ARTS & FARCES internet

“You have zero privacy anyway. Get over it.”

Most of us would be uncomfortable with those words coming from a person in a position of authority. But all of us should be angry over such words coming from someone trying to sell us something. Especially when such words come from someone who surely should know better.

Scott McNealy, chairman and chief executive of Sun Microsystems uttered those words during the launch of Sun’s new Jini technology, in response to a question about privacy safeguards that may be implemented in the new technology. Jini is designed to enable consumer devices to pass information between each other.

The timing of McNealy’s comments was especially ironic: only hours after Intel reversed its decision about using chip identification technology in its Pentium III chip.

Even more ironic, Sun is a member of the Online Privacy Alliance, an industry association formed to encourage industry self-regulation with regard to online privacy and derail government regulation. Meanwhile, the U.S. undersecretary of commerce, David Aaron, was in Europe assuring member countries of the European Union that American companies are committed to protecting consumer privacy.

Privacy, McNealy’s comments not withstanding, is obviously an important issue. In October 1998, the European Union’s privacy directive, guaranteeing the confidentiality of personal information as a fundamental right, went into effect. In America, more than 100 privacy-related bills were introduced in Congress in 1998. Many of these bills were designed to keep businesses like Sun out of our private affairs and personal information.

Somewhere along the line, businesses just decided that they were entitled to our personal information and simply took it, justifying the taking by possession.

Ask any businessperson about ownership rights of consumer information. They’ll assert that ownership rests with them because the information resides in their databases. When pressed for a citation covering the grant of that ownership right, they stare at their wingtips and don’t have a whole lot else to say.

We collectively continue the struggle to wrest control of our personal information back. Information about you—who you are, how much money you make, what you buy, where you live, and all the rest—should inherently be your property. Maybe American law will catch up with that fundamental right this year.

In late January 1999, Senators Paul Sarbanes (D-Maryland) and Christopher Dodd (D-Connecticut) introduced the first major privacy legislation of the new year. The Financial Information Privacy Act of 1999 would require an individual’s informed consent before businesses or other institutions could disclose financial information related to that individual.

Experts estimate the direct-marketing industry—the selling of our personal information—at US$1.5 billion annually.

The Financial Information Privacy Act is a good first step, but it’s got one serious flaw: it uses an “opt-out” system. Consumers have to specifically say “no” in order to prevent disclosure of their personal information. This is exactly backwards. We shouldn’t have to tell someone to keep her nose out of our personal business. Instead, the burden should be on those that want to disclose our information to seek our permission. The law should be written in such a way that the default condition is that information disclosure is forbidden without informed consent.

Businesses argue that such an “opt-in” system would be prohibitively expensive and that few individuals would take the time to send in the “opt-in” forms. That argument holds little water, or rather, that tide runs both ways. Businesses have no problem putting the costs of an “opt-out” system on individual consumers and bank on a low response rate.

In early June 1998, the Federal Trade Commission (FTC) issued a report calling for Web sites to be required to obtain parental consent before collecting personal information from children. Drawing on comparisons to children being taught not to talk to strangers, children “are given a contrary message by Web sites that encourage them to interact with strangers in their homes via the Web,” according to the report.

The FTC studied 1,400 Web sites in March 1998 and found that 92 percent collect personal information. Of the Web sites studied, only 14 percent notify users about what is done with the information they collect. Only 2 percent of the Web sites offered a comprehensive privacy policy. The numbers for Web sites targeted at children were even more disturbing: 89 percent of sites targeted at children collect personal information and only 23 percent of those tell children to ask parental permission before disclosing information.

Most Web sites that collect personal information insist that they do so in order to provide better service or a more appealing user experience. The same week that the FTC released its report, Advertising Age registered all 35,000 of its Web users at theglobe.com, resulting in a massive spam attack where each user received an email message from theglobe.com containing their Advertising Age password. Advertising Age maintained that it merely gave theglobe.com its user database in order to provide a new service for its users.

According to the FTC report, one Web site asked children to give their name, address, email address, age, and whether they received gifts of cash, stocks, or savings bonds.

In each of these example cases, users were given no choice about whether or not to disclose personal information and no information was provided about how the collected information would be used.

The FTC report advocates four principles of online privacy:

• notice
• choice
• access
• security

A week after the FTC released its report, the Commerce Department and the Office of Management and Budget closed ranks by supporting the FTC position advocating industry self-regulation. The Commerce Department released a set of guidelines for protecting online privacy:

• Privacy policies. Web sites must disclose their policies with regard to data collection, use, and protection.
• Notification. Users should be notified of a Web site’s privacy policies before being asked to provide personal information.
• Consumer education. Marketers should educate users about how collected information will be used and protected.
• Choice and access. Users should be given choices about how their personal information will be used by third-parties. Specific consent must be obtained from users before medical information can be disclosed to third-parties, and information cannot be collected from children without parental approval.
• Data integrity. Information should be stored only for the purpose for which it was collected and it should be accurate, complete, and current. Users should be allowed to correct or amend information.
• Accountability. Marketers should be held accountable for violations of privacy policy.

Opposition to any sort of Internet regulation has been exceptionally strong, especially among trade associations such as the Direct Marketing Association. Supporting industry self-regulation, the Direct Marketing Association announced that it would adopt a new policy requesting parental consent for online marketing efforts targeted for children younger than thirteen. America Online announced that it would not use the information it collects on its users for marketing purposes.

The harvesting of information from children on the Internet is especially pernicious because many Web sites make disclosing personal information seem like a game. Unilever’s Popsicle Web site, for instance, offers children a chance to win free popsicles if they disclose their personal information.

Privacy advocates, for the most part, criticized the FTC report as being too little and too late. Industry self-regulation, according to the privacy advocates, has clearly not worked and government privacy regulation is necessary.

FTC chairman Robert Pitofsky called the report’s conclusions “disappointing,” but refused to call industry self-regulation a failure, and was quoted in the New York Times as saying that he still believed “the best way to deal with this is self-regulation rather than heavy-handed government.”

Consumer advocates and privacy experts continue to call for “opt-in” systems that require a user to specifically request to receive marketing information or before personal information can be disclosed to third-parties. Marketers continue to advocate the “opt-out” approach where any personal information is considered fair game until a user specifically requests not to receive marketing information or disclosure of personal information.

By late July 1998, FTC chair Robert Pitofsky had modified the FTC’s position, testifying before Congress that marketers should be given one last chance at self-regulation. “Unless industry can demonstrate that it has developed and implemented broad-base and effective self-regulatory programs by the end of the year, additional governmental authority would be appropriate and necessary,” Pitofsky testified before the House subcommittee on Telecommunications, Trade, and Consumer Protection.

The revised FTC position includes four elements for model online privacy legislation:

1. Notice and awareness. Internet sites would be required to notify users of their information collection and use practices.
2. Choice and consent. Internet sites would be required to obtain user consent before collecting personal information.
3. Access and participation. Internet sites would be required to allow users “reasonable” access to their personal information and users would be allowed to correct inaccuracies.
4. Security and integrity. Internet sites would be required to take “reasonable” steps to ensure the security and integrity of the user information they collect.

President Clinton’s Internet advisor, Ira Magaziner, responded to the FTC’s revised position by saying that privacy legislation was Orwellian and unnecessary. In an interview with Wired News, Magaziner said that legislative action “is a knee-jerk reaction of the industrial age when government was expected to protect you. In the digital age, there are new paradigms; one of them is to empower people by giving them the tools to protect themselves.”

In early October 1998, the Senate Commerce Committee endorsed a bill proposed by Senator Richard Bryan (D-Nevada) that would require commercial Web sites to get parental permission before collecting personal information from children under thirteen years old.

Shortly thereafter eight of the largest commercial Web concerns announced the Privacy Partnership, a multimillion dollar privacy initiative intended to derail any privacy legislation. America Online, Excite, Infoseek, Lycos, Microsoft, Netscape, Snap, and Yahoo! made the joint announcement at the Internet World trade show in New York. Privacy Partnership activities will focus on a consumer education advertising campaign and industry self-regulation.

In late August 1998, Trans Union Corporation, one of the three largest credit bureaus in the United States, was ordered to stop invading consumer privacy by selling consumers’ personal information. A Federal Trade Commission (FTC) administrative law judge, James Timony, ruled the company “invades consumers’ privacy when it sells consumers’ credit histories to third-party marketers without consumers’ knowledge or consent.”

The FTC charged, and Judge Timony ruled, that Trans Union, which maintains extensive financial records on 200 million Americans, violated the Fair Credit Reporting Act by selling detailed consumer information including estimated income, mortgage information, student loans, automobile loans, and lists of credit card holders. The Fair Credit Reporting Act prohibits most releases of credit information without written authorization from the subject of the information. The Act’s preamble defines its purpose “to ensure that consumer reporting agencies exercise their grave responsibility with fairness, impartiality, and respect for the consumers’ right to privacy.”

Trans Union’s two major competitors—Equifax Credit Information Services and Experian, a business unit of Great Universal Stores PLC—stopped selling consumer information several years ago, under pressure from the FTC and consumer advocacy groups.

Although Trans Union offers consumers a method to request that their personal information not be sold—a traditional “opt-out” system—Judge Timony found that it doesn’t always work. “While the right to opt out theoretically allows consumers to request their names to be removed from target mailing lists, most consumers are unaware of the procedure,” Judge Timony wrote in his order. “There is no credible, direct evidence of the success rate of opt-out actually stopping direct mail or telemarketing calls,” Timony concluded.

Trans Union announced that it would continue its practice of selling consumer information pending appeal of Judge Timony’s order to the U.S. Court of Appeals. The case dates to 1992 when the FTC first brought action against Trans Union. At that time, a different administrative law judge, Lewis Parker, issued a summary judgment against Trans Union. Trans Union appealed to the full FTC, which upheld the ruling. Trans Union subsequently appealed to the Federal Appeals Court, which overturned the FTC summary judgment and required the trial presided over by Judge Timony.

These skirmishes will continue until such time as personal information is recognized as a basic property right under capitalist systems and that personal privacy is recognized as a fundamental human right.