FTC Advisory Committee on Online Access and Security Final Report - Second Draft 08 May 2000 Table of Contents FTC ADVISORY COMMITTEE ON ONLINE ACCESS AND SECURITY 1 INTRODUCTION 2 ONLINE ACCESS
3 SECURITY
4 OTHER CONSIDERATIONS NOT ADDRESSED
5 CHARTER OF THE FEDERAL TRADE COMMISSION ADVISORY COMMITTEE ON ONLINE ACCESS AND SECURITY 1 Introduction The purpose of the Advisory Committee on Online Access and Security ("ACOAS" or the "Advisory Committee") is to give advice and recommendations to the Federal Trade Commission ("FTC") concerning providing online consumers reasonable access to personal information collected from and about them by domestic commercial Web sites, and maintaining adequate security for that information. In particular, the Charter of ACOAS directs that the Advisory Committee "will consider the parameters of reasonable access to personal information and adequate security and will present options for implementation of these information practices in a report to the Commission." (Charter of the Federal Trade Commission Advisory Committee on Online Access and Security "Charter," attached hereto as addendum A). This is the final report of ACOAS. The Advisory Committee considered access and security as it relates to online information. The context of this committee's consideration was not to provide consensus definitions or options for legislation, mandatory regulation or self-regulation; nor is the report intended to replace more detailed and industry-specific initiatives in fields regulated by law, such as health care and financial services. Rather, the Advisory Committee here presents a range of definitions or options that have been identified as ways to implement Fair Information Practice principles of access and security. Except for security, no one definition or option represents a consensus of the members of the Advisory Committee. 2 Online Access "Access" to personal data is the first principle that the Committee addresses. As the Committee's deliberations revealed, this principle of the Fair Information Practices can be complicated - and controversial. This Section seeks to unpack the concept of access in a way that helps Web sites and policymakers understand the difficult questions that must be answered in fashioning an access policy. We first identify the questions that must be answered in defining access - does it mean only an ability to review the data or does it include authority to challenge, modify, or even delete information? We then ask "Access to what?" What is personal information for purposes of the access principle? Businesses gather a wide variety of data from many sources. Information is sometimes provided by the individual consumer and sometimes by a third party. At times it is inferred or derived by the business itself, using its own judgment or processes. And sometimes the data is imperfectly personalized - it relates to a computer that may or may not be used only by one person. How much of that data is covered by the access principle? Our third overarching question is "Who provides access?" Is it just the entity that gathered the data? Does it include its corporate affiliates and agents? Or every company to which the data may have been passed? The last of our ground clearing questions is "How easy should access be?" Should Web sites charge a fee to cover some or all of the cost of providing access? Is it fair to impose limits on multiple or duplicative access requests? How much effort is required to gain access? Having explored these questions, the Committee next lays out four illustrative options that show the many different ways in which the access principle could be implemented. The broadest option, Option 1, would give consumers "total access" - access to any information a commercial Web site may have about them. Under Option 2, consumer access becomes a default rule; personal information would be made accessible to consumers if the information were retrievable in the ordinary course of business. Option 3 takes the access decision case-by-case; and would not create a presumption for or against access but would take into account a variety of factors, including industry sector, the content, the data holder, the source, and the likely use of the information. The narrowest option, Option 4, entitled "access for correction," would provide access only to information that is used by the commercial Web site to grant or deny a significant benefit to the consumer, and then only if access is likely to produce an improvement in the accuracy of the information that justifies the costs. Finally, this section turns to an issue that links access and security - authentication. How does a Web site know it is providing access to the right person? Giving access to the wrong person could turn a privacy policy into an anti-privacy policy. The final section of this report examines the difficulties and possible solutions inherent in trying to authenticate requests for access to personal data. 2.1 What is Access? Commercial Web sites and their customers often have a common interest in making sure that customers are aware of the information that the Web site has collected about the consumer. To take one example, think of a Web site that receives an order from a new customer and within 24 hours is ready to ship. It is only prudent for the Web site to give the customer access to the shipping information, perhaps sending an email to say, "This is what we think you ordered and this is where we think you want it shipped." Both consumer and Web site have an interest in the accuracy that information, and sharing it with the consumer is a useful check on errors or fraud in the order process. The same interest in preventing errors may lead commercial Web sites to provide their customers with access to a wide variety of other personal information that the Web site has maintained about the customer. Similarly, banks and consumers both benefit from the transmission of detailed credit card statements each month. Among other things, providing an opportunity to review each transaction protects both parties against fraud. While there is broad agreement on this point, the issue of consumer access to personal information does not lend itself to consensus. For some, exceptions from the principle of access should be rare and narrow. They view access as a broad principle ensuring accountability and building trust. For others, it is the access principle itself that should be interpreted narrowly. They contend that the costs of access - in money, convenience, and privacy risks - are often too high, for businesses and consumers alike. This report cannot bridge the range of strong and honest opinions across the Committee about how and when Web sites should provide access to personal information. What it can do, and what we hope it does do, is illuminate ways of thinking about and talking about access so that even those who disagree profoundly can communicate in a common tongue. With that in mind, the Committee first turned to the question of defining access. What do we mean when we say that a consumer will have "access" to personal information in the hands of a commercial Web site? This question leads in turn to several different questions about how access may be defined. Type of Access. The first way of measuring access is to focus on the type of consumer access, which can be quite varied. The terms used by the Committee to convey the type of access included "view," "edit," and "delete" access. If "view" access is provided, consumers would be able to view or obtain a copy of the information. "Edit" access, in contrast, would allow consumers to correct, amend, challenge, or dispute information. (There are, of course, significant practical differences for both consumers and Web sites between allowing correction of data and allowing challenges to the data.) Finally, "delete" access would allow consumers to insist that particular information be removed from their file. The Committee did not agree on a single appropriate type of access for every situation. Instead, the type of access may vary between each access option put forth in following sections. The proper type of access will also be influenced by other considerations such as whether the Web site in question is the original source of the data and what kind of authentication the consumer supplies in order to obtain access. Means of Access. Access can also be provided through a variety of means. For example, information can be provided online, over the telephone, through the mail, or in person. In addition, information can be provided at the consumer's request, at regular intervals, in response to a specific event, or on some other schedule. Determining the most appropriate means of providing access is best done with due consideration to the usability for consumers, the authentication necessary to limit unauthorized access, the cost to businesses and consumers, and the security requirements surrounding the data. Ease of access. Ease of access will also vary depending on the circumstances. It will be influenced by how "usable" the access system may be for those without technical training, the form in which the information is presented, the availability of the access system, and the notice by which consumers are made aware of what information is available and how to access and correct this information. Easy to use access will be more meaningful to consumers. The cost of providing easy to use access systems is likewise a consideration. These costs may include the cost of creating and maintaining new or special capabilities to provide access, adding customer service staff to handle customer requests, additional security systems, and other costs. 2.2 What is Personal Information? Defining the term personal information is central to the task of considering various options for providing access. Over the course of its meetings and deliberations, the Committee discussed various approaches to defining the information that is made available for individuals to access. The discussion below examines several factors to be considered in defining the information available for access. Defining personal information is one factor in determining what data will be accessible to individuals. The scope of access will be further influenced by the access option chosen (section 2.5) and decisions about the appropriate points and means of access discussed below. "Fit"-- purely v. imperfectly personal data. Information is linked to individuals in various ways. Data can be tightly tied to a specific individual's name, address, and birth date. Data can be tied to a device such as the individual's telephone, browser, or computer in which case it may reflect the individual's activities and the activities of others who use the device. In such instances we are left with data that is both personal to an individual but perhaps not unique to the individual. The data collected in both cases may be used for nearly identical purposes, despite differences in its specificity. For example, information about an individual's use of a credit card may be used to determine the advertising inserts placed in their monthly billing statement, just as information about the actions of a computer browser may be used to determine the advertising placed on the next page the browser visits. Committee members expressed different opinions as to whether the definition of personal information should include imperfectly personal data in addition to purely personal data. The medium of collection: online v. offline. Information is collected from individuals through a variety of mediums. In both the "brick and mortar" and "click and mortar" worlds data is gathered from individuals through a variety of means. Members of the Committee expressed different opinions as to whether the scope of access should be limited to data collected online or should include all data regardless of what collection medium was used. The source of collection: individual v. third parties. Information about an individual can be collected directly from the individual or from third parties. A business may purchase information about its existing customers from another business or it can purchase a list containing information about individuals it would like to attract as customers, such as a mailing list. Similarly, a business may purchase census or other overlay data to enhance the information that it has collected about its own customers. Committee members expressed different opinions as to whether the scope of access should include all data regardless of its source or should be limited to data collected directly from the individual. The method of collection: passive v. active. Information is collected from individuals actively and passively. Information is actively solicited from the individual through the use of surveys, registration forms, and other solicitations. At other times data is gathered without the individual's explicit cooperation as in the collection of click stream data. This is commonly referred to as passive collection because the individual is not actively providing information. Passive collection is akin to monitoring. Members of the Committee expressed different opinions as to whether the scope of access should include all data collected or be limited to actively collected data. The type of data: factual v. inferred and derived data. Inferred or derived data is information that the business has not "collected" either passively or actively about the individual, but rather has inferred from observed behavior. It includes the assumptions or conclusions that a business makes about an individual, not the factual record of the individual's action or behavior. In this discussion, we have drawn a distinction between inferred data, which is based on information about a sample population, and derived data, which is based on information gathered from or about the individual subject. Committee members expressed different opinions as to whether the scope of access should include inferred and derived data or be limited to factual data. Advocates of providing access to inferred and derived data argue that it is used to make decisions about individuals and should therefore be available to individuals. Critics of providing access to such data argue that disclosing the assumptions a business makes about customers may both invite competitors to discover proprietary information and chill communications, such as candid opinions expressed about consumers by third parties or employees. 2.3 Who Provides Access? The Third-Party Issue Even after access has been defined, questions remain. In particular, who is to provide access to personal information? Information is mobile, especially on the Web. This is true for personal information as well. Take our order-fulfilling Web site from the last section. There may have been a time when businesses all had their own shipping departments, perhaps even their own delivery vans. Those days are mostly gone; the shipping information supplied by our Web site may have come from and gone to several third parties - such as credit card processors, fulfillment houses, and overnight delivery firms. How should the access principle take account of the movement of information from and to third parties? We identified three areas of particular salience. First, we dealt with the question of whether and how third parties should provide access. Second, we examined the centralization risk associated with expanding the access obligation to corporate affiliates. And third, we dealt with the question of providing "edit" access to information supplied by third parties. Upstream and Downstream Parties. If a Web site says that it provides access to personal information, the Web site itself is plainly covered by that promise. But should the assurance also bind third parties? There are at least two kinds of third parties involved in the access equation. These may be characterized as *upstream" third parties and "downstream" third parties. Upstream third parties are suppliers of information used by the Web site. Downstream third parties receive information from the Web site. (We will consider a third category in a minute). Upstream information is often purchased. A business may purchase information about its existing customers (a credit report, for example) or it may purchase information about individuals it would like to attract as customers (a mailing list, for example). Similarly, a business may purchase census or other overlay data to enhance the information that it has collected about its own customers. As discussed above, Committee members expressed different opinions about whether and how to provide access to such upstream information. Even if consumers receive access only to information gathered by the Web site, there remains the question of what to do about downstream third parties. Again, Committee members expressed different opinions about the extent to which those third parties should be expected to provide access. The Committee generally agreed that corporations should provide access to the data held by their agents in gathering or using the information (such as the fulfillment house in our Web sale example). However, beyond that point, opinion divided. Some members of the Committee thought that providing access to information in the hands of downstream third parties was unworkable and should not be attempted. Some argued that consumers could be protected if instead of access the Web site provided notice about all its information sharing. Others held that providing notice was unduly burdensome to consumers who will be less likely to be aware of the existence of such third parties, let alone how to contact those companies and exercise access. Still other members of the Committee believed that downstream parties should provide full access, although the type of access may vary in particular circumstances. Corporate Affiliates and the Risks of Centralization. The Committee recognizes that many companies that hold personal information are made up of a 'family' of businesses, each with a business (and therefore a data-driven) relationship with customers. Some Committee members believe that access should be granted across the corporate lines of affiliated companies, even if the information has not been directly traded from one entity to the other. This might be called the problem of "side-stream" third parties. In this context, concerns were raised that an obligation to provide consumer access across corporate lines might compel companies to create databases that gather all information into large central structures. Combining and centralizing previously separated databases might pose an increased threat to personal privacy. Centralizing and linking personal information is not a purpose of the access principle. Opponents of the most expansive interpretation of access argued that access should not be expanded to the point where it encouraged the creation of a new file or record on an individual. In response, it was noted that companies could provide central points to serve consumers access requests without actually centralizing the maintenance or storage of data can accommodate this. For example, parent companies could create a single point of access for consumer access requests, which would either transmit the requests to affiliates or provide information that would allow consumers to identify and make requests directly to the affiliates. Some questioned the workability of even this approach, saying that such a central point may be difficult to manage for companies that regularly acquire and divest subsidiaries. The Committee recognizes a second concern about providing a single point of access to all affiliates' information. It may increase the vulnerability of an individual's information to compromise - e.g., if bad actors can guess the password, they can get access to private information from one convenient location. Such a decision therefore must be accompanied by a risk assessment and installation of appropriate authentication and security. Third Parties and "Edit" Access. "Edit" access poses special problems in the context of third parties. Suppose that a Web site obtains information about a customer from a third party, adds it to its files, and shares the information with a downstream advertiser as well. Then suppose that the customer wishes to challenge or modify the data. Should the Web site simply make a note in its files or should it do something about the upstream and downstream third parties? There are many issues in this scenario, and we reached no conclusions. It recognized the desirability of correcting errors up and down the data stream. It also recognized that no company could know for sure where the data may have gone once it left the company's control. Some Committee members took the view that requests for "edit" access should always be directed to the authoritative source. For example, if the information is from a public source, a fair credit reporting agency, or other entity that is identified as the authoritative source of the data., then any efforts to challenge or correct the information should be directed to that source and not to downstream recipients of the data. 2.4 Cost of Access We discussed whether businesses should charge consumers for access. The possibilities discussed ranged from never charging a fee to always charging a fee. Businesses might charge a nominal fee commensurate with the type of data being accessed, the use of data being accessed, or the amount of data being accessed. The fee might also be based on the frequency of a user's access requests, or the nature of the access requests, for example a request for real time access might incur a fee where a request for delayed access might be free. Alternatively, the service provider could be free to charge any reasonable fee within specified limits. Charging a fee would allow businesses to recover at least some of the cost of providing access and would provide a means to shift the cost of providing access to those consumers who use access rather than passing it on to all consumers indirectly through higher prices. Experience suggests that many if not most consumers never seek access to their personal data. Fees might also provide a deterrent to frequent, nuisance or harassing access requests. Fees may limit the ability of consumers to access their information or lessen the attractiveness of accessing personal information. There was a wide range of opinion about when, if ever, an access fee should be charged. Some members of the Committee have argued there never be a charge to for reasonable access. Others thought any fee would be inappropriate where an adverse decision was based upon the information being accessed, but supported nominal fees, not greater than cost, in other cases. Still others contended that it was necessary to charge some fee to reflect what could be substantial access costs and to discourage frivolous (or even fraudulent) requests. 2.5 Access Options The broadest option, Option 1, would give consumers "total access" - access to any information a commercial Web site may have about them. Under Option 2, consumer access becomes a default rule; personal information would be made accessible to consumers if the information were retrievable in the ordinary course of business. Option 3 takes the access decision case-by-case; and would not create a presumption for or against access but would take into account a variety of factors, including industry sector, the content, the data holder, the source, and the likely use of the information. The narrowest option, Option 4, entitled "access for correction," would provide access only to information that is used by the commercial Web site to grant or deny a significant benefit to the consumer, and then only if access is likely to produce an improvement in the accuracy of the information that justifies the costs. 2.5.1 Access Option 1: Total Access Approach Commercial Web sites should provide access to all personal information regardless of medium, method, or source of collection, or the type of data in question. The "total access" option works from the presumption that consumers would benefit from having access to all their information in the possession of commercial Web sites. Under this option, no personal information would remain off-limits or confidential. Not only does this verify the accuracy of that data, it also places the consumer in the position of knowing how his or her personal information is collected and used. In keeping with the purpose of providing consumers as much access as possible, businesses would provide initial access for free, while charging for repetitive access requests or terminating access upon unduly repetitive access requests. The "total access" option would be interpreted to only apply to existing records. For example, off-line information possessed by a data collector but not yet linked or joined with online information would not be subject to access. In addition, creating more comprehensive records of individuals would not be done under the guise of establishing "total access". Such action could centralize even more personal information and that could pose a threat to personal privacy. Proponents would argue:
Opponents would argue:
2.5.2 Access Option 2: Default to Consumer Access Commercial Web sites should provide access to personal information that is retrievable in the ordinary course of business except in the narrow instance where it places an unreasonable burden on the Web site. The "default to consumer access" approach works from the presumption that consumers should have access to their personal information. The presumption of access is limited where considerations such as the privacy of another individual, the proprietary nature of certain information, or the cost of providing access outweighs the individual's interest in access. This approach is consistent with U.S. Federal statutes that provide access and correction, but may limit them due to other considerations. This approach recognizes that consumer access to personal information serves multiple purposes, including but not limited to ensuring accuracy. This approach seeks to promote openness and consumer awareness in the belief that they aid oversight and compliance and promote greater trust between businesses and their customers. Openness and awareness may increase consumer demand for limited data collection and encourage privacy-sensitive business practices. There are exceptions to the "default to consumer access" approach. Under this option, information is not accessible to a consumer unless it can be retrieved by taking steps that are taken on a regular basis in the business with respect to that information, or steps that the organization is capable of taking with the procedures it uses on a regular basis. This limitation on access is designed to ensure that businesses need not create new and more elaborate databases solely to provide access. The creation of new databases of this sort would create additional risks to privacy. However, limiting access in this fashion means that some personal information may be out of reach under this option. In addition, under this option, personal information is not retrievable in the ordinary course of business if retrieval would impose an "unreasonable burden" on the business. This is a narrow, but important, exception to access. It allows for a purpose or cost-benefit analysis in those situations where the ability to retrieve the information would be very costly or disruptive to the business -for example, where certain proprietary data may be disclosed, or where the information at issue is of marginal significance compared to the cost of access. It is here that the sensitivity of data, the uses of data, the purpose of the request, etc. could be considered. If an organization uses this exception to limit access, it should refer the individual to the provisions in its privacy notice that discuss its data collection use, and consent/choice policies, or provide the individual with information equivalent to the privacy notice. Proponents of this approach would argue:
Opponents of this approach would argue:
2.5.3 Access Option 3: Case-by-Case Approach Including Sectoral Considerations Commercial Web sites should provide access depending on a variety of considerations and the level of access may differ for different types of information or in different sectors. A third approach would be to treat different information differently depending on a calculation that takes into consideration, among other things, the content of the information, the holder of the information, the source of the information, and the likely use of the information. This approach is necessarily more complex, recognizing that whether access is appropriate depends on a variety of factors. Different sectors, record-keeping systems, and types of data raise different issues. The challenge, therefore, would be to develop an easy to administer set of rules. Unlike the Default option that is premised on a presumption of access, under this approach there is no presumption for or against access. Rather, the access inquiry requires an analysis of the relevant factors. This determination will depend both upon the nature of the data in question (e.g., information regarding children) and the record-keeping system in question. On the other hand, it is clear that under this third approach, there would be categories of data to which access is more limited than in the other approaches. For example, inferred data, "non-factual data" or internal identifiers may be less accessible under this approach than under the other approaches. This approach affords access to information that is likely to have an adverse effect on the person. This option supports access for a variety purposes, including but not limited to promoting consumer awareness. Access itself may not only enhance "consumer privacy" per se, but also ensure the accuracy of data and protect against adverse decisions based upon incorrect data. Applying this approach, in some instances access may be limited for purposes of correction of erroneous data. This approach also may allow a more precise weighing, in light of the nature of the data and the sector involved, the consumer's reasonable expectations about the data, and the costs of providing access, of whether access to the particular type of data is warranted. As with all options, the cost of providing access is a consideration that must be factored into the analysis. As the purpose for the data use becomes more significant, however, cost may become less of a factor. U.S. privacy laws have developed as the result of a sector-by-sector approach similar to this option. This approach could also result in classes or categories of data receiving similar treatment across various sectors. This approach considers data privacy in the context of specific types of information or sectors and whether it is likely to be used in a way that could adversely affect the data subject. For example, access as the ability to view and correct is the norm with regard to financial information used to make credit granting and employment decisions under the Fair Credit Reporting Act. Several laws provide for access and correction. These include the Family Education Rights and Privacy Act (20 USC 1232) which allows students the ability to view, dispute, and delete parts of student records. The Cable Communications Policy Act (47 USC 551) interprets access as the ability to view and correct. The U.S. Privacy Protection Study Commission, also addressed access issues in the mid-1970s. The Commission recommended access and correction as a component of fair information practices. They recognized that decisions about when and how to provide access to information are unique to the particular information systems or sectors. This approach would provide different access possibilities to different sectors or types of data. Depending on the number of factors in the calculation, the permutations could be extensive. This approach could afford access to all sensitive data such as financial information, health information, or information relating to children, and other data in sectors of the economy that may affect individuals in a materially adverse way if it is inaccurate. In these instances, it would yield the same result as the Default Rule and Total Access approaches. Proponents would argue:
Opponents would argue:
2.5.4 Access Option 4: Access for Correction Commercial Web sites should provide a consumer with access to personal information if (1) the information is used to grant or deny the consumer a significant benefit and (2) providing access will improve the accuracy of the data in a way that justifies the cost. This option begins by asking why access to personal data is important to consumers. One reason for allowing access - correcting errors - is of interest to both the individual and to the Web site. If the Web site uses personal data to grant or deny some significant benefit to consumers, then errors in the Web site's files could cause real harm to the consumer. Giving the consumer access to the data allows the consumer to challenge or correct errors. Both the consumer and the Web site have an interest in the accuracy of such data, so allowing access and correction helps both parties. Thus, even if allowing access increases the Web site's costs, as it often will, and even if the costs cannot be passed on to consumers, the Web site itself will get some benefit from access designed to improve the accuracy of important data. This option treats error-correction as the principal reason for incurring the costs of providing access. It gives little weight to other justifications that have been advanced for access, such as the view that giving consumers access to the files maintained about them will discourage Web sites from gathering sensitive or unnecessary information. Maintaining an access system imposes costs on Web sites and their customers - not just in money but also in convenience and even risks to privacy. The "access for correction" option seeks to minimize those costs while preserving the error-correction rationale that it treats as the touchstone for defining reasonable access. Under this option, a Web site would grant access to personal data in its files only after answering two questions in the affirmative: (1) Does the Web site use personal data to grant or deny significant benefits to an individual? (2) Will granting access improve the accuracy of the data in a way that justifies the costs? The first question resolves many of the issues that are more difficult to resolve under the other options presented here. Examples of information that is used to grant or deny significant benefits include credit reports, financial qualifications, and medical records. In contrast, information used for marketing purposes, such as targeted ads or direct mail, does not confer or deny a significant benefit. By focusing on whether the Web site uses personal data to grant or deny a significant benefit, the approach would largely exclude personal data that is not tied closely to an individual, because it is unlikely (though not impossible) that significant benefits will be granted anonymously. Similarly, the approach calls for access only to information that is collected and retrieved in the ordinary course of business. With some qualifications set out below, however, the approach would allow access to information that has been provided by a third party, as long as the information is used to grant or deny significant benefits. The second question - whether allowing access to correct errors justifies the cost - raises a variety of possible exceptions to access. Inferred data, such as judgments made about the consumer by third parties or Web site employees or even expert information systems, are not usually susceptible to direct correction, although obviously the underlying data used to generate the inference can be corrected. The option takes account of costs that are not simply financial. Thus, access is not ordinarily justified if it would reveal trade secrets. Nor is it justified if it would compromise expectations of confidentiality on the part of third parties or Web site employees (e.g., comments by the Web site's "help desk" employees on the civility or IQ of particular customers). Under this option, as the likelihood of improving the accuracy of personal data declines and the cost of providing secure access increases, the cost-effectiveness of access also declines and the public-policy justification for access grows weaker. Proponents of this option would argue:
Opponents of this option would argue:
2.6 Authentication This Committee was asked to consider not just access to personal information but also security for personal information. This combined mandate was an appropriate one, for there is a very real tension between access and security, one that we address in this section. Unlike the other Fair Information Practice principles, the access principle sometimes pits privacy against privacy. Simply stated, the problem is this -- On the one hand, privacy could be enhanced if consumers can freely access the information that commercial Web sites have gathered about them. On the other hand, privacy is lost if a security failure results in access being granted to the wrong person - an investigator making a pretext call, a con man engaged in identity theft, or, in some instances, one family member in conflict with another. How can consumers get the benefits of access to their personal data without running the risk that others will also gain access to that data? The answer is to employ techniques that adequately authenticate consumers - that provide some proof of that the consumer is authorized to have access to the personal data. As more and more of our personal information is stored on the Web, like stock portfolios and financial accounts, the need for good online authentication grows ever stronger, and new solutions continue to arrive in the market. But authentication often involves making tradeoffs between security and ease of access. How should those tradeoffs be made in the context of an access policy? In particular, what kind of authentication techniques should a commercial Web site employ to limit inappropriate access to personal information? If the consumer must produce three picture IDs, privacy will be protected, but access will be difficult. If an email address is treated as sufficient, access will be encouraged, but the risk of compromise will grow. This section of our report attempts to illustrate the ways in which these competing interests can be addressed. In the end, it will be clear that there is no single answer to the dilemma described above. As with many of the access issues discussed in this report, the proper level of authentication depends on the circumstances. To take one example, the level of authentication depends in part upon whether the consumer will simply view the information or will correct or amend it as well. Allowing the wrong individual to view someone else's data is a violation of privacy - and may lead to additional harm ranging from embarrassment to loss of employment - but allowing the wrong person to "correct" that personal information can result in equally devastating consequences. For example, in the past, criminals have gained access to an individual's credit card accounts by filling out a change of address card with the post office and diverting the individual's credit card statements to another location. With access to the individual's bank statements and credit card bills, the crook has ample information to impersonate the victim. For this reason, where correction or amendment is provided, an audit trail should, if practicable, be maintained to aid in identifying potential problems. In judging the proper level of authentication, it is necessary to bear in mind that the risk of liability will heavily influence the Web site's choices. Sooner or later, whatever level is set, the Web site's authentication requirements will turn out to be either too strict or not strict enough. A business runs a risk of liability if it allows the wrong person to access personal information. Although it is not clear what specific remedy an individual might have under existing law, the lack of certainty regarding liability presents a problem for both individuals and businesses. If the liability standard imposed upon business is too strict, businesses could raise the barrier to access very high, burdening individuals' access in an effort to avoid liability. Conversely, if existing legal remedies do not provide sufficient penalties for inappropriate access, individuals' privacy may suffer. How to strike an appropriate balance that spurs good practices, encourages the deployment of robust authentication devices, and does not overly burden access is the challenge at hand. We noted that efforts to provide consumer access could lead to authentication measures that could erode the advantages of anonymity on the Internet. Authentication can support access whether the consumer chooses to be anonymous, pseudonymous, or known. So, authentication does not require consumers to provide personally identifiable information. But as a practical matter the conflict is often direct. For example, technologies such as biometrics may improve authentication but they may inevitably reduce the consumer's ability to remain anonymous. Similarly, access processes that rely on data held by a third party to authenticate a consumer may increase the proliferation of personal data, bringing into question the privacy policies of third party authentication services. At the same time, third parties - intermediaries - can also play a role in the protection of identity. Currently, several intermediary companies provide anonymity or pseudonymity to individuals on the Internet. 2.6.1 Ways of addressing the authentication problem So, how can Web sites choose an authentication policy? There is no one right answer. In this section we look at two case studies to identify ways in which commercial Web sites might strike a balance in addressing the authentication problem. Often, the solutions chosen will depend on the Web site's relationship with the consumer, as well as the kind of data to which access is provided. Account Subscribers. Perhaps the fewest difficulties arise where a subscriber establishes an account with a Web site. In many cases, the individual may be given access to information about his or her account if he or she simply provided only the information required to establish and secure the account. But relying on information such as name, address and phone number to authenticate the identity and authorization of an account holder is risky because the information is so widely available. In fact, many of the most common "shared secrets" (such as social security numbers or mother's maiden name) have been so widely shared that it is hard to call them secrets any more. For this reason, it is common practice both offline and online to require some additional piece of information that is thought to be more difficult to compromise. Many businesses require individuals to use a shared secret (password) to access an account. Even a password requirement, with all its inconveniences and costs, suffers from serious security flaws. Many consumers use the same password at multiple places, or leave themselves reminders on yellow stickies, or use obvious passwords that are easily guessed, for example, one of the most commonly used passwords of all -"password". All of these risks can compromise the integrity of the authentication system. Authenticating identity has become a far more complex endeavor than it once was. Even when an account already requires a password, it may be appropriate to require something more than the password before allowing access. This could be a physical object (something the consumer owns), or some unique physical attribute (e.g. some a biometric characteristic), or information passed to the consumer in a separate channel, such as a special code provided with the customer's last statement or information about recent account activity. We discussed the feasibility of using authentication devices as a method for obtaining consumer access to personal data. Some Committee members expressed concern that "near perfect" authentication tools may be prohibitively expensive or too cumbersome for widespread use. Others said that wide ranges of authentication solutions are available today that solve the password 'problem' described above. They pointed to hardware tokens that may be used like an ATM card and software tokens that can be downloaded to a PC, PDA or cell phone. Doubters on the Committee argued that such solutions remain costly and that the risks of misuse and misappropriation remain.
Cookies, identifiers, and partially personalized data. A harder authentication problem arises if the Web site seeks to provide access to data that is not tied to an individual subscriber's account. Sometimes, data is gathered about the activities of a particular computer, through the use of cookies or another unique identifier,. But such data maybe only partially personalized -- the computer may have more than one user. The consequences of disclosing information about an individual's use of a Web site or click stream data to another person (family member, co-worker, other) could be damaging. The Committee notes that this problem is not limited to the online environment. Consumers are familiar with the problem in other contexts. To take one example, a home telephone number is only "partially personalized." It may be used by anyone who enters the house. Thus, an itemized phone bill may reveal information about one family member to another. For telephone billings, we accept over-disclosure - that is, account holders may see information about other users of that phone. And despite nearly a century of experience with telephones and telephone billing, new privacy issues continue to arise in this context (e.g., disclosure of use of 900 numbers). Based on this experience, the problem of partially personalized information will remain a thorny one for the foreseeable future. In such circumstances, how can a service authenticate that the individual is the person to whom the data relates? Can Web sites provide access in a fashion that reflects the potential adverse consequences of disclosing information to someone other than the subject of that information? Should the level of access authorized be lowered due to the complexities of connecting the user to the data? Are there other policies that would address the privacy interest and have a lower risk of unintentionally disclosing data to the wrong individual? Does this concern vary from Web site to Web site? Again, there is no single answer to these questions, as our case study shows.
3 Security We examined how to ensure the security of personal data held by commercial Web sites. This section first describes competing considerations in computer security. After then looking at some possibilities for regulating computer security in online systems, it discusses the importance of notice and education as supplements to standards for protecting personal data. It presents competing options for setting Web site security standards and recommends a specific solution to protect the security of personal data. 3.1 Competing Considerations in Computer Security Most consumers - and most companies - would expect companies that collect and hold personal data to provide some kind of security for that data. Identifying the most effective and efficient solution for data security is a difficult task. Security is application-specific and process-specific. Different types of data warrant different levels of protection. Security - and the resulting protection for personal data - can be set at almost any level depending on the costs one is willing to incur, not only in dollars but in inconvenience for users and administrators of the system. Security is contextual: to achieve appropriate security, security professionals typically vary the level of protection based on the value of the information on the systems, the cost of particular security measures, the costs of a security failure in terms of both liability and public confidence. To complicate matters, both computer systems and methods of violating computer security are evolving at a rapid clip, with the result that computer security is more a process than a state. Security that was adequate yesterday is inadequate today. Anyone who sets detailed computer security standards - whether for a company, an industry, or a government body - must be prepared to revisit and revise those standards on a constant basis. When companies address this problem, they should develop a program that is a continuous life cycle designed to meet the needs of the particular organization or industry. The cycle should begin with an assessment of risk; the establishment and implementation of a security architecture and management of policies and procedures based on the identified risk; training programs; regular audit and continuous monitoring; and periodic reassessment of risk. These essential elements can be designed to meet the unique requirements of organizations regardless of size. In our advice to the FTC, we attempt to reflect this understanding of security. Our work, and this report, reflects the various types of on-line commercial sites, and the fact that they have different security needs, different resources, and different relationships with consumers. The report reflects this understanding and seeks to identify the range of different possibilities for balancing the sometimes-competing considerations of security, cost, and privacy. 3.2 Directing Computer Security - Preliminary Considerations Before turning to the options it is worthwhile to comment on several issues that we considered but did not incorporate directly into its list of options. First, we considered whether guidelines or regulations on security should contain some specific provision easing their application on smaller, start-up companies or newcomers to the online environment, but we ultimately determined that new entries should not receive special treatment when it comes to security standards. In part, this is because organizations that collect personal data have an obligation to protect that data regardless of their size. In part, this is because we concluded that any risk assessment conducted to evaluate security needs should take into account the size of the company (or, more appropriately, the size of a company's potential exposure to security breaches). In many cases (but not all), a smaller Web site or less well-established company will have fewer customers, less data to secure, and less need for heavy security. A smaller site may also have an easier time monitoring its exposure manually and informally. And of course, even a small site may obtain security services by careful outsourcing. Second, we noted that several of the proposed options depend on or would be greatly advanced by inter-industry cooperation and consultation on appropriate and feasible security standards. Often, there are significant barriers to sharing information about adverse events, including fears of antitrust actions and liability exposure. In the past, the government's willingness to provide clarity on antitrust rules to allow useful cooperation among firms has been helpful, and similar guidance that will encourage industry members to cooperate in the development or enforcement of security standards and procedures without fear of antitrust liability will be helpful here. Third, it is vital to keep in mind that companies need to protect against internal as well as external threats when considering solutions designed to secure customers' personal data. Many companies have already implemented information security policies that protect sensitive corporate data (i.e., compensation information) by limiting access to only those employees with a "need to know." Companies need to implement similar measures that protect customer data from unauthorized access, modification or theft. At the same time, mandated internal security measures can pose difficult issues. For example, it is not easy to define "unauthorized" employee access; not every company has or needs rules about which employees have authority over computer or other data systems. And many companies that have such rules amend them simply by changing their practices rather than rewriting the "rule book." Even more troubling is the possibility that internal security requirements that are driven by a fear of liability could easily become draconian - including background checks, drug testing, even polygraphs. We should not without serious consideration encourage measures that improve the privacy of consumers by reducing the privacy of employees. Fourth, we are concerned about the risks of regulation based on a broad definition of "integrity." Some concepts of security - and some legal definitions - call for network owners to preserve the "integrity" of data. Data is typically defined as having integrity if it has not been "corrupted either maliciously or accidentally" [Computer Security Basics (O'Reilly & Associates, Inc., 1991)] or has not been "subject to unauthorized or unexpected changes" [Issue Update on Information Security and Privacy in Network Environments (Office of Technology Assessment, 1995, US GPO)]. These definitions, issued in the context of computer security rather than legal enforcement, pose problems when translated into a legal mandate. If integrity were read narrowly, as a legal matter, it would focus on whether a Web site has some form of protection against malicious corruption of its data by external or internal sources. If the definition is read broadly, it could lead to liability for data entry errors or other accidental distortions to the private personal information it maintains. Authentication and authorization controls for access to information are integral parts of system security. To establish appropriate authentication and authorization, businesses must consider the value of the information on their systems to both themselves and the individuals to whom it relates, the cost of particular security measures, the risk of inside abuse and outside intrusion, and the cost of a security failure in terms of both liability and public confidence. This discussion of security pertains both to information in transition and information in storage. 3.3 Notice and Education After considerable discussion, the Committee has developed a wide range of possible options for setting standards for protecting personal data held by commercial Web sites. Before presenting these options, we will address two policy options that the group considered but determined were unsatisfactory on their own. While insufficient standing alone, we concluded that development of programs to educate consumers on security issues and a requirement that companies post notice describing their security measures are approaches that should be examined as possible supplements to some of the options in the Security Options below. 3.3.1 Notice Notice is viewed as an appropriate tool for informing individuals about the information practices of businesses. It is critical to the consumer's ability to make informed choices in the marketplace about a company's data practices. In the area of security, as in the area of privacy, there is not necessarily meaningful correlation between the presence or absence of a security notice statement and the true quality of a Web site's actual security. A security notice could be more useful if it allows consumers to compare security among sites in an understandable way. Since it is difficult to convey any useful information in a short statement dealing with a subject as complex as the nuts and bolts of security, most such notices would be confusing and convey little to the average consumer. Further, providing too many technical details about security in a security notice could serve as an invitation to hackers. As was discussed at some length by the Committee, these considerations also mean that it is not possible to judge the adequacy of security at Web sites by performing a "sweep" that focuses on the presence or absence of notices. Notice is important in triggering one of the few enforcement mechanisms available under existing law. If a posted notice states a policy at variance with the organization's practices, the FTC may exercise its enforcement powers by finding the organization liable for deceptive trade practices. But security notices are ineffective standing alone. At the same time, we believe that they could be useful in conjunction with one of the other options discussed in Section D. The form such notice should take will vary depending upon the option selected. 3.3.2 Consumer Education In addition to notice, consumer education campaigns are also useful to alert consumers about security issues, including how to assess the security of a commercial site and the role of the consumer in assuring good security. Regardless of what security solutions the FTC decides to recommend, it would be extremely valuable for the FTC, industry associations, state attorneys general, and others to sponsor consumer education campaigns aimed at informing Internet users about what to look for in evaluating a company's security. In addition, no system is secure against the negligence of users, so consumers must be educated to take steps on their own to protect the security of their personal data. 3.4 Options for Setting Web site Security Standards The Committee has identified two sets of options for those seeking to set security standards. In essence, these options address two questions: How should security standards be defined? And how should they be enforced? The question of how security standards should be defined requires consideration of the parties responsible for the definition as well as issues of the scope and degree of flexibility and changeability of the standards. The entries that could be responsible for setting security standards explicitly include government agencies, courts, and standards bodies. Furthermore, it could be left up to Web sites themselves to develop security programs (perhaps with a requirement that each site develop some security program), or it could be left to market forces and existing remedies to pressure Web sites into addressing security at an appropriate level. In this section, we set forth five options for setting security standards that fall along a continuum from most laissez faire to most regulatory. Each of the proposals reconciles the three goals of adequate security, appropriate cost, and heightened protections for privacy in a different manner. For each option, we have presented the arguments deemed most persuasive by proponents and opponents of the option. 3.4.1 Security Option 1: Rely on Existing Remedies Before requiring any particular security steps, wait to see whether existing negligence law, state attorneys general, and the pressure of the market induce Web sites that collect personal information to generate their own security standards. It is worth noting that the insurance industry has started to insure risks associated with Internet security. The emergence of network security insurance may force companies to seriously address security issues, as the presence or absence of adequate security will be taken into account in the underwriting process utilized to determine rates for premium. Proponents would argue:
Opponents would argue:
3.4.2 Security Option 2: Maintain a Security Program Require all commercial Web sites that collect personal information to develop and maintain (but not necessarily post) a security program for protecting customers' personal data. This option could take one of two forms: The contents and methodology of the security program could be specified, and businesses could be required to post a brief notice indicating their compliance. The requirement could be limited to a simple mandate that the Web site adopt a security strategy without specifying the details or requiring that it be posted. Proponents would argue:
Opponents would argue:
3.4.3 Security Option 3: Rely on Industry-Specific Security Standards All businesses operating online that that collect personal information could be required to adhere to security standards adopted by a particular industry or class of systems. There are three quite different options for how the standards are developed:
Proponents would argue:
Opponents would argue:
3.4.4 Security Option 4: "Appropriate Under the Circumstances" - Standard of Care Require all commercial Web sites holding personal information to adopt security procedures (including managerial procedures) that are "appropriate under the circumstances." "Appropriateness" would be defined through reliance on a case-by-case adjudication to provide context-specific determinations. As the state of the art evolves and changes, so will the appropriate standard of care. An administrative law judge of the FTC or another agency or a court of competent jurisdiction could adjudicate the initial challenge. Proponents would argue:
Opponents would argue:
3.4.5 Security Option 5: Sliding Scale of Security Standards Require commercial Web sites that collect personal information to adhere to a sliding scale of security standards and managerial procedures in protecting individuals' personal data. This scale could specify the categories of personal data that must be protected at particular levels of security and could specify security based upon the known risks of various information systems. In the alternative or as part of the standard, there could be minimum-security standards for particular types of data. The sliding scale could be developed by a government agency or a private sector entity and could incorporate a process for receiving input from the affected businesses, the public, and other interested parties. Proponents would argue:
Opponents would argue:
3.5 Security Recommendation The great majority of the Committee believes that the best protection for the security of personal data would be achieved by combining elements from Options 2 and 4. (Of course, existing remedies would not be supplanted by this solution.) We therefore recommend a solution that includes the following principles:
4 Other Considerations not Addressed 4.1 Enforcement Alternatives The Committee was asked to provide its views on access and security in the context of the Fair Information Practice principles and industry self-regulation. We did not examine legislative or enforcement options in any detail, but it was difficult to address some of the access and security issues without giving some thought to the question of enforcement. As part of the security discussion, in particular, we assembled a range of representative options for enforcement of security principles. Some of these options are consistent with self-regulation, and others would require government intervention. We record them here, not for the purpose of recommending any particular course of action but to show the range of possibilities open to industry and government. Rely on Existing Enforcement Options - Many of the options include the publication of the Web site's security procedures or its adherence to particular standards. Such postings are subject to traditional FTC and state enforcement if the statements are false. It is also of course possible for consumers to bring their own actions for fraud, false statements, or underlying negligence in the handling of the data. Third-Party Audit or Other Assurance Requirements - Rely on independent auditors to ensure compliance with standards. This structure could require security standards to be verified by an external body and public disclosure of the findings. This option would provide more flexibility and could adjust faster to the changing threat environment. It would, however, introduce an additional cost and overhead that may not be justified by all industries and for all levels of risk exposure. It would, on the other hand, introduce a neutral, objective assessment of a company's security infrastructure relative to its industry. Create Express Private Cause of Action - Congress could establish a private right of action enabling consumers to recoup damages (actual, statutory, or liquidated) when a company fails to abide by the security standard established through one of the options set out above. Government Enforcement Program - The FTC or another agency could enforce compliance with standards using its current enforcement power or using newly expanded authority. The enforcement could establish civil or criminal fines, or both and other equitable remedies. (This option is, in some respects, modeled after the regulations governing the financial services industry as enforced by the Federal Financial Institution Examination Council (FFIEC). The FTC could establish a similar enforcement regime for other industries.) 4.2 Advancing Technologies We live in the middle of an information revolution where new opportunities for the use as well as the protection of personal data appear daily. Significant new technologies raise questions about privacy that will have to be addressed. For example, with new wireless technology, a unique identifier heretofore not linked to a specific individual may now be linked to an individual identified with a phone number, location information, or other identifier. And wireless communications can be intercepted in an undetectable manner. Similarly, communicating appliances will have the potential to share personal data that may be linked to an individual. The privacy implications of new technologies may be profound. We have attempted to write options and our recommendation in a manner independent of these new technologies. However, the FTC will have to monitor developments in these areas closely to stay abreast of the privacy and security implications that new technologies may bring. 4.3 Security Incident Data - Industry Sharing With The Government None of the Security Options discussed by the Committee addressed industry sharing security incident data with the government. However, during a Committee meeting this issue was raised. Because this issue is not raised by the security options, the Committee did not examine the question of whether or not the Freedom of Information Act (FOIA) is a barrier to the sharing of security incident data between industry and government. The Committee expresses no opinion on this issue. 5 Charter of the Federal Trade Commission Advisory Committee on Online Access and Security Official Designation
Scope and Objectives
Duration
Reporting Relationship
Support
Duties
Costs
Meetings
Date of Termination
Charter Filing Date
By direction of the Commission. Donald S. Clark |