
Testimony of Deirdre Mulligan, Staff Counsel, Center for Democracy and Technology

before the

House Committee on Commerce, Subcommittee on Telecommunications, Trade, and Consumer Protection

July 21, 1998

I. Introduction and Summary

The Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify on the issue of individual privacy in the online environment.

CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies.

In the invitation I received to testify, the Committee identified several key questions that must be answered if we are to have an informed dialogue about privacy on the Internet. The crux of the Committee's questions can, I believe, be summed up as: "who should lead?"

CDT believes that it is time for Congress and relevant stakeholders to develop a bipartisan national privacy policy for the Internet. Self-regulation, while a necessary component of the electronic marketplace, has proven, on its own, to be insufficient. However, to move forward we must acknowledge two important concepts: self-regulation is a necessary component of protecting privacy in the global and decentralized electronic commerce environment; and privacy legislation can aid privacy and electronic commerce by creating a level policy and practice playing field and a viable benchmark for oversight, enforcement, and redress.

We believe that Congress should enact legislation enabling the Federal Trade Commission to craft baselines for protecting privacy during commercial interactions. In addition, Congress should continue to explore and develop other legislative proposals to protect privacy, explore the role of technology in protecting privacy and methods by which the government can promote the development of privacy-enhancing technologies, and explore the creation of a privacy infrastructure including a federal entity to develop privacy policy for both the public and private sectors.

II. Who should lead: the role of privacy legislation in regulating private sector activities

The Federal Trade Commission's report served as a wake-up call. It jump-started industry efforts, galvanized privacy and consumer groups, and intensified the Administration's review of its chosen stance on privacy protection. As you heard this morning, the FTC's review spurred some increased efforts in the private sector. While we welcome the renewed efforts of industry, we strongly believe that industry acting alone will continue to fall short of the goal of providing pervasive privacy protections. It is clear to us that a more comprehensive and vigorous approach is required. However, we must also recognize that legislation will not on its own provide complete privacy protection. Privacy protection must build upon the strengths of existing efforts -- self-regulatory and technical -- but fold them into a comprehensive system of enforceable privacy protections.

III. Crafting Legislation

Debate over the capacity of self-regulation and market forces to adequately address privacy concerns is common in the privacy and consumer protection arenas. Advocates often take the position that self-regulation is inadequate due to both a lack of enforcement and the absence of legal redress for harmed individuals. Industry tends to strongly favor self-regulation, stating that it results in workable, market-based solutions while placing minimal burdens on affected companies. These positions, while in tension, have both accurately described the self-regulatory process. A close look at the enactment of federal privacy legislation over the years reveals some common elements that move both parties toward supporting legislation, and supports CDT's belief that the time is right to enact a federal baseline of privacy protections for the electronic environment.

IV. Recommended legislative proposals to protect individual privacy including children's privacy

It is time to develop and move a national privacy policy forward. Such a policy must provide for the adoption and implementation of substantive policies that protect privacy throughout the private sector, the creation of legally enforceable privacy rights for individuals, the establishment of a national infrastructure to develop and oversee privacy policy, and support for privacy-enhancing technologies.

At this time, legislation is needed to accomplish two of these goals: the adoption and implementation of privacy policies in the private sector and the creation of legally enforceable privacy rights for individuals.

V. Technology and Privacy

In addition to crafting federal rules to protect privacy, we must look to technologies that protect privacy. Such technologies can provide protection across the global and decentralized environment of the Internet where law or self-regulation may fail. Technology can provide a shield around the individual's actions, communications and identity, providing confidentiality, pseudonymity or anonymity. It can also serve as a mediator or facilitator capable of expressing and monitoring data practices and policies.

Unfortunately, society is best acquainted with technologies that enable personal activities and commercial behavior to be tracked. Traditionally advances in technology have met the government and private sector's proclaimed need to monitor, evaluate, and trace the behavior of individuals. Technology has eroded individual privacy by enabling massive data collection and manipulation, enhancing the ability to track activities, and fostering the use of data for purposes unintended and unforeseen by the individual data subject. In past years, national legislatures and international bodies have often stepped in to address risks to individual privacy posed by advances in these kinds of technologies.

Current trends in computing offer an opportunity to shift the relationship from privacy versus technology to privacy enhanced by technology. The effects of distributed network computing are not yet clear in the area of privacy. Interactive media has increased the non-consensual, surreptitious collection of personal information and greatly facilitated tracking of personal and commercial behavior. These trends, if left unaddressed, will continue technology's tradition of eroding individual privacy. However, there is growing evidence that the rapid decrease in cost and expertise needed to develop and use information technology coupled with the decentralized nature of the global network can be harnessed to significantly alter technology's traditional relationship to privacy.

A number of technologies have been put forward for protecting or enhancing privacy in networked environments. They vary from tools that provide near anonymity to those that seek to provide openness about data practices and foster informed decisions by individuals. The technologies differ in their ability to respond to and support the varied privacy concerns that arise in relationships, interactions and roles.

As discussed above, networks generate, collect, and store vast amounts of data -- yet individuals are rarely aware of these activities. In that context, technologies are being designed to facilitate transparency of data practices, enable consent to be withheld or communicated, minimize data collection, provide anonymity, and enable secure exchanges of information where appropriate. Many technologies that support privacy rely on cryptography. Cryptography is essential to ensuring individual privacy in network environments. Various applications of cryptography provide individuals and entities with mechanisms to protect communications and information while in transit and during storage, and to shield the individual's identity. It is a key element of technologies such as digital certificates and electronic cash. Cryptographic methods also offer new opportunities to minimize the collection of personal data, by enabling secure but anonymous payments, transactions, and interactions. Technology coupled with policy can play an important role in fostering the implementation of privacy protections on global information networks like the Internet.

Technology can provide a shield around the individual's actions, communications, identity, or any combination thereof, providing confidentiality, pseudonymity or anonymity. Digital technology generates, collects, and captures a vast amount of data about the flow of information, communications, and interactions. Where the individual's identity is revealed, or can be readily derived, in connection to these activities the digital environment creates an unsurpassed capacity for tracking of personal activities and commercial behavior. Technologies that minimize or eliminate the collection of information about the individual's identity are essential to privacy protection in the online environment.

A number of technologies have been developed that eliminate the collection of identity information, thereby enabling anonymous transactions. Eliminating the collection of information eases the task of protecting privacy. Technologies that prevent entities from collecting data allow individuals to engage in activities without privacy ramifications. By eliminating data collection, tools of anonymity mitigate the need for other principles of data protection. However, anonymity alone will not support the full range of interactions, relationships, and communications individuals engage in on international networks.

"Anonymizers" protect an individual's identity while "surfing," or browsing, the World Wide Web. Functioning as a proxy or intermediary between the individual's browser and the server from which they are retrieving information, the Anonymizer removes information that could potentially reveal the individual's identity to others. In general they should be accountable for complying with measures which give effect to Fair Information Practice principles. Because they may provide a central point of information about an individual's activities, their compliance with these principles is especially important, particularly with regard to the establishment of: frequent cycles of log destruction; limits on reuse; limits on access by third parties; and security safeguards.
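The two duties the paragraph assigns to an Anonymizer, stripping identity-revealing data from the request it forwards and keeping only minimized, short-lived logs, can be shown in a small constructed example. The code below is added for illustration and is not the code of any real Anonymizer service; the list of headers treated as identifying, the generic User-Agent string, the one-day retention window, and the sample request are all assumptions.

```python
"""Constructed example of an anonymizing proxy's two privacy duties: scrubbing
identity-revealing request data before forwarding, and keeping only a minimized,
short-lived access log. Not code from any real Anonymizer service."""
from datetime import datetime, timedelta

# Request headers that can reveal who the user is, where they came from, or which
# client they run. Which ones to drop is a policy choice assumed for this example.
IDENTIFYING_HEADERS = {
    "cookie", "referer", "authorization", "from",
    "user-agent", "x-forwarded-for", "via", "forwarded",
}
GENERIC_USER_AGENT = "AnonymizingProxy/0.1 (example)"  # assumed value


def scrub_request(headers: dict) -> dict:
    """Return a copy of the outbound request headers with identifying fields removed
    and the browser identification replaced by one string shared by all users."""
    cleaned = {name: value for name, value in headers.items()
               if name.lower() not in IDENTIFYING_HEADERS}
    cleaned["User-Agent"] = GENERIC_USER_AGENT
    return cleaned


class RetentionLog:
    """Access log that records only the destination host and a timestamp (never the
    client address) and destroys entries older than the retention window, which is
    the "frequent cycles of log destruction" the testimony calls for."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.entries = []  # list of (timestamp, destination host)

    def record(self, now: datetime, destination_host: str) -> None:
        self.entries.append((now, destination_host))
        self.purge(now)

    def purge(self, now: datetime) -> int:
        """Drop entries older than the retention window; return how many were destroyed."""
        cutoff = now - self.retention
        before = len(self.entries)
        self.entries = [(t, h) for (t, h) in self.entries if t >= cutoff]
        return before - len(self.entries)


# Constructed sample request as the proxy might receive it from a 1998 browser.
SAMPLE_REQUEST = {
    "Host": "www.example.org",
    "Cookie": "session=abc123",
    "Referer": "https://mail.example.net/inbox",
    "User-Agent": "Mozilla/4.04 (X11; I; Linux)",
    "Accept": "text/html",
}


def sample_run():
    """Scrub the sample request and run a two-day log cycle with a one-day window.
    Returns (cleaned headers, hosts still in the log)."""
    cleaned = scrub_request(SAMPLE_REQUEST)
    log = RetentionLog(retention=timedelta(days=1))
    log.record(datetime(1998, 7, 20, 9, 0), "www.example.org")
    log.record(datetime(1998, 7, 21, 10, 0), "www.example.com")
    return cleaned, [host for _, host in log.entries]


if __name__ == "__main__":
    cleaned, surviving = sample_run()
    print(cleaned)    # Cookie and Referer gone, User-Agent replaced
    print(surviving)  # only the 21 July entry survives the purge
```

Note that the retention window is enforced on every write rather than by a separate cleanup job, so the log can never hold more than one window's worth of history even if the cleanup job fails to run; the third-party access limits and security safeguards the paragraph also mentions are outside what this snippet shows.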

Digital Cash can vastly reduce the need for the collection and revelation of identity information. By providing alternative methods of authenticating value, the online environment can afford cash-like anonymity while providing some of the protections against theft associated with traditionally data intensive payment mechanisms. The ability to engage in cash-like transactions in the online environment is important to the protection of privacy. The enhanced data generation and collection that occur during the process of browsing a virtual store front (a merchant's World Wide Web site) increases the privacy concerns associated with the revelation of identity during the payment process. The capacity to connect information far in excess of the specifics of a given financial transaction to the individual's identity increases the risks to individual privacy relative to the offline world.

As with Anonymizers, the development of electronic payment mechanisms that protect privacy hinges on the use of strong cryptography and the creation of a robust public key infrastructure to support its use.

Digital Certificates can allow for the verification of an individual's permission to engage in activities, access information, or enter restricted areas without verifying the individual's identity. They can also be used to verify identity. Digital certificates and other credentialing mechanisms can limit the need to collect personal data by verifying attributes rather than identity. However, they are just as likely to be used to tie identity and attributes together with a single certified digital identity. Digital certificates can be issued on a purpose-specific basis, in which case it would be possible to limit the collection of information that could be used for other purposes. However, digital certificates can also be designed for multiple purposes, making it harder to control the collection and use of information.

In response to public and policy-maker concerns regarding the surreptitious collection of information, some of those responsible for network specifications and standards are moving towards designs and implementations that make data generation and collection more obvious. Concern over the privacy implications of "cookies," and particularly the collection of information about individuals' activities across unrelated Web sites enabled by some implementations, caused a ripple through the technical community. The initial response was the addition of a "cookie prompt" which alerts individuals that a Web site wishes to place a "cookie" on their browser. Broader responses include the current attempt by members of the Internet Engineering Task Force (IETF) to address privacy concerns with a rewrite of the "cookie" standard, and the availability of various technological tools that allow users to delete and/or disable "cookies."
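The browser-side controls this paragraph describes, a prompt before a cookie is stored and tools that block cookies, turn on one distinction: whether the cookie comes from the site the user is visiting or from some other site embedded in the page, which is the cross-site tracking case the paragraph singles out. The constructed example below, added here and not taken from any browser or from the IETF cookie work, classifies a cookie as first- or third-party relative to the page being viewed and then applies a per-category rule of allow, block, or prompt. The grouping of hostnames into "sites" by their last two labels is a deliberate simplification and an assumption; a real implementation would consult a public-suffix list.

```python
"""Constructed example of browser-side cookie control: classify each Set-Cookie as
first- or third-party relative to the page being viewed, then allow, block, or ask
the user. Not code from any browser or standards body."""
from urllib.parse import urlsplit


def registrable_site(hostname: str) -> str:
    """Group hosts into sites by their last two labels (assumption for illustration;
    a real implementation would use a public-suffix list so 'co.uk' is not a site)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie's name from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def classify(document_url: str, request_url: str) -> str:
    """'first-party' if the response setting the cookie comes from the same site as
    the page the user is viewing, otherwise 'third-party'."""
    page = registrable_site(urlsplit(document_url).hostname or "")
    source = registrable_site(urlsplit(request_url).hostname or "")
    return "first-party" if page == source else "third-party"


class CookiePolicy:
    """Per-category rule: 'allow', 'block', or 'prompt'. For 'prompt', the ask
    callback stands in for the cookie prompt dialog and returns True to accept."""

    def __init__(self, first_party="allow", third_party="block", ask=None):
        self.rules = {"first-party": first_party, "third-party": third_party}
        # If no dialog is wired up, decline: the safe default is not to store.
        self.ask = ask or (lambda kind, name, source_host: False)

    def decide(self, document_url: str, request_url: str, set_cookie: str) -> str:
        kind = classify(document_url, request_url)
        rule = self.rules[kind]
        if rule == "prompt":
            source_host = urlsplit(request_url).hostname or ""
            accepted = self.ask(kind, cookie_name(set_cookie), source_host)
            return "accept" if accepted else "reject"
        return "accept" if rule == "allow" else "reject"


# Constructed responses received while viewing one page of a news site: the site's
# own preferences cookie, and a tracking pixel from an unrelated ad network.
PAGE = "https://www.news-example.org/story/42"
RESPONSES = [
    ("https://www.news-example.org/story/42", "prefs=large-text; Path=/"),
    ("https://ads.tracker-example.net/pixel.gif", "uid=7f3a; Domain=.tracker-example.net"),
]


def run(policy: CookiePolicy) -> list:
    """Apply a policy to the sample responses; returns one decision per response."""
    return [policy.decide(PAGE, url, set_cookie) for url, set_cookie in RESPONSES]


if __name__ == "__main__":
    print(run(CookiePolicy()))  # default: first-party accepted, third-party rejected
    print(run(CookiePolicy(third_party="prompt",
                           ask=lambda kind, name, host: input(
                               f"{host} wants to set {kind} cookie '{name}' [y/N] ") == "y")))
```

With the default rules the site's own preferences cookie is stored and the ad network's identifier is rejected without any dialog, which is the "disable cookies" tool applied only to the cross-site case; switching the third-party rule to "prompt" gives the cookie prompt behaviour the paragraph describes.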

The World Wide Web Consortium's (W3C) Platform for Privacy Preferences (P3P) is a technical effort to provide a framework for implementing fair information practice principles on the Internet. The P3P effort attempts to leverage the unique characteristics of the Internet -- interactivity, real-time communication, and capacity to facilitate and support end-user decisions -- to facilitate privacy protection. The goal of the P3P project is to provide a common framework upon which various privacy policies and laws can be expressed, communicated, and complied with.

The Platform for Privacy Preferences provides a simple communication tool and language for the expression of data practices. In addition, the Platform for Privacy Preferences allows individuals to consider the data practices of an entity before interacting with it. Openness about data practices is likely to enhance the individual's ability to make choices that protect privacy and assist with the implementation of national and international policies.

The privacy "language" recently released by the W3C's Platform for Privacy Preferences Vocabulary Working Group is intended to be descriptive, as opposed to normative. It allows various statements of information practice, thereby supporting various policies and legal regimes. As it is intended for global use, the language was crafted with attention to existing fair information practice principles as reflected in national laws and self-regulatory codes. While it has been critiqued for being both over- and under-inclusive, the vocabulary is a first attempt to provide a language for privacy practices on the Web.

P3P does not establish preset limits on the collection of personal information; however, it promotes the ability of the individual, or those acting on their behalf, to set their own limits on the collection of information by others.
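The comparison that a P3P user agent performs on the individual's behalf, reading a site's declared data practices and checking them against the limits the user has set before the interaction proceeds, can be shown with a small constructed example. The code below is added here and is not W3C code; the statement fields (data, purposes, recipients, retention in days) and their values are a simplified vocabulary invented for this illustration and are not the actual P3P vocabulary released by the working group.

```python
"""Constructed example of P3P-style policy matching: a site's declared practices are
checked against a user's limits and every conflict is reported. The field names and
values are an invented, simplified vocabulary, not the real P3P vocabulary."""
from dataclasses import dataclass, field


@dataclass
class Practice:
    """One declared statement: which data is collected, for what purposes, who may
    receive it, and how many days it is kept (all values assumed for illustration)."""
    data: set
    purposes: set
    recipients: set
    retention_days: int


@dataclass
class UserLimits:
    """The limits the individual (or an agent acting for them) has set."""
    refused_data: set = field(default_factory=set)
    refused_purposes: set = field(default_factory=set)
    refused_recipients: set = field(default_factory=set)
    max_retention_days: int = 365


def evaluate(policy: list, limits: UserLimits) -> list:
    """Return a list of readable conflicts; an empty list means the site's declared
    practices fall within the user's limits."""
    conflicts = []
    for i, p in enumerate(policy):
        for d in sorted(p.data & limits.refused_data):
            conflicts.append(f"statement {i}: collects refused data '{d}'")
        for purpose in sorted(p.purposes & limits.refused_purposes):
            conflicts.append(f"statement {i}: refused purpose '{purpose}'")
        for r in sorted(p.recipients & limits.refused_recipients):
            conflicts.append(f"statement {i}: refused recipient '{r}'")
        if p.retention_days > limits.max_retention_days:
            conflicts.append(f"statement {i}: retained {p.retention_days} days, "
                             f"limit is {limits.max_retention_days}")
    return conflicts


def decide(policy: list, limits: UserLimits) -> str:
    """'proceed' when nothing conflicts, otherwise 'warn' so the user can choose."""
    return "proceed" if not evaluate(policy, limits) else "warn"


# Constructed site policy: routine server logs, plus a marketing statement that
# shares purchase data with other companies and keeps it for two years.
SITE_POLICY = [
    Practice(data={"clickstream"}, purposes={"site-administration"},
             recipients={"ours"}, retention_days=30),
    Practice(data={"email-address", "purchase-history"}, purposes={"marketing"},
             recipients={"ours", "other-companies"}, retention_days=730),
]

# Constructed user limits: no marketing use, no sharing with other companies.
PRIVACY_CONSCIOUS = UserLimits(refused_purposes={"marketing"},
                               refused_recipients={"other-companies"})

if __name__ == "__main__":
    for line in evaluate(SITE_POLICY, PRIVACY_CONSCIOUS):
        print(line)
    print(decide(SITE_POLICY, PRIVACY_CONSCIOUS))
```

The point the example makes is the one the paragraph makes: the agent imposes no fixed limits of its own, so the same site policy passes under a permissive UserLimits and is flagged under a strict one, and the decision rests with the individual rather than the site.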

The development of technological tools that enhance privacy should be promoted. Tools that facilitate anonymous interactions and those that allow individuals to control the flow of personal information once revealed are important to the protection of privacy in the online environment. The technological mechanisms examined above are responsive to some of the obstacles the Internet poses to traditional methods of policy implementation. Many can be independently deployed by the individual and require no reliance on, or agreement with, the government or other party. They may provide protection in environments that lack legal or other policy protections for privacy, lessening concerns about citizens' interactions with entities outside national borders. They may also provide protection which exceeds that available under existing law. In addition, while they may not answer the normative question, "What is the appropriate policy?" the existence of technologies that support data privacy will force decisions about data collection and use into stronger relief.

The rise of technologies that empower individuals to affirmatively control personal information on international networks presents an opportunity to fundamentally shift the balance of power between the individual and those seeking information. However, they must be viewed within the larger context of other efforts to produce cohesive privacy protections in the online environment. Currently US encryption policy is interfering with the availability of technical tools that protect privacy. Congress should seek to increase the availability of encryption and promote the development of other privacy-enhancing technologies.

VI. Conclusion

Privacy protections must keep pace with changes in technology and society's use of technology. As we consider privacy in the changing communications environment we must question past assumptions and the legal distinctions based upon them. More importantly, we must ask whether they provide protections reflective of our commitment to individual privacy autonomy, dignity, and freedom. Privacy protection in the electronic commerce environment will best be achieved through a combination of legislation, self-regulation and technology.

Establish limits on the disclosure and use of personal information by private entities. Both the Federal Trade Commission and the Department of Commerce are engaged in initiatives designed to promote "fair information practice principles" in the online environment. We are encouraged that Congress is exploring protections for individual privacy during private sector activities. In considering this issue we recommend that Congress: 1) authorize the Federal Trade Commission to establish baselines for protecting privacy grounded in the Code of Fair Information Practices developed by the Department of Health, Education and Welfare (HEW) in 1973 and the Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, adopted by the Council of the Organization for Economic Cooperation and Development in 1980; and 2) amend the Electronic Communications Privacy Act to clarify limits on government access to personal information and limit disclosures to third parties.

Encourage the development and implementation of technologies that support privacy on global information networks. Technological mechanisms for protecting privacy are critically important on the Internet and other global media. Developing meaningful privacy protections in the online environment requires us to realize that our laws and Constitutional protections may not follow our citizens, their communications, or their data as it travels through distant lands. Technology can provide protections regardless of the legal environment.

Strong encryption is the backbone of technological protections for privacy. Today technical tools are available to send anonymous email, browse the World Wide Web anonymously, and purchase goods with the anonymity of cash. The World Wide Web Consortium's Platform for Privacy Preferences, currently under development, will provide an underlying framework for privacy -- allowing Web sites to make their information practices available to visitors and individuals to set privacy rules that control the flow of data during interactions with Web sites. This effort has involved non-profit, for-profit, and government representatives.

The US should encourage the development of privacy-enhancing technologies that address the need either to eliminate data collection, or where data collection occurs: to limit the data collected; to communicate data practices; and to facilitate individualized decision-making where consistent with policy.

Collaborate with other governments, the public interest community, and the business community to develop global solutions for the decentralized network communications environment. Traditional top-down methods of implementing policy and controlling behavior, be they international agreements, national legislation, or sectoral codes of conduct enforced by the private sector, offer incomplete responses to the privacy issues arising on the global information infrastructure. Implementing privacy policy in the decentralized, global, and borderless environs of international networks raises difficult questions of effectiveness and enforcement. The US should work with all parties -- other governments, international bodies, and the public interest and for-profit communities -- to build consensus on appropriate policy. Providing a seamless web of privacy protection to individuals' data and communications as it flows along this international network may require new tools -- legal, policy, technical, and self-regulatory -- for implementing policy. The US should actively participate in their crafting.

Thank you for the opportunity to participate in this important discussion about protecting privacy in the online environment.