October 2000
How Can We Ensure the Privacy of Internet Users?
Politically attractive but substantially complex and difficult,
Internet privacy is not likely to be legislated this year
By Harriet P. Pearson
hpearson@us.ibm.com
Recent developments pose a challenge to the conventional wisdom
that says that on the Internet, no one knows you're a dog. As
the Web has transformed into a mass medium, its use continues
to raise issues such as the following.
What is the best way to apprise a visitor to a Web site of the
site's information collection and use policies, so that the visitor
can exercise discretion? Close to 90 percent of the
top commercial Web sites post a privacy policy statement, compared
with 14 percent just two years ago. Is that an indicator that
the market is responding to Internet privacy concerns? Can such
notices be improved in their readability and usefulness, so that
they can truly inform the Internet user?
What kinds of accountability and enforcement exist for so-called
bad actors, those who promise to do one thing with one's data but
instead do another? Does the appearance in the United States of
seal programs such as BBBOnline and TRUSTe, combined with existing
legal authority to prosecute misleading or deceptive acts, adequately
address the enforcement issue? What do we do about the free riders, those
Web sites that do not adopt the best practice of posting a privacy
policy statement that addresses the fair information practice
principles of notice, choice, access, and security?
Further issues: How should the privacy of Internet users be protected
from the government, as opposed to the private sector? What kind
of legal protections exist or should exist to establish certain
baseline protections and expectations for Internet users? How
can a user's privacy expectations and preferences be met seamlessly
no matter the origin of a Web site? In other words, how can we
harmonize approaches to privacy in this global medium? Is federal
preemption of state attempts to regulate Web site data privacy
necessary to avoid the balkanization of the World Wide Web?
Still other issues: When an Internet user visits a Web site, what
kind of notice and choice should the user have about the presence
of Web ad serving? This practice occurs when companies help place
targeted advertising on a Web site by placing a cookie on the
user's machine and then identifying patterns of visits by that
uniquely identified machine across multiple sites.
Finally: When will we realize the promise of technology to assist
users in achieving their privacy preferences, whether they prefer
anonymity or some level of information sharing? Will the next
generation of the Internet be smarter about enabling individuals
to guard their own privacy? Is there a reason to distinguish between
online and offline privacy, since the data gathered from Internet
users ultimately resides in databases that may hold data derived
from multiple sources?
The Players
A new report from the U.S. Federal Trade Commission (FTC) profiles
how commercial Web sites in the U.S. addressed privacy in early
2000. The FTC's May 2000 report is its third annual report on
Internet privacy. The report relies on the survey of a random
sample of dot-coms (335 sites) receiving 39,000 or more unique
visitors each month (excluding children, adults, and business-to-business
sites), as well as a sample of 91 of the 100 busiest Web sites (called
the Most Popular Group) in January 2000. In a 3-2 vote, the FTC
recommended that private-sector efforts be supplemented by legislation
that would require all commercial Web sites to comply with standards
of notice, choice, access, and security. Under the FTC's proposal,
an agency, presumably the FTC, would issue regulations to implement
the general requirements. The FTC's rationale was that despite
progress in the private sector's addressing privacy issues on
the Internet, only government regulation could ensure that all
commercial Web sites adopt good information practices. This government
authority would be added to that already in place for, among other
things, children's online privacy, financial privacy, and medical
privacy.
The Commerce Department and the Clinton Administration overall
have not followed the FTC's lead in calling for legislation for
all aspects of Internet privacy. Instead, they have focused on
the near-term objectives of passing medical and financial privacy
regulations and have urged the private sector to accelerate its
work on general Internet privacy.
Many members of the U.S. Congress have demonstrated interest in
understanding and addressing Internet privacy. They include those
who support comprehensive regulation of privacy (Representative
Markey, D-MA), those who would impose opt-in standards for the
Internet and all information sharing (Senator Hollings, D-SC),
those who would outlaw cookies (Senator Torricelli, D-NJ), those
who approach privacy holistically and would address security issues
and government access issues (Senators Hatch, R-UT; Leahy, D-VT;
and Schumer, D-NY), and those who support the creation of a study
commission (Representatives Hutchinson, R-AR, and Moran, D-VA).
Many state legislatures this year have seen either legislation
on Internet privacy or comprehensive regulation of information
privacy, including those of California, Massachusetts, New York,
South Carolina, and Washington.
In the private sector, the Online Privacy Alliance (OPA) has set
guidelines for Web sites' collection and use of personally identifiable
information collected online. Composed of over 100 companies and
associations from multiple industries, the OPA serves as industry's
main voice on Internet privacy policy issues. Several independent
seal programs, such as BBBOnline and TRUSTe, continue to gain
momentum in the marketplace, with over 2,000 Web sites now carrying
some type of privacy trust mark.
Network-ad-serving companies such as Doubleclick and Engage have
formed a self-regulatory group, the Network Advertising Initiative,
which is developing, with the Commerce Department and the FTC, self-regulatory
guidelines for Web-ad-serving privacy.
The World Wide Web Consortium continues its work on the Platform
for Privacy Preferences specification, due to be finalized this
year. Technologically oriented companies such as Zero Knowledge,
Privada, Novell, IBM, NCR, and Microsoft have announced products
to help consumers and enterprises manage data privacy. Other companies (including
IBM, Microsoft, Disney, Procter & Gamble, and Novell) are spending
advertising dollars only with Web sites that make a commitment
to privacy disclosures.
Governments in Canada and the European Union (EU), as well as
other countries' governments that have broad privacy laws, are
also actively trying to understand how they can implement their
laws in the world of the Internet. The EU-U.S. Safe Harbor agreement
is one pragmatic approach to harmonizing varying approaches to
privacy.
The Forums
In the United States, at the federal level, the FTC and the Commerce
Department are the primary agencies charged with overseeing Internet
privacy. The two committees of jurisdiction in the Congress, Judiciary
and Commerce, are now starting to establish how they will approach
Internet privacy. A number of state legislatures are also active.
A fair number of countries, including Canada and all of the members
of the European Union, have already enacted broad privacy laws
that presumably affect the Internet, as has Hong Kong. Canada's
law, the most recently enacted, is the only law that was developed
with the Internet a reality; the rest predate the Net. Key questions
of jurisdiction for this global medium, as well as those of enforcement,
remain open. Other nations, such as Japan, support private-sector
programs and are deliberating what other legislation is needed,
if any. The issue is not yet joined in Latin America or in some
parts of Asia, including India.
The Prospects
Politically attractive, but substantively complex and difficult,
Internet privacy is an issue not likely to be legislated in this
election year at either the federal or the state level. But it
will return in 2001, when the focus of the public policy process
will likely shift from the FTC to Congress. Look for a political
handshake between the EU and the U.S. on the Safe Harbor framework
for data flows between the two regions, which will be an important
example of how nations can harmonize differing approaches to Internet
policy issues. The appearance, finally, of a working specification
for P3P, the Platform for Privacy Preferences, will prompt a renewed
look at technology's potential to help resolve privacy policy
issues, but it will be a multiyear process.
What You Can Do
When you use the Internet, look for privacy policy statements.
If they are not present on a Web site or are not understandable,
contact the Web site and urge its compliance with baseline industry
practices. Refer the site to the Online Privacy Alliance Web site
http://www.privacyalliance.org for more information. Become educated
about the ways you can protect your privacy preferences by surveying
the Web sites listed below, and be a privacy-aware consumer.
If you are involved in an organization or company, urge it to
comply with the best practices suggested by the Online Privacy
Alliance or the Federal Trade Commission.
For More Information
PrivacyExchange (http://www.privacyexchange.org): a free resource of privacy laws, regulations and developments worldwide
Online Privacy Alliance (http://www.privacyalliance.org): offering guidelines for the collection and use of personal information gathered on the Internet, as well as other resources for business and individuals
TRUSTe (http://www.TRUSTe.org)
Better Business Bureaus (http://www.BBBOnline.org)
Center for Democracy and Technology (http://www.cdt.org): an advocacy group that contains resources for individuals
Electronic Privacy Information Center (http://www.epic.org): an advocacy group
Call For Action (http://www.callforaction.org): a consumer assistance site with basic consumer education material including the ABCs of Online Privacy
Congressional Internet Caucus Advisory Committee (http://www.netcaucus.org): an advisory group to the Congressional Internet Caucus; see compilation of information on online privacy
World Wide Web Consortium (http://www.w3.org/P3P): containing information on the Platform for Privacy Preferences (P3P)
Federal Trade Commission: Kidz Privacy (http://www.ftc.gov/kidsprivacy): containing information on children's privacy
Federal Trade Commission (http://www.ftc.gov): containing the FTC report on online privacy, as well as the report of its Advisory Committee on Online Access and Security
International Trade Administration at the U.S. Department of Commerce (http://www.ita.doc.gov): containing documents on the European Union's Safe Harbor framework
About the Authors
Harriet Pearson directs IBM's involvement in several areas of
public policy, including privacy, health care, consumer protection,
retirement income, labor, and other social policy issues raised
by the shift to a networked world. Based in Washington, D.C.,
Pearson is active with a number of associations and coalitions.
Within IBM, she cochairs the company's Privacy Council, a corporation-wide
team formed to further IBM's commitment to privacy. Pearson also
chairs the Privacy Committee of the Information Technology Industry
Council and has a leadership role in the Online Privacy Alliance.