Testimony of the Center for Democracy and Technology
Federal Trade Commission
November 8, 1999
The profiling techniques employed by online advertising networks raise troubling privacy concerns. Advertising networks are using unique identifiers to track and monitor individuals' online activities across multiple Web sites without their knowledge and consent. This practice undermines individuals' expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded.
The profiling activities of advertising networks, such as Doubleclick which currently commands approximately 60% of marketshare, are the leading edge of a growing industry built upon the wide spread tracking and monitoring of individuals' online behavior. The increasingly pervasive use of surreptitious monitoring systems breeds consumer distrust and undermines consumers' efforts to protect their privacy by depriving them of control over their personal information.
The practices of advertising networks have far-reaching impacts on consumers' online privacy. The advertising networks that engage in profiling are hidden from the individual. They reach through the Web site with whom the individual has chosen to interact with and, unbeknownst to the individual, extract information about the individual's activities. In the rare instances where an individual is aware of the fact that a third party is collecting information about them, they are unlikely to be aware that this information is being fed into a growing personal profile maintained at a data warehouse.
While several of the companies engaged in profiling state that they do not correlate information with identifying information such as name, email, address, this does not on its own address the privacy concerns at issue. The detailed nature of the profiles and the capture of information that can be reasonably associated with a specific individual raise questions about the claims of anonymity and promises of non-identifiability. While the companies, in some instances, may not be using the information in identifiable form, the information may be quite capable of revealing the individual's identity.
Equally troubling is the possibility that any one of these companies might unilaterally decide to change its terms of service and retroactively attach identities to these extensive profiles -- contradicting the statement relied upon by consumers. We have seen Web sites and online service providers attempt to change their privacy practices and terms of service. While some have come under heavy fire and stepped back, we are certain that many have gone unnoticed by consumers and advocates alike. A change in policy that so fundamentally alters the privacy expectation of consumers should not be permitted unless consumers have unequivocally consented.
As these companies merge with each other and with companies such as Abacus that maintain detailed personally identifiable profiles about individuals' offline activities, the consolidation of offline and online profiles will erode the distinction between online and offline identity. Online companies are aware of the sensitivity this raises. Consumers have shown an aversion to having their online activities tied to their identity.
Finally, recent revelations about government demands for access to individual profiles created in the consumer marketplace warn us that even the most benign information, such as grocery purchases, that provides insights into individuals' behavior are sought out by the government.
Similar concerns, led CDT and other advocates to file a complaint asking the FTC to enjoin the shipment of the Intel Pentium III Processors equipped with unique identifiers.[ 1 ] Our complaint stated that the deployment of the Intel Pentium III Processors equipped with unique identifiers did not comport with concepts of privacy protection. We specifically noted that the PSN threatened consumer privacy by failing to provide consumers with effective notice of how data is handled and by facilitating the collection of personal information without consumers' consent -- two bedrock principles of fair information practice.
Like Intel, the profiling companies have recognized that their activity poses a threat to online privacy. And like Intel, their opening response to privacy concerns is inadequate.
We welcome the opportunity to participate in this workshop and hope that this proceeding will shed light on profiling and the privacy concerns it raises. We look forward to working with all participants to protect individual privacy.
|I. What is "online profiling"?|
The practice and risks of profiling.
"Profiling" is the collection of detailed data about an individual or a group of people (living in the same area or belonging to the same ethnicity for example). Profiling can be the compilation of information in a clearly identifiable fashion -- including information such as full name or social security number. It may be the collection of information about a unique individual, but without information about who the individual is -- a DC metro card for example contains a profile of your trips but it does not contain any information about you. The term also includes the creation of a profile that does not contain information about a specific individual but is used to make decisions or impute traits to individuals who match this profile. For example, the widely condemned "racial profiling" does not use information about unique individuals, but rather imputes traits to individuals based on a characteristic.
"Online profiling" The term online profiling captures the above activities when they occur on the Internet. Profiling in the online environment can be split into a few categories. First, individual Web sites or online service providers can collect information from users -- both information provided by the individual and click stream or navigational data. This data may be captured for a limited duration -- session specific -- or may be collected and maintained as an ongoing portrait of the individual. It may be directly tied to a unique individual, to a pseudonym or to a specific, named individual.
With growing frequency, navigational and other data is being captured by third parties -- advertising networks or "profiling companies." With the permission of the Web site, but not the individual, these profiling companies place unique identifiers on individuals' computers. These identifiers are then used to track the individual as they surf the Web. The individual's profile grows with time, because online profiling is a continuing collection of his online behavior, despite the fact that the individual disconnects. The navigational data collected may include information such as, Web sites and Web pages visited, the time and duration of the visit, search terms and other queries, purchases, "click through" responses to advertisements, and the previous page visited. In addition to long lists of collected information, a profile may contain "inferential" or "psychographic" data -- information that the business infers about the individual based on the behavioral data captured. From this amassed data, elaborate inferences may be drawn, including the individual's interests, habits, associations, and other traits.
|II. How do the information collection practices of "profiling companies" differ from those of others operating on the Internet?|
It is true that data is collected about individuals at Web sites and by online service providers. From the outset it is important to recognize that the activities of the "profiling companies" highlights the complexity of privacy issues and the need for a broader and deeper examination of privacy on the Internet. But, the activities of the "profiling companies" or advertising networks under discussion today threaten privacy in ways that merit special consideration.
Unlike an online service provider or Web site with whom an individual initiates a relationship, advertising networks do not directly serve consumers. Rather, advertising networks establish relationships with Web sites and portals, whereby they are permitted to extract information from consumers without asking them directly.
It is important to note that if a series of Web sites desired to exchange information about individuals to create the type of profiles enabled by advertising networks they would need to collect and disclose information about visitors in identifiable form. To engage in such a practice, under the Federal Trade Commission's framework a Web site would have to follow four basic Fair Information Practices when handling personal information: provide notice to consumers; gain consumer's consent prior to using data for unrelated purposes (or at least provide an opt-out); allow consumers to access and correct personal information; and provide redress to consumers where these practices are breached. Of utmost importance is the consent of the individual.
The profiling activities under discussion today fail to meet this standard in the following ways.
Notice: Fair Information Practices require individuals to be provided a description of the purpose and uses the entity makes of personal information. This notice should be clear, conspicuous, understandable and occur prior to the collection of personal information.
By and large, consumers are unaware of the profiling activities engaged in by advertising networks. Web sites do not provide individuals information about the profiling activities of advertising networks. The advertising networks themselves are unknown to consumers and if an individual learns of a companies existence it is likely to be well after data has been collected.
Individuals are not provided with notice prior to the collection of information. Nor are the notices provided by the advertising networks at their Web sites sufficient to enable consumers to make informed decisions about participation. The lack of notice is particularly troubling in this context because the collection of information by these companies is a secondary use over which individuals should have control -- in addition to effective notice.
Consent: The Fair Information Practices require businesses to gain consent prior to using personal information collected for one purpose for another purpose.
When an individual visits a Web site, enters a search term, or engages in other online activities the data generated should be used to support the activity, unless the individual has consented to additional uses. The FTC's guidance in this area requires at a minimum the right to opt-out of unrelated uses of personal information.
The profiling activities at issue here are not the purpose of the individual's interaction with the Web site. While whether the data is at this point tied to a specific known individual or tied to a unique, but not specifically identified individual is critical to the final privacy analysis, in either form it raises privacy concerns. For in this case, like the "look-up" services previously examined by the FTC, the entire business model is built upon the secondary use and compilation of information. Whether the information is used in an identifiable fashion at the start, at some other point, or never, is only one part of the equation. For the information collected and tied to a unique identifier allows businesses to make decisions about the individual and in many cases can be readily used to specifically identify the individual tracked. Faced with an attractive business model or a civil or criminal subpoena, it is extremely likely that the profiles maintained by these services in clearly identifiable form or in profiles attached to unique identifiers could identify, or at least be used to identify, individuals.
Access and Correction: Fair Information Practices require individuals be able to access and correct personal information.
The ability to see and correct information that entities maintain on you is a critical component of information privacy. Particularly when decisions are being made about the individual on the basis of such data. In this instance, individuals experience of the Web is being altered based on information associated with their online persona. Access and correction rights must be provided here.
Remedies: Where violations of these practices occur, individuals must be able to seek relief.
It is unclear how an aggrieved individual would be made whole.
|III. Heightened Risks to Individual Privacy and Consumer Trust.|
The profiling activities of these companies pose unique risks to consumer privacy and consumer trust. As these companies continue to merge with themselves and offline profilers, they will hold detailed profiles on an increasingly large segment of the population. These profiles will have been created without the participation of the individual. They will have been created through the surreptitious and non-consensual collection of detailed navigational data. The profiles may become -- as the business plans and SEC disclosures of some companies portend -- fully associated with individuals, combining information about on and off line behavior.
This tracking can harm individual privacy and consumer trust in several ways.
A. Harms to Privacy
There are several core "privacy expectations" [ 2 ] that individuals have long held, and which should carry over to their interactions on the Internet, that are at risk due to these online profiling activities.
When individuals surf the World Wide Web, they have a general expectation of anonymity. More so than in the physical world, if an individual has not actively disclosed information about herself, she believes that no one knows who she is or what she is doing.
The introduction of networked profiling activities like those at issue here, threatens this expectation by providing a means of surreptitiously tracking and monitoring individuals' behavior. The practice of assigning unique identifiers to individuals and capturing information about every stop a person makes on the Web can lead to extremely detailed "profiles" of individuals' online lives.
The use of a single identifier across various online interactions may also enable unscrupulous individuals and those seeking to profit from information about individuals to more efficiently correlate detailed profiles. The collection of information by profiling companies at Web sites that offer products and services that reveal sensitive information about individuals such as health conditions raises particularly troubling privacy concerns.
B. Chilling the use of the Internet and the search for information
Tracking and monitoring of Internet usage can have a negative effect on individuals' access to information. The anonymity that the Internet affords individuals has made it an incredible resource for those seeking out information. Particularly where the information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, depression, and abortion; the ability to access information without risking identification has been critical. This is not a new revelation. Protecting privacy and anonymity has consistently been recognized as an important component of ensuring full exercise of the First Amendment freedom to seek out information. But privacy is not just theoretically related to free expression. Our public policies, including laws that protect the confidentiality of library patron's records and the confidentiality of video store patron's records exist because they are critical to ensuring the public's right to read and view information.
Studies in both the online and offline world reveal that an actual or perceived lack of privacy chills individual's access to information. A 1989 study found that teenagers who used computer assisted games to gain information about pregnancy prevention sought out more information than those who were enrolled in health education classes.[ 4 ] Among the reasons for pursuing computer assisted health education, the authors stated that "Patients have indicated that they prefer computer to human interviewing or advice regarding sensitive topics such as sexuality. Computer-assisted instruction has been shown to enhance interactive skills with regard to sexuality without the sensitive personal exposure of class or groups sessions."[ 5 ] The privacy and confidentiality provided by computer-assisted education was critical to ensuring that students sought out desired information. Similarly, a more recent study found that online access was critical to gay youths' ability to come to terms with their sexual orientation. The ability to gain information without risking exposure of their identity was pivotal.[ 6 ]
The profiling activities of these advertising networks pose a significant risk to consumers' privacy. Individuals should not be the subject of this profiling -- whether it is occurring in fully identifiable form or through the use of a unique identifier -- against their will. At this time, we believe that individual's informed consent must be obtained by these companies prior to the collection of personal information from consumers. This issue merits additional consideration by the Commission.
The surreptitious creation of detailed dossiers of individuals' online behavior has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are continuously monitored and in some cases fully identified. If the practices of these companies are allowed to spread unchecked we believe that individuals' control over the use and disclosure of their personal information will be further eroded. Survey after survey informs us that the surreptitious collection and compilation of data represented by these companies breeds consumer mistrust.
The proliferation of these profiling systems will needlessly erode anonymity and expand the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. The segment of the online business community that has committed itself to promoting more responsible practices in the online environment may find its work to increase consumer participation and trust undermined. Studies have found that the collection of information and the tracking of individuals' activities makes individuals' reluctant to participate in online life.
Technical and policy solutions must be developed that provide strong protections for individual privacy and anonymity, and allow individuals to benefit from the customization possible on the Web. The practices of the advertising networks do not meet this standard.
[ 1. ] On February 26, 1999, the Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, and Consumer Action filed a Complaint and Request for relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of the deployment of the Intel Pentium III Processor Serial Number (PSN). Specifically, the Complaint requested that the Commission enjoin the shipment of Intel Pentium III Processors equipped with a unique PSN and to enjoin computer manufacturers from shipping Pentium III PSN-equipped computers unless the PSN was turned "Off" in a secure manner. In addition to this specific and immediate relief, the complaint also requested that the Commission commence an investigation into the privacy issues posed by the Intel Pentium III PSN, because we believe that a broader examination of the privacy implications of the PSN and other computer and Internet-based identifiers is critically needed to ensure that a privacy framework guides the development and deployment of online authentication tools. Our complaint argued that the introduction of the PSN was a violation of individual privacy and, therefore, an unfair and deceptive trade practice under Section 5 of the FTC Act. The complaint charged that the impending release of the Intel Corp.'s Pentium III chip with an identifying serial number would harm consumers' privacy.
[ 2. ] The phrase "expectations of privacy" is used here with intent. Despite case law suggesting that our the legal protections afforded to our expectations of privacy are limited by the technical and social possibilities for surveillance, we believe that, as a society, we do share some basic expectations of privacy. Privacy legislation enacted by Congress in response to some of the Court's decisions lends credence to this notion.
[ 3. ] See CDT's privacy survey page: http://www.cdt.org/privacy/survey.
[ 4. ]. Adolescent Pregnancy Prevention by Health Education Computer Games: Computer-Assisted Instruction of Knowledge and Attitudes, David M. Paperny et. al, Pediatrics Vol. 83 No. 5, May 1989.
[ 5. ]. Id.
[ 6. ]. 1997 survey conducted by Oasis Magazine and !OutProud!, the National Coalition of Lesbian, Gay, Bisexual and Transgender Youth, reported that 68% of gay youth were able to come to terms with their sexual orientation as a result of online access. (See letter submitted by GLAAD to the FTC, March 17, 1999.