Internet privacy

General
Internet privacy issues encompass several concerns. One is the collection of personally identifiable information (PII) by website operators from visitors to government and commercial websites, or by software that is surreptitiously installed on a user’s computer (“spyware”) and transmits the information to someone else.

Another is the monitoring of electronic mail and Web usage by the government or law enforcement officials, employers, or e-mail service providers. Another issue, identity theft, is not an Internet privacy issue per se, but is often debated in the context of whether the Internet makes identity theft more prevalent. For example, Internet-based practices called “phishing” and “pharming” may contribute to identity theft.

Commercial Website Practices
One aspect of the Internet (“online”) privacy debate focuses on whether industry self-regulation or legislation is the best route to assure consumer privacy protection. In particular, consumers are concerned about the extent to which website operators collect “personally identifiable information” (PII) and share that data with third parties without their knowledge.

FTC Activities and Fair Information Practices
The Federal Trade Commission (FTC) conducted or sponsored several surveys between 1997 and 2000 to determine the extent to which commercial website operators abided by four fair information practices &mdash providing notice to users of their information practices before collecting personal information, allowing users choice as to whether and how personal information is used, allowing users access to data collected and the ability to contest its accuracy, and ensuring security of the information from unauthorized use. Some include enforcement as a fifth fair information practice. Regarding choice, the term “opt-in” refers to a requirement that a consumer give affirmative consent to an information practice, while “opt-out” means that permission is assumed unless the consumer indicates otherwise.

Briefly, the first two FTC surveys (December 1997 and June 1998) created concern about the information practices of websites directed at children and led to the enactment of COPPA. The FTC continued monitoring websites to determine if legislation was needed for those not covered by COPPA. In 1999, the FTC concluded that more legislation was not needed at that time because of indications of progress by industry at self-regulation, including creation of “seal” programs (see below) and by two surveys conducted by Georgetown University.

However, in May 2000, the FTC changed its mind following another survey that found only 20% of randomly visited websites and 42% of the 100 most popular websites had implemented all four fair information practices. The FTC voted to recommend that Congress pass legislation requiring websites to adhere to the four fair information practices, but the 3-2 vote indicated division within the Commission. On October 4, 2001, Timothy Muris, who had recently become FTC Chairman, stated that he did not see a need for additional legislation at that time.

Advocates of Self-regulation
In 1998, members of the online industry formed the Online Privacy Alliance (OPA) to encourage industry self-regulation. OPA developed a set of privacy guidelines, and its members are required to adopt and implement posted privacy policies. The Better Business Bureau (BBB), TRUSTe, and WebTrust established “seals” for websites.

To display a seal from one of those organizations, a website operator must agree to abide by certain privacy principles (some of which are based on the OPA guidelines), a complaint resolution process, and to being monitored for compliance. Advocates of self-regulation argue that these seal programs demonstrate industry’s ability to police itself.

Technological solutions also are being offered. P3P (Platform for Privacy Preferences) is one such technology.. It essentially creates machine-readable privacy policies through which users can match their privacy preferences with the privacy policies of the websites they visit. One concern is that P3P requires companies to produce shortened versions of their privacy policies, which could raise issues of whether the shortened policies are legally binding, since they may omit nuances and “sacrifice accuracy for brevity.”

Advocates of Legislation
Consumer, privacy rights and other interest groups generally believe self-regulation is insufficient. They argue that the seal programs do not carry the weight of law, and that while a site may disclose its privacy policy, that does not necessarily equate to having a policy that protects privacy. The Center for Democracy and Technology (CDT) and the Electronic Privacy Information Center

(EPIC) each released reports on this topic.

EPIC’s report, Privacy Self Regulation: A Decade of Disappointment, argues that the National Do Not Call list, which restricts telemarketing phone calls, demonstrates that government regulation can be more effective than industry self regulation. Calling telemarketing a 20th century problem, the report concludes that the FTC has given self-regulation a decade to work in the Internet privacy arena, and it is time for the agency “to apply the lessons from telemarketing and other efforts to address the 21st century [sic] problem of Internet privacy.”

Some privacy interest groups, such as EPIC, also feel that P3P is insufficient, arguing that it is too complex and confusing and fails to address many privacy issues. An EPIC report from June 2000 further explains its findings.

Privacy advocates have been particularly concerned about online profiling, where companies collect data about what websites are visited by a particular user and develop profiles of that user’s preferences and interests for targeted advertising. Following a one-day workshop on online profiling, the FTC issued a two-part report in the summer of 2000 that also heralded the announcement by a group of companies that collect such data, the Network Advertising Initiative (NAI), of self-regulatory principles. At that time, the FTC nonetheless called on Congress to enact legislation to ensure consumer privacy vis-à-vis online profiling because of concern that “bad actors” and others might not follow the self-regulatory guidelines.