Privacy on the Internet: Everyone a Data Protection Officer?
Keynote Presentation
Alan F. Westin
Introduction
It has been said that a keynote speech should have the same relationship to the conference as the fan does to the fan dancer of earlier strip-tease days. That is, it should go before the subject and stir audience interest but it should not try to cover the subject completely.
In that spirit, let me try to stir your interest in today's proceedings by exploring four main themes:
- How should we think about the Internet as a new medium, and how do privacy issues here compare with our experiences with and the dynamics of privacy in the hard-copy, off-line worlds?
- Who are today's Internet users, and what does survey research in 1997 tell us about the experiences, concerns, and attitudes of U.S. Net users about online communication, commerce, and privacy?
- What is government doing in the United States to examine these online privacy issues, and what effects are these activities having?
- What are the possible roles of individual Net users in asserting their own privacy boundaries, and is it possible that the Net may turn out to be the most individually-responsive privacy medium in history?
Now, to stir your interest...
1.) How should we think about the Internet as a new medium, and how do privacy issues here compare with our experiences with and the dynamics of privacy in the hard-copy, off-line worlds?
The Internet now reaches well over 100 nations, and has somewhere between 50-75 million global users (depending on whose estimates you are most comfortable with). There are over 16 million hosts, of which four million are commercial sites.
A current story in the U.S. illustrates how pervasive the Internet is becoming. A third grade geography teacher asked her class what the capital of the nation was. "Washington, D.C.," one student volunteered. "Good," said the teacher, "and who knows what 'D.C.' stands for?" Another student quickly responded: "I know - dot com."
So how should we understand this increasingly pervasive activity in many organizational and personal lives, particularly in the advanced-technology democracies?
The Internet, it seems to me, should be recognized as an explosive new medium where the full array of human conduct plays out, and all the traditional tensions in democratic society over individual privacy, public disclosure, and society-protecting surveillance will have to be confronted in new settings.
- As a powerful new electronic medium, the Internet is reshaping patterns of communication, information exchanges, and - potentially - commerce. It has become a mass media preoccupation, and virtually everyone agrees that Internet development holds enormous potential for new and creative social, business, and political activity.
- But the Internet also replicates all the vices and pathologies of contemporary society, from consumer fraud and intrusive advertising to circulation of hate speech, soliciting obscene materials, promoting terrorist projects, and criminally stalking children and women. As in the earliest frontier days in America, the Internet abounds with modern day cattlemen, sheep-herders, farmers, saloon keepers, whores, and hacker-gunmen, with the influences of the schoolmarm, minister, sheriff, and judge also struggling to be heard and felt.
- The online and Net worlds also reproduce all the basic tensions about individual privacy, public disclosure, and society-protecting surveillance that democratic societies struggle with in the off-line world with new dangers and new opportunities just coming into focus.
With this general perspective, let me turn to a close look at the Internet world and the privacy risks and opportunities it is generating.
2.) Who are today's Internet users, and what does survey research in 1997 tell us about the experiences, concerns, and attitudes of U.S. Net users about online communication, commerce, and privacy?
In the Spring of 1997, Privacy & American Business commissioned Louis Harris & Associates to conduct the first statistically representative survey of the 42 million adult Americans (18 and older) currently using the Internet. The survey provided four U.S. populations for analysis and comparisons:
- total adult computer users (about 100 million);
- computer users on the Internet (about 42 million);
- computer users with online services but not on the Internet (about 28 million); and
- computer users not yet online or using the Net (about 49 million).
The survey report (written by Louis Harris, with an Interpretive Essay by myself) also compared the orientations of these four populations to the results on privacy-trend questions of the total U.S. adult public (about 190 million), based on 1995 and 1996 Harris-Westin privacy surveys.
First, who are the Computer users, both on and not yet on the Net?
- Demographically, Computer users are younger, have more education, and higher incomes than the general public. Net users are even younger, more affluent, and better educated than Computer users not on the Net.
- Computer users as a group, and the Net and Online user sub-groups, share overall business-privacy concerns at the same high levels as the general public. In 1995, 80 % of the total public felt that "Consumers have lost all control over how personal information about them is collected and used by companies." An identical 80 % of computer users agreed with this statement in 1997, with 82 % of Net users agreeing.
- On the other hand, Computer users are less fearful of technology than the general public. Where 63 % of the general public agreed in 1995 that "technology is almost out of control," only 55 % of 1997 computer users and 36 % of Net users shared that view.
- Computer and Net users are less distrustful of institutions (measured by the Harris-Westin Distrust Index) than the general public. Where the general public registered 71 % in High and Medium distrust in 1995, only 60% of Computer users in 1997 registered such distrust, with Net users at 56%.
- In another important overall comparison, U.S. Computer users and the general American public share a preference for voluntary over regulatory policies to protect consumer privacy. If businesses and industry associations adopt good privacy protection policies, 72 % of the general public said in 1995 they would prefer that approach; in 1997, 70 % of computer users and 72 % of Net users agreed with that view of voluntary being preferable to regulatory as a general matter. (However, as noted below, the U.S. public often favors sector-specific legislation, when it feels problems are outpacing voluntary efforts.)
- Only 5 % of Net users and 7 % of Online-Service users say they have personally been the victim of what they thought was an invasion of their privacy. Receiving unwanted email advertising and having personal information required or captured at web sites were the intrusions most complained of. This is a low level of direct invasion when compared to the 25 % of the public that reported in 1995 that they have had their privacy invaded in the off-line world, and 35 % in some particular consumer-information sectors.
- Moving from experiences to perceptions, online and Net users expressed a wide range of concerns over threats to the privacy and security of their activities online. Specifically:
- 53 % of Net users and 57 % of Online-Service users say they are concerned that information about which sites they visit will be linked to their e-mail address and disclosed to some other person or organization without their knowledge or consent. Not surprisingly, 55 % of Net users say the ability to choose not to give their real name is important to them in using the Internet.
- 59 % of Net users who send and receive e-mail are concerned that the contents of what they communicate will be obtained by some person or organization without their knowledge or consent.
- 42 % of those receiving unsolicited e-mail advertising say "it's getting to be a real pain" and want "to stop getting these messages." If there were a procedure for removing their e-mail addresses from unsolicited advertising, over a third (37 %) of e-mail users would want their names removed from all solicitations. (This compares with only 17 % of Computer users who would remove their names from all regular postal mailings.)
- 75 % feel there are privacy problems in putting state and local government's public records with personally-identified information on the Internet, even though these are available today to anyone in manual form and organizations can buy computer tapes of such records for business, legal, and research purposes.
- Computer users divide about equally on whether there is a significant difference between collecting marketing information from children in the off-line and online worlds. But, many practices generally accepted in marketing to children in the off-line world are strongly rejected for online conduct. When asked to assume that the purpose for gathering the information cited was the only use that a company would make of various types of information about children presented in a series of questions, majorities of computer users rejected the acceptability of all the types of uses presented.
- 59 % of computer users say it is not acceptable to ask children for e-mail addresses for the purpose of gathering statistics on site visiting, and 58 % oppose asking for such addresses to improve a business's product.
- 73 % of computer users say it is not acceptable to obtain the real names and addresses of children when they register to use a site, or to purchase products.
- And, 90 % say it is not acceptable (74 % "not at all acceptable") for companies to rent or sell the real names and addresses of their child registrants or customers to third parties for marketing.
- 75 % of computer users are NOT confident that companies on the net that are marketing to children would follow the policies they set forth on how they would handle the children's information they collect.
Reflecting these privacy concerns, especially where the potential safety of children is involved, a majority of Computer users say they favor legal action.
- 94 % of Computer users say that companies collecting information from children should be held legally liable for violations of their stated policies.
- When asked which of three roles "government" should take in approaching "Internet privacy issues," a majority of all Computer users - at 58 % - favor "passing laws NOW for how personal information can be collected and used on the Internet." 24 % favor government recommending standards but not passing laws now, and 15% say government should "let groups develop voluntary privacy standards but not take any action now unless real problems arise." However, only 47 % of Net users favor enacting government laws now, while those Computer users not using the Net or an online service favored government laws at 65 %.
- It should be noted that the question on government approaches came at the end of a detailed survey exploring potential threats to privacy and security, and especially after the series on children's privacy issues. Also to be noted is that the question did not specify whether state or federal governments should be the rule setters; just what kind of controls government would set, how these would be monitored, and which government agency would act as the enforcing agent; and what kinds of penalties and remedies would be installed. We can expect that the attitudes of computer users and especially Net users would be significantly affected by the alternatives presented on those matters.
In comparative terms, it is useful to note that the views of computer users overall, and online and Net users specifically, generally follow the patterns that past privacy surveys have found to operate as driving factors in the off-line world.
- Past Harris-Westin surveys have found that two-thirds majorities of the American public (and computer users as a sub-group) oppose creation of a federal regulatory agency covering the entire private sector (as in the European data protection commissions' model). But strong majorities will favor sector-specific legislation at the state or federal levels when the perception is that serious breaches of privacy and confidentiality are taking place and voluntary controls by industry or private groups are either ineffective or not adopted widely enough. Examples have included legislation that would forbid employers or health insurers to use genetic tests for employment or underwriting purposes, and federal laws protecting privacy and confidentiality of medical records and the increased electronic movement of personally identified health information. Computer-user support for "government" action on the Net suggests that the Net is seen as a "sector" in which voluntary policies are not yet perceived as present.
- In past privacy surveys, trust in the practices of an industry in handling its customers' personal information in a "proper" or "responsible" way and "respecting its confidentiality" came through as a major factor in helping the majority of the public (our 55 % "Privacy Pragmatists") to decide whether to give their personal information for organizational uses under privacy-policy promises or whether they would favor passing legislation to mandate the rules. In the 1997 online privacy survey, with ten industries that handle consumer information presented for judgment, a majority of respondents gave high ratings (in the 68-80 % ranges) to employers, hospitals, banks, and companies making computer hardware and software. But online companies - those offering Online Services, direct Internet access, and marketing products on the Net - received low confidence ratings, in the low 40 % levels. This placed them alongside credit bureaus and direct-mail marketers, two groups that have traditionally received low-confidence ratings in privacy surveys.
- The answers to most of the key questions relating to privacy concerns and policy preferences in our 1997 survey followed exactly the level of confidence in the three online businesses - the lower the confidence in online firms, the more privacy-oriented the positions. This was true, for example, with all the questions involving children's privacy; concern about the confidentiality of e-mail content; concern about putting public records on the Net; desire to remove their e-mail address from all unsolicited marketing; and support for passing government laws now on Internet privacy.
Since 70 % of U.S. Computer users generally favor voluntary policies over legislative rules for consumer privacy protection, the explanations for a majority of total Computer users favoring government action now for the Internet lie in a combination of factors (in addition to the effects of low confidence in online companies):
- There has been a steady drumbeat of largely alarming stories in both the mass and online/computer media about privacy and security risks on the Internet. These often present the situation as one in which no current tools or policies are available to protect users, and that staying off the Net, not using one's credit card for purchases, and never volunteering personal information are the sensible ways to proceed. Along with movies and TV programs depicting hackers and privacy invaders trolling the Net and finding helpless victims, the media coverage has sent a message to many millions of viewers and readers that Orwell's progeny own the online world.
- Industry association policies and guidelines for collecting and using consumer information online and on the Net are in a very early stage of roll out. Most of them were developed in 1996, and the most important ones are 1997 products, some just issued in late May or early June, and some to be presented at the Federal Trade Commission's Workshop on Consumer Privacy Online in mid-June. These include policies from the Direct Marketing Association, the Interactive Services Association, and others. It is highly doubtful that respondents to our survey in April of 1997 had heard about these, or had any experiences with them with which to decide how well they worked.
- The survey recorded remarkably low awareness by online service subscribers of the information-handling policies of their current service provider. Almost three out of four online service users (71 % plus 3 % don't know) said they were not aware of "any rules or policies [that their] online service has as to how it will use the information it maintains or collects about [their] online usage."
- A series of questions about how web site visitors decide whether to give registration-type information when they visit sites documented that most web site visitors are NOT today encountering clear, up-front declarations of information policy from most sites they visit. Net users say getting such information would have a major effect on their decisions whether to provide personal information, but 79 % say they have declined to give information to sites not explaining their policies, and 8 % say they have given false information.
- There was also very low awareness of software tools for exercising individual control over information and communication practices.
- 75 % of e-mail users said they weren't aware of any procedure or technique to remove their e-mail address from companies or organizations sending them advertising materials.
- 45 % of parents with children using the Net said they were not aware of any software programs that let parents automatically limit the websites their children visit or the personal information they can provide to sites.
It is also clear that very few members of the computer-using public have yet heard about new control approaches such as the e-Trust information labeling and independent-certification system for designating commercial web sites, or the privacy policies and preferences program being developed by the Center for Democracy and Technology, with strong business and public-interest group support.
Finally, strong interest was expressed by the privacy-concerned respondents in getting free and easy-to-use software tools that would allow them to state their preferences as to how they would wish their personal information to be used by business or organizational web sites, and even to conduct dialogues with such sites over just how such uses could be made acceptable. Similar strong interest was expressed by parents in getting and using software that would allow them to control what personal information their children could give to Internet sites or in chat rooms.
What are the implications of these survey results and their underlying explanations for the online and Internet industries, businesses marketing online, technologists, public-interest groups, government bodies, and individual online users?
Some surveys record confusion and indecision on the part of the public on controversial issues, or such low levels of knowledge or interest that the results offer little help to the public policy-making process. This survey, I believe, is just the opposite. It offers a clear call to all the communities sharing responsibility for the unique entity that is the Internet to hear and respond effectively to the concerns of Net and online users (and also computer users not yet online) that communication, information-exchange, and consumer commerce must be made more privacy-secure than either perception or reality make it today.
The results are certainly a summons to intensified action by the online and Internet industries and all companies hoping to create broad commerce on the Net. These groups must move guidelines and policies from paper to the daily online world. They must also give strong support to the development, distribution, and effectiveness-testing of personal privacy-enhancing tools: such as personal-information-control software tools; digital signatures and biometric identifiers to assure more secure personal identification; and easy-to-use encryption programs.
The low confidence that the survey results registered in the trustworthiness of online companies means that online business groups will have to engage in major educational and verification programs to demonstrate that the policies and tools they support do provide an effective platform for reasonable online privacy.
If - as this survey documents - the growth of Internet use and especially Internet communication and commerce depend on increasing user confidence in the medium's ability to provide reasonable privacy protection, there is cause for careful optimism. When a mass market and a major societal resource of the scope of the Internet depends as much as users say it will on providing consumer and citizen confidence, the stake for business and government in making that happen is enormous.
3.) What is government doing in the United States to examine these online privacy issues, and what effects are these activities having?
Clearly, government leaders in the U.S. are concerned about and intend to be active in examining online and Internet privacy issues.
Executive Branch Actions
At the Executive Branch level, the Federal Trade Commission held two important workshops in June of 1996 and 1997 examining the collection and uses of personal information in cyberspace. Several dozen witnesses appeared at each workshop - from business and industry associations, the online technology communities, consumer and privacy advocates, and legal experts. And, the full array of online privacy issues was examined - unsolicited advertising (spamming), online "lookup" services offering location information on individuals, "cookie" technology for identifying and tagging visitors to web sites, harvesting the comments of participants in forums, collection and uses of information from children on the Net, the status of filtering tools and other personal control mechanisms for users, identification "marks" attesting to information collection practices of a web site, etc.
At both of its workshops, the FTC concluded that there were serious privacy issues that needed immediate attention, especially in light of the Louis Harris-Privacy & American Business survey findings of computer-user concerns reported at the 1997 hearing. But the FTC endorsed the development of voluntary standards by industry and wide dissemination of personal-control software as the measures to be taken now. However, the FTC emphasized that its legal authority covering deceptive practices would enable it to prosecute any organization that violated the online information policies that it advertised to online visitors or customers, as well as the power to endorse industry-developed privacy policies and immunize such industry enforcement from threats of anti-trust violation.
Another highly active executive agency, the National Telecommunications and Information Administration (NTIA), in the U.S. Department of Commerce, sponsored the production and has just published a collection of analyses on the uses, advantages, and problems with self-regulation in cyberspace. The report, Privacy and Self-Regulation in the Information Age, offers a sophisticated set of commentaries ranging across the ideological spectrum, and is a valuable addition to the U.S. dialogues on how to approach setting privacy standards in the online environments.
As for the Clinton Administration itself, the President, Vice President Gore, and several Cabinet Secretaries held a White House event in July announcing and endorsing a report on Electronic Commerce by Presidential Assistant Ira Magaziner. In its section on privacy, the Magaziner Report emphasized that assuring the proper handling of personal information online was both a policy requirement and a necessary condition for the growth of electronic commerce. In this area, the Administration believes, given the rapidly-changing nature of online development and the need to balance privacy interests with free speech and consumer-choice values, "the private sector must lead." But the Clinton Administration said that government would watch closely for concrete progress, and would not hesitate to step in if voluntary efforts and technology tools were insufficient.
The Congressional Scene
Bills have been introduced in Congress to address half a dozen key online privacy issues - from spamming and junk email controls and protection against release of personal public-record information on the Internet to requirements for adult consent before information about children is gathered online. While Congressional committee hearings have been held on some of these issues, experts believe that only the children's privacy bills have any serious prospects for floor action and enactment in the 1997-98 period.
What effects have these Executive and Congressional actions had so far? Actually, they have spurred considerable activity. First, they have fed the U.S. mass media, and provided the raw material for widespread public education on threats to privacy and possible responses in the online world, as well as giving consumer, privacy, and children's rights advocates an important platform for their positions. Second, they have energized businesses and industry groups to address the development and promulgation of voluntary actions, from Privacy Notices on Web Site Home Pages to detailed industry codes for online marketing. Third, they have prompted substantial funds being committed and a rising customer market for technology tools such as parental controls, information filters, and special "trust marks" to assure individuals (with third party verification processes) of how their personal information will be used if they visit or patronize businesses online.
Most important, these government steps and solid survey research findings have served notice on business and industry leaders that there will be no substantial use of electronic commerce by American online consumers if reliable and effective privacy policies are not enunciated and implemented. In a market economy, that claim on management attention has extraordinary force, and is already fueling serious business actions.
4.) What are the possible roles of individual Net users in asserting their own privacy boundaries, and is it possible that the Net may turn out to be the most individually-responsive privacy medium in history?
Even though consumers have ultimate veto power over online economic activity, we might be pessimistic about the future of privacy in cyberspace were it not for the fortunate simultaneous arrival of what have come to be called "privacy-enhancing technologies." These include easy-to-use encryption software; the personal-control and parental-control software already mentioned; anonymous payment mechanisms (draw-down money cards, electronic purses, third-party payment systems, etc.); biometric identifiers for secure confidential transactions; and a wide variety of techniques for preserving anonymous communications and transactions online.
The fact that there are already both market-incentives and positive market responses for such personal-privacy technologies is a dramatic new development in information-technology and society relations since World War Two. Until now, virtually all inventions and applications supported organizational interests and enhanced organizational power, at the expense of "data subjects". Now, however, assuming that public demand, market incentives, and legal rules all are promoted to support individual-choice approaches online, there are good possibilities that a new balance of information power can be achieved in the 21st century. We can envisage a situation in which every person signing onto the Internet will, in effect, be sitting at the control panel, indeed, serving as their own Data Protection Commissioner in cyberspace.
Conclusions
I began by saying that the Internet world is reproducing and will continue to reproduce all of the tensions among personal privacy, public disclosure, and protective surveillance that democracies face in the off-line world. Calling privacy a "human right" and creating regulatory structures does not eliminate the hard choices that the enhanced communication and commercial opportunities of the Internet bring.
What makes me optimistic is that there seems to be such a firm sense among Computer users in the US and elsewhere that informational privacy must be addressed, and that individual notice-and-choice is the core principle to pursue.
It will take much passionate advocacy, collection of "horror stories" and "cautionary tales", and assembling of empirical experience with both voluntary and regulatory approaches if privacy values are to be installed in cyberspace. But, this is not beyond either the creative competence or the societal power of privacy supporters, and this meeting can help to start the process of finding our way.