International Information Programs Electronic Communications

15 June 2000

Excerpts: FTC, Industry Experts on Online Privacy

Government and leading internet advertisers discuss privacy, regulation

With e-commerce expanding at an exponential rate, "profiling done by network advertisers raises serious privacy concerns among many consumers," said U.S. Senator John McCain June 13 as he opened a hearing of the Committee on Commerce, Science and Transportation. The Federal Trade Commission (FTC) and leading online advertisers testified on Internet privacy and how it may be violated by online profiling.

Online profiling is the practice of gathering information about Internet consumers, often without their knowledge or consent, through various technological tools that track a user's movements to various sites on the World Wide Web. These personal preferences are stored by network advertisers and later used to target advertisements to specific users each time they log onto the Internet.

Although consumers may benefit from advertisements designed to fit their interests, many concerns have been raised about the potential for abuse. With children's personal data, and financial and medical histories increasingly available online, unregulated profiling clearly presents a threat to consumer privacy. It is currently very difficult for consumers to avoid, or "opt out" of, these collection practices.

Jodie Bernstein, director of the Bureau of Consumer Protection at the FTC, described the pros and cons of online profiling in detail and said, "The Commission is committed to the goal of ensuring online privacy for consumers and will continue working to address the unique issues presented by online profiling." Bernstein also highlighted ongoing FTC and industry efforts to encourage self-regulation.

Internet consultant Richard M. Smith described to the committee how online profiles are compiled, focusing on the numerous technological tools that can link online profiles to specific users and so put the privacy of consumers at greater risk.

Representatives from DoubleClick and Engage, Inc., the two largest online advertising companies, both emphasized the importance of industry self-regulation, citing current technological and legislative commitments to do so.

Following is an excerpt of the Bernstein statement:

(begin excerpt)

Prepared Statement of Jodie Bernstein, Dir. of Bureau of Consumer Protection, the Federal Trade Commission, on "Online Profiling: Benefits and Concerns"

Before the

Committee on Commerce, Science, and Transportation United States Senate

Washington, D.C.

June 13, 2000

I. Introduction and Background

A. FTC Law Enforcement Authority

The FTC's mission is to promote the efficient functioning of the marketplace by protecting consumers from unfair or deceptive acts or practices and to increase consumer choice by promoting vigorous competition. As you know, the Commission's responsibilities are far-reaching. The Commission's primary legislative mandate is to enforce the Federal Trade Commission Act ("FTCA"), which prohibits unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce. With the exception of certain industries and activities, the FTCA provides the Commission with broad investigative and law enforcement authority over entities engaged in or whose business affects commerce. Commerce on the Internet falls within the scope of this statutory mandate.

B. Privacy Concerns in the Online Marketplace

Since its inception in the mid-1990's, the online consumer marketplace has grown at an exponential rate. Recent figures suggest that as many as 90 million Americans now use the Internet on a regular basis. Of these, 69%, or over 60 million people, shopped online in the third quarter of 1999. In addition, the Census Bureau estimates that retail e-commerce sales were $5.2 billion for the fourth quarter of 1999, and increased to $5.3 billion for the first quarter of 2000. At the same time, technology has enhanced the capacity of online companies to collect, store, transfer, and analyze vast amounts of data from and about the consumers who visit their Web sites. . . .

C. The Commission's Approach to Online Privacy - Initiatives Since 1995

Since 1995, the Commission has been at the forefront of the public debate concerning online privacy. The Commission has held public workshops; examined Web site information practices and disclosures regarding the collection, use, and transfer of personal information; and commented on self-regulatory efforts and technological developments intended to enhance consumer privacy. The Commission's goals have been to understand this new marketplace and its information practices, and to assess the costs and benefits to businesses and consumers.

In June 1998 the Commission issued Privacy Online: A Report to Congress ("1998 Report"), an examination of the information practices of commercial sites on the World Wide Web and of industry's efforts to implement self-regulatory programs to protect consumers' online privacy. The Commission described the widely-accepted fair information practice principles of Notice, Choice, Access and Security. The Commission also identified Enforcement - the use of a reliable mechanism to provide sanctions for noncompliance - as a critical component of any governmental or self-regulatory program to protect privacy online. In addition, the 1998 Report presented the results of the Commission's first online privacy survey of commercial Web sites. While almost all Websites (92% of the comprehensive random sample) were collecting great amounts of personal information from consumers, few (14%) disclosed anything at all about their information practices. . . .

On May 22, 2000, the Commission issued its third report to Congress examining the state of online privacy and the efficacy of industry self-regulation. Privacy Online: Fair Information Practices in the Electronic Marketplace ("2000 Report") presented the results of the Commission's 2000 Online Privacy Survey, which reviewed the nature and substance of U.S. commercial Web sites' privacy disclosures, and assessed the effectiveness of self-regulation. In that Report, a majority of the Commission concluded that legislation is necessary to ensure further implementation of fair information practices online and recommended a framework for such legislation.

II. Online Profiling

On November 8, 1999, the Commission and the United States Department of Commerce jointly sponsored a Public Workshop on Online Profiling. As a result of the Workshop and public comment, the Commission learned a great deal about what online profiling is, how it can benefit both businesses and consumers, and the privacy concerns that it raises.

A. What is Online Profiling?

More than half of all online advertising is in the form of "banner ads" displayed on Web pages - small graphic advertisements that appear in boxes above or to the side of the primary site content. Often, these ads are not selected and delivered by the Web site visited by a consumer, but by a network advertising company that manages and provides advertising for numerous unrelated Web sites.

In general, these network advertising companies do not merely supply banner ads; they also gather data about the consumers who view their ads. This is accomplished primarily by the use of "cookies" which track the individual's actions on the Web. The information gathered by network advertisers is often, but not always, anonymous, that is, the profiles are frequently linked to the identification number of the advertising network's cookie on the consumer's computer rather than the name of a specific person. In some circumstances, however, the profiles derived from tracking consumers' activities on the Web are linked or merged with personally identifiable information.

Once collected, consumer data is analyzed and can be combined with demographic and "psychographic" data from third-party sources, data on the consumer's offline purchases, or information collected directly from consumers through surveys and registration forms. This enhanced data allows the advertising networks to make a variety of inferences about each consumer's interests and preferences. The result is a detailed profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits and enables the advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. . . .

Although network advertisers and their profiling activities are nearly ubiquitous, they are most often invisible to consumers. All that consumers see are the Web sites they visit; banner ads appear as a seamless, integral part of the Web page on which they appear and cookies are placed without any notice to consumers. Unless the Web sites visited by consumers provide notice of the ad network's presence and data collection, consumers may be totally unaware that their activities online are being monitored.

B. Profiling Benefits and Privacy Concerns

Network advertisers' use of cookies and other technologies to create targeted marketing programs can benefit both consumers and businesses. As noted by commenters at the Public Workshop, targeted advertising allows customers to receive offers and information about goods and services in which they are actually interested. Businesses clearly benefit as well from the ability to target advertising because they avoid wasting advertising dollars marketing themselves to consumers who have no interest in their products. Additionally, a number of commenters stated that targeted advertising helps to subsidize free content on the Internet.

Despite the benefits of targeted advertising, there is widespread concern about current profiling practices. The most consistent and significant concern expressed about profiling is that it is conducted without consumers' knowledge. The presence and identity of a network advertiser on a particular site, the placement of a cookie on the consumer's computer, the tracking of the consumer's movements, and the targeting of ads are simply invisible in most cases.

The second most persistent concern expressed by commenters was the extensive and sustained scope of the monitoring that occurs. Unbeknownst to most consumers, advertising networks monitor individuals across a multitude of seemingly unrelated Web sites and over an indefinite period of time. The result is a profile far more comprehensive than any individual Web site could gather. Although much of the information that goes into a profile is fairly innocuous when viewed in isolation, the cumulation over time of vast numbers of seemingly minor details about an individual produces a portrait that is quite comprehensive and, to many, inherently intrusive. . . .

C. Online Profiling and Self Regulation: the NAI Effort

The November 8th workshop provided an opportunity for consumer advocates, government, and industry members not only to educate the public about the practice of online profiling, but to explore self-regulation as a means of addressing the privacy concerns raised by this practice. In the Spring of 1999, in anticipation of the Workshop, network advertising companies were invited to meet with FTC and Department of Commerce staff to discuss their business practices and the possibility of self-regulation. As a result, industry members announced at the Workshop the formation of the Network Advertising Initiative (NAI), an organization comprised of the leading Internet Network Advertisers - 24/7 Media, AdForce, AdKnowledge, Avenue A, Burst! Media, DoubleClick, Engage, and MatchLogic - to develop a framework for self-regulation of the online profiling industry. . . .

III. Conclusion

The Commission is committed to the goal of ensuring privacy online for consumers and will continue working to address the unique issues presented by online profiling. I would be pleased to answer any questions you may have.

(end Bernstein excerpt)

Following is an excerpt of Smith's testimony:

(begin excerpt)

On Internet Privacy and Profiling

Senate Commerce Committee

June 13, 2000

Richard M. Smith
Internet Consultant
Brookline, Massachusetts

. . . . Regardless of whether online profiling systems make economic sense or not, from a privacy standpoint, they present some real dangers. These systems are monitoring people as they surf the Internet. What data is being collected and what is being saved away is not made very clear. All of the uses of this data are not disclosed and may change over time. Also, in spite of claims by Internet ad companies that the profiles are anonymous, almost all of these companies maintain separate databases with personal data that can be combined with the anonymous profiles at any time using cookie synchronization.

However, the real danger that I see with online profiling is that Internet ad companies have set up extensive monitoring systems to provide data for profiling. It is almost like they have put hidden microphones in our homes and our offices and they are listening to what we do all day long. Pretty obviously if you deploy hidden microphones, you are going to pick up information which is personal in nature. And this is exactly what I have found on my own computer. The data collection systems that the Internet ad companies are currently running are getting personal and sensitive information that almost everyone will agree is none of the business of these companies. The problem here is one of collateral damage.

Data Spills

The first problem that I have seen at many Web sites is the problem of data spills. A data spill is where information that is typed into a form at a Web site is accidentally sent off to an Internet ad company. Data spills are caused by poor Web site design. Because I do logging of my Internet traffic from my computer, I can detect data spills. In a two-month period, I found close to 10 data spills of personal data to DoubleClick. These data spills include things like my name, home address, Email address, and birth date. Web sites that were sending off this data to DoubleClick included well-known sites like AltaVista, RealNetworks, HealthCentral, Quicken, and Travelocity. . . .

In the near term, I am hoping to see Internet ad companies publicly commit to not use this unsolicited personal data from data spills. The best place to do this I think is in their privacy policies. The idea here is to acknowledge the problem that Web sites may accidentally give away personal data, but the Internet ad networks will discard it and not make use of it.

Over the long term, there is a simple technology solution to the problem that can be implemented by Web browser companies. This solution involves eliminating referring URLs from being sent in situations where a data spill is likely to occur. Referring URLs can contain the personal data in a data spill.

Web Bugs

Besides banner ads, Internet ad companies also track users with something I've nicknamed "Web Bugs". A Web Bug is an invisible image on a Web page that sends back the cookie of an Internet ad company to their servers. The main purpose of a Web Bug is to track what pages users are going to on the Internet. Given that images are invisible on the page, the average user has no way of knowing that they are being tracked in this manner. In addition, to my knowledge, no Web site or Internet ad company has ever disclosed the use of Web Bugs in their privacy policies.

Pretty obviously, people in the Internet ad business do not call these invisible images "Web Bugs". Instead they use names like "clear GIFs", "1-by-1 pixels", "tracker GIFs", and sensors. Since no one has come up with a consistent name for them, I will continue to use the term "Web Bugs".

Even though there has not been very much public discussion about Web Bugs, they seem to be employed by most Internet marketing companies. In my discussions with these companies, I have been told that they are used for these purposes:

  • To see who has come to a Web site after viewing a banner ad

  • To transfer both personal and non-personal information from a Web site to an Internet ad company

  • To provide data to an online profile

  • To count ad impressions and page hits. . . .

Although Internet ad companies represent that they do not do profiling of sensitive areas such as children, medical, financial, and sexual issues, most of them will use Web Bugs on pages that deal with these areas. Here are a few illustrations of Web pages that employ Web bugs that I believe most people will find troubling:

  • Kids Zone of Santa.com (http://www.santa.com/santa/kidszone/index.htm)

  • Procrit.com (http://www.procrit.com)

  • Rodale Press (http://www.sexamansguide.com/a/home/order.rhtml)

  • Metropolitan Life (http://metlife.com/Salescareers/Apply/Docs/online_interview.html)

The Procrit Web site is the most interesting use of Web Bugs on the list. Procrit is a product of Ortho Biotech which is a subsidiary of Johnson and Johnson. The drug is used to fight anemia in patients with a number of different conditions including AIDS, cancer, and kidney disease. Hidden image files from DoubleClick are strategically placed on the Procrit Web site in order to distinguish if someone is at the site because they are interested in treatments because of AIDS vs. cancer vs. kidney disease. Needless to say, I believe that most visitors to the Procrit site would be very surprised to learn they are being monitored in this way. . . .

Over the last 3 or 4 years, the industry has settled on the use of Web site privacy policies to inform consumers about what data is being collected by a Web site and what is done with the data. Today almost all popular Internet sites have privacy policies in place. In most areas these privacy policies do an acceptable job of informing a consumer what they can expect with information. One very notable exception is the use of online profiling at their sites.

In addition, all of the major Internet ad companies also have privacy policies that describe how banner ad networks work, what data is being collected by these networks, and the details of online profiling. Also, most of the Internet ad companies offer an "OPT-OUT" to allow consumers the ability to turn off tracking and profiling. However, there is one major flaw with the privacy policies of Internet ad companies.

Consumers have almost no way of ever seeing these privacy policies. The problem here is the Internet ad companies are hidden in the background at Web sites and consumers by and large do not know anything about the companies. Web sites, in their own privacy policies, have not helped the situation very much for consumers. . . .

Conclusion

The bottom line for me on online profiling is that Internet ad companies are getting too much data about us. Their ad networks function as tracking systems. They gather data about us from search strings, banner ads on Web pages we visit, data spills, and Web Bugs. Clearly the data collection systems of the Internet ad companies are gathering more information about us than is necessary to show banner ads...

(end Smith excerpt)
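
The traffic-logging check Smith describes for data spills, and a page scan for Web Bugs, can be sketched as follows; this is an added example, not code from the testimony or from any company named in it. The host names, the field-name heuristics and the sample traffic are constructed assumptions.

```python
"""Flag data spills and Web Bugs in locally captured traffic (constructed samples)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: heuristic patterns for form fields that usually carry personal data.
PERSONAL_KEYS = re.compile(r"(e-?mail|name|addr|street|zip|phone|birth|dob)", re.I)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def site_of(host):
    """Crude site key: the last two DNS labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url, page_url):
    host, page_host = urlsplit(url).hostname, urlsplit(page_url).hostname
    return bool(host and page_host) and site_of(host) != site_of(page_host)


def find_data_spills(requests):
    """requests: (request_url, referer) pairs. Returns (request host, leaked fields)."""
    spills = []
    for url, referer in requests:
        if not referer or not is_third_party(url, referer):
            continue  # first-party request: the form data never left the site
        leaked = sorted(k for k, v in parse_qsl(urlsplit(referer).query)
                        if PERSONAL_KEYS.search(k) or EMAIL_VALUE.match(v))
        if leaked:
            spills.append((urlsplit(url).hostname, leaked))
    return spills


class WebBugFinder(HTMLParser):
    """Collects third-party <img> tags declared as 0 or 1 pixel in both dimensions."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tiny and is_third_party(a.get("src") or "", self.page_url):
            self.bugs.append(a["src"])


def find_web_bugs(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.bugs


# Constructed sample traffic: (request URL, Referer header sent with it).
SAMPLE_REQUESTS = [
    ("http://ad.adnet.example/banner.gif",
     "http://www.shop.example/register?first_name=Jane&email=jane%40mail.example&zip=02446"),
    ("http://ad.adnet.example/banner.gif", "http://www.shop.example/search?q=books"),
    ("http://img.shop.example/logo.gif",
     "http://www.shop.example/register?email=jane%40mail.example"),
]
# Constructed sample page.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif" width="120" height="60">
<img src="http://ad.adnet.example/track.gif?page=order" width="1" height="1">
<img src="http://ad.adnet.example/banner.gif" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    print(find_data_spills(SAMPLE_REQUESTS))
    print(find_web_bugs("http://www.shop.example/order", SAMPLE_HTML))
```

Only the field names are reported, not their values, so the output of the check does not itself become a second copy of the spilled data.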

Following is an excerpt of Jaye's testimony:

(begin excerpt)

Testimony of
Daniel Jaye, Chief Technology Officer
Engage, Inc.

Hearing Before Commerce Committee
United States Senate

June 13, 2000

Privacy-Driven Technological Innovation is Further Empowering Industry and Consumers Themselves to Raise the Bar

Continued technological innovation promises our online industry - and the web visitors themselves - sophisticated yet simple tools to support consumer privacy interests. I can report first-hand that the online industry has indeed brought to bear in the interest of consumer privacy the same zeal for technological breakthroughs that have characterized - and fueled - the Internet itself. The result: a remarkable progression of emerging solutions that will offer consumers previously unimagined forms of notice, choice and protection of their own personal privacy demands.

Emerging tools offer not only instantaneous and automatic notice and choice, but more than that, they also would empower consumers essentially to set for themselves just what measure of privacy they demand - and to avoid any sites that fail to meet their personal standards. The Platform for Privacy Project (P3P) at the World Wide Web Consortium (W3C) would enable a web server to communicate automatically how it collects and shares user data so users can define what privacy standards they prefer for that particular site or in general. Engage was a co-author of the P3P Protocol Specification.

Beyond this, we are very excited about a specific application of P3P in the context of "TrustLabels" for cookies. . . . This technology critically serves the goal of universal compliance with privacy standards. It permits consumers to compel online businesses to be privacy-sensitive because those businesses that attempt to set a cookie and do not meet consumers' privacy demands will cause a warning alert to be displayed on the computer screen of the user, allowing a choice (probably "NO") to be made solely by the consumer regarding whether to permit the business to collect data. . . .The bad actor will actually be locked out of the marketplace. This, more than any regulation, will drive universal compliance with seal programs. And, on the Internet, such technology-based enforcement does not stop at national borders. . . .

Extending Privacy-Sensitive Practices Through Industry Self-Regulation

Along with this commitment to developing robust technological tools to empower consumers, online industry leaders have relied on a complementary set of additional tools to raise the bar industry-wide for the protection of consumer privacy:

  • First, adopting effective standards for industry collection and use of consumer data;

  • Second, giving those standards teeth through enforceable and increasingly vigorous seal of approval programs;

  • Third, extending the reach of those standards by incorporating them into contracts with other online businesses not already subject to such standards; and,

  • Finally but critically, actively educating consumers and business customers about our business and the available means for effectively safeguarding privacy on the Web...

Conclusion

The potent combination of technological innovation, industry standards, contractual requirements extending those standards, enforceable privacy seal programs, consumer and industry privacy education, and FTC enforcement offers a highly reliable and uniquely effective response to online privacy concerns. These initiatives bolster what are already formidable marketplace checks on online businesses' protection of consumer privacy. The needs of our customers to attract - and not repel - consumers will ensure that we get the job done.

But so too is it critical to ensure that we do not needlessly undermine the effectiveness of online advertising by freezing the development of new technological tools to meet consumer and business needs. Instead of setting a floor that turns into a ceiling as well, the power of the market and the dynamism of technological innovation promise continued remarkable developments to protect privacy interests. As I suggested at the outset, the viability of e-commerce, of our advertising-supported Internet, and thus of all the Internet's tremendous economic and societal benefits depends on it.

(end Jaye excerpt)



This site is produced and maintained by the U.S. Department of State. Links to other Internet sites should not be construed as an endorsement of the views contained therein.
