How Can We Ensure the Privacy of Internet Users?
Politically attractive but substantially complex and difficult, Internet privacy is not likely to be legislated this year
By Harriet P. Pearson
Recent developments pose a challenge to the conventional wisdom that says that on the Internet, no one knows you're a dog. As the Web has transformed into a mass medium, its use continues to raise issues such as the following.
Further issues: How should the privacy of Internet users be protected from the government, as opposed to the private sector? What kind of legal protections exist or should exist to establish certain baseline protections and expectations for Internet users? How can a user's privacy expectations and preferences be met seamlessly no matter the origin of a Web site? In other words, how can we harmonize approaches to privacy in this global medium? Is federal preemption of state attempts to regulate Web site data privacy necessary to avoid the balkanization of the World Wide Web?
Still other issues: When an Internet user visits a Web site, what kind of notice and choice should the user have about the presence of Web ad serving? This practice occurs when companies help place targeted advertising to a Web site by placing a cookie on the user's machine and then identifying patterns of visits by that uniquely identified machine across multiple sites.
Finally: When will we realize the promise of technology to assist users in achieving their privacy preferences, whether they prefer anonymity or some level of information sharing? Will the next generation of the Internet be smarter about enabling individuals to guard their own privacy? Is there a reason to distinguish between online and offline privacy, since the data gathered from Internet users ultimately resides in databases that may hold data derived from multiple sources?
A new report from the U.S. Federal Trade Commission (FTC) profiles how commercial Web sites in the U.S. addressed privacy in early 2000. The FTC's May 2000 report is its third annual report on Internet privacy. The report relies on the survey of a random sample of dot-coms (335 sites) receiving 39,000 or more unique visitors each month-excluding children, adults, and business-to-business sites-as well as a sample of 91 of the 100 busiest Web sites (called the Most Popular Group) in January 2000. In a 3-2 vote, the FTC recommended that private-sector efforts be supplemented by legislation that would require all commercial Web sites to comply with standards of notice, choice, access, and security. Under the FTC's proposal, an agency-presumably the FTC-would issue regulations to implement the general requirements. The FTC's rationale was that despite progress in the private sector's addressing privacy issues on the Internet, only government regulation could ensure that all commercial Web sites adopt good information practices. This government authority would be added to that already in place for-among other things-children's online privacy, financial privacy, and medical privacy.
The Commerce Department and the Clinton Administration overall have not followed the FTC's lead in calling for legislation for all aspects of Internet privacy. Instead, they have focused on the near-term objectives of passing medical and financial privacy regulations and have urged the private sector to accelerate its work on general Internet privacy.
Many members of the U.S. Congress have demonstrated interest in understanding and addressing Internet privacy. They include those who support comprehensive regulation of privacy (Representative Markey, D-MA), those who would impose opt-in standards for the Internet and all information sharing (Senator Hollings, D-SC), those who would outlaw cookies (Senator Torricelli, D-NJ), those who approach privacy holistically and would address security issues and government access issues (Senators Hatch, R-UT; Leahy, D-VT; and Schumer, D-NY), and those who support the creation of a study commission (Representatives Hutchinson, R-AR, and Moran, D-VA).
Many state legislatures this year have seen either legislation on Internet privacy or comprehensive regulation of information privacy, including those of California, Massachusetts, New York, South Carolina, and Washington.
Network-ad-serving companies such as Doubleclick and Engage have formed a self-regulatory group, the Network Advertising Initiative, which is developing-with the Commerce Department and the FTC-self-regulatory guidelines for Web-ad-serving privacy.
The World Wide Web Consortium continues its work on the Platform for Privacy Preferences specification, due to be finalized this year. Technologically-oriented companies such as Zero Knowledge, Privada, Novell, IBM, NCR, and Microsoft, have announced products to help consumers and enterprises manage data privacy. Other companies-including IBM, Microsoft, Disney, Procter & Gamble, and Novell-are spending advertising dollars only with Web sites that make a commitment to privacy disclosures.
Governments in Canada and the European Union (EU), as well as other countries' governments that have broad privacy laws, are also actively trying to understand how they can implement their laws in the world of the Internet. The EU-U.S. Safe Harbor agreement is one pragmatic approach to harmonizing varying approaches to privacy.
In the United States, at the federal level, the FTC and the Commerce Department are the primary agencies charged with overseeing Internet privacy. The two committees of jurisdiction in the Congress-Judiciary and Commerce-are now starting to establish how they will approach Internet privacy. A number of state legislatures are also active.
A fair number of countries, including Canada and all of the members of the European Union, have already enacted broad privacy laws that presumably affect the Internet, as has Hong Kong. Canada's law, the most recently enacted, is the only law that was developed with the Internet a reality; the rest predate the Net. Key questions of jurisdiction for this global medium, as well as those of enforcement, remain open. Other nations, such as Japan, support private-sector programs and are deliberating what other legislation is needed, if any. The issue is not yet joined in Latin America or in some parts of Asia, including India.
What You Can Do
If you are involved in an organization or company, urge it to comply with the best practices suggested by the Online Privacy Alliance or the Federal Trade Commission.
For More Information
PrivacyExchange (http://www.privacyexchange.org)-a free resource of privacy laws, regulations and developments worldwide
Online Privacy Alliance (http://www.privacyalliance.org)-offering guidelines for the collection and use of personal information gathered on the Internet, as well as other resources for business and individuals
Better Business Bureaus (http://www.BBBOnline.org)
Center for Democracy and Technology (http://www.cdt.org)-an advocacy group that contains resources for individuals
Electronic Privacy Information Center (http://www.epic.org)-an advocacy group
Call For Action (http://www.callforaction.org)-a consumer assistance site with basic consumer education material including the ABCs of Online Privacy
Congressional Internet Caucus Advisory Committee (http://www.netcaucus.org)-an advisory group to the Congressional Internet Caucus; see compilation of information on online privacy
World Wide Web Consortium (http://www.w3.org/P3P)-containing information on the Platform for Privacy Preferences (P3P)
Federal Trade Commission: Kidz Privacy
(http://www.ftc.gov/kidsprivacy)-containing information on children's privacy
Federal Trade Commission (http://www.ftc.gov)-containing the FTC report on online privacy, as well as the report of its Advisory Committee on Online Access and Security
International Trade Administration at the U.S. Department of Commerce (http://www.ita.doc.gov)-containing documents on the European Union's Safe Harbor framework
Join the Internet Society today: http://www.isoc.org