June 1997

Electronic Privacy Information Center

Washington, DC

SUMMARY The Electronic Privacy Information Center (EPIC) reviewed 100 of the most frequently visited web sites on the Internet. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed people to visit without disclosing their actual identity. We found that few web sites today have explicit privacy policies (only 17 of our sample) and none of the top 100 web sites meet basic standards for privacy protection. However, anonymity continues to play an important role in online privacy, with many sites allowing users to access web services without disclosing personal data. EPIC recommends that sites continue to support anonymity while developing policies and practices to protect information privacy.

INTRODUCTION The protection of privacy is one of the most important issues on the Internet today. Internet users routinely report that privacy protection is one of their greatest concerns. More Internet sites are collecting personal information from users through online registrations, surveys, and forms. Information is also collected from users surreptitiously with "cookies." Web users are understandably concerned about the potential loss of privacy. We set out to determine what privacy policies and practices were actually in place on the most popular web sites today. We were interested in determining when personal information was being collected. We wanted to see if web sites had explicit privacy policies and how good those policies were. We were curious if sites made it possible for individuals to view their own information collected at the site. We checked to see if users could visit a site anonymously. We also wanted to look at the use of cookies. A summary of our findings follows. The complete survey is in the Appendix.

SCOPE OF SURVEY We surveyed the Top 100 web sites as reported by on June 5, 1997. According to 100hot, the site "lists the most popular sites on the web excluding browser companies, ISP's, colleges, and Adult sites." The list is compiled daily in cooperation with Alta Vista. We are aware that there are several other services that compile lists of popular Internet sites, but we think the 100hot list provides a good sample of popular sites. A review of these sites also offers a snapshot of current privacy practices on the Internet today.

ABOUT SECURITY, ENCRYPTION AND SPAM For purposes of this survey, we decided to examine the collection of personal information and the existence of privacy policies on the Internet. We did not look at the adequacy of security standards, such as whether credit card transactions receive sufficient protection, the availability of good encryption, or the privacy issues related to "spam" (unsolicited commercial e-mail). These are all important issues for on-line privacy and should be examined in a separate study.

COLLECTION OF PERSONAL INFORMATION One of the first issues we considered was whether personal information is collected at the surveyed web site. For the first part of this query, we were specifically interested in whether the site collected Personally Identifiable Information (PII), such as name or address, directly from the user. We counted email addresses as PII, even though it is possible to spoof an email address and it is not always clear to whom an email address refers.

EPIC REPORT: Surfer Beware: Personal Privacy and the Internet

Many web sites (49 of our sample) collect personal information through on-line registrations, mailing lists, surveys, user profiles, and order fulfillment requirements. However, some web sites, such as CNN, TV Guide, the Washington Post, and the Weather Channel, do not generally collect any personally identifiable information.

We were not able to determine whether web sites are linking data collected on-line with other databases. This classic computer matching technique is oftentimes one of the first indicators of a privacy problem. It is also likely to emerge as a significant issue in the near future. For example, America Online is matching its active member list with demographic and psychographic data obtained from Donnelley Marketing ("America Online Scoops Into Subscriber's Incomes, Children," Privacy Times, May 30, 1997). We think this issue bears further examination.

We were next interested in trying to determine how many web sites actually had privacy policies. Our first conclusion was that finding a privacy policy is not an easy task. We tried a number of different techniques to locate privacy policies.

• We looked at the home page for the term "privacy" with the Find command in the browser software.
• We searched the FAQ page for the site for the term "privacy".
• We looked at the legal terms and conditions page for the site for the term "privacy".
• We looked at the customer agreement and similar pages at the site for the term "privacy".

There are other search methods we might have tried, such as running a search engine with the domain name and the word "privacy" but this seemed to us to be beyond the call of duty. We felt that users should be able to locate privacy policies quickly and easily and that a privacy notice should be clear and conspicuous. We excluded privacy policies that were posted to a web site that were actually internal privacy policies for a company and its employees. We found that only 17 of the sites that we visited actually had privacy policies, and few were easy to find.

ADEQUACY OF PRIVACY POLICIES There are many different privacy policies, but all good policies share certain characteristics: they explain the responsibilities of the organization that is collecting personal information and the rights of the individual who provided the personal information. Typically, this means that an organization will explain why information is being collected, how it will be used, and what steps will be taken to limit improper disclosure. It also means that individuals will be able to obtain their own data and make corrections if necessary. For our web survey, we were primarily interested in whether the site told the user why personal information was being collected and how it would be used. If a site didn't make some effort to provide this basic information, we classified it as having an inadequate privacy policy. Several web sites provided reasonably good privacy notices. Amazon, for example, tells users that it does not rent or sell its mailing list to anyone. But Amazon also advises users, "If you would like to make sure we never sell or rent information about you to third parties, just send an e-mail message to" We thought this statement created unnecessary ambiguity in an otherwise good policy. Several sites post notices stating that individuals using their sites cannot transmit information that violates privacy, but have no privacy policies themselves.

SECONDARY USE RESTRICTIONS In examining the few privacy policies that we found, we considered the extent to which users are able to restrict the secondary use of their personal information. Eight of the surveyed sites provide some degree of use limitation. The use limitations are mainly limited to determining whether the collecting organization will be authorized to share (or sell) the information to a third party.

ACCESS TO ONE'S OWN DATA One of the important goals of most privacy laws is to ensure that individuals have the ability to inspect personal information that is collected by others and to make corrections if necessary. This is to ensure that individuals know what information about them is available to others, and also to encourage data collectors to be more forthcoming about how personal information is gathered. We were interested in finding whether web sites made it possible for users to access the information that the site collected about them. We couldn't find any site in our sample that currently allows users to access their own file, with the exception of Firefly. The Firefly web site allows users to create a personal profile, to access the profile, and to revise the profile. Firefly provides a good example of user control over a personal profile on the Internet.


ANONYMITY We were interested in whether users could access sites without disclosing personally identifiable information. Given their nature, we did not look closely at surreptitious techniques that may allow web servers to collect identifying information, such as email addresses or TCP/IP addresses, from web clients. We found that every site at least provides access to the home page and most sites let users visit many services on the site without disclosing any personally identifiable information. We thought the widespread practice of allowing anonymous browsing, even on the most popular web sites, was an important indicator of how privacy is actually protected on the Internet. By avoiding the collection of personal information, web sites encourage users to visit sites. In the physical world, we note that very few stores require the collection of personal information before allowing someone to enter. We suspect that preserving anonymity may be the easiest way to protect on-line privacy.

COOKIES There has been a great deal of controversy about the cookies feature in browser software. On the one hand, cookies make it possible for a web server to "recognize" a web client and enable certain features that are useful for surfing and on-line commerce, such as retaining screen preferences, storing passwords, and creating virtual shopping carts. At the same time, cookies also enable the surreptitious collection of information from the user. We were interested to see how many of the top 100 web sites enabled the cookies feature. We visited each web site and then checked our cookies file to see if a new line was added. We did not, of course, visit every page or every linked site at each site we visited, so we may have missed some pages that generate cookies. Of the 100 sites, 24 enable cookies. The cookies feature is often used for registration and password storing, but may also be used to create logs of user interests and preferences (for instance, tracking particular articles that a user accesses at an on-line news site). We thought it was noteworthy that none of the sites that enabled cookies told the user that information about the user was being placed on the user's system. We think that more could be done to make such transactions "transparent" -- that is to say, readily apparent to the user.

CONCLUSION Even though privacy is one of the top concerns among Internet users, few web sites today actually have privacy policies or provide users with information about privacy practices. This makes it almost impossible for users to make informed decisions about their on-line activities. Many have argued for notice and consent procedures and self-regulation to protect on-line privacy. But a review of the top 100 web sites reveals that only a handful provide any meaningful privacy notice. There is also virtually no indication that any meaningful steps have been taken to protect user privacy by self-regulatory means. In the absence of meaningful privacy policies, net surfers today also have little assurance that personal information that is provided at a web site might not be misused. Not surprisingly, many users are reluctant to disclose personal information and some provide false information when asked.

Although privacy policies are virtually non-existent on the Internet today, we found that anonymity continues to play an important role in protecting on-line privacy. Many of the top web sites allow users to visit without giving up personal information. Anonymity plays a particularly important role for those sites, such as CNN, that are providing news and information to the on-line community.

It is more difficult to assess how cookies are being used. Sites that have registration or membership, such as Disney or the New York Times, use cookies to store information on the user's system. But other sites enable cookies for purposes unrelated to registration. We don't think users reasonably can be expected to examine cookie files on their hard disks to track cookies usage.

Techniques to provide users with more information about privacy practices, such as eTRUST and other similar branding techniques, should be encouraged. These services should provide clear and meaningful designations for privacy practices. They should also be backed up with regular auditing. We also have doubts about proposed techniques, such as P3, that require users to disclose privacy preferences. We think that good privacy policies should provide meaningful information for users about web site practices and not require users to disclose personal information. Many users are also likely to consider their privacy preferences to be, well, private.


We suspect that one of the simplest and most effective solutions to on-line privacy is to continue the practice of anonymity. Anonymity is already widespread on the Internet -- virtually all of the sites that we surveyed allowed users to use the site without disclosing who they were. When personally identifiable information is collected, web sites should develop clear privacy policies.

RECOMMENDATIONS Users of web-based services and operators of web-based services have a common interest in promoting good privacy practices. Strong privacy standards provide assurance that personal information will not be misused, and should encourage the development of on-line commerce. We also believe it is a matter of basic fairness to inform web users when personal information is being collected and how it will be used.

• Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the home page by looking for the word "privacy."
• Privacy policies should state clearly how and when personal information is collected.
• Web sites should make it possible for individuals to get access to their own data.
• Cookies transactions should be more transparent.
• Web sites should continue to support anonymous access for Internet users.

Protecting privacy will be one of the greatest challenges for the Internet. Until clear practices are established and good policies put in place, our advice is simply this: "Surfer beware."


GVU's WWW User Surveys. One of the best sources for information about the attitudes of Internet users toward privacy issues is the semi-annual survey conducted by the Graphics, Visualization, and Usability Center of the Georgia Institute of Technology. More information about public attitudes toward privacy may be found at the EPIC Privacy Survey page.

OECD Privacy Guidelines. Many privacy policies are derived from the 1980 Guidelines on Privacy and Transborder flows of the Organization for Economic Cooperation and Development (OECD). Other related policies may be found at the International Privacy Documents archive of Privacy International.

EPIC Privacy Archive. The EPIC Privacy Archive contains an extensive collection of documents, reports, news items, policy analysis and laws related to privacy issues.


The Electronic Privacy Information Center is a public interest research organization, based in Washington, DC.

Electronic Privacy Information Center
666 Pennsylvania Ave., SE Suite 301

Washington, DC 20003
+1 202 544 9240 (tel) +1 202 547 5482 (fax)


Mr. COBLE. The gentleman from America's heartland, Professor, it's good to have you with us.

STATEMENT OF PROFESSOR FRED H. CATE, LOUIS F. NIEZEN


Mr. CATE. Thank you very much, Mr. Chairman and members of the subcommittee. I appreciate the opportunity to be here.

When I was invited to come today I was asked to address only one question, perhaps in an effort to control my natural longwindedness. That question was: “Does Congress need to take additional action now to protect personal privacy in electronic communications?” My answer is no, and I suppose I could stop there. But, I have four more minutes so let me use that time hopefully wisely.

I'm not suggesting that the extraordinary proliferation of information technologies and services are not presenting important privacy issues or even privacy problems, but rather that further Congressional action in this field at this time is premature and perhaps may be unnecessary altogether. I base that on four considerations, which I will just briefly review.

First, we are in the midst of, not at the end of phenomenal technological innovation that is prompting these new concerns about privacy. Now that to me argues against legislative action at this time, especially in a field such as privacy in which both legislation and judicial interpretations have sought to protect a “reasonable expectation" of privacy. It seems inadvisable to attempt to define a reasonable expectation in the midst of such extraordinary change.

Second, in recent years we have witnessed an increase not only in concerns about privacy, but also in the tools available to consumers to protect that privacy, and in the self-regulatory actions of industries responding to consumer demands. As a result, individuals today have greater opportunities than ever before both to participate in the world around them through the Internet and other digital technologies, but also to protect their privacy while doing so.

And I would just add here that Congress and the Administration should certainly heighten that protection, particularly through allowing high-level encryption, one of the most important technological means of allowing individuals to protect privacy online.

Third, Congress has already provided considerable and valuable protection for privacy, for example, through the Electronic Communications Privacy Act. Congress has also created in citizens and regulators, such as the FTC, further legal rights and legal authority to protect privacy. The FTC, as we already have heard, has focused considerable public attention on privacy issues, it is facilitating the development and enforcement of industry self-regulation and codes of conduct, and it's bringing pressure to bear on companies that are inadequately attentive to consumer privacy issues.

Now I'm not suggesting there may never be a need for legislation to deal with specific information issues, such as children, or sensitive medical information, but rather that the existing authority created by Congress is sufficient to deal with most privacy concerns.

Finally and most importantly I would just take this opportunity to remark that privacy is not an unmitigated good. As the Federal Reserve Board noted in its recent report on financial fraud to Con
