who give up information have rights. The principles are well established in our legal tradition. Privacy protection should not end where the Internet begins. Amend the Electronic Communications Privacy Act Congress should specifically consider expanding the scope of privacy provided to subscriber information under Section 2703 of ECPA. Currently, the statute only prohibits the disclosure of such data to “governmental entities” unless they obtain legal process authorizing the disclosure. This prohibition should be extended to the disclosure of subscriber information to any third party. One of the reasons why the Navy was able to obtain information concerning Mr. McVeigh from AOL is that ECPÅ places no restrictions on service providers unless the requester identifies himself as a government agent, which the Navy investigator failed to do. Further, the current statutory regime fails to recognize that significant harm can result from the disclosure of personal information to non-governmental actors. Had Mr. McVeigh been a private sector employee, ECPA would have provided absolutely no protection, despite the fact that he could have lost his job in much the same way. Any requester should be required to provide legal authorization before receiving personal information from a service provider. With respect to governmental access, ECPA should be amended to prohibit the use as evidence of information obtained in violation of Section 2703, in the same way that Section 2515 prohibits the use of illegally obtained wire or oral communications. Finally, the civil action provision contained in Section 2707 should be amended to make clear that a cause of action will lie against a governmental entity that obtains information in violation of Section 2703. Support Passage of Internet Privacy Bill and the Children Privacy Bill The Consumer Internet Privacy Protection Act of 1997 (HR 98) would prevent an "interactive computer service" from disclosing to a third party a subscriber's personal information without that individual's written content. This is a good starting point but will leave uncovered many areas that should receive protection. Representative Franks bill, the Children Privacy Protection and Parental Empowerment Act also provides important safeguards. Establish a Privacy Agency In 1973 the Department of Health, Education and Welfare established a special panel to study privacy issues arising from the growing use of automated date processing equipment.21 That report led to the development and passage of the Privacy Act of 1974, perhaps the most important privacy law in our country. But that report also made clear, as have subsequent reports, that the cornerstone of an effective federal policy is a permanent privacy agency. It is critical today that a privacy agency be established. We simply do not have the expertise, commitment, or understanding in the federal necessary to develop the policies necessary to address the enormous challenges that we are facing. Many of the decisions that are made with significant consequences for privacy protection lack adequate representation of privacy concerns. In countries across the world, efforts are underway to address these privacy concerns. The European Union is moving forward on the implementation of extensive privacy directive that will establish legal rights for all citizens in the European Union countries. Non-EU countries, including Japan and Canada, are pursuing comprehensive privacy polices. Techniques for anonymity are being promoted in Germany, the Netherlands and elsewhere. Strong medical privacy legislation is in place in New Zealand. In the United States, even with the efforts of the Federal Trade Commission, there is little sense that we are making progress. Privacy concerns are rising. The public is not persuaded by the current policy. Business Week put it well in an editorial earlier this month: Time is running out for the Net community. The public does not trust its promises for self-regulation to ensure privacy. The polls show that people don't believe that these voluntary standards are working. Any spot check of Web sites shows that few make any serious effort to protect privacy. It's no wonder that the public wants the government to step in immediately and pass laws on how personal information can be collected and used. Even Silicon Valley libertarians who believed in voluntary standards for years are no longer so sure. As the economy shifts increasingly from an industrial to an information base, an individual's private data take on an economic utility unknown in the past. So, too, does a person's economic behavior in the electronic realm. Future 21 Records, Computers, and the Rights of Citizens (1973). growth depends on the security of that data and the comfort level for that behavior. Both civil society and economic growth depend increasingly on privacy.22 The United States has long been a beacon of individual liberty and a champion of individual rights. Our greatest challenge today is to carry forward that tradition into the information age. For Internet users today and into the future, that will mean protecting the right of privacy. References P. Agre and M. Rotenberg, eds., Technology and Privacy: The New Landscape (MIT Press 1997) J. Cohen, “A Right to Read Anonymously: A Closer Look at Copyright Management in Cyberspace," U.Conn.L.Rev. (1996) W. Diffie and S. Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1997) S. Friewald, "Uncertain Privacy: Communication Attributes After The Digital Telephony," 69 S. Cal. L. Rev. 949 (1996) International Working Group on Data Protection, Data Protection and Privacy on the Internet, Data Protection and Privacy on the Internet (1996) [http:// www.datenschutz-berlin.de/diskus/13-15.htm] National Information Infrastructure Task Force, Information Policy Committee, "Options for Promoting Privacy on the National Information Infrastructure" (1997) Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) [http:// www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM] Organization for Economic Cooperation and Development, Cryptography Policy Guidelines (1997) [http://www.oecd.org/dsti/iccp/crypto-e.html] P. Regan, Legislating Privacy: Technology, Social Values, and Public Policy (University of North Carolina Press 1995) M. Rotenberg, "Communications Privacy: Implications for Network Design," Communications of the ACM (1995) M. Rotenberg, “Data Protection in the United States-A Rising Tide?" The Computer Law and Security Report 38-40 (January-February 1998) M. Rotenberg, “In Support of a Privacy Protection Agency in the United States," Government Information Quarterly (Winter 1991) P. Schwartz and J. Reidenberg, Data Privacy Law (Michie 1996) B. Schneier and D. Banisar, The Electronic Privacy Papers (John Wiley 1997) 22 BusinessWeek, "Privacy: The Key to the New Economy," p. 128 (Mar. 16, 1998). ELECTRONIC PRIVACY INFORMATION CENTER SURFER BEWARE: PERSONAL PRIVACY AND THE INTERNET June 1997 Electronic Privacy Information Center SUMMARY The Electronic Privacy Information Center (EPIC) reviewed 100 of the most frequently visited web sites on the Internet. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed people to visit without disclosing their actual identity. We found that few web sites today have explicit privacy policies (only 17 of our sample) and none of the top 100 web sites meet basic standards for privacy protection. However, anonymity continues to play an important role in online privacy, with many sites allowing users to access web services without disclosing personal data. ÉPIC recommends that sites continue to support anonymity while developing policies and practices to protect information privacy. INTRODUCTION The protection of privacy is one of the most important issues on the Internet today. Internet users routinely report that privacy protection is one of their greatest concerns. More Internet sites are collecting personal information from users through online registrations, surveys, and forms. Information is also collected from users surreptitiously with "cookies." Web users are understandably concerned about the potential loss of privacy. We set out to determine what privacy policies and practices were actually in place on the most popular web sites today. We were interested in determining when personal information was being collected. We wanted to see if web sites had explicit privacy policies and how good those policies were. We were curious if sites made it possible for individuals to view their own information collected at the site. We checked to see if users could visit a site anonymously. We also wanted to look at the use of cookies. A summary of our findings follows. The complete survey is in the Appendix. SCOPE OF SURVEY We surveyed the Top 100 web sites as reported by www.100hot.com on June 5, 1997. According to 100hot, the site "lists the most popular sites on the web excluding browser companies, ISP's, colleges, and Adult sites." The list is compiled daily in cooperation with Alta Vista. We are aware that there are several other services that compile lists of popular Internet sites, but we think the 100hot list provides a good sample of popular sites. A review of these sites also offers a snapshot of current privacy practices on the Internet today. ABOUT SECURITY, ENCRYPTION AND SPAM For purposes of this survey, we decided to examine the collection of personal information and the existence of privacy policies an the Internet. We did not look at the adequacy of security standards, such as whether credit card transactions receive sufficient protection, the availability of good encryption, or the privacy issues related to "spam" (unsolicited commercial e-mail). These are all important issues for on-line privacy and should be examined in a separate study. COLLECTION OF PERSONAL INFORMATION One of the first issues we considered was whether personal information is collected at the surveyed web site. For the first part of this query, we were specifically interested in whether the site collected Personally Identifiable Information (PII), such as name or address, directly from the user. We counted email addresses as PII, even though it is possible to spoof an email address and it is not always clear to whom an email address refers. Page: 1 EPIC REPORT."Burler Beware: Personal Privacy and the Internet" Many web sites (49 of our sample) collect personal information through on-line registrations, mailing lists, surveys, user profiles, and order fulfillment requirements. However, some web sites, such as CNN, TV Guide, the Washington Post, and the Weather Channel, do not generally collect any personally identifiable information. We were not able to determine whether web sites are linking data collected on-line with other databases. This classic computer matching technique is oftentimes one of the first indicators of a privacy problem.. It is also likely to emerge as a significant issue in the near future. For example, America Online is matching its active member list with demographic and psychographic data obtained from Donnelley Marketing ["America Online Snoops Into Subscriber's Incomes, Children,” Privacy Times, May 30, 1997]. We think this issue bears further examination. PRIVACY POLICY We were next interested in trying to determine how many web sites actually had privacy policies. Our first conclusion was that finding a privacy policy is not an easy task. We tried a number of different techniques to locate privacy policies. • We looked at the home page for the term "privacy" with the Find command in the browser software • We searched the FAQ page for the site for the term "privacy" We looked at the legal terms and conditions page for the site for the term "privacy" • We looked at the customer agreement and similar pages at the site for the term "privacy" There are other search methods we might have tried, such as running a search engine with the domain name and the word "privacy," but this seemed to us to be beyond the call of duty. We felt that users should be able to locate privacy policies quickly and easily and that a privacy notice should be clear and conspicuous. We excluded privacy policies that were posted to a web site that were actually internal privacy policies for a company and its employees. We found that only 17 of the sites that we visited actually had privacy policies, and few were easy to find. ADEQUACY OF PRIVACY POLICIES There are many different privacy policies, but all good policies share certain characteristics: they explain the responsibilities of the organization that is collecting personal information and the rights of the individual who provided the personal information. Typically, this means that an organization will explain why information is being collected, how it will be used, and what steps will be taken to limit improper disclosure. It also means that individuals will be able to obtain their own data and make corrections if necessary. For our web survey, we were primarily interested in whether the site told the user why personal information was being collected and how it would be used. If a site didn't make some effort to provide this basic information, we classified it as having an inadequate privacy policy. Several web sites provided reasonably good privacy notices. Amazon.com, for example, tells users that it does not rent or sell its mailing list to anyone. But Amazon also advises users, "If you would like to make sure we never sell or rent information about you to third parties, just send an e-mail message to never@amazon.com." We thought this statement created unnecessary ambiguity in an otherwise good policy. Several sites post notices stating that individuals using their sites cannot transmit information that violates privacy, but have no privacy policies themselves. SECONDARY USE RESTRICTIONS In examining the few privacy policies that we found, we considered the extent to which users are able to restrict the secondary usc of their personal information. Eight of the surveyed sites provide some degree of use limitation. The use limitations are mainly limited to determining whether the collecting organization will be authorized to share (or sell) the information to a third party. ACCESS TO ONES OWN DATA One of the important goals of most privacy laws is to ensure that individuals have the ability to inspect personal information that is collected by others and to make corrections if necessary. This is to ensure that individuals know what information about them is available to others, and also to encourage data collectors to be more forthcoming about how personal information is gathered. We were interested in finding whether web sites made it possible for users to access the information that the site collected about them. We couldn't find any site in our sample that currently allows users to access their own file, with the exception of Firefly. The Firefly web site allows users to create a personal profile, to access the profile, and to revise the profile. Firefly provides a good example of user control over a personal profile on the Internet. |