

 Testimony and Statement for the Record of
Marc Rotenberg

Executive Director
Electronic Privacy Information Center

On Internet Privacy and Profiling

Before the
Senate Commerce Committee
United States Senate

June 13, 2000

Senate Russell Building 253


Summary

Privacy organizations that favor legislation to protect privacy have also been the leaders in the effort to establish good technology to protect privacy. Our view is that good privacy technologies will depend very much on the regulatory environment. Laws such as export controls that limit the availability of encryption or the requirements of the Communications Assistance for Law Enforcement Act, now before a federal appeals court, will discourage the development of good techniques to protect privacy. On the other hand, laws that implement Fair Information Practices, such as the Privacy Act of 1974, will have a positive impact on the development of technology. Privacy legislation is appropriate for the Internet because it will have a positive impact on the development of technologies to protect online privacy.

In the matter of Doubleclick, we first brought the Committee's attention to this problem at a similar hearing a year ago. We warned that self-regulation would fail to protect privacy and that there would be a public backlash against the company's plan to profile Internet users. We think the lesson is clear that legislation is necessary. Even good models for online advertising can quickly change without baseline privacy rules.

Going forward, we think the key is the development of techniques that implement common-sense Fair Information Practices and that minimize or eliminate the collection of personally identifiable information. Techniques for profiling that are not based on the identity of an actual user may be acceptable. But any system of profiling that could be linked to a user, even if that is not intended at the beginning, should be subject to legal safeguards. The experience with Doubleclick has made this clear.

In terms of P3P, we do not view this as a technology that will promote privacy. It builds on the very weak "notice and choice" approach that is increasingly asking consumers to trade their privacy for the benefits of electronic commerce. It is not fair to force consumers to make this choice. Good technologies that aim to protect consumer privacy will not be built on this model.

We need privacy legislation to establish baseline standards for electronic commerce. We also need to look closely, with input from technical experts and experts in privacy, at how best to develop technologies that protect online privacy. We need a much broader right of access in the online world than currently exists in the offline world precisely because the online world enables such far-reaching profiling. Finally, we need to think more deeply about the true nature of profiling in the online world. The establishment of persistent profiles, beyond the control or scrutiny of the individuals affected, can stigmatize and reduce opportunity for some even as they create benefits for others.

 

Testimony

My name is Marc Rotenberg, and I am Executive Director of the Electronic Privacy Information Center in Washington, DC. I am grateful for the opportunity to appear before the Committee this morning and also for your efforts in developing good privacy legislation that responds to growing public concern. Last year I testified before you on the growing risks to Internet privacy and described a firm named Doubleclick that had announced a merger with Abacus Direct. I warned in my testimony that Doubleclick's proposal to profile Internet users showed the problems with the self-regulatory approach to privacy protection and that it would lead to a vast privacy backlash.

This morning I will focus my comments specifically on one of the central questions in the ongoing effort to protect privacy online — what is the relationship between privacy legislation and privacy technology? With legislation pending before the committee, and many companies developing privacy technologies, I am sure you are trying to understand the relationship between privacy legislation and privacy technology. Are they alternatives? Should we have both? What happens with technology if we continue to go forward without legislation?

Privacy Advocates Have Long Encouraged the Development of Technology to Protect Privacy

To answer these questions, I need to say a few words about the establishment of EPIC. The Electronic Privacy Information Center, which has long favored the adoption of legislation to protect Internet users, has also been on the front lines to ensure that Internet users would have access to the best technology to protect privacy. Several years ago there was a widespread belief in government that it would be necessary to limit the availability of strong technology, such as encryption, that would protect personal privacy. We strongly opposed this view and said that these technologies should be widely available to the general public. We argued that privacy technology was good for consumers, good for business, and ultimately good for national security. We prepared a letter to the President by experts, opposing the Clipper proposal to establish the escrowed encryption standard. That letter was later endorsed by 50,000 users of the Internet who agreed that good technology was critical to good privacy. The administration eventually changed its views and today the United States policy on encryption favors the development of good tools to protect personal privacy, though I should add that it is still the case that electronic mail is not routinely encrypted, though I think it should be.

Since the Clipper campaign, we have also urged the development and adoption of the very best technical means to protect personal privacy. Our web site contains a popular page — Practical Privacy Tools, which was featured in the New York Times just last week. The page includes techniques for encryption, anonymity, cookie management, and more.

Members of the EPIC staff have even trained human-rights advocates and journalists in different parts of the world how to use encryption to protect their private communications from police forces and governments that would send a person to jail for what he might write in a private message. We supported the widespread use of anonymous remailers, PGP, robust encryption, and other privacy tools, when many industry groups waited quietly in the wings for the policy debate to play out.

Although lobbyists like to characterize privacy advocates as favoring "heavy-handed Government regulation" in fact we were far ahead of industry on proposing technical solutions to privacy protection. We have been pressing for good technical solutions to protect privacy before the vast majority of Internet-based companies were even established.

And when groups in industry or government have gone forward with technical standards that threaten individual privacy — the Clipper chip, the Intel Processor Serial Number, the FBI wiretap standards, the Microsoft Global Universal Identifier — we launched national campaigns, in association with such groups as Junkbusters, the ACLU and others to bring public attention to the growing risks to privacy.

Privacy Legislation is Critical to Privacy Technology

So why do we favor legislation? The answer is that our experience over the last ten years shows that you will get better technologies to protect personal privacy where there is a legal framework in place that establishes baseline privacy standards. The Clipper proposal came about in the United States but not in Europe or Canada. One of the reasons is that European and Canadian privacy laws and European and Canadian privacy agencies prevented the adoption of a technical standard that would have enabled such widespread surveillance of privacy communications.

Doubleclick pushed forward with its profiling scheme in the United States but not in Europe because European law would have required Doubleclick to follow a set of privacy rules once it started collecting personal data. Doubleclick decided it didn’t want to bother complying with privacy rules so it pushed forward in the United States.

Many of the Internet protests that are taking place in the United States result from the failure to develop good privacy standards. Some might say that this is because the US is a leader in technology and first to experience the social consequences when companies go too far. But in fact, in many critical sectors — online banking, Internet use, cell phone use — the US is not the leader but is still facing enormous public concerns about the loss of privacy. The reason is simply that whereas other countries have made some effort to update their privacy laws to keep pace with new technology, the US stubbornly refuses to do so. And in the United States where privacy legislation is in place, you simply do not see the type of invasive profiling that companies like Doubleclick have pursued on the Internet.

The message here is simple: privacy laws encourage good business practices and good privacy technologies. Where those laws exist, you can have innovation and privacy protection. Where the laws do not exist, you may still have innovation, but I doubt you will have privacy protection.

The Profiling Problem is Not New

Although the Internet and Doubleclick appear to raise new problems, in many ways Congress has confronted similar problems in the past and developed appropriate legislative solutions.

More than thirty years ago there was a proposal to establish a centralized databank in the United States called the National Data Center that would have provided detailed profiles on American citizens. The purpose was benign. It was believed that such a databank would be very useful to social scientists and others, but the implications were severe. People understood that the collection of these permanent profiles, made possible by computerized automation, would pose a threat to the privacy and liberty of American citizens. The proposal for the National Data Center was withdrawn and over time a comprehensive legal framework — the Privacy Act of 1974 — was established to safeguard the rights of American citizens. The Privacy Act imposed on all federal agencies essential privacy rights and responsibilities — "Fair Information Practices" — that would limit what federal agencies could do with personal information and gave every American the right to see the information about them that was collected.

Significantly, the Privacy Act did not slow the use of computers. It simply made the people who were designing those systems more aware of their obligations to protect the privacy interests of the people whose information was collected. In other words, the Privacy Act helped ensure that as automation was introduced in the federal government, privacy was built-in at the outset.

Now I want to be clear at this point, that I am not defending all data collection practices by the federal government. I think there are any number of programs where data collection is too intrusive. Nor do I think the Privacy Act is beyond criticism. Recent amendments appropriately strengthened the penalty provisions to help ensure that there would be sufficient incentives to pursue enforcement, and recent court opinions have asked, appropriately in my view, whether the Privacy Act should apply to the White House.

But the critical point is clear: law is necessary to limit profiling, such law does not discourage innovations, and the US Privacy Act provides a clear example of how such laws can operate successfully.

Lessons of Doubleclick

To understand Doubleclick, I think it is important to think about how advertising has operated traditionally. Whether in the print world with magazine ads and billboards or the communications world with radio spots and TV ads, advertisers large and small have been able to reach their audience without collecting any personal information. This is true when 30 million people watch the same beer commercial on a television football game or when 30 people see an ad for a used kitchen table in the classified section of a morning newspaper. Advertisers communicate information to an audience without trying to create detailed profiles.

Advertisers have always been able to tailor ads to specific markets. With the Internet it is even easier to do. The subject matter can be more focused, the information more timely. Advertisers also get almost instantaneous feedback on which ads are working and which are not. Follow an auction on one of the auction sites and you will see just how well the Internet enables targeted advertising between buyer and seller and still protects privacy.

All of these factors suggest that the Internet could be a very effective way for marketers to reach customers with a minimal privacy intrusion. But Doubleclick, and in fairness, several of its competitors, pushed the envelope and decided that reaching customers, regardless of the privacy consequences, was the way to go. Not content with the most effective and efficient form of advertising ever made possible, these companies began plans to profile net surfers, to link anonymous clickstream data with detailed and personally identifiable purchase records. They called it "personalization" but the process is "profiling" and the method involves the secretive collection of personal information about consumers.

The schemes were deeply flawed, both as a matter of policy and technology. Doubleclick essentially ignored all of the generally accepted privacy rules. People could not see what information would be collected or determine how it would be used. Doubleclick couldn't even comply with their own privacy policy. As we pointed out in our complaint to the Federal Trade Commission, the privacy policy at the Doubleclick web site was constantly being revised. First, Doubleclick's privacy policy assured users who received targeted ads from Doubleclick that they would remain "completely anonymous." Then Doubleclick dropped the reference to anonymity and said the information was not "personally identifiable." More recently, following the merger with Abacus Direct, Doubleclick said that if it joined the two databases it would further revise its privacy statement to reflect its "modified data collection and data use practices."

There was no way any consumer could make a meaningful decision about whether to disclose personal information to Doubleclick. Doubleclick could essentially do with the information whatever they wished. They might as well have scrapped their privacy policy and put up three words "subject to change."

The technology was just as bad. Even Doubleclick's business partners were not aware of how personal information was being collected. Kozmo dropped Doubleclick when they realized that videotape rental records were being transferred by the advertising network, most likely in violation of the Video Privacy Protection Act. Web sites offering healthcare advice learned to their chagrin that they were passing on medical information on their visitors through the Doubleclick network. Even the opt-out scheme proposed by Doubleclick had problems. Customers who wanted privacy would be required to store a Doubleclick cookie on their computer. Not a very smart idea when consumers, trying to protect their privacy, are routinely deleting cookies.

By the time Doubleclick dropped the plan, the company was facing investigation from the Federal Trade Commission, two state attorneys general, and a host of private litigants. Doubleclick’s problems were hardly caused by the campaigning of a few privacy advocates; virtually anyone who thought about the long-term implications of profile-based advertising saw the problem.

Doubleclick CEO Kevin O’Connor was right to admit a mistake and should be commended for responding, albeit belatedly, to growing public concern about privacy in the online world. The question now is what lessons will be learned. Is this simply a matter of "issue management," or is there an opportunity for a genuine exploration of how to develop business models for the Internet that are profitable and also respect consumer privacy? My hope is that the industry will take the second course. But this will mean taking seriously the need to develop strong and effective privacy measures.

If net advertisers intend to collect personal information on Internet users, they should follow the most stringent Fair Information Practices. That's not just about giving individuals "notice and choice," it's about allowing individuals to know what the company knows about them, and to object to the use of the information and even to have it permanently deleted if they wish. It’s about being more open and accountable in how personal information will be used. Access to a privacy policy is never as good as actually being able to see how someone else will use your personal data.

Better of course would be for innovative firms to take advantage of the extraordinary flexibility of the Internet and develop advertising models that do not rely on the collection of personally identifiable information. Several advertising firms currently do this and others should consider it as well. There is every reason to believe that advertising models that respect consumer privacy can be made to work in an environment as dynamic as the Internet.

Support for privacy legislation that would establish baseline standards across the industry would also be a good move. Self-regulation has its advantages, but in the world of privacy it simply protects bad actors. A better approach would establish simple, uniform, predictable rules for business and consumers. A legal principle in support of anonymity will do a lot to spur the development of robust technologies of privacy.

One argument that simply does not fly is that the surreptitious profiling of customers’ private activities -- what web sites they visit, what articles they read, what pictures they watch -- is necessary to support the Internet. That's an argument without bounds and one the Net advertisers should drop quickly if there is going to be a real discussion about how to protect privacy online. The Internet is growing rapidly in countries that do not permit these practices. In fact Internet penetration is higher in several countries that have stronger privacy rules than the United States.

Consumers are serious about the need for privacy protection on the Internet, and they do not see a need to trade their privacy for their ability to use the Net.

The Danger of Notice and Choice

Too often, the privacy problem is viewed as requiring the offering of notice and choice to consumers. But this is not the approach that the United States has typically taken to ensure privacy protection in other sectors, even those where there is rapidly changing technology. The privacy of cable subscriber records is protected because of a provision in the Cable Act. The privacy of video rental records is protected by the Video Privacy Protection Act. The privacy of telephone calling records is protected by a series of laws and regulations. But "choice" is what consumers face where there is no baseline privacy protection.

You have probably already heard about something called "P3P" and you are no doubt going to hear more about this in the future. This is a technical proposal developed by the World Wide Web Consortium to facilitate the collection of personal information on the Internet. Many in industry believe that this standard will help solve the privacy problem because it will facilitate choice about privacy practices. But the real choice offered is not how to protect privacy, but how much privacy to give up. The FTC Chairman made the point very well that the reason we need privacy laws today is that consumers are too often asked to give up their privacy for some benefit.

We need strong technical measures that give people greater control over the collection and use of personal information, and that limit where possible the collection and use of personal data. Consumers should not be forced to choose between the protection of privacy and the benefits of electronic commerce.

Recommendations

First, we need privacy legislation to establish baseline standards for electronic commerce. Until there is legislation, you will see public protests grow. But in those sectors where there is good legislation, you will hear fewer complaints, except to see that the laws are in fact enforced. Even where companies are doing the right thing today, there is no assurance that they will continue to do so tomorrow. Remember that Doubleclick began with the exact same approach to Internet advertising that some today will hold up as a model. But that model collapsed because there were no baseline privacy rights in place to hold it up.

Second, we need to look closely — with far more input from technical experts and experts in privacy — at how best to develop technologies that protect online privacy. Too many of these standard-setting discussions are dominated by the industry groups that have opposed privacy legislation and would much prefer technical standards that encourage people to trade privacy rather than to retain privacy. Privacy experts believe that we can develop good technical standards for privacy protection built on a legal framework that protects the interests of consumers and still encourages innovation. We do not think that users of the Internet should face a bewildering range of choices to protect their reasonable expectation of privacy in the collection and use of their personal information.

We need a much broader right of access in the online world than currently exists in the offline world precisely because the online world enables such far-reaching profiling of private behavior in a way that is simply not possible in the physical world. The FTC’s recent report on this subject failed to make clear this essential point.

Any company that creates a persistent profile on a known user, or that could be linked to a known user, should be required to make known to that user all of the information that is acquired and how it is used in decisions affecting that person’s life. The profile should always be only "one-click" away — there is no reason on the Internet that companies should force users to go through elaborate procedures or pay fees to obtain this information about themselves. Access will promote transparency and accountability. It is vital to consumer trust and confidence.

It would also be appropriate in many cases to give individuals the right to compel a company to destroy a file that has been created improperly or used in a way that has caused some harm to the individual. Data could still be preserved in an aggregate form, but individuals should be able to tell a company that they no longer have permission to make use of the personal information that they have obtained.

Finally, we need to think more deeply about the true nature of profiling in the online world. Profiling raises significant questions about identity, grouping, and what information people receive and what information they do not. Of course, such lines are drawn all the time, but it is the establishment of persistent profiles, beyond the control or scrutiny of the individuals affected, that can stigmatize and reduce opportunity for some even as they create benefits for others. Privacy law will help make companies more accountable and reduce the risk of unfair or inaccurate decisionmaking.

Conclusion

We are not simply talking today about Internet privacy. More and more of our lives — entertainment, private communications, banking, reading, buying products, getting the news — all of this is taking place online. We are really talking about the future of privacy in the twenty-first century and whether there will be good standards in place to protect personal information or whether companies will be free to build secret, elaborate profiles that will determine where we go and what we see in this new world.

Technology will clearly play a role in privacy protection. Technologies that protect privacy will enable online transactions without requiring the disclosure of actual identity as much as possible. Technologies that protect privacy will minimize or eliminate the collection of personally identifiable information.

But technology is not enough. Legislation that enforces common-sense Fair Information Practices is necessary to protect the interests of Internet users and it will also play a critical role in the development of these new technologies. It will protect privacy where privacy technologies have not been deployed. It will properly place burdens on companies that choose not to use good techniques to protect privacy. And it will support the development of technologies that will genuinely protect privacy.

We are living in a time when we can still exercise choice over the future of the Internet. I don’t mean simply the choice of a single person trying to comprehend a complicated privacy policy, but the choice of a country to safeguard its basic freedoms even as it enjoys the benefits of new technology. Legislation is the way we express this choice and legislation is the path toward technologies that will safeguard privacy interests in the future.

 

References

Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape (MIT Press 1997)

EPIC Doubleclick page

[www.epic.org/doubletrouble/]

EPIC, Online Guide to Practical Privacy Tools

[http://www.epic.org/privacy/tools.html]

Oscar H. Gandy, Jr., Exploring Identity and Identification in Cyberspace, Notre Dame Journal of Law (forthcoming)

Junkbusters Doubleclick page

[www.junkbusters.com/doubleclick.html]

Peter G. Neumann, Computer Related Risks (Addison Wesley 1995)

Marc Rotenberg, Testimony and Statement for the Record on The Online Privacy Protection Act of 1999, S. 809, Before the Subcommittee on Communications of the Senate Committee on Commerce, Science and Transportation, 106th Cong., 1st Sess. (July 27, 1999), reprinted in Congressional Digest, February 2000

"Weblining," Businessweek, March 26, 2000

[http://www.businessweek.com/2000/00_14/b3675017.htm]

"Kozmo Delivers ‘Consumer Racism?’," MSNBC, April 12

[http://www.zdnet.com/zdnn/stories/news/0,4586,2534749,00.html]

Attachments

In the Matter of Doubleclick, Complaint and Request for Injunction, Request for Investigation and Other Relief, Electronic Privacy Information Center (EPIC), before the Federal Trade Commission, February 10, 2000

[http://www.epic.org/privacy/internet/ftc/DCLK_complaint.pdf]

"Privacy on the Internet," New York Times, February 22, 2000 (editorial)