Who's Minding Whose Business On The Internet?
By Juliana Gruenwald, CQ Staff Writer
Andy Tarnoff had no idea his privacy had been violated until NationsBank called to ask whether he had applied for a new credit card. When he answered no, the 24-year-old Web page designer from Milwaukee got some shocking news: Someone from New York City had tried to obtain credit using Tarnoff's name and Social Security number.
Tarnoff suspects the culprit gained access to his Social Security number and other personal information from the Internet.
"I'm a young, single guy who uses the Web," said Tarnoff. "I've never been to New York. . . . That's what leads me to think they got it off the Web because it's so random."
Tarnoff's story highlights the growing concern among consumers, privacy advocates and lawmakers about the lack of protection for personal information on the Internet.
The Internet is a boundless, vast medium that is proving to be fertile ground for those who seek private information about others for financial or personal gain. Information can be accessed anywhere in the world at any time of the day, making the Internet's reach both exciting and treacherous.
Sen. Patrick J. Leahy, D-Vt., an Internet-savvy lawmaker, said he often warns his colleagues to consider, "If you're using the Internet for sending a message, is it a message you would put on a postcard?"
Leahy said he thinks this is one area where Congress may need to provide a legislative fix. So far, lawmakers have yet to focus on the issue in any depth.
Even though several bills aimed at bolstering privacy on-line have been introduced, many key lawmakers seem willing at this point to give industry the opportunity to tackle the issue first.
"I think it will make a lot of sense to take our time" on this issue, said Rep. Rick White, R-Wash., who has helped arrange a series of hearings in the House Commerce Committee on issues surrounding electronic commerce. "We've been guilty in the past of rushing to judgment and getting it wrong."
Capitol Hill has been following the Clinton administration's lead in giving industry a chance to show that self-regulation will work before resorting to government intervention.
"There are 10,000 new Web pages forming each week. It would be difficult for any agency to monitor," said Ira Magaziner, the White House Internet policy adviser. "If you have a law but no way of enforcing it, you're giving [Internet users] a false sense of security."
Despite such views, the administration, like many lawmakers, is not ruling out legislation or new regulation if industry action fails to address the problem adequately.
And patience appears to be growing thin among some regulators. At a July 21 hearing before the House Commerce Committee's Telecommunications, Trade and Consumer Protection Subcommittee, Federal Trade Commission (FTC) Chairman Robert Pitofsky said that if the industry's efforts are not working by the end of the year, Congress should intervene to ensure that consumers are protected when surfing the Internet.
"We have not given up on self-regulation," said Pitofsky. "If it does not work out, we believe Congress should seriously consider legislation."
Administration officials and lawmakers also are worried about the confidentiality of on-line medical records. Democrats and Republicans have added provisions in their managed care proposals to increase medical record privacy.
Information Blitz
The most common invasions of privacy involve the use of personal information by marketers who gain information from Web surfers voluntarily or through technology.
Some Web sites require patrons to register before they can enter. Many of these on-line registration forms often ask for a wide array of personal information. Many sites also have ways of tracking what types of information Web users seek out when they visit their sites, information that could prove useful for marketing products to individuals.
But some sites are trying to make money from information available on-line. They offer to provide sensitive information such as Social Security numbers to any taker for a fee, information that is increasingly being used by thieves to gain access to credit.
Many Web users are often unaware that this information is collected or how it is used.
"A lot of people think government is the primary threat [to] privacy," said Jason Catlett, CEO of Junkbusters, an on-line company that provides resources for protecting privacy. That has "long been surpassed by private companies."
This is precisely why Catlett and others say the federal government needs to establish a basic level of protection for personal privacy on the Internet.
"There needs to be a clear national standard," said Jeff Chester, executive director of the Center for Media Education, a Washington think tank which studies media policies.
Critics and supporters of the administration's hands-off approach say that industry has an interest in ensuring that Americans are comfortable conducting on-line commerce. If not, they fear, electronic commerce may not grow to its full potential even as use of the Internet increases.
In 1998, there are 100 million customers on-line worldwide, up from 3 million, mostly in the United States, in 1994, according to an April Commerce Department report.
"People will not put their faith, their trust or their cash into electronic commerce if they feel that in order to buy a product, they must first sell their privacy," Vice President Al Gore warned in a June 24 speech to a technology conference in Fairfax, Va.
While he says he is unlikely to stop surfing the Web, Tarnoff, who has made a few purchases on-line, said he is unlikely to shop on the Internet any time soon because of his privacy worries. "I'm gun-shy," Tarnoff said.
The Ease of Data Collection
The Internet has increased the ease and speed with which companies can collect vast amounts of information about consumers and even children.
The FTC, in a June 4 report on Internet privacy, found that 92 percent of 1,189 sites it sampled collected personal information from its visitors, such as their name, e-mail address, postal address or telephone number. A separate sample of 212 children's sites found that 89 percent collect personal information from their underage visitors.
Few sites post privacy policies that would tell visitors what information is being collected and how it is used, the report said.
Transactions on the Internet can be protected from hackers by using encryption technology, which scrambles data or electronic communications to prevent unauthorized access.
But even if a commercial transaction is encrypted, there is no guarantee that a business receiving the information will keep it private.
In addition, many Web sites track a visitor's habits and preferences through the use of "cookies," bits of data placed on the user's computer hard disk that record which Web pages are visited.
Many users do not realize cookies are being placed on their computer hard disk by the Web site they are visiting.
There are ways to prevent sites from placing cookies on a computer. However, some sites, such as the discount travel site Lowestfare (www.lowestfare.com), require users to accept cookies to access their site.
Some of the information collected by Web sites is sold to third parties for advertising or other reasons. Others might use the information to send junk e-mail messages, also known as "spamming," a growing annoyance for many Internet users.
By using data collected from cookies or other means, an "unprecedented dossier can be assembled of what a person has seen, revealing their interests and embarrassing facts," said Ohio State University law professor Peter P. Swire, an expert on Internet privacy and security issues.
Many companies have sprung up on the Internet, offering to sell much more sensitive information. One Web site called "Lou's Clues," (www.lousclues.com) which promotes itself as an "information service for women," advertises that it can deliver Social Security numbers to those who pay $22, as well as furnish the name and address of the subject.
This kind of information in the wrong hands can be used to commit fraud or to steal another person's identity, as Tarnoff discovered. He said he thinks his personal information was simply grabbed off the Internet.
While many identity-theft cases are perpetrated by those who access information off-line, the Internet is easy pickings for thieves seeking to obtain personal identifying information, according to a May 1998 report by the General Accounting Office.
"The advent of the Internet has made this information much more accessible," said Rep. Gerald D. Kleczka, D-Wis., sponsor of legislation (HR1813) that would prohibit credit bureaus from releasing Social Security numbers and other personal information, and ban commercial use of a Social Security number without written consent.
Kleczka's bill and a similar measure, (S600) introduced in the Senate by Dianne Feinstein, D-Calif., are aimed at tackling identity fraud.
The Senate Judiciary Committee approved a separate bill (S512) July 9 that would make it a crime to steal personal identifying information such as a Social Security number.
Current federal law bans the fraudulent possession, transfer and production of identity documents. But law enforcement officials must catch a culprit in possession of such documents in order to prosecute.
Consumer Trepidation
Polls have found that many Americans are worried that their privacy will be compromised on the Internet.
While only 6 percent of Internet users reported being the victim of privacy invasion, 86 percent said they were concerned about potential threats to their privacy, according to a poll released in June by Louis Harris and Associates Inc. and Alan F. Westin, a public law professor at Columbia University.
"It's a little like how many people have had an experience with their [car] brakes failing. You don't need to have that experience to want to have brakes" that work, said Marc Rotenberg, director of the Electronic Privacy Information Center, a public interest research group in Washington, D.C., focusing on electronic privacy, security and civil liberties issues.
Of those surveyed who do not regularly use the Internet, 44 percent said they would be more likely to do so if they could be assured that their personal information would be kept private.
"It's holding back the [full] development of commerce on the Internet," said the FTC's Pitofksy.
Industry officials say such information collection on the Internet is necessary to provide customers with better service, and not for sinister motives.
"Very few [Web sites] are exchanging information with other marketers," said Chet Dalzell, a spokesman for the Direct Marketing Association, an industry association of companies that sell and market products and services by phone, mail or via the Internet. "What we're trying to do is be better communicators" by making Web sites easier to navigate and targeting ads to meet consumers' interests.
The Clinton administration in 1997 challenged industry representatives to develop and implement policies aimed at protecting privacy on-line.
"Self-regulation can have one important feature: It builds a marketplace for privacy and makes consumers demand privacy protections," said Becky Burr, acting associate administrator of international affairs in the Commerce Department's National Telecommunications and Information Administration.
After some initial attempts, industry leaders unveiled a proposal that many see as the most serious attempt at self-regulation.
A coalition called the Online Privacy Alliance, which includes about 50 of the biggest companies and organizations doing business on the Internet or providing products and services for Internet commerce, announced in June a series of privacy guidelines. Among the group's members are IBM, America Online, Yahoo! and the Direct Marketing Association.
The guidelines call for members to adopt, implement and post on their Web sites privacy policies that state what information is being collected and how it is used. The group also requires members to allow consumers to decide whether the information can be used for other purposes. Members also agree not to collect information from children under 13 without the consent of their parents.
Many of the companies involved with the alliance also have signed on to other initiatives, such as the Better Business Bureau's BBBonline and TRUSTe. These groups offer privacy seals that can be placed on Web sites to assure consumers that the privacy policies of those sites have been reviewed and are being monitored by the organizations providing the seals.
Industry officials say such approaches empower consumers and provide them with the necessary information to be on the lookout for privacy violators.
"The Internet is a global place," said Harriet Pearson, IBM's director of public affairs. "When you go on the Internet, you should be as self-aware as when" you are conducting business elsewhere.
Industry officials said legislation to force companies to comply with privacy guidelines is unworkable and would quickly be outdated as technology changes.
"Laws are two-by-fours," said former FTC Commissioner Christine Varney, who is advising the Online Privacy Alliance. "They are very broad. . . . They retard innovation."
Varney and others say consumers have some recourse under current FTC regulations that bar deceptive practices. For example, the FTC can take action against companies that post privacy policies on their Web sites but do not adhere to them.
While praised for its initiative, the alliance was criticized for not including a plan for enforcing the guide-lines and instead setting a deadline of Sept. 15 for completing work on this issue.
Following the alliance's announcement, Commerce Secretary William M. Daley expressed disappointment June 23 during a two-day departmental summit on privacy, saying, "I have taken some hits for supporting the industry on self-regulation. . . . I sincerely hope industry steps up to the plate first. But if it doesn't, we will have to consider all the options we have for protecting the American consumer."
Jill Lesser, America Online's director of law and public policy, defended the alliance's efforts, saying the Internet industry "moved more quickly than many others" to address the issue. America Online faced an onslaught of negative publicity and recently agreed to a monetary settlement after an employee revealed to a Navy investigator in a telephone call the name of a sailor who had identified himself as gay in an electronic message posted on the company's service.
In response to pressure from the administration and others, the alliance released its enforcement provisions July 20. The group called for members to sign on to a privacy seal program that has standards similar to the alliance's and a mechanism for punishing those that violate their privacy policies.
Magaziner hailed the alliance's effort as a "very good step forward" and said he believed it should be given a chance to work.
Bad Apples
But privacy advocates complained that the alliance's effort does not go far enough. Industry self-regulation and technological innovations to protect privacy need to be backed up with regulation, they argue.
They say self-regulation does not address the bad apples -- those who are unwilling to sign on to privacy policies.
"The industry doesn't have a way of legally policing the renegades within the industry who will seek to capitalize upon gathering this information," said Rep. Edward J. Markey, D-Mass.
Markey has sponsored a broad privacy bill (HR1964) that requires the FTC and Federal Communications Commission to issue guidelines mandating that consumers be told what personal information is being collected about them and have the option of stopping unauthorized collection, use or sale of this information.
Some privacy advocates also say the federal government needs to establish a full-time federal commission or office to address privacy concerns.
Establishing some ground rules for protecting privacy on the Internet is "the responsible thing to do if we care about privacy in this country," said Rep. Bruce F. Vento, D-Minn., who has proposed legislation (HR98) to prohibit Internet service providers from revealing a subscriber's sensitive personal information to a third party without that subscriber's consent.
While numerous bills similar to Vento's have been introduced, none has seen any action, and they appear unlikely to go anywhere in the 105th Congress. Nonetheless, some lawmakers have been seeking other ways to tackle the problem.
Markey has been trying to attach privacy amendments to other pieces of legislation. During a June markup before a House Commerce subcommittee, Markey succeeded in gaining adoption of an amendment to ensure that legislation (HR2281) aimed at updating the nation's copyright laws for the digital age would not prohibit consumers from taking steps to block cookies from being placed on their computers.
But Magaziner and industry leaders say that if the industry guidelines catch on and consumers become accustomed to looking for privacy seals, they will put pressure on the rogues by refusing to visit their sites.
"The power of the marketplace on the Internet is incredible," said Harris N. Miller, president of the Information Technology Association of America, an Arlington, Va.-based computer and communications industry association.
If the marketplace fails, however, many expect Congress will step in.
Rep. W.J. "Billy" Tauzin, R-La., chairman of the House Commerce Committee's telecommunications subcommittee, praised the administration for giving industry a chance to address the issue first.
While he favors enacting legislation only as a last resort, he said, "It might be useful to have some legislation [moving through Congress] to incentivize the industry to do it right."
He has introduced a bill (HR2368) to prohibit commercial marketing of personal health or medical information over the Internet without consent and to ban the display on the Internet of individuals' Social Security numbers.
Magaziner said the administration backs legislation to protect privacy in a few specific areas, such as measures to protect medical records and to prohibit the collection of information from children without parental consent.
In its report, the FTC called for legislation barring Web site operators from collecting personal information from children 12 and under unless their parents know about it.
Sen. Richard H. Bryan, D-Nev., introduced a bill (S2326) on July 17 that would implement the FTC's recommendations to protect children's privacy on the Internet.
Senate Commerce Committee chairman John McCain, R-Ariz., a co-sponsor of S2326, said his panel may act on the bill before the end of the year.
If industry does not move soon to protect the privacy of every user, the FTC has proposed that Congress require Web sites to take several actions. These include notifying consumers about information being collected about them and how it is used.
International Pressure
Overshadowing the debate in the United States is a 1995 European Union directive set to go into effect Oct. 25 that would require companies that process information in 15 European countries to give consumers the right to access and correct data about themselves. It would require the companies to gain consumers' permission to use information for any purposes other than those for which it was collected.
European officials were skeptical about whether U.S. proposals for self- regulation would comply with the directive. Some privacy advocates were hopeful the Europeans would put pressure on the administration to push for comprehensive privacy legislation because privacy protections are important in a global economy.
"Fortunately for us, the Europeans are pushing [the U.S.] government to do something about privacy," said Shari Steele, staff counsel for the Electronic Frontier Foundation, a San Francisco-based think tank specializing in high-technology issues.
Magaziner, who has been negotiating with the Europeans on the issue, said he is confident that if the administration is satisfied that the U.S. Internet industry has come up with effective privacy policies, the Europeans will accept them.
Gerard de Graaf, the first secretary for trade for the European Commission's U.S. delegation, said that in theory, "self-regulation can meet the guidelines."
But he added that "We have some questions about what is appropriate self-regulation. . . . We want to be sure there is substance" to these proposals.
© 1998 Congressional Quarterly Inc. All Rights Reserved.
|
News
Click here