Protecting Privacy and Security of Personal
Privacy protection has been a public policy concern for decades. However, rapid technological changes, the rapid growth of the Internet and electronic commerce, and the development of more sophisticated methods of collecting, analyzing, and using personal information have made privacy a major socio-political issue in the U.S., Europe, and other areas. Privacy issues have attracted the attention of the media, politicians, government agencies, businesses, and privacy advocates. In addition, the public is becoming increasingly sensitized to the protection of their personal information. Nonetheless, some people appear to be willing to trade-off various degrees of personal privacy for discounts on merchandise, free computer hardware, software, or e-mail, and other benefits. Privacy concerns are reflected in opinion polls and surveys. For example, a recent survey by Privacy and American Business showed that 81% of Net users, and 79% of users who buy products and services on the Net, expressed concern about potential threats to their personal privacy while online. While only 6% of Net users said that their online privacy had been violated, 70% to 72% were worried about unauthorized access and use of their e-mails, web site tracking and personal profiling.(1) This survey also showed that only 23% of consumer users of the Net paid for information or purchases online.
In other words, despite the dramatic growth in the use of the Internet from less than 10 million people in 1995 to about 150 million in 1998, three out of four people did not engage in electronic commerce activities last year. A more recent survey by Odyssey indicated that 47% of households with Internet access made at least one purchase online during the last six months. The Department of Commerce forecasts 250 million Internet users in the year 2000 and over a billion users during the first decade of the next century.(2) But, concerns about privacy, security, fraud, unsolicited commercial e-mail (spam), and other problems are likely to deter some people from consistent, rather than occasional, online shopping. Confidence that their privacy and security will be protected in the online environment will greatly contribute to widespread consumer acceptance and use of e-commerce.
Unfortunately, much less is known about consumers' attitudes toward information security than privacy. The privacy survey, cited above, indicates that 40% of those who were deterred from using the Internet were concerned about the security of their financial transactions. Some people may consider security and privacy as separate matters; others may view them as related elements of personal data protection. We do not have enough evidence to show whether consumers are willing to trade off some aspects of personal privacy for greater security, or whether such tradeoffs are even necessary. How concerned are consumers about hackers gaining unauthorized access to their accounts or personal files? Do consumers approve of security measures such as unique identifiers in computer chips and software that help authenticate PC users? Do consumers agree that personal security identifiers can help to prevent fraud and systems intrusions, and that increased security measures can enhance their privacy by better protecting personal information? While more research is necessary to find answers to these questions, it is clear that if the percentage of Internet users who shop and transact other business online is to significantly increase, more people must become comfortable that their security and privacy will be safeguarded.
There is no single, easy solution to privacy and security protection. Instead, privacy and security protections can be achieved through a combination of industry guidelines, self-regulation, consumer action, and, if necessary, laws and regulations, which may vary by country, region, or industry sector. In the U.S., the scope of privacy protection laws and regulations varies by industry and geography. Some industry sectors, such as financial services, are already covered by privacy protection laws and regulations in the U.S. and overseas. There are, however, increasing concerns that medical and health records, genetic information, and government information files remain largely unregulated. Finally, since the Internet crosses both industry and geographic boundaries, legislative and regulatory attempts will be made to protect the online privacy and security of consumer information.
Role of Online Privacy Self-Regulation
Both the private sector and the Clinton Administration support a self-regulatory approach to online privacy protection. But, the U.S. government is urging industry to develop meaningful ways to provide consumers with better privacy disclosure, greater consumer choice, and access to personal information. Industry is being prodded to develop mechanisms that protect information security and data integrity, and to enforce company privacy policies. The private sector has responded with a variety of self-regulatory initiatives in an attempt to forestall potentially onerous legislation or regulations that could impede the growth of electronic commerce. For example, the Online Privacy Alliance, comprised of companies and trade associations, was formed to promote privacy self-regulation. The Better Business Bureau has developed the BBBOnline Privacy Program which verifies, monitors, and reviews company privacy policies and practices, provides a consumer dispute resolution mechanism, awards web page seals to companies that comply with good privacy practices, and provides education programs. TRUSTe and the American Institute of Certified Public Accountants also offer privacy assurance programs and web page seals to companies that meet their privacy standards. Companies that collect information about consumers in their databases have adopted privacy audits and standards. The Direct Marketing Association is implementing a privacy compliance program that requires its member companies to provide consumers with the opportunity to opt-out of having their information used for marketing purposes. Many industry trade associations have also issued privacy protection guidelines and best practices to their members. A growing number of companies voluntarily disclose their privacy policies and practices in print and on their web pages. In addition, new technological solutions are being developed and applied to better protect consumer information online. Despite such efforts, skeptics believe that legislation or regulations are needed to guarantee protection of the public's privacy - both online and offline.
Consumer Influence on the Protection of Personal Privacy and Security
Consumers are increasingly aware that ubiquitous, more powerful computers and widespread access to the Internet make it easier for legitimate and shady businesses as well as government agencies to collect, access, and use personal information. Consequently, consumers have become more assertive in demanding that their personal information be protected and that they be given greater control over the collection and use of such information. Such activism has caused businesses and governments to change their procedures or modify their products. The following recent examples indicate the influence of the public and the media on privacy policies or practices of both governments and industry:
The above examples illustrate how consumer Internet users and privacy advocates are taking actions to oppose perceived privacy and security threats. In addition, individual Internet users can take steps to protect their personal data from identity thieves, hackers, and scam operators, and limit unwanted marketing solicitations and spams. Smart users are: only doing business with reputable companies that they know and trust; opting-out of receiving marketing solicitations; using secure web sites; disabling cookies; preventing Internet access to personal files; protecting their passwords; and encrypting their files. It is also becoming more common for Internet users to assume false identities or to purposely provide misleading information to web sites in order to protect their privacy and security.
The Internet will continue to shift market power toward consumers, who can decide how much they want to pay for what they want to buy, and let sellers compete for their business. Electronic commerce enables companies to customize their products and services to suit the individual consumer. To meet the specific preferences of individuals, companies will have to tailor their marketing based on consumers' personal information about their shopping habits, likes and dislikes, as well as demographic and other characteristics. Such an exchange of information raises potential privacy and security concerns.
To help assuage consumer concerns about online security, various electronic authentication methods have been developed to allow buyers, sellers, and other parties to verify each other's identities and to ensure that electronic messages, documents, or communications have not been altered or tampered with during transmission. Electronic authentication techniques are expected to provide a greater level of user confidence in transacting business over the Internet. These techniques should also reduce fraud, unauthorized access to personal information, and network security breaches. This technology is expected to help facilitate electronic commerce by enabling consumers and businesses to conduct many different types of electronic transactions. These might include the purchase and sale of goods and services, and the payment, receipt, and settlement of funds. All of these could be accomplished more quickly, easily, and securely electronically than via paper-based transactions.
European Influence on U.S. Privacy and Security
The European Union has adopted a comprehensive Directive on Data Protection. It includes a prohibition on the transfer of personal information from the EU to other countries that do not provide consumers with an "adequate" level of privacy and security.(3) The European standard for adequacy is generally stricter and more comprehensive than that of the U.S. and most other countries. Therefore, if certain industry sectors are considered to have inadequate data protection safeguards in place, U.S. multinational companies with offices in Europe could be blocked from transferring information on individuals to the U.S. Such blockages could affect Internet, intranet and extranet transactions, as well as computer records and paper based information. This could seriously impede both electronic and traditional commerce activities.(4) In addition, restrictive privacy legislation in the U.S., Latin America, and Asia may be modeled on the EU Directive.
Ongoing negotiations between the U.S. and EU are designed to avoid blockages of data flows between Europe and the U.S. The Department of Commerce has developed a safe harbor proposal that would protect U.S. companies from data flow blockages if they adhere to prescribed privacy principles. Still, some European countries may not subscribe to aspects of the safe harbor concept and decide to enforce their laws to block information flows. A European privacy advocate plans to file complaints against some large U.S. multinational companies in an attempt to induce EU data protection authorities to block the transfer of consumer information from Europe to the U.S. Meanwhile, the Council of Europe's Committee of Ministers has adopted a recommendation on the protection of personal data on the Internet.(5) This recommendation includes a set of privacy protection guidelines for service providers and users of the Internet.
Trend Toward Increased Regulation
Two key public policy issues face lawmakers and regulators in the U.S. and overseas. Can the private sector be trusted to adequately protect the personal data privacy and security of consumers? Should governments impose stricter regulation of privacy and security to guarantee consumer protection? Those who advocate stricter regulation rationalize that more people will use the services of legitimate businesses and engage in electronic commerce if they have confidence that those who violate their privacy or security will be punished. Opponents of greater regulation argue that the global electronic-driven marketplace will be stifled if heavy-handed laws and regulations impede the free flow of information. What is often not recognized is that legislation designed to further protect consumer data may make the public feel more secure that personal privacy and security are protected. At the same time, however, it may also disrupt the flow of information, add to the cost of products and services, and slow economic growth.
Congressional concerns over the privacy and security of personal information led to the 1998 enactment of federal laws that criminalize identification theft and fraud, protect children's online privacy, prohibit the federal government from requiring Social Security numbers to be placed on drivers' licenses, and prohibit the assignment of unique identifiers to health records. In addition, Congress considered, but did not pass, legislation to further protect financial information, to protect online privacy generally, to protect the privacy of medical and genetic records, and to permit businesses to export and employ robust encryption without government constraints. While the encryption bills were intended to protect the privacy and security of consumer information from criminals, law enforcement authorities were concerned that they could compromise national security. Despite modest congressional results in 1998, many states enacted numerous privacy laws affecting health care, financial services, direct marketing, telecommunications, and online services.
The recently enacted "Children's Online Privacy Protection Act"(6) requires companies to obtain prior parental consent to collect and use personal information about children for marketing or other purposes. While the intent of this legislation - to protect children from online predators - is admirable, it sets a precedent that could lead to enactment of a comprehensive federal online privacy law that requires prior consent from other online users before a company may use personal information. Such an opt-in approach to consent could have a significant effect on electronic commerce. This is because most people are unlikely to make the effort to provide prior permission, thereby cutting themselves off from opportunities to obtain new, improved, or lower cost products and services. As an alternative, most businesses would prefer to apply the current opt-out system to the online environment. This would allow consumers who choose to do so to notify companies that they do not want personal information to be used for marketing purposes.
Legislative and Regulatory Outlook for Privacy and Security
The 106th Congress is expected to seriously consider both online and offline privacy protection legislation and many states are likely to act too. Legislation introduced, but not passed, in the last Congress and in many states is likely to be reintroduced, along with new online privacy bills. For example, Congressman Bruce Vento (D-MN) has reintroduced legislation to regulate the use, by interactive computer services, of personally identifiable information provided by subscribers to such services. H.R. 313, the "Consumer Internet Privacy Protection Act of 1999," prohibits interactive computer services from disclosing or using subscriber information without the subscriber's prior informed written consent, and permits subscribers to access their personal information in the files of interactive computer services, at no cost.
Some legislative proposals may require companies to provide consumers with clearer and more conspicuous notices of their privacy policies and practices by posting privacy notices and displaying privacy seals on their web pages. Other proposals may attempt to restrict the types of information that can be shared for cross marketing between corporate affiliates, and prohibit the disclosure of customer information without prior consent. For example, Senator Paul Sarbanes (D-MD) has introduced S. 187, the "Financial Information Privacy Act of 1999." This bill would require the prior consent of the customer of a financial institution before confidential information is disclosed or shared with third parties that perform contractual services. This would include data processing, marketing, or other functions for banks, securities firms, and other financial institutions.
Protecting the confidentiality of personal health, medical, entitlement, and benefit records is of growing public policy concern. Recently, a computer security error permitted thousands of patients' records to become accessible to anyone who visited the University of Michigan's health center web site. In 1998, both the CVS drugstore chain and Giant Food supermarkets provided personal prescription information to a company that used the information to market suggested treatments to patients. Consumers were incensed that their records were transferred without their knowledge and consent. In 1997, the Social Security Administration shut down its online system, which permitted people to check the status of their benefits, because security design flaws could have resulted in unauthorized access to recipients' personal information.
Legislation has been introduced in Congress and various states to protect the confidentiality of patient records and to impose criminal and civil penalties for unauthorized use of protected information. Legislation has also been introduced to restrict Internet service providers from disclosing and using Social Security account numbers or other personal identifiers. The interconnected nature of the multifaceted health care sector (with providers of insurance, private and government benefit programs, payment, processing and other systems) makes it difficult to protect the privacy and security of sensitive personal information. While the Internet and other online systems provide new ways to improve health and benefit providers' efficiency and service quality and to contain escalating costs, care must be taken to protect consumer privacy and security in ways that do not negate such benefits to the public.
Recent Congressional concerns over privacy and security are reflected by the movement of two bills in March of this year. The House of Representatives approved H.R. 514, the "Wireless Privacy Enhancement Act of 1999" by a vote of 403 to 3. The bill imposes penalties for intentional interception or disclosure of conversations on wireless devices like cellular telephones. In addition, the House Banking and Financial Services Committee approved legislation to restrict sharing of personal health and medical information between the insurance and banking businesses of a financial services holding company. The Committee also approved legislation that makes it a federal crime to obtain personal financial information under a false pretext. It also requires depository institutions to provide customers with clear and conspicuous disclosure of their privacy policies.
As mentioned above, in order to raise the level of privacy protection in the U.S., some
legislation may be based on concepts found in the European Data Protection Directive.
Legislation may be introduced to restrict: data mining and warehousing, target marketing,
and consumer profiling; the collection and use of health, medical, and other sensitive
customer information; and access to and use of public record information. Some of these
proposals, if enacted, could affect e-commerce transactions, the use of personal
information stored on smart cards, as well as online electronic billing and payment
systems that consolidate account information.
The U.S. does not have a uniform federal law that applies to electronic authentication. Instead, more than 40 states have passed laws that recognize digital signatures as acceptable substitutes for physical ones. Unfortunately, these state laws vary and often conflict, creating legal uncertainty as to which laws apply to interstate transactions, and thereby impede future growth of electronic commerce. The National Conference of Commissioners on Uniform State Laws (NCCUSL) is developing a uniform model law on electronic transactions. Approval by a majority of the states, however, is expected to take at least five years.
International uniformity of non-restrictive guidelines governing electronic authentication is also essential for electronic commerce (which has no geographic boundaries) to function efficiently. The U.S., which supports the elimination or modification of paper-based barriers to electronic transactions, is promoting international adoption of relevant provisions of the United Nations Commission on International Trade Law (UNCITRAL) 1996 Model Law on Electronic Commerce. However, the U.S. opposes detailed, restrictive rules for electronic authentication being developed by some countries, on the grounds that these would disrupt the free flow of information and stifle innovation. There is a concern, shared by industry, that some countries or groups of countries would establish restrictive regulatory structures for electronic authentication. These could be used to challenge the validity of authentication methods and techniques that have not been licensed or approved by them. To avoid such problems, the U.N. and the European Parliament are working on uniform international guidelines that will provide the framework for consumers, businesses, and governments to participate in electronic commerce in a safe, efficient, and consistent manner.
Finally, legislation has been reintroduced in Congress to permit the export and use of robust encryption by U.S. companies, and to prohibit the use of encryption for criminal purposes. While the outlook for passage of legislation has improved, continued opposition by law enforcement authorities and the Clinton Administration may once again prevent enactment. Meanwhile, in an attempt to balance privacy interests and security concerns, the U.S. has liberalized its restrictions on U.S. companies to permit financial institutions and selected other firms to export and use robust 128-bit encryption products that ensure the authenticity, integrity, and privacy of electronic communications.
Both privacy and security are politically popular areas of concern, with growing public awareness and activism in the U.S., Europe, and in many other countries. Therefore, the temptation to legislate and regulate to protect the public may outweigh the consequences of restricting both online and offline commerce. Furthermore, legislation designed to apply to offline business operations may have a significant unintended impact on online transactions, and vice versa. To avoid enactment of restrictive legislation, industry must demonstrate that it is acting fairly and responsibly to protect consumer privacy and security and that additional laws or regulations should deal with specific abuses that cannot be cured by other means. On the other hand, the burden is on business to show where federal legislation is necessary to enhance electronic commerce, with clear benefits and consumer protections. Finally, elected and public officials should be informed of the costs and consequences to consumers, businesses, and the economy of legislative or regulatory proposals to protect privacy and security. Such proposals should be rejected unless the public benefits clearly outweigh the risks of not acting.
1. Louis Harris & Associates and Dr. Alan Westin, "E-Commerce & Privacy: What Net Users Want" (1998).
2. U.S. Government Working Group On Electronic Commerce, "First Annual Report" (November 1998).
3. Directive 95/46/EC of the European Parliament and the Council (October 1995).
4. Peter P. Swire & Robert E. Litan, "None Of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive," Brookings Institution Press (1998).
5. Recommendation No R(99)5 of the Committee of Ministers to Member States for the Protection of Privacy on the Internet (February 1999).
6. P.L. 105-277 (October 1998).