In a meeting participants described as civil but contentious, 40 companies, advocacy groups, academics, elected officials and industry experts convened in Washington for the fourth and possibly last time today to hammer out recommendations to the Federal Trade Commission (FTC) on online privacy.
Members of the committee include some of the highest-profile names in the debate over online privacy, ranging from hard-core privacy advocacy groups such as the Electronic Privacy Information Center (EPIC) to Web advertising firm DoubleClick--the subject of an FTC privacy probe--and the Direct Marketing Association (DMA).
Unable to reconcile their differences and come up with recommendations, participants have decided instead to settle on a draft list of options the FTC can choose from before it reports to the U.S. Congress with its own recommendations.
"This is like a committee of mothers of Columbine students and the NRA getting together to recommend a policy on gun control," said observer Jason Catlett, president of online privacy advocacy group Junkbusters. "We're not going to arrive on a single position."
The Advisory Committee on Online Access and Security (ACOAS) expects to complete its report May 15. The FTC will then report to Congress, as it has been doing since 1998, on how it should legislate on the issue of online privacy.
Some participants in today's meeting applauded the group's ability to be civil and constructive despite members' diametrically opposed interests, but noted moments of particular tension. In one of these, according to participants, the DMA asked that the term "right" to privacy be struck from the record.
"That sort of bristles with privacy advocates who see a fundamental privacy right," said Catlett.
Committee members said their challenge lies not only in accommodating irreconcilable differences in their report, but in crafting suggestions for handling private data in starkly contrasting online settings.
"What we've discovered is that it would be virtually impossible to come up with one model that fits all business," said Larry Ponemon, a partner in PricewaterhouseCoopers who describes himself as the firm's "privacy geek." "You have health care vs. pure business vs. consumer commerce sites vs. financial services."
One issue at the top of the committee's agenda is figuring out how Web sites can let visitors know how their personal information, such as names and credit card numbers, will be used. A related challenge is working out how a consumer can find out how much data a site holds about him or her.
Members are grappling with the question of how Web sites should secure personal data they collect. Sites such as CD Universe have lost control of visitors' private information thanks to computer break-ins.
While advocacy groups lobby Congress to take action on the privacy issue, companies including Microsoft--an advisory committee member--and standards organizations are homing in on technological solutions to the online privacy debacle.
"We're coming down on a side that is a balance between self-regulation and regulation," said Ponemon. "Self-regulation can work but only where there are enforcement options. There would have to be rather stiff measures against companies that fail to comply. We think there will be a need for independent verification or audits, done by firms like PricewaterhouseCoopers or VeriSign."
The FTC could not be reached for comment. But sources said the agency expects to deliver its report, based on the advisory committee's work, over the summer.