AUSTIN, Texas--Many privacy watchdogs want stricter laws--not industry self-regulation--to shield personal data on the Net. But they got mixed signals from a former Clinton administration official and a current policy guru, who tackled the issue here at the eighth Computers, Freedom, and Privacy Conference (CFP).
The online privacy debate is rooted in an international struggle to implement consistent guidelines for the gathering and subsequent use of Netizens' names, email and home addresses, and phone numbers, as well as such sensitive information as Social Security numbers or employment history and salaries. If in the wrong hands, such data could be used to commit fraud or could be sold without permission. Experts say fear of this activity is stifling electronic commerce--which the White House wants to see flourish.
This scenario is why Web site creators can expect to see new laws regarding the collection and use of online consumers' personal information, charged former Federal Trade Commissioner Christine Varney, who left her post in August. At the FTC, Varney led probes of online privacy practices during the past two years, but stuck to the administration's line that online companies could govern themselves.
Now that she works with e-commerce companies, Varney is yanking her sparkling endorsement of self-regulation. "I'm not sure it's going to work with privacy," she told the crowd at the CFP yesterday.
After FTC hearings last summer, Varney said laws aimed at protecting children's data could be necessary. But her statements this week took a much harder edge than those of a Clinton spokesman.
Brian Kahin, a senior policy analyst at the White House Office of Science and Technology, attempted to give his own glimpse into the future of Internet policy in his keynote speech. Contrary to Varney, he reiterated the administration's now-familiar stance: that industry should self-regulate when it comes to safeguarding consumers' online privacy as well as other activity, such as barring children's access to adult material on the Net.
The marketplace is making great progress, he said, so the best thing for government to do is stay out of the way. He signaled only one area where regulation was needed to boost participation in e-commerce. "Until we have a rule against junk email, like we have for junk fax, then the industry will always have a bad-apple problem," he said.
"Privacy is going to be an interesting test case for self-regulation," he added. "If self-regulation doesn't work, we may be in for an international policy problem."
That international conflict already is here, and boiling over. The tangled web surrounding privacy on the Net touches a number of policy areas, including the debate over encryption--which makes digital messages unreadable if intercepted--as well as digital signatures.
Many nations want to mandate or encourage voluntary key-recovery or key-escrow systems, in which citizens store the code that unlocks their communication with a licensed third party or the government. The policies are set up to serve criminal investigations or simply to hold a spare key for businesses and consumers who lose their only copy.
The controversial U.S. law prohibits exporting strong encryption, and requires those products to ultimately accommodate a third-party key escrow system. But Congress is considering a plan that requires users of federally funded networks to build a back door for law enforcement to read encrypted messages.
France, for example, has strict limits on crypto and requires third-party copies of keys, as CFP attendees heard today during a panel. Unlike the United States, France has stringent privacy protections for personal data collected via the Net. Also, France has established a Data Protection Agency that monitors data collection practices and investigates consumer complaints.
"Our constitutional tradition in the U.S. gives our citizens stronger laws to combat the government's privacy abuses," Joel Reidenberg, a professor at Fordham University School of Law, said today after participating in the law panel on France. "But in the privacy sphere, the French have much stronger laws to protect their privacy from [commercial entities]."
Actually, many of the United States' digital privacy tactics slam up against international schemes, which is a big topic of debate at the conference.
Case in point: A European Union privacy directive that goes into effect at the end of the year conflicts with U.S. enterprise practices. E.U. members must make sure that electronic data collectors post privacy policies, disclose how the data will be used, and give people access to their data so they can make changes or object to it being used at all. Members must set up an authority to monitor the policy, and there is legal recourse if companies violate the rules.
The rules also state, "The transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited," unless "the data subject has given his consent."
This provision could lead to a privacy practice train wreck in December, when E.U. members essentially could be forced to "cut off" access to sites around the world that don't adhere to its rules.
However, the Organization for Economic Cooperation and Development (OECD) is working to bridge the gap between the E.U. and countries that favor industry self-regulation to protect online consumers' private information, according to spokespersons attending CFP.
In 1980, the OECD established privacy guidelines that have since been adopted by countries around the world, and are the model for some marketplace guidelines. Earlier this week, in Paris, the group held workshops to hammer out differences between nations' policies, which U.S. delegates from the Commerce Department and FTC attended.
"The problem of self-regulation at the moment is not self-regulation itself. It's the effectiveness. Internationally there is sort of a patchwork approach, and it needs to be harmonized," French Judge Anne Carblanc of the OECD said today. "There are various instruments for protecting privacy, and we try to find out where there are gaps and make proposals to help."
The OECD is pushing the use of prominently placed labels, such as those by Truste, which lead Net users directly to a site's privacy statement. A nonprofit, Truste promises to monitor sites to make sure they are complying with the policies. The OECD principles also require a mechanism for consumers to file privacy abuse charges, for example.
"Network technologies raise new risks for the privacy of data, but technology also is part of the solution," added Teresa Peters, an administrator for the Information Computer and Communications Policy division of the OECD. "Self-regulation is going to play an important role--it has to--but it's important that this is supported by government policy."