|July 6, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
14th Street and Constitution Ave, N.W., Room 4898
Washington, D.C. 20230
Re: Elements of Effective Self Regulation for the Protection of Privacy and
Questions Related to Online Privacy
The American Civil Liberties Union (ACLU) respectfully submits comments to the National
Telecommunications and Information Administration (NTIA) in response to the Notice and
Request for Public Comment in the above referenced matter. We have provided a brief
section that outlines our general position on the protection of privacy online, which is
followed by our responses to the questions posed by the NTIA Notice.
I. Introduction and Background:
The revolutionary pace with which our communications infrastructures have grown,
and the ever increasing digitization of information have truly made global access to
intelligence easier and more efficient. However, the enormous advantages provided by
electronic networking also present unprecedented threats to personal security and privacy.
Unlike any other time in our history, it is now readily possible to gather, link and sell
information about organizations and governments, and to compile profiles of millions of
individuals that include their most sensitive and personal data.
The ACLU believes that the privacy of an individual is directly affected by the
collection, maintenance, use and dissemination of personal information by government
agencies and the private sector. Every day millions of people give away private data --
from information about medical conditions, home addresses, mortgage borrowing, stock
purchases, household incomes and social security numbers -- often providing such facts
without understanding the consequences until it is too late. Without sufficient
safeguarding of such information, we are all vulnerable to unwarranted, annoying and
potentially dangerous snooping -- by governments, businesses, nosy neighbors and thieves.
The ACLU believes that there must be a safety net for the most sensitive information and
vulnerable populations -- and that safety net must include remedies for the violation of
Today, a simple trip to the grocery store can unwittingly make a consumer vulnerable to
snooping. Many stores now offer "discount club" membership programs that provide
shoppers with new bonuses for their purchases if they provide their names and other
information. The shopper in turn receives an identification card with a computer bar code
that they present each time they make a purchase to receive a discount. While this
practice seems innocuous enough, under some of these programs, each item the consumer
purchases is recorded and stored online and is attributable to the purchaser. This
information could include not only the brand of orange juice or cereal purchased, but the
type of contraception the shopper uses. Although such information is arguably gathered for
"marketing purposes," the buying and selling of computerized consumer data as a
valuable commodity leaves open the possibility that such information can be purchased and
linked to other databases with great ease. The following section briefly describes current
uses of linked databases and the threats to individuals posed by such practices.
II. Linking of Information is Not Just a Virtual Reality
Thousands of online databases now provide ready access to revealing personal
information about ordinary people, either through privately owned dial-up services or via
the Internet.1 These databases cover information ranging from
tax records to arrest records, home addresses and telephone numbers. Moreover, many sites
that provide personal information tout the ability to provide virtually any information.
For example, one site we examined states that users can obtain information on a subject
based on any of the following databases2:
||International Bank Accounts
|Auto Ownership by Name
||Personal Bank Accounts
|Auto Ownership by Tag #
||Personal Stock Holdings
|Auto Ownership by VIN #
||Phone Number to Name & Address
|Brokerage House Search
||Personal Address from P.O. Box
|Business Analysis Report
|Business Bank Account Search
|Business Credit Report
||Real Property Search
|Cellular Phone # to Address
||Skip Trace with SSN
|Complete Background Check
||Skip Trace without SSN
|Creditors of an Individual
||Social Security Number Search
|Criminal Records Search
||UCC, Lien, Mortgage Search
|Death Master Index Search
||Unpublished Phone Number
|Executive Business Relationships
|Identify Social Security Number
|Individual Credit Report
|Individual Driving Record
||Cellular Toll Calls
Another similar site claims that it can create personal profiles of individuals using
cross-referenced databases. "Background checks can be used by companies or
individuals and are commonly used to verify and reveal information about employment
applicants, nannies, someone your dating, or if your just "unsure" about a
certain person. This report can return complete background information on an individual by
providing information from a multitude of sources including credit bureau headers, voter
registrations, assessor records, civil court filings, bankruptcy filings, vehicle
registrations, property ownership, drivers license files, corporate filings, telephone
white pages, mailing lists and many more.3" Moreover,
many traditional information companies such as Lexis-Nexis, a division of Reed Elsevier
PLC, have offered access to controversial databases with information on real estate
ownership, auto registration and voting records.4
Some recently publicized abuses of information highlight the dangers of poor
This year, after the Massachusetts Attorney General filed suit against tobacco
manufacturers for reimbursement for tobacco-related health care costs, defendants in the
suit sought access to the state database containing medical data on Medicaid patients.
However, the Massachusetts state medical database not only includes information about
Medicaid patients, but includes detailed information about every hospital visit by every
individual in the state. It also contains other sensitive information -- all in one
database. Previously, the state had defended the creation of the huge database saying that
it could limit the inspection of such records and ensure confidentiality despite public
outcry against its creation -- now portions of that database are being turned over in
In April 1997, the IRS announced that it had fired 23 employees and disciplined 349
others for using their computers to browse through tax returns of countless Americans.
Similarly, in 1995, a former IRS employee who was a member of the Ku Klux Klan was
convicted of improper use of computers after it was learned that he had gained
unauthorized access to tax returns. The individual had reportedly bragged to a fellow Klan
member that he could use his access to data to "build dossiers on people."
In 1996, ten current and former SSA employees were arrested for accepting bribes from a
credit fraud ring in the business of selling mothers' maiden names to activate
fraudulently obtained credit cards.
In April 1997, the Social Security Administration was forced to shut down its web site
after reports that it may have provided unauthorized access to information about
individuals' personal income and retirement benefits on the Internet. While the agency
denied that it had received any claims of fraud that stemmed from the availability of such
information on their site, many victims of credit card crimes or other fraud are unaware
of how their information is obtained by thieves -- thus, there is no way to verify who
obtained information or about whom they did from the site.
Earlier this year, Navy Senior Chief Petty Officer Timothy R. McVeigh (no relation to
the Oklahoma City bomber) won a law suit against Naval investigators for obtaining
confidential information about him illegally from his Internet Service Provider, America
Online (AOL). The Navy sought to discharge the highly decorated officer from service for
allegedly violating the military's "Don't ask, don't tell" policy by listing his
marital status as "gay" on his civilian Internet user profile. Despite the legal
victory, McVeigh suffered tremendous public scrutiny of his private life and has stated
that AOL's disclosure had ruined his career.
These are merely a few instances of privacy problems involving sensitive medical, social
security, credit and other personal information that have received public attention. The
possibility of countless other violations is very real and that the current privacy
protections are simply not working. We believe that these problems will only continue to
proliferate as digitization of information continues to grow unless there is a safety net
for such information.
III. Self Regulation Is Not Enough
Despite the severity of these threats, American privacy protections have not kept
pace with the information revolution. To date, the Administration and industry have relied
on the "promise of self regulation" in the digital environment despite
consistent disapproval by the public and privacy advocates. Even the questions posed by
this Notice presume that self-regulatory measures are still the only measures under
serious consideration by the Clinton Administration.
We recognize that there are advantages to self regulation. From a business perspective
such self regulatory initiatives are financially appealing and require less expenditure of
time and resources, and there are some public education benefits where such initiatives
promote awareness and provide clearly articulated and user friendly information. However,
we remain unconvinced that self-regulation alone can provide an acceptable answer. We
believe that the single most important issues raised by the Notice were relegated to the
last question. Question 14 addresses where the appropriate balance lies between the
freedom of information and privacy. This question should have been the starting point for
the discussion of privacy online for the purpose of this proceeding. It states:
14. The Administration's A Framework for Global Electronic Commerce cites the need to
strike a balance between freedom of information values and individual privacy concerns.
Please comment on the appropriate point at which that balance might be struck. What is the
responsibility of businesses, organizations or webpages to protect individual privacy? To
what extent do these parties have a right to collect and use information to further their
commercial interests? To what extent is it the individual's responsibility to protect his
or her privacy?
Clearly, this proceeding and the ongoing discussions about how to protect privacy of
individuals needs to maintain the balance between the right to gather and disseminate
information -- the right to free speech, and the importance of preserving confidentiality
of sensitive information-- the right of privacy. We support the right of individuals to
disclose and others to gather information that is consentually given in exchange for a
benefit, but we also believe government must provide a base line of protection for private
information. (Indeed, there may be less need for government involvement where the
information disclosed is less sensitive or has a restricted use for a stated purpose.)
We believe that the proper balance should allow for the collection of information from
users who provide their information knowingly and voluntarily. Businesses and web site
owners have a responsibility to users from whom they solicit and receive personal
information. Even where users knowingly share personal information for a benefit they
should still have rights to control against its use or abuse. Certain types of information
are so sensitive, that site owners or businesses should have no right to share it with
third parties without an affirmative grant of authority. For example, Social Security
Numbers and medical information should always be non-transferable by recipients of such
information unless specific consent is given. Businesses and site owners must also be
responsible for safeguarding any information that they collect so that it is secure,
accurate and not used for secondary purposes without consent.
We believe that the following principles must be incorporated into legislation:
- Personal information should never be collected or given out without knowledge and
permission by the subject of such information. The most sensitive personal information,
such as Security Numbers, should be non-transferable without notification or express
affirmative consent and the circumstances under which it can be collected must be limited.
- Federal and state government may not acquire information that is collected by the
private sector. Moreover, individuals who are the subject of improper government browsing
of data should be provided notice and redress.
- There must be no intermingling of government and private sector collected data for the
creation of membership or identification cards -- e.g. smart cards -- which include
private information and government issued driver's license numbers.
- Organizations must inform users as to why they are collecting personally identifiable
information and they may not reuse such information for any purpose other than the stated
reason for which they receive user permission. Information may only be reused if the
individual provides affirmative consent to the new use.
- Information that is collected with permission must be secure from intrusion and
unauthorized browsing. Any information that is no longer being used for the stated purpose
for which it is sought should not be retained.
- Users who provide consent to collection of information must have the right to examine,
copy, and correct their own personal information.
- Government restrictions on the development and use of strong encryption programs to
secure online information and communications must be removed. Such utilities must be
widely available to provide security against government and third party abuse of
- These principles should be enforceable by law. And no service, benefit or transaction
should be conditioned on a user's waiving of her privacy rights.
Without a safety net for individual privacy the damage that may ensue from improper
disclosure of information may wreck financial havoc, cause the loss of employment or
inflict tremendous emotional harm on individuals. These harms may be irreparable. Thus, to
the extent that information is to be collected from individuals, we seek to ensure that
the public understands what may happen if they choose to reveal information and what they
can do in the event of misuse or inaccuracies that may be damaging.
While we believe that self regulation is beneficial to the extent that it helps raise
awareness by users and to protect information that is not sensitive or personally
identifiable, we believe that the it is not enough for the following reasons:
- Self regulation has not been widely embraced
By the Federal Trade Commission's own statistics in the June 1998 Report to Congress,
self regulatory practices have been implemented by a minuscule number of sites. The report
generally concluded that privacy protection is simply not occurring. It states:
"The Commission's survey of over 1,400 Web sites reveals that industry's efforts
to encourage voluntary adoption of the most basic fair information practice principle --
notice -- have fallen far short of what is needed to protect consumers. The Commission's
survey shows that the vast majority of Web sites -- upward of 85% -- collect personal
information from consumers. Few of the sites -- only 14% in the Commission's random sample
of commercial Web sites -- provide any notice with respect to their information practices,
and fewer still -- approximately 2% -- provide notice by means of a comprehensive privacy
policy....The Commission's examination of industry guidelines and actual online practices
reveals that effective industry self-regulation with respect to the online collection,
use, and dissemination of personal information has not yet taken hold."
The FTC Report further confirms the ACLU position that the failure to implement true
privacy protection will have a profound impact on the growth of the digital environment.
It states, the "[d]evelopment of the online marketplace is at a critical juncture. If
growing consumer concerns about online privacy are not addressed, electronic commerce will
not reach its full potential. To date, industry has had only limited success in
implementing fair information practices and adopting self-regulatory regimes with respect
to the online collection, use, and dissemination of personal information."
Additionally, as part of our comments submitted herewith, the ACLU has conducted a
survey of more than a dozen of the most highly rated financially oriented web sites that
gather private information from users which supports our conclusion that self regulation
alone is insufficient. Despite the small number of sites surveyed, we believe our findings
provide a useful demonstration of current practices by some of the most highly trafficked
sites on the web. Moreover, the ACLU survey specifically focused our search to include
some of the best rated financially oriented sites -- which gather highly sensitive user
data -- and therefore should ideally engage in the strongest privacy protection practices.
Instead, our survey found that in the few instances where sites provide privacy policies
or provide notice about their information collection practices, there is little user
choice about how the information will be used, how individuals can obtain access to such
information and whether there is any recourse for abuse of the information. Given the
nature of our study, the ACLU is alarmed by the lack of attention paid by industry.
- Self Regulation Does Not Provide Users With Mechanisms for Private Redress or Government
Privacy policies that explain the information practices of sites that collect sensitive
information are often not provided. Even where they do provide some type of notice to
users, this alone is not an effective protection. Users should be informed how they can
seek redress where there is a failure to protect their data -- by a government agency and
directly from the site owner. There is little incentive in a free market setting to
provide genuine accountability to the user. Even where penalties are imposed by self
auditing programs -- these penalties may effect the site's accreditation -- but there is
no recourse available to an aggrieved user. For example, in the ACLU survey of privacy
policies of top rated financial sites, one site out of the 14 reviewed uses the TRUSTe
self- auditing mechanism. However, the site disclaims any liability "for any breach
of security or for any actions of third parties which receive information." None of
the sites we surveyed provided anything beyond an e-mail address for complaints or
questions about privacy protections and half of the sites do not provide even an e-mail
address or a general privacy information.
For a detailed discussion of accountability mechanisms, enforcement, consumer recourse,
verification and consequences see the ACLU response to Question 6 of the NTIA Notice
- Self Regulation Does Not Offer Genuine Safeguards for the Sensitive Data
Some forms of data, such as medical records and financial information are so sensitive
that the failure to protect it can have devastating and irreparable effects. While we
believe that government oversight is necessary to ensure that all sites implement privacy
protections are implemented and not merely advertised, we believe that the level of
regulation should depend on the nature of the information collected.
- The Current State of the Law Discourages Self Regulation
Many site owners are reluctant to even provide notice about fair information practices
and how they use or reuse information not only but because in the current regulatory
environment there is no requirement that they do so but because establishing a providing a
may subject the owner to liability if such information is deemed misleading by the FTC.6 A site with no notice on the other hand would not be subject to
review under the current regulatory scheme even if they engaged in harmful practices such
as reselling an individual's data without disclosure or gaining consent. The FTC Report on
Privacy Online to Congress, June 1998, acknowledges the agency's limited authority over
the implementation of fair information practices currently. It states:
"The federal government currently has limited authority over the collection and
dissemination of personal data collected online. The Federal Trade Commission Act (the
"FTC Act" or "Act")(161) prohibits unfair and deceptive practices in
and affecting commerce. The Act authorizes the Commission to seek injunctive and other
equitable relief, including redress, for violations of the Act, and provides a basis for
government enforcement of certain fair information practices. For instance, failure to
comply with stated information practices may constitute a deceptive practice in certain
circumstances, and the Commission would have authority to pursue the remedies available
under the Act for such violations. Furthermore, in certain circumstances, information
practices may be inherently deceptive or unfair, regardless of whether the entity has
publicly adopted any fair information practice policies. ... However, as a general matter,
the Commission lacks authority to require firms to adopt information practice
- The Public Wants Government Oversight of Private Collection Practices
The American public has made it clear that they want government intervention to ensure
privacy. Recent studies have repeatedly documented that the number one concern of online
users is privacy.7 These studies have found that most users of
the Internet are afraid to engage in commercial transactions or provide any personally
identifiable information because they do not know how such information would be used. Such
fear results not only in commercial harms for businesses looking to provide services
online, but also has a serious implication on individual's first amendment rights. For
example, a user seeking information from a controversial site may be reluctant to get such
information or even browse a particular site for fear that they cannot do so anonymously
and that information about their inquiries or membership at a particular site will not
remain confidential. An analogous case in point occurred earlier this year, when
Independent Counsel Kenneth Starr, who is investigating President Bill Clinton for
potential criminal wrong-doing, subpoenaed information from local bookstores about the
book purchases of a potential witness -- Monica Lewinsky. Could the next subpoena be
for the list of web sites an Internet user has registered with or browsed?8
- Self Regulation Has Been Rejected By the International Community
Moreover, as the effective date of the European Privacy Directive approaches this
October, the failure of the U.S. to offer meaningful safeguards to personal information
may have a devastating impact on commerce in the electronic world. Members of the EU have
announced that they will target American e-commerce companies for legal action if they
fail to guarantee confidentiality of personal data that is processed in the United States.9 While (large) companies could potentially sign contracts with
individual EU countries guaranteeing that they will comply with the relevant national laws
and provide necessary audits on information gathered about citizens of the member country,
that could mean that users outside of the U.S. would be entitled to stronger protection by
industry than domestic users. Smaller businesses with online sites could face tremendous
difficulty in ensuring that they are not violating fair information laws abroad since it
is virtually impossible to accurately determine the geographic location of a particular
user. Thus, while the EU Privacy Directive may not be the best solution from the U.S.
perspective, a legislative enactment should strive to find a more common solution.
IV. Protection Should Be Comprehensive For All Users
While the FTC Report to Congress is critical of information collection practices today,
the report generally concludes that legislation aimed at preventing the collection of
information from children must be the first issue to be addressed by the legislature. We
commend the FTC's recognition that many unfair practices and potentially dangerous
transactions are occurring as a result of collection of private information online and we
recognize the significance of ensuring that information about children is not abused by
third parties. However, the ACLU believes that any legislation or regulation to provide a
safety net for information must be comprehensive to include all online users and must
include baseline principles written into law. We agree that there is an important interest
in protecting children, but remain unconvinced that a solution that limits all collection
of personally identifiable information from minors, regardless of the nature of the site,
the information sought, and the purposes for which it is sought.
The FTC proposal on children's privacy also makes no distinction between the nature of
the information sought from minors and the purposes for which it is sought.
For example, by requiring all site owners who obtain information from minors to get
parental consent prior to collecting the information, the proposal makes no distinction
between direct marketing sites and sites that collect general registration information for
educational issues. In addition, such a proposal may restrict the ability of minors to
seek information from sites that they are afraid to get parental consent to join, such as
sites that provide resources, electronic mailing lists or newsletters on safer sex, gay
and lesbian support information. Moreover, minors who do not receive parental consent
because their parents do not have Internet access or because they are unavailable may be
denied the ability to receive information that they have a constitutional right to. Thus,
we believe that the proposal does not just limit the collection of information for direct
marketing purposes from minors but may also impair the ability of minors to receive
constitutionally protected information.
Moreover, we believe that the FTC's recommendations for protection of children's
privacy online -- that would require site owners to obtain parental consent prior to
disclosing any information -- including their e-mail addresses -- would be impossible to
verify. As the Supreme Court noted in Reno v. ACLU, there is no way to verify the
identity, age or geographic users online. 138 L. Ed. 2d at 888. As the Court noted, and as
is still true today, most sites are not financially or technically capable of providing
screening measures such as requiring proof of age.
The following section provides brief comments by the ACLU to the questions posed by the
NTIA in the Notice and Comment. However, the NTIA Notice has asked questions based
exclusively on the premise that self regulatory mechanisms should be enacted. While we
believe that self regulatory mechanisms may be advantageous in some cases, we are
committed to our belief that self regulation alone is wholly insufficient and that a
regulatory or statutory framework is essential to ensure accountability to the American
The discussion paper sets out nine specific characteristics of effective self
regulation for privacy: awareness, choice, data security, data integrity, consumer access,
accountability, consumer recourse, verification and consequences. Which of the individual
elements set out in the draft discussion paper do you believe are necessary for self
regulation to protect privacy? To what extent is each element necessary for effective self
regulation? What are the impediments and costs involved in fulfilling each element of a
self regulatory scheme? What are the competing interests in providing each element? How
would the inclusion of each element affect larger, medium sized, and smaller companies?
What advantages or disadvantages does each element hold for consumers? What are the
challenges faced by companies in providing each element? How do these challenges depend
upon the size and nature of the business?
While the ACLU believes that self regulatory measures cannot successfully protect
individual privacy, we encourage the use of each of the nine factors set out in the
discussion papers for the implementation of a legislative or regulatory privacy safety
net. By providing a legal framework for the adoption of these principles instead of
relying on self regulatory measures alone, we believe there will be greater consistency in
what users are told and that there will be greater incentive for sites that collect
information to take measures to protect privacy.
We have provided a brief explanation of the factors below:
- Awareness. We agree that consumers need to know the identity of the collector of
their personal information, the intended uses of the information, and the means by which
they may limit its disclosure. However, we do not believe that notice of who is collecting
the information is sufficient. We believe that where personally identifiable information
is collected, users should be provided with a clearly articulated explanation of the site
collects, uses, and protects data, and the choices they offer consumers to exercise rights
in their personal information should be posted in a highly visible manner that is
accessible before a user is required to disclose any information. On the basis of such
information, users should be free to make decisions about what information they will
provide and what limitations they will place on the use of their data. These policies
should include a clear explanation about why the information is gathered, how the
information will be protected, whether users must disclose information in order to enjoy
use of the site. The policies must also clearly articulate whether users will have access
to information that is gathered about them, how they can gain access and modify, delete or
update information that a site has collected.
- Notification of Uses: privacy procedures and data collection should also explain
whether the data will be shared by third parties or used for any purposes other than the
stated purpose. If indeed information will be used for incompatible purposes or by other
parties, users must be asked for permission.
- Choice: Consumers should be given the opportunity to exercise choice with respect
to whether and how their personal information is used, either by businesses with whom they
have direct contact or by third parties. Consumers must be provided with simple, readily
visible, available, and affordable mechanisms--whether through technological means or
otherwise--to exercise this option. We believe that the best approach is to allow users to
opt-in if they consent to third party sharing of their information or other secondary uses
of the data.
- Data Security. Companies creating, maintaining, using or disseminating records of
identifiable personal information must take reasonable measures to assure its reliability
for its intended use and must take reasonable precautions to protect it from loss, misuse,
alteration or destruction. Companies should also strive to assure that the level of
protection extended by third parties to whom they transfer personal information is at a
level comparable to its own. Such measures should include the use of security programs
such as encryption or anonymous or pseudonymous use of the site. (See ACLU response to
Question 3 below).
- Data Integrity. Companies should keep only personal data relevant for the
purposes for which it has been gathered, consistent with the principles of awareness and
choice. To the extent necessary for those purposes, the data should be accurate, complete,
and current. Data should not be retained any longer than necessary.
- Consumer Access. Consumers should have the opportunity for reasonable,
appropriate access to information about them that a company holds, and be able to correct
or amend that information when necessary. Consumers should not have to pay to receive
access to their information.
For a discussion of accountability mechanisms, enforcement, consumer recourse,
verification and consequences see our response to Question 6.
The draft discussion paper notes that individual industry sectors will need to develop
their own methods of providing the necessary requirements of self regulation. How might
companies and/or industry sectors implement each of the elements for self regulation?
While the ACLU believes that self regulatory methods alone have not been successful and
that such mechanisms cannot ensure accountability or appropriate oversight, we believe
that tools such as self-audit programs may be of help for sites to educate their users
about the protections they offer. Such mechanisms may be used by sites that collect less
sensitive information from users. For example, the TRUSTe Privacy Program, which is a
self-audit program that is used by some sites, provides an online "seal" or
that display trustmark have formally agreed to adhere to the TRUSTe privacy principles,
and to disclose their information gathering and dissemination practices. These companies
must disclose to Truste auditors what information they gather, how the information will be
used, and who they share information with.
Thus, we believe that self-auditing measures may be useful in areas where less
government regulation is required because there is limited collection and use of data.
However, these mechanisms should not be relied on where sites collect sensitive
information, such as medical or financial data, there should be greater governmental
oversight and accountability by the site owners.
Please submit examples of existing privacy policies. In what ways do they effectively
address concerns about privacy in the information to which they apply? In what ways do
To illustrate the varied approaches used by commercial sites that gather information
online, the ACLU surveyed certain sites that were included in a section of PC World
Magazine's 1998 "Best Web Sites." The 19 sites the ACLU reviewed were ranked by
PC World Magazine as providing the top "investment tools and advice" and best
"online trading" for consumers. The ACLU chose to evaluate this section of PC
World's "top sites" since they involve the exchange of personally identifiable
information that may include financial and personal data, which we believe are the types
of information that should receive the strongest protections. We reviewed the privacy
protections afforded at each site using the criteria provided in the Discussion Draft that
accompanied the NTIA Notice. We have provided an explanation and summary below.
Factors Analyzed and Summary of Results:
- Collection of Personally Identifiable Information - what types of data are collected at
All of the sites collect personally identifiable information, including name, address,
telephone number. Some sites requested the user's income, estimate of total financial
investment value, type of investment, credit card information and Social Security Number.
NTIA Notice for this proceeding provided a basic definition of what privacy policies
should include. The discussion papers states that "privacy policies articulate the
manner in which a company, collects, uses, and protects data, and the choices they offer
to consumers to exercise in their personal information.
Of the 19 sites we reviewed more than one half -- eleven of the sites neglect to
was no uniformity among sites that provided policies and not all of the policies provided
users the ability to opt-out restrict uses of their data as against third parties.
Two sites use the third party self-auditing service provided by TRUSTe to provide
public information about their information practices provide links to the TRUSTe site for
information about grievances.
- Notification: Are users provided with an explanation of the primary uses?
Seven sites provided an explanation of why information is gathered. One site states
that information is gathered for direct marketing purposes. The remaining sites offer no
explanation of why information is gathered.
- Choice: May users limit third party use?
One site permits users to opt-in if they would like to receive other information from
the site owner or from third parties.
Nine sites permit users to opt-out of receiving additional information from the site
owner or from third parties. One of these sites asks users who decline the reuse of their
information for their name, address, phone number and Social Security Number in order to
have their information removed.
Three sites state that information will only be used by the site owner.
Six sites provide no information on the use of data or user's ability to control their
- Data security: Do the site owners describe precautions to protect information from
loss, misuse, alteration or destruction?
One site provides a detailed explanation about mechanisms used to safeguard
Thirteen sites provide no information on how information is stored after it is
- Data integrity and consumer access were considered together to determine if users have
an opportunity for reasonable, appropriate access to information about them.
Twelve sites permit some degree of user access to their profiles. Six provide no
explanation about how users can change their information.
- Accountability: is there any statement that companies will be accountable for
compliance with their policies?
The eight sites that provide privacy policies also provide e-mail contact information
for general questions.
Only one site states what remedies are available under the applicable laws. No sites
explain how they were accountable in the event of a breach of security.
Three sites explicitly disclaim any liability for breach of security or abuse of
information by third parties.
4. Are elements or enforcement mechanisms other than those identified in the draft
discussion paper necessary for effective self regulation for privacy protection? If so,
what are they? How might they be implemented? In addition to the fair information
practices and enforcement mechanisms stated in the discussion draft, are there other
privacy protections or rights essential to privacy protection?
There Is No Privacy Without Appropriate Security -- Privacy and security are
inexorably linked in online transactions. One of the most important elements for privacy
protection has been omitted in the discussion draft, that is the use of cryptography.
Cryptography is essential as a security measure whenever sensitive information is gathered
or whenever a commercial transactions are conducted online. We believe that the widespread
use and availability of cryptographic programs will ensure greater data integrity and user
confidence by making unauthorized uses or prying far less likely. Through the use of
cryptography, communications and information stored and transmitted by computers can be
protected against third party interception.
As the district court in ACLU v. Reno recognized, electronic messages sent over the
Internet are not "'sealed' or secure, and can be accessed or viewed on intermediate
computers between the sender and the recipient (unless the message is encrypted )."
929 F. Supp. at 834 (emphasis added). Similarly, the district court in American Library
Association v. Pataki lamented the insecurity of electronic communications via the
Internet relative to communications via U.S. mail, noting that "[w]hile first class
letters are sealed, e-mail communications are more easily intercepted." American
Library Association v. Pataki, 969 F. Supp. 160, 165 (S.D.N.Y. 1997). That court went on
to note that "[c]oncerns about the relatively easy accessibility of e-mail
communications have led bar associations in some states to require that lawyers encrypt
sensitive e-mail messages in order to protect client confidentiality." Id. Thus,
encryption enhances the privacy of communications that may otherwise not be secure or
Cryptography provides an envelope, seal and signature for otherwise unprotected
electronic communications.10 It accomplishes four essential
tasks necessary to both business and individual privacy:
- ensuring the integrity of data. Cryptography can detect deliberate or accidental
alterations in digital messages.
- authentication of users. Cryptography can establish and verify the identify of a
party to a communication.
- nonrepudiation. Cryptography protects against impersonation and denial of creation
by making it more difficult (if not impossible depending on the strength of the encryption
used) for a party to a communication to later deny that he or she sent it.
- preservation of confidentiality. Cryptography can protect against others gaining
access to private communications.
Communications conducted via electronic mail and electronic fund transfers that take
place during any online commercial transaction require secure means of encryption and
authentication. Without readily-available encryption software, however, electronic
communications can be easily intercepted, and data intended to be private may be rendered
vulnerable to exposure. We believe that the Commerce Department must encourage wide
availability of cryptographic technology and that the development and use of cryptography
must be unencumbered by government regulation. Hence, the ACLU concludes that
implementation of online privacy protections must include a removal of the Commerce
Department's encryption licensing rules.
A second factor which will greatly enhance the protection of user privacy is the
allowance and encouraged use of "anonymous browsing" on the Internet. By
allowing users to make purchases or browse using digital cash or digital pseudonyms, sites
could reduce the amount of personally identifiable information that is gathered
unnecessarily. Moreover, by incorporating digital cash payment schemes or allowing users
to register at a site with a pseudonym, user concerns about interception of credit card
information or other sensitive material would be greatly enhanced. The Commerce Department
should seek to promote awareness about anonymity and encourage the development of digital
cash payment mechanisms.
Thus, we conclude that the use of technological solutions including encryption programs
and programs to enhance anonymous use of online services are critical elements to ensuring
online privacy. These tools are of minimal cost to sites and should be a requirement of
any privacy protection scheme.
5. Should consumer limitations on how a company uses data be imposed on any other
company to which the consumer's information is transferred or sold? How should such
limitations be imposed and enforced?
Clearly there is some information that individuals may wish to give up in exchange
for some benefit -- in such cases, users should be free to waive limitations if they
provide consent and they are clearly informed about how their data will be used.
Generally, there is no doubt that consumer limitations on how information is used must be
respected by recipients of such information -- be they direct recipients or purchasers of
the data. Without an extension of consumer limitations of information use to non-parties
to the original agreement any regulation would be rendered meaningless. Thus, as with any
other transfer of obligations during a commercial negotiation or transaction, any rights
or remedies an individual has against the original recipient of personally identifiable
data must be applicable to third parties that acquire such information.
More importantly, in some cases there should be no right for companies to transfer
sensitive information such as Social Security Numbers or medical information without
obtaining express consent from the individual and full disclosure of the identity of
recipient's of the information, including subsidiary companies. While consent should be
sufficient for less sensitive information, the risk of abuse of sensitive information is
so great that there should be further legal protection for certain types of information.
Any privacy protection safety net must also provide remedies for the transfer of sensitive
or less sensitive information without consent. These remedies must provide for consumer
redress and for government action.
6. Please comment specifically on the elements set out in the draft discussion paper
that deal with enforcement (verification, recourse, and consequences) and suggest ways in
which companies and industry sectors might implement these. What existing systems and/or
organizations might serve as models for consumer recourse mechanisms, and explain why they
might or might not be effective? Would a combination of elements from existing systems
and/or organizations be effective? How might verification be accomplished? What would
constitute adequate verification, i.e., in what instances would third-party verification
or auditing be necessary, and in what cases would something such as self certification or
assertions that one is "audit-ready" suffice? What criteria should be considered
to determine the kind of verification that would be appropriate for a company or sector?
What constitutes "reasonable access?" What are the costs/impediments involved in
providing access? What criteria should be considered to determine "reasonable
access" to information for a company or sector?
In order to create effective verification, recourse and consequences for misuse of
personally identifiable data there must be oversight by the government beyond the private
verification remedies suggested by proponents of self regulation. The ACLU believes that
legislation designed to be a safety net for privacy protection should include the
- Users must be notified when there is a breach in privacy;
- Users must be allowed to limit the use of information by requiring that sites obtain
consent prior to collecting data;
- Users must be provided with the opportunity to review information that is maintained
about them and correct, delete or modify the information;
- Third party verification may be necessary depending on the nature of the information
that is obtained, e.g., medical information or financial information collection would be
subject to a higher standard of verification than a site that merely acquires an e-mail
- All sites that gather personally identifiable information will be subject to regulation
and must be prepared for outside review of their procedures. There should be greater
government oversight and stricter reporting requirements on companies, World Wide Web
sites and government agencies that collect sensitive information.
- Because the consequences that may result from improper disclosure may have a devastating
impact on an individual, damages should not be conditioned on proof of intentional or
willful violations of the law. Actual and statutory damages should be available to
aggrieved individuals as well as punitive damages where a breach of privacy is the result
of intentional or willful violations of the law.
- All individuals should be provided with the ability to review or modify information that
is obtained about them in a timely manner. Users must also be permitted to revoke consent
against continued storage of data about them. Reasonable access includes a timely response
that it free of charge to the individual. Failure to provide a timely response to a user's
request to her own information should provide administrative recourse.
Legislation must include the creation or extension of jurisdiction to an agency that
will provide oversight to the implementation and review of fair information practices.
Only through the appointment or creation of a body that will hold sites accountable will
users truly have the resources to gain recourse against violations of privacy. Thus,
individuals must have the right to petition an agency for both governmental and private
sector privacy violations.
7. In the section on consequences, the draft discussion paper states that
"sanctions should be stiff enough to be meaningful and swift enough to assure
consumers that their concerns are addressed in a timely fashion." Identify
appropriate consequences for companies that do not comply with fair information practices
that meet this goal, and explain why they would be effective.
The ACLU believes that individuals should have the ability to petition a government
agency charged with overseeing the implementation of privacy protection legislation or
regulation for redress and that they should have the right to seek statutory, actual or
punitive damages against sites that engage in unfair practices depending on the nature of
the compromised information or the breach of privacy. Financial sanctions should be
imposed on sites that fail to meet the minimum standards established by the law.
Congress should designate or establish a government body charged with enforcing fair
information practices. Such a body could either operate under the auspices of the Federal
Trade Commission through a Congressional extension of their authority, or by creating a
commission dedicated to privacy protection. Without such remedies, self-audit or third
party scrutiny or penalties are not sufficient to deter sites that profit from collecting
8. What is required to make privacy self regulation effective? Self-regulatory systems
usually entail specific requirements, e.g., professional/business registries, consumer
help resources, seals of accreditation from professional societies, auditing requirements.
What other elements/enforcement mechanisms might be useful to make privacy self regulation
effective? How have these enhanced or failed to enhance a self-regulation regime?
Self regulation alone has proven itself ineffective in the absence of a legal framework
that will ensure that claims about fair information practices are actually practiced and
not merely an advertising or media ploy. Certification and accreditation are helpful to
the extent that they provide a means of labeling that make it easier for consumers to make
choices, but such accreditation offers little comfort where no penalty or accountability
is enforceable by the individual.
Moreover, as discussed in Section III (1) above, self auditing requirements that are
voluntarily elected on businesses or organizations that collect information have not been
widely used. The Report to the Congress on Privacy Online by the Federal Trade Commission,
June 1998 states, only a small percentage of sites on the World Wide Web provide any
notice of their information collection. Even fewer provide comprehensive privacy policies.
As we have demonstrated through our own survey of top financial service and online trading
sites, even where privacy policies or notice are available, they provide the user with
little or no understanding of how information will be used, what third parties may be
given access to the data, how a user can verify such information or what recourse they
have for violation of any agreement.
12. What issues does the online environment raise for self regulation that are not
raised in traditional business environments? What characteristics of a self-regulatory
system in a traditional business environment may be difficult to duplicate online? Does
the online environment present special requirements for self regulation that are not
present in a traditional business environment? Does the traditional business environment
have special requirements that are not presented in the online environment? What are these
We believe that the nature of online communications and the ease with which information
can be collected, linked, cross-referenced and sold presents concerns that have not been
as critical in traditional environments. Moreover, our organizations do not believe that
traditional fair information practices are adequate. Privacy protection has simply failed
to keep the pace with emerging technologies, and current laws such as the Electronic
Communications Privacy Act, 18 U.S.C. 2510, et seq., do not cover all online
communications or provide sufficient relief.
13. What experiences have you encountered online in which privacy has been at issue? In
what instances has privacy appeared to be at risk? In what instances is it well protected?
In what ways have businesses or organizations been responsive to privacy concerns? How
difficult have you found it to protect your privacy online? What circumstances give rise
to good privacy protection in a traditional business setting or online?
The failure to protect privacy online is a widespread problem that has alarmed many
Internet users. As we have previously stated, Internet users are deeply concerned about
abuses of information and are often reluctant to engage in communications for fear of how
information may be used against them. In other instances, users have no understanding that
information that they are providing may be sold or reused by other parties. We believe
that the examples highlighted in our introductory section show the scope of the threats to
privacy, by government agencies, hackers and by parties that promise to maintain the
confidentiality of information.
Our survey of web sites also leads us to the conclusion that even where businesses have
elected to conduct self-audits or have posted privacy policies the only effect that such
efforts have is to provide notice to users about practices. However, we as many other
privacy organizations do not believe that notice alone is sufficient and that only by
providing individual redress can we ensure that companies will do more than claim they
engage in privacy protection. 11
The ACLU believes that circumstances that give rise to good protection in the online
world include: situations where transactions are secure through the use of encryption,
where individuals are not required to provide personally identifiable information or are
allowed to have access using a digital pseudonym or anonymously. These and other
technological solutions will tremendously reduce concerns about providing personal
information where it is necessary and reduce the need for sites to gather information
1See generally, Databases Online: What is Already
Known, They've Got Your Number, by Will Rodger, ZDNET News Online, December 9,
2 This information was found on the Cornerstone Information
Services World Wide Web Site, at http://www.cypac.com/mall1/cisinfo/cis-surv.html#otherinvest.
This Private Investigative agency is located in Austin, Texas and states that its services
include: "surveillance, information resources, witness locate, missing persons and
investigative services. Although the services provided are typical of private
investigatorial services, we use their web site to illustrate the variety of information
sources that can be used by any number of information brokers. We found this site by using
the search engine "Yahoo!" and conducting a search for "personal
3This information is from the website of "Fast Track"
investigative services, at Error! Hyperlink reference not valid..
4 See Databases Online: What is Already Known, They've Got Your
5 See Private Data, Public Worries, John Schwartz,
Washington Post, June 8, 1998, F24.
6The FTC contends that it would have jurisdiction over deceptive
statements about a sites privacy protection policies if such a statement were untrue
under section . On the other hand, where there is no statement about how the company uses
or protects information, there may be no claim because sites are not required by law to
provide such notice.
7 In March 1998, Business Week / Harris poll found that Americans
care deeply about privacy, and that the number one reason that people do not use the
Internet is because they are discouraged by the lack of privacy protections afforded
personal information and communications. The poll aslo found taht 53 percent of Americans
believe that legislation about how personal information is collected and used on the
Internet must be enhanced.
8 While the Electronic Communications Privacy Act, 18 USC 2510, et
seq., protect electronic communications such as electronic mail and information users
provide to Internet Service Providers, it is unclear that the provisions that apply to
stored electronic communications would apply in a situtation involving a government
request for information from a site owner who is a direct party to the communication. Even
if ECPA applies, the failure of the statutory framework to prevent America Online from
disclosing information about a subscriber -- Tim McVeigh from the Navy shows that the law
as to carriers must also be updated and strengthened.
9 See Europe Presses Electronic Privacy, Will Rodger, ZDNET
News Online, June 15, 1998.
10See generally, ACLU Special Report: Big Brother in the
Wires: Wiretapping in the Digital Age, March 1998.
11 See Surfer Beware and Surfer Beware II, Special
Reports by the Electronic Privacy Information Center, Washington D.C. 1997, 1998
(concluding that few sites online provide notice to users about their privacy practices,
that notice alone provides little genuine protection to users and that the ambiguety of
notice often renders it meaningless to users.)