Privacy Self Regulation: A Decade of Disappointment
By Chris Jay Hoofnagle
March 4, 2005
A hi-resolution version report is available in PDF (2.5 MB).
[Front Cover: Lists of personal information for sale from website
registrations.]
[Inside Front Cover: Letter forwarded to EPIC explaining that an
individual has no rights in personal information held by the company,
Locateplus.com.]
Summary
The Federal Trade Commission (FTC) is capable of creating reasonable
and effective privacy protections for American consumers. There is no
better example of this than the Telemarketing Do-Not-Call Registry.
The Registry, which was created and is now run by the FTC, makes it
easy for individuals to opt-out of unwanted telemarketing. Now, more
than 80 million numbers now no longer ring at the dinner hour.
Prior to the creation of the Registry, the telemarketing industry
created self-regulatory protections that were largely useless. One
had to write a letter to opt out of telemarketing, or pay to opt out
by giving their credit card number to the Direct Marketing Association
(DMA). The industry's self-regulatory efforts didn't even cover all
telemarketers-only those that were members of the DMA. At its peak,
the self-regulatory opt-out system had less then 5 million
enrollments.
FTC's success in the telemarketing field demonstrates that it can
protect Americans' privacy effectively and fairly. However,
telemarketing was a 20th century problem. This report argues that it
is time for the agency to move into the 21st century. It is time for
the agency to apply the principles of telemarketing privacy regulation
into the online world.
The FTC can protect privacy better than the industry can with
self-regulation. We now have ten years of experience with privacy
self-regulation online, and the evidence points to a sustained failure
of business to provide reasonable privacy protections.
New tracking technologies exist that individuals are unaware of, and
old tracking technologies continue to be employed. Some companies
deliberately obfuscate their practices so that consumers remain in the
dark. Spyware has developed and flourished under
self-regulation. Emerging technologies represent serious threats to
privacy and are not addressed by self-regulation or law.
Self regulation has failed to produce easy to use anonymous payment
mechanisms.
And finally, the worst identification and tracking policies from the
online world are finding their way into the offline world. In other
words, the lack of protection for privacy online not only has resulted
in a more invasive web environment, but has also started to drag down
the practices of ordinary, offline retailers.
EPIC calls upon the Federal Trade Commission and Congress to
seriously reconsider its faith in self-regulatory privacy approaches.
They have led to a decade of disappointment; one where Congress has
been stalled and the public anesthetized, as privacy practices
steadily worsened. We call on the government to create a floor of
standards for protection of personal information based on Fair
Information Practices.
I. The FTC Registry Is Better Than Market Alternatives
The Federal Trade Commission's (FTC) Telemarketing Do-Not-Call
Registry was a stunning privacy success. Americans enrolled 10
million numbers in the Registry in its first day of operation. Now,
the phone has stopped ringing on the more than 60 million numbers that
were enrolled by the public. The nuisance of telemarketing will now
be a thing of the past. Those who wish to receive telemarketing may
still do so, but others have an easy option to preserve the dinner
hour from interruption.
When one analyzes the decisions made by the FTC, it reveals that the
agency took steps to effect consumers' desires. The FTC publicized
the existence of the Registry and gave it a simple name and URL on the
Internet. The FTC allowed people to enroll free by telephone or by
the Internet. The FTC minimized "authentication" burdens. That is,
the FTC made it easy for people to enroll by not requiring the
consumer to jump through unnecessary hoops. Some from the industry
suggested that only the line subscriber-not even a spouse or
roommate-could enroll.
The Do-Not-Call Registry was a success because the FTC took the
opposite approach from the self-regulatory system created by the
Direct Marketing Association (DMA). In every respect, the FTC ensured
that the Registry would be easy to use and fair, while the DMA's
opt-out mechanism was difficult to use and relatively unknown.
For starters, the DMA's system only applied to the industry
association's members. Telemarketers who had not joined the group
were not bound to comply with consumers' desire to opt-out. The FTC's
approach applied to a much broader group of telemarketers.
Second, the DMA's list was named the "Telephone Preference Service."
The name and acronym, "TPS," had no meaning to the public. To some,
it could mean a list of people who preferred to be telemarketed. The
FTC approach, on the other hand, was sensibly named and assigned a
easy to remember URL, http://donotcall.gov, on the Internet.
Third, the DMA's list required the consumer to actually write a
letter for free enrollment. To enroll online, the consumer had to pay
a fee and give their credit card number to the DMA. The FTC's
approach allows free Internet, mail, and telephone enrollment.
The FTC's Registry is universal, free, and easy to
use. Individuals could enroll online or by phone. The DMA's only
applied to its members, cost money to enroll online, and was difficult
to find. It's no wonder why the DMA's list only had 5 million
enrollments, while the FTC's has more than 80 million.
These forces combined to make the DMA's market approach to
telemarketing ineffective. The numbers speak for themselves. USA
Today commented in 2002 that: "In 17 years, just 4.8 million consumers
have signed up with the DMA's do-not-call list. By contrast, just five
states -- New York, Kentucky, Indiana, Florida and Missouri -- have
signed up roughly the same number in far less time."[i]
Today's self-regulatory approaches to Internet privacy are much like
the failed ones employed by the DMA for telemarketing. They are
difficult to use, confusing, and often offer no real protection at
all. This report details the current state of privacy on the
Internet, and illustrates the myriad ways in which threats to privacy
are becoming ever more grave, as new technologies are developed, new
practices become commonplace, and companies are not held accountable
for disregarding privacy risks. Collection of personal information on
the Internet runs rampant, both through direct and indirect means,
both in the open and in secret. It is imperative that the FTC act now
to correct these market failures. The FTC effectively and fairly
corrected the failures of a 20th century nuisance-telemarketing. It
is time for the agency to move into the 21st century and correct the
failures of self-regulation to meaningfully protect Internet privacy.
II. Ten Years of Self-Regulation and Still No Privacy In Sight
EPIC has completed three Surfer Beware reports assessing the state
of privacy on the Internet. "Surfer Beware I: Personal Privacy and the
Internet," a 1997 report, reviewed privacy practices of 100 of the
most frequently visited web sites on the Internet. It checked for
collection of personal information, establishment of privacy policies,
cookie usage, and anonymous browsing. The inquiry found that few
sites had easily accessible privacy policies, and none of these
policies met basic standards for privacy protection. However, at that
time, most of the sites surveyed allowed users to access web content
and services without disclosing any personal data. The report ended
with a recommendation of continuing support for anonymity and the
development of both good privacy policies and practices.
In 1998, EPIC produced "Surfer Beware II: Notice Is Not Enough," a
report based on a survey of the privacy practices of 76 new members of
the Direct Marketing Association ("DMA"), a proponent of
self-regulation of privacy protection. The DMA released guidelines in
1997 that would require all future members of the DMA to publicize
privacy policies and provide an opt-out capability for information
sharing. Of the 76 new members surveyed, only 40 had web sites, and
only 8 of these sites had policies satisfying the DMA's requirements.
The report concluded that DMA's self-regulation efforts were not
effective.
The 1999 report "Surfer Beware III: Privacy Policies without Privacy
Protection" assessed the privacy practices of the 100 most popular
shopping web sites on the Internet. It examined whether these sites
complied with common accepted privacy principles, used profile-based
advertising, and employed cookies. The survey determined that 18 of
the sites had no privacy policy displayed, 35 of the sites used
profile-based advertising, and 86 of the sites used cookies. None of
the companies adequately addressed Fair Information Practices,
commonly-accepted responsibilities covering collection, access to, and
control over personal information. Surfer Beware III concluded that
current practices of the online shopping industry provided little
meaningful privacy protection for consumers.
The Federal Trade Commission ("FTC") has given self-regulation a
decade to produce reasonable privacy protections online. The FTC
first visited online privacy in 1995, and with minor fluctuations
since then, has adopted a policy that embraces the idea that
self-regulation is "the least intrusive and most efficient means to
ensure fair information practices online, given the rapidly evolving
nature of the Internet and computer technology."[ii] It certainly is
the least intrusive approach for companies exploiting personal
information, but it has not efficiently ensured Fair Information
Practices. Of the five Fair Information Practices[iii] endorsed by
the FTC-notice, choice, access, security, and accountability-only
notice can be said to be present as a result of privacy statements.
The first fluctuation in the FTC's commitment to self-regulation
occurred in 1998, after the agency's survey of online practices showed
that the lowest level of protection for consumer, notice of privacy
practices, was not widely implemented. In a survey of 1400 web sites
conducted by the Commission, 92% of the commercial sites collected
personal information but only 14% had privacy notices. Of the
commercial sites, only 2% had a "comprehensive" privacy policy.[iv] In
reaction to these findings, the FTC was "still hopeful" that industry
efforts would produce adequate privacy protections.[v] At the time,
Chairman Pitofsky recommended that Congress pass legislation if
self-regulation failed to produce significant progress.[vi]
A year later in testimony to Congress, the FTC renewed its faith in
self-regulation, noting that many web sites had adopted privacy
policies. But protections beyond mere disclosure of practices lagged
behind. Only a small number of surveyed sites had incorporated
choice, access, and security into their practices. No meaningful
avenue for enforcement existed at all. Commissioner Sheila Anthony
concurred with the report's findings but dissented from its
recommendations, noting, "industry progress has been far too slow
since the Commission first began encouraging the adoption of voluntary
fair information practices in 1996. Notice, while an essential first
step, is not enough if the privacy practices themselves are toothless.
I believe that the time may be right for federal legislation to
establish at least baseline minimum standards."
"Notice, while an essential first step, is not enough if the
privacy practices themselves are toothless."
In 2000, a 3-2 majority of the FTC formally recommended that
Congress adopt legislation requiring commercial web sites and network
advertising companies to comply with Fair Information Practices.[vii]
However, a year later with the appointment of a new FTC Chairman, the
FTC embraced self-regulation again. Chairman Muris decided to focus
the Commission's attention on enforcing existing laws rather than
create new legislative protections for online privacy.[viii] Chairman
Muris indeed has expanded privacy protections through the creation of
a do-not-call list and with application of the agency's powers to
prevent unfair and deceptive trade practices.
The overall effect of the FTC's approach has been to delay the
adoption of substantive legal protection for privacy. The adherence to
self-regulatory approaches, such as the Network Advertising Initiative
that legitimized third-party Internet tracking and the Individual
References Service Group principles that concerned sale of SSNs,
allowed businesses to continue using personal information while not
providing any meaningful privacy protection. Ten years later, online
collection of information is more pervasive, more invasive, and just
as unaccountable as ever-and increasingly, the public is anesthetized
to it.
It doesn't have to be this way. The FTC has been effective in
protecting privacy when dealing with 20th century nuisances. It's
time for the FTC to apply the lessons from telemarketing and other
efforts to address the 21st century problem of Internet privacy.
III. Today's Tracking Methods Are More Pervasive and Invasive
Seven years ago, EPIC's report Surfer Beware I reviewed the status
of Internet users' privacy rights and protections on the 100 most
frequently visited web sites. The report was concerned primarily with
the solicitation, collection, use, and protection of personal
information obtained either from user-input forms or cookies.
Today, there are many more methods through which users can be
tracked, profiled, and monitored in the online world. Cookie
technology has matured-cookies are widespread and new uses have been
developed. Entirely new technologies have emerged as well, some of
which are all but unknown to consumers. Few of these methods are
regulated, either internally by industry or externally by
government. Without privacy legislation to protect Internet users from
improper use of the information collected on the web, companies are
unlikely to voluntarily cease privacy-invasive practices.
Cookies
Surfer Beware I discussed an Internet tracking technology over which
there was "a great deal of controversy"-cookies. It found that about
a quarter of the most frequently visited web sites used
cookies. Today, many websites use cookies for one reason or
another. In addition, there are several new wrinkles in the use of
this tracking technology.
Third Party Cookies
Today, websites that a user explicitly visits are not the only
entities which place cookies in your web browser-many web sites
contain advertising served by outside commercial providers, and these
providers may also send a cookie to your browser. These are known as
"third party cookies." Some web browsers, such as Firefox allow users
to block third party cookies.
Many web pages today have arrangements with third party ad servers
that serve advertisements to their pages. For example, the MSN
Privacy Statement lists two dozen third party ad networks that may
place cookies in a user's browser.[ix]
Privacy policies (such as MSN's) tend to frame these third party
cookies as a benefit to the user, allowing advertisers to "deliver
targeted advertisements that they believe will be of most interest to
you."
Persistent Cookies
A persistent cookie is one that remains on a user's computer after
she has quit the browser. These cookies can be used to set and
remember a user's web site preferences, settings, and passwords from
one browser session to the next, but can also be used for tracking and
monitoring purposes. A troubling recent trend is to design these
cookies to remain not just for many browser sessions, but for many
years. Google's search cookie, for example, will not expire until
January 17, 2038. This kind of long range tracking of users raises
significant privacy risks.
Web Bugs
A web bug is a graphic on a web page that allows tracking and
monitoring of visitors to that page. Web bugs are usually invisible,
"clear" images only 1-by-1 pixel in size. They are capable of
transmitting, back to the bug's originating server your Internet
Protocol ("IP") address, the page you visited, the time you visited,
browser information, and information from existing cookies in the
browser.
For market approaches to work, consumers must grasp both
technology and practices. But in a Pew Internet Report, 56% surveyed
couldn't identify a cookie.[x]
Web bugs are sometimes used for the innocuous purpose of counting
how many times a particular page is viewed and gathering statistics
about browser usage and web site usage. There are, however, much more
invasive uses, such as compiling a detailed web-browsing profile of a
particular user.
Web bugs are designed specifically to be secret and invisible. Many
Internet users today are aware of cookies, and may perceive them from
the appearance of visible advertisements. There are also tools to
manage cookies. Web bugs, however, can transmit information and set
cookies even when there is no telltale banner advertisement on the
website tipping off a user that information might be collected about
them. Furthermore, just one "allowed" cookie from an ad network opens
the door for all web bugs within that network to collect browsing
information about that user. With companies such as DoubleClick,
providing advertising to countless web sites, this risk is
significant. For instance, if a user with a DoubleClick cookie in
their browser loads a web page with a DoubleClick web bug on it, that
bug can grab the identifying information in the cookie and transmit it
back to the server along with the other information collected by the
bug.
Google's Gmail Content Extraction
On April 1, 2004, Google announced the launch of their new Gmail
service. Gmail is a web-based e-mail service offering one-gigabyte of
e-mail storage to users. Gmail is supported by advertisers who buy
keywords, much like the Google search engine's AdWords advertising
program, which lead to targeted advertisements displayed alongside an
e-mail message in a Gmail user's inbox. Gmail uses "content
extraction" (a term from Google's patents) on all e-mails sent to and
from a Gmail account in order to target the advertising to the user.
"If Google ogles your e-mail, will Ashcroft be far behind?"[xi]
Many privacy advocates hold the position that the Gmail service
violates the privacy rights of both Gmail users and non-subscribers.
Non-subscribers who e-mail a Gmail user have "content extraction"
performed on their e-mail even though they have not consented to have
their communications monitored, nor may they even be aware that their
communications are being analyzed.
This is a significant development in Internet tracking technology
because it is one of the first with the capacity and the structure to
monitor and record not just transactional data and personal
information, but the content of private communications.
Spyware
Spyware and adware are extremely invasive and annoying technologies
that have flourished in the self-regulatory world of Internet
privacy. Both can be broadly described as pieces of software placed on
a user's computer by a third party that perform unwanted
functions. Spyware and adware collect information about the user,
sometimes in complete secrecy without the knowledge of the user. Some
programs display pop-up ads on the user's monitor, while others track
and record everything the user does online. Information is sometimes
collected by the programs for the sole purpose of sending that data
back to an advertiser, and other times used to immediately serve
pop-up ads to the user. Users often inadvertently download and install
spyware and adware along with other desired computer programs, most
commonly file-sharing applications. McAfee, an Internet security firm
that sells popular virus protection and other personal computer
security programs, reported more than 2.5 million "potentially
unwanted programs" on its customers' computers, as of March 2004.[xii]
[TELECOM Digest Editor's Note: In the next issue of the Digest, we
will begin with Part IV of this essay, discussing even more nefarious
schemes to invade your privacy getting started. PAT