November 28, 1999

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue N.W.
Washington, D.C. 20580

Re: Online Profiling Project Comment, P994809
Docket No. 990811219-9219-0

Submitted by:

Lucy Garrick
Vice President, Metrics
GeoTrust, Inc.
700 N.E. Multnomah, Suite 1650
Portland, OR 97232
503-235-8130
lucy@geotrust.com 

GeoTrust, Inc. submits these comments for the Federal Trade Commission Public Workshop on Online Profiling held in Washington, D.C. on November 8, 1999.

GeoTrust is a commercial organization with two complementary goals. First, we aim to help consumers determine the trustworthiness of entities on the World Wide Web. (GeoTrust uses the term "consumer" to include any individual or business Web user who wishes to acquire products, services or information on the Web. This includes new and emerging forms of commerce, such as the exchange of personally identifiable information (PII) for discounts or special offers.)

Second, GeoTrust attempts to advance ethical and open business practices among Web publishers and Web site hosts, such as Internet service providers, shopping portals, and other site hosts/communities. Web

Based on numerous market studies exploring consumer confidence on the Web, GeoTrust has developed a generic model for online trust. This model identifies the five primary elements necessary to judge the trustworthiness of a given site. This model also provides modular flexibility to address, in depth, the specific trust elements of trust-seal providers, vertical market service providers (e.g., financial or healthcare services) or site hosts wishing to develop "trusted communities" for Web users. The five broad categories of online trust include the following:

  • Site information – information regarding the business entity responsible for the site’s content, policies, processes and regulatory compliance
  • Privacy or intellectual property – how personal information or intellectual property is collected, used, accessed and stored; also, validation and audit from external authorities
  • Business viability and reputation – indicators of a site’s legitimacy and financial stability, e.g. endorsements and validation from external sources
  • Security of data – policies, zones of control and validation of practices
  • Web site experience – site performance, appropriateness and authenticity of Web content

GeoTrust’s primary objective is to become an information resource bridging individual or business consumers and Web sites. Our services will allow online consumers to make informed choices about financial or other types of exchange with Web sites.

GeoTrust makes this possible with a tool that is easily accessible and can be automatically integrated into the Web surfing experience through a Web browser. This tool will provide a fully automated system that combines various sources of data about a site, including their own disclosures, making this information available to consumers in a consistent, clear and understandable form.

GeoTrust’s own methodologies are reviewed and approved by an external Ethics Advisory Council (EAC) consisting of thought leaders in public policy, consumer protection, technology and commerce who understand the implications of technology and trust as they relate to e-business and the emerging economy.

Since issues of online trust are multi-faceted and highly complex, GeoTrust will introduce its services in phases, consistent with an evolving online market and technology. The first phase is scheduled for the first quarter of 2000 and will involve determining the trustworthiness of those sites sharing a commercial affiliation with a group of select Web site hosts.

GeoTrust believes that performing the services of a trust aggregator serves the interests of the various stakeholders in the growth and development of the Web. This includes consumers, government agencies, investors and Web businesses. Trust aggregation is an approach that pulls together the various elements of online trust in an accessible and easily understood form for businesses and consumers, thereby promoting industry self-regulation.

Since the Online Profiling Workshop focused primarily on the use of online profiling in advertising and direct marketing, GeoTrust’s comments are intended to augment that information. The comments have also been organized to be consistent with the workshop agenda, which looks as follows:

  • Profiling Technology
    • Capabilities
    • Protections
  • Implications for User Privacy
    • Value and Risks to Consumers
    • Value to Business
  • Potential of Self-Regulation
    • Regulation vs. Self-regulation
    • Opt-out vs. Opt-in
    • Unveiling of Network Advertising Initiative and the Direct Marketing Association’s Privacy Promise

 

OVERVIEW: ONLINE DATA AGGREGATION AND PROFILING

In light of today’s commercial online practices, the term "consumer" must be broadened to include new types of exchanges like the disclosure of personal information for products, services, discounts, special offers, information or advice.

The aggregation of consumer information (personal behaviors, preferences and interests) in order to create or target advertising on Web sites is but one use of online profiling illustrating the opportunities and challenges to consumers and Web businesses. Furthermore, personal information profiling is by no means limited to online advertising. It is also used to provide individual credit ratings, personal online services and to protect personal privacy as in the case of the Direct Marketing Association Mail Preference Service. Companies traditionally engaged in personal profiling include, but are not limited to, the following:

  • Metromail
  • 24/7 Media
  • Doubleclick
  • Abacus
  • Database America
  • R.L. Polk and Co.
  • Donnelly Marketing
  • American Business Information Inc.
  • Trans Union
  • Experian
  • Equifax
  • NEXIS-LEXIS
  • Most of the major credit-card-issuing banks

Many techniques are employed to collect personal preferences and information. These include, but are not limited to:

  • Online surveys
  • Offline surveys
  • Web site registration
  • Product registration
  • Credit card purchase information
  • Coupons, discount and rebate programs (e.g., Safeway, Click Rewards, Lucky Rewards, Discover, etc.)
  • Public records

The fact that personal information is collected both online and offline is significant in that data matching and data mining technologies and techniques already exist that allow the merging of various online and offline data sources. Also, many U.S. businesses today are specializing, outsourcing many internal functions. This further complicates the collection, use, storage and ownership of personal information. PII is therefore increasingly considered a corporate asset for online businesses outside the advertising industry. The same is true for government agencies, telecommunications, financial services and healthcare, all of which are regulated and have been considered to operate in the public interest.

PROFILING: THE VALUE AND RISKS TO CONSUMERS AND BUSINESSES

During the Online Profiling Workshop, online advertising services made a clear and reasonable argument for the need to collect personal information. This PII underwrites the free content and Web services that have made the World Wide Web a compelling new medium, attracting millions of new users each month. The growth of the Web has indeed contributed to the availability of new and innovative online services, and to the health of the U.S. economy.

But it is also important to note that in addition to underwriting some of the costs of Web site operation, personal profiling has allowed Web sites to reinvent the rules for commerce. Today, sites employ novel methods for matching user preferences and behaviors with offers for cost savings and personalized products/services, building a closer relationship between buyers and sellers. Many Web users have eagerly embraced such developments.

Still, in numerous studies, U.S. online consumers have cited privacy as an overriding concern. Some recent trends supporting this include:

  • TRUSTe banner hits number one in most recent Nielsen online measurements.
  • Jupiter Research reports that more than half of all people using the Internet say they don't trust Web sites, even if they post a privacy policy.
  • Jupiter Research forecasts that privacy concerns could put an $18 billion dent in the $40 billion e-commerce revenue projected for 2002.
  • Forrester Research reports that 64 percent of those surveyed mistrust online privacy policies.

These trends are further supported by The Georgetown Internet Privacy Policy Survey of 1999, which reported to the Federal Trade Commission the extent to which commercial Web sites have posted privacy disclosures based on fair information practices. This study focused on 364 of the most frequently visited Web sites and indicated that 65.7 percent had posted some type of privacy statement.

Many privacy disclosures were inadequate, failing to provide information regarding other elements of fair information practices (i.e., notice, choice, access and security).

"Of the 237 Web sites that collected personal information and posted a privacy disclosure, 87% included at least one survey element for notice, 77% contained at least one survey element for choice, 40% contained at least one survey element for access, 46% contained at least one survey element for security, and 49% contained at least one survey element for contact information. 14.8% (n=35) of the same 237 Web sites (or 9.5% of the entire sample) contained at least one survey element for notice, choice, access, security and contact information."1

Through the ongoing support of the Federal Trade Commission, Department of Commerce, non-profit organizations, trade associations and privacy advocates, the online industry continues to make progress on issues related to online privacy and consumer protection. This progress should be duly acknowledged, for it is a difficult task to synchronize the changes brought about by technology innovation with current and yet unimagined business models and practices.

Further, a recent survey by Privacy and American Business indicated that, with notice and opt-out, many consumers approve of the exchange of their personal information for banner ad and offer personalization.

It should also be recognized that, in spite of good intentions and significant progress, the industry will likely continue to stumble over privacy and trust issues (such as that seen in the Real Networks privacy incident of October 1999) as technology innovations and industry codes of conduct continue to evolve.

The approach, then, becomes two-fold:

1) Proactive efforts to educate businesses and consumers about the values and risks in the collection and use of personal information online or elsewhere

2) More effective mechanisms

a. For businesses and Web sites: to disclose and manage privacy policies, practices, processes and regulatory compliance

b. For consumers: to assess information upon which informed choices can be made about providing and using their personal information.

THE POTENTIAL FOR SELF-REGULATION

Although much of the controversy about privacy regulation has centered on the effectiveness of self-regulation and opt-in versus opt-out in privacy policies, it seems clear that there will always be distinct roles for both government regulation and industry self-regulation. Government regulation will be needed to provide a framework for sanctioning those who purposefully seek to harm consumers, though it cannot be a panacea for protecting consumer rights.

There are two related regulatory issues that must not be ignored in this discussion.

  • Jurisdictional enforcement of the borderless Internet implies unfathomable complexity and expense.
  • The commercial value of technological innovation to the United States and the speed with which open market business models and practices evolve will continue to outstrip government’s ability to effectively respond.

The most practical and effective solution for protecting consumer privacy will be to "fight fire with fire." This implies the use of technological innovation and new business models to create a more effective means for industry self-regulation. To do this, increased consumer pressure for self-regulation must be added to that which is already present from the online industry and government, thus allowing competitive advantage to form new uniform codes of conduct for the behavior of online businesses.

It is now possible to implement privacy management systems capable of bringing together the interests of consumers, the industry and government. A dynamic solution can also be developed that enables the Web to address important issues. Below is a list of some of those issues and their potential solutions:

  • Accessibility and Ease of Use
    • An automated system that allows a business to easily disclose the specific information of primary interest to consumers, which is further supported in its legal disclosure documents, i.e. privacy statements
    • A tool to allow businesses to assess their disclosures against existing legal statutes and other business practices within their field
    • A tool that highlights the key facts consumers need to know to make informed decisions about whether or not to exchange information with a Web business
  • Education
    • For businesses: how to build and maintain trust with consumers
    • For buyers: how to protect oneself and leverage personal information for value-added services in a controlled and safe manner.
  • Flexibility of Value Systems, Assurance and Assistance
    • A system capable of reflecting the variances in value systems across cultures and political perspectives
    • Audit, certification and assurance by independent third parties based on specific expertise in security systems, privacy law, best online consumer business practices, etc.
    • Resources to help Web sites and software developers build and implement trusted technological environments.
  • Verification, Feedback and Remedy
    • Authentication of Web site ownership and content
    • Forums for buyers and sellers to express concerns and feedback about the practices of a particular business or a set of practices in the marketplace as a whole
    • Automated notification for seal and enforcement agencies of potential violations of codes of conduct or regulation.

CONCLUSION

The issues of online technology, privacy and trust are complex, multi-faceted and global in scope. To effectively address these issues will require cooperation, innovation and continued vigilance. We have barely begun to tap the potential of networked communications offered by the World Wide Web.

It is my impression that each new program initiated by the FTC and the DoC inspires the industry to further prove its ability to self-regulate. I appreciate the opportunity to share our views on this important topic.