TESTIMONY OF DEIRDRE MULLIGAN
STAFF COUNSEL
OF
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

BEFORE

THE SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
SUBCOMMITTEE ON CONSUMER AFFAIRS, FOREIGN COMMERCE, AND TOURISM

February 8, 2000


I. Overview

The Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about privacy in the online environment and the Federal Trade Commission's role in developing privacy policy. CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies that support civil liberties and a vibrant Internet.

To begin, I would like to offer three points to guide the Committee as it begins to address the protection of individual privacy:

  1. The Internet presents new challenges and opportunities for the protection of privacy. Our policies must be grounded in an understanding of the medium's unique attributes and its unique potential to promote democratic values. As many .coms tout the benefits of customized content and personalized advertising they play down the personalized tracking and profiling that support such applications. The Internet will best serve individuals if we recognize the risks to privacy and develop public policies and technologies that address them. There is little doubt that the Internet holds great promise for maximizing our democratic values and growing our economy, however sound public policies play an integral part in ensuring we achieve these goals.
  2. Increasingly, the rules that govern society are embodied in computer code. This code, and the products built upon it, can enhance or limit the collection of personal information and can either afford or deny individuals control over their information. Technical decisions including whether a product is designed to keep information on an individual's own computer or on a remote server, what data a product collects, and for how long data is retained have important implications for privacy.
  3. Privacy is a complex value. Ensuring that individuals' long-held expectations of autonomy, fairness, and confidentiality are respected as daily activities move online requires a thoughtful, multi-faceted approach combining self-regulatory, technological, and legislative components. These expectations exist vis-à-vis both the public and the private sectors. By autonomy, we mean the individual's ability to browse, seek out information, and engage in a range of activities without being monitored and identified. Fairness requires that individuals maintain control over the information that they provide to the government and the private sector. The concept of fairness is embodied in the Code of Fair Information Practices [ 1 ] -- long-accepted principles specifying that individuals should be able to "determine for themselves when, how, and to what extent information about them is shared." [ 2 ] In terms of confidentiality, we need a strong Fourth Amendment in cyberspace.
I have attached a law review article, authored by myself and CDT's Executive Director Jerry Berman, that elaborates on these three points. I will devote the remainder of my testimony to providing the Committee with an overview of privacy issues facing individuals on the Internet and some thoughts on the Federal Trade Commission's role and Congress's role moving forward.


Privacy policies on the Web: What do we know

Last July, I provided the Subcommittee on Telecommunications with CDT's report, "Behind the Numbers: Privacy Practices on the Web." The report concluded that Fair Information Practices were the exception rather than the rule on the World Wide Web; private sector enforcement programs covered a very small segment of commercial Web sites; and individuals' privacy concerns remained largely unaddressed. A report released last week on the privacy policies and practices of Health Web sites found that while 19 of the 21 Web sites surveyed had privacy policies, they also failed to meet Fair Information Practice Principles. [ 3 ]

Similarly, the Georgetown Internet Privacy Policy Survey released last July found that while more Web sites were mentioning privacy, only 9.5% provided the types of notices required by the Online Privacy Alliance, the Better Business Bureau and TRUSTe.

The Georgetown Survey found that an increased number of Web sites provided consumers with some information about what personal information is collected (44%), and how that information will be used (52%). But, on important issues such as access to personal information and the ability to correct inaccurate information, the survey found that only 22% and 18% respectively of the highly trafficked Web sites surveyed provided consumers with notice of their rights. On the important issue of providing individuals with the capacity to control the use and disclosure of personal information, the survey found that 39.5% of these sites said that consumers could make some decision about whether to be re-contacted for marketing purposes -- most likely an "opt-out" -- and fewer still, 25%, said they provided consumers with some control over the disclosure of data to third parties. [ 4 ]

Overall, the reports and surveys reveal that even the most frequently trafficked consumer Web sites do not adequately inform individuals about how their personal information is handled. At the same time, these same busy consumer-oriented Web sites are collecting increasingly detailed personal information.


Individuals' ability to control personal information

It is difficult for individuals to limit the use and disclosure of their personal information. Where "privacy statements" are posted they are frequently written in complex and confusing language. An expert in communication provided CDT with an analysis of a prominent company's privacy statement. He found the statement to be written at the graduate school reading level with each sentence averaging 24 words.

If a consumer successfully deciphers a privacy statement, she frequently finds that if she fails to "opt-out" (object), her name, address, and other personal information will be shared with undefined "others." Today, to limit the reuse of personal information an individual must search every Web site for an opportunity to "opt-out," and hope that the opt-out features work as promised, which is not always the case.

On November 15, CDT launched a new Web site, "Operation Opt-Out," to give consumers a simple one-stop-shop to "get off the lists" -- the mailing and telephone lists and profiling databases that have proliferated with the digital economy -- and to learn more about privacy in the digital age. During its second week Operation Opt-Out ran a feature on how to "opt-out" of the online profiling or "network advertising" companies' data systems.

In addition to helping thousands of individuals limit the use and sale of their data by companies on and off line, Operation Opt-Out produced useful information about whether companies do what they say. We found several problems with the opt-out features offered by the online profiling companies. 24/7 Media does not offer consumers an option to opt-out of their profiling activities, but they say that they do. Rather, they offer an opt-out for their email solicitation program. Flycast was providing consumers with a link that was broken -- so consumers could not opt-out (once this was pointed out it was quickly corrected). Matchlogic provided consumers with a faulty email address for opting-out (it now has an online opt-out) and was displaying an expired TRUSTe seal.

Online profiling companies, or network advertisers, are further frustrating consumers' ability to control the collection and use of their personal information. With growing frequency, navigational and other data is being captured by third parties -- advertising networks or "profiling companies." With the permission of the Web site, but not the individual, these profiling companies place unique identifiers on individuals' computers. These identifiers are then used to track the individual as he or she surfs the Web. The individual's profile grows with time, because online profiling is a continuing collection of his online behavior that carries over from one session to the next, even though the individual disconnects in between. The navigational data collected may include information such as Web sites and Web pages visited, the time and duration of the visit, search terms typed in search engines' forms and other queries, purchases, "click through" responses to advertisements, and the previous page visited. In addition to long lists of collected information, a profile may contain "inferential" or "psychographic" data -- information that the business infers about the individual based on the behavioral data captured. From this amassed data, elaborate inferences may be drawn, including the individual's interests, habits, associations, and other traits. [ 5 ]

In most cases individuals are unaware of the fact that a third party is reaching through the Web site the individual has visited and collecting information about their activities. At many Web sites individuals are told that "cookies" are harmless bits of data that help customize and personalize their experience. While "cookies" themselves are not per se bad, the use of "cookies" to secretly tag and monitor individuals across multiple Web sites undermines the efforts of consumers to protect their privacy and the efforts of responsible businesses to grow consumer confidence in the Internet by addressing privacy concerns.
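The tracking mechanism described in the two paragraphs above, worked through as a small added model (example code written for this page, not part of the testimony or of any company's software): an advertising network embedded on several Web sites sets one identifier cookie on the visitor's computer through the first site, and then sees that same identifier wherever else it is embedded, so visits to unrelated sites link into a single profile. The hostnames (news.example, shop.example, ads.example), the page paths and the "block third-party cookies" browser policy are constructed assumptions for the example; the policy is the defender's counterpart that the testimony itself does not discuss, shown here to make clear why the identifier is the whole mechanism.

```javascript
// Added model of cross-site tracking via a third-party identifier cookie.
// All hostnames, paths and the cookie policy below are constructed for
// this example; nothing here is real network traffic.

// Minimal cookie jar keyed by the host that set the cookie.
class CookieJar {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty; // assumed browser policy
    this.store = new Map(); // host -> Map(name -> value)
  }
  // Store a Set-Cookie from `host` while the top-level site is `topSite`.
  // Under the blocking policy, a cookie from a host other than the site
  // the user actually chose to visit is refused.
  set(host, topSite, name, value) {
    if (this.blockThirdParty && host !== topSite) return false;
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
    return true;
  }
  // Cookies the browser would send to `host` in the context of `topSite`.
  get(host, topSite) {
    if (this.blockThirdParty && host !== topSite) return {};
    return Object.fromEntries(this.store.get(host) || []);
  }
}

// The advertising network: hands out a unique id on first contact and
// records which page each id was seen on (the "navigational data"
// the testimony describes).
class AdNetwork {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.profiles = new Map(); // id -> list of referring pages
  }
  serve(request) {
    let id = request.cookies.uid;
    const setCookie = [];
    if (!id) {
      id = `u${this.nextId++}`;
      setCookie.push({ name: "uid", value: id });
    }
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(request.referer);
    return { body: "<img ad>", setCookie };
  }
}

// A browser loading pages that each embed the ad network's resource.
// The user chose topSite; the request to the ad network is invisible.
class Browser {
  constructor(jar) { this.jar = jar; }
  visit(topSite, path, adNetwork) {
    const referer = `https://${topSite}${path}`;
    const cookies = this.jar.get(adNetwork.host, topSite);
    const response = adNetwork.serve({ referer, cookies });
    for (const c of response.setCookie) {
      this.jar.set(adNetwork.host, topSite, c.name, c.value);
    }
  }
}

// Run one constructed browsing session under a given cookie policy and
// return the profiles the ad network ends up holding.
function runSession(blockThirdParty) {
  const ads = new AdNetwork("ads.example");
  const browser = new Browser(new CookieJar(blockThirdParty));
  browser.visit("news.example", "/health/diabetes", ads);
  browser.visit("shop.example", "/cart", ads);
  browser.visit("news.example", "/politics", ads);
  return Object.fromEntries(ads.profiles);
}

console.log(JSON.stringify(runSession(false), null, 2)); // one linked profile
console.log(JSON.stringify(runSession(true), null, 2));  // three unlinked ids
```

Run with node. With third-party cookies accepted, runSession(false) returns a single profile, u1, holding all three page visits across two unrelated sites, which is exactly the cross-site record the testimony objects to. With the blocking policy, runSession(true) returns three separate one-visit identifiers that the network cannot join, because the cookie set by ads.example is never stored or sent back when the site the user chose is a different host.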

The surreptitious monitoring and collection of detailed navigational data on Internet users' activities undermines individuals' ability to determine to whom and under what circumstances to disclose information about themselves.

The profiling techniques employed by online advertising networks raise troubling privacy concerns. Advertising networks are using unique identifiers to track and monitor individuals' online activities across multiple Web sites without their knowledge and consent. This practice undermines individuals' expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded.

The profiling activities of advertising networks, such as DoubleClick which currently commands approximately 60% of market share, are the leading edge of a growing industry built upon the widespread tracking and monitoring of individuals' online behavior. The increasingly pervasive use of surreptitious monitoring systems breeds consumer distrust and undermines consumers' efforts to protect their privacy by depriving them of control over their personal information.

The practices of advertising networks have far-reaching impacts on consumers' online privacy. The advertising networks that engage in profiling are hidden from the individual. They reach through the Web site with which the individual has chosen to interact and, unbeknownst to the individual, extract information about the individual's activities. In the rare instances where individuals are aware of the fact that a third party is collecting information about them, they are unlikely to be aware that this information is being fed into a growing personal profile maintained at a data warehouse [ 6 ], on which data mining [ 7 ] can be exercised.

While several of the companies engaged in profiling state that they do not correlate information with identifying information such as name, e-mail, address, this does not on its own address the privacy concerns at issue. The highly detailed nature of the profiles and the capture of information that can be reasonably easily associated with a specific individual raise questions about the claims of anonymity and promises of non-identifiability. While the companies, in some instances, may not be using the information in identifiable form, the information may be quite capable of revealing the individual's identity, through the use of various computer tools and software.

Recently it has become clear that DoubleClick intends to attach identities to the extensive profiles they collect about individuals' online activities. DoubleClick's privacy statement had stated that its cookies identified computers, not people -- that it couldn't link its "cookies" to names and home addresses or other elements of personal identity and didn't want to do so. After its purchase of the consumer transaction database Abacus, DoubleClick acknowledged that it intended to tie surfing habits and online searches to personal identity. DoubleClick's new Abacus Alliance has arranged to collect names, addresses, and other personal information from Web sites where Internet users knowingly register. So far, at least ten Web sites (the Company hasn't said who they are) are participating by providing DoubleClick the identity of their subscribers. Thus, DoubleClick, to whom an individual has never revealed her identity, may have access to an individual's name, credit card number, and home address.

As these companies merge with each other and with companies such as Abacus that maintain detailed personally identifiable profiles about individuals' offline activities, the consolidation of offline and online profiles will erode the distinction between online and offline identity. Online companies are aware of the sensitivity this raises. Consumers have shown an aversion to having their online activities tied to their identity. Finally, recent revelations about government demands for access to individual profiles created in the consumer marketplace warn us that even the most benign information, such as grocery purchases, that provides insights into individuals' behavior is sought out by the government.

Perhaps most importantly, the profiles created by the advertising networks are being used to make decisions about specific individuals. While the name and e-mail address of the individual may remain obscure, the information the individual is able to access and the offers made to the individual are being determined by the business based on specific information collected about the individual. While the concern raised by the use of information about the individual to alter what information they see in the context of advertising may appear relatively trivial, this same practice, and perhaps the same data, can be used to make other decisions about the individual that even a privacy skeptic may find objectionable. The information collected about the individual could be used to alter the prices at which goods or services, including important services such as life and health insurance, are offered, could be employed by a government, and could be used to alter the information viewed by individuals. While the impact of altered advertisements on the individual -- harm? benefit? -- can be disputed, these other examples indicate that there is a privacy interest in information about individuals' actions and interactions when it is collected and used to make decisions about them.


Consumer Reaction to Profiling

On February 1, 2000, CDT launched a consumer campaign to alert consumers to the threat that online profiling poses to privacy and to encourage consumers to say no to DoubleClick's plans to create a data system to track individuals' online and offline activities and their identities. At CDT's Web site consumers are able to "opt-out" of DoubleClick's tracking activities, send a letter to DoubleClick's CEO and send a letter to several prominent companies that use DoubleClick's services. In less than three days 13,000 people used our Web site to opt-out of DoubleClick's tracking; over 6,000 individuals sent messages to DoubleClick's CEO; and, in the first 36 hours, over 4,400 email messages were sent to prominent DoubleClick affiliates.

We believe that the public's voice is important when evaluating whether a business' practices comport with individuals' expectations of privacy. The personal email we received from individual citizens and the quick response of thousands of individuals to our message indicate that many individuals object to DoubleClick's practices.


The Federal Trade Commission's role in protecting individual privacy

Over the past five years the Federal Trade Commission's activities in the area of information privacy have expanded. The Commission has convened seven workshops to explore privacy on the Internet, issued several reports, conducted surveys, and brought several important enforcement actions in the area of privacy. Finally, the Commission played a pivotal role in shaping the Children's Online Privacy Protection Act and crafting implementation rules that map onto the Internet. The Commission's work has played an important role in bringing greater attention to privacy issues and pushing for the adoption of better practices in the marketplace.

While the Commission's contributions to the protection of individual privacy have been and will continue to be important, its mission and jurisdiction place limits on its involvement in many important privacy issues such as government collection and use of personal information. It is not able to provide the forum for all privacy discussions -- and there are many important privacy discussions waiting to occur.

However, in keeping with its mission, the FTC must have the resources and staff to continue its privacy agenda. The upcoming Web survey, the Advisory Committee on Online Access and Security, and the ongoing exploration of online profiling are important. The detailed and thorough work of the Commission enables advocates, businesses, and policy makers to better understand the privacy issues and to choose the appropriate tools to address them. Over the next few months the Commission's work will produce reports and surveys that will aid this Committee as it evaluates the growing number of legislative proposals to protect privacy. It is important that the FTC be provided with funding to hold workshops, issue reports, enforce the Children's Online Privacy Protection Act, and take action against abuses of privacy in the marketplace.


Endnotes.

1. The Code of Fair Information Practices as stated in the Secretary's Advisory Comm. on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, U.S. Dept. of Health, Education and Welfare, July 1973:

The Code of Fair Information Practices as stated in the OECD guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  3. Purpose specification: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the "purpose specification" except: (a) with the consent of the data subject; or (b) by the authority of law.
  5. Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
  6. Openness: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  7. Individual participation: An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and, (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
  8. Accountability: A data controller should be accountable for complying with measures which give effect to the principles stated above.

2. Alan Westin. Privacy and Freedom (New York: Atheneum, 1967), 7.

3. Report on the Privacy Policies and Practices of Health Web Sites, Janlori Goldman and Zoe Hudson, Health Privacy Project, Georgetown University, and Richard M. Smith. http://ehealth.chcf.org/priv_pol3/index_show.cfm?doc_id=33

4. This number is generated using the data from Q32 (number of sites that say they give consumers choice about having collected information disclosed to outside third parties) -- 64 -- and dividing it by 256 (the total survey sample (364) minus the number of sites that affirmatively state they do not disclose data to third parties (Q29A) (69) and the number of sites that affirmatively state that data is only disclosed in the aggregate (Q30) (39)).

5. A psychographic study "joins consumers' measurable demographic characteristics with the more abstract aspects of attitudes, opinions and interests." Data mining specialists code demographic, media, purchasing and psychographic data from surveys, throw them together and analyze them until some groups with shared characteristics can be distinguished from all other groups. They can identify those groups most likely to buy specific products and services by including questions relating to a product about past buying habits or future intentions to purchase. Every kind of psychographic study adds the dimension of psychology and/or lifestyles to a demographic inquiry and uses quantitative survey techniques. Cf. Rebecca Piirto Heath, Psychographics: Qu'est-ce que c'est?, Marketing Tools, Nov.-Dec. 1995; http://www.demographics.com/publications/mt/95_mt/9511_mt/MT388.htm (last viewed on Nov. 12, 1999).

6. A "data warehouse" is a system used for storing and delivering huge quantities of data, while data warehousing refers to the process used to extract and transform operational data into informational data and loading it into a central data store or "warehouse". Data warehousing allows data from disparate databases to be consolidated and managed from a single database, which in turn allows for the development of longer and more "accurate" profiles more efficiently and less expensively.

7. Data mining is "a set of automated techniques used to extract buried or previously unknown bits of information from large databases." (Ann Cavoukian, Data Mining: Staking a Claim on your Privacy (Information and Privacy Commissioner of Ontario, Canada), Jan. 1998, http://www.ipc.on.ca/web_site.eng/matters/sum_pap/PAPERS/datamine.htm (last viewed on Oct. 6, 1999).) A successful data mining operation will make it possible to unearth patterns and relationships, and afterwards, use the new information to make proactive knowledge-driven business decisions. Data mining focuses on the automated discovery of new facts and relationships in data. For more information, cf. Kurt Thearling, From Data Mining to Database Marketing, Oct. 1995, http://www3.shore.net/~kht/text/wp9502/wp9502.htm (last viewed on Oct. 17, 1999).