Deborah Pierce, Staff Attorney
Electronic Frontier Foundation
1550 Bryant Street, Suite 725
San Francisco, CA 94103

October 18, 1999

Secretary
Federal Trade Commission
Room H-159
600 Pennsylvania Avenue, N.W.
Washington, DC 20280
Sent Via Overnight Delivery and Electronic Mail

Re: Public Workshop on Online Profiling
Session II: Implications of online profiling technologies for consumer privacy
Online Profiling Project - Comment, P994809
Docket No. 990811219-9219-01

Dear Sir or Madam:

I am writing today on behalf of the Electronic Frontier Foundation (EFF), a nonprofit, public interest organization working to protect rights and promote responsibility in the electronic world. EFF is the leading global organization linking technical architectures and legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and access in the information society.

I would like to direct my comments to a topic that is particularly troubling to EFF, question 2 of Session II: "Implications of Online Profiling Technologies on Consumer Privacy." The focus will be specifically on question #12, "Are consumers' privacy interests implicated by the collection, compilation, sale and use of information collected by online profiling companies? If so, please describe." In a word, the answer is "yes." The collection and misuse of consumers' personal identification information by private corporations has been occurring at an alarming rate. The implications are enormous. Profiling allows corporations to create incredibly detailed dossiers about individuals' lives, which can lead to creation of markets for secondary uses of that information that the consumer could never have imagined. Few consumers realize the privacy implications of these profiling practices.

Companies have been constructing very detailed profiles about their customers, storing the information they collect in databases where the information can be analyzed and merged with other databases. Privacy policies listed on web pages barely disclose that they are collecting this data, let alone storing it and using it to create profiles. According to the FTC report to Congress in June 1999, "the vast majority of even the busiest Web sites have not implemented all four substantive fair information practice principles of Notice/Awareness, Choice/Consent, Access/Participation, and Security/Integrity."(1) This results in consumers being virtually powerless to control personal information about themselves from being shared among marketers. Storage of vast amounts of personal information in databases raises all of the same fair information practices issues as when companies track consumers on their web sites. In addition, numerous reports have shown that the vast majority of consumers are concerned about their privacy. The report "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy" (Online Privacy Report)(2) revealed that 87% of US respondents who use the Net were either somewhat or very concerned about threats to their privacy online. Consumers should have the ability to at the very least "opt-out" of data collection plans so that they can prevent profiles from being constructed about them. They should also be able to determine what information is being stored and be assured that the information is correct and secure.

This sharing and selling of personal information and any resulting profiles based on that information can have detrimental effects regarding activities that we take for granted in a free society, particularly in the area of free expression. Up until recently, we have had the freedom and ability to read and seek out information without being constantly monitored and identified. Now, pieces of information that had little meaning when viewed separately are now being aggregated, resulting in extensive profiling of individuals. For example, the merger of companies Double Click and Abacus has given the new single company the ability to merge the online advertising database of one company with the junk mail database of the other, thus marrying the offline and online behaviors of consumers into one database. The profiles created from information in the new database show a much more detailed view of individual consumer behavior than either of the separate databases could have shown alone. Once consumers become informed of the extensive abilities of corporations to track and profile consumers' online habits, consumers may be less likely to visit particular web sites, engage in e-commerce, or post to newsgroups, particularly if there are negative consequences, such as a potential employer gaining access to that profile and making hiring or firing decisions based on the contents.

Collecting personal information and using the profiling based on that information may also impair consumers' ability to gather information about goods or services. Roger Clarke, in his paper, "Profiling: A Hidden Challenge to the Regulation of Data Surveillance" found that profiling in the private sector can lead to "electronic redlining." Profiles can be used to "allow companies to pre-judge the future behavior of consumers, leading some of these firms to ignore certain types of people, and thereby limit[ing] such persons' access to information about goods and services." In the offline world, this has happened when the "combination of consumer profiling with 'geodemographic clustering' techniques are used to identify calls from low-income neighborhoods identified by their telephone exchange, so that they can be routed to a busy signal, a long queue, or a recorded message suggesting that the desired information service is not presently available."(3) This type of "electronic redlining" could also occur online as profiling becomes more sophisticated.

In addition, online profiling techniques are becoming more sophisticated, yet privacy protections haven't increased. To make matters worse, privacy policies and seal programs are not well read or well understood, yet consumers consistently say they are concerned about online privacy. In the Online Privacy Report, the authors found that the top concerns of respondents were 1) whether their information was going to be shared, 2) whether the respondent was specifically identifiable, and 3) how the information collected was going to be used. These three concerns were shared by at least 69% of the respondents. 49%, a much lower percentage than the top three concerns, rated as very important whether or not a site had a privacy policy. When the respondents were asked about online privacy seal programs by specifically mentioning particular well-known brands, respondents were more likely to consent to giving personal information. But when the authors did not mention specific brand names, they were much less likely to be willing to share information, suggesting that they do not yet fully understand how the seal programs work in conjunction with privacy policies.(4) Consumer education about privacy policies and seal programs is needed to help combat this problem.

The debate regarding self-regulation has been very lopsided, with the needs of companies' marketing programs consistently outweighing the privacy needs of consumers. The result is that consumers have been forced to try to negotiate protections for their own data, if they even realize that they should take steps to protect their personal information. Privacy policies are deficient, only employing notice, not the rest of the fair information practices guidelines. Sheila Anthony's statement in the FTC report to Congress in June of 1999 stated that according to the two studies cited in the report, 93% to 99% of surveyed sites collect personal information about consumers, but only 10% to 20% of those sites have privacy disclosures incorporating all of the fair information practices guidelines.(5) Lack of disclosure in privacy statements means that consumers can't make informed decisions regarding their privacy online. Meanwhile, marketers continue to tout self-regulation as the best solution.

Privacy protections are being reduced in some areas, increasing the need for regulation. For example, the 10th Circuit Court recently ruled against the FCC and held that phone companies have First Amendment interests in the consumer proprietary network information (CPNI) of phone records. The CPNI include the numbers dialed, and the duration and frequency of these calls.(6) Privacy interests of consumers were found suspect, when they were acknowledged at all. The availability of the CPNI information is another bit of very personal information that can be fed into existing profiles and aggregated with other data to be used to great advantage by marketers. This information can be merged with information collected about consumers online, much like the Double Click and Abacus example cited above.

Sale and use of personal information can also have potentially severe consequences. The Privacy Rights Clearinghouse reports that the number of calls they receive about identity theft continues to rise. All the identity thief needs is a social security number, something easily purchased from those who trade in personal information. Identity theft can result in individuals being turned down for jobs, being falsely arrested for crimes committed by the identity thief, and destroyed credit ratings.

To conclude, the proliferation of new corporate databases filled with personal information used to construct profiles is undermining consumer privacy. Lack of controls on how information is shared or sold contributes to the decrease of privacy for consumers. The continuing loss of privacy due to better abilities to profile without any more privacy protections being put in place may inhibit individual participation in commerce and society. In addition, privacy protections in some areas are being eroded, further diminishing privacy. Finally, the collection, sale and use of personal information, with potentially severe consequences, implicate privacy interests. Reports of identity theft have steadily been increasing, often with few remedies available to consumers.

Thank you again for giving us the opportunity to submit comments for the upcoming workshop. Please contact me at 415-436-9333, ext. 106 if I can clarify any of the above comments.

Sincerely,

Deborah Pierce
Staff Attorney

Online Profiling Project - Request to Participate, P994809

Docket No. 990811219-9219-01

Request to Participate: Public Workshop on Online Profiling
Session II:
Implications of online profiling technologies for consumer privacy

Shari Steele, Director of Legal Services, would like to participate as a panelist for Session II, "Implications of online profiling technologies for consumer privacy." Shari Steele is the Director of Legal Services for EFF. She has spoken on numerous panel discussions on the issues raised by extensive profiling of individuals.

Ms. Steele has written amicus briefs and participated on the legal teams on several precedent-setting cases for electronic communications, including ACLU v. Reno II (the case now (1999) pending before the 3rd Circuit Court of Appeals challenging the Child Online Protection Act), and Bernstein v. Department of Justice (where the export control laws on encryption were found to be unconstitutional by the Ninth Circuit Court of Appeals).

Ms. Steele has spoken about civil liberties law in newly emerging technologies on the CBS Evening News with Dan Rather, C-SPAN's Washington Journal, The Today Show, CNN, the BBC, and National Public Radio's Morning Edition, All Things Considered and the Diane Rehm Show. Ms. Steele has been asked to advise the NTIA on hate crimes in telecommunications, the U.S. Sentencing Commission on sentencing guidelines for the Computer Fraud and Abuse Act and the No Electronic Theft Act, and the National Research Council on U.S. encryption policy. Ms. Steele has testified before the Federal Trade Commission and has spoken about Internet law as part of the Smithsonian Institution's lecture series on the Internet, the ABA's TechWorld Conference, the National Law Journal's annual Computer Law Conference, and the National Forum for Women Corporate Counsel. Ms. Steele has also been an invited speaker at dozens of universities and computer groups.

Please also see our attached written comments for this session.


1. FTC, "Self-Regulation and Privacy Online: A Report to Congress" (1999)

2. AT&T Labs-Research Technical Report, Cranor, Reagle & Ackerman, "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy" (1999)

3. Clarke, Roger, "Profiling: A Hidden Challenge to the Regulation of Data Surveillance" (1993)

4. AT&T Labs-Research Technical Report, Cranor, Reagle & Ackerman, "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy" (1999)

5. FTC, "Self-Regulation and Privacy Online: A Report to Congress" (1999)

6. U.S. West, Inc. v. Federal Communications Commission, and United States of America