The following are the comments of the Privacy Rights Clearinghouse for the May 1999 "Georgetown Internet Privacy Policy Survey." A similar survey was conducted in 1998 by the Federal Trade Commission. Survey results can be found at the web site of the study's director, Prof. Mary Culnan, of the School of Business at Georgetown University.
http://www.msb.edu/faculty/culnanm/gippshome.html
The most irrefutable finding of the May 1999 Internet Privacy Policy Survey (hereinafter called the Survey) is that collection of personally identifiable information is the norm on commercial web sites. The Survey found that 93% of the sites in the sample (n=364) collect at least one type of personal information (such as name, email address, postal address). Only 7% of the sites collect no information.(2)
Imagine if nine out of ten of the commercial establishments you visited in the physical world were to collect and store information pertaining to your identity(3) - whether you actually purchased something or just browsed, whether you paid by cash or by credit card or check. Imagine if a record were created of the stores you visited, the merchandise you viewed, the books and magazines you perused, as well as the times, dates and duration of your commerce-related activities. You would no doubt have the feeling that your every move was being tracked as you traveled about the commercial landscape. You would also no doubt feel that you have virtually no privacy. Yet, the collection of personally identifiable information has become standard practice on a vast majority of commercial web sites.
The definition of privacy used in these Comments pertains to control -- the ability "of individuals . to determine for themselves when, how, and to what extent information about them is communicated to others."(4)
The policy tool that has been created to provide individuals a measure of control over their personal information is the Fair Information Principles (FIP). The principles were first developed a quarter century ago when the U.S. Department of Health, Education and Welfare (HEW) studied the best way to take advantage of the growing power of computers without trampling on personal privacy. A task force of the HEW developed a set of five principles that have since formed the basis of privacy-related laws in the U.S. The FIP have also been codified into the national data protection laws of many industrialized countries (the U.S. is the exception, having pursued a sectoral approach to privacy protection rather than adopting an omnibus privacy protection law).
The shortened version of the HEW's Fair Information Practices is: openness (no secret data collection), notice, limitations on secondary use, correction, and security(5). In 1980 the Organization of Economic Cooperation and Development (OECD) expanded on these principles by adopting a set of eight Fair Information Principles. The principles of purpose specification, use limitation, and individual participation were added to HEW's list of five. The OECD principles were adopted by 24 countries including the U.S.
The Survey used a variation of these principles to evaluate the adequacy of personal privacy protection for individuals who visit commercial web sites. The four principles are notice, choice, access and security - deemed by the Federal Trade Commission in 1998 as de facto standards for privacy protection on the Internet. A fifth factor, contact, was also considered in the Survey's evaluation scheme, whether or not a web site visitor could "ask a question about the site's information practices or . complain to the company or another organization about privacy."(6)
Survey findings are dismal indeed when placed against the backdrop of near universal data collection by commercial web sites.
- Less than 10% of the sites post privacy policies that comprise all five elements of notice, choice, access, security, and contact.
- One third of sites post no privacy policies at all.
- Survey findings regarding data security should be particularly alarming to consumers who wonder about the safety of their personal information collected by commercial web sites (such as credit card numbers). Only 19% of sites disclose the steps they take to safeguard the data they collect and store about their web site visitors.
On a more positive note, nearly two-thirds of sites posted some form of a privacy statement, up from 14% in a similar 1998 Federal Trade Commission study. However, given the fact that over 90% of commercial web sites collect data from their visitors, this finding should provide little comfort to consumers who are avoiding the Internet because of fear that their privacy will be invaded.
Industry representatives have proclaimed this single finding - the increase in sites that post privacy statements - as proof that, indeed, self-regulation can be counted on to protect consumers' privacy on the Internet. This brings to mind the fairy tale "The Emperor's New Clothes." The citizens of a mythical kingdom were duped into believing that the emperor was adorned in the most splendid of garb, when in fact he wore nothing at all.
Unlike the Emperor's loyal subjects, we must not be lulled into believing that the increase in sites that post privacy statements is evidence that consumer privacy protection is assured on the Net. Robust privacy policies are not the norm on commercial web sites.
We only need to look at several privacy fiascos of late to realize that the presence of privacy policy statements does little to safeguard Internet users' privacy.
- Some "shopping cart" software, for example, has been found to enable other web users to view shoppers' order information.
- GeoCities, a provider of free web pages, was found to have disclosed information about its members, many of whom who were children, to third parties, even though it is a member of the privacy seal program Truste.
- AOL disclosed information about one of its subscribers to the Navy without a proper warrant, in violation of the Electronic Communications Privacy Act and in violation of its own member services agreement.
- Microsoft's Internet Explorer 5.0 was found to inform web sites when users bookmark their pages without obtaining the consent of those users. Microsoft is a member of Truste.
- The chip manufacturer Intel has released the Pentium III chip containing unique serial numbers that enable individual users' transactions to be tracked in cyberspace.
What have we learned from the Survey, in addition to the fact that commercial web sites have a long way to go before consumers can feel confident that their privacy is protected?
- We must view privacy policy statements in a much broader context. They are but one part of a more complex Internet privacy environment and cannot be deemed as the sole evidence that self-regulation works and that Internet users' privacy is protected.
- We must recognize that the Survey used "easy grading" methodology to evaluate the web sites it studied, something the Survey director explained in the report. Not only were sites given a high grade for simply having a single "information practices statement," but the FIP standards selected to evaluate the content of privacy policies were significantly weaker than the OECD principles that have become the de facto standard to evaluate privacy protection practices.
- If more such Surveys are to be conducted in the coming years, they must move beyond the simply tallying of whether or not a web site has a policy. They must even move beyond counting how many elements of the Fair Information Principles are embodied in individual privacy policies. Consumers' actual experiences in the electronic marketplace must be tracked.
- The Federal Trade Commission, or another appropriate federal government entity, must exert a stronger leadership role in evaluating the adequacy of privacy protection policies and practices in e-commerce.
- If similar surveys are to be conducted in the coming years for the purpose of evaluating whether or not self-regulation is effective, the FTC or another appropriate federal government entity must sponsor and fund such surveys. Industry-funded surveys cannot be counted upon to present a balanced look at the adequacy of privacy policy statements on commercial web sites. The amount this Survey cost, approximately $60,000, is a small amount to factor into an agency's budget.
- The purpose of such surveys should be shifted from evaluating the efficacy of self-regulation to assessing whether or not Internet users' privacy is being protected.
- The FTC or another appropriate agency must look beyond a simple tallying of web site policy statements, as indicated above. It should employ more qualitative study methods in the future in order to assess whether or not consumers' privacy is being adequately protected on the Internet. And its standards for determining the adequacy of online privacy policies must include enforcement mechanisms and whether or not they provide meaningful redress for consumers' grievances.
1 Givens was a member of the Survey's Advisory Committee. The Committee was comprised of 14 individuals from industry, six from consumer and privacy groups, and one from academia. The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy program based in San Diego, California. http://www.privacyrights.org.
2 Survey results can be found at the web site of study director, Prof. Mary Culnan of the School of Business at Georgetown University. http://www.msb.edu/faculty/culnanm/gippshome.html.
3 Granted, a growing number of commercial establishments use video surveillance cameras to make a record of shoppers and employees. But the video systems do not [yet] have the ability to identify those individuals captured on tape. And they are usually destroyed after a short period of time.
4 Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.
5 See Robert Ellis Smith. The Law of Privacy Explained. (Providence: Privacy Journal, 1993), 50-51.
6 Mary J. Culnan, Ph.D. "Draft. Georgetown Internet Privacy Policy Survey: Privacy Online in 1999: A Report to the Federal Trade Commission." (Washington, D.C.: Georgetown University, May 13, 1999), 8.