Electronic Privacy Information Center
Committee on the Judiciary
U.S. House of Representatives
2141 Rayburn House Office Building
The protection of privacy is quickly emerging as a central concern for Americans as we approach the twenty-first century. In the past year we have seen national protests launched against companies that design computer chips and computer software that could endanger personal privacy. More than a quarter of a million Americans opposed a banking regulation that would have established extensive government reporting requirements on routine financial transactions. And polls routinely show that the lack of privacy protection is contributing to growing public unease about the use of the Internet for commercial transactions. Will privacy policies actually protect the privacy rights of Americans in the years ahead?
Simply stated, I believe that the current efforts to promote industry self-regulation will not adequately address the public concerns about privacy and the Internet. Industry policies are typically incomplete, incoherent, and unenforceable. They are having little impact on actual data collection practices. Instead of reducing the demand for personal information or encouraging the development of privacy enhancing techniques, industry privacy policies are literally papering over the growing problem of privacy protection online.
A better approach would be to establish a legal framework that provides simple, predictable, uniform rules to regulate the collection and use of personal information. Not only is this approach consistent with US privacy legislation, it would also provide clarity and promote trust for consumers and businesses in the new online environment. I also believe that protecting privacy rights in law would encourage the development of better techniques to protect privacy and, in the long term, reduce the need for government intervention. The key is to pursue the enforcement of Fair Information Practices and the development of methods that reduce the need for personally identifiable information.
PRIVACY PROTECTION AND THE ROLE OF FAIR INFORMATION PRACTICES
Up until a few years ago, legislating privacy protection was a straightforward problem. The basic goal was to outline the responsibilities of organizations that collect personal information and the rights of individuals that give up personal information. These rights and responsibilities are called "Fair Information Practices" and they help ensure that personal information is not used in ways that are inconsistent with the purpose for which they were collected. Fair Information Practices typically include the right to limit the collection and use of personal data, the right to inspect and correct information, a means of enforcement, and some redress for individuals whose information is subject to misuse.
Fair Information Practices are in operation in laws that regulate many sectors of the US economy, from companies that grant credit to those that provide cable television services. Your video rental store is subject to Fair Information Practices as are public libraries in most states in the country. The federal government is subject to the most sweeping set of Fair Information Practices. It is called the Privacy Act of 1974 and it gives citizens basic rights in the collection and use of information held by federal agencies. It also imposes on these same agencies certain obligations not to misuse or improperly disclose personal data.
The current debates in Congress over protecting medical records and financial records follow in this tradition. And privacy laws in these areas will reflect the rights that Congress is prepared to extend to patients and bank customers who seek to safeguard their personal information.
The United States and more than a hundred US companies pledged to support the OECD Guidelines almost twenty years ago. It is worth noting also that the United States has a particularly strong tradition of extending privacy rights to new forms of technology. For example, subscriber privacy provisions were included in the Cable Act of 1984. New protections for electronic mail were adopted in the Electronic Communications Privacy Act of 1986. Video rental records were safeguarded as a result of the Video Privacy Protection Act of 1988. And auto-dialers and junk faxes were regulated by the Telephone Consumer Protection Act of 1991. Even the original Privacy Act of 1974 came about in response to growing public concern about the automation of personal records held by federal agencies.
Viewed against this background, the problem of privacy protection in the United States in the early 1990s was fairly well understood. The coverage of US law was uneven: Fair Information Practices were in force in some sectors and not others. There was inadequate enforcement and oversight. Technology continued to outpace the law. And the Europeans were moving forward with a comprehensive legal framework to safeguard privacy rights of their citizens.
Some said that the interactive nature of the Internet made possible a new approach to privacy protection, one that focused on individuals exercising privacy "choice" or "preferences." But providing a range of choices for privacy policies turns out to be a very complicated process, and there is no guarantee that a person's privacy preferences on one day will be the same the next. In the rush to avoid a "one size fits all approach," those who focused on privacy choices may have discovered paradoxically that "many sizes fit none." In other words, simple, predictable, uniform rules make it easier for individuals to exercise control over their personal information than an endless selection of choices that turn out to be meaningless.
An additional problem was created by the somewhat awkward role of the Federal Trade Commission. Because the United States lacks an agency with the expertise and competence to develop privacy policies, the FTC was cast in the role of de facto privacy agency. But the FTC did not itself have the authority to enforce Fair Information Practices or to promote the development of the various privacy enhancing techniques that were being pursued by other privacy agencies around the world. The FTC relied instead on its Section 5 authority to investigate and prosecute fraudulent or deceptive trade practices.
The better approach would have been to look at the Internet and ask how it could make it easier to apply and enforce Fair Information Practices. For example, one of the hard problems in privacy protection is ensuring that individuals are able to access and correct information about themselves. In the paper world, the right of access is an elaborate and costly process for both businesses and consumers. Records must be copied and sent by mail. In the online world it is much easier to provide ready access to profile information. In fact many web sites today, from airline reservations to online banking, are making information that they have about their customers more readily available to their customers over the Internet. It is not "choice" that customers are exercising but rather "control" over their personal information held by others.
The Internet is also offering interesting developments in the use of techniques for anonymity and pseudo-anonymity to protect online privacy. These techniques enable commercial transactions while minimizing or eliminating the collection of personal information. Such techniques avoid the need for privacy rules simply by avoiding the rights and responsibilities that result from the collection and use of personal data.
THE ROLE OF PRIVACY SURVEYS
For the last several years a great effort has been underway to encourage industry groups to develop policies for self-regulation. Self-regulation has been offered as an effective and appropriate way to encourage industry groups to respond to public concerns about privacy without the actual burden of changing practices or reducing the growing dependence on personal information. The critical question that is typically ignored in the quest for solutions based on self-regulation is whether it is an effective means to protect personal privacy.
Users of web-based services and operators of web-based services have a common interest in promoting good privacy practices. Strong privacy standards provide assurance that personal information will not be misused, and should encourage the development of on-line commerce. We also believe it is a matter of basic fairness to inform web users when personal information is being collected and how it will be used.
We recommended that:
- Privacy policies should state clearly how and when personal information is collected.
- Web sites should make it possible for individuals to get access to their own data.
- Cookie transactions should be more transparent.
- Web sites should continue to support anonymous access for Internet users.
Not surprisingly, the 1998 FTC survey found an increase in the number of web sites posting privacy policies.
Two recent surveys, funded by industry groups, found an increased number of web sites are now posting privacy policies. While many were quick to take this finding as an indication that self-regulation is working, a quick look behind the numbers reveals a different story. Less than 10% of the web sites have privacy policies that include the minimal elements proposed by the FTC. The collection and use of information among commercial web sites is rapidly accelerating.
The survey methodology also reflects a lack of interest in the various techniques that would enable privacy protection through anonymity. The German government for example, more than two years ago adopted legislation to encourage the use of anonymity for commercial sites on the Internet. A survey that attempted to measure online privacy in 1999, as compared with our survey in 1997, should move the inquiry forward by trying to determine what techniques were being adopted to protect online privacy and specifically ask about the availability of techniques that would enable users to protect the disclosure of their personal information, particularly in the absence of enforceable Fair Information Practices.
THE GLOBAL PICTURE
To understand the larger picture of privacy protection, it is necessary to look beyond the United States and the narrow issue of whether web sites post privacy policies. In 1998 EPIC undertook the first comprehensive survey on international privacy laws and practices. The report Privacy and Human Rights 1998: An International Survey of Privacy laws and Developments looked in detail at the state of privacy in fifty countries around the world. We found that:
- Privacy is a fundamental human right recognized in all major international treaties and agreements on human rights. Nearly every country in the world recognizes privacy as a fundamental human right in their constitution, either explicitly or implicitly. Most recently drafted constitutions include specific rights to access and control one's personal information.
- New technologies are increasingly eroding privacy rights. These include video surveillance cameras, identity cards and genetic databases.
- There is a growing trend towards the enactment of comprehensive privacy and data protection acts around the world. Currently over 40 countries and jurisdictions have or are in the process of enacting such laws. Countries are adopting these laws in many cases to address past governmental abuses (such as in former East Bloc countries), to promote electronic commerce, or to ensure compatibility with international standards developed by the European Union, the Council of Europe, and the Organization for Economic Cooperation and Development.
- Surveillance authority is regularly abused, even in many of the most democratic countries. The main targets are political opposition, journalists, and human rights activists. The U.S. government is leading efforts to further relax legal and technical barriers to electronic surveillance. The Internet is coming under increased surveillance.
A review of the surveys undertaken over the last several years leads to the following general observations:
First, while it can be shown that more web site operators are posting privacy policies, there is little evidence that this is translating into better privacy protection for Internet users. There is still no effective means of enforcement. No real effort has been undertaken to begin auditing or conduct oversight to ensure that the privacy policies posted are being followed.
Second, just as the number of web site privacy policies has increased, so too have the demands for personal information. Indeed, it would not be too difficult to show that the collection and use of personal data online over the last few years has far exceeded the development and enforcement of privacy policies. In this respect, the "privacy gap" has widened, not narrowed, since 1997.
Fourth, there has been a movement away from the consideration of techniques that could protect privacy and reduce the need for legislation. When EPIC undertook the first survey of Internet policies, we were very much aware that anonymity would play a critical role in protecting online privacy. We continue to believe that a much greater emphasis must be placed on developing techniques that reduce the demand for personally identifiable information.
ROLE OF THE FEDERAL TRADE COMMISSION
Much has been made in the last few years about the role of the Federal Trade Commission in defending the privacy rights of Internet users. The FTC has been held out as the de facto privacy agency in the United States and the backstop to enforce Industry self-regulatory policies. And while it is clearly the case that the FTC has expressed great interest in privacy issues, almost four years after it was asked by Congress to investigate the privacy risks associated with computerized databases, the FTC has produced little in the way of privacy assistance or enforcement for Internet users.
In the past three years, the FTC has rendered an opinion in a privacy case about once a year, which is to say that the enforcement of privacy rules comes as often at the FTC as does Christmas. By comparison, the Information and Privacy Commissioner of the Canadian province of British Columbia has issued 200 orders in the same time period.
Interestingly, one of the ongoing problems with the FTC's investigation of privacy complaints is the lack of transparency into the agency's own practices for pursuing privacy investigations. Earlier this year, there was a national campaign to stop the release of a computer chip that would enable ubiquitous identification across the Internet. While this technique may have provided some benefits in certain commercial applications, there was little doubt it would also raise enormous privacy issues.
EPIC, Privacy International, and Junkbusters, the groups that organized the campaign against the Intel chip, wrote to the FTC to see if the FTC has the authority to investigate what many would agree is one of the biggest privacy issues so far in 1999. Several months after filing our complaint there is no indication at the FTC web site that any action has been taken on the Intel Pentium III matter. Meanwhile, privacy agencies around the globe have begun formal investigations into the Pentium III matter. How can it be that the agency charged with safeguarding privacy in the United States has yet to issue a statement on this matter?
PROBLEMS WITH SAFE HARBOR
The United States, at least the Administration, has chosen instead to develop a commercial "safe harbor" that allows US firms to meet the minimal requirements necessary to continue to do business in Europe without actually developing any new laws or rights for US citizens. But even this approach may not succeed. The European Commission working group that represents the privacy interests of European citizens has expressed great concerns about the Safe Harbor proposal. The Privacy Working Group recently issued an opinion on the effort. This is what they had to say:
Data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice. In an entirely voluntary scheme such as this compliance with the rules must be at least guaranteed by an independent investigative mechanism for complaints and sanctions which must be, on the one hand dissuasive and, on the other give individual compensation where appropriate.
Significantly, the European expert group also said "the standard set by the OECD Guidelines of 1980 cannot be waived as it constitutes a minimum requirement for the acceptance of an adequate level of protection in any third country."
Leading consumer groups in both the United States and Europe have also rejected the safe harbor approach. In a statement issued last month, the Trans Atlantic Consumer Dialogue, representing sixty consumer organizations from across Europe and the United States, said that:
The Safe Harbor proposal now under consideration by the United States and the European Union fails to provide adequate privacy protection for consumers in the United States and Europe. It lacks an effective means of enforcement and redress for privacy violations. It places unreasonable burdens on consumers and unfairly requires European citizens to sacrifice their legal right to pursue privacy complaints through their national authorities. The proposal also fails to ensure that individual consumers will be able to access personal information obtained by businesses.
TACD urged the rejection of the Safe Harbor proposals and recommended instead the development and adoption of an International Convention on Privacy Protection that will help safeguard the privacy interests of consumers and citizens in the twenty-first century.
It is possible that the Safe Harbor proposal will be adopted in some form by the time of the US-EU Summit in June. But if that comes to pass, a very unfortunate circumstance will result. US firms will offer a higher level of privacy protection for the processing of records on Europeans than they will in processing the records of Americans. This is one of the consequences of a policy that places such little emphasis on the privacy rights of US citizens.
PERSISTENT PRIVACY PROBLEMS AND COOKIES
Another area where the failure of the self-regulatory approach can be seen is in the ongoing debate over cookies and other techniques that enable the collection and use of personal information. While it should be said at the outset that cookies perform many useful functions in the online world, it should also be recognized that there are privacy risks associated with the routine tagging of Internet users who visit web sites.
When we looked at the cookies issue in 1997 we said that one of the main problems was the lack of transparency: users could not make meaningful choices about whether to accept cookies because the purpose and use was completely opaque.
How do things stand two years later? To answer that question I was prepared to produce a survey showing that cookie practices were no more helpful today than they were two years ago. Looking at the Top 100 web sites listed in the Online Privacy Alliance survey, I could show for example that a typical cookie notice looks like the following:
I could even point out that some cookie files have such a long VALUE field that the user does not even get to see the full question:
But as I reviewed the cookie practices at the web sites identified as the Top 100 in the OPA Survey, I uncovered an even more serious problem. Some of the web sites are using the end-user's IP address for the cookie file, which means that if I reprint the cookie statement here you will see my IP address.
Consider the web site www.insidetheweb.com. This is a typical portal site that provides access to other web sites grouped by topic area and is supported by advertising revenue. If you go to the www.insidetheweb.com site, a cookie notice similar to the following will appear on your screen:
We use IP addresses to help diagnose problems with our server, and to administer our Web site. We do not link IP addresses to any personal information such as that provided when registering for a new message board. In rare instances IP addresses may be used to assist in deterring and/or preventing abusive or criminal activity on message boards.
I am not an expert in web protocols but it seems obvious that a cookie that collects a user's IP address is not always anonymous. Is this the basis for an action at the FTC? Perhaps. But the better approach, and the approach that will make it easier to avoid an endless parade to the FTC in the years ahead, is the enforcement of Fair Information Practices and the development of new techniques to protect online privacy. And the studies that are necessary at this point are the ones that look at the actual practices that web sites follow and not the privacy policies, which are often not worth the HTML they're coded in.
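As an added illustration of the kind of practice-level check the testimony asks for (this is not EPIC's code nor that of any site named above), the script below audits Set-Cookie headers for values that embed the visitor's own IP address, whether in dotted, hex or integer form, and for values too long for a consent prompt to display in full. The headers and the client address are constructed samples.

```python
"""Audit Set-Cookie headers for cookies that are not anonymous.

Added example for the cookie discussion in the testimony; it is not EPIC's
code nor that of any site the testimony names. The headers and client
address below are constructed (192.0.2.0/24 is a documentation range).
"""
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Any dotted-decimal IPv4 literal; validated with ipaddress so "999.1.2.3" is rejected.
IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")
# Beyond this many characters a browser's "accept this cookie?" prompt of the
# period cuts the value off, so the user never sees the whole thing (assumed limit).
MAX_DISPLAY = 80

CLIENT_IP = "192.0.2.44"  # constructed: the visitor's own address
SAMPLE_HEADERS = [
    # constructed: cookie keyed on the visitor's address, as the testimony describes
    "visitor=192.0.2.44-19990601; path=/; expires=Wed, 01-Jun-2009 00:00:00 GMT",
    # constructed: the same address, hex-encoded and URL-escaped
    "sess=c000022c%3A7f3a; path=/",
    # constructed: opaque random identifier, nothing to flag
    "id=Qm9yZWQgb2YgY29va2llcw; path=/",
    # constructed: value far longer than a consent prompt can display
    "track=" + "0123456789abcdef" * 8 + "; path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def ipv4_literals(text):
    """Valid IPv4 literals found in text, in order of first appearance."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ip = str(ip_address(cand))
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def client_ip_encodings(client_ip):
    """Forms in which a server might embed the visitor's address in a cookie value."""
    ip = ip_address(client_ip)
    return {
        "dotted": str(ip),        # 192.0.2.44
        "hex": ip.packed.hex(),   # c000022c
        "integer": str(int(ip)),  # 3221226028
    }


def audit_cookie(header, client_ip):
    """Return (cookie name, [(finding, detail), ...]) for one Set-Cookie header."""
    name, value, _attrs = parse_set_cookie(header)
    decoded = unquote(value)
    findings = []
    for ip in ipv4_literals(decoded):
        findings.append(("ipv4_literal", ip))
    for form, enc in client_ip_encodings(client_ip).items():
        # Hex-digit boundaries so a short encoding is not matched inside a longer number.
        pattern = r"(?<![0-9a-fA-F])" + re.escape(enc) + r"(?![0-9a-fA-F])"
        if re.search(pattern, decoded, re.IGNORECASE):
            findings.append(("client_ip", form))
    if len(value) > MAX_DISPLAY:
        findings.append(("long_value", str(len(value))))
    return name, findings


def audit_all(headers, client_ip):
    """Audit every header; return {cookie name: findings} for cookies with findings."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header, client_ip)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS, CLIENT_IP).items():
        print(cookie, findings)
```

Run against real response headers captured from a site, the report lists which cookies carry the visitor's own address and so cannot be called anonymous.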
PRIVACY LAWS AND PRIVACY TECHNIQUES
I am very much aware of the important work by members of this Subcommittee and particularly Mr. Goodlatte to promote the widespread availability of strong techniques, such as encryption, to protect the privacy and security of network users and to reduce the risk of crime and network attack. As you may know, EPIC was established in 1994 in the campaign to stop the Clipper encryption scheme, and we very much support your continued efforts to relax export controls.
The interesting question, though, is whether it is more or less difficult to make strong techniques available to protect privacy in countries that do not respect the right of privacy in law. While some continue to view privacy techniques as an alternative to privacy laws, I think the better and more accurate view is that privacy techniques and privacy laws are complementary. Strong encryption is more likely to emerge and be freely used in countries where the legal right of privacy is well established.
The point is clear if you consider the recent history of negotiation over international cryptography policy. The United States government has tried repeatedly to obtain foreign acceptance of the key escrow concept, but such efforts have been resisted in part because of national privacy laws and the European Data Directive, which make key escrow encryption inherently suspect. Only when the United States had the opportunity to pursue an international negotiation on encryption policy beyond the reach of national privacy authorities was it possible to obtain support for new export limitations on the use of encryption software.
Thus privacy laws and privacy officials turn out to be an ally not only for consumers, citizens, and users but also for companies and developers of advanced networked services. Privacy agencies around the globe continue to support the development of genuine privacy enhancing techniques that may in the long term obviate the need for much privacy legislation. Technology professionals also understand that the design and development of information systems means that the responsibility for privacy risks must be carried by those who are best able to avoid the problem. The Association for Computing Machinery has had a long-standing commitment to privacy protection. The ACM's own code of professional conduct makes clear that it is the developer of systems who must in the end take responsibility for privacy protection.
The lesson here is that if we want good techniques to promote privacy online we will need good laws for online privacy.
I won't pretend that privacy protection in the online world will be easily solved. We are at the beginning of a long and complicated process. We will constantly have to make decisions individually and collectively about how important we believe privacy to be and what steps we are prepared to take. Imagining a comprehensive solution to information privacy in 1999 would be like trying to imagine how to solve the problem of environmental protection in 1899; many of our greatest challenges lie ahead.
But I do think that more can be done to protect privacy and that Congress will have a significant role to play. There is more than enough precedent in US law and enough ingenuity in the technical community to move us in the right direction and give us at least a fighting chance of protecting what Justice Brandeis called "the most comprehensive of all rights and the right most cherished by a free people."
Key steps will include the following:
- Establish a privacy agency with the expertise, competence and resources to assist consumers, act as ombudsman, and serve as a voice for privacy within the administration
- Promote the establishment and enforcement of Fair Information Practices and encourage the development of simple, predictable uniform rules to protect personal information
- Encourage the development of new techniques that limit or eliminate the collection of personally identifiable information
The time for surveys has passed. If we are to protect privacy, then we must take the necessary steps to ensure that the loss of privacy will not be the cost of the Information Society.
1 The Electronic Privacy Information Center is a project of the Fund for Constitutional Government, a non-profit charitable organization established in 1974 to protect civil liberties and constitutional rights. More information about EPIC is available at the EPIC web site http://www.epic.org.
2 See generally, Robert Gellman, "Does Privacy Law Work?" in P. Agre and M. Rotenberg, Technology and Privacy: The New Landscape (MIT Press 1998)
3 M. Rotenberg, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments 1-37, 95-97 (Fair Credit Reporting Act of 1970, Cable Communications Policy Act of 1984) (EPIC 1998) [hereinafter Privacy Law Sourcebook]
4 Privacy Law Sourcebook 38-54.
5 Privacy Law Sourcebook 161-87.
6 BASIC PRINCIPLES OF NATIONAL APPLICATION
Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: (a) with the consent of the data subject; or (b) by the authority of law.
Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.
7 Privacy Law Sourcebook 163-64.
8 Privacy Law Sourcebook 98-131.
9 Privacy Law Sourcebook 132-34.
10 Privacy Law Sourcebook 144-52.
11 See, e.g., EC Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, "Anonymity on the Internet" (1997) reprinted in Privacy Law Sourcebook 331-42.
12 EPIC, "Surfer Beware I: Personal Privacy and the Internet" (1997) [http://www.epic.org/reports/surfer-beware.html]
13 FTC, "Online Privacy: A Report to Congress" (1998) [http://www.ftc.gov/reports/privacy3/index.htm].
14 Prepared statement of the Federal Trade Commission on "Internet Privacy" before the Subcommittee on Courts and Intellectual Property of the House Judiciary Committee, March 26, 1998 [http://www.ftc.gov/os/1998/9803/privacy.htm]
16 "Online Privacy Alliance Says Web Sweeps Confirm Significant Progress in Privacy Self-Regulation," Online Privacy Alliance [http://www.privacyalliance.org/news/05121999.shtml].
17 EPIC and Privacy International, Privacy and Human Rights: An International Survey of Privacy Laws and Practice (EPIC 1998)
18 Colin Bennett, Regulating Privacy (Cornell 1992).
19 Letter from EPIC Director Marc Rotenberg to FTC Commissioner Christine Varney (December 14, 1995) ("I am writing to you to urge the Federal Trade Commission to investigate the misuse of personal information by the direct marketing industry and to begin a serious and substantive inquiry into the development of appropriate privacy safeguards for consumers in the information age.") http://www.epic.org/privacy/internet/ftc/ftc_letter.html. Letter from Senators Bryan, Pressler, and Hollings to FTC Chairman Robert Pitofsky ("We are writing to request that the Federal Trade Commission conduct a study of possible violations of consumer privacy rights by companies that operate computer data bases.") [http://www.epic.org/privacy/databases/ftc_databases.html]
20 "Office of Information and Privacy Commissioner British Columbia," Table of orders (Last Updated May 13, 1999) [http://www.oipcbc.org/orders/orders_index.html]
21 "Working document: Processing of Personal Data on the Internet," Adopted by the Working Party on 23 February 1999 (DG XV 5013/99-WP 16) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp16en.htm]; "Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware," Adopted by the Working Party on 23 February 1999 (DG XV 5093/98-WP 17) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp17en.htm]
22 Privacy Law Sourcebook 201-27.
24 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Opinion 2/99 on the Adequacy of the "International Safe Harbor Principles" issued by the US Department of Commerce on 19th April 1999, Adopted 3 May 1999 (5047/99/EN/final WP 19) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp19en.htm]
25 TransAtlantic Consumer Dialogue, "Resolution on Safe Harbor Proposal and International Convention on Privacy Protection" (Brussels, April 1999) [http://www.tacd.org/meeting1/electronic.html#safe]
27 Respect the privacy of others.
Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies.
This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users or bona fide authorization related to system operation and maintenance. User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities.
ACM Code of Ethics and Professional