechanism is available it is so poorly advertised as to be non-existent.

2.8 Of the commercial Web sites that collect, compile, sell or use personal information, how many have procedures to maintain the security of personal information collected from consumers online, and what are those procedures?

Existing security procedures are in place primarily to keep data secure from third party access, rather than to preserve the privacy of consumers' sensitive identifying information. Security is only one component of privacy and does not equate to limitations on the initial collection of personal data or to restrictions on its use or sale.

Self-regulation

2.9 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

The Direct Marketing Association and Interactive Services Association issued Principles for Unsolicited Marketing E-Mail. They are:

1. Online solicitations should be posted to news groups, bulletin boards, and chat rooms only when consistent with the forum's stated policies.

2. Online solicitations should be clearly identified as solicitations and should disclose the marketer's identity. Marketers using e-mail should furnish consumers with whom they do not have an established business relationship with notice and a mechanism through which they can notify the marketer that they do not wish to receive future online solicitations. Marketers using e-mail should furnish consumers with whom they have an established business relationship with notice and a mechanism through which they can request that the marketer suppress their e-mail addresses from lists or databases rented, sold, or exchanged for online solicitation purposes.

3. Any person who uses for online solicitation purposes e-mail addresses or screen names collected from the online activities of individuals in public or private spaces should see to it that those individuals have been offered an opportunity to have this information suppressed.

4. Marketers who operate chat areas, news groups, and other public forums should inform individuals using these spaces that information they voluntarily disclose in these areas may result in unsolicited messages to those individuals by others.

5. All persons involved in the use, rental, sale or exchange of lists and data for online solicitation purposes should take reasonable steps to ensure that such sharing of lists and data adheres to these industry principles. Industry groups should take appropriate steps to encourage their members to follow these principles. (www.isa.net/pubpol)

These principles serve little purpose beyond meeting the needs of public relations. These principles are extremely weak; the burden falls to the consumer to notify the marketer that they do not want to receive future solicitations. Where is an affirmative policy which states that information will not be collected for future use or sale?

The policy states: "Any person who uses for online solicitation purposes e-mail addresses or screen names collected from the online activities of individuals in public or private spaces should see to it that those individuals have been offered an opportunity to have this information suppressed" -- placing the burden on the individual and condoning the surreptitious collection of information.

Where is the educational campaign and/or the advertising to assure that individuals "have been offered an opportunity to have this information suppressed"? Consumers have not been presented with an opportunity to suppress the sale of their e-mail address to a secondary market. Most importantly, there is no mechanism for enforcement of these principles.

2.10 What steps have individual commercial Web sites taken since June 1996 to address online privacy issues? How many have employed the procedures for notice and choice set forth in the Joint Statement on Online Notice and Opt-Out presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?

EPIC did not survey commercial Web sites to determine self-regulatory steps taken to address online privacy issues or to determine how many sites actually follow these voluntary procedures.

2.11 How many online services have implemented the procedures set forth in the Interactive Services Association's Guidelines for Online Services: The Renting of Subscriber Mailing Lists submitted for inclusion in the June 1996 Workshop record?

EPIC did not survey online services to determine how many have implemented the procedures set forth in the Interactive Services Association's Guidelines for Online Services.

2.12 How many marketers have implemented the provisions of the Coalition for Advertising Supported Information and Entertainment's (CASIE) Goals for Privacy in Marketing on Interactive Media presented at the June 1996 Workshop?

EPIC did not survey marketers to determine the extent of implementation of the CASIE Goals for Privacy in Marketing on Interactive Media. The first goal is: "We believe it is important to educate consumers about how they can use interactive technology to save time and customize product and service information to meet their individual needs". Our final goal is: "We believe consumers ought to have the ability to obtain a summary of what personal information about them is on record with a marketer that has solicited them via interactive electronic communication. In addition, a consumer ought to be offered the opportunity to correct personal information, request that such information be removed from the marketer's database (unless the marketer needs to retain it for generally accepted and customary accounting and business purposes), or request that the marketer no longer solicit the consumer."

This is public relations, not privacy policy. Educational efforts are largely invisible and consumers have no easy, widely publicized mechanism for obtaining and correcting personal information. Once again the burden is solely on the consumer and there is no mechanism for enforcement.

2.13 What privacy concerns, if any, are not adequately addressed by existing guidelines?

The guidelines do not address privacy. They do not propose an up-front affirmative position that personal information will not be collected, used or sold.

Technological Developments

2.14 Has interactive technology evolved since June 1996 in ways that could address online privacy issues? To what extent is it currently available and being used by consumers and commercial Web sites?

In the evolution of new technology the test must be: does it minimize or eliminate the collection of personal information? Privacy enhancing techniques, specifically those which address anonymity, must be promoted. Today's technocrats all too often promote the technology which allows web site operators to surreptitiously track the activities of Internet users, rather than technology to enhance anonymity.

2.15 What are the risks and benefits to both consumers and commercial Web sites, of employing such technology? What are consumers' perceptions about the risks and benefits of using such technology to address online privacy issues?

Without a clear definition of the technology under consideration, this question cannot be answered. As a general matter, many programs for operating web sites provide useful aggregate data about the usage of the site. However, techniques that require consumers to disclose privacy preferences will not be favored by consumers and will lead to discriminatory conduct in the marketplace.

Unsolicited Commercial E-mail

2.16 How widespread is the practice of sending unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?

While it would be difficult to adequately survey the extent of the practice of sending unsolicited commercial e-mail, it is pervasive enough to have inspired a spate of anti-E-mail activities and the new nuisance of e-mail spamming. Privacy interests are implicated just as they are with the inconvenience of traditional paper mail and tele-marketing. While paper mail burdens the consumer and the environment, e-mail fills the consumer's disk space. Both are intrusive.

2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e-mail?

Once again, the risks and burden are borne by the consumer. The benefit is to the business. Consumers are beginning to learn by experience that requesting subscriptions, down-loads, viewing of ads, or answering questionnaires will lead to unexpected, unsolicited e-mail.

2.18 What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they?

This activity is regulated for faxes and phone solicitations through the Telephone Consumer Protection Act of 1991.

2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.

Anonymous or pseudo-anonymous mail addresses which discourage data links should minimize unsolicited e-mail.

2.20 How many commercial entities have implemented the Principles for Unsolicited Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?

EPIC did not survey to determine how many commercial entities have implemented the Principles for Unsolicited Marketing E-mail. However, educational activities to alert the public to these principles have been woefully inadequate. It is not clear that even the Direct Marketing Association is aware of how many organizations follow the principles and to what extent each marketer follows the principles.