Andrew Shen, Policy Analyst
Electronic Privacy Information Center
Washington, DC
on
Recent Developments in Privacy Protections for Consumers
My name is Andrew Shen. I am a Policy Analyst at the Electronic Privacy Information Center (EPIC)1. At EPIC, I work largely on consumer privacy issues. Earlier this year, I served as a member of the Federal Trade Commission (FTC) Advisory Committee on Online Access and Security2. I have been a panelist at FTC and Department of Commerce workshops on online profiling and more recently, online privacy technologies.
EPIC works with consumer organizations on a wide range of privacy issues. We also work on the international level within coalitions such as the Trans Atlantic Consumer Dialogue (TACD) that brings together consumer advocates from the U.S. and Europe3.
I want to thank the Committee for inviting me to testify today on an issue that is of growing importance to the American public.
SURFER BEWARE REPORTS
Since 1997, EPIC has conducted annual "Surfer Beware" surveys on the state of Internet privacy. EPIC's survey of Internet privacy policies "Surfer Beware: Personal Privacy and the Internet" - the first survey of online privacy ever conducted - found that only 17 of the 100 most frequently visited websites posted privacy policies and that none met basic standards for privacy protection4. That report recommended that Internet websites make privacy policies easy to find, clearly state how and when information is collected, provide access to data already collected, make cookie transactions more transparent, and continue to support anonymity.
"Surfer Beware II: Notice Is Not Enough" assessed the online privacy practices of members of the Direct Marketing Association (DMA)5. The DMA was and is a leading proponent of industry self-regulation with regard to personal information. The report found that only 8 of the 40 new DMA members with websites had privacy policies and only 3 complied with the DMA's own guidelines published nine months earlier.
Our most recent report "Surfer Beware III: Privacy Policies without Privacy Protection" was conducted shortly before last year's holiday shopping season6. Looking at the top 100 e-commerce sites, we found that not a single one had a privacy policy that complied with the benchmark of Fair Information Practices. For example, many websites posted privacy policies but did not provide access to personal data already collected.
We also found that many of the privacy policies were confusing and inconsistent. While over 80% of the websites that we surveyed did post a privacy policy, our survey proved that posting a privacy policy has no significant correlation with a high level of protection.
In the years between our first and last reports, we have documented the lack of protections for consumer privacy in these crucial early years of e-commerce. It is no secret that consumer concerns about privacy on the Internet have not dissipated in this time. If anything, recent developments such as online profiling indicate that the current approach of self-regulation may be putting consumer privacy at increasing risk.
ONLINE PROFILING
Online profiling caught the attention of consumers earlier this year when online advertiser DoubleClick proposed to create detailed profiles on Internet users. The company came under fire for linking personal information such as a name and address to online profiles, records of what Internet consumers were doing online. In doing so, it reneged on earlier statements made in its privacy policy that all information it collected would remain anonymous7. In testimony before the Senate Commerce Committee in July of 1999, EPIC was one of the first organizations to publicly discuss the change in DoubleClick's business model8.
In early February, EPIC filed a complaint with the Federal Trade Commission (FTC) that DoubleClick had unfairly and deceptively misled consumers about its information collection practices. At the end of July, the FTC approved a set of self-regulatory guidelines that permits wholesale tracking of Internet consumers and linking of those profiles to personal information without the knowledge or permission of the consumer. The guidelines were negotiated with the Network Advertising Initiative (NAI), a group of online profiling companies.
In response, EPIC along with 13 other consumer privacy organizations signed a letter pointing out that "the NAI Principles recently endorsed by the Federal Trade Commission fail to provide an adequate level of privacy protection"9. The letter said that
The Principles will allow online profilers to combine previously declared anonymous data with personally identifiable data, like home addresses and telephone numbers. In the future, online profilers will be allowed to link information about online behavior with personally identifiable data on a burdensome opt-out basis. The persons profiled by these companies will have no guaranteed level of access to view what data has been collected on them. Personally identified profiles may also be distributed to any third party - for completely unrelated purposes - on an opt-out basis. All of these provisions, and others, will erode consumer control over the collection and use of highly detailed profiles10.
Furthermore, the letter faults the FTC for failing to involve the consumer advocacy community in negotiations with the Network Advertising Initiative. The negotiations were done behind closed doors and EPIC had to file a Freedom of Information Act request just to see the record of those proceedings.
EPIC, along with Junkbusters, completed a full analysis of the Network Advertising Initiative guidelines entitled "Network Advertising Initiative: Principles not Privacy" detailing the vague and weak restrictions it offers11. That review concluded that
The Principles perpetuate the secretive tracking of Internet users and run counter to the standards that consumers want. The Principles place the burden of privacy protection squarely on the consumer by relying on opt-out for both tracking of Internet users and linking of profiles to personally identifying information12.
Further, the report recommended that "strong laws and effective enforcement will spur Internet advertisers to adopt methods and technologies that promote consumer privacy"13.
Online profiling remains a serious concern for Internet users. I urge the Committee to ask the FTC why, despite its own recommendations for Internet legislation, it chose to approve self-regulatory guidelines for online profiling companies - the most personal information intensive sector that has developed to date on the Internet.
BANKRUPTCY
Apart from the activities of online profiling companies, the most recent development facing online consumers is the growing number of Internet companies that are auctioning off personal information when they go bankrupt. In June, online retailer Toysmart.com went bankrupt and advertised the sale of its assets in the Wall Street Journal. What caught the attention of many is that the company also attempted to sell its customer lists and other personal information in violation of representations made when it collected that data. The ongoing dot-com shakeout will likely produce more companies trying to recoup capital for their investors, but how will the privacy of this personal information be protected?
The FTC was able to pursue Toysmart.com since the company said that the information collected was "never shared with a third party". The FTC's attempted settlement fell short of requiring the company not to sell the personal data of its customers. Since then, other companies have been failing, similarly putting the information of their customers at risk.
Over Labor Day weekend, Amazon.com told its millions of customers that in the event that it failed - it would also declare their personal information as a business asset. That statement and other changes to the company's privacy policy prompted EPIC's decision to cut ties with the online bookseller. In a letter to EPIC's newsletter subscribers, we said that "Because of this decision, and in the absence of legal or technical means to assure privacy for Amazon customers, we have decided that we can no longer continue our relationship with Amazon"14.
Failing to guarantee that personal information will not be sold in the future is an obvious requirement of privacy protection but one that companies have avoided taking on. As bankruptcies become more common, the failure to provide privacy standards for online consumers allows companies to protect privacy only when it suits them. When bankrupt, the privacy of a company's customers is no longer important to the company and is no longer respected. Furthermore, the growing number of bankruptcies points to an underlying problem with the current reliance on privacy policies. By making privacy policies the only standard to which Internet websites are held, it allows companies to change the terms on consumers - most recently allowing companies to unilaterally declare personal information theirs to sell.
GOVERNMENT PRIVACY POLICIES
Another issue before the Committee today is the issue of government website privacy policies. While this will not be the focus of my own testimony, I do wish to make a few comments on this issue.
The General Accounting Office survey commissioned by Rep. Armey and others found that 97 percent of government websites did not comply with the FTC Fair Information Practice principles of Notice, Consent, Access, and Security.
We support efforts to strengthen the privacy safeguards for federal websites. History has proven that such restrictions are necessary to curtail possible governmental abuses of power. Events like Watergate spurred laws such as the Privacy Act of 1974 that provides citizens with an array of rights to protect their privacy.
I should also point out that government agencies - unlike commercial entities - are not free to use personal information however they wish. Government agencies have to comply with guidelines set out in law while commercial websites have to comply with privacy policies that they themselves write.
PRIVACY ENHANCING TECHNOLOGIES
Since the beginning of the online privacy debate, EPIC has urged the wide adoption of privacy-enhancing technologies to protect consumers. However, I would like to point out what makes a technology one that enhances rather than invades privacy. Privacy enhancing technologies make it easier to take advantage of rights as provided through Fair Information Practices and minimize or eliminate the collection of personal data.
Without legal guarantees that data is collected for limited specific purposes, is collected only with consent, is accessible to the consumer, is securely stored and transmitted, privacy technologies can currently do little to help consumers utilize their rights. Only when existing law provides those rights will technologies develop to help consumers take advantage of them. The Platform for Privacy Preferences (P3P) demonstrates the failings of online privacy technologies in an environment without privacy law. A report released earlier this June, entitled "Pretty Poor Privacy: An Assessment of P3P and Internet Privacy", details some of the protocol's failings15.
There is, however, one area in which technology can address privacy in the absence of laws. That is in the promotion of anonymity and elimination of the need to collect personal data. Most of the activities conducted online such as reading news, shopping for products, searching for information, can be done without the collection of information from consumers. However, the current trend towards "personalization" results in the increased storage and analysis of these basic online activities. Infomediaries that seek to provide information according to user preferences do not provide this anonymity. Rather than reinforcing that the dispersal of customer information should not be the norm, they seek to encourage more information collection by making it easier than ever for personal data to be disclosed.
CONCLUDING REMARKS
Internet consumers are facing an increasingly hostile environment. Faced by online profiling companies that seek to know about their online surfing habits and websites that change their privacy policies at will, consumers are increasingly left to their own devices in protecting their privacy. Technologies available to consumers, for reasons I mention above, have a role to play but will only have significant impact once legal standards become effective.
Congress has a critical role to play in safeguarding online privacy. It should build on the legal framework for privacy protection, consistent through many federal laws protecting personal information16.
There is significant public support for Internet privacy legislation17. Consumers should not be left without legal rights in the online world.
FOOTNOTES
1. EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. More information about EPIC is available at the EPIC website, http://www.epic.org
4. http://www.epic.org/reports/surfer-beware.html
5. http://www.epic.org/reports/surfer-beware2.html
6. http://www.epic.org/reports/surfer-beware3.html
7. For more information, see http://www.epic.org/doubletrouble/
8. http://www.epic.org/privacy/internet/EPIC_testimony_799.pdf
9. http://www.epic.org/privacy/internet/NAI_group_letter.html
11. http://www.epic.org/privacy/internet/NAI_analysis.html
14. http://www.epic.org/privacy/internet/amazon/letter.html
15. http://www.epic.org/reports/prettypoorprivacy.html
16. Fair Credit Reporting Act (1970) 15 U.S.C. § 1681; Family Educational Rights and Privacy Act (1974) 20 U.S.C. § 1232g; Cable Communications Policy Act (1984) 47 U.S.C. § 551; Electronic Communications Privacy Act (1986) 18 U.S.C. § 2510; Video Privacy Protection Act (1988) 18 U.S.C. § 2710; See Telecommunications Act (1996) 47 U.S.C. § 222; Children's Online Privacy Protection Act (1999) 15 U.S.C. § 6501.
17. Business Week/Harris Poll: A Growing Threat, March 20, 2000, http://www.businessweek.com/2000/00_12/b3673010.htm