
July 6, 1998

Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
14th Street and Constitution Ave, N.W., Room 4898
Washington, D.C. 20230

Re: Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy

The American Civil Liberties Union (ACLU) respectfully submits comments to the National Telecommunications and Information Administration (NTIA) in response to the Notice and Request for Public Comment in the above referenced matter. We have provided a brief section that outlines our general position on the protection of privacy online, which is followed by our responses to the questions posed by the NTIA Notice.

I. Introduction and Background

The revolutionary pace with which our communications infrastructures have grown, and the ever-increasing digitization of information, have truly made global access to intelligence easier and more efficient. However, the enormous advantages provided by electronic networking also present unprecedented threats to personal security and privacy. Unlike any other time in our history, it is now readily possible to gather, link and sell information about organizations and governments, and to compile profiles of millions of individuals that include their most sensitive and personal data.

The ACLU believes that the privacy of an individual is directly affected by the collection, maintenance, use and dissemination of personal information by government agencies and the private sector. Every day millions of people give away private data -- information about medical conditions, home addresses, mortgage borrowing, stock purchases, household incomes and Social Security numbers -- often providing such facts without understanding the consequences until it is too late. Without sufficient safeguarding of such information, we are all vulnerable to unwarranted, annoying and potentially dangerous snooping -- by governments, businesses, nosy neighbors and thieves. The ACLU believes that there must be a safety net for the most sensitive information and vulnerable populations, and that safety net must include remedies for the violation of law.

Today, a simple trip to the grocery store can unwittingly make a consumer vulnerable to snooping. Many stores now offer "discount club" membership programs that provide shoppers with new bonuses for their purchases if they provide their names and other information. The shopper in turn receives an identification card with a computer bar code that they present each time they make a purchase to receive a discount. While this practice seems innocuous enough, under some of these programs, each item the consumer purchases is recorded and stored online and is attributable to the purchaser. This information could include not only the brand of orange juice or cereal purchased, but the type of contraception the shopper uses. Although such information is arguably gathered for "marketing purposes," the buying and selling of computerized consumer data as a valuable commodity leaves open the possibility that such information can be purchased and linked to other databases with great ease. The following section briefly describes current uses of linked databases and the threats to individuals posed by such practices.

II. Linking of Information is Not Just a Virtual Reality

Thousands of online databases now provide ready access to revealing personal information about ordinary people, either through privately owned dial-up services or via the Internet.[1] These databases cover information ranging from tax records to arrest records, home addresses and telephone numbers. Moreover, many sites that provide personal information tout the ability to provide virtually any information. For example, one site we examined states that users can obtain information on a subject based on any of the following databases:[2]

  • Aircraft Locator
  • Auto Ownership by Name
  • Auto Ownership by Tag #
  • Auto Ownership by VIN #
  • Brokerage House Search
  • Business Analysis Report
  • Business Bank Account Search
  • Business Credit Report
  • Cellular Phone # to Address
  • Complete Background Check
  • Creditors of an Individual
  • Criminal Records Search
  • Death Master Index Search
  • Executive Business Relationships
  • Identify Social Security Number
  • Individual Credit Report
  • Individual Driving Record
  • International Bank Accounts
  • Personal Bank Accounts
  • Personal Stock Holdings
  • Phone Number to Name & Address
  • Personal Address from P.O. Box
  • Employment Information
  • Pre-Employment Background
  • Real Property Search
  • Skip Trace with SSN
  • Skip Trace without SSN
  • Social Security Number Search
  • UCC, Lien, Mortgage Search
  • Unpublished Phone Number
  • Watercraft Locator
  • Toll Calls
  • Cellular Toll Calls

Another similar site claims that it can create personal profiles of individuals using cross-referenced databases. "Background checks can be used by companies or individuals and are commonly used to verify and reveal information about employment applicants, nannies, someone you're dating, or if you're just 'unsure' about a certain person. This report can return complete background information on an individual by providing information from a multitude of sources including credit bureau headers, voter registrations, assessor records, civil court filings, bankruptcy filings, vehicle registrations, property ownership, drivers license files, corporate filings, telephone white pages, mailing lists and many more."[3] Moreover, many traditional information companies, such as Lexis-Nexis, a division of Reed Elsevier PLC, have offered access to controversial databases with information on real estate ownership, auto registration and voting records.[4]

Some recently publicized abuses of information highlight the dangers of poor information practices:

  • This year, after the Massachusetts Attorney General filed suit against tobacco manufacturers for reimbursement of tobacco-related health care costs, defendants in the suit sought access to the state database containing medical data on Medicaid patients. However, the Massachusetts state medical database not only includes information about Medicaid patients, but includes detailed information about every hospital visit by every individual in the state. It also contains other sensitive information -- all in one database. Previously, the state had defended the creation of the huge database, despite public outcry against its creation, by saying that it could limit the inspection of such records and ensure confidentiality -- now portions of that database are being turned over in litigation.[5]
  • In April 1997, the IRS announced that it had fired 23 employees and disciplined 349 others for using their computers to browse through tax returns of countless Americans. Similarly, in 1995, a former IRS employee who was a member of the Ku Klux Klan was convicted of improper use of computers after it was learned that he had gained unauthorized access to tax returns. The individual had reportedly bragged to a fellow Klan member that he could use his access to data to "build dossiers on people."
  • In 1996, ten current and former SSA employees were arrested for accepting bribes from a credit fraud ring in the business of selling mothers' maiden names to activate fraudulently obtained credit cards.
  • In April 1997, the Social Security Administration was forced to shut down its web site after reports that it may have provided unauthorized access to information about individuals' personal income and retirement benefits on the Internet. While the agency denied that it had received any claims of fraud stemming from the availability of such information on its site, many victims of credit card crimes or other fraud are unaware of how thieves obtained their information; thus, there is no way to verify who obtained information from the site, or about whom.
  • Earlier this year, Navy Senior Chief Petty Officer Timothy R. McVeigh (no relation to the Oklahoma City bomber) won a lawsuit against Naval investigators for illegally obtaining confidential information about him from his Internet Service Provider, America Online (AOL). The Navy sought to discharge the highly decorated officer from service for allegedly violating the military's "Don't ask, don't tell" policy by listing his marital status as "gay" on his civilian Internet user profile. Despite the legal victory, McVeigh suffered tremendous public scrutiny of his private life and has stated that AOL's disclosure ruined his career.
These are merely a few instances of privacy problems involving sensitive medical, Social Security, credit and other personal information that have received public attention. The possibility of countless other violations is very real, and these incidents show that current privacy protections are simply not working. We believe that these problems will only continue to proliferate as the digitization of information grows unless there is a safety net for such information.

III. Self Regulation Is Not Enough

    Despite the severity of these threats, American privacy protections have not kept pace with the information revolution. To date, the Administration and industry have relied on the "promise of self regulation" in the digital environment despite consistent disapproval by the public and privacy advocates. Even the questions posed by this Notice presume that self-regulatory measures are still the only measures under serious consideration by the Clinton Administration.

    We recognize that there are advantages to self regulation. From a business perspective such self regulatory initiatives are financially appealing and require less expenditure of time and resources, and there are some public education benefits where such initiatives promote awareness and provide clearly articulated and user friendly information. However, we remain unconvinced that self-regulation alone can provide an acceptable answer. We believe that the single most important issue raised by the Notice was relegated to the last question. Question 14 addresses where the appropriate balance lies between the freedom of information and privacy. This question should have been the starting point for the discussion of privacy online for the purpose of this proceeding. It states:

    14. The Administration's A Framework for Global Electronic Commerce cites the need to strike a balance between freedom of information values and individual privacy concerns. Please comment on the appropriate point at which that balance might be struck. What is the responsibility of businesses, organizations or webpages to protect individual privacy? To what extent do these parties have a right to collect and use information to further their commercial interests? To what extent is it the individual's responsibility to protect his or her privacy?

    Clearly, this proceeding and the ongoing discussions about how to protect the privacy of individuals need to maintain the balance between the right to gather and disseminate information (the right to free speech) and the importance of preserving the confidentiality of sensitive information (the right of privacy). We support the right of individuals to disclose, and of others to gather, information that is consensually given in exchange for a benefit, but we also believe government must provide a baseline of protection for private information. (Indeed, there may be less need for government involvement where the information disclosed is less sensitive or has a restricted use for a stated purpose.)

    We believe that the proper balance should allow for the collection of information from users who provide their information knowingly and voluntarily. Businesses and web site owners have a responsibility to users from whom they solicit and receive personal information. Even where users knowingly share personal information for a benefit, they should still have rights to control against its use or abuse. Certain types of information are so sensitive that site owners or businesses should have no right to share them with third parties without an affirmative grant of authority. For example, Social Security Numbers and medical information should always be non-transferable by recipients of such information unless specific consent is given. Businesses and site owners must also be responsible for safeguarding any information that they collect so that it is secure, accurate and not used for secondary purposes without consent.

    We believe that the following principles must be incorporated into legislation:

    • Personal information should never be collected or given out without the knowledge and permission of the subject of such information. The most sensitive personal information, such as Social Security Numbers, should be non-transferable without notification or express affirmative consent, and the circumstances under which it can be collected must be limited.
    • Federal and state government may not acquire information that is collected by the private sector. Moreover, individuals who are the subject of improper government browsing of data should be provided notice and redress.
    • There must be no intermingling of government and private sector collected data for the creation of membership or identification cards -- e.g. smart cards -- which include private information and government issued driver's license numbers.
    • Organizations must inform users as to why they are collecting personally identifiable information and they may not reuse such information for any purpose other than the stated reason for which they receive user permission. Information may only be reused if the individual provides affirmative consent to the new use.
    • Information that is collected with permission must be secure from intrusion and unauthorized browsing. Any information that is no longer being used for the stated purpose for which it is sought should not be retained.
    • Users who provide consent to collection of information must have the right to examine, copy, and correct their own personal information.
    • Government restrictions on the development and use of strong encryption programs to secure online information and communications must be removed. Such utilities must be widely available to provide security against government and third party abuse of information.
    • These principles should be enforceable by law. And no service, benefit or transaction should be conditioned on a user's waiving of her privacy rights.

    Without a safety net for individual privacy, the damage that may ensue from improper disclosure of information may wreak financial havoc, cause the loss of employment or inflict tremendous emotional harm on individuals. These harms may be irreparable. Thus, to the extent that information is to be collected from individuals, we seek to ensure that the public understands what may happen if they choose to reveal information and what they can do in the event of misuse or damaging inaccuracies.

    While we believe that self regulation is beneficial to the extent that it helps raise awareness among users and protects information that is not sensitive or personally identifiable, we believe that it is not enough for the following reasons:

      1. Self Regulation Has Not Been Widely Embraced

        By the Federal Trade Commission's own statistics in its June 1998 Report to Congress, self regulatory practices have been implemented by a minuscule number of sites. The report generally concluded that privacy protection is simply not occurring. It states:

        "The Commission's survey of over 1,400 Web sites reveals that industry's efforts to encourage voluntary adoption of the most basic fair information practice principle -- notice -- have fallen far short of what is needed to protect consumers. The Commission's survey shows that the vast majority of Web sites -- upward of 85% -- collect personal information from consumers. Few of the sites -- only 14% in the Commission's random sample of commercial Web sites -- provide any notice with respect to their information practices, and fewer still -- approximately 2% -- provide notice by means of a comprehensive privacy policy....The Commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold."

        The FTC Report further confirms the ACLU position that the failure to implement true privacy protection will have a profound impact on the growth of the digital environment. It states, the "[d]evelopment of the online marketplace is at a critical juncture. If growing consumer concerns about online privacy are not addressed, electronic commerce will not reach its full potential. To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information."

        Additionally, as part of the comments submitted herewith, the ACLU conducted a survey of more than a dozen of the most highly rated financially oriented web sites that gather private information from users; the results support our conclusion that self regulation alone is insufficient. Despite the small number of sites surveyed, we believe our findings provide a useful demonstration of current practices at some of the most highly trafficked sites on the web. Moreover, the survey deliberately included some of the best rated financially oriented sites -- which gather highly sensitive user data -- and which therefore should ideally engage in the strongest privacy protection practices. Instead, our survey found that in the few instances where sites provide privacy policies or notice about their information collection practices, there is little user choice about how the information will be used, little indication of how individuals can obtain access to such information, and little indication of whether there is any recourse for abuse of the information. Given the nature of our study, the ACLU is alarmed by the lack of attention paid by industry.

      2. Self Regulation Does Not Provide Users With Mechanisms for Private Redress or Government Intervention

        Privacy policies that explain the information practices of sites collecting sensitive information are often not provided. Even where sites do provide some type of notice to users, notice alone is not an effective protection. Users should be informed how they can seek redress where there is a failure to protect their data, both from a government agency and directly from the site owner. There is little incentive in a free market setting to provide genuine accountability to the user. Even where penalties are imposed by self-auditing programs, those penalties may affect the site's accreditation, but they provide no recourse to an aggrieved user. For example, in the ACLU survey of the privacy policies of top rated financial sites, one site out of the 14 reviewed uses the TRUSTe self-auditing mechanism. However, that site disclaims any liability "for any breach of security or for any actions of third parties which receive information." None of the sites we surveyed provided anything beyond an e-mail address for complaints or questions about privacy protections, and half of the sites do not provide even an e-mail address or general privacy information.

        For a detailed discussion of accountability mechanisms, enforcement, consumer recourse, verification and consequences see the ACLU response to Question 6 of the NTIA Notice (below).

      3. Self Regulation Does Not Offer Genuine Safeguards for Sensitive Data

        Some forms of data, such as medical records and financial information, are so sensitive that the failure to protect them can have devastating and irreparable effects. While we believe that government oversight is necessary to ensure that privacy protections are actually implemented by all sites and not merely advertised, we believe that the level of regulation should depend on the nature of the information collected.

      4. The Current State of the Law Discourages Self Regulation

        Many site owners are reluctant even to provide notice about their fair information practices and how they use or reuse information, not only because in the current regulatory environment there is no requirement that they do so, but also because publishing a privacy policy may create new liability. Providing notice about such practices may subject the owner to liability if the notice is deemed misleading by the FTC.[6] A site with no notice, on the other hand, would as a general matter not be subject to review under the current regulatory scheme even if it engaged in harmful practices such as reselling an individual's data without disclosure or consent. The FTC's June 1998 Report to Congress on Privacy Online acknowledges the agency's currently limited authority over the implementation of fair information practices. It states:

        "The federal government currently has limited authority over the collection and dissemination of personal data collected online. The Federal Trade Commission Act (the "FTC Act" or "Act")(161) prohibits unfair and deceptive practices in and affecting commerce. The Act authorizes the Commission to seek injunctive and other equitable relief, including redress, for violations of the Act, and provides a basis for government enforcement of certain fair information practices. For instance, failure to comply with stated information practices may constitute a deceptive practice in certain circumstances, and the Commission would have authority to pursue the remedies available under the Act for such violations. Furthermore, in certain circumstances, information practices may be inherently deceptive or unfair, regardless of whether the entity has publicly adopted any fair information practice policies. ... However, as a general matter, the Commission lacks authority to require firms to adopt information practice policies."

      5. The Public Wants Government Oversight of Private Collection Practices

        The American public has made it clear that it wants government intervention to ensure privacy. Recent studies have repeatedly documented that the number one concern of online users is privacy.[7] These studies have found that most users of the Internet are afraid to engage in commercial transactions or provide any personally identifiable information because they do not know how such information would be used. Such fear results not only in commercial harm for businesses looking to provide services online, but also has serious implications for individuals' First Amendment rights. For example, a user seeking information from a controversial site may be reluctant to obtain such information or even browse the site for fear that they cannot do so anonymously and that information about their inquiries or membership at that site will not remain confidential. An analogous case in point occurred earlier this year, when Independent Counsel Kenneth Starr, who is investigating President Bill Clinton for potential criminal wrongdoing, subpoenaed information from local bookstores about the book purchases of a potential witness, Monica Lewinsky. Could the next subpoena be for the list of web sites an Internet user has registered with or browsed?[8]

      6. Self Regulation Has Been Rejected By the International Community

    Moreover, as the effective date of the European Privacy Directive approaches this October, the failure of the U.S. to offer meaningful safeguards to personal information may have a devastating impact on commerce in the electronic world. Members of the EU have announced that they will target American e-commerce companies for legal action if they fail to guarantee confidentiality of personal data that is processed in the United States.[9] While (large) companies could potentially sign contracts with individual EU countries guaranteeing that they will comply with the relevant national laws and provide necessary audits on information gathered about citizens of the member country, that could mean that users outside of the U.S. would be entitled to stronger protection by industry than domestic users. Smaller businesses with online sites could face tremendous difficulty in ensuring that they are not violating fair information laws abroad, since it is virtually impossible to accurately determine the geographic location of a particular user. Thus, while the EU Privacy Directive may not be the best solution from the U.S. perspective, a legislative enactment should strive to find a more common solution.

    IV. Protection Should Be Comprehensive For All Users

    While the FTC Report to Congress is critical of information collection practices today, the report generally concludes that legislation aimed at preventing the collection of information from children must be the first issue addressed by Congress. We commend the FTC's recognition that many unfair practices and potentially dangerous transactions are occurring as a result of the collection of private information online, and we recognize the significance of ensuring that information about children is not abused by third parties. However, the ACLU believes that any legislation or regulation to provide a safety net for information must be comprehensive, must include all online users, and must include baseline principles written into law. We agree that there is an important interest in protecting children, but remain unconvinced by a solution that limits all collection of personally identifiable information from minors, regardless of the nature of the site, the information sought, and the purposes for which it is sought.

    The FTC proposal on children's privacy also makes no distinction between the nature of the information sought from minors and the purposes for which it is sought.

    For example, by requiring all site owners who obtain information from minors to get parental consent prior to collecting the information, the proposal makes no distinction between direct marketing sites and sites that collect general registration information for educational purposes. In addition, such a proposal may restrict the ability of minors to seek information from sites that they are afraid to ask parental consent to join, such as sites that provide resources, electronic mailing lists or newsletters on safer sex, or gay and lesbian support information. Moreover, minors who do not receive parental consent because their parents do not have Internet access or because they are unavailable may be denied the ability to receive information to which they have a constitutional right. Thus, we believe that the proposal does not just limit the collection of information for direct marketing purposes from minors but may also impair the ability of minors to receive constitutionally protected information.

    Moreover, we believe that the FTC's recommendation for the protection of children's privacy online -- that site owners be required to obtain parental consent prior to disclosing any information, including children's e-mail addresses -- would be impossible to verify. As the Supreme Court noted in Reno v. ACLU, there is no way to verify the identity, age or geographic location of users online. 138 L. Ed. 2d at 888. As the Court noted, and as is still true today, most sites are not financially or technically capable of providing screening measures such as requiring proof of age.

    The following section provides brief comments by the ACLU to the questions posed by the NTIA in the Notice and Comment. However, the NTIA Notice has asked questions based exclusively on the premise that self regulatory mechanisms should be enacted. While we believe that self regulatory mechanisms may be advantageous in some cases, we are committed to our belief that self regulation alone is wholly insufficient and that a regulatory or statutory framework is essential to ensure accountability to the American public.

    The discussion paper sets out nine specific characteristics of effective self regulation for privacy: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences. Which of the individual elements set out in the draft discussion paper do you believe are necessary for self regulation to protect privacy? To what extent is each element necessary for effective self regulation? What are the impediments and costs involved in fulfilling each element of a self regulatory scheme? What are the competing interests in providing each element? How would the inclusion of each element affect larger, medium sized, and smaller companies? What advantages or disadvantages does each element hold for consumers? What are the challenges faced by companies in providing each element? How do these challenges depend upon the size and nature of the business?

    While the ACLU believes that self regulatory measures cannot successfully protect individual privacy, we encourage the use of each of the nine factors set out in the discussion paper for the implementation of a legislative or regulatory privacy safety net. By providing a legal framework for the adoption of these principles instead of relying on self regulatory measures alone, we believe there will be greater consistency in what users are told and greater incentive for sites that collect information to take measures to protect privacy.

    We have provided a brief explanation of the factors below:

    • Awareness. We agree that consumers need to know the identity of the collector of their personal information, the intended uses of the information, and the means by which they may limit its disclosure. However, we do not believe that notice of who is collecting the information is sufficient. We believe that where personally identifiable information is collected, users should be provided with a clearly articulated explanation of the site owner's privacy policy. Privacy policies should plainly state the manner in which a site collects, uses, and protects data, and the choices the site offers consumers for exercising rights in their personal information; they should be posted in a highly visible manner that is accessible before a user is required to disclose any information. On the basis of such information, users should be free to make decisions about what information they will provide and what limitations they will place on the use of their data. These policies should include a clear explanation of why the information is gathered, how the information will be protected, and whether users must disclose information in order to use the site. The policies must also clearly articulate whether users will have access to information that is gathered about them, and how they can gain access to and modify, delete or update information that a site has collected.
    • Notification of Uses. Privacy procedures and data collection notices should also explain whether the data will be shared with third parties or used for any purposes other than the stated purpose. If information will be used for incompatible purposes or by other parties, users must be asked for permission.
    • Choice: Consumers should be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties. Consumers must be provided with simple, readily visible, available, and affordable mechanisms--whether through technological means or otherwise--to exercise this option. We believe that the best approach is to allow users to opt-in if they consent to third party sharing of their information or other secondary uses of the data.
    • Data Security. Companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, alteration or destruction. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is comparable to their own. Such measures should include the use of security programs such as encryption, or anonymous or pseudonymous use of the site. (See ACLU response to Question 3 below.)
    • Data Integrity. Companies should keep only personal data relevant for the purposes for which it has been gathered, consistent with the principles of awareness and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current. Data should not be retained any longer than necessary.
    • Consumer Access. Consumers should have the opportunity for reasonable, appropriate access to information about them that a company holds, and be able to correct or amend that information when necessary. Consumers should not have to pay to receive access to their information.

    For a discussion of accountability mechanisms, enforcement, consumer recourse, verification and consequences see our response to Question 6.

    The draft discussion paper notes that individual industry sectors will need to develop their own methods of providing the necessary requirements of self regulation. How might companies and/or industry sectors implement each of the elements for self regulation?

    While the ACLU believes that self regulatory methods alone have not been successful and that such mechanisms cannot ensure accountability or appropriate oversight, we believe that tools such as self-audit programs may help sites educate their users about the protections they offer. Such mechanisms may be appropriate for sites that collect less sensitive information from users. For example, the TRUSTe Privacy Program, a self-audit program used by some sites, provides an online "seal" or trustmark to signify disclosure of a Web site's personal information privacy policy. Sites that display the trustmark have formally agreed to adhere to the TRUSTe privacy principles and to disclose their information gathering and dissemination practices. These companies must disclose to TRUSTe auditors what information they gather, how the information will be used, and with whom they share it.

    Thus, we believe that self-auditing measures may be useful in areas where less government regulation is required because the collection and use of data is limited. However, these mechanisms should not be relied on where sites collect sensitive information, such as medical or financial data; there, greater governmental oversight and accountability on the part of site owners is required.

    Please submit examples of existing privacy policies. In what ways do they effectively address concerns about privacy in the information to which they apply? In what ways do they fail?

    To illustrate the varied approaches used by commercial sites that gather information online, the ACLU surveyed certain sites that were included in a section of PC World Magazine's 1998 "Best Web Sites." The 19 sites the ACLU reviewed were ranked by PC World Magazine as providing the top "investment tools and advice" and best "online trading" for consumers. The ACLU chose to evaluate this section of PC World's "top sites" since they involve the exchange of personally identifiable information that may include financial and personal data, which we believe are the types of information that should receive the strongest protections. We reviewed the privacy protections afforded at each site using the criteria provided in the Discussion Draft that accompanied the NTIA Notice. We have provided an explanation and summary below.

    Factors Analyzed and Summary of Results:

    • Collection of Personally Identifiable Information - what types of data are collected at these sites?

    All of the sites collect personally identifiable information, including name, address and telephone number. Some sites also requested the user's income, an estimate of total financial investment value, type of investment, credit card information and Social Security Number.

    • Is there a privacy policy on the site? The Draft Discussion Paper accompanying the NTIA Notice for this proceeding provided a basic definition of what privacy policies should include. The discussion paper states that "privacy policies articulate the manner in which a company collects, uses, and protects data, and the choices they offer to consumers to exercise in their personal information."

    Of the 19 sites we reviewed, more than half (eleven) neglect to publish any privacy policy, even one giving bare minimum notice of how information is used. There was no uniformity among the sites that provided policies, and not all of the policies gave users the ability to opt out of, or otherwise restrict, uses of their data by third parties.

    Two sites use the third party self-auditing service provided by TRUSTe to make public information about their information practices, and provide links to the TRUSTe site for information about grievances.

    • Notification: Are users provided with an explanation of the primary uses?

    Seven sites provided an explanation of why information is gathered. One site states that information is gathered for direct marketing purposes. The remaining sites offer no explanation of why information is gathered.

    • Choice: May users limit third party use?

    One site permits users to opt-in if they would like to receive other information from the site owner or from third parties.

    Nine sites permit users to opt-out of receiving additional information from the site owner or from third parties. One of these sites asks users who decline the reuse of their information for their name, address, phone number and Social Security Number in order to have their information removed.

    Three sites state that information will only be used by the site owner.

    Six sites provide no information on the use of data or user's ability to control their information.

    • Data security: Do the site owners describe precautions to protect information from loss, misuse, alteration or destruction?

    One site provides a detailed explanation about mechanisms used to safeguard information.

    Thirteen sites provide no information on how information is stored after it is collected.

    • Data integrity and consumer access were considered together to determine if users have an opportunity for reasonable, appropriate access to information about them.

    Twelve sites permit some degree of user access to their profiles. Six provide no explanation about how users can change their information.

    • Accountability: is there any statement that companies will be accountable for compliance with their policies?

    The eight sites that provide privacy policies also provide e-mail contact information for general questions.

    Only one site states what remedies are available under the applicable laws. No site explains how it would be held accountable in the event of a breach of security.

    Three sites explicitly disclaim any liability for breach of security or abuse of information by third parties.

    4. Are elements or enforcement mechanisms other than those identified in the draft discussion paper necessary for effective self regulation for privacy protection? If so, what are they? How might they be implemented? In addition to the fair information practices and enforcement mechanisms stated in the discussion draft, are there other privacy protections or rights essential to privacy protection?

    There Is No Privacy Without Appropriate Security -- Privacy and security are inextricably linked in online transactions. One of the most important elements for privacy protection, the use of cryptography, has been omitted from the discussion draft. Cryptography is essential as a security measure whenever sensitive information is gathered or whenever a commercial transaction is conducted online. We believe that the widespread use and availability of cryptographic programs will ensure greater data integrity and user confidence by making unauthorized use or prying far less likely. Through the use of cryptography, communications and information stored on and transmitted by computers can be protected against third party interception.

    As the district court in ACLU v. Reno recognized, electronic messages sent over the Internet are not "'sealed' or secure, and can be accessed or viewed on intermediate computers between the sender and the recipient (unless the message is encrypted)." 929 F. Supp. at 834 (emphasis added). Similarly, the district court in American Library Association v. Pataki lamented the insecurity of electronic communications via the Internet relative to communications via U.S. mail, noting that "[w]hile first class letters are sealed, e-mail communications are more easily intercepted." American Library Association v. Pataki, 969 F. Supp. 160, 165 (S.D.N.Y. 1997). That court went on to note that "[c]oncerns about the relatively easy accessibility of e-mail communications have led bar associations in some states to require that lawyers encrypt sensitive e-mail messages in order to protect client confidentiality." Id. Thus, encryption enhances the privacy of communications that may otherwise not be secure or remain confidential.

    Cryptography provides an envelope, seal and signature for otherwise unprotected electronic communications.10 It accomplishes four essential tasks necessary to both business and individual privacy:

    1. ensuring the integrity of data. Cryptography can detect deliberate or accidental alterations in digital messages.
    2. authentication of users. Cryptography can establish and verify the identity of a party to a communication.
    3. nonrepudiation. Cryptography protects against impersonation and denial of creation. A digital signature made with a private key that only the sender holds makes it very difficult for a party to a communication to later deny that he or she sent it; a secret shared by both parties cannot provide this, since either party could have produced the same result.
    4. preservation of confidentiality. Cryptography can protect against others gaining access to private communications.
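    The following program is an added illustration of the first, second and fourth tasks above and of the "intermediate computer" problem described in ACLU v. Reno; it is not part of the ACLU's submission and does not describe any particular product. It builds an encrypt-then-MAC "envelope" using only the Python standard library: a toy stream cipher derived from HMAC-SHA256 in counter mode (an assumption made for the sake of a self-contained example, not a standard construction; a deployed system should use a vetted authenticated cipher), an HMAC tag for integrity and authentication, and a constructed sample message. The comments also make explicit why this shared-key design cannot provide nonrepudiation.

```python
"""Illustrative encrypt-then-MAC envelope built only from the Python standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a pseudorandom keystream from HMAC-SHA256 in counter mode.

    Toy stream cipher for demonstration only (assumption of this example);
    it is not a standard construction. Use a vetted AEAD in real systems.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message so keystreams never repeat
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bytes:
    """Verify the tag BEFORE decrypting; raise on any alteration or wrong key."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity/authentication check failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def intermediary_demo() -> dict:
    """Simulate an e-mail hop: an intermediate host sees the envelope and tries to read or alter it."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    message = b"Client file 4471: settlement authority up to $250,000"  # constructed sample
    envelope = seal(enc_key, mac_key, message)

    results = {}
    # Confidentiality: the plaintext is not visible to the intermediate host.
    results["plaintext_hidden"] = message not in envelope
    # Integrity: flipping a single ciphertext bit is detected on receipt.
    tampered = bytearray(envelope)
    tampered[NONCE_LEN] ^= 0x01
    try:
        open_sealed(enc_key, mac_key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Authentication: a party without mac_key cannot produce an accepted envelope.
    forged = seal(enc_key, secrets.token_bytes(32), b"Approve transfer")  # impersonator's key
    try:
        open_sealed(enc_key, mac_key, forged)
        results["forgery_rejected"] = False
    except ValueError:
        results["forgery_rejected"] = True
    # The legitimate recipient still recovers the original message.
    results["roundtrip"] = open_sealed(enc_key, mac_key, envelope) == message
    # Nonrepudiation is NOT provided: both ends hold mac_key, so the recipient could
    # have produced this tag as well. That property needs an asymmetric digital
    # signature made with a private key held only by the sender.
    return results


if __name__ == "__main__":
    print(intermediary_demo())
```

    The order of operations in open_sealed is the practitioner's check worth remembering: the tag is verified before any decryption is attempted, so an altered or forged envelope is rejected without ever producing plaintext, and the comparison is constant-time so the check itself does not leak the tag.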

    Communications conducted via electronic mail and electronic fund transfers that take place during any online commercial transaction require secure means of encryption and authentication. Without readily-available encryption software, however, electronic communications can be easily intercepted, and data intended to be private may be rendered vulnerable to exposure. We believe that the Commerce Department must encourage wide availability of cryptographic technology and that the development and use of cryptography must be unencumbered by government regulation. Hence, the ACLU concludes that implementation of online privacy protections must include a removal of the Commerce Department's encryption licensing rules.

    A second factor which will greatly enhance the protection of user privacy is allowing and encouraging "anonymous browsing" on the Internet. By allowing users to make purchases or browse using digital cash or digital pseudonyms, sites could reduce the amount of personally identifiable information that is gathered unnecessarily. Moreover, by incorporating digital cash payment schemes or allowing users to register at a site with a pseudonym, sites would greatly reduce user concerns about interception of credit card information or other sensitive material. The Commerce Department should seek to promote awareness about anonymity and encourage the development of digital cash payment mechanisms.

    Thus, we conclude that the use of technological solutions including encryption programs and programs to enhance anonymous use of online services are critical elements to ensuring online privacy. These tools are of minimal cost to sites and should be a requirement of any privacy protection scheme.

    5. Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?

    Clearly there is some information that individuals may wish to give up in exchange for some benefit -- in such cases, users should be free to waive limitations if they provide consent and they are clearly informed about how their data will be used. Generally, there is no doubt that consumer limitations on how information is used must be respected by recipients of such information -- be they direct recipients or purchasers of the data. Without an extension of consumer limitations of information use to non-parties to the original agreement any regulation would be rendered meaningless. Thus, as with any other transfer of obligations during a commercial negotiation or transaction, any rights or remedies an individual has against the original recipient of personally identifiable data must be applicable to third parties that acquire such information.

    More importantly, in some cases there should be no right for companies to transfer sensitive information such as Social Security Numbers or medical information without obtaining express consent from the individual and fully disclosing the identity of the recipients of the information, including subsidiary companies. While consent should be sufficient for less sensitive information, the risk of abuse of sensitive information is so great that there should be further legal protection for certain types of information. Any privacy protection safety net must also provide remedies for the transfer of sensitive or less sensitive information without consent. These remedies must provide for consumer redress and for government action.

    6. Please comment specifically on the elements set out in the draft discussion paper that deal with enforcement (verification, recourse, and consequences) and suggest ways in which companies and industry sectors might implement these. What existing systems and/or organizations might serve as models for consumer recourse mechanisms, and explain why they might or might not be effective? Would a combination of elements from existing systems and/or organizations be effective? How might verification be accomplished? What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary, and in what cases would something such as self certification or assertions that one is "audit-ready" suffice? What criteria should be considered to determine the kind of verification that would be appropriate for a company or sector? What constitutes "reasonable access?" What are the costs/impediments involved in providing access? What criteria should be considered to determine "reasonable access" to information for a company or sector?

    In order to create effective verification, recourse and consequences for misuse of personally identifiable data there must be oversight by the government beyond the private verification remedies suggested by proponents of self regulation. The ACLU believes that legislation designed to be a safety net for privacy protection should include the following principles:

    • Users must be notified when there is a breach in privacy;
    • Users must be allowed to limit the use of information by requiring that sites obtain consent prior to collecting data;
    • Users must be provided with the opportunity to review information that is maintained about them and correct, delete or modify the information;
    • Third party verification may be necessary depending on the nature of the information that is obtained, e.g., medical information or financial information collection would be subject to a higher standard of verification than a site that merely acquires an e-mail address;
    • All sites that gather personally identifiable information will be subject to regulation and must be prepared for outside review of their procedures. There should be greater government oversight and stricter reporting requirements on companies, World Wide Web sites and government agencies that collect sensitive information.
    • Because the consequences that may result from improper disclosure may have a devastating impact on an individual, damages should not be conditioned on proof of intentional or willful violations of the law. Actual and statutory damages should be available to aggrieved individuals as well as punitive damages where a breach of privacy is the result of intentional or willful violations of the law.
    • All individuals should be provided with the ability to review or modify information that is obtained about them in a timely manner. Users must also be permitted to revoke consent to continued storage of data about them. Reasonable access includes a timely response that is free of charge to the individual. Failure to provide a timely response to a user's request for access to her own information should give rise to administrative recourse.

    Legislation must include the creation or extension of jurisdiction to an agency that will provide oversight to the implementation and review of fair information practices. Only through the appointment or creation of a body that will hold sites accountable will users truly have the resources to gain recourse against violations of privacy. Thus, individuals must have the right to petition an agency for both governmental and private sector privacy violations.

    7. In the section on consequences, the draft discussion paper states that "sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion." Identify appropriate consequences for companies that do not comply with fair information practices that meet this goal, and explain why they would be effective.

    The ACLU believes that individuals should have the ability to petition a government agency charged with overseeing the implementation of privacy protection legislation or regulation for redress and that they should have the right to seek statutory, actual or punitive damages against sites that engage in unfair practices depending on the nature of the compromised information or the breach of privacy. Financial sanctions should be imposed on sites that fail to meet the minimum standards established by the law.

    Congress should designate or establish a government body charged with enforcing fair information practices. Such a body could either operate under the auspices of the Federal Trade Commission through a Congressional extension of their authority, or by creating a commission dedicated to privacy protection. Without such remedies, self-audit or third party scrutiny or penalties are not sufficient to deter sites that profit from collecting user data.

    8. What is required to make privacy self regulation effective? Self-regulatory systems usually entail specific requirements, e.g., professional/business registries, consumer help resources, seals of accreditation from professional societies, auditing requirements. What other elements/enforcement mechanisms might be useful to make privacy self regulation effective? How have these enhanced or failed to enhance a self-regulation regime?

    Self regulation alone has proven itself ineffective in the absence of a legal framework that will ensure that claims about fair information practices are actually practiced and not merely an advertising or media ploy. Certification and accreditation are helpful to the extent that they provide a means of labeling that make it easier for consumers to make choices, but such accreditation offers little comfort where no penalty or accountability is enforceable by the individual.

    Moreover, as discussed in Section III (1) above, self auditing requirements that are voluntarily adopted by businesses or organizations that collect information have not been widely used. The Report to the Congress on Privacy Online by the Federal Trade Commission, June 1998, states that only a small percentage of sites on the World Wide Web provide any notice of their information collection. Even fewer provide comprehensive privacy policies. As we have demonstrated through our own survey of top financial service and online trading sites, even where privacy policies or notice are available, they provide the user with little or no understanding of how information will be used, what third parties may be given access to the data, how a user can verify such information or what recourse they have for violation of any agreement.

    12. What issues does the online environment raise for self regulation that are not raised in traditional business environments? What characteristics of a self-regulatory system in a traditional business environment may be difficult to duplicate online? Does the online environment present special requirements for self regulation that are not present in a traditional business environment? Does the traditional business environment have special requirements that are not presented in the online environment? What are these requirements?

    We believe that the nature of online communications and the ease with which information can be collected, linked, cross-referenced and sold present concerns that have not been as critical in traditional environments. Moreover, our organization does not believe that traditional fair information practices are adequate. Privacy protection has simply failed to keep pace with emerging technologies, and current laws such as the Electronic Communications Privacy Act, 18 U.S.C. 2510, et seq., do not cover all online communications or provide sufficient relief.

    13. What experiences have you encountered online in which privacy has been at issue? In what instances has privacy appeared to be at risk? In what instances is it well protected? In what ways have businesses or organizations been responsive to privacy concerns? How difficult have you found it to protect your privacy online? What circumstances give rise to good privacy protection in a traditional business setting or online?

    The failure to protect privacy online is a widespread problem that has alarmed many Internet users. As we have previously stated, Internet users are deeply concerned about abuses of information and are often reluctant to engage in communications for fear of how information may be used against them. In other instances, users have no understanding that information that they are providing may be sold or reused by other parties. We believe that the examples highlighted in our introductory section show the scope of the threats to privacy, by government agencies, hackers and by parties that promise to maintain the confidentiality of information.

    Our survey of web sites also leads us to the conclusion that even where businesses have elected to conduct self-audits or have posted privacy policies, the only effect of such efforts is to provide notice to users about practices. However, we, like many other privacy organizations, do not believe that notice alone is sufficient; only by providing individual redress can we ensure that companies will do more than claim to engage in privacy protection. 11

    The ACLU believes that circumstances that give rise to good protection in the online world include: situations where transactions are secure through the use of encryption, where individuals are not required to provide personally identifiable information or are allowed to have access using a digital pseudonym or anonymously. These and other technological solutions will tremendously reduce concerns about providing personal information where it is necessary and reduce the need for sites to gather information about users.

    ENDNOTES

    1See generally, Databases Online: What is Already Known, They've Got Your Number, by Will Rodger, ZDNET News Online, December 9, 1997.

    2 This information was found on the Cornerstone Information Services World Wide Web Site, at http://www.cypac.com/mall1/cisinfo/cis-surv.html#otherinvest. This private investigative agency is located in Austin, Texas and states that its services include: "surveillance, information resources, witness locate, missing persons and investigative services." Although the services provided are typical of private investigative services, we use their web site to illustrate the variety of information sources that can be used by any number of information brokers. We found this site by using the search engine "Yahoo!" and conducting a search for "personal investigation."

    3 This information is from the website of "Fast Track" investigative services. [The hyperlink in the original document did not survive.]

    4 See Databases Online: What is Already Known, They've Got Your Number.

    5 See Private Data, Public Worries, John Schwartz, Washington Post, June 8, 1998, F24.

    6 The FTC contends that it would have jurisdiction over deceptive statements about a site's privacy protection policies if such a statement were untrue under section . On the other hand, where there is no statement about how the company uses or protects information, there may be no claim because sites are not required by law to provide such notice.

    7 In March 1998, a Business Week/Harris poll found that Americans care deeply about privacy, and that the number one reason that people do not use the Internet is that they are discouraged by the lack of privacy protections afforded personal information and communications. The poll also found that 53 percent of Americans believe that legislation about how personal information is collected and used on the Internet must be enhanced.

    8 While the Electronic Communications Privacy Act, 18 USC 2510, et seq., protects electronic communications such as electronic mail and information users provide to Internet Service Providers, it is unclear that the provisions that apply to stored electronic communications would apply in a situation involving a government request for information from a site owner who is a direct party to the communication. Even if ECPA applies, the failure of the statutory framework to prevent America Online from disclosing information about a subscriber -- Tim McVeigh -- to the Navy shows that the law as to carriers must also be updated and strengthened.

    9 See Europe Presses Electronic Privacy, Will Rodger, ZDNET News Online, June 15, 1998.

    10 See generally, ACLU Special Report: Big Brother in the Wires: Wiretapping in the Digital Age, March 1998.

    11 See Surfer Beware and Surfer Beware II, Special Reports by the Electronic Privacy Information Center, Washington D.C. 1997, 1998 (concluding that few sites online provide notice to users about their privacy practices, that notice alone provides little genuine protection to users, and that the ambiguity of notice often renders it meaningless to users).