From: Deborah Pierce dsp@eff.org
To: HQ.DCMAIL4(PROFILE)
Date: Tue, Nov 30, 1999 4:58 PM
Subject: FTC Public Workshop on Online Profiling - Rebuttal Comments

Deborah Pierce, Staff Attorney
Electronic Frontier Foundation
1550 Bryant Street, Suite 725
San Francisco, CA 94103

November 30, 1999

Secretary
Federal Trade Commission
600 Pennsylvania Avenue, NW, Room H-159
Washington, DC 20280

Sent Via Electronic Mail

Re: FTC Public Workshop on Online Profiling - Rebuttal Comment, P994809
Docket No. 990811219-9219-01

Dear Sir or Madam,

Thank you for giving us the opportunity to submit additional comments in reference to the Public Workshop on Online Profiling that was held recently in Washington DC.

The Electronic Frontier Foundation (EFF) believes that several points were not adequately addressed at the workshop and therefore additional clarification is required. First, there needs to be further discussion about what constitutes "effective notice" and whether self-regulation is still the correct method to ensure that effective notice is provided to consumers. Generally, privacy advocates did not feel that the notice contained in privacy policies was effective enough to protect consumer's privacy. Marketing companies on the other hand, believed that the opportunity to "opt-out" was more than reasonable to protect privacy and still promote business needs. Second, the study presented by Dr. Alan Westin needs to be thoroughly examined to clarify some of the ambiguities presented by the data, as well as the apparent bias present in the questionnaire that was used to conduct the study. Lastly, we wish to comment on the question that was asked over and over at the Workshop, "what is the harm consumers suffer by receiving 'targeted marketing' ads?" After all, even US Department of Commerce Secretary William Daley stated in the opening address that we are a nation of "shoppers" and we like to get personalized service.

Trying to reach a resolution on this issue is difficult since in general, people think that issues surrounding identity are critical, yet we as a society have not yet had a full discussion about it.

Effective Notice and Self-Regulation

Two of the main issues identified at the Workshop were that consumers do not always receive effective notice about how personal information is being gathered about them as they travel through cyberspace, and whether self-regulation is the proper vehicle to continue to protect consumer interests online.

Many of the companies who presented in the morning discussed the types of information that they collect and the purposes for which they use this data. Some collect only information that is not personally identifiable while others collect personally identifiable information. Privacy interests are implicated even for non-identifiable personal information because as it was pointed out, triangulation is inevitable.

Privacy policies for the most part have been ineffective at providing effective notice to consumers about these eventualities. They should nevertheless be regarded as the absolute baseline for privacy protection online and ideally should provide all of the protections outlined in fair information practices guidelines. Corporations that gather and use personal information should implement more comprehensive privacy policies in addition to any additional legislation that is passed by Congress or the states. Right now, privacy policies are often hard to find, and when present often contain only mere disclosures about how personal information will be used. Many times privacy policies are written in legalese, which only adds to consumer confusion. These types of privacy policies do not offer the consumer any meaningful way to protect their privacy online.

So much information can potentially be tracked and collected about consumers that privacy policies must include as much information in them about data collection and uses as possible so that consumers can make an informed choice about whether they want to share information with a particular company or not. Privacy policies should also explain how consumers can access information that is collected about them. This iscritical. Without access, consumers will never know where any incorrect information gathered about them came from and how to ensure that any misadventures that they suffered as a result of the use of incorrect information don't happen again. The policies should be written in clear language so that they are easily understandable and they must be prominently displayed on the front page of the web site.

The situation is similar with regard to banner ads. The US Government's Chief Counselor for Privacy, Peter Swire, commented that information from a consumer's visit to a primary web site is sent to the owner of the banner ad present on the page. People in general do not know this. Privacy policies rarely if ever cover how information is collected through banner ads. Information should be included in privacy policies or elsewhere so that consumers know how banner ads work so they can decide if they want to click on one or not.

Another important question regarding protecting privacy online is who should be responsible for shouldering the burden of helping to keep private information private? It is our position that the responsibility should rest with companies who want to use data collected about individuals. Opt-out provisions do not leave the consumer in control; they inappropriately place the burden of protecting personal data on the consumer, who may or may not be net savvy. Opt-in, while more costly to business would give consumers much greater control simply because the default is that the data can't be used without permission.

FTC Chairman Robert Pitofsky stated at the Workshop that he was not opposed to targeted marketing so long as the consumer remained in control. He also stated that one of the goals was to develop consumer confidence. One of the best ways to do that is to educate the consumer about data that is collected and used and then to give that consumer control over the personal information about her that has been collected.

Self-regulation has not yet given consumers much control over their information. Privacy policies are not prevalent and personal information is still being collected without notice and consent. Access is often times not granted to the consumer. The harsh reality is that regulation is likely needed over and above getting corporations to draft better privacy policies. There must be a mechanism to constrain corporations from gathering as much information about consumers as they can just because technology provides an easy means to do so. More thorough privacy policies, and regulating data gathering processes may help to bolster consumer confidence and therefore make people more inclined to participate in electronic commerce.

Study: "Personalization and Privacy: What Net Users Want

A. Ambiguous Data

The categorizations that Dr. Westin used to classify consumers according to their privacy preferences set the tone for the study and showed an underlying hostility to privacy. In his study people who chose to scrupulously protect their privacy were classified as "privacy fundamentalists". Today, classifying someone as a "fundamentalist" usually has a negative connotation; and it does here as well. "Privacy pragmatists" on the other hand, were described favorably as people who knew how to make the right trade-offs with regard to allowing business to collect private information about them in return for unspecified benefits.

The questions focused on how consumers felt about sharing their information if notice and an opt-out mechanism were present. There was no explanation of what opt-out meant in the questionnaire. This could lead to confusion on the part of those who participated in the study. Additionally, no information was gathered about whether consumers preferred an opt-out to an opt-in mechanism. It would have been much more illuminating to see whether consumers would choose opt-in or opt-out if given a choice. In spite of asking no questions about how consumers felt about opt-in versus opt-out, Dr. Westin still concluded that with regard to personalization of banner ads, the degree of consumer participation depends on the scope of information collected and the sense of ability to exercise control. What would the categories of "privacy fundamentalists" an "privacy pragmatists" look like if questions regarding opt-in choices had been included?

The phraseology of the questions was also troubling. Only one question in the survey addressed the issue that marketing firms collect information and combine it with other personal information about a consumer. This question was phrased as the company wanting to collect information so that they could tailor a banner ad to the consumer's particular interest. No mention was made that profiles are being constructed from the combined information. If the question gave the respondent full disclosure about profiling, would the consumer be so willing to hand over their personal information?

B. Appearance of Bias

Online marketing company DoubleClick underwrote the study. DoubleClick is a large collector of the personal habits of consumers online. Since their merger with Abacus, consumer offline behavior is also available to them. It is in their best interest to conclude that a majority of consumers are found to be interested in receiving tailored advertisements. It is also in their best interest to have findings that support an opt-out mechanism because not only would opt-in would be more costly to implement, but potentially fewer customers would be inclined to participate in targeted marketing programs.

Because the issues surrounding the privacy of individuals are so important, and because of the ambiguities and biases present in the data, the FTC should thoroughly dissect the study examine these statistics before drawing any conclusions about consumer behavior.

How "Targeted Marketing" Harms Consumers

Consumers suffer real harm as a result of the use of targeted marketing. It is not the ads per se that harm the consumer, but the use of all of the individual pieces of personal information that were gathered and combined in order to put together a specific targeted ad.

The harms that people suffer as a result of the targeted marketing process are numerous. Some of the harms include electronic redlining; particularly when companies are able to match online and offline data into one file. Identity theft cases are increasing resulting in more cases of destroyed credit ratings, people being turned down or fired from jobs or being falsely arrested for crimes they did not commit. When people realize how much personal information is being gathered and used to construct profiles they may be less inclined to post to newsgroups and less inclined to seek out information, especially if that information is of a sensitive nature.

As mentioned before in our previous comments on profiling, the 10th Circuit Court recently found that corporations have a First Amendment right to "consumer proprietary network information" (CPNI) that trumps a consumer's privacy right in that same information. That means every phone number that a consumer calls and the duration of that call whether it is to a particular doctor or psychologist, or friends and relatives, are available for marketing purposes and can be used to create a better profile.

It has often been said that people are stripped naked on the Internet and that we should get over the fact that we have no privacy on the Internet. This viewpoint does not take into account the harm that befalls consumers as well as society as a whole. If people are fearful that they are being tracked without their knowledge and that this information is shared with others without their permission, people tend to conform to accepted or "normal" behavior.

Taking away an individual's uniqueness is a way that people can be broken down. We have many examples of this in our society. Soldiers are given identical haircuts and uniforms so that they all look the same. Their individuality has been taken from them on the theory that this makes better soldiers. The same is done to inmates at prisons; their identity is taken from them so that they become easier to manage. There have been countless news articles in the press recently that illustrate the consequences of looking or acting different than what is considered "normal." Students have been suspended or expelled from school for no other reason than because they have blue hair, wear black clothes or because they have web sites that school authorities don't approve of. Some students fight back with lawsuits, but we do not know how many others break down and conform their looks or actions to what is accepted in order to avoid being suspended or expelled. The use of profiles to determine who should receive a certain advertisement for a particular service and who should be excluded from the pool promote conformity among consumers.

Sameness is not what makes our culture so vibrant. It is our uniqueness that makes it possible for many new ideas to flourish. For these reasons we must put in place mechanisms to protect personal information online.

Conclusion

As stated in EFF's original comments, the proliferation of new corporate databases filled with personal information used to construct profiles and which is shared and sold without consumer notice or consent is undermining consumer privacy, with potentially severe consequences. Lack of controls on how information is shared or sold contributes to the decrease of privacy for consumers. The continuing loss of privacy due to better abilities to profile without any more privacy protections being put in place harms individuals by inhibiting them from participating in commerce and society.

Self-regulation as the only means to protecting consumer privacy on the Internet is not realistically the best method to protect privacy. Ultimately, we will need to employ consumer education programs and legislation as well.

Thank you again for allowing us to submit additional comments. Please feel free to call me at 415-436-9333, x106 if I can be of any further assistance.

Sincerely,

Deborah Pierce
Staff Attorney

CC: HQ.DCMAIL4(MLANDESBERG)