1997-10-04 - Data Protection in the United States: A Rising Tide?

Header Data

From: Declan McCullagh <declan@well.com>
To: cypherpunks@toad.com
Message Hash: fa1df91037c695abd5bb48ffa7298e63c783dfafa3b124c8cfbb785ee20029d2
Message ID: <v03007802b05c04f73c17@[204.254.22.76]>
Reply To: N/A
UTC Datetime: 1997-10-04 15:09:08 UTC
Raw Date: Sat, 4 Oct 1997 23:09:08 +0800

Raw message

From: Declan McCullagh <declan@well.com>
Date: Sat, 4 Oct 1997 23:09:08 +0800
To: cypherpunks@toad.com
Subject: Data Protection in the United States: A Rising Tide?
Message-ID: <v03007802b05c04f73c17@[204.254.22.76]>
MIME-Version: 1.0
Content-Type: text/plain



[From RRE --Declan]

>Date: Fri, 3 Oct 1997 14:18:57 -0400
>From: Marc Rotenberg <rotenberg@epic.org>
>Subject: EPIC Speech in Brussels
>
>[...]
>
>-------
>
>"Data Protection in the United States: A Rising Tide?"
>
>Marc Rotenberg
>Electronic Privacy Information Center
>Washington, DC
>
>17 September 1997
>19th International Conference on Data Protection
>Brussels, Belgium
>
>      Thank you, Mr. Chairman, ladies and gentlemen. I am
>grateful for the opportunity to be with you this morning.
>
>      I will speak today on behalf of consumers and users of
>the Internet in the United States. There are few issues of
>greater concern to us than the protection of privacy. You can
>read about this in our newspapers and our magazines. Privacy
>stories routinely appear on the front pages of national
>magazines and in the daily newspapers. In just the past few
>weeks stories about privacy have appeared in Time Magazine,
>the Washington Post and USA Today. So extensive is our
>discussion of privacy concerns that we even export the news
>of our problems. I found a story from the New York Times
>about the use of the Internet to collect detailed personal
>information on the front page of the International Herald
>Tribune that I purchased yesterday morning here in Brussels.
>
>      We believe that strong measures must be taken to
>protect personal privacy. You can see this in our responses
>to public polls. We have consistently expressed concern about
>the loss of privacy, and we have consistently shown support
>for new legislation to protect privacy.
>
>      We know that law is often an imperfect solution, but we
>are also firm believers in the rule of law. You will
>recognize this if you trace the development of privacy law in
>the United States over the twentieth century. You can see
>this if you understand that our country has always shown
>great regard for the right of privacy and expressed
>widespread concern when privacy was at risk.
>
>      So, when I say to you today that privacy is a great
>concern in the United States and that we need to do much more
>to protect it, I do so with the newspaper stories piled high,
>the polling numbers unambiguous, and with a respect for
>history that makes clear that few rights in American life are
>more greatly valued than the right to protect private life.
>
>      I will speak now to the three central issues that need
>to be addressed to build a bridge between the United States
>and Europe so that we can enter the information society
>together with mutual standards that protect the privacy
>rights of our citizens. The first issue concerns current
>attitudes of consumers in the United States and the current
>policies of government. The second concerns the short-comings
>of self-regulation. My final point is two recommendations
>for how we should proceed.
>
>      First, it is clear the consumers and users of the
>Internet favor the passage of law to protect personal
>privacy. Professor Westin found this year that 58% of the
>American public want government to pass law to protect privacy
>now. And 24% said that government should formally recommend
>privacy standards. Only 15% favored letting groups develop
>voluntary privacy standards and government taking action only
>if real problems arise.
>
>      Professor Westin's results are consistent with other
>surveys of attitudes toward privacy in the United States. A
>1991 poll conducted by Time Magazine found that 93% of the
>U.S. public felt that companies that sell personal
>information to others should be required to obtain explicit
>permission. And the most comprehensive poll of Internet users
>ever undertaken found that users of the Internet in the
>United States, on a 1 to 5 scale, said that the Internet
>needs new laws to protect privacy at a level of 3.8.
>
>      Public support for privacy legislation is clear.
>
>      Second, it is also clear that some political leaders
>favor the adoption of privacy law. While it is true that the
>White House has expressed the opinion that privacy
>legislation is unnecessary at this time, members of Congress
>are of a different opinion. Bills have been introduced in the
>House and the Senate that address a wide range of privacy
>issues. One bill would limit the disclosure of Social
>Security Numbers. Another bill would prohibit Internet
>Service Providers from disclosing customer information
>without consent. A third bill restricts the ability of direct
>marketers to sell information about young children. Several
>bills have been introduced to address public concern about
>unsolicited commercial email. Many other bills are also under
>consideration.
>
>      It is also clear that the United States is fully
>capable of enacting privacy laws to address public concern,
>particularly when new technologies threaten personal
>freedoms. In fact, we have passed several laws in a little
>over a decade that specifically target new technologies.
>Privacy protections for cable subscriber records were enacted
>in 1984. Electronic mail was covered in 1986. Video rental
>records gained protection in 1988. Even junk faxes and auto-
>dialers became subject to privacy legislation in 1991.
>
>      So, we must observe at this point, that the view of
>some that the United States does not support passage of
>privacy legislation is not supported by the majority of
>people of the United States, many of our elected officials,
>or our recent history.
>
>      Much has been said in the last few months in support of
>self-regulation. Self-regulation has been offered as a
>privacy solution, a way to steer a course between government
>control and free market chaos. It is critical to look closely
>at the case for self-regulation.
>
>      First, it should be said that the current argument for
>self-regulation is based on a preference and not a principle.
>While much has been said about the "common philosophy" of the
>Administration's policy toward the Internet, it is quite
>clear, some would say painfully clear, that the
>Administration is prepared to regulate if the interest at
>stake is copyright or cryptography./1/
>
>      Second, self-regulation as an argument against privacy
>protection is hardly new in the United States. The direct
>marketing industry has argued for more than twenty years that
>it did not need privacy regulation. The result is that today
>Americans receive a flood of junkmail, more junkmail per
>capita than any other country in the world. Millions of
>Americans sign up for the Mail Preference Service to escape
>this onslaught, but there is no assurance that the privacy of
>these people will be protected. Professor Reidenberg and
>Professor Schwartz have shown in their study of data
>protection in the United States that the Mail Preference
>Service is ignored by about half the members of the Direct
>Marketing Association./2/
>
>      Self-regulation has also failed repeatedly in the last
>few years as trade groups and individual companies have been
>unwilling to uphold their own principles and their own
>contractual agreements. In 1991 the Direct Marketing
>Association failed to take action against the Lotus
>Marketplace product even though it plainly violated the
>industry's own guideline on the need to offer an effective
>opt-out. Similarly, the DMA failed to take any action against
>Metromail after the company turned a mailing list into a
>look-up service in violation of another DMA edict. Companies
>also appear unable to police themselves. America Online
>entered into a deal with a telemarketing firm even after it
>assured customers in its service agreement that it would not
>disclose telephone numbers to others. There are many other
>similar cases.
>
>      Consumer groups challenged these practices, and
>eventually changes were made. But this is hardly proof, as
>some proponents have claimed, that the self-regulatory
>approach is working.
>
>      The advocates for self-regulation have also redefined
>privacy in a way that is ultimately harmful to the interests
>of consumers. Instead of focusing on the obligations of the
>organizations that collect personal information to safeguard
>the information and use it only for appropriate purposes, the
>self-regulatory environment has produced numerous proposals
>that all share the common goal of extracting as much
>information from the individual as the individual can be
>coerced to give up by means of contract. A typical
>negotiation in an environment produced by P3 or OPS requires
>consumers to satisfy the information disclosure requirements
>of the business as a condition of gaining access to services.
>
>      As my colleague Professor Agre has observed, these
>relationships easily become asymmetric with the organization
>having the greater power to control what information about
>itself is released while simultaneously obscuring the nature
>and scope of the information it has obtained about
>individuals.
>
>      Of course, one remains "free" to withhold consent and
>to therefore be denied admission to a web site, service from
>a web-based company, and many other opportunities in the
>Information Society regardless of whether a fair
>justification for the data collection is provided.
>
>      Simply stated, self-regulation elevates the principles
>of notice and consent to stratospheric heights and ignores
>virtually all other principles of privacy and data
>protection. It is, to borrow from the British philosopher
>Jeremy Bentham, "contracts on stilts."
>
>      This has been made clear by virtually all of the
>proposals in the United States that focus on obtaining
>consent. The most ironic of these was one recommendation
>earnestly made by a government official on this issue of
>children's privacy who proposed in place of legislative
>safeguards the use of biometric identifiers to ensure that a
>parent's consent to make use of a child's data for marketing
>purposes had in fact been obtained.
>
>      Self-regulation has also given rise to the emphasis on
>a multiplicity of privacy preferences. But whether
>individuals actually have such diverse privacy preferences,
>particularly in routine commercial transactions or in data
>gathering activity remains to be seen. As Professor Agre
>notes, "particular importance should be paid to uniformity of
>protocols across different industries and applications, so
>that consumers are not overwhelmed by a pointless diversity
>of interfaces and contracts." /3/
>
>      He suggests that it will be particularly important to
>look at a broad range of criteria, "including ease of
>understanding, adequacy of notification, compliance with
>standards, contractual fairness and enforceability,
>appropriate choice of defaults, efficiency relative to the
>potential benefits, and integration with other means of
>privacy protection."
>
>      Self-regulation has a further problem: it provides a
>very limited view of the problems surrounding privacy
>protection. It focuses on the microeconomic relationship
>between buyer and seller and ignores the larger social
>questions of architecture and design. Should highway systems
>be designed with anonymous toll payment? Which technologies
>could facilitate commerce and protect privacy? What stand
>should governments take on the use of cryptography? Self-
>regulation provides no answers to these questions, it
>provides no mechanisms to find solutions.
>
>      Self-regulation has failed to work even in areas where
>public and industry support is overwhelming. The Center for
>Media Education found that more than a year after the release
>of a widely publicized report on children's privacy that
>companies were continuing to collect personally identifiable
>information from children at their web sites without
>disclosing how the information will be used, who will have
>access to it, and without obtaining parental consent. As the
>CME concluded, "it is clear that industry self-regulation
>does not provide adequate protection for children's privacy."
>
>      It has been proposed that the Federal Trade Commission
>could enforce a self-regulatory privacy regime by
>prosecuting deceptive trade practices. But the FTC's ability
>to actually enforce privacy protection in this manner is
>highly suspect. First, the legal authority of the FTC under
>section 5 of the Federal Trade Commission Act typically
>requires a showing of "actual harm" to consumers. As those
>who have studied privacy law in the United States know, this
>will be a difficult test to satisfy. But even if this problem
>is overcome, one could well ask why the FTC, if it had such
>legal authority, pursued only one privacy case after two
>years of intense privacy investigation. And in the single
>case that the FTC investigated, the Commission issued an
>opinion only after the company had discontinued the
>challenged practice. There was no actual judgment against the
>firm or any sanction imposed. Finally, what expectation can
>there be that the FTC will pursue any privacy actions in the
>near future when the Commissioner responsible for privacy
>matters has now left the Commission? One can look to the
>Federal Trade Commission for the enforcement of privacy
>safeguards on the Internet, but you will see only an empty
>chair.
>
>      Finally, there is a significant legal objection to
>self-regulation as a means to protect consumer privacy in the
>United States: such an arrangement could be impermissible
>under anti-trust law. It is, as one commentator has noted, a
>violation of competition law for businesses in the same
>market to combine to set the terms of competition and then to
>enforce those terms on their competitors. Establishing
>industry-wide privacy standards could have exactly this
>consequence. Some commentators have suggested that it may be
>possible for such agreements to survive anti-trust scrutiny
>if the codes are sensibly designed and do not discourage
>competition. But drafting such a policy may not be so simple.
>
>      What happens, for example, if industry adopts a code
>based on an opt-out procedure and an innovative company,
>recognizing the need for a higher privacy standard, prefers
>to offer an opt-in procedure instead? If the industry
>association discourages the company from offering the higher
>standard, consumers would be harmed and an anti-trust action
>could result. Indeed, there is already anecdotal evidence
>that the marketing industry has engaged in just such
>practices. (Note that in this example a regulatory framework
>that established opt-out in law could still permit the
>innovative company to offer the opt-in procedure.)
>
>      What we realize now is that self-regulation provides
>neither the assurance of a legal right nor the innovation and
>competitive benefit of the marketplace. It is simply an
>answer to the question: how do we regulate without the
>government? This is not a path to privacy protection, it is
>not even privacy policy.
>
>THE FUTURE
>
>      It seems to me surprising that we are unable today to
>resolve the privacy differences between Europe and the United
>States particularly as they concern the Internet. Both
>regions share a high regard for privacy and a long privacy
>tradition. Both regions seem eager for greater privacy
>safeguards. We know also that there is a convergence in the
>development of privacy standards around the globe./4/
>
>      But even more obviously, the Internet offers the ideal
>environment to establish uniform standards to protect
>personal privacy. This is clear to anyone who recognizes that
>the platform is consistent around the globe, that the
>protocols are consistent, and the customs surrounding
>commercial transactions off-line are surprisingly consistent:
>money buys products and services, the disclosure of one's
>address is necessary to receive delivery of goods, and the
>release of personal financial information may be necessary
>when credit is sought.
>
>      For the vast majority of transactions on the Internet,
>simple, predictable, uniform rules offer enormous benefits to
>consumers and businesses. It is clear what the goal is.
>
>      We must find a way forward. The Commission would have
>ample justification at this point if it decided to restrict
>certain data flows to the United States because of the
>absence of appropriate privacy safeguards. How can this point
>be disputed? Consumers in the United States know that we lack
>adequate privacy protection.
>
>       I think it is time to end what Colin Bennett has
>called "American Exceptionalism." There is little support in
>our public attitudes, law, or history for this stance. The
>United States should move quickly to establish a privacy
>agency, and then proceed to explore the application of the
>OECD Privacy Guidelines to the private sector. This useful
>framework provides a strong foundation for the development of
>technical means to protect privacy and the development of new
>privacy standards and legal safeguards. It is already found
>today in several US privacy laws and in the practices of many
>US companies.
>
>       I also propose today that the United States, Europe,
>and Asia join together to develop an international convention
>on privacy protection based on the OECD Guidelines. A simple
>framework of general goals combined with a consultative
>process that brings together a wide array of countries could
>help ensure that privacy standards are extended to all corners
>of the globe.
>
>       Only when we have established privacy standards and
>guidelines as strong as security standards and guidelines
>will users of advanced networked services have the trust and
>confidence to participate fully in the Information Society.
>
>       It is also my hope that in the process of working
>together toward a common goal that some of the current
>differences between the United States and Europe will
>diminish. There is too much at stake for consumers, and
>citizens, and users of the Internet to risk a clash of
>privacy rules.
>
>       We share a common interest in the protection of
>privacy. Let us go forward together and establish the
>policies that will launch the information economies of the
>next era while preserving the personal freedoms we cherish
>today.
>
>       I thank you for your attention.
>
>NOTES
>
>/1/  Framework for Electronic Commerce (1997)
>
>/2/ Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law
>(New York: Michie, 1996).
>
>/3/  Philip E. Agre and Marc Rotenberg, eds., Technology and
>Privacy: The New Landscape (Cambridge and London: MIT Press, 1997)
>
>/4/ Colin J. Bennett, Regulating Privacy (Ithaca: Cornell
>Press, 1992)
>






