Privacy holes signal need for standards

Just over the last few weeks, the likes of Intel, Microsoft, Yahoo, Excite, and Macromedia have faced problems in protecting users' personal data.

Though the breaches varied in seriousness and reach, the sheer number of them underscores what Hong Kong's privacy chief and other international officials said last week at the Computers, Freedom & Privacy conference in Washington: Although the United States dominates in Net innovation, usage, and investment, its data protection policies are lacking and are beginning to trail those of the rest of the world.

Part of the problem is that self-regulation alone will not curb privacy abuses, according to some privacy advocates. Many of them are calling on Congress to pass new legislation to focus companies' attention on privacy concerns. But privacy advocates face the resistance of many in the Net industry and the Clinton administration, who say new laws are not needed, and self-regulation should be given a chance to work.

To Ari Schwartz, policy analyst for the Center for Democracy and Technology, the recent breaches indicate that Net companies aren't paying enough attention to privacy.

"Privacy has not been the first concern when these systems go up," Schwartz said. "Privacy doesn't get as much attention as it should."

Along with causing problems for Net users, privacy issues also stand to thwart the Net's growth. For example, a recent study from trade group Information Technology Association of America and Ernst & Young named privacy as a top barrier to the growth of Internet commerce.

Schwartz said threats to privacy online are a "pervasive" problem. Although companies say they understand privacy concerns, he said there are often gaps between companies' policies and how they implement them.

"The policy people talk about privacy on one hand and the software designers implement it differently than the policy people have been discussing it publicly," Schwartz said.

Although Schwartz said that strong self-regulatory schemes are important in curbing privacy abuses, he and the CDT are calling for legislation that would establish a baseline standard for privacy protection. He said such legislation would enable prosecutors to go after sites that don't meet the standards.

Echoing Schwartz, Jason Catlett, president of Junkbusters, also said that privacy legislation is needed. He noted that consumers have grown to expect a certain level of service from companies they patronize offline; for example, General Motors or Ford couldn't just say "whoops" if the brake system on one of their cars failed.

"People would not accept that in the physical world, and they shouldn't accept that kind of lame excuse in the online world," Catlett said.

Catlett said the problem is that there is little economic incentive for Web companies to focus on protecting privacy. He said what is needed is a law that would provide statutory damages for people whose privacy has been violated.

"If there isn't a strong means of redress for consumers whose privacy is violated, then companies will not spend the money to engineer and oversee their information systems to minimize these errors," Catlett said.

But Sydney Rubin, spokeswoman for the industry-backed Online Privacy Alliance, said companies are already focusing on online privacy--and are spending the money to prove it. She pointed to company privacy policies, resources spent on enforcing the policies such as hiring employees to monitor them, and industry support for privacy seal programs such as Truste and BBBOnline.

While Rubin acknowledged that the threat of legislation has helped to focus the online industry on privacy, she questioned what new laws would accomplish, especially in the case of technology-related breaches.

"It's not clear how you legislate against software mishaps," Rubin said. "How do you legislate the imperfections out of technology?"

Rubin said that deceptive trade practice and fraud laws already exist to curb the worst privacy abuses. She added that the Online Privacy Alliance had already established a baseline for privacy protection, and that its children's privacy policy served as the model for last year's Children's Online Privacy Protection Act.

"This is not a new problem--it is a new technology," Rubin said. "There's lots of things to be worked through, and industry is working through them."

Proof of protection
Like Rubin, Paola Benassi, product operations manager at Truste, said Web sites have made significant moves to protect online privacy. She pointed to the sites' posted privacy policies and to the 550 sites that have signed up with Truste's seal program.

Truste works with Web sites to develop privacy statements and then monitors the sites' compliance with those statements. Sites that meet Truste's guidelines earn its seal of approval.

If one of its member Web sites is accused of violating its privacy policy, Truste can conduct an audit, drop the company from its seal program, or refer the matter to the Federal Trade Commission, Benassi said. Plus, companies that violate their privacy policies face both media scrutiny and the possibility of litigation.

Although Benassi conceded that new laws might be needed to protect financial and health care information online, she said special laws are not needed to protect privacy in other areas.

"We don't have those kinds of things in the offline world," she said. "Why should we need them in the online world?"

Benassi said Truste had received about 60 privacy complaints involving sites using its seal in the last year. Of those, she said none had led to a site being referred to the FTC or dropped from the seal program. Only one site had been subjected to an audit.

That Truste has taken only one punitive action indicates that the program is working and that its member sites are willing to correct mistakes, she said.

"In the real world, mistakes happen," Benassi said. "We work with sites so that they change their practices or change their privacy statements."

But that might not be enough to satisfy critics. Already, Rep. Edward Markey (D-Massachusetts) has said he will introduce legislation that gives Web users more control over how their personal information is used on the Internet. Sen. Conrad Burns (R-Montana) has drafted similar legislation in the Senate.

Although the Clinton administration has opposed new Internet privacy laws, it has indicated that it might support them if they become necessary. A Commerce Department official said the administration is awaiting the results of several privacy studies currently being prepared.

"Our position has always been we want to give self-regulation a chance to work," the official said. But, she added, "if the industry does not take it seriously enough, then legislation would be called for."

Jeanne Schaaf, senior telecom analyst at Forrester Research, said some kind of privacy legislation is inevitable.

"I don't think the industry, with even its best intentions, will be able to satisfy the issue of legal remedies," Schaaf said. "And I think Congress is less likely than the administration to give the industry the benefit of the doubt."