Privacy: Issues, Policies, Statements

views updated

PRIVACY: ISSUES, POLICIES, STATEMENTS

Few Internet-related issues have generated as much controversy, conflict, and concern as privacy. The debate encompasses freedom of expression, security of intellectual property, marketers' abilities to gather information about consumers on the Web, workplace productivity, and rights of Internet users. Governments, industry, and citizen-advocacy groups are struggling to define workable privacy guidelines and enforcement procedures that will satisfy all parties in the rapidly changing universe of the commercial Internet. As data-collection technologies such as cookies, Web-crawlers, and Web cameras proliferate, the issue becomes more pressing.

Activity on the Internet in the early 2000s continued to increase rapidly, and with it, the rate of personal data collection, commercial transactions, and surveillance of Web users. Americans thus have grown more concerned about safeguarding their privacy online. A 2000 Pew Internet & American Life Project survey reported that 86 percent of the 1,017 Internet users polled wanted legal requirements mandating that Internet companies gain explicit permission to collect personal data online. Furthermore, 54 percent felt that tracking users' movements online constituted an invasion of personal privacy.

Many groups have motives for collecting and storing users' personal information online. Governmental and law-enforcement officials contend that access to such information spurs rapid identification of criminals, helping to combat credit fraud, terrorism, and illegal immigration. Businesses have a seemingly insatiable appetite for minute details about the identities and personal habits of online consumers. This information enables them to tailor promotions and advertising in hopes of generating sales and increased profits. Individual Web users appreciate the ease and efficiency provided by personalized Web sites, which store credit card information for future purchases, remember passwords, and modify Web pages automatically to cater to their interests.

But commercial and governmental organizations can compromise the privacy of online users. For example, Toysmart.com, an online toy retailer, contained a privacy statement guaranteeing that it would not make its customer list available to outside organizations. But when its operation failed amid the dotcom shakeout, Toysmart.com attempted to sell its customer database to a third party. In another retail example, in the year 2000, the online bookseller Amazon.com faced a U.S. Federal Trade Commission (FTC) probe and two privacy-invasion lawsuits charging it improperly handled the personal information stored in its online database. Meanwhile, government data was called into question when Image Data Inc. entered into a $1.5 million contract in 1997 with the U.S. Secret Service to digitize drivers' licenses and other personal data in order to create a national identity database for governmental use. A three-state pilot program was launched, only to be halted after widespread media coverage revealed the program's existence. Government surveillance was again at stake in July 2000, when it was disclosed that the Federal Bureau of Investigation (FBI) was using an Internet monitoring system called Carnivore, which it installed in Internet service providers' sites to monitor their traffic. Carnivore became the object of a Freedom of Information Act (FOIA) suit brought against the FBI by the Electronic Privacy Information Center (EPIC). By January 2001, the FBI had complied in part with the FOIA request to release documents regarding the information Carnivore had gathered.

METHODS OF ONLINE SURVEILLANCE

Commercial Web sites' early collection of user data generally consisted only of how many hits a particular site received. No method of information gathering existed to build profiles of typical users who frequently visited the site—the very information that helps marketers tailor advertisements and promotions for specific target audiences. But as Internet software and technology became more sophisticated, online information-gathering techniques grew more powerful and precise. Since the mid-1990s traffic-logging systems have routinely provided details about the brand of browser, version number, and available plug-ins that an individual uses, as well as identify sites previously visited and recreating searches the user conducted on a search engine. Web servers record the Internet address of each computer that visits a site, though this does not reveal the personal characteristics of the actual person operating that computer.

Web sites can also identify visitors via "cookies"—small text files that the Web site writes to a user's hard drive. Cookies contain the name of their proprietary Web site and a unique identifier they assign to a user's computer, which is written to the cookie file the first time a person visits the site. On subsequent visits, the Web site reads the cookie and recognizes the user's computer. Only the originating site can read the cookie, which may also store user passwords. Most browsers contain a feature that permits users to disable cookies.

Banner ads are another online information-gathering device. They are controlled by network advertisers, third-party companies that function as intermediaries between advertisers and Web-site companies. Banner ads place and read cookies, just like Web sites. Network advertisers can track users' surfing habits across the Web by placing banner ads on thousands of different Web pages.

Cookies and banner ads can only generate aggregate user profiles, based on the computers used for browsing rather than individual humans users. To collect more user-specific data, some companies permit users to customize their sites. Often they give users an incentive for registering, such as offering access to restricted content, in the hopes of gathering more detailed information about visitors. This helps online merchants fine-tune their profiles of individual users. When users enter personal data required for site registration or online purchases, the company gains access to that information.

E-COMMERCE AND PRIVACY

Most e-commerce Web sites monitor the movements of online visitors and consumers. Often companies sell or release customer information to third parties to promote additional products or to support direct-marketing campaigns. Online marketing generates spam, or "junk" e-mail, in the form of unsolicited advertisements and promotions. Studies indicate that many Americans consider these practices an un-warranted invasion of their privacy. Forrester Research estimated that $12.2 billion in e-commerce revenue was lost to privacy concerns in 2000, up from $2.8 billion in 1999.

Internet users can block monitoring of their online behavior in various ways. Two simple examples are giving false information when personal data is requested and encrypting their own e-mail. Software is also available to prevent online tracking and block spam. But despite Americans' nervousness about online surveillance, only 10 percent of Internet users have set their browsers to reject cookies, according to a 2000 Pew Internet Survey.

WORKPLACE PRIVACY

Employees constitute another group whose Internet use has come under increasing scrutiny. Work-place surveillance pits employers' financial interests, the protection of corporate intellectual property, workplace productivity, and security against the privacy rights of employees.

International Data Corporation (IDC) attributes 30 to 40 percent of all lost worker productivity to personal Web surfing on company time; this costs U.S. companies about $54 billion annually. According to the American Management Association, in 2000 nearly 75 percent of all major U.S. companies monitored employee communications, including telephone calls, e-mail, and Internet connections; this represented nearly twice the percentage that did so in 1997.

Frequently the supervision of employee behavior falls to the information technology (IT) department, though increasingly U.S. firms also hire CPOs—Chief Privacy Officers. Many companies use monitoring software that scans not only Web-site URLs, but the actual content of Web pages, to determine whether employees' online activity is linked to their workplace duties.

CHILDREN AND PRIVACY

The law views children as less capable of making well-reasoned judgments than adults, and there's a common understanding that children need special legal protections from harm and exploitation. Children are particularly vulnerable to manipulation by online marketers and more likely than adults to surrender personal or family information on the Web. In 1998, an FTC survey of 212 child-oriented Web sites concluded that although 89 percent of the sites collected personal data, 46 percent failed to notify users of that fact. In part to remedy such situations, Congress passed the Children's Online Privacy Protection Act (COPPA) in 1998. COPPA, which took effect in 2000, prohibits organizations from gathering personal information online from children under age 13, unless their parents give "verifiable" consent before the information is collected or shared with third parties. Web-site operators must also post their privacy policies online and notify parents of the types of information that they collect.

It was unclear whether COPPA was effective. In 2001 the FTC cited survey data revealing that 91 percent of children's Web sites contained privacy policies, compared with only 24 percent in 1998. However, a report the same year by the University of Pennsylvania's Annenberg Public Policy Center stated fewer than half of the 167 children's sites surveyed complied with COPPA guidelines.

LEGAL DIMENSIONS OF ONLINE PRIVACY

U.S. law governing online privacy is in a state of enormous flux. The Constitution contains no explicit right to privacy, though the Fourth Amendment protects Americans from illegal searches and seizure of personal records. Supreme Court decisions have created a variety of privacy rights, based on the Fourth Amendment and on the Fourteenth, which restricts the government from compelling individuals to disclose certain personal information. However, these rights apply to government actions, not the private sector. Hence, the U.S. lacks all-encompassing, federal data-privacy laws similar to those of the European Union (EU), as well as clear legal remedies for breaches of electronic-data privacy.

The Supreme Court has ruled that the Fourth Amendment protection of privacy holds where an individual has a "reasonable expectation" of privacy. However, since anyone can access the Internet, a Web user cannot have a "reasonable expectation" that his or her activities will be considered private, except if they occur on a limited network or when that user transmits information to a discrete Internet address. Thus data exchanged on electronic bulletin boards and chat rooms does not merit protection. In addition, any e-mail taken if a computer is seized is not protected.

One legal solution proposed to enhance privacy protection was the granting of intellectual property status to personal data. In other words, individuals would hold property rights to their personal data. However, this generates First Amendment concerns; in general, "data," or basic facts that are not part of a creative work, is not subject to ownership. Thus it is difficult to prevent Web sites from gathering and storing users' personal information.

The FTC, the chief governmental agency responsible for regulating personal data, has preferred to promote user control over personal data, rather than ownership rights to it. It has encouraged e-marketers to develop and post privacy statements that guarantee the security of personal data gathered online. But public-interest privacy advocates argue that this strategy will fail because few Web users even read privacy policies, many sites do not follow their own policies, and few policies guarantee enforcement. Noncompliant Web sites can be charged with engaging in deceptive trade practices, but the responsibility for forcing compliance rests with private citizens, who must lodge the suits to get results.

U.S. ONLINE PRIVACY-PROTECTION LEGISLATION

A series of existing laws addresses the privacy dilemmas spawned by the Internet, with dozens of new bills proposed in each Congressional session.

Title III of the 1968 Omnibus Crime Control and Safe Streets Act, also called the Federal Wiretap Statute, represents one of the first legislative attempts to protect the privacy of individuals' communications. It levies criminal and civil penalties for the intentional and unauthorized interception or disclosure of private communications, but it extended only to aural, not electronic, communications. In 1986, the Electronic Communication Privacy Act (ECPA) added electronic communications to those already protected by the Wiretap Statute. The Stored Communications Act, which safeguards electronic data stored after transmission, followed in the same year.

However, the ECPA allows governmental officials with a valid court order to trace private communications. Judges must approve requests for such court orders if prosecutors can verify that the data is relevant to ongoing criminal investigations. Furthermore, the statute doesn't protect users' identifications, only the content of their communications.

Congress asked the FTC to assess the privacy risks associated with computer databases in 1995. Partly as a result of FTC findings, a series of subsequent laws were passed, each addressing a separate facet of online privacy.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) requires that safeguards be instituted to protect patients' medical records, which health-care organizations are increasingly storing and transmitting online. The Health and Human Services (HHS) Department drafted attendant regulatory protections in 1999. They grant patients the right to review and obtain copies of their medical records; require patients' consent before health information is released; and allow patients to restrict the use of their medical information.

Individuals' online financial information is protected under the Fair Credit Reporting Act (FCRA) of 1997. It gives consumers control over their credit histories, requires employers to notify employees in advance if they are to be subject to workplace misconduct investigations, and obligates them to inform employees of the results of such investigations. Proposed changes to FCRA would require online companies to notify individuals about data-sharing arrangements with third parties and to permit them to opt out of such arrangements.

The Gramm-Leach-Bliley Act of 1999 further targeted the security of personal financial data. It mandated that financial institutions reveal to consumers what personal information they share with third parties and that they notify their customers annually about how personal data is gathered and protected.

By 2000, there was growing bipartisan support in Congress for Internet privacy. Many relevant bills were submitted to congressional sessions in the late 1990s and in 2000. The 107th Congress introduced nearly 50 bills in its first four months alone. Among them were bills proposing the establishment of a federal privacy commission, the protection of social security numbers online, and the prohibition of any future governmental attempts to establish a uniform national identification standard.

Proponents of stronger privacy-protection legislation cite a 2000 FTC report to Congress, which revealed that only 20 percent of the most heavily visited Web sites had implemented comprehensive "fair information practices" regarding online data-gathering. The report concluded that industry self-regulation alone had failed to guarantee sufficient protection for user privacy and personal data, and that more comprehensive legislation would be needed, in tandem with self-regulation, to accomplish that goal.

GLOBAL PRIVACY STANDARDS

Many industrialized countries possess far more stringent legislative rules protecting online users' privacy than exist in the U.S. The emerging global standard at the beginning of the 21st century was the European Commission's Directive on Data Protection, which took effect in 1998. It restricts all unauthorized transmission of personal data of EU citizens to any countries lacking legal standards that guarantee a similar level of online privacy protection. Since the directive's adoption, many other countries began drafting similar rules, among them Argentina, Australia, Canada, Switzerland, and New Zealand. Some countries also created governmental privacy directors or agencies to oversee Internet privacy.

For U.S. companies to exchange Internet users' personal data with EU members, they must participate in the Safe Harbor data-sharing agreement, which was devised by the EU and the U.S. Department of Commerce. The agreement, which became operational in November 2000, holds American businesses to implement data and privacy protection standards equivalent to those in the EU directive. Once a company complies with the Safe Harbor program, EU regulators can sue them only for breach of their own policies, not the standards of the EU Directive.

INDUSTRY SELF-REGULATION

Unlike the EU, the United States has relied primarily on industry self-regulation to ensure that Internet users receive an adequate level of privacy protection. Proponents of self-regulation argue that the breakneck speed of Internet growth, and its many successes, mandates against sweeping regulations that might stifle future development. U.S. businesses argue that self-regulation encourages industry to safeguard user privacy in order to boost consumers' confidence in the security of e-commerce transactions. In essence, business leaders believe that market forces will punish companies that breach privacy, causing them to lose business, while rewarding with increased sales those that protect privacy.

In the spirit of self-regulation, many e-businesses post privacy policies on their Web sites and permit opt-out avenues for users who don't wish to submit personal information online. When companies violate their own privacy policies, breach of contract suits and actions for deceptive business practices or false advertising can be brought against them. But this arrangement provides no penalties for failure to have a privacy policy, and such policies rarely cover the actions of third parties, such as network advertisers, who might acquire personal data online.

Detractors of self-regulation claim it can't be enforced. Thus it operates on the principle of caveat emptor ("let the buyer beware"), placing on consumers the responsibility of determining whether an online marketer is trustworthy and has the best interests of the consumer in mind.