      CDT Testimony

Hearing on the Reauthorization of the Federal Trade Commission

Testimony Of
Ari Schwartz
Associate Director
Center for Democracy and Technology

before the

Senate Committee on Commerce, Science, and Transportation
Subcommittee on Consumer Affairs,
Foreign Commerce and Tourism
July 17, 2002

I. Summary

Chairman Dorgan and Members of the Committee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about the Federal Trade Commission (FTC) and its role in consumer and privacy protection.

Over the past seven years the FTC's activities in the area of information privacy have expanded. The Commission has convened multiple workshops to explore privacy, issued several reports, conducted surveys, and brought several important enforcement actions in the area of privacy. The Commission's work has played an important role in bringing greater attention to privacy issues and pushing for the adoption of better practices in the marketplace.

Two years ago, CDT testified that "(t)he work of the Federal Trade Commission -- through its public workshops, hearings... provides a model of how to vet issues and move toward consensus."

Chairman Muris has successfully continued the consultation and education process, working with public interest groups and industry on key issues and taking enforcement actions or instituting rulemakings on several important new fronts.

CDT and other public interest and consumer groups have been pleased with the Commission's thoughtful approach to creating a National Do Not Call Registry. The registry will provide consumers with an easy way to cut down on unwanted telephone calls and will offer industry a streamlined means of complying with the growing number of state and self-regulatory Do Not Call lists.

CDT has also been pleased with the Commission's extensive new educational effort with the public and industry on privacy notices, ID theft, wireless privacy, spam, and other issues. It should be noted that each of these areas is clearly within the FTC's jurisdiction to prevent deceptive trade practices.

However, CDT would like to see the Commission use its new resources to stop unfair information practices as well as deceptive ones. These unfair practices include: lack of meaningful notice and choice; lack of the ability to correct and amend personal information; and inadequate security safeguards.

It has long been CDT's belief that unfair information practices are already covered by the Commission's current authority. Yet, the long-standing hesitancy of the Commission to proceed has made it necessary for Congress to confirm this authority in law. Although Chairman Muris has suggested that general federal privacy legislation is unnecessary, CDT sees an urgent need for legislation similar to S. 2201, the Online Privacy Protection Act, as passed by the full Senate Commerce Committee earlier this year. Privacy protections in law - enforced by the FTC - are an essential ingredient of building and maintaining consumer confidence in the networked economy. We thank you, Chairman Dorgan, as well as Chairman Hollings and the other Senators who worked so hard to move this issue forward in the Committee. CDT looks forward to continuing to work with you to see such a measure signed into law.

II. About CDT

CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies supporting civil liberties and a vibrant communications infrastructure.

III. The Role of the FTC as the Federal Government's Leader on Consumer Privacy Issues

The FTC has used its current jurisdiction to take basic steps to protect the privacy of Americans in several innovative and balanced ways. The Commission is the government's leader in consumer privacy policy and should be commended for its current work in the area given its limited view of its own jurisdiction.

Last fall, Chairman Muris said that the Commission would increase privacy enforcement by 50%. According to internal figures, the Commission believes it is on track to reach this goal. This dramatic increase was on top of the new attention given to privacy issues that had begun five years earlier.

In particular, over the past two years, the Commission has worked in ten areas of interest to CDT:

1. Telemarketing Sales Rule - Do Not Call Registry

Under the 1994 Telemarketing and Consumer Fraud and Abuse Prevention Act,[1] the Commission was given the authority to regulate telemarketing sales. The Commission's regulations, named the Telecommunications Sales Rules (TSR), were put into effect in 1995.[2] The TSR placed some basic time, place and manner restrictions on calls and left the door open to revisiting the rule if it was not adequately protecting consumers.

Some have said that telemarketing is merely an annoyance and not a privacy concern and therefore stronger rules are not necessary. CDT disagrees. We define privacy as individual control over one's personal information. Control over one's telephone number and other personal information is central to the privacy issue in the modern world.

The American public seems to agree with us. An AARP study of New Jersey residents showed that 77% viewed telemarketing first and foremost as an invasion of privacy; 10% a consumer rip-off, and only 2% a consumer opportunity.[3]

The Commission has responded to the public concern about telemarketing by issuing a notice of proposed rulemaking, reopening the TSR and seeking public comment about how the rule could be rewritten to put consumers back in control of their telephones.[4] As a part of this process, the Commission has proposed the creation of a do not call registry, similar to those already in existence in 15 states. On this proposal, over 42,000 public comments have been submitted to the Commission. Over 90% of them support the proposed Do Not Call registry.

CDT believes that consumer choice should play an essential role in telemarketing: Telemarketing should not be banned, but consumers should be able to decide what kind of marketing calls they want and when they want to receive them. Currently, consumers must take one of several different approaches to remove their names from telemarketing lists. They must (1) sign up for the Direct Marketing Association's do-not-call list; (2) enlist the help of some or all of twenty different state laws that include do-not-call provisions; and/or (3) contact individual companies to direct them to place them on a company-based do-not-call list. Currently, consumers must find their way through this complex maze of options.

CDT, in coalition with other consumer groups, filed extensive comments with the Commission supporting the proposed new Do-Not-Call list.[5] (The coalition were also the creators of ConsumerPrivacyGuide.org - a Web site designed to educate consumers on what they can do to protect their own privacy.) Our joint comments state that institution of a national Do-Not-Call list by the FTC would provide consumers with a straightforward, easy-to-exercise mechanism to remove their names from telemarketing lists. The FTC initiative would lift the burden from consumers who must either use the DMA service or a state do-not-call request on a company-by-company basis.

We stressed in our comments that the FTC's Do-Not-Call initiative should not dilute or undercut the protections afforded consumers by the states against invasive telemarketing. Further, as we pointed out, it is critical that consumers are not charged a fee to be placed on the Do-Not-Call list -- consumers' ability to protect the privacy of their personal information should not be contingent upon their ability to pay a fee.

CDT has been pleased with how the public process on this important issue has progressed. To date it has been a model example of how a complex but important issue can be addressed through an open, public process. We hope that the Commission will follow an equally inclusive process when it issues its final draft of the rule.

2. Privacy Education

The FTC has generally served a valuable role working with and educating the business community about privacy best practices and implementation of fair information practices. An important example is the work the FTC has undertaken in the area of privacy notices. The millions of confusing privacy notices mailed to consumers under the Gramm-Leach-Bliley Act highlighted the difficulties encountered in providing consumers with clear, comprehensive and easily understood notice.

While significant work had been undertaken by the business community and advocates to explore and develop better ways to effect good notice, the FTC workshop held in late 2001 was an important opportunity to raise issues to be resolved and share findings in a public discussion. Participants were able to voice concerns, note accomplishments and chart out areas for future research.

Forums such as these are an important tool in highlighting and encouraging efforts to address specific privacy issues.

3. Unsolicited Commercial Email (Spam)

The Commission has taken several useful steps regarding the issue of unsolicited commercial email, or spam:

While the Commission, given its limited view of its jurisdiction, has taken these exemplary first steps in research, education and enforcement regarding unsolicited commercial email, CDT would like to see it given more power to tackle fraudulent spam. Further appropriate steps could be taken under provisions in the CAN SPAM Act (S. 630), sponsored by Senators Burns and Wyden and recently passed by the full Commerce Committee. CDT is hopeful that we can begin to turn the tide on spam while still protecting the First Amendment right of anonymous non-commercial/political speech online.[6]

4. Gramm-Leach-Bliley Compliance

Under the new financial services law, the Commission has jurisdiction over important financial institutions such as insurance and mortgage companies. In an August 2001 survey, CDT found that these companies were among the worst in posting privacy notices on Web sites. That month, we filed a complaint with the FTC about several mortgage companies that were not posting notices as required by the FTC's GLB regulations. While the Commission has not officially closed the case, the five remaining Web sites have now posted privacy policies.

CDT believes that there is probably still more basic, but important, enforcement work that the Commission could do in the area of privacy notice for insurance and mortgage companies.

5. Identity Theft and Identity Fraud

The FTC has been a leading agency in the prevention and prosecution of identity theft through its identity theft program. The program contains three key elements: the Identity Theft Data Clearinghouse;[7] consumer education and assistance resources; and collaborative enforcement efforts involving criminal law officers and private industry.

The Identity Theft Clearinghouse currently holds more than 170,000 victim complaints and serves as an important tool for 46 federal and 306 state and local law enforcement agencies, including the US Secret Service, the Department of Justice, the US Postal Inspection Service, and the International Association of Chiefs of Police. The FTC has also been increasing outreach programs to educate law enforcement officials on how the Clearinghouse database can be used to enhance investigations and prosecutions.

In regards to consumer education and assistance resources, the FTC has held training seminars for law enforcement officials at all levels in an attempt to give law enforcement the necessary tools they will need to combat identity theft. The FTC has also implemented a nationwide, toll-free hotline that consumers can call if they have become a victim and a Web site that consumers can access to file a complaint and gain helpful prevention tips.

The Commission's work in this area shows that it can be a leader with other law enforcement agencies, serving as the main contact to the public. Hopefully the Commission's work, along with the passage of new legislation in this area, can help to cut down on what many believe to be the fastest growing crime in the country.

6. Wireless Privacy

In December 2000, the Commission held a workshop entitled "The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues."[8] As this subcommittee knows well, wireless privacy issues have been a growing concern for consumers due to the emerging use of location tracking technologies to provide consumers with enhanced services. It was clear from the workshop that the staff and Commissioners have the understanding and skills necessary to undertake a serious privacy or security investigation in this area if it is warranted. However, the Commission has taken little action in this area since the workshop. CDT urges the Commission to follow up with another workshop in this area as wireless technologies and location applications progress.

7. Online Profiling and Data Mining

Online profiling is the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online. It remains one of the most complex and opaque issues in privacy. Consumers are concerned because they know someone is watching, but they don't know who, how or to what end.

In November 1999, the FTC examined online profiling, focusing on the use of the resulting profiles to create targeted advertising on Web sites.[9] In June and July of 2000, the FTC issued a two-part report on online profiling and industry self-regulation.[10] The Commissioners unanimously commended the Network Advertising Initiative (NAI) for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data. The July report also asked Congress to enact baseline legislation to protect consumer privacy. In addition to its several reports, the FTC has also held a series of public workshops on data mining in an effort to educate consumers as well as itself.[11]

The reports and workshops that the FTC has undertaken in this area have represented the best work done in this area internationally. Unfortunately, since Chairman Muris has taken office, little public work has been continued in this area. We hope that the Commission will return to this area, one that causes concern to so many consumers.

8. Computer Security Education

The FTC has taken several steps to educate consumers on computer security. In addition to holding workshops, the FTC is drafting a guide for consumers on how to stay safe online using a high-speed Internet connection. The guide details how users can protect their computers from viruses and hackers by explaining security features such as firewalls and updating virus protection software. The FTC has worked diligently to make the report both understandable and appealing to the average consumer through careful analysis and easy-to-read text. The Commission has continued to work with consumer groups to ensure that the guide is easy to use and contains the necessary information. In addition, the FTC held a public workshop in May to examine issues surrounding the security of consumers' computers.[12]

9. Internet Privacy Sweeps

Earlier this year, the Commission continued its ongoing assessment of the state of Internet privacy which began five years ago and has been repeated twice since. This year, the Commission embraced a report[13] organized by the Progress and Freedom Foundation and conducted by the Ernst and Young accounting firm. The results show significant improvement in the number of privacy policies posted and the growth of the new privacy protocol, the Platform for Privacy Preferences (P3P).[14] This positive growth is due, in part, to the educational work of the Commission.

On the other hand, the study found that self-regulatory seal programs have actually been shrinking. This is mainly due to the bankruptcy of many dot com players, but it also indicates that we are entering a time of a major privacy gap. Some companies are actively involved in the privacy issue and are doing their best to build trust. Meanwhile, a small number of free-rider companies are doing no work on privacy. The marketplace has remained confusing to the average consumer and many prefer to sit on the sidelines until baseline privacy is assured.[15]

CDT hopes that Congress will continue to support and monitor the FTC's privacy sweeps - and we urge the Commission to work with a wide range of organizations and academics, including consumer groups, when preparing the parameters and methodology for future sweeps.

10. COPPA Compliance

In 1998, Congress passed the Children's Online Privacy Protection Act (COPPA)[16] in order to protect children's personal information in interactions with commercial sites. The FTC was required to enact a rule to implement COPPA and in doing so it clarified issues concerning coverage and liability, modified several definitions that would have interfered with children's ability to participate, speak and request information online, and made every effort to create a predictable and understandable environment for the protection of children's privacy online.

Since issuing its final Rule implementing COPPA, the FTC has taken several effective and necessary steps to enforce and enhance compliance with COPPA. This past spring, the FTC released a package of initiatives that included:

While there is still work to be done, the COPPA experience demonstrates that the FTC can develop workable privacy rules in complex and sensitive areas that go well beyond its traditional arenas.

IV. The Future Role of the FTC in Privacy Issues

While the Commission's privacy work has been successful, it has also been limited mainly to areas of deceptive or fraudulent practices. CDT believes that this limited focus is preventing the Commission from taking on urgently needed actions in the privacy area.

Conclusion

The FTC is to be commended for taking some very laudable steps to address the serious and widely shared concerns of the American public about privacy. Indeed, as the foregoing review of issues demonstrates, the FTC already has sufficient expertise to take on general privacy protection responsibilities. However, the Commission has, in our view, taken an unduly narrow view of its jurisdiction, such that Congressional action is needed to establish a baseline of fair information practices in law. We will continue to work with this Committee and the Commission to find innovative, effective and balanced solutions to the privacy problems posed by the digital age.

Notes

1 15 U.S.C. 6101-6108

2 16 CFR Part 310

3 http://research.aarp.org/consume/nj_telemarketing.pdf

4 http://www.ftc.gov/bcp/conline/edcams/donotcall/pubs/NDNCR_therule.pdf

5 http://www.ftc.gov/os/comments/dncpapercomments/04/consumerprivacyguide.pdf

6 For more information on CDT's views on the CAN SPAM Act, please see our recent Policy Post http://www.cdt.org/publications/pp_8.12.shtml

7 http://www.consumer.gov/idtheft/

8 A staff summary of the event was released in February 2002 http://www.ftc.gov/bcp/workshops/wireless/.

9 Public Workshop on "On-Line Profiling" -- http://www.ftc.gov/bcp/profiling/index.htm

10 http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf and http://www.ftc.gov/os/2000/07/index.htm#27

11 http://www.ftc.gov/bcp/workshops/infomktplace/index.html

12 http://www.ftc.gov/bcp/workshops/security/index.html

13 http://www.pff.org/pr/pr032702privacyonline.htm

14 CDT was the originator of the P3P concept and has continued to work on the specification and its adoption. More information about P3P can be found at http://www.w3.org/p3p and http://www.p3ptoolbox.org

15 Business Week has conducted a number of surveys showing that privacy is the number one concern of both those who are not online and those who are online, but do not shop online. The most recent is available at http://businessweek.com/2000/00_12/b3673006.htm. Jupiter Communications has estimated that $18 billion in consumer transactions did not take place online because of privacy concerns (McCarthy, John, "The Internet's Privacy Migraine," presentation, SafeNet2000, December 18, 2000).

16 15 U.S.C. 6501

17 Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7.

18 http://www.ftc.gov/os/2002/04/sb2201muris.htm

