|
 |
|
|||||
 |
Testimony Of
Ari Schwartz
Associate Director
Center for Democracy and Technology
before the
Senate Committee on Commerce, Science, and Transportation
Subcommittee on Competition, Foreign Commerce, and Infrastructure
June 11, 2003
Chairman Smith and Members of the Subcommittee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about the Federal Trade Commission (FTC) and its role in consumer and privacy protection. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies supporting civil liberties and a vibrant communications infrastructure.
Over the past eight years the FTC's activities in the area of information privacy have expanded. The Commission has convened multiple workshops to explore privacy, issued several reports, conducted surveys, and brought several important enforcement actions in the area of privacy. The Commission's work has played an important role in bringing greater attention to privacy issues and pushing for the adoption of better practices in the market place.
Three years ago, CDT testified that (t)he work of the Federal Trade Commission -- through its public workshops, hearingsÉ provides a model of how to vet issues and move toward consensus.
Chairman Muris has successfully continued the consultation and education process, working with public interest groups and industry on key issues and taking enforcement actions or instituting rulemakings on several important new fronts.
CDT and other public interest and consumer groups have been pleased with the Commission's thoughtful approach to creating a National Do Not Call Registry.
The registry will provide consumers with an easy way to cut down on unwanted telephone calls and will offer industry a streamlined means of complying with the growing number of state and self-regulatory Do Not Call
lists.
CDT has also been pleased with the Commission's extensive educational efforts with the public and industry on spam, privacy technologies, privacy notices, ID theft, wireless privacy, and other issues. It should be noted that each of these areas is clearly within the FTC's jurisdiction to prevent deceptive trade practices.
However, CDT would like to see the Commission use its resources to address unfair information practices as well as deceptive ones. These unfair practices include: lack of meaningful notice and choice; the ability to correct and amend personal information; and inadequate security safeguards.
It has long been CDT's belief that unfair information practices are already covered by the Commission's current authority. Yet, the long-standing hesitancy of the Commission to proceed has made it necessary for Congress to confirm this authority in law. Although Chairman Muris has suggested that general federal privacy legislation is unnecessary, CDT sees an urgent need for legislation similar to the Online Privacy Protection Act that was passed by the full Senate Commerce Committee last year. Privacy protections in law -- enforced by the FTC -- are an essential ingredient of building and maintaining consumer confidence in the networked economy. We thank you, Chairman Smith, as well as Senator Hollings and the other Senators who worked so hard to move the issue forward in the Committee last year. CDT looks forward to continuing to work with you to see such a measure passed again this Congress and signed into law.
CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies.
The FTC has used its current jurisdiction to take basic steps to protect the privacy of Americans in several innovative and balanced ways. The Commission is the government's leader in consumer privacy policy and should be commended for its current work in the area given its limited view of its own jurisdiction.
In October 2001, Chairman Muris said that the Commission would increase privacy enforcement by 50%. According to internal figures, the Commission says it is on track to reach this goal. This dramatic increase was on top of the new attention given to privacy issues.
In particular, over the past two years, the Commission has worked in ten areas of interest to CDT:
This year, the Commission held a three day-long workshop on spam that addressed many of the key issues and focused attention on possible solutions to a problem that has become a plague on Internet communications. The Commission taken several useful steps:
unsubscribeor
remove merequests were being honored. The study reported that the majority of consumer requests were not getting through. The Commission thereupon sent out warning letters to spammers. These studies also helped to inspire a wider range of research on this understudied issue, including CDT's well-received report
Why am I Getting All of this Spam?[1]
While the Commission, given its limited view of its jurisdiction, has taken these exemplary first steps in research, education and enforcement regarding unsolicited commercial email, CDT would like to see it given more power to tackle fraudulent spam Further appropriate steps could be taken under some of the provisions in the CAN SPAM Act (S. 877),sponsored by Senators Burns and Wyden. CDT is hopeful that we can begin to turn the tide on spam while still protecting the First Amendment right of anonymous non-commercial/political speech online.[2]
Do Not CallRegistry
Under the 1994 Telemarketing and Consumer Fraud and Abuse Prevention Act,[3] the Commission was given the authority to regulate telemarketing sales. The Commission's regulations, named the Telecommunications Sales Rules (TSR), were put into effect in 1995.[4] The TSR placed some basic time, place and manner restrictions on calls and left the door open to revisiting the rule if it was not adequately protecting consumers.
Some have said that telemarketing is merely an annoyance and not a privacy concern and therefore stronger rules are not necessary. CDT disagrees. We define privacy as individual control over one's personal information. Control over one's telephone number and other personal information is central to privacy in the modern world.
The American public seems to agree with us. An AARP study of New Jersey residents showed that 77% viewed telemarketing first and foremost as an invasion of privacy; 10% a consumer rip-off, and only 2% a consumer opportunity.[5]
The Commission responded to the public concern about telemarketing with the creation of a do not call
registry, similar to those already in existence in 15 states. On this proposal, by the way over 50,000 public comments were submitted to the Commission.[6] Over 90% of them support the registry.
CDT believes the do not call
list offers the best, balanced solution for unwanted telemarketing. Telemarketing in banned, but consumers can decide what kind of marketing calls they want and when they want to receive them.
In our comments supporting the FTC's Do-Not-Call
initiative we stressed that the list should not dilute or undercut the protections afforded consumers by the states against invasive telemarketing. Further, as we pointed out, it is critical that consumers are not charged a fee to be placed on the Do-Not-Call
list -- consumers' ability to protect the privacy of their personal information should not be contingent upon their ability to pay a fee.
CDT has been pleased with how the public process on this important issue has progressed. It has been a model example of how a complex but important issue can be addressed through an open, public process.
The fact that the Do-Not Call
list will open in two weeks is a testament to the Commission's commitment to this issue. We hope that the committee will continue to help monitor the roll out of the list in its oversight role.
The FTC has generally played a valuable role working with and educating the business community about privacy best practices and implementation of fair information practices.
This year the Commission has held two workshops on privacy technologies -- one aimed at consumer technologies and one at businesses. CDT participated in both and used the first as a forum to introduce a set of Authentication Privacy Principles developed in cooperation with a large working group of companies and consumer groups.[7]
FTC Forums such as these are important tool in highlighting specific privacy issues and encouraging efforts to address them. CDT is encouraged by discussions with the Commission, which indicate that these workshops will continue to tackle issues arising in the marketplace, including the difficult issue of the future of identity management in the networked economy.
The FTC has been a leading agency in the prevention and prosecution of identity theft through. The Commission's identity theft program contains three key elements: the Identity Theft Data Clearinghouse;[8] consumer education and assistance resources; and collaborative enforcement efforts involving criminal law officers and private industry.
The most recent reports indicate that the Identity Theft Clearinghouse holds more than 170,000 victim complaints and serves as an important tool for 46 federal and 306 state and local law enforcement agencies, including the US Secret Service, the Department of Justice, the US Postal Inspection Service, and the International Association of Chiefs of Police. The FTC has also been increasing outreach programs to educate law enforcement officials on how the Clearinghouse database can be used to enhance investigations and prosecutions.
In regards to consumer education and assistance resources, the FTC has held training seminars for law enforcement officials at all levels in an attempt to give law enforcement the necessary tools they will need to combat identity theft. The FTC has also implemented a nationwide, toll-free hotline that consumers can call if they have become a victim and a Web site that consumers can access to file a complaint and gain helpful prevention tips.
The Commission's efforts in this area show that it can be a leader with other law enforcement agencies, serving as the main contact to the public. We hope that the Commission's work can help to cut down on what many believe to be the fastest growing crime in the country.
In 1998, Congress passed the Children's Online Privacy Protection Act (COPPA)[9] in order to protect children's personal information in interactions with commercial sites. The FTC was required to enact a rule to implement COPPA and in doing so it clarified issues concerning coverage and liability, modified several definitions that would have interfered with children's ability to participate, speak and request information online, and made every effort to create a predictable and understandable environment for the protection of children's privacy online.
Since issuing its final Rule implementing COPPA, the FTC has taken several effective and necessary steps to enforce and enhance compliance with COPPA. In February 2003, the FTC took its most aggressive action yet to ensure children's privacy online by filing separate settlements with Mrs. Field's Cookies and Hershey Food Corporation for violating the law.
While there is still work to be done, we believe that COPPA has been successful in improving protection of children's privacy online. This experience demonstrates that the FTC can develop workable privacy rules in complex and sensitive areas that go well beyond its traditional arenas.
It is generally recognized that, across the financial service industry, the privacy provisions of GLB have proven unsatisfactory in scope and implementation -- specifically on the issue of notice. A range of institutions have provided consumer notice that is so detailed and legalistic as to be largely worthless. If nothing else, the experience offers a lesson to policymakers seeking to impose and enforce privacy notice requirements.
Under GLB, the Commission has jurisdiction over important financial institutions such as insurance and mortgage companies. In an August 2001 survey, CDT found that these companies were among the worst in posting privacy notices on Web sites. That month, we filed a complaint with the FTC about several mortgage companies that were not posting notices as required by the FTC's GLB regulations. While the Commission has not officially closed the case, the five remaining Web sites have now posted privacy policies.
CDT believes that there is more basic, but important enforcement work that the Commission could to do in the area of privacy notices for insurance and mortgage companies. Especially, the Commission could play a leadership role in moving the companies under its GLB jurisdiction toward simple clear and more meaningful notices.
The FTC has taken several steps to educate consumers on computer security. In addition to holding workshops, the FTC has created a helpful guide for consumers on how to stay safe online using a high-speed Internet connection. The guide details how users can protect their computers from viruses and hackers by explaining security features such as firewalls and updating virus protection software. The FTC has worked diligently to make the report both understandable and appealing to the average consumer through careful analysis and easy to read text. Led by Commissioner Orson Swindle, the Commission has continued to work with consumer groups to ensure that the guide is easy to use and contains the necessary information.
Last year, the Commission continued its ongoing assessment of the state of Internet privacy which began five years ago and has been repeated twice since. The Commission embraced a report[10] organized by the Progress and Freedom Foundation and conducted by the Ernst and Young accounting firm. The results show significant improvement in the number of privacy policies posted and the growth of the new privacy protocol, the Platform for Privacy Preferences (P3P).[11] This positive growth is due, in part, to the educational work of the Commission.
On the other hand, the study found that self-regulatory seal programs have actually been shrinking. This is mainly due to the bankruptcy of many dot com players, but it also indicates that we are entering a time of a major privacy gap. Some companies are actively involved in the privacy issue and are doing their best to build trust . Meanwhile, a small number of free-rider companies are doing no work on privacy. The marketplace has remained confusing to the average consumer and many prefer to sit on the sidelines until baseline privacy is assured.[12]
CDT hopes that Congress will continue to support and monitor the FTC's privacy sweeps -- and we urge the Commission to work with a wide range of organizations and academics, including consumer groups, when preparing the parameters and methodology for future sweeps.
In December 2000, the Commission held a workshop entitled "The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues."[13] As this subcommittee knows well, the wireless privacy issues have been a growing concern for consumers due to the emerging use of location tracking technologies to provide consumers with enhanced services. It was clear from the workshop that the staff and Commissioners have the understanding and skills necessary to undertake a serious investigation of privacy and security in this area. However, the Commission has taken little action in this area since the workshop. CDT urges the Commission to follow-up with another workshop in this area as wireless technologies and location applications progress.
Online profiling is the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online. It remains one of the most complex and opaque issues in privacy. Consumers are concerned because they know someone is watching, but they don't know who, how or to what end.
In November 1999, FTC examined online profiling, focusing on the use of the resulting profiles to create targeted advertising on Web sites.[14] In July 2000, the FTC issued a two-part report on online profiling and industry self-regulation.[15] The Commissioners unanimously commended the Network Advertising Initiative (NAI) for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data. The July report also asked Congress to enact baseline legislation to protect consumer privacy. In addition to its several reports, the FTC has also held a series of public workshops on data mining in an effort to educate consumers as well as it itself.[16]
Especially important are the issues of government mining of commercial databases in the name of national security or other objectives. FTC examination of data quality issues could serve to be extremely useful. The reports and workshops that the FTC has undertaken in this area have represented the best work done in this area internationally. Unfortunately, since Chairman Muris has taken office, little public work has been continued in this area. We hope that the Commission will return to this area, one that causes concern to so many consumers.
While the Commission's privacy work has been successful, it has also been limited mainly to areas of deceptive or fraudulent practices. CDT believes that this limited focus is preventing the Commission from taking on urgently needed actions in the privacy area.
CDT believes that a comprehensive, effective solution to the privacy challenges posed by the information revolution must be built on three components: best practices propagated through self-regulatory mechanisms including nonprofit,[17] commercial and governmental education efforts; privacy as a design feature in products and services; and some form of federal legislation that incorporates Fair Information Practices -- long-accepted principles specifying that individuals should be able to "determine for themselves when, how, and to what extent information about them is shared."[18] Legislation need not impose a one-size-fits-all solution. For broader consumer privacy, there need to be baseline standards and fair information practices to augment the self-regulatory efforts of leading Internet companies, and to address the problems of bad actors and uninformed companies. Finally, there is no way other than legislation to raise the standards for government access to citizens' personal information increasingly stored across the Internet, ensuring that the 4th Amendment continues to protect Americans in the digital age.
On May 17, 2002 the Senate Commerce Committee passed the Online Privacy Protection Act. This important legislation would have set a true baseline of privacy protection and would give the FTC the clear authority to go after companies engaging in unfair information practices.
During the Committee process, Senator McCain asked the FTC Commissioners to give their views on the Online Privacy Protection Act. In response, Chairman Muris gave five reasons that such a bill was not necessary at that time.[19] CDT disagrees respectfully but strongly with the Chairman. While CDT continues to work with the FTC to help advance self-regulatory efforts, privacy enhancing technologies and public education, we believe that these efforts alone are not and cannot be enough to protect privacy or instill consumer confidence on their own.
CDT commends the Senate Commerce Committee for its excellent work on privacy issues. We hope that this Committee continues to push for the FTC's expanded jurisdiction in this area.
The Committee also asked CDT to address the issue of rescinding the exemption that prevents the Commission from exercising general jurisdiction over telecommunications common carriers.
The idea of creating a level playing field is appealing, particularly when some communications services fall within the jurisdiction of the FTC. In particular, lifting the restriction in certain areas -- such as billing, advertising and telemarketing --could ensure that the agency with the most expertise in these areas is taking a leading role.
However, rescinding the exemption completely could lead to duplication of government regulation and/or confusion for consumers in certain areas. For example, telecommunications companies are already subject to the Customer Proprietary Network Information (CPNI) rules administered by the Federal Communications Commission, which limit reuse and disclosure of information about individuals' use of the phone system including whom they call, when they call, and other features of their phone service. At this point, we are not sure it would be wise to take this issue away from the FCC. Similar questions may arise with other issues: Which agency would take the lead? By which rules would a complaint about deceptive notice be addressed? How will these decisions be made?
The Commission has been thoughtful in these areas in the past. Before any jurisdictional proposal moves forward the Commission would need to have a detailed examination of the issues and pan for dealing with areas of overlap.
The FTC is to be commended for taking some very laudatory steps to address the serious and widely shared concerns of the American public about privacy. Indeed, as the foregoing review of issues demonstrates, the FTC already has sufficient expertise to take on general privacy protection responsibilities. However, the Commission has, in our view, taken an unduly narrow view of its jurisdiction, such that Congressional action is needed to establish a baseline of fair information practices in law. We will continue to work with this Committee and the Commission to find innovative, effective and balanced solutions to the privacy problems posed by the digital age.
Links accurate as of June 10, 2003. Links will open in a new browser window.
1. http://www.cdt.org/speech/spam/030319spamreport.shtml
2. For more information on CDTÕs views on the CAN SPAM act, please see our recent Policy Post http://www.cdt.org/publications/pp_8.12.shtml
3. 15 U.S.C. 6101-6108
4. 16 CFR Part 310
5. http://research.aarp.org/consume/nj_telemarketing.pdf
6. CDTÕs comments, filed in coalition of other consumer groups, can be found at: http://www.ftc.gov/os/comments/dncpapercomments/04/consumerprivacyguide.pdf
7. The Interim Report of the Authentication Privacy Principles Working Group can be found at: http://www.cdt.org/privacy/authentication/030513interim.pdf
8. http://www.consumer.gov/idtheft/
9. 15 U.S.C. 6501
10. http://www.pff.org/pr/pr032702privacyonline.htm
11. CDT was the originator of the P3P concept and has continued to work on the specification and its adoption. More information about P3P can be found at http://www.w3.org/p3p and http://www.p3ptoolbox.org
12. Business Week has conducted a number of surveys showing that privacy is the number one concern of both those who are not online and those who are online, but do not shop online. The most recent is available at http://businessweek.com/2000/00_12/b3673006.htm. Jupiter Communications has estimated that $18 billion in consumer transactions did not take place online because of privacy concerns (McCarthy, John, The InternetÕs Privacy Migrane,
presentation, SafeNet2000, December 18, 2000].
13. A staff summary of the event was released in February 2002 http://www.ftc.gov/bcp/workshops/wireless/.
14. Public Workshop on On-Line Profiling
-- http://www.ftc.gov/bcp/profiling/index.htm
15. http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf and http://www.ftc.gov/os/2000/07/index.htm#27
16. http://www.ftc.gov/bcp/workshops/infomktplace/index.html
17. CDT has worked closely with the Internet Education Foundation in the further development of GetNetWise Ð http://www.getnetwise.org -- which we hope will serve as part of an educational clearinghouse on child protection, privacy and security issues and technologies. The FTC has been the single most helpful government agency in the promotion of GetNetWise.
18. Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7.
  |
The Center For Democracy & Technology |