Privacy Protection on the Internet: The Marketplace Versus the State*

Richard S. Rosenberg
Department of Computer Science
University of British Columbia
Vancouver, BC, Canada V6T 1Z4

Abstract -- There is a battle being fought in the U.S., and elsewhere, with respect to the protection of privacy on the Internet. In response to public concern, various government bodies in the U.S., Canada, and Europe have explored approaches to the protection of personal privacy on the Internet, with differing results. At the same time, Internet consumer and civil liberties groups, and business and newly emerging industry groups, have proposed their solutions to the perceived problems. In this paper, we will articulate the various positions and attempt to identify and evaluate the dominant themes. In the end, we will propose an approach that requires government intervention, sometimes referred to as the European model.

*Wiring the World: The Impact of Information Technology on Society, Proceedings of the 1998 International Symposium on Technology and Society, IEEE Society on Implications of Technology, June 12-13, 1998, Indiana University South Bend, South Bend, Indiana, USA, pp. 138-147.

I. INTRODUCTION

Privacy refers to the social balance between an individual's right to keep information confidential and the societal benefit derived from sharing information, and how this balance is codified to give individuals the means to control personal information. [1]

In [2] and [3], a variety of issues were presented that relate to the differing positions taken by governments in the U.S. and Canada, and the European Union on their respective roles in the protection of personal privacy on the Internet. [4] includes an extensive treatment of the current U.S. approach to this issue. In this paper, a further elaboration will be presented and current positions described.

There appears to be a continuing reluctance in the U.S.
for any comprehensive role for the federal government in the regulation of the gathering, collection, storage, and dissemination of personal information. However, it will be argued that in this instance, appearances are deceiving. This apparent position stands in stark contrast to the European Privacy Directive, that commits the member governments of the European Union (EU), among other things, to ensure that private information on Europeans is protected everywhere in the world. The Directive will take effect in 1998, and the response of the U.S. is of major concern. The government of Canada has announced that it is prepared to enact legislation by the end of this year, that will satisfy the EU; it will be based on the Canadian Standards Association (CSA) Model Code, that has already won the approval of the EU.

Also important for the present purposes are the positions taken by such pressure groups as the Electronic Privacy Information Center (EPIC), Electronic Frontier Foundation (EFF), Center for Democracy and Technology (CDT), and Computer Professionals for Social Responsibility (CPSR). Although recognizing the need to protect personal privacy, they have taken a variety of stances, usually against a legislative role for government. A confounding factor is the determination of the U.S. government to be the keeper of the keys in any public key encryption scheme and the crucial role that encryption plays in the privacy debate. However, space constraints preclude a discussion of the relation between cryptography, privacy, and government regulation. The general mistrust of the federal government in the U.S. seems to preclude any deviation from the past segmental approach to privacy protection in favor of a more comprehensive one. These pressure groups reflect this attitude in the formulation of their policies and are more similar in their views to the government and industry groups than they are to the European approach.
In section II, a number of challenges to the protection of personal privacy on the Internet will be outlined as background to the positions taken by the government, the private sector and civil liberties groups in the U.S. Section III will include the official position of the Canadian government with respect to its proposed privacy legislation and the European Union's Privacy Directive, to take effect in October 1998. In section IV, the U.S. government's current statements with respect to privacy protection on the Internet will be reviewed and compared with industry positions and those adopted by civil liberties groups as well. Finally, the paper will conclude with a position in favor of government regulation.

Thus, it will be the task of this paper to clarify and organize a variety of positions on the protection of personal privacy on the Internet and to argue for an approach in the U.S. based on a stronger role for the Federal Government. In spite of the spirit of mistrust referred to above, the threat to personal privacy resides in the private sector to a greater degree than it currently does in the public sector and only a government agency can adequately protect the public interest in this vital area.

II. PRIVACY CHALLENGES ON THE INTERNET

It is generally recognized that the Internet presents a number of challenges to the protection of personal privacy that begin with the collection of personal information and continue with its storage, accumulation, refinement, and sale; most of this process is not readily apparent to the consumer. Many examples exist, but only a few will be discussed.

First, however, we might mention briefly a couple of services readily available on the Web. Any regular Internet user is familiar with DejaNews, a service that enables the recovery of named postings to Usenet newsgroups over the past few years.
While these postings are public, it may be somewhat unnerving never to be able to escape possible youthful indiscretions. DocuSearch provides an online investigative service for those in need. Its advertising notes that, "For the information-impaired the world can be a dangerous place. . ." [5] See [6] also for more information on online sleuths.

A. Cookies

Cookies are probably the most widely used tool to gather information about visitors to Web sites. Although most Internet users are familiar with the term, both the uses and misuses of cookies are largely a mystery. Cookies (or persistent client side information) are pieces of text deposited by a Web server either on the user's hard drive or at the visited Web site. Their ostensible purpose is to provide the Web site with information about visitors to assist them more efficiently on subsequent visits. See [7] and [8] for more information. However, there are a number of privacy concerns; for one thing, the user may not wish to have this information collected and stored, and for another, he or she may be concerned about other uses to which the information may be put. It is possible to be informed by the browser that a request is being made for a cookie to be deposited, but only if an option on the browser is set in advance, a feature not generally advertised. Furthermore it may be virtually impossible to visit some sites if permission to deposit a cookie is not given.

B. The Timothy McVeigh Case

This case is being presented to indicate the lack of privacy protection available to Internet users. Mr. McVeigh (not to be confused with the McVeigh convicted in the Oklahoma City bombing) was a veteran of the U.S. Navy who was discharged "under the statutory policy colloquially known as 'Don't Ask, Don't Tell, Don't Pursue'." [9] Information that led to this dismissal was obtained by the Navy from America Online's (AOL) profile information of its subscribers, in violation of AOL's privacy policy. Mr.
McVeigh is seeking to overturn his discharge because he contends that the Navy "violated his rights under the Electronic Communications Privacy Act ("ECPA"), 18 U.S.C Section 2701 et seq." For many, this case illustrated how insecure online information is and how devastating the effects of its unauthorized release could be.

C. The Media Acknowledge Privacy Issues

Over the past year, major news media have directed public attention to privacy issues in general and the Internet in particular. For example, in August 1997, Time did a cover story with the provocative title, "The Death of Privacy." After presenting a variety of privacy threats, the article concludes with the section, "Here's how you can block those prying eyes:"

• Software:
  Intermute, a Java application to block undesired access to your computer when you are online.
  PGP 5.0, a powerful encryption program to guarantee the confidentiality of your messages to trusted recipients.
  PGP Cookie Cutter, a Windows 95 utility to delete selected cookies.
• Internet Anonymity:
  Anonymous remailers, to strip away identifying information on e-mail messages.
  Lucent personalized Web assistant, an application to be used for identifying yourself at a Web site, that shields your true identity.
  Anonymizer.com, a Web site to be visited before you visit other Web sites, that provides you with an anonymous identity. [10]

A number of online privacy sites are also recommended but what is not is direct government action. The burden is placed on the consumer, whether technologically sophisticated or not, to protect his or her privacy.

The Washington Post has reported on privacy issues on a regular basis as has The New York Times. On March 8 and March 10, 1998 the Washington Post ran a three-part series on privacy issues with links to many previous stories on its online version.
In [11], we learn that,

Twenty-four hours a day, Acxiom [of Conway, Arkansas, a giant information service tucked near the rolling Ozark foothills] electronically gathers and sorts information about 196 million Americans. Credit card transactions and magazine subscriptions. Telephone numbers and real estate records. Car registrations and fishing licenses. Consumer surveys and demographic details.

Thus the increasing assault on privacy is acknowledged on a regular basis by the media and reflects a growing concern by Internet users. How to deal with this concern may be a matter of debate. However, GVU's 8th WWW User Survey [12] reported that the issue of most concern among the approximately 10,000 Internet Users who responded, was privacy. Furthermore, "Most respondents agree strongly (39%) or somewhat (33%) that there should be new laws to protect privacy on the Internet." [Emphasis added]

III. CANADA AND EUROPE

In order to set the scene for an overview of the U.S. government's position on Internet privacy, it is useful to examine the privacy landscape in the European Union as well as Canada. The European Union's Privacy Directive has serious implications for international trade and will be discussed below.

A. Canadian Standards Association Model Code for the Protection of Personal Information

There is currently no federal privacy legislation in Canada that applies to the private sector. Canada does have a Privacy Commissioner but his role is largely advisory, to respond to the concerns of Canadians about privacy issues related to the activities of federal government ministries. The private sector is a patchwork of voluntary privacy codes, where they exist at all, except for the province of Quebec that has privacy legislation in place that covers both the public and private sectors.
[13]

On September 20, 1995, the Canadian Standards Association (CSA) passed a resolution, accepting the Model Code for the Protection of Personal Information as a national standard for Canada. [14] The Code was based on the Organization for Economic Cooperation and Development (OECD) Privacy Guidelines, adopted in 1981 [15], which Canada had accepted. The Code was produced by the CSA Technical Committee on Privacy, that represented business, consumer, government, and other organizations. It should be noted that this committee included representatives of the Canadian Direct Marketing Association, Equifax Canada, American Express Company, and the Canadian Bankers Association. Unlike their American counterparts, these companies accept a much more active role for government. The following Ten Principles were enunciated:

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

These principles are only meaningful with accompanying commentary, not given here. They do represent a general consensus in Canada of what constitutes adequate privacy protection, if embedded in a system that includes an effective complaint resolution mechanism. Indeed, they have already been adopted voluntarily by a number of organizations, including the banking industry, as was the intention of the CSA. The Code has also been proposed to the International Standards Organization (ISO) as a possible quality standard for the ISO 9000 series.

B. Canadian Government's Plans

The Canadian government has made a strong commitment to the CSA Model Code. In 1994, the government created the Information Highway Advisory Council (IHAC) to provide recommendations with respect to a wide range of issues associated with the impending Information Highway, including access, content regulation, intellectual property rights, and of course, privacy.
In its first report, IHAC made several recommendations with respect to privacy. While endorsing the CSA Model Code, IHAC urged the federal government, in Recommendation 10.2 b. [16],

to create a level playing field for the protection of personal information on the Information Highway by developing and implementing a flexible legislative framework for both public and private sectors. Legislation would require sectors or organizations to meet the standard of the CSA model code, while allowing the flexibility to determine how they will refine their own codes.

In its response to IHAC's privacy recommendations, the federal government made the following commitment [17]:

As a means of encouraging business and consumer confidence in the Information Highway, the ministers of Industry and Justice, after consultation with the provinces and other stakeholders, will bring forward proposals for a legislative framework governing the protection of personal data in the private sector. [Emphasis added]

In September 1996, Alan Rock, the then Justice Minister, reinforced this commitment, although he disappointed privacy advocates by the relatively slow pace of the process [18]:

"It will take to 2000 by the time we work out a consensus and get legislation, but we're determined to do it because it's the right thing to do." Effective privacy protection, however, will require "a revolution in the thinking of business and the community, similar to what's taken place with respect to environment protection."

In the most recent phase of this process, The Task Force on Electronic Commerce, a joint effort of Industry Canada and Justice Canada, released a discussion paper on proposed privacy legislation in February 1998.
[19] This paper sees the problem facing the federal government in the following way:

Legislation that strikes the right balance between the business need to gather, store, and use personal information and the consumer need to be informed about how that information will be used and assured that the information will be protected is the key to building the consumer trust and market certainty needed to make Canada a world leader in electronic commerce.

It is clear that the driving force behind the government's efforts to introduce privacy legislation is to reassure potential consumers in the electronic marketplace that it is a safe environment, that their personal information will be protected, not by a voluntary business approach but by government legislation, and that this protection will be globally effective. A number of stumbling blocks exist, however, both internally and externally. Within Canada, the federal government has jurisdiction over interprovincial trade and world trade. Each province has control over intraprovincial trade and as mentioned above, except for Quebec, no privacy legislation exists for the private sector.

Thus, it is Ottawa's task to get the provinces on board to develop seamless legislation; otherwise, the consumer will have no assurance that his or her personal information is protected by legislation both provincial and federal. What about commercial activities that originate beyond the borders of Canada? Of primary concern are Europe and the U.S., which differ dramatically in their approach to the protection of personal information. The European Union (EU) has enacted legislation to protect the movement of personal information among its member countries and from those countries to the rest of the world. The U.S., aside from very narrow legislation in certain specific areas, is inclined to depend on the marketplace to protect personal information because it is seen as good business practice to do so.

C. European Privacy Directive

In 1995, the European Parliament passed what has come to be called the European Privacy Directive [20]. It will take effect in the fall of 1998 and it may have some unpredictable effects on world trade, especially between the European Union and the U.S. Of particular concern are Article 25 Principles and Article 26 Derogations of Chapter IV - Transfer of Personal Data to Third Countries. Selections from these articles follow to indicate the nature of the anticipated difficulties:

Article 25 Principles

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. [Emphasis added.]

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

Article 26 Derogations

1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
. . .

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

The U.S. does not currently have adequate privacy legislation in place and there is little prospect that it will enact such legislation in the near future. What is likely to happen when the European Privacy Directive takes effect?

D. Implications for the U.S.

It is clear from the quoted sections of the Privacy Directive that much depends on the interpretation of the phrase, "adequate" level of protection. It may be possible that giant companies such as IBM, AT&T, and Microsoft will be able to satisfy the requirement by demonstrating that the voluntary practices they have in place are adequate. In fact, it is argued in [21] that, "An across-the-board legislative response, that mimics European law is the wrong approach. A better approach is self-regulation by the industries and firms most likely to be affected." Based on discussions that Swire and Litan [21] have had with both European and U.S. government officials, they predict the following outcomes:

• The EU is unlikely to issue an across-the-board finding that U.S. privacy protections are inadequate. Instead, it is likely to make adequacy determinations on a sector and practice-specific basis.
• The EU is likely to decide that some U.S. industries that have specific laws governing the use of personal information do meet the adequacy test. The credit reporting industry is an example.
• Unless a generic compromise is soon found, the EU is very likely to demonstrate its seriousness about the Directive by initially singling out one or more U.S. companies or sectors as not meeting the adequacy test and thus subject to data transfer prohibition of the Directive. High on the potential target list, in our view, are firms in the direct marketing industry, the insurance industry, and any company handling personal medical information . . .

To avoid major disruptions, given that no comprehensive federal privacy legislation is likely to be passed, the authors recommend that the Administration create a special office within the Department of Commerce to deal with all matters affecting electronic commerce, including privacy concerns, of course. Second, industries should be encouraged to adopt strong voluntary privacy codes and to assist their member companies to use these codes in an effective and verifiable manner.

A more comprehensive treatment of the impact of the Privacy Directive is contained in [22]. The authors report on five concerns that are motivated by an early analysis of the Directive; they follow, in abbreviated form:

1. "The Europeans are not going to tolerate the existence of 'data havens' " that operate beyond the reach of the Directive.
2. "[T]he initial determination of 'adequacy' will remain with the national data protection agencies."
3. " . . . once these issues enter the [European] Commission they are likely to be influenced by wider political and economic concerns"
4. " . . . will 'adequacy' just be measured against the principles of the directive or also against the methods of enforcement and oversight?"
5. " . . . neither the supervisory authority nor the data controller has the power to scrutinize the processing of personal data in another jurisdiction, nor can they be fully satisfied that data subjects can exercise their privacy rights."
It should be apparent that considerable uncertainty exists with respect to the impact of the Privacy Directive on world trade, that involves the movement of personal information. A closer examination of the status of privacy protection in the U.S. may further add to this uncertainty.

IV. UNITED STATES

Space limitations preclude a detailed analysis of the actions taken by the Administration over the past few years in the formulation of a privacy policy for the National Information Infrastructure (NII). A series of discussion papers, reports, and workshop and conference proceedings have been released to make the case, that a voluntary approach by the relevant industries, rather than by the heavy hand of government bureaucracies, will offer the best way to protect the legitimate privacy interests of Internet consumers, while permitting business to function efficiently and effectively.

A. The Administration's Agenda

... technology should not be used to break down the wall of privacy and autonomy free citizens are guaranteed in a free society. The right to privacy is one of our most cherished freedoms. As society has grown more complex and people have become more interconnected in every way, we have had to work even harder to respect the privacy, the dignity, the autonomy of each individual. [23]

The President went on to make the following ringing defense of privacy [23]:

As the Internet reaches to touch every business and every household and we face the frightening prospect that private information -- even medical records -- could be made instantly available to the world, we must develop new protections for privacy in the face of new technological reality. (Applause.)

Whatever these "new protections" were intended to be, the record shows that the role of government, other than perhaps in such areas as medical records and child privacy, is to advise, to pressure, and to advocate, but not to legislate. This is consistent with U.S.
federal policy over the past 25 years, where privacy protection has been narrowly construed to apply to such areas as credit records, educational records, and video rental records.

The Clinton Administration has created a number of vehicles to promote its views with respect to the shape of the NII. Within the White House there is the Information Infrastructure Task Force (IITF); the Department of Commerce houses the National Telecommunications and Information Administration (NTIA). These agencies have issued a series of studies and statements that have shaped the privacy debate in the U.S. For example, in early 1995, IITF issued a set of Draft Principles for Providing and Using Personal Information. While these Principles adequately cover the major privacy issues that are raised by the new technology, they are not intended to have the force of law: "As made clear in the Preamble, the Principles do not have the force of law; they are not designed to produce specific answers to all possible questions; and they are not designed to single-handedly govern the various sectors that use personal information." [24]

This view is consistently maintained. Indeed, later that year, the NTIA's Office of Policy Analysis issued a White paper in which it endorsed the IITF Principles and continued the "official" line [25]:

This approach, if embraced by industry, would allow service providers and their customers to establish the specific level of privacy protection offered in a marketplace transaction, free from excessive government regulation, so long as the minimum requirements of notice and consent are satisfied. . . For these reasons, NTIA believes that it is in the private sector's interest to adopt the privacy framework outlined in this paper, without waiting for formal government action. [Emphasis added.]
A little more than one year ago, IITF issued a major draft document, that explored in detail a variety of options for "Promoting Privacy on the National Information Infrastructure." [26] The report identifies the following "core" question:

What is the best mechanism to implement fair information practices that balance the needs of government, commerce, and individuals, keeping in mind both our interest in the free flow of information and in the protection of information privacy? At one end of the spectrum there is support for an entirely market-based response. At the other end of the spectrum, we are encouraged to regulate fair information practices across all sectors of the economy. In between these poles lie a myriad of options.

What are the viable options proposed in this draft? A number of approaches are presented:

• An Enhanced Sectoral Approach including specific legislation for medical records privacy and children's privacy as well as raising the profile of privacy in the marketplace.
• Creation of a Federal Privacy Entity
  (a) with regulatory authority, although not consistent with past and current practice in the U.S.
  (b) without regulatory authority but able to coordinate government privacy activities, to represent the Administration's view, to advocate strong privacy practices, to act as ombudsman, to provide advice, and to educate the public.
• Creation of a Non-Governmental or Advisory Entity.

These possibilities should be evaluated in the context of long-standing criticisms of U.S. privacy policy as included in the draft. Among these are the emphasis on a sectoral or fragmented approach, the lack of a specific responsible federal agency, such as the data commissioners of many European countries, no federal advocacy agency, no federal coordinating agency for diffuse privacy concerns, and no enforcement mechanisms for voluntary efforts in the marketplace.
When the European Privacy Directive takes effect in October of this year, many of these concerns will receive considerably more attention than they have up to now.

Of course defenders of the current approach argue that by locating privacy protection in the marketplace, the heavy hand of government bureaucracy can be avoided. Furthermore, they point out that it is in the long term interests of business to protect the privacy of their customers and to avoid embarrassing incidents. It is also in the self interest of consumers to provide certain personal information in order to obtain products and services at more affordable costs. Such are the dimensions of the current privacy debate in the U.S.

B. Civil Liberties and Consumer Groups

One curious aspect of the privacy debate is that many civil liberties and consumer groups seem to be suspicious of government involvement in the regulatory process, while at the same time they are highly critical of privacy violations in the private sector. The suspicion of government appears to be deep-seated and widespread across the political spectrum. The right points to Waco and other occasions of massive government intrusions into private lives; the left reminds us of the Nixon White House and all sides view with great suspicion attempts by the Clinton administration to impose a single encryption strategy with government as the keepers of the (private) keys. So, in some sense, it is hardly surprising that calls for improved privacy protection for personal information have been directed towards the companies and businesses that deal with such information. In this regard, consider the following statement by Computer Professionals for Social Responsibility (CPSR) [27]:

Protection of privacy is best achieved through cooperation between employers, service providers, software developers, governments, and information collectors.
The burden of protection should fall on those collecting or using data, not on the multitudes of scattered individuals who are using a variety of electronic systems to go about their daily activities. Accomplishing this goal is a complex technical and social matter, requiring an industry-wide effort that governments, at best, should help to coordinate and, at the very least, should not hinder. This document provides guidelines that might be used by principled institutions to guarantee proper respect for the privacy and dignity of employees, customers, and citizens. [Emphasis added.]

It should be remembered that CPSR is a very activist organization that has undertaken a number of campaigns to inform the public about computer-related threats to the public well-being. Granted, the government has frequently been the target, such as in the campaigns against Star Wars and the Communications Assistance for Law Enforcement Act (commonly known as the FBI Wiretap Bill). Nevertheless, by marginalizing the government's role, CPSR seems to be arguing for a private sector to exercise the kind of social responsibility it has given little indication it is willing to do.

Taking this position one step further, Electronic Frontier Foundation (EFF), probably the most powerful users group on the Internet, announced in 1996 that it was entering into a partnership with CommerceNet to establish eTRUST (later renamed TRUSTe), "a global initiative for establishing consumer trust and confidence in electronic transactions. Tapping the combined strength of industry and public interests, eTRUST is designed to address the issues of consumer trust in the Internet marketplace." [28] It was intended that eTRUST would design a recognizable logo that companies committed to its principle would display. "Though eTRUST will address privacy and security concerns initially, the eTRUST brand will grow to encompass a variety of other consumer interests."
The single most important Web site for privacy issues is managed by the Electronic Privacy Information Center. In June of 1997, it issued a critical report on the privacy practices of "100 of the most frequently visited web sites on the Internet." [29] Having reported on serious deficiencies in privacy practices across the board, EPIC's recommendations include the following:

• Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the home page by looking for the word "privacy."
• Privacy policies should state clearly how and when personal information is collected.
• Web sites should make it possible for individuals to get access to their own data.
• Cookies transactions should be more transparent.

The final two sentences again reveal a reluctance to turn to government for help in guaranteeing privacy protection on the Internet: "Protecting privacy will be one of the greatest challenges for the Internet. Until clear practices are established and good policies put in place, our advice is simply this: 'Surfer beware'." So rather than lobby for comprehensive privacy protection, enforced by legislation, the best that EPIC can offer is the electronic version of Caveat Emptor.

In a recent hearing before the House Subcommittee on Courts and Intellectual Property, Marc Rotenberg, Director of EPIC, after reviewing the sorry state of privacy on the Internet, did make some recommendations with respect to government actions, as follows [29a]:

• Amend the Electronic Communications Privacy Act to expand the scope of privacy protection provided to subscriber information under Section 2703 of ECPA.
• Support Passage of the Internet Privacy Bill and the Children Privacy Bill. The former would prevent an "interactive computer service" from disclosing to a third party a subscriber's personal information without that individual's consent.
• Establish a Privacy Agency

These proposals are probably the closest that any privacy pressure group has come to recommending comprehensive privacy legislation.

Another prominent Internet civil liberties organization that also believes in a partial legislative solution is the Center for Democracy and Technology (CDT). A recent press release concerning a Web site that apparently misused medical data supplied by visitors concluded with this sentence [30]: "While we press for passage of comprehensive legislation for medical records and await a response to our complaint from the Federal Trade Commission, CDT urges entities operating on the World Wide Web to respect the privacy of Internet users."

Also testifying before the same Subcommittee, Deirdre Mulligan, Staff Counsel for CDT, made several recommendations, including the following [30a]:

• Heighten the standard for access to transactional data.
• Create a privacy entity to provide expertise and institutional memory, a forum for research and exploration, and a source of guidance and policy recommendations on privacy issues.
• Collaborate with other governments, the public interest community and the business community to develop global solutions for the decentralized network communications environment.

C. Industry Groupings

To reinforce their opposition to any government intervention, some of the major companies that deal with personal information on the Internet (virtually all companies) have begun positioning themselves by forming associations that advertise strict adherence to a set of privacy principles or a privacy code. There is obviously the expectation that developing a recognizable commitment to privacy protection will have the double benefit of reassuring the public that doing business on the Internet will not compromise its privacy and that government's role should not be to pass privacy legislation.

TRUSTe (formerly eTRUST), mentioned previously, announced further developments in 1997.
Such companies as AT&T, IBM, Oracle, Wired Ventures, Coopers & Lybrand, and KPMG have joined a global initiative sponsored by TRUSTe, "for establishing consumer trust and confidence in electronic commerce." [31] In more detail, the press release goes on to say that "TRUSTe assures online consumers' privacy through a progressive policy of informed consent utilizing a branded system of 'trustmarks' which represent a company's online information privacy policy." Three trademarks will be used to indicate different levels of privacy protection offered:

• No Exchange - no personally identifiable information is us
• One-to-One Exchange - data is collected only for the site owner's use.
• Third Party Exchange - data is collected and provided to specified third parties but only with the user's knowledge and consent.

On June 11, 1997, as the Federal Trade Commission opened hearings on threats to consumer online privacy, a number of companies including bitter rivals, Netscape and Microsoft, IBM, The New York Times, and about one hundred others, announced, "that they are cooperating to build upon the previously proposed Open Profiling Standard (OPS), which provides a framework with built-in privacy safeguards for the trusted exchange of profile information between individuals and Web sites." [32] The importance of this effort is clearly stated as follows: "The overall effort by the high-technology industry is to persuade the public and the Government that the industry can give consumers the technology tools necessary to protect their own privacy online, without the need for Federal regulation."
[33] The World Wide Web Consortium (WWWC) proposed a set of privacy options that Web sites could offer users [34]:

• I want to access all Web sites
• I will allow sites to share my data
• Sites may share my data if I can review the Information
• Sites may use my data internally only
• Sites may use my data only for the specific reasons I give them
• I want to be nearly anonymous

Browsers would permit users to set the preferences they prefer under a wide range of circumstances, thereby relieving them of further concern. No role for government is envisioned.

Various industry proposals, such as the previous one, would seem to have an obvious popular appeal except for the fact that they are obviously self-serving. Those most interested in using personal information are promising to take good care of it. One argument against government privacy regulations is that it would be foolish to put the fox in control of the hen house. With the vast amounts of personal information in private databases, surely the same argument can be made about the private sector. In addition, most voluntary systems lack adequate complaint mechanisms. Depending on business to adjudicate privacy complaints responsibly is chancy at best.

V. RECOMMENDATIONS

A. Opinion Surveys on Privacy

In order to propose recommendations for assuring Internet users that their privacy concerns are being addressed, it seems appropriate to listen to those users. Previously in this paper, the privacy results in GVU's 8th WWW User Survey were reported. Other surveys have been conducted with similar results. For example, about two years ago, DirectNews reported the following results of a poll about direct marketers [35]:

• more than three-fourths of the 62% who said they'd like to see data-use restrictions would favor such laws even if it meant their not getting catalogs or mail about things that interest them.
• A whopping 83% of the survey participants said there should be a law requiring an opt-in procedure for names to be included on mailing lists.

A Lou Harris poll conducted in February 1998 for Business Week revealed a general uneasiness about privacy protection. [36] Curiously, one question, which did not appear in the magazine but was made available at the Business Week Web site, is very important for the present purposes:

"Here are three ways that the government could approach Internet privacy issues. Which ONE of these do you think would be best at this stage of Internet development?"

• Government should let groups develop voluntary privacy standards, but not take any action now unless real problems arise: 19%
• Government should recommend privacy standards for the Internet, but not pass laws at this time: 23%
• Government should pass laws now for how personal information can be collected and used on the Internet: 53%
• None of the above: 2%
• Don't know: 3%

In response to another question, "61% not online say they stay off the Net because they feel personal information and communications are not protected."

B. The Press is Concerned

This concern has been growing and is reflected in the popular press, including the usually anti-government business press. Consider the following sampling of opinion over the past few years:

• "Congress can help by passing legislation that tells government agencies, hospitals, and any quasipublic [sic] institution to simply stop selling data about people unless individuals specifically permit it in writing. . " [37]
• "While voluntary compliance might be preferable in an ideal world, it's not likely to work in the real world. The reality is that the absence of government prodding has resulted in too many companies doing too little to protect consumers' privacy rights." [38]
• The public would be better served by Federal rules more sharply restricting the ability of marketers to obtain and sell information on consumers.
Better yet: Consumers should hold legal title to their data, so that it cannot be gathered or traded without their consent. [39]
• Time is running out for the Net community. The public does not trust its promises for self-regulation to ensure privacy. The polls show that people don't believe that these voluntary standards are working. . . It's no wonder that the public wants the government to step in immediately and pass laws on how personal information can be collected and used. [40]

C. Cookies Again

The use of cookies by most Web sites, including many government ones as well, is a constant irritation for consumers when they are made aware of the fact that information about their viewing and shopping habits is being captured, on a regular basis, industry explanations to the contrary notwithstanding. But cookies also provide a challenge to the adequacy provisions of the European Privacy Directive. Consider the following arguments [41]:

• Conditions include that personal data must be "processed fairly and lawfully" and only "collected for a specified, explicit and legitimate purpose".
• No further processing which is incompatible with the original, legitimate purpose is permitted.
• Processing must be "adequate, relevant and not excessive in relation to the purpose" as well as "accurate and, when necessary, kept up to date".
• Data may be stored for "no longer than is necessary for the purposes for which the data was collected".
• Processing may only take place if the person to whom the personal information refers (i.e., the "data subject") "has unambiguously given his consent", or if processing is otherwise necessary out of legal or contractual obligations to the data subject. Exceptions allow processing in the public interest or the vital interest of the data subject, or if no fundamental privacy interests of the data subject are at stake.
The author concludes that, "Almost all features and aspects of the cookie concept can be used to violate the Directive's principles. Cookies make unwitting and automatic access to personal user data possible."

D. Recommendations

The public is concerned about controlling personal information on the Internet. North American politicians are concerned about the European Privacy Directive. Internet entrepreneurs, large and small, are concerned about the future of electronic commerce and the inhibiting effects of lack of trust by current and potential consumers. In spite of a general mistrust of government, recent polls have shown that U.S. citizens are prepared to have the Federal Government pass Internet privacy legislation. Therefore, the Canadian experience may be relevant and instructive. A National Privacy Committee (NPC) should be appointed by the President with representation from civil liberties and consumer groups, Internet Service Providers, direct marketers, information, product, and services providers, lawyers, government officials, and Internet users.

Its purpose is to prepare guidelines for government legislation for Internet privacy protection. The CSA Model Code could play a useful role as an example of a globally acceptable privacy code. The notion of an extra-governmental process to achieve adequate privacy protection should be appealing to citizens apprehensive about intrusive governments. Business must finally accept the reality that only when the laws of the land govern the use of personal information on the Internet will its potential finally be realized. And the Federal Government will surely go along with the will of its citizens and the commitment, however reluctant, of the business community.

VI. CONCLUSIONS

It is generally acknowledged that there exist serious concerns about privacy on the Internet.
Internet users have expressed their growing apprehension about what happens to information acquired during visits to Web sites. Furthermore, they have voted with their wallets by not spending the amounts of money anticipated by many. Industry efforts to convince the Internet community and the public at large that the Internet is safe, convenient, and useful have not been entirely successful. Press releases and statements by large corporations that they are trustworthy and mindful of the privacy rights of Internet users have not been received with open arms, if the polls are to be believed.

It remains for the will of the people to be realized in comprehensive legislation, for government to exercise its responsibility in protecting the legitimate rights of the people, and for the Internet to realize its potential as a relatively safe place to do business. A diffuse mistrust of government is no reason to permit the Internet to be governed by corporate rules alone. There is a balance to be drawn between government bureaucracy and a completely unregulated marketplace.

VII. BIOGRAPHY

Richard S. Rosenberg, an Associate Professor in the Department of Computer Science, at The University of British Columbia, Vancouver, B.C., received the B.A.Sc. degree in Engineering Physics (1961) and the M.A.Sc. in Electrical Engineering (1964) from the Faculty of Applied Science, University of Toronto. He received the Ph.D. in Communications Sciences (1967) from the University of Michigan. From 1984-1986, he was the Director of the Computer Science Division in the Department of Mathematics, Statistics, and Computer Science at Dalhousie University, Halifax, Nova Scotia. His research interests are in Artificial Intelligence with a special interest in natural language interfaces to databases and in the social impact of computers with specific interests in privacy, freedom of expression, intellectual property rights, universal access, work and education.
He has supervised 25 masters and 6 Ph.D. students. He has written papers on such issues as freedom of expression, privacy, ethics, and access. He has written the following books:

Computers and the Information Society, New York: John Wiley & Sons, 1986, 397 pp.
The Social Impact of Computers, San Diego, CA: Academic Press, Second Edition, 1997, 522 pp. (First Edition 1992, 375 pp.)

VIII. ACKNOWLEDGMENT

The influence of David Flaherty, the Freedom of Information and Privacy Commissioner of British Columbia, is gratefully acknowledged. Of course, the author is responsible for the contents of this paper. The financial support of the Natural Sciences and Engineering Research Council of Canada is acknowledged.

IX. REFERENCES

[1] Information Security and Privacy in Network Environments, U.S. Congress, Office of Technology Assessment, 1994, Washington, DC: U.S. Government Printing Office.
[2] R. S. Rosenberg, "The politics of privacy on the global information highway." In J. Berleur and D. Whitehouse (Eds.), An Ethical Global Information Society, London: Chapman & Hall, 1997, pp. 275-288.
[3] R. S. Rosenberg, "The politics of privacy on the information highway," Global Networking '97, International Telecommunications Society and International Council for Computer Communications, vol. II, June 1997, pp. 174-183.
[4] R. S. Rosenberg, The Social Impact of Computers, 2nd Edition, San Diego, CA: Academic Press, 1997.
[5] Accessed from the Web site with URL: on September 25, 1997.
[6] N. Bernstein, "On line, high-tech sleuths find private facts," The New York Times, September 15, 1997, pp. A 1, A 12.
[7] CIAC Information Bulletin, I-034: Internet Cookies, Computer Incident Advisory Capability, U.S. Department of Energy. Accessed from the Web page with URL: on March 14, 1998.
[8] R. O'Harrow Jr., "Picking up on 'cookie' crumbs," Washington Post, March 9, 1998, p. F 25.
[9] Timothy R. McVeigh v. William Cohen et al., Civil Action No.
98-116, United States District Court for the District of Columbia, January 26, 1998. Accessed from the Web page with URL: on February 9, 1998.
[10] J. Quittner, "Protecting your privacy," Time, August 25, 1997. Accessed from the Web page with URL: on August 22, 1997.
[11] R. O'Harrow Jr., "Are data firms getting too personal," Washington Post, March 8, 1998, p. A 1.
[12] GVU's 8th WWW User Survey, Georgia Technical University's Graphic, Visualization, & Usability Center. Accessed from the Web page with URL: on February 10, 1998.
[13] Quebec Act respecting the protection of personal information in the private sector. 1993, Bill 68 (1993, chapter 17), National Assembly of Quebec, Second Session, Thirty Fourth Legislature.
[14] "Model Code for the Protection of Personal Information," CAN/CSA-Q830-96, March 1996, Ontario, Canada: Canadian Standards Association. Available at the Web site with URL: .
[15] "Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data," Organization for Economic Cooperation and Development, 1981, Paris: OECD.
[16] Connection, Community, Content: The Challenge of the Information Highway, Final Report of the Information Highway Advisory Council, 1995. Ottawa, Canada: Industry Canada. Available from the Web site with URL: .
[17] Building the Information Society: Moving Canada into the 21st Century, Ottawa, Canada: Industry Canada, 1996, p. 25. Available from the Web site with URL: .
[18] A. Duffy, "Privacy bill not expected until 2000," Vancouver Sun, September 19, 1996, A 6.
[19] The Protection of Personal Privacy: Building Canada's Information Economy and Society, Ottawa, Canada: Industry Canada, 1998. Available from the Web site with URL: .
[20] Directive 95/EC. Directive of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data And on the Free Movement of Such Data. October 1995. Available from the Web page with URL: .
[21] P.P. Swire and R.E.
Litan, "Avoiding a showdown over EU Privacy Laws," Brookings Policy Brief Series no. 29, Brookings Institution, February 1998. Accessed from the Web page with URL: on February 1, 1998.
[22] C.J. Bennett and C.D. Raab, "The adequacy of privacy: The European Union Data Protection Directive and the North American responses," The Information Society, vol. 13, 1997, pp. 245-263.
[23] President W.J. Clinton, Commencement Address at Morgan State University, Baltimore, MD, May 18, 1997. Accessed from the Web page with URL: on December 10, 1997.
[24] Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information, Information Infrastructure Task Force Working Group on Privacy, January 19, 1995. Available from IITF Web site with URL: .
[25] Privacy and the NII: Safeguarding Telecommunications-Related Personal Information, NTIA, Office of Policy Analysis and Development, Washington, DC., October 1995. Available from Web page with URL:
[26] Options for Promoting Privacy on the National Information Infrastructure, National Information Infrastructure Task Force, April 1997. Available from the Web page with URL: .
[27] "CPSR electronic privacy principles," Computer Professionals for Social Responsibility, September 1996. Available from the Web page with URL: .
[28] "CommerceNet and Electronic Frontier Foundation Partner to Implement eTRUST," Press Release, October 16, 1996. Available from the Web page with URL: .
[29] "Surfers beware: personal privacy and the Internet," Electronic Privacy Information Center, June 1997. Accessed from the Web site with URL: .
[29a] M. Rotenberg, Testimony and Statement for the Record on Communication Privacy before the Subcommittee on Courts and Intellectual Property, House Judiciary Committee, U.S. House of Representatives, March 26, 1998. Accessed from the Web page with URL: on March 30, 1998.
[30] "Web site criticized by CDT in complaint to Federal Trade Commission changes privacy policy," Center for Democracy and Technology, February 26, 1998. Accessed from the Web page with URL: on March 10, 1998.
[30a] D. Mulligan, Testimony, House Committee on the Judiciary, Subcommittee on Courts and Intellectual Property, U.S. House of Representatives, March 26, 1998. Accessed from the Web page with URL: on March 30, 1998.
[31] "TRUSTe, formerly eTRUST, launches commercial availability," Press Release, TRUSTe, June 10, 1997. Available from Web page with URL: .
[32] "Firefly, Netscape and Microsoft cooperate to build upon previously proposed OPS standard for personalization with privacy," Press Release, June 11, 1997. Available at the Web page with URL: .
[33] S. Lohr, "Rare alliance on privacy for software," The New York Times, June 12, 1997, pp. C 1, C 7.
[34] S. Machlis, "Wrestling with Web privacy," Computerworld, June 23, 1997, pp. 47-49.
[35] "Consumers worried about privacy," DirectNews, June 17, 1996. Accessed from the Web page with URL:
[36] H. Green, C. Yang, and P.C. Judge, "A little privacy, please," Business Week, March 16, 1998, pp. 98, 99-100, 102. Complete poll results can be obtained from the Web page with URL: .
[37] Editorial [with reference to the cover story, "Database Marketing"], Business Week, September 5, 1994, p. 98.
[38] Editorial, USA Today, October 25, 1995.
[39] D. Caruso, The New York Times, June 3, 1996, p. C 5.
[40] "Privacy: the key to the new economy," Editorial, Business Week, March 16, 1998, p. 126.
[41] V. Mayer-Schönberger, "The Internet and privacy legislation: cookies for a treat?" West Virginia Journal of Law & Technology, vol. 1, no. 1, 1997. Available from the Web page with URL: