Testimony Of
Ari Schwartz
Policy Analyst
The Center for Democracy and Technology

Before

The House Committee on Government Reform
Subcommittee On Government Management, Information and Technology
April 12, 2000

HR 4049
Privacy Commission Act


Overview

Mr. Chairman and Members of the Committee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about privacy in the online environment and HR 4049, a bill to establish the Commission for the Comprehensive Study of Privacy Protection. CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies that support civil liberties and a vibrant Internet.

I hope to offer the Committee CDT's view on the importance of privacy; what can be done to protect it; and, specifically, what this Committee can do to help. I will attempt to outline three major points:

  1. Privacy is a key concern for the future. The digital economy has created new threats to privacy. Americans are openly concerned about these threats.

  2. Multiple approaches are needed to protect privacy. Self-regulation, new privacy-enhancing technologies, and baseline legislation must all play a role if privacy is to be protected in the future.

  3. A commission to study privacy could help, but must not be used as an excuse to delay. For 30 years, federal commissions have played an active role in shaping privacy in America. We must neither duplicate past work, nor allow a commission to prevent legislation on issues examined by previous commissions from moving forward. This is particularly important in the areas of Internet, medical and financial privacy.


Privacy is a key concern for the future.

I would like to first address privacy, people's expectations of privacy, and the ways in which the evolution of the Internet may threaten personal privacy. As many of you know, the Center for Democracy & Technology has long been an advocate for protecting privacy on the Internet.

CDT believes that a starting point for thinking about privacy online should be individuals' long-held expectations of autonomy, fairness, and confidentiality. By autonomy, we mean the individual's ability to browse, seek out information, and engage in a range of activities without being monitored and identified. Fairness requires policies that provide individuals with control over information that they provide to the government and the private sector. In terms of confidentiality, we need to continue to ensure strong protection for e-mail and other electronic communications. Policy efforts should ensure that those expectations are respected online as well as offline. These expectations exist in both the public and the private sectors.

As it evolves, the Internet poses both challenges to and opportunities for protecting privacy. The Internet accelerates the trend toward increased information collection that is already evident in our offline world. The trail of transactional data left behind as individuals use the Internet is a rich source of information about their habits of association, speech, and commerce. When aggregated, these digital fingerprints could reveal a great deal about an individual's life. The global flow of personal communications and information coupled with the Internet's distributed architecture presents challenges for the protection of privacy.

Recent surveys confirm that more Americans are alarmed by the growing threats to privacy. For example, a March 10, 2000 Business Week Poll [ 1 ] shows that 41% of those online are very concerned about the use of their personal data. This was up from 31% in the same magazine's 1998 study. [ 2 ] More telling are the 63% of those who have been online, who have not shopped online, but are very concerned about personal privacy. A September 1999 Wall Street Journal Poll indicated that privacy is the top concern of Americans for the next century. A Wired Magazine survey in the latest issue showed that when American adults are asked what they like least about the Internet they respond that privacy is the number one issue, three times greater than that of any other concern.

These concerns are not unfounded. Almost every day, another privacy concern or security violation surfaces in the news. In the past two months alone we have seen privacy problems at such well-known companies as DoubleClick, [ 3 ] H&R Block, [ 4 ] Intuit, [ 5 ] and TWA [ 6 ] along with countless others. We will not be able to realize the promise of the Internet to promote e-commerce growth and social interaction online if people cannot protect their privacy.


Multiple approaches are needed to protect privacy.

Protecting privacy on the Internet requires a multi-pronged approach that involves industry self-regulation, technology, and legislation.

  1. Industry Self Regulation
    Consumers and Congress must continue to press the Internet industry to adopt privacy policies and practices such as notice, consent mechanisms, and auditing and self-enforcement infrastructures. We must realize that the Internet is global and decentralized, and thus relying on legislation and governmental oversight alone simply will not assure privacy. Because of extensive public concern about privacy on the Internet, the Internet is acting as a driver for self-regulation, both online and offline. Businesses are revising and adopting company-wide practices when writing a privacy policy for the Internet. Efforts that continue this greater internal focus on privacy must be encouraged.
  2. Privacy Enhancing Technologies
    On the technology front, while the Internet presents new threats to privacy, the move to the Internet also presents new opportunities for enhancing privacy. Just as the Internet has given individuals greater ability to speak and publish, it also has the potential to give individuals greater control over their personal information. For example, the World Wide Web Consortium's Platform for Privacy Preferences ("P3P") will enable individuals to more easily read privacy policies of companies on the Web, and could help to facilitate choice and consent negotiations between individuals and Web operators. Many companies are now embracing this technology, and Microsoft announced last week that it will implement P3P in upcoming consumer technologies. [ 7 ] We must continue to promote the development of privacy-enhancing and empowering technology.
  3. Baseline Legislation
    Finally, CDT believes that we must adopt some form of legislation that incorporates into law Fair Information Practices -- long-accepted principles specifying that individuals should be able to "determine for themselves when, how, and to what extent information about them is shared." [ 8 ] Legislation is necessary to guarantee a baseline of privacy on the Internet, but it is not one-size-fits-all or reactive legislation. As a starting point, privacy legislation is urgent in key sectors such as privacy of medical and financial records. For broader consumer privacy, there need to be baseline standards and fair information practices to augment the self-regulatory efforts of leading Internet companies, and to address the problems of bad actors and uninformed companies. Finally, there is no way other than legislation to raise the standards for government access to citizens' personal information increasingly stored across the Internet, ensuring that the 4th Amendment continues to protect Americans in the digital age.


A commission to study privacy could help, but must not be used as an excuse to delay.

A Congressional commission could be an excellent starting point for thoughtful Congressional action on complex consumer and government privacy issues. But it is essential that Congress not allow a commission to slow progress in other areas.

Congressionally appointed privacy commissions of the sort contemplated in HR 4049 could help in each of these three areas. In fact, over the last 30 years, dozens of federal government commissions, workshops and advisory boards have put together some of the most complete and important work on privacy. However, while these federal commissions have provided some of the best theoretical work in the privacy area worldwide, they have not often translated into real privacy protections for individuals. For example, the National Information Infrastructure Advisory Council put together a set of principles in 1995 agreed upon by industry, privacy advocates and government officials, yet these principles have not been used since their creation.

In developing a new commission, we urge the committee to:

CDT would like to see four specific areas examined in detail:

  1. Updating the Privacy Act of 1974

    As mentioned in HR 4049, the Privacy Act of 1974 was designed to protect the personal records of individuals held within the federal government and halt the spread of the Social Security Number as an identifier. As early as 1977, a Congressionally-appointed Commission found that the Privacy Act was not as effective as Congress had hoped. [ 9 ] To make matters worse, the Office of Management and Budget (OMB) has not updated its Privacy Act Guidance since a year after the Act passed.

    The advent of the Internet requires that the Privacy Act be revisited. A 1997 OMB Watch study showed that government Web sites were clearly violating the Privacy Act, [ 10 ] and an April, 1999 CDT study showed that only a third of government agencies had privacy policies on their Web sites. [ 11 ] With an OMB report on agency compliance with the Privacy Act and a GAO study on privacy notices on Government Web sites expected soon, now seems an ideal time for a Congressional Commission to work with the National Institute of Standard's Computer Systems Security and Privacy Advisory Board to move the Privacy Act into the 21st century.

  2. Public Records [ 12 ]

    The issue of public records is a difficult one. Members of this subcommittee, with jurisdiction over both the Privacy Act and the Freedom of Information Act, know that decisions must often be made to balance the important democratic principles of privacy and openness. However, these two great American values need to be looked at not as competitors, but as teammates, inasmuch as they both lead to greater government accountability. The Internet age has shown that we can no longer assume that just because a record that reveals personally identifiable information is stored in a dusty back room, it is protected. Similarly, government documents currently not exempt in any way should be on the Internet and open to view -- a process that has failed to date. [ 13 ] A commission could help Congress, and this subcommittee in particular, examine how to ensure that privacy is protected while undertaking the process of making government more accountable by putting more government documents online.

    Most public records are at the state and local level. Almost two years ago, Vice President Gore called for a dialogue between states and the federal government to address these issues. [ 14 ] While some basic education seems to be under way, no results or information from this dialogue are publicly available. A commission that met in various locations around the country, such as the one proposed in HR 4049, would be in a much better position to undertake the task at hand.

  3. Access and Security

    The principles of access and security are agreed upon fair information practices, but definitions and implementations of these practices vary widely. The Federal Trade Commission (FTC) Advisory Committee on Online Access and Security was created to begin to build consensus on the most difficult of these issues. The Advisory Committee is due to issue its final findings in the form of guidance to the FTC next month. The Commission proposed in HR 4049 could review the work of the Committee and look into how it can most effectively be implemented in both the public and private sectors.

  4. Individual Right of Action

    Existing federal privacy law has had difficulty allowing Americans redress when a privacy violation has been found. In particular, Privacy Act cases are rarely brought to court because of the barriers for individuals to show both harm and a direct violation of the law. [ 15 ] It is difficult to say what should happen after a privacy violation since the costs to the individual are not easy to measure and often permanent -- once information is out in the world it is hard to bring it back. While the individual right of action plays an important role in allowing citizens to actively protect their own privacy, we must also examine the ideas of regulatory and non-regulatory privacy agencies, which could be more effective in investigating and highlighting invasive practices in both the public and private sectors. The Commission should examine this issue and provide Congress with recommendations on redress for the future.

While these four areas may not be a complete list of the issues that a Congressional Commission should examine, they represent the type of vital concerns that need to be looked into in greater detail.


Commission Structure

CDT is also concerned that the Commission is currently too time consuming for organizations with limited staff resources. The Commission is set to have 20 hearings in 18 months. The staff time in travel alone from any organization willing to commit to participate would be overwhelming. This is particularly difficult for civil liberties and consumer groups who already have resource difficulties. A modified schedule of 12 or 8 meetings (3 or 2 in each geographical region) in 18 months seems more appropriate.


Conclusion

The Internet privacy legislation currently in front of Congress covers a wide range of issues. Many of these have been well documented in work undertaken by previous commissions and advisory boards. Studying privacy to map protections for the future must remain a high priority and should continue to explore new areas. A commission that would take on the more difficult issues facing privacy would be welcomed. However, such a commission must not be allowed simply to derail legislative hearings and actions on privacy for another 18 months as daily stories of privacy invasions and consumer concerns continue to multiply. While the commission is doing its important work in the areas outlined above, we hope that you will join us in working on ensuring greater corporate and government responsibility, privacy enhancing technologies and legislative efforts to protect privacy.


Appendix

A History of Federal Government Privacy Commissions, Workshops and Advisory Boards in the Digital Age

The following is a partial listing of federal government privacy initiatives and the resulting recommendations over the past 30 years. While the focus here is on initiatives that directly affect the privacy of government and online services, there have also been a large number of health privacy and several financial privacy initiatives. [ 16 ]

1970 - 1979

Health Education and Welfare Advisory Committee on Automated Personal Data Systems, 1972 [ 17 ]

In 1972, Elliot L. Richardson, then Secretary of the U.S. Department of Health Education and Welfare (HEW), appointed an Advisory Committee on Automated Personal Data Systems to explore the impact of computerized record keeping on individuals. In the committee's report, published a year later, the Advisory Committee proposed a Code of Fair Information Practices. These practices have been the basic element for all future Fair Information Practices and future U.S. laws, including the Privacy Act of 1974.

The basic principles of the 1973 Code are as follows:


Privacy Protection Study Commission of 1977 [ 18 ]

In 1977, at the height of the initial controversy over the legality of computer matching, the Privacy Protection Study Commission, charged with studying the issues raised by the Privacy Act and recommending future legislation, issued its report: Personal Privacy in an Information Age. The Commission was created by the Privacy Act in a provision adopted during final negotiations and accepted as less controversial than creating an Executive branch oversight agency.

The Commission's report recommended that the Privacy Act be more vigorously enforced, and suggested a number of ways to make the Act more effective. The Commission found that the Privacy Act did not lead to the benefits originally expected from its passage. The report included a proposed revision of the Act that clarified ambiguities, provided individuals with broader remedies, and tightened the exemptions in the Act. The Commission also recommended that Congress pass additional information privacy legislation to protect information held in private sector databases. The report also included a set of Fair Information Practices that employers would voluntarily follow when collecting data about individuals for hiring purposes; these have served as a basis for many subsequent guidelines.

The Fair Information Practices from the report are as follows:

While these principles have become a basis for future initiatives, several of the most important recommendations of the Commission -- particularly on the Privacy Act of 1974 and laws covering private sector information -- have largely been ignored.


1980 - 1989

Organization for Economic Cooperation and Development Guidelines (OECD) on the Protection of Privacy and Transborder Flows of Personal Data [ 19 ]

In late 1980, the OECD issued Guidelines concerning privacy. The US provided input through a private sector government collaboration headed by the National Telecommunications Infrastructure Administration (NTIA) in the Department of Commerce and the Bureau for International Communications and Information Policy in the State Department. [ 20 ]

Although broad, the OECD guidelines set up important standards for future governmental privacy rules. These guidelines underpin most current international agreements, national laws, and self-regulatory policies. Although these guidelines were voluntary, about half of OECD member-nations had already passed or proposed privacy-protecting legislation in 1980. The United States endorsed the OECD Guidelines. By 1983, 182 American companies claimed to have adopted the standard although very few ever implemented practices that mapped to the guidelines.

The OECD Guidelines are as follows:

The principles remain an international standard for privacy in the computer age.


Computer System Security and Privacy Advisory Board (CSSPAB) [ 21 ]

In 1987 Congress established the CSSPAB as a public advisory board as a part of the Computer Security Act. The Computer Security Act specifies that the Board's mission is to identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy.

The CSSPAB is composed of twelve members, in addition to the Chairperson, who are recognized experts in the fields of computer and telecommunications systems security and technology. The board examines those issues affecting the security and privacy of sensitive unclassified information in federal computer and telecommunications systems. The CSSPAB's authority does not extend to private-sector systems or federal systems which process classified information.

The CSSPAB advises the Secretary of Commerce and the Director of the National Institute of Standards and Technology (NIST) on computer security and privacy issues pertaining to sensitive unclassified information stored or processed by federal computer systems. The Board reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and appropriate committees of Congress.


1990 - 2000

National Information Infrastructure Advisory Council

In March 1995, the National Information Infrastructure Advisory Council, led by Secretary Ronald Brown at the Department of Commerce, was composed of 37 members, mostly from the private sector, and was organized into three 'Mega-Projects,' including one on privacy, security, and intellectual property. The Privacy project developed a set of Principles issued in the larger report entitled: "Project Common Ground."

The NIIAC Principles are as follows:


Information Infrastructure Task Force Principles for Providing and Using Personal Information [ 22 ]

The technology boom of the 1980s and 1990s caused many countries to review privacy guidelines. New privacy safeguards were needed to correspond with the booming use of computers in data collection. In the U.S., the Information Infrastructure Task Force's (IITF's) Information Policy Committee issued a series of Principles for Providing and Using Personal Information in June 1995. The statement of principles included a call for all participants of the National Information Infrastructure to observe several rules:

These guidelines were widely criticized by the privacy community as a retreat from the HEW and OECD guidelines. [ 23 ]


FTC and NTIA Initiatives

The FTC and NTIA have been more actively involved in addressing online privacy issues since the beginning of the massive growth of the World Wide Web. In April 1995, the FTC staff held its first public workshop on privacy on the Internet, and in November of that year the Commission held hearings on online privacy as part of its extensive hearings on the implications of globalization and technological innovation for competition and consumer protection issues.

In 1995, the NTIA completed a paper entitled "Privacy and the NII: Safeguarding Telecommunications-Related Personal Information" [ 24 ] that focused on privacy and online services. The overall purpose of the paper was to provide an analysis of the state of privacy in the United States as it relates to existing and future communications services and to recommend a framework for safeguarding telecommunications-related personal information. The analysis found "a lack of uniformity among existing privacy laws and regulations for telephony and video services" and recommended "a uniform privacy standard to provide notice and consent" as suggested in the IITF document.

In June 1996, the FTC conducted a two-day workshop to explore privacy concerns raised by the online collection of personal information, and the special concerns raised by the collection of personal information from children. The workshop looked into a wide range of issues including industry self-regulation, technology-based solutions, consumer and business education, and government regulation. In December 1996, the FTC released a staff report based on the workshops, entitled Consumer Privacy on the Global Information Infrastructure. [ 25 ] A second workshop in June 1997 delved more deeply into these issues. As the Commission explained in its 1998 Report to Congress, "in all of these endeavors the Commission's goals have been (1) to identify potential consumer protection issues related to online marketing and commercial transactions; (2) to provide a public forum for the exchange of ideas and presentation of research and technology; and (3) to encourage effective self-regulation." [ 26 ]

On June 23-24, 1998, the NTIA held a public meeting on Internet privacy. [ 27 ] This meeting was meant to be a dialogue, roundtable and working session with academia, industry representatives, privacy advocates, public interest groups and Washington policymakers.

The forum addressed the following issues:

On November 8, 1999, the National Telecommunications and Information Administration ("NTIA") of the United States Department of Commerce and the Federal Trade Commission held a public workshop on "online profiling," the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online, and using the resulting consumer profiles to create targeted advertising on Web sites. The agencies sought public comment addressing various issues related to the practice of online profiling; thousands of individuals participated. [ 28 ]

On March 31, 2000, the FTC hosted the first meeting of the Advisory Committee on Online Access and Security. [ 29 ] The purpose of the Advisory Committee is to provide advice and recommendations to the FTC on implementation of access and security fair information practices by domestic commercial Web sites. In particular, the Advisory Committee will address providing online consumers reasonable access to personal information collected from and about them and maintaining adequate security for that information. The Committee is expected to finalize its work in May 2000.


Endnotes

1. Green, Heather; Mike France and Marcia Stepanek and Amy Borrus. Business Week. March 20, 2000. http://www.businessweek.com/2000/00_12/b3673006.htm

2. Green, Heather with Catherine Yang and Paul C. Judge. A Little Net Privacy, Please. Business Week. March 16, 1998 http://www.businessweek.com/1998/11/b3569104.htm

3. Schwartz, John. "Web Firm Halts Profiling Plan: CEO Admits Mistake in Face of Probes, Privacy Complaints." Washington Post. March 3, 1999. A1.

4. Macavinta, Courtney. "Breach exposes H&R Block customers' tax records." CNet News.com. February 15, 2000. http://news.cnet.com/news/0-1005-200-1550948.html?tag=st.ne.1002.

5. Junnarkar, Sandeep. "Intuit plugs leaks to DoubleClick." CNet News.com. March 2, 2000 http://news.cnet.com/news/0-1007-200-1562341.html?tag=st.cn.1.

6. Konrad, Rachel. "Airline's mistake exposes email addresses." CNet News.com. March 21, 2000 http://news.cnet.com/news/0-1007-200-1580221.html?tag=st.cn.1.

7. Meland, Marius. "Microsoft, AOL Become Privacy Gatekeepers." Forbes.com. April 7, 2000. http://biz.yahoo.com/fo/000407/mu2547.html

8. Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7. See the appendix of this testimony for a listing of Fair Information Practice Principles and how they have developed over time.

9. Privacy Protection Study Commission. 1977. Personal Privacy in an Information Society. Washington, DC: Government Printing Office.

10. OMB Watch. "A Delicate Balance: The Privacy and Access Practices of Federal Government Web Sites." August 1997. http://ombwatch.org/ombw/info/balance/exec.html

11. Center for Democracy and Technology. "Policy vs. Practice: A Progress Report on Federal Government Privacy Notice on the World Wide Web." April, 1999. http://www.cdt.org/privacy/fedprivacystatus.shtml

12. Public records that contain personally identifiable information include, but are not limited to: drivers licenses, driving records, motor vehicle registration and titles, property tax records, voting registration records, occupational licenses, use licenses (e.g., ham radio, CB radio), firearms permits, court records (e.g., bankruptcy, divorce), law enforcement records, political contributions, Securities and Exchange Commission filings, financial disclosure filings, hunting and fishing licenses, US Postal Service address records, and vital statistics.

13. A CDT and OMB Watch joint report entitled "Ten Most Wanted Government Documents" details some of the failures of EFOIA and other federal open records laws -- http://www.cdt.org/righttoknow/10mostwanted/

14. http://www.cdt.org/privacy/gore_press.980811.html

15. The difficulties that individuals have had are well documented in the "Civil Remedies" section of the U.S. Department of Justice Office of Information and Privacy's Freedom of Information and Privacy Act Overview. September 1998 Edition. p. 711.

16. A more complete detailed summary will be available in Priscilla Regan's "Changing Institutional Roles and Responsibilities," a book chapter for Information Privacy: Looking Forward, Looking Back, edited by Mary Culnan, Robert Bies, and Michael Levy (forthcoming: Georgetown University Press).

17. United States Department of Health, Education and Welfare. 1973. Records, Computers and the Rights of Citizens. Washington, DC: Government Printing Office.

18. Privacy Protection Study Commission, 1977.

19. http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM

20. Regan, Forthcoming

21. http://csrc.nist.gov/csspab/

22. http://www.iitf.nist.gov/documents/committee/infopol/niiprivprin_final.html

23. See CDT's March 1995 comments to the IITF for an example: http://www.cdt.org/privacy/comments_iitf.html

24. http://www.ntia.doc.gov/ntiahome/privwhitepaper.html

25. http://www.ftc.gov/reports/privacy/privacy1.htm

26. http://www.ftc.gov/reports/privacy3/index.htm

27. http://www.ntia.doc.gov/ntiahome/privacy/confinfo/agenda.htm

28. http://www.ntia.doc.gov/ntiahome/privacy/index.html

29. http://www.ftc.gov/acoas/index.htm