Industry and consumer advocacy groups will square off this week before the Federal Trade Commission over the best way to protect user privacy online: industry self-regulation or federal legislation.
Beginning tomorrow in Washington, D.C., the FTC's Bureau of Consumer Protection will hear four days of public testimony on hot-button topics ranging from children's privacy online to "look-up" services, searchable online databases that contain individuals' personal information.
The agency and Congress will eventually decide whether private businesses should be left alone to set standards for collecting surfers' personal information, or if federal regulation is needed to discourage the misuse of personal data on the Net.
"The workshop comes at an excellent time," said Marc Rotenberg, director of privacy lobbyist Electronic Privacy Information Center (EPIC), which backs some online privacy legislation. "It's almost a national education on privacy issues, which is very important right now."
Last year, FTC commissioner Christine Varney challenged the industry to create guidelines for collecting, distributing, and disclosing the uses of private data from consumers. Now the FTC will check that work.
"What we're trying to show is that the industry is doing a good job of self-regulation," said Tim Dick, president of WorldPages, an online look-up service. "We also hope that a distinction is made between technically public records, such as tax records, and information which is consented for publication."
If the Internet industry doesn't sway official Washington with self-regulation efforts, a raft of bills in Congress are waiting to legislate online privacy. At least a dozen bills have already been introduced on Net privacy to keep kids' names off marketing lists, bar publishing Social Security numbers, ban junk email, and stop online services from selling personal data on subscribers.
Online privacy has been hotly debated as the Internet becomes increasingly commercialized. Many Web sites that register users request personal information, including names, zip codes, email addresses, even marital status or household income. Privacy advocates worry that such personal data might be abused or passed along to someone else.
But businesses with Web sites say they need the information to develop better products and to dish up ads and content specific to a surfer's interests.
Getting a jump on the hearings, EPIC today released a report on personal privacy on the Net. Titled "Surfer Beware," it reviews privacy practices of top Web sites, examines the state of Net privacy policies today, and recommends online privacy measures.
"There's still a lot of anonymity online, and we view that as positive," said EPIC's Rotenberg. "Anonymity is the firm bedrock of privacy, and we're going to encourage people to respect anonymity."
Public comments submitted for the FTC's hearing frequently cite the Lexis-Nexis P-TRAK look-up service, which for ten days last June displayed Social Security numbers before a public outcry forced Lexis-Nexis to back off.
Lexis-Nexis will testify on its new policies and lobby for making databases like P-TRAK available, citing their utility for locating pension fund beneficiaries, uniting separated families, and collecting child support. The company's internal policies preclude it from displaying information about minors, revealing personal medical information, and divulging sensitive credit report data.
But many public interest groups argued that self-regulation isn't enough in comments before the hearings.
"Self-regulatory efforts have been useful in encouraging database operators to establish effective privacy policies and procedures. However, they are limited by the fact that not all databases adopt them and that there is no meaningful penalty for failing to adopt or adhere to them," the National Consumers League wrote in a statement.
Added the Center for Democracy and Technology: "There is a need to provide parents with tools and policies that respond to their concerns about their children's privacy...Parents have different concerns...Policies and technical tools must address the diversity of values, views, and parenting styles." The Center for Media Education also backs regulations on child privacy.
Industry antiregulation forces are pinning their hopes on private-sector initiatives like eTRUST. The group, initially sponsored by privacy advocate Electronic Frontier Foundation and e-commerce trade group Commerce.Net, will announce tomorrow that it will go live with its "trust marks" for Web sites. The marks indicate what sites do with information collected about visitors.
The program has three marks: "No Exchange" means no personally identifiable information will be used by the site; "One-to-One" means the site itself will collect and use personal data but won't give it to others; and "Third Party" means the Web site may give personal data to others.
Fees for using the marks will range from $500 to $5,000 annually. Pledging $100,000 each for the program are retailer Lands End, publisher Wired, and high-tech firms AT&T, CyberCash, IBM, Tandem, Oracle, and Netscape.
About 50 companies participated in a pilot test starting late last year. The program also will change its name to TRUSTe because of a trademark dispute over the original eTRUST name.
A Web standards initiative, another nongovernmental approach, also will get a boost this week when Netscape and software tools vendor Firefly Network add new supporters to the 60 backers of their Open Profiling Standard proposal, which has been submitted to the World Wide Web Consortium standards body.
OPS is intended to put individuals in control of what private data Web sites collect on them so sites can customize content or services for their individual tastes.
But an earlier standards effort to control the use of software "cookies"--digital tags that some Web sites attach to visitors' Web browsers to track their activity--has been caught in a crossfire between privacy advocates and Internet marketers.
Likewise, the Direct Marketing Association, a trade group for the direct-mail industry, with the Interactive Services Association, an industry association of online services, last year urged a self-regulation program to let consumers opt out of direct-mail appeals.
But the Privacy Rights Clearinghouse, in comments for this week's hearings, slammed the DMA-ISA self-regulation results.
"These self-regulatory approaches have some major shortcomings that bring into question the ultimate efficacy of the self-regulatory approach," the clearinghouse states. It mentions specifically the lack of "mechanisms for compliance and enforcement," asking, "Will noncompliant entities be fined or sanctioned in some other way?
In response, the DMA this week will introduce a 24-page booklet for parents on Internet privacy and other topics.
Courtney Macavinta is reporting from the Federal Trade Commission hearings in Washington, D.C. Tim Clark is reporting from California.