Prepared Remarks of
Chairman, Federal Trade Commission
CYBERBANKING AND ELECTRONIC COMMERCE CONFERENCE
February 2, 1998
* The views expressed are those of Chairman Pitofsky, and do not necessarily reflect those of the Commission or other Commissioners.
Over one hundred years ago, Louis Brandeis and Samuel Warren wrote some words that resonate in a remarkable way today:
The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world ... so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasion upon his privacy, subjected him to mental pain and distress far greater than could be inflicted by mere bodily injury.(1)
Some of the words are dated by today's standards. But the key themes remain as relevant to today's fast-paced, global, technology-driven economy as they were to the industrial economy of the late nineteenth century.
I would like to talk today about the emerging electronic marketplace, the FTC's regulatory responsibilities in this area, and more particularly about privacy concerns that must be addressed if that marketplace is to achieve its full potential.
The marketplace is changing and becoming more complex. One by-product of these changes is the development and growth of an Internet market that is filled with information that can be accessed and stored in unprecedented ways. The development of that marketplace offers a very positive potential. It rewards innovation, decentralizes economic power and offers consumers the prospect of convenient low-priced access to custom-designed products. Also, unless subverted by anticompetitive, fraudulent, or irresponsible behavior, the Internet offers the prospect of opening the marketplace of ideas to a vast array of new voices. But another by-product of the new marketplace is that it has brought back to life some (perhaps) latent privacy concerns, and has engendered new ones owing to the vast range of personal information that can be captured and made available in the online medium. If I order a product through a catalog or at a store, the merchant knows what I bought, and depending upon how I pay, a credit card issuer may also know. But, the merchant is not likely to know what else I looked at in the store or catalog, which an online merchant may. And, once online, I may or may not be able to choose to make payment in an anonymous manner.
Commerce on the Internet is growing rapidly. Approximately $500 million to $750 million in consumer goods were sold over the Internet in 1996, and estimates for 1997 ranged from over $800 million to $1.5 billion.(2) We all know that is only the beginning. For a relatively small amount of money, any person can set up a site on the Internet and become a global marketer, and the revenues can be enormous.
Before turning to privacy issues, I should note that the FTC's traditional and primary responsibility is to challenge fraud, deception and unfairness in the marketplace. In that connection, the Commission has devoted considerable resources to tackling fraud on the Internet, which also affects consumers' willingness to go online. The FTC has brought approximately two dozen cases against garden variety frauds such as pyramid schemes(3) and credit repair scams,(4) which easily have migrated to the online medium. Some frauds, however, use technologies unique to the Internet. In one case, the Commission sued an entity that essentially hijacked consumers' modems. When a consumer viewed its site, the viewer program disconnected the computer from the consumer's own access provider and dialed an international telephone number purportedly linked to Moldova, one of the Russian Republics. Charges continued to accrue until the computer was turned off. The telephone bills reflected the costly international calls.(5)
With respect to privacy, over 100 pieces of legislation already have been introduced in Congress and in state legislatures. Efforts to develop technological responses through filtering devices or otherwise are well underway. Serious self-regulatory initiatives have been proposed and some have been implemented. Because of the dynamic nature of this industry, my preference is for self-regulation. Should it not work, however, legislative initiatives will gather more steam.
During the past two and one-half years, the Commission has hosted a series of hearings and workshops(6) and solicited comment from the private and governmental sectors, consumers, privacy advocates and experts in interactive technology to identify concerns about online privacy issues and to encourage industry self-regulatory initiatives. The Commission and its staff have issued a number of reports describing online practices and relevant technological developments, and sent opinion letters delineating what types of practices might violate the Federal Trade Commission Act.(7) The Commission also is a member of the Consumer Electronic Payments Task Force, established by Treasury Secretary Rubin and chaired by Comptroller of the Currency, Eugene Ludwig, whose mission is to "identify and explore issues affecting consumers raised by emerging electronic money technologies."(8) In connection with that Task Force, the Commission hosted a public workshop in July 1997 addressing issues related to the privacy and security of electronic payments.
We have learned that consumers care about the security and confidentiality of their personal information in the online marketplace. Survey data indicate that consumers have less confidence in how online companies handle personal information than offline businesses. The data further show that a substantial number of online users would rather not use information or products available through a Web site if that means providing the site with personal information without knowing about the site's information practices.(9) The perceived lack of security of online payment systems is another reason consumers who go online are concerned about shopping or banking.(10)
Three areas that deserve particular attention relate to invasions of privacy with respect to children, the scope of information available through "look-up services," and use of personally identifiable information obtained on the Internet for marketing purposes.
Special attention must be paid to the fact that online usage by children is growing. A 1997 survey indicates that approximately 9.8 million children (under age 18) go online, which is a five-fold increase from 1995. Children use the Internet for a variety of activities including homework or informal learning, playing games, browsing or for e-mail/chat rooms.(11) These young people are not shopping or banking online, but parents still have serious concerns about the online collection and use of personal information from children. A 1997 survey indicates that 97 percent of parents whose children use the Internet believe Web sites should not collect, sell, or rent personal information on children; 80 percent object to a Web site requesting a child's name and address when the child registers, even if such information is used only internally.(12)
As an initial response to these concerns, FTC staff recently issued an opinion letter outlining several principles that should apply generally to the collection of personally identifiable information from children online. First, staff said that it would be a deceptive practice under Section 5 of the FTC Act to represent that a Web site was collecting personally identifiable information for one purpose -- such as to play a game -- when in fact the information is used for another purpose -- such as marketing. Second, and more far reaching, staff said that under Section 5's unfairness authority, it is likely illegal to collect personally identifiable information from children -- such as name, e-mail or home address, or telephone number -- and sell or disclose such information to third parties without providing notice to parents and the opportunity to control the use and collection of the personally identifiable information.(13)
FTC staff also conducted the "Kids Privacy Surf Day" on October 14, 1997. We found that 86 percent of the 126 child-oriented sites visited collected personally identifiable information on children and most did not seek prior parental permission or allow parents to control the collection and use of the information. Those Web sites surveyed were told that their practices might violate the FTC Act, and we have made public on several occasions that staff will systematically review in March 1998 how Web sites collect personally identifiable information.(14)
Another set of issues concerning commerce on the Internet involves computerized database services -- called "look-up services" or "individual reference services" -- that sell personal identifying information. The Commission recently issued a report to Congress that provided much eye-opening information on the breadth and availability of personal information that can be sold to the public over the online medium.(15)
The report indicated that there are at least two sources for personal information that can be accessed through the look-up services: "non-public" and "public" sources. Non-public sources include what is called "credit header" information, which is that portion of the credit report purchased from a credit reporting agency that contains an individual's name, address, aliases, Social Security number, current and prior addresses and telephone number.(16) Additionally, non-public information on an individual's financial status, employment background, credit history and medical records can be found in a "credit report," but the dissemination of that information by a credit reporting agency is strictly regulated under the Fair Credit Reporting Act.(17)
Public sources of personal information include real property records, marriage and divorce records, driving records and licenses, voter registration records, civil and criminal court records and filings with the Securities and Exchange Commission.(18)
Sources for public and non-public information have existed for decades. But, two things are different today. First, the availability or accessibility of the information no longer necessitates driving around from the courthouse to the DMV or contacting a credit reporting agency; one need only be able to go online -- typically having a subscriber relationship with one of the look-up services.(19)
Second, while records have existed for decades, some are now increasingly available in electronic form, allowing for different merging and sorting of information, and theoretically making it relatively simple for "dossiers" to be compiled on individuals, with much rich, personal information.
It is easy to be alarmed by such possibilities. We might envision a nosy neighbor snooping on us or, far worse, usurpation of a social security number and other identifying information resulting in consumer identity theft.(20) At the same time, however, online sources provide important assistance to law enforcement agencies (including the FTC), and may be used by others, for example, to locate missing children or heirs. These examples illustrate another important point highlighted by the Commission's database report: Balanced against consumers' privacy concerns are the many legitimate and valuable uses for such personally identifying information.
Privacy concerns and the use of personal information for marketing purposes were not addressed by the Commission in its database report.(21) This is an important issue, however, and one that raises a similar tension between privacy considerations and the beneficial uses of such information. I understand, for example, that this is an issue of particular interest to financial service providers who amass financial information on their customers and make increasing use of it, along with other internal data, for cross-marketing purposes. This process -- sometimes referred to as data mining -- likely offers important benefits to consumers as well as businesses. But, especially as consumers increasingly use online services for banking, and as various online and offline databases are merged, it makes sense to be alert to privacy concerns regarding this practice that will no doubt arise with greater frequency.
Let me turn now to some issues relating to self-regulation.
At the FTC's June 1997 workshop on Consumer Privacy, many companies pledged to undertake self-regulatory approaches, such as posting privacy policies and information practices on Web sites, to protect consumer privacy online. In March, we will conduct "surf days" to determine whether such privacy policies are posted and whether companies honor consumers' expressed privacy preferences. Also, the Commission will prepare a report to Congress in June that will include an assessment of industry's self-regulatory efforts.
Throughout the workshops and hearings and Consumer Electronic Payments Task Force meetings, the Commission has urged self-regulatory approaches in the first instance. There are a variety of reasons self-regulation makes sense. The marketplace is undergoing rapid change. Industry and consumers are well situated to know what is needed and where immediate concerns lie.
At least two recent examples of self-regulation provide promising signs. I mentioned earlier that the workshops and meetings conducted while examining computerized databases provided impetus to a relatively new industry to create and implement a self-regulatory framework. The Individual Reference Services Group ("IRSG") has drafted self-regulatory principles, which, among other things: (1) restrict the overall availability of "non-public" information in ways that depend on the qualifications of the user (e.g., a law enforcement officer versus a commercial user versus the general public); (2) allow consumers access to the "non-public" information maintained on them, permit consumers to correct inaccuracies in the information and restrict distribution of the non-public information to the general public; and (3) establish annual compliance reviews of signatories that will be made public.(22) In its report to Congress, the FTC generally commended the principles adopted by IRSG, but also recognized that they do not address certain important concerns raised about the computer database industry. For example, the principles offer few restrictions on the use of "public" record information and do not enable consumers to access and ensure the accuracy of public source information on them.(23)
One aspect of the IRSG principles is especially interesting. Signatories who are information providers are not to sell information to any look-up service that does not comply with the principles. The current signatories include major suppliers of non-public information, among which are three national credit bureaus, which are the primary suppliers of "credit header" information. As such, this self-regulatory program may significantly impact the practices of businesses that choose not to comply with the principles.(24) The IRSG principles embody many essential elements of a good self-regulatory initiative: standards, commitment, and an enforcement mechanism so that non-participants are encouraged to participate.
A similar effort to use self-regulation to address consumer privacy-related concerns was taken by the Direct Marketing Association (DMA). DMA sought to require its members to honor consumers' requests to be removed from mail and telephone solicitation lists; disclose to consumers whether and how they disseminate information on them; and, if requested, to refrain from transferring customer information to others. DMA sought and received a staff advisory opinion that such requirements would not violate federal antitrust laws.(25)
The IRSG and DMA initiatives raise interesting questions about forms of self-regulation that are not merely statements of principles, but that impose penalties on members (or non-members) who fail to abide by those principles. We recognize that some companies are honestly concerned that the enforcement vehicle -- for example, exclusion from an association that adopts self-regulation guides -- could raise charges of "boycott" under the antitrust laws. I believe that antitrust should not stand in the way of legitimate self-regulation, so long as the rights of the alleged violator are protected and self-regulation is not used as a cloak or camouflage for otherwise illegal activities. I hope in the near future that the Commission will be able to spell out in greater detail a view that antitrust should not and will not be a barrier to legitimate self-regulation.
We intend to continue to work honestly and in a cooperative spirit with any group that is seriously engaged in effective self-regulation. I continue to believe that self-regulation is the preferred course to follow. If it fails, there will be no alternative except an active government participation. Moreover, it is unlikely that all interests will best be served by a fragmented regulatory regime in which federal, state, and even international regulations overlap in such a way as to create uncertainty about the scope of permissible behavior.
1. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, Harv. L. Rev. 193, 196 (1890) (discussing invasions of privacy inflicted by the press).
2. See E-Commerce Dollar Projections, http://www.e-land.com/e-stat_ages/ec_proj.htm.
3. E.g., FTC v. Fortuna Alliance, L.L.C., Civ-No. C96-799M (W.D. Wash. Feb. 24, 1997).
4. E.g., FTC v. Consumer Credit Advocates, 96 Civ. 1990 (S.D.N.Y. Mar. 19, 1996).
5. FTC v. Audiotex Connection, Inc., CV-97-0726 (E.D.N.Y. Apr. 24, 1997).
6. The initial workshop on privacy was held in April 1995. Additional hearings held in October and November 1995 were part of a lengthy series of hearings examining the implications of globalization and technological innovation for competition issues as well as consumer protection issues. A workshop in June 1996 focused on issues posed by the online collection of information from consumers, including children. A four-day workshop in June 1997 addressed computerized databases containing identifying information on consumers; unsolicited commercial e-mail; and more broadly consumers' -- including children's -- online privacy.
7. E.g., FTC Report to Congress: Individual Reference Services, December 1997; Letter from Bureau of Consumer Protection Director to Center for Media Education, July 15, 1997 (staff opinion letter discussed infra); FTC Staff Report: Public Workshop on Consumer Privacy on the Global Information Infrastructure, December 1996; FTC Staff Report: Anticipating the 21st Century: Consumer Protection Policy in the New High-Tech, Global Marketplace, May 1996. The Commission also recently testified before the House Subcommittee on Financial Institutions and Consumer Credit, Committee on Banking and Financial Services, on the Implications of Emerging Electronic Payment Systems on Individual Privacy, September 18, 1997.
8. 62 Fed. Reg. 19173, 19174 (1997). The Task Force plans to issue a report in the spring.
9. Privacy & American Business Report, Vol. 4, No. 3 (1997) (reporting on Louis Harris & Associates and Alan F. Westin's National Survey of Computer Users). These important survey findings were first announced at our June 1997 workshop.
10. Testimony and written statement of Catherine A. Allen, CEO, Banking Industry Technology Secretariat, presented at July 17, 1997 Hearing of Consumer Electronic Payments Task Force, hosted by FTC (citing survey conducted by Yankelovich and Associates that 85 percent of the women versus 50 percent of the men who regularly go online indicate they will not do much shopping or banking until more security and privacy safeguards are in place).
11. Interactive Consumers Research Report, Vol. 4, No. 5, May 1997 (discussing results of FIND/SVP's 1997 American Internet User Survey).
12. Privacy & American Business Report, Vol. 4, No. 3 (1997) (reporting on Louis Harris & Associates and Alan F. Westin's National Survey of Computer Users).
13. Letter from Bureau of Consumer Protection Director to Center for Media Education, July 15, 1997 (responding to petition requesting the Commission to initiate a law enforcement action against a Web site that offered itself as a "playground" for children aged 4 to 15).
14. See FTC Press Release: FTC Surfs Children's Web Sites to Review Privacy Practices, Dec. 15, 1997.
15. FTC Report to Congress: Individual Reference Services, December 1997.
16. The Commission's report did not consider privacy concerns arising from use of non-public marketing information (e.g., information that is obtained from purchase transactions, magazine subscriptions and warranty cards), in part, because under guidelines issued by the Direct Marketing Association, marketing information is not to be used for non-marketing purposes. Id. at 6 & n.43. The report, however, observed that some marketing information may be sold for non-marketing purposes. Id. at 6 & n.44. A self regulatory program developed by a number of look-up services, see infra, renounces the inclusion of marketing information in their databases.
17. Id. at 5-6 & n.42.
18. Id. at 4-5.
19. As discussed below, members of the individual reference services industry have developed a set of self-regulatory principles, which take effect at the end of 1998, that restrict the availability of non-public information to the general public and to certain other types of users of such information (such as law firms or businesses), and afford consumers the ability to review and restrict some of the non-public information on them that may be accessed by the general public. See id. at 25-30.
20. Typically, consumer identity theft is viewed only as an offline problem, whereby someone obtains identifying information from a source (such as a look-up service) and uses it to obtain credit in the name of another person. Now, reports of online consumer identity theft are emerging whereby someone steals the password of a consumer using an Internet service provider and assumes the consumer's online identity. See Jared Sandberg, Hackers Prey on AOL Users with Array of Dirty Tricks, Wall St. J., Jan. 5, 1998 at B1.
21. See note 16 supra.
22. FTC Report to Congress: Individual Reference Services, December 1997 at 25-28.
23. Id. at 29-30.
24. Id. at 29.
25. Letter from Bureau of Competition Assistant Director to Counsel for DMA, Sept. 9, 1997. See FTC Press Release: Mandatory "Do Not Call" Lists for Direct Marketing Association Members Would Not Violate Antitrust Laws, FTC Staff Says, Oct. 14, 1997.