Christopher K. Ridder
744 Mountain Blvd. Oakland, California 94611
November 30, 1999
Secretary, Federal Trade Commission
Dear Mr. Secretary:
I am submitting this reply comment in response to the DoC's and FTC's Federal Register Notice Requesting Public Comment and Announcing a November 8, 1999 Public Workshop on Online Profiling, and in response to NTIAs solicitation of reply comments by November 30, 1999. Although I was unable to attend the workshop, I thank the Commission for the opportunity to nevertheless present some thoughts on the issue. I am writing this comment solely as an interested citizen, and not on behalf of any other person or organization. I will also be submitting these comments as coursework for my Cyberlaw class at the University of California at Berkeley School of Law (Boalt Hall).
My submission focuses on the Notice/Awareness prong of the fair information practices identified by the FTC, as it applies to privacy policies currently in use by large corporations engaged in online profiling. The paper highlights some of the notice issues that I believe are most pressing on the web today, and provides some examples. I conclude that, despite some industry progress and promising new technologies enabling consumers to control their privacy online, such efforts will not be sufficient to protect consumer privacy in an uncertain 21st century.
I welcome comments from anyone on my submission, and look forward to further developments in this area.
cc: Martha K. Landesberg
Wendy S. Lader,
Reply Comments to the November 8, 1999 Workshop on Online Profiling
Online Profiling Project - Comment, P994809 / Docket No. 990811219-9219-01
Submitted by: Christopher K. Ridder
I would like to thank the Commission for the opportunity to submit these comments. As a law student with an abiding interest in cyberlaw, and as someone who has been using the Internet since 1989, Ive been following developments in online profiling for some time. Like many who have already commented, I see both the promise and the specter inherent in the Internets ability to enable two-way communication. And like most American consumers who know something of the surveillance capability that is just beginning to be realized by private actors in our society, I am concerned.
Ive been following the Commissions work in this area with great interest, as well as industrys efforts to institute effective self-regulation measures. These efforts have recently yielded a profusion of privacy policies. They have led to the creation of seal programs. Some Internet architectural measures designed to assist consumers in protecting their privacy are in place or coming soon. Yet despite these advances, we still have a long way to go in terms of achieving consistent use of fair information practices in consumer profiling.
My comments here will center on online privacy policies, the recent profusion of which seems to have provided a substantial part of the FTCs justification in its 1999 Report for recommending that legislation protecting privacy not be enacted at this time. In my opinion, a larger number of policies should not be the standard by which we gauge the effectiveness of industry self-regulation. Rather, we should look to the substantive nature of those policies. It is here that we find the strongest support for a suggestion that you have heard frequently from industry critics that despite an increasing number of policies, self-regulation has failed to provide even the most basic assurances that consumers personal data will be safe in the 21st century.
Substantively, many privacy policies are toothless. Many are designed with the bare minimum of disclosures. Frequently, they are silent on which type of information is collected, as opposed to used. Nearly all say that they are subject to change the only notice of this change being modification of the web site, and a suggestion that browsers check back periodically. And perhaps most serious privacy disclosures are generally limited to the online activities of a company. They fail to disclose to what extent the company collects information outside of the web context, and they fail to disclose whether offline information is correlated with data gleaned from the Internet.
Sadly, though perhaps not surprisingly so, many privacy policies ride a fine line between vacuous and misleading. Both the FTC and some of the watchdog organizations that have commented here have acted in the case of seriously misleading policies, especially where childrens data has been involved. Unfortunately, I dont believe that industry has an incentive to remedy the vacuousness problem until fair information practices are defined more strictly, and until a baseline of privacy protection is implemented through federal legislation.
As many other commentors here have outlined, the ability to compile detailed dossiers on American consumers has reached an unprecedented level, and these capabilities are further increasing at an alarming rate. Today, as more sites implement "cookie synchronization" agreements, and as companies begin to merge large online and offline databases of customer information, both the breadth and depth of electronic dossiers on American citizens is expanding rapidly. These are capabilities that many consumers are probably not aware of. Nevertheless, numerous surveys document that consumers increasingly believe that data privacy is a serious problem.
Quality vs. quantity
If fewer than 10% of these web sites contain as few as one of each survey item, how many sites are likely to contain privacy policies that truly are in line with fair information practices? So far, few web sites have met the substance of the self-regulation challenge. In this comment, I will highlight a few problems that I believe are pervasive, and intractable absent further regulation, in the area of Notice/Awareness.
Collection, as opposed to use, of information
Companies should be required to disclose what information is collected. Companies and databases change over time. When companies merge, so do their databases. Moreover, companies with multiple, yet currently separate, databases could elect to merge and/or sell them at some future point. Although it is probably impossible to predict how these companies databases would be handled in the future, customers would at least have as much information as anyone if they knew what information was being stored about them.
Data is persistent. Data migrates through many systems as it is bought and sold, and as companies merge. Americans have a right to know what data is being stored about them, so they can be aware of the potential risk of its disclosure in an unpredictable future. Moreover, although companies may not use all of the information they collect today, it is certainly discoverable through a subpoena or court order. Americans should be able to identify which information resulting from private surveillance activities might be used against them at a later date.
Deletion of information is especially a problem with regard to opting out of a service after one has already registered. Many sites give users the option of discontinuing the further use of personal information. However, most make no representation that data already provided to them will be deleted. Moreover, any data previously provided to third parties must be handled in separate transactions if consumers can even find those third parties, and if they permit deletion of previously stored information.
For example, AltaVista advertises, "If you do not wish demographic or profile information to be shared, then you may opt-out [sic] at the time of registration." Such a statement lacks clarity about whether theres an option to opt out subsequent to registration. More important, the statement says nothing about whether information will be deleted only that it will no longer be shared.
Aggregation of databases
As databases are aggregated, and as data mining technology improves, the quality of profiles increases dramatically. Outright sale of information, while possible, is far from necessary for such consolidation to occur. Some companies may choose to merge their own database information. For example, if Safeway were to create a successful online grocery store, it would be extremely beneficial to merge its online clickstream data with its in-store club card information. Yet far more ominous developments are already occurring, such as the recent approval of the DoubleClick/Abacus merger.
Many Americans would be shocked to learn that in the future, if not today, detailed psychographic profiles could be readily available. As these databases become ever more detailed, one could imagine them frequently becoming targets of subpoenas, law enforcement investigations or hackers. Insurance companies, employers and others could use online profiles to discriminate. If consumers knew the potential consequences, would they still consent to intrusive monitoring?
The site further notes that this information is collected in a single location, although it is unclear with whom it may be shared.
Also of note is that privacy policies generally apply only to online activities. Offline profiling efforts, which may be correlated with databases containing online information, are generally not included. For example, Safeway makes no disclosures concerning the extent to which its "club card" data is collected or used. General Electric recently made the news when it embedded a secret tracking code in an offline survey, designed to match respondents with real investors. GEs policy has not changed since that story broke. It still provides, "At times we conduct on-line surveys to better understand the needs and profile of our visitors. When we conduct a survey, we will try to let you know how we will use the information at the time we collect information from you on the Internet." Companies that collect personal information offline should disclose the full scope of such collection in their Internet privacy policies, especially where correlation may occur.
Web bugs, cookies and other "obscure" profiling technologies
Consumers are probably unaware of the full range of profiling capabilities that exist, and are currently in use, on the web. Future developments in this area may be difficult to anticipate, but are certainly coming soon. Few sites disclose the implications of cookies, and many completely omit statements concerning their use. Few sites disclose URL tracking, whereby URLs are embedded with personal information, such as referral chains and user IDs.
Transfer of information to third parties
This disclosure fails to even mention cookies. Moreover, it implies that advertisers collect no information about consumers until they click through.
Subject to change without notice
Perhaps the most serious notice issue arises in the virtually standard term used in privacy policies that they are subject to change without notice. Such a statement is usually accompanied by a suggestion that customers should check back periodically to see if the company has decided to use previously collected information in a different way. Such a practice, in failing to provide adequate notice, seriously undermines choice and consent.
Many of the industry commentors have discussed the holy grail of one to one marketing, and its growing importance to the evolution of ecommerce. If theres one thing everyone agrees on with regard to this issue, its that the profiles were talking about are extremely valuable both to industry and to consumers who care about their privacy.
However, its important to keep in mind that there is much more at stake here than merely ensuring that consumers are confident enough in their privacy rights to hand out their credit card numbers online. Privacy is not only an inherent human right, it is a legal right in this country as well a right that demands an analysis that goes beyond considerations of economic efficiency. Our inquiry should be forward-looking, and take into account the long-term implications of online profiling, not merely the short-term benefits to be gained from "targeted advertising". In 30 years, how will companies use the detailed psychographic profiles theyve amassed? How sophisticated will futuristic data mining techniques be, and to what extent will they be able to create new information from old data? How secure will this information be from hackers and identity thieves?
I agree with your non-industry commentors, and over 70% of Americans, that some form of legislation is required to protect privacy. Although the industry appears to be making a concerted effort to self-regulate, such attempts are virtually certain to fall short of satisfying the information practices endorsed by the FTC. Industry self-regulation will always play an important role in the management of online profiles, but even in combination with consumer self-help technologies, it is woefully insufficient. I urge you to recommend legislation that would codify the fair information practices the Commission has outlined, so that every American can be assured of at least a certain baseline of protection.