The IT Law Wiki

General

It is routinely acknowledged that the success of the Internet and electronic commerce depends upon the resolution of issues related to the privacy and security of online personal information.[1] Threats to the privacy of personal information arise primarily as a result of the widespread increase in the availability and use of computers and computer networks, the corresponding increase in the disclosure of personal information by Internet users to websites, the routine collection of personal information about online users by websites, and the utilization of online personal information for direct marketing and advertising purposes. The potential harm that can occur from unauthorized disclosures of such information has been well documented.[2] Increased availability of online personal information has contributed to the growth of the information industry.

Collection of personally identifiable information

Internet privacy issues encompass several concerns. One is the collection of personally identifiable information (PII) by website operators from visitors to government and commercial websites, or by software that is surreptitiously installed on a user’s computer (“spyware”) and transmits the information to someone else. Online users may voluntarily disclose personally identifying information, for example, to an online service provider for registration or subscription purposes, to a website, to a marketer of merchandise, in a chat room, on a bulletin board, or to an email recipient.[3] Information about online users is also collected by websites through technology which tracks, traces and makes portraits of every interaction with the network.

When a person accesses a website, the site's server requests a unique ID from the person's browser (e.g., Netscape Navigator, Microsoft Internet Explorer). If the browser does not have an ID the server delivers one in a "cookie" file to the user's computer. Websites use cookies to track information about user behavior.[4] Websites contend that the purpose for the use and collection of user data is so the computer receiving the data can send the information file requested to the user's computer, to permit website owners to understand activity levels within sites, and to build new Web applications tailored to individual customers.
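The exchange described above can be reproduced in a few lines. The following is an added illustration, not part of the original article: a simulated server checks the browser's Cookie header for an ID, issues one in a Set-Cookie header if none is present, and records each requested page under that ID. The cookie name `uid`, the function names, and the sample page paths are all constructed for this example.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "uid"  # hypothetical cookie name, chosen for this example


def handle_request(cookie_header, path, visits):
    """Simulate one page request on the server side.

    cookie_header: value of the browser's Cookie request header ("" if none)
    path:          the page being requested
    visits:        dict mapping visitor ID -> list of pages seen so far
    Returns (visitor_id, set_cookie); set_cookie is the Set-Cookie header
    value the server would send, or None if the browser already had an ID.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    set_cookie = None
    if COOKIE_NAME in jar and jar[COOKIE_NAME].value in visits:
        # Returning browser: the ID links this request to earlier ones.
        visitor_id = jar[COOKIE_NAME].value
    else:
        # No ID (or one the server never issued): deliver a fresh one.
        visitor_id = secrets.token_hex(16)
        out = SimpleCookie()
        out[COOKIE_NAME] = visitor_id
        out[COOKIE_NAME]["path"] = "/"
        out[COOKIE_NAME]["max-age"] = 365 * 24 * 3600  # persists for a year
        set_cookie = out[COOKIE_NAME].OutputString()
    visits.setdefault(visitor_id, []).append(path)
    return visitor_id, set_cookie


def simulate_browser(paths, visits):
    """Replay constructed requests from one browser that stores the cookie."""
    stored, issued, visitor_id = "", 0, None
    for path in paths:
        visitor_id, set_cookie = handle_request(stored, path, visits)
        if set_cookie is not None:
            issued += 1
            stored = set_cookie.split(";", 1)[0]  # browser keeps "uid=<value>"
    return visitor_id, issued
```

After three requests from the same simulated browser, the server has issued one cookie and holds an ordered list of every page that browser requested, which is the raw material for the profiling discussed later in this article.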

Monitoring of electronic mail and web usage

Another is the monitoring of electronic mail and Web usage by the government or law enforcement officials, employers, or e-mail service providers. Technologies like data mining software facilitate the use of online personal information for commercial purposes. Because of the power of computer networks to quickly and inexpensively compile, analyze, share, and match digitized information, electronic information is potentially much more invasive. Information that is stored electronically often can be linked by use of the same key, such as the social security number. The widespread use of the social security number for secondary purposes (e.g., credit, financial, motor vehicle, health insurance, etc.) has contributed to this phenomenon.

Computers make information multi-functional as vast amounts of consumer information are collected, generated, sorted, disseminated electronically, and perhaps sold, with or without consent. How valuable the information is depends in part on how descriptive it is and how it can be used. The Federal Trade Commission and the Department of Commerce have held a Public Workshop on Online Profiling to assess the impact of “online profiling” — the practice of aggregating information about consumers’ interests, gathered primarily by tracking their movements online, and using the profiles to create targeted advertising on websites.[5]

Identity theft

A third issue, identity theft, is not an Internet privacy issue per se, but is often debated in the context of whether the Internet makes identity theft more prevalent. For example, Internet-based practices called “phishing” and “pharming” may contribute to identity theft.

Commercial website practices

One aspect of the Internet (“online”) privacy debate focuses on whether industry self-regulation or legislation is the best route to assure consumer privacy protection. In particular, consumers are concerned about the extent to which website operators collect “personally identifiable information” (PII) and share that data with third parties without their knowledge.

FTC activities and fair information practices

The Federal Trade Commission (FTC) conducted or sponsored several surveys between 1997 and 2000 to determine the extent to which commercial website operators abided by four fair information practices: providing notice to users of their information practices before collecting personal information, allowing users choice as to whether and how personal information is used, allowing users access to data collected and the ability to contest its accuracy, and ensuring security of the information from unauthorized use. Some include enforcement as a fifth fair information practice. Regarding choice, the term “opt-in” refers to a requirement that a consumer give affirmative consent to an information practice, while “opt-out” means that permission is assumed unless the consumer indicates otherwise.

Briefly, the first two FTC surveys (December 1997 and June 1998) created concern about the information practices of websites directed at children and led to the enactment of COPPA. The FTC continued monitoring websites to determine if legislation was needed for those not covered by COPPA. In 1999, the FTC concluded that more legislation was not needed at that time because of indications of progress by industry at self-regulation, including creation of “seal” programs (see below) and by two surveys conducted by Georgetown University.

However, in May 2000, the FTC changed its mind following another survey that found only 20% of randomly visited websites and 42% of the 100 most popular websites had implemented all four fair information practices. The FTC voted to recommend that Congress pass legislation requiring websites to adhere to the four fair information practices, but the 3-2 vote indicated division within the Commission. On October 4, 2001, Timothy Muris, who had recently become FTC Chairman, stated that he did not see a need for additional legislation at that time.

Advocates of self-regulation

In 1998, members of the online industry formed the Online Privacy Alliance (OPA) to encourage industry self-regulation. OPA developed a set of privacy guidelines, and its members are required to adopt and implement posted privacy policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust established “seals” for websites.

To display a seal from one of those organizations, a website operator must agree to abide by certain privacy principles (some of which are based on the OPA guidelines), a complaint resolution process, and to being monitored for compliance. Advocates of self-regulation argue that these seal programs demonstrate industry’s ability to police itself.

Technological solutions also are being offered. P3P (Platform for Privacy Preferences) is one such technology.[4] It essentially creates machine-readable privacy policies through which users can match their privacy preferences with the privacy policies of the websites they visit. One concern is that P3P requires companies to produce shortened versions of their privacy policies, which could raise issues of whether the shortened policies are legally binding, since they may omit nuances and “sacrifice accuracy for brevity.”

Advocates of legislation

Consumer, privacy rights and other interest groups generally believe self-regulation is insufficient. They argue that the seal programs do not carry the weight of law, and that while a site may disclose its privacy policy, that does not necessarily equate to having a policy that protects privacy. The Center for Democracy and Technology (CDT)[5] and the Electronic Privacy Information Center (EPIC)[6] each released reports on this topic.

EPIC’s report, Privacy Self Regulation: A Decade of Disappointment,[7] argues that the National Do-not-call Registry, which restricts telemarketing phone calls, demonstrates that government regulation can be more effective than industry self regulation. Calling telemarketing a 20th century problem, the report concludes that the FTC has given self-regulation a decade to work in the Internet privacy arena, and it is time for the agency “to apply the lessons from telemarketing and other efforts to address the 21st century [sic] problem of Internet privacy.”

Some privacy interest groups, such as EPIC, also feel that P3P is insufficient, arguing that it is too complex and confusing and fails to address many privacy issues. An EPIC report from June 2000 further explains its findings.[8]

Privacy advocates have been particularly concerned about online profiling, where companies collect data about what websites are visited by a particular user and develop profiles of that user’s preferences and interests for targeted advertising. Following a one-day workshop on online profiling, the FTC issued a two-part report in the summer of 2000 that also heralded the announcement by a group of companies that collect such data, the Network Advertising Initiative (NAI), of self-regulatory principles. At that time, the FTC nonetheless called on Congress to enact legislation to ensure consumer privacy vis-à-vis online profiling because of concern that “bad actors” and others might not follow the self-regulatory guidelines.

References

  1. See U.S. Government Information Infrastructure Task Force, A Framework for Global Electronic Commerce 10-12 (1997).
  2. See Jeffrey Rosen, The Unwanted Gaze: The Destruction of Privacy in America (2000).
  3. A report by the National Telecommunications and Information Administration (NTIA) concluded that as the cost of digitally storing personal information becomes less expensive, the accumulation of personal information from disparate sources will become more cost-effective for users. U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995).
  4. See Vanderbilt University Owen Graduate School of Management, Commercialization of the World Wide Web: The Role of Cookies.
  5. Federal Trade Commission, Online Profiling: A Report to Congress (June 2000).
