|The purpose of the Advisory Committee on Online Access and Security ("ACOAS"
or the "Advisory Committee") is to give advice and recommendations to the
Federal Trade Commission ("FTC") concerning providing online consumers
reasonable access to personal information collected from and about them online. In
addition, the ACOAS was asked to provide advice on adequate security for such information.
In particular, the Charter of ACOAS directs that the Advisory Committee "will consider the parameters of reasonable access to personal information and adequate security and will present options for implementation of these information practices in a report to the Commission." (Charter of the Federal Trade Commission Advisory Committee on Online Access and Security "Charter," attached hereto as addendum A).
This is the final report of ACOAS. The Advisory Committee considered access and security as it relates to online information. Its work and recommendations should be seen strictly in the online world and not be seen as a road map for off-line records. A wide range of discussion was held in four formal meetings of ACOAS and in numerous subcommittee working groups not held in the presence of any official of the FTC. All substantive proposals have been made available to members of ACOAS and to members of the public by having been promptly placed on the FTC's Web site for ACOAS.
The work of the Committee was separated into four working groups which are reflected in the organization of the report. The first section identifies the scope and nature of access. The second identifies entities responsible for providing access. The third group discussed the online authentication that is or will be necessary to authenticate that the person is in fact the person to whom access or collection should be provided.
Finally, the Committee examined the options available to provide security of personal information on the 'Net.
The advice of this Advisory Committee and the options presented are in the context of implementation of fair information practices by commercial Web sites. This is what the Charter required. The Charter did not request suggestions for legislation or mandatory regulation. The options identified here are not intended to be recommendations for legislation or mandatory regulation. Rather, they are being presented as a range of options that have been identified by the Advisory Committee as ways to implement the fair information practice principles. Whether they should be implemented voluntarily, by industry self-regulation, or by legislation was not discussed.
Each option has some support from at least one committee member. In order for an option to be included, it did not have to be supported by a consensus or even a majority of members. Each option has a cost-benefit analysis that reflects the pros and cons of that option. In some cases, such as with the security recommendation, there is significant consensus.
Access to private sector records, in the view of some on the Advisory Committee, is not yet appropriate for legislative recommendation. Others on the Advisory Committee believe that there should be immediate legislative implementation of some of the options. It is, therefore, not possible for this Committee to reach a consensus on legislative recommendations.
To some, access to records is an important concept of its fair information practice principles to ensure accuracy. It is the way that individuals can ensure the accuracy of information held about them and provide a check on institutions from obtaining information unknown to the subject. To others, access should not be seen as a fundamental issue. In the online context, much of the data gathered by Websites will not be easily tied to individuals, and several of us would exclude that data from the access principle. In addition, much of the data that remains cannot be made available for correction or even examination without putting privacy at risk. The problems of liability for granting access to the wrong person and how to authenticate that the right person is getting the data have not been solved.
At the same time, there are some who believe that setting up an access system could be costly and that very few people will avail themselves of the ability to obtain access. Moreover, access could even expose confidential business methods and data to competitors. There are others who believe that the costs are justified and people will use their access rights. In addition, there will be no competitive issues if everyone does it.
The government, with the use of this Advisory Committee, is examining extending the principles of access including correction to private sector online entities. To some on the Advisory Committee, the options identified here should be further examined and tested and applied before they are enacted with the force of law. To others, these options, or at least some of them, provide a road map to legislative action.
The value of this report is that it reflects a review of the issues of access and security by a wide range of experts, practitioners, and advocates from all sides of the issue. It provides an analysis of the issues and an identification of options that hopefully will be helpful to the FTC in its continued efforts in privacy and the application of fair information practice principles. This report, however, should not be used to either support or oppose legislation or mandatory regulation.