Deborah Pierce, Staff Attorney
Electronic Frontier Foundation
1550 Bryant Street, Suite 725
San Francisco, CA 94103

October 18, 1999

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, N.W.
Washington, DC 20280

Sent Via Overnight Delivery and Electronic Mail

Re: Public Workshop on Online Profiling Session III: The Role of Self-Regulation Online Profiling Project - Comment, P994809
Docket No. 990811219-9219-01

Dear Sir or Madam:

I am writing today on behalf of the Electronic Frontier Foundation (EFF), a nonprofit, public interest organization working to protect rights and promote responsibility in the electronic world. EFF is the leading global organization linking technical architectures and legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and access in the information society.

We are now living in a networked society. This simple fact forces us to rethink our stances on privacy issues across the board because the problems surrounding privacy are so complex. There is no one fix, no one silver bullet that will cure all of the problems associated with protecting privacy. EFF therefore believes that employing self-regulation as the only means used to address the privacy concerns raised by online profiling of consumers on the Internet is not enough. There are several other steps that we should take that would better protect privacy.

  • We need to build an architecture online that supports privacy.
  • Legislation is needed to fill in the gaps from our lack of strong privacy laws.
  • Stronger consumer education programs are needed to help consumers make more fully informed decisions about their personal information online.
  • Fair Information Practices guidelines need to be strengthened to make them more enforceable and to provide meaningful remedies for consumers.
  • No one of these steps alone can fully protect privacy, so we must look to a combination of technology, legislation, enforcement of fair information practices and consumer education together to solve the problem.

We feel that it is useful to discuss each of these potential solutions separately so that if necessary, further workshops can be called to address each component. In these comments we will address the issues that we have identified with each component.

EFF Background

EFF has a long tradition of devising mechanisms to protect privacy and was an early participant in the current debate about privacy and identity. We have gone through a period of discovery while working with other NGOs to find the solutions that will best protect consumer privacy, including market-based solutions. The creation of TRUSTe and its seal program was one such early innovation of EFF. TRUSTe was successful in several areas. It succeeded in its first mission of educating companies about the necessity of privacy policies and giving them a proactive mechanism to help solve the problem. It was useful in getting companies to focus on giving consumers notice and consent mechanisms with which to protect their privacy. It was also useful while we were working to raise awareness of the growing exposure of consumer information and to give companies the time they needed to put effective privacy policies into effect.

We now must move out of this awareness-raising mode and into an action mode where real protection can be achieved. Legislation is needed in order to achieve that goal. TRUSTe would not have been successful without the help of government. Without the real threat of government regulation and enforcement, it is very unlikely that there would have been any impetus for companies to devise any plan to protect consumer privacy on their own. It was only the specter of governmental regulation that caused companies to embrace seal programs like TRUSTe and then BBB Online. This is one reason why we think it is time to move away from a strict self-regulation approach to protecting privacy online.

Architecture is Policy

EFF has long believed that architecture and technology are policy. As Harvard law professor Larry Lessig has often said, "computer code is law". How individuals and businesses transact and evolve is tied to the language and infrastructure underlying this communication. Proactively bringing together the voices for informed debate and the creation of solutions allows us the opportunity to embed socially responsible policy in the technology, as opposed to responding with reactive policies to counteract less responsible infrastructures.

One possible technical solution that works in conjunction with self-regulation is P3P, the Platform for Privacy Preferences Project: "The P3P specification will enable Web sites to express their privacy practices and users to exercise preferences over those practices."(1) The broader goal of P3P is to put in place an architecture online which allows people to control their personal information and to "make informed decisions regarding their Web experience".(2) By allowing individual control, personal information can be requested, transmitted and stored in an informed and secure way. P3P will also empower individuals because they will have some level of control over their information.

Another possible solution is a software product, still in beta, from Zero Knowledge. Their software makes use of pseudonymous identities for consumers to use when browsing the Net for political, personal (including medical), and business information. A separate pseudonym would be created for each activity a consumer engages in. It then becomes quite difficult for a marketer to match profile data collected under one pseudonym to a specific individual, or to profile data collected under another pseudonym.

Legislation

Legislation is needed to strengthen privacy laws to help address the issues relating to privacy and online profiling. Current law is inadequate to protect the privacy of consumers. For example, we have weak laws that cover our video tape rentals and our cable TV viewing habits, but nothing to protect our financial or medical privacy. In addition, it may be time to begin the discussion over whether an overarching privacy law is needed to protect consumer privacy to counteract the weak patchwork of privacy laws currently in effect.

Self-regulation has worked up to a point, but as we saw with TRUSTe, without strong legislation (or the threat to enact legislation), progress has come slowly. For example, today most privacy policy statements read more like disclaimers than any statement about protections for your information. Some statements we have seen have stated that the individual has no expectation of privacy in their information once it is transmitted to the web site. In addition, privacy statements are often difficult to locate on a page.

This discussion has focused on web sites that individuals visit and the information that is collected at that point. But what about the information collected by companies with which the individual has no relationship at all? For example, individuals have no business relationship with DoubleClick, yet DoubleClick, especially given its merger with Abacus, is able to amass a more detailed profile of buying habits and personal preferences than any company that an individual deals with directly, because it observes the same individual across many sites. A privacy statement on a web site would not protect personal information collected by companies like DoubleClick.
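The two mechanisms described above, a third party observing the same identifier across many unrelated sites (the DoubleClick case) and the per-activity pseudonyms of the Zero Knowledge approach, can be shown side by side in a short simulation. The following is an added illustration, not code from this comment or from Zero Knowledge; the sites, the visit log, the tracker's identifier and the HMAC-based pseudonym derivation are all constructed assumptions for the example and say nothing about how Zero Knowledge's product actually derives its pseudonyms.

```python
"""Cross-site profiling with one shared identifier vs. per-activity pseudonyms.

Added illustration; not code from the EFF comment or from Zero Knowledge.
The tracker, sites, users and visit log below are constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed visit log: (first-party site, activity label, item viewed).
# The activity label models the separate contexts the letter mentions
# (political, medical and business browsing).
VISITS = [
    ("news.example", "political", "candidate-x-rally"),
    ("health.example", "medical", "oncology-clinic-finder"),
    ("shop.example", "business", "laptop-bag"),
    ("news.example", "political", "ballot-measure-7"),
]


def visits_with_shared_cookie(visits, cookie):
    """The ad network's view when every site embeds its beacon and the
    browser sends the same third-party cookie on each request: every
    visit arrives tagged with one persistent identifier."""
    return [(cookie, site, item) for site, _activity, item in visits]


def pseudonym(master_secret: bytes, activity: str) -> str:
    """Derive a stable, activity-specific identifier.

    HMAC-SHA256 is an assumed derivation chosen for the example, not a
    description of Zero Knowledge's design. Given only two pseudonyms and
    not master_secret, a tracker cannot tell whether they belong to the
    same person; the same secret and label always yield the same value,
    so a consumer keeps a persistent identity within one activity.
    """
    tag = hmac.new(master_secret, activity.encode(), hashlib.sha256)
    return tag.hexdigest()[:16]


def visits_with_pseudonyms(visits, master_secret):
    """The ad network's view when the browser presents a different
    pseudonym for each activity instead of one shared cookie."""
    return [(pseudonym(master_secret, act), site, item)
            for site, act, item in visits]


def build_profiles(tracker_log):
    """What the tracker can assemble: every (site, item) seen, keyed by
    whatever identifier accompanied the request."""
    profiles = defaultdict(list)
    for ident, site, item in tracker_log:
        profiles[ident].append((site, item))
    return dict(profiles)


if __name__ == "__main__":
    # One cookie: a single profile spanning politics, health and shopping.
    print(build_profiles(visits_with_shared_cookie(VISITS, "uid-12345")))
    # Per-activity pseudonyms: three fragments the tracker cannot link.
    print(build_profiles(visits_with_pseudonyms(VISITS, b"user master secret")))
```

With the shared cookie the tracker ends up holding one record that ties a medical search to a political interest and a purchase; with per-activity pseudonyms it holds three unrelated records, and nothing in its logs connects them. The example also shows the property a consumer still needs: the political pseudonym is the same on both news.example visits, so a site can keep state for that persona without the tracker being able to join it to the others.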

With regard to technology, getting technological specifications into products to protect privacy is not happening quickly enough. We also still need to have discussions with NGOs and government regarding embedding policy in architecture. It would be preferable if government were able to provide direction about how to provide a baseline for protecting privacy in software specifications with the goal of requiring that Fair Information Practices guidelines be built into the specifications.

Consumer Education

Self-regulation does not address the persistent questions that still exist about educating consumers about privacy. Education of all segments of our population about privacy issues online is necessary if consumers are to make informed decisions about their personal data. One of the difficult questions is who will pay for this educational effort and who will administer it. Should it be up to the companies who collect the personal information? Should it be up to the consumer? Does the education process need to be provided for in legislation? Industry's message has consistently been that self-regulation has worked well, that companies continue to make progress, and that we therefore shouldn't do anything at this point to interfere with the growth of this fledgling marketplace. But self-regulation has always ignored consumer education issues.

On the other hand, we have heard consistently from consumers that privacy on the Internet is an important concern. The AT&T study "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy" found that only 13% of those in the study were either "not very" or "not at all" concerned about privacy. (3) Even among those who were concerned, responses indicated that they are unaware of the scale of data collection that is occurring and do not understand some of the technologies employed in data collection, such as cookies. Further, while we have not done any formal studies, there appears to be a widespread assumption that privacy is a right protected by law and is therefore automatically protected. In many cases consumers are not even aware that there is a threat to their privacy. Placing the entire burden of protection on consumers therefore seems unfair.

Some form of consumer education needs to take place surrounding privacy-promoting technologies, such as encryption, programs that allow for anonymous surfing of the Net and the P3P and Zero Knowledge technologies. Through these education programs, individuals would be better able to decide for themselves how to protect their personal information.

Fair Information Practices

Much has been written about the need to strengthen Fair Information Practices guidelines. They need to be given real teeth so that they can be effectively enforced. In the FTC's report, "Self-Regulation and Privacy Online: A Report to Congress", the Commission found that most companies that have privacy statements on their web sites have incorporated the "notice" prong of fair information practices into their privacy statements. They have yet to incorporate the other prongs: consent, consumer access to the stored information, security of the information, and enforcement of the guidelines.

The absence of the other four prongs is especially important with regard to online profiling. One of the pitfalls of relying only on self-regulation to protect privacy is that users are often unable to find out who is collecting information about them and how to manage that flow of information. Incorporation of all of the prongs would allow consumers to find out who is collecting information about them.

Legislation is particularly needed to put teeth into the "enforcement" prong of the guidelines. With regard to companies who collect information through their web sites, although there has been improvement, most sites still do not have privacy policies and even when they do, when corporations violate their own privacy policies there is often no means of redress for consumers.

Lack of security for sensitive and non-sensitive information alike is also a problem. We see almost weekly the effects that lack of security can have on information that is collected and stored in databases. Email accounts are invaded, medical records are accessed by unauthorized personnel and the list goes on. Ensuring that companies have procedures in place to protect consumer information is paramount.

Legislation is also needed to provide for customers to meaningfully consent to the use of their personal information. The problem becomes acute when we see that banks and insurance companies want to merge. Financial and medical information then becomes available to one giant firm. We should pass legislation that ensures that a mortgage company isn't able to call in a borrower's loan because the company has just found out that the borrower has filed a medical claim for cancer treatment.

In this same vein, bankruptcy laws should be investigated and updated to better protect privacy. Currently, these laws do not allow privacy contracts to transfer along with any data that is acquired. For example, today if a company has a privacy policy stating that a consumer's information will not be shared with others and has a TRUSTe seal, and the company goes bankrupt, that privacy statement will not be enforced. Laws like this need to be updated to preserve the privacy protections consumers had prior to the bankruptcy.

Conclusion

Self-regulation as the only means to protecting consumer privacy on the Internet is not realistically the best method to protect privacy. Ultimately, we will need to employ not only new technological developments, but consumer education programs and legislation as well.

Thank you again for giving us the opportunity to submit comments for the upcoming workshop. Please contact me at 415-436-9333, ext. 106 if I can clarify any of the above comments.

Sincerely,

Deborah Pierce
Staff Attorney

Online Profiling Project - Request to Participate, P994809

Docket No. 990811219-9219-01

Request to Participate: Public Workshop on Online Profiling, Session III: The Role of Self-Regulation

Tara Lemmey, President of Electronic Frontier Foundation would like to participate as a panelist for Session III, "Self-Regulatory efforts to protect consumers' privacy online."

Bridging the gap between public policy and technology innovation has been Tara Lemmey's role for the last decade of Internet expansion. Lemmey is one of the pioneers in creating a cooperative environment between government, advocacy groups, and the private sector in the areas of privacy, identity, and freedom of expression.

An experienced entrepreneur, Lemmey is a well-known data and privacy practitioner. Her focus in the private sector has extended to electronic commerce and media. She was the founder of Narrowline, and currently holds board advisory roles with Metasound and eNutrition. In addition, she has been an e-commerce advisor to the US Postal Service and Cybercash. In the non-profit arena, she is part of the originating team of TRUSTe, a non-profit organization advocating privacy on the Internet, and is currently a TRUSTe Board Member. Lemmey was recently named one of the 10 most important people to the future of digital music by Spin magazine for her efforts to protect the rights of consumers.

Prior to joining the Electronic Frontier Foundation, Lemmey was a founding partner of one of the first commercial online content providers, digital://threads, the Internet publishing company that issued Buzznet. She also performed an integral role in the strategic development of Absolut Vodka's online presence. Lemmey has a professional history of combining marketing and technology. She was an advertising executive at Young and Rubicam, managing the Unisys, Xerox and Holiday Inn businesses, as well as at Goldberg Moser O'Neill, where she led the advertising team on Symantec, Xircom, and Rolm. Earlier in her career, she was Communications Director for the United Way, an Associate Producer at Lifetime Television, and one of the early employees at People Express Airlines.

Lemmey's involvement in the Federal Trade Commission's Internet privacy hearings brought her to the forefront of the industry as a major influence in the development of privacy practices through the cooperation of industry with government. Lemmey also participated in the White House Framework for Global Economic Commerce, the World Wide Web Consortium (W3C) as an advisory board member for technology and society, and in the W3C's Platform for Privacy Preferences (P3P) standard.

A frequent speaker on topics concerning e-commerce, media, and privacy, Lemmey has made appearances at Internet World, Jupiter's Advertising Conference, the Aspen Institute, the United Nations forum on electronic commerce, the Department of Commerce hearing on privacy, and PC Forum.

Please also see our attached written comments for this session.


1. Lemmey, Tara, "Architecture is Policy: Case Study: Cooperative developments as a means for a standards-based Implementation for Privacy on the Internet" (1999). Contributing authors: Saul Klein, Microsoft Corporation; Topher Neumann, Ernst & Young.

2. Id.

3. Cranor, Reagle & Ackerman, "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy", AT&T Labs-Research Technical Report (1999).