The Woodrow Wilson Center Sovereignty in the Digital Age Series
Let me start this discussion by complimenting the Woodrow Wilson Center in its resolve to discuss issues relating to the digital age - especially as those challenges relate to the globalization of commerce. We are at the outset of a revolution in commerce, both in manufacturing and marketing, that surpasses anything we have seen since the communications and transportation developments at the end of the 19th century. The challenge to the private and public sector is to encourage that revolution, but contain the excesses that revolutions often produce.
I will discuss today issues relating to fraud, invasions of privacy, and international rules of law as they pertain to electronic commerce. My agency, the Federal Trade Commission, has been a participant in the debate, and has contributed to resolutions of some of these issues. In one sense, we are active because we are pursuing our fundamental mandate to protect consumers from deceptive and unfair practices and restraints of trade. In a broader sense, we seek to protect the Internet itself and ensure that lack of consumer confidence in the medium does not impair its ability to realize its full potential. We see electronic commerce as a profoundly pro-consumer development. It offers consumers a range and variety of products, and a source of relevant information with which consumers can protect their own interests, that exceeds anything we have seen before.
As with all radical economic developments, there are potential downsides:
1. The Internet has become a fertile field for fraud. It allows fraud promoters to mimic legitimate business more convincingly, reach potential victims efficiently, elude detection by maintaining anonymity, and frustrate enforcement officials by locating (or relocating when detected) in remote jurisdictions that have no relevant law or no serious enforcement.
2. The technology of the Internet -- its ability to marshal and sort vast amounts of information, sometimes without the online consumer even knowing information is being collected -- is a new and potent threat to traditional privacy values.
3. Because electronic commerce respects no borders, cooperation and coordination in international law enforcement -- a set of problems not really very pressing in more conventional forms of marketing -- becomes increasingly essential to protect consumers and protect the medium.
4. Finally, there is a subject no one should neglect. The electronic commerce revolution, for all its promise, may widen the divide between the have's and have not's, between nations and even within nation states. As we celebrate the promise of the digital revolution, we must also acknowledge the threat it poses to individual welfare and to the stability of international order.
The Federal Trade Commission has been an early and active participant in the discussion of electronic commerce challenges and in the development of appropriate legislation. As early as 1995, the agency began conducting workshops, hearings, and seminars to try to get ahead of the curve on major developments. Its fundamental statute, authorizing it to challenge fraud and unfairness on behalf of consumers, and to challenge anti-competitive practices in order to protect the free market, has given the agency a special role to play in weighing the appropriateness of regulation and enforcing existing laws. The FTC's commitment of resources to electronic commerce has expanded more quickly and substantially than its commitment to any other area subject to its jurisdiction.
The challenge to policy makers is neither to over-regulate, and unnecessarily stifle development of this extraordinary medium, nor under-regulate, and thereby allow unprincipled and greedy participants to impair its potential development.
Let me turn then to some background data on the development of electronic commerce and some discussion of the particular enforcement activities of the agency.
A. Snapshot of Today: Current Data on Online Usage
The pace of development of the online marketplace is extraordinary. To reach audiences of 50 million Americans, radio took 38 years, network television took 13 years and cable television 10 years.(2) Yet once the first web-browser became widely available, it was only three years before the Internet reached close to 50 million domestic users.(3) Worldwide, an estimated 171 million people use the Internet, up from 121 million a year ago.(4)
More than a quarter of people with access to the Internet have purchased goods or services online. Looking at this past holiday season, consumers spent an estimated $7 billion shopping on the Internet -- more than twice the amount they spent online over the holidays in 1998.(5) Some expect annual consumer sales on the Internet to skyrocket from $15 billion in 1999 to $78 billion in 2003.(6) According to one poll, holiday shopping revenues were driven largely by the purchase of books, computer software and hardware, toys, CDs, videos and flowers, and the average annual amount spent online was $1225.(7)
There has been a comparable explosion in online advertising. Online ad revenues in the U.S. grew from nearly $300 million in 1996 to almost $2 billion in 1998, and to over $1.6 billion in the first half of 1999.(8)
As with so many technological developments, statistics do not fully take the measure of the impact of Internet developments on society. In terms of communication of ideas, access to information, and relationships among people -- even more than its impact on the commercial marketplace -- it is of course a revolutionary set of developments.
B. Fraud: Existing Regulation Fills the Bill - So Far
There are two striking features about fraud on the Internet. First, we have seen frauds that are more oppressive in taking advantage of vulnerable audiences than any in many decades. It has become the new preferred medium of the snake oil seller and con-artist. Frauds that the FTC has challenged include health scams (magnetic therapy devices and shark cartilage said to cure cancer, AIDS, and arthritis) business opportunity scams (deceptive promotion of high-tech ventures involving investments in Internet "shopping malls") and pyramid frauds (high-tech chain letter techniques that recruit as many as 25,000 consumers through phony sales promotions).
Second, the new technology allows creative people to develop fraudulent schemes that are unique to the high-tech medium. A few examples illustrate the point:
In FTC v. Audiotex Connections, Inc.,(9) the defendants allegedly induced consumers to download a special viewer program by making representations that consumers could access "free" computer images. Defendants' software, however, actually hijacked consumers' connections with their computers without their knowledge and connected them to a high-priced international long distance telephone system that purportedly routed calls through Canada to Moldova, a Russian republic, and then back to the United States. The defendants made their money through kick-backs from foreign telephone companies.
In FTC v. Pereira,(10) the defendants allegedly made unauthorized copies of various Web sites, including those of Paine Webber and the Harvard Law Review, and inserted coded instructions in those copycat sites that automatically redirected unwitting consumers to adult sites run by defendants. The software then trapped them at the new site. In effect, the technology resulted in hijacking (i.e., directing the browser to an unwanted Web site) and then mouse trapping (i.e., keeping the browser there against the user's will). Defendants profited from the increased value of advertising space on the sites due to the increased number of consumers who visited - unwittingly. The defendants who set up the diversion were in Portugal and those who supplied pornographic material on the unwanted Web site were located in Australia; the only U.S. connection is that the victims were located in the United States.
It is hard to say why the online commerce marketplace has become such a favored locale for fraud. Existing civil and criminal enforcement rules - including definitions of fraud, circumstances in which disclosures are mandated, rules on what constitutes clear and conspicuous disclosure -- are all applicable and adequate to Internet enforcement. Perhaps potential fraud artists think of the online commerce world as "the Wild, Wild West," where there is no sheriff and no one is watching. We have tried to address that concern by bringing more than 100 Internet-related cases in recent years. We have obtained injunctions halting illegal schemes and, importantly, collected over $20 million in redress for victims and frozen another $65 million in pending cases. Our law enforcement actions have stopped consumer injury from Internet schemes with estimated annual sales of more than $250 million.
At the same time, the Securities and Exchange Commission, Department of Justice, U.S. Attorneys offices and State Attorneys General also have been aggressive in their enforcement efforts. If scam artists believe that the online universe is a free-fire zone where anything goes, they ought to change their minds.
Perhaps the most effective response to online fraud has been the establishment in 1997 by the Commission of "Consumer Sentinel" -- a consumer fraud complaint database available online to local, state and federal law enforcement officials across the United States and Canada. These officials can access data that provide information about potential wrongdoers and that show trends at the local, national and international level. Consumer Sentinel has over 225,000 complaints with the number increasing, sadly, by 6,000 a month. About 25 percent of the complaints are received directly online, and we can and do receive complaints from outside the U.S. and Canada. When the next "tech fraud" appears, as it surely will, it will be detected first on Consumer Sentinel.
C. Privacy Concerns
Issues of privacy have dominated much of the debate on the prospect and limitations of consumer participation in the online marketplace. According to a recent survey, a strong majority of U.S. Internet users - 61 percent - indicate that they have refused to purchase a good or service from Web sites because they were unsure about how their personal information would be used.(11) A 1998 survey had concluded that consumers who do not use the Internet ranked concerns about privacy as the top reason for not going online.(12) These are not unreasonable apprehensions. As I mentioned earlier, technology makes it possible to collect, store, manipulate and market personal information on an unprecedented scale and occasionally collect information in ways that may not be evident to the average consumer.
To date, much of the online debate has centered around several options -- do nothing to protect consumer privacy ("hands off the Internet"), industry self-regulation, or government regulation. Given the invasions of privacy that we have seen in the early stages of development of online commerce - some involving the illegal collection of personal information from kids(13) - and the constant concern by online participants about invasions of their privacy, the do-nothing option does not seem appealing.
The purported choice between industry self-regulation and government regulation to some extent misses the point. We already have piecemeal or proposed regulations in several sectors. These include:
1. Children: Prior to the Internet, it would have been unthinkable for marketers to collect detailed personal information from young children without the consent of their parents. Confronted with evidence of the increasing use of the Internet to do just this, Congress quickly passed the Children's Online Privacy Protection Act in 1998. The Act directed the Commission to issue rules governing the online collection and use of personally identifiable information from children under age 13. Children are not miniature adults, and the rules require Web site operators to provide notice and obtain verifiable parental consent before collecting or disclosing information from children. The rules take effect this April.
2. Medical Records: Medical records are extraordinarily sensitive. The Department of Health and Human Services recently issued proposed regulations creating for the first time national standards protecting health information that is transmitted or maintained electronically. Among other things, the proposal would limit the release of medical information without written consent for purposes unrelated to treatment and payment.
3. Financial Records: Like medical records, financial records also contain sensitive personal information. The significant revisions to the federal banking laws in the Gramm-Leach-Bliley Act include privacy protections for personal financial information. Financial institutions will have to provide notice to consumers before sharing such information with affiliates and both notice and the ability to opt-out before sharing it with non-affiliates. The Commission and many other federal agencies are in the process of developing a set of proposed regulations implementing those privacy protections that will be issued for public comment in the near future. The Federal Trade Commission actively supported legislation involving children's online privacy and financial privacy, and will weigh in on HHS's proposal to protect medical privacy. It is clear the broad landscape of privacy protections is changing. The pressing question remains, however: What is to be done about across-the-board protection of adult online privacy? Is broad regulation justified?
To date, a majority of the Commission has concluded that self-regulatory initiatives should be given a full opportunity to operate. Industry groups like the Better Business Bureau Online, TRUSTe and the Online Privacy Alliance have seriously and responsibly addressed online privacy questions and tried to bring members along, and individual companies such as Disney, IBM and America Online, and trade associations like the Direct Marketing Association, have pressed for the protection of privacy. To a limited extent, results have been encouraging. In 1999, a study showed the posting of privacy disclosures had increased in one year from 14 percent to 66 percent of Web sites surveyed, which is a remarkable improvement in a short period.(14)
Nevertheless, much remains to be done. According to the last survey, over one third of the Web sites had no privacy disclosure at all.(15) And we all know that many posted privacy policies are hard to locate, read, or understand. Further, other aspects of what have come to be known as fair information practices, like the requirement that online participants have a reasonable opportunity to see what information has been collected about them and to correct errors that creep into a database, have barely been addressed.
The Federal Trade Commission will conduct a comprehensive survey later this month, addressing the question of whether self-regulation has continued to improve the protection of consumer privacy. The survey will look beneath the surface to see if online privacy polices are adequate in terms of clear disclosure of what type of information is collected and what is done with it, whether consumers can exercise choice about how information is collected and shared, whether access to information is afforded along with any ability to correct errors, and what, if any, sort of security is provided. This will be a qualitative, not simply quantitative examination. Results of that survey should illuminate this important debate.
I also await the report of the Advisory Committee the Commission recently formed to advise the Commission on the cost and benefit issues of access and security in the online context. The report is expected in May and it too will provide information highly relevant to our discussion.
An interesting development in recent months is proposed legislation in several states that would mandate privacy protections, often in terms that vary from state to state. For example, California proposes to restrict Internet service providers from disclosing personal information without consent; New York is looking broadly at restrictions on the collection and disclosure of personal information by both online service providers and financial institutions, among others. Without comprehensive federal legislation, it is possible that something of a vacuum will be created and states may enter, not always with consistent proposals, to protect the privacy of their citizens. There may soon come a point when the business community will have to decide whether it prefers a single comprehensive federal rule, or a situation in which a variety of state rules create difficult to follow mandates.
Another recent development in the privacy debate, which was the subject of an FTC/Department of Commerce workshop this past November, concerns online profiling. Through the placement of cookies on a user's browser,(16) a company can record where an individual goes online, know what ads he has seen before and pursued, and in so doing develop a profile of his interests. Viewed in a good light, this enables a company to ensure you do not see the same ad time and time again, and to expose you to ads that are more likely to be of interest. But, I am troubled by who is out there watching and collecting information. Would we really welcome a television ad having the technological ability to know a viewer has seen it, know to show a different ad during the next commercial break, and know what other programs and ads the viewer sees?
Some posit that no personally identifiable information is collected by this online profiling; that at most, the profile is of a browser that has no knowable street or e-mail address or owner's name. Still, I question whether that addresses all privacy concerns raised by this surreptitious extraction of potentially rich information where there is no reasonable expectation by the consumer that his purchases or even interests in particular products are being watched.
Even more troubling concerns are raised by the possible merger of this information with offline databases. I know self-regulatory initiatives are in the pipeline to ensure that no merger of online and offline profiles occurs without adequate notice and choice protections. Similarly, efforts are underway to educate consumers that a surreptitious collection of information may occur and to allow them to opt out of such collections. Needless to say, online profiling presents extraordinary challenges.
I want to make one additional point on the privacy debate. While much of the attention to issues of privacy has related to the online universe, concerns about the merging of online and offline databases suggest that considerations of purely offline acquisition and use of personally identifiable information are likely to receive greater attention. It is at least worth considering why the same arguments that lend such force to efforts to protect online privacy do not apply with roughly equal weight to information gathering in the offline world. A recent survey reiterates consumers' ongoing heightened concerns about online privacy, but makes clear that consumers have high levels of privacy concerns in the offline marketplace as well.(17) We should not ignore these concerns.
D. E-Commerce on a Global Scale
Globalization offers businesses a vastly larger market and consumers more choice, but it also presents complexities and greater risks. The dilemma can be stated quite simply:
1. When a business goes online, it may subject itself to the jurisdiction and systems of law of every country around the world. Is that fair?
The seller's connection with the jurisdiction of the purchaser may be tenuous and remote. It may have limited control over who accesses its advertising and sales messages once they are launched in cyberspace, and it may have no intention to make a sale in particular jurisdictions. Laws about permissible targets of marketing, discounts, product safety and required disclosures vary greatly from country to country -- even within countries -- and are fairly constantly in flux. Can sellers, especially mom&pop operations, do business in an environment that is so unpredictable and imposes such substantial burdens? Or should the law and courts of the seller, and only the seller, govern?
2. On the other hand, when consumers go online, they may lose the benefit of domestic consumer protection laws. Is that fair?
Consumers are accustomed to domestic law that tends to protect their interests, and they are accustomed to having this law apply when they do business from home with distant companies, like mail-order sales. They may be astonished at how little protection they are accorded in the country of the seller (assuming the consumer even knows the seller is located in a foreign country, let alone which country). Given the costs of travel, delay, lack of familiarity with local law, a system of remedies that depends on the law and courts of the seller, and not the law where the consumer lives, may mean no remedy at all. Arguably the law that applies in the location of the buyer should control.
As we learned at an FTC public workshop on this very topic last summer, no simple answer is available.
On the international level, we see real strides being made by the OECD, which recently issued non-binding guidelines based on the overarching principle that online shoppers are entitled to effective consumer protections that are not less than they receive offline. The Guidelines offer building blocks to instill consumer confidence and give guidance to businesses about what are "best practices" online.
But, the Guidelines do not resolve the core questions of jurisdiction: What happens when a U.S. consumer buys from a seller located in a foreign country or a consumer in a foreign country buys in the U.S.? Whose laws apply and where does the consumer sue? There are pros and cons to the county-of-origin approach and country-of-destination approach. I know some businesses favor the certainty and security offered by allowing parties to choose the applicable law by contract, using the country-of-origin's laws as the default. A similar approach has worked well in the business-to-business context. At the same time, I have a sense that business appreciates that this is not now the case and is not a likely outcome in the business-to-consumer arena. Here, the purchasers may be less sophisticated and may have less incentive, given the high number of low-dollar transactions, to invest the time and money to negotiate protective terms. In addition, there are real concerns about encouraging a race to the bottom, where businesses have an incentive to operate in jurisdictions with weak consumer protections. Moreover, governments will not lightly pass off the responsibility of protecting their citizens to unfamiliar jurisdictions that offer lesser consumer protections. I suspect neither approach alone is likely to become the rule of law.
These jurisdictional and choice of law issues would be less troubling if we could reach international convergence on consumer protection laws. This is a difficult process. I am skeptical we will achieve broad, substantive convergence in the near future. Of course, bilateral treaties have been highly effective in the past and could complement multilateral efforts such as the OECD and the 29-country International Marketing Supervision Network.
We know from the FTC's workshop on international consumer protection issues last summer and work of the Global Business Dialogue on E-Commerce, among others, that industry representatives around the world are developing ways to address the concerns of online consumers. For example, I know that seal programs are evolving along with novel escrow and insurance plans.
At a minimum, and as recommended in the OECD Guidelines, Alternative Dispute Resolution ("ADR") processes can and should provide vehicles for redress and certainty at acceptable costs. The credit card companies already are resolving many Internet disputes through their chargeback system. Also, there is no reason ADR cannot be implemented using the Internet itself as the forum for resolution. This spring, the FTC and the Department of Commerce plan to host a workshop devoted exclusively to the applicability of ADR programs to online consumer transactions, which we hope will spur the development and use of ADR online.
I know there are other initiatives underway to address international consumer protection issues. As we have seen in the context of online privacy, the question should not be framed in terms of private sector programs versus government regulation. Both will be needed to support the global market.
Let me sum up by noting the extraordinary opportunity presented to us. We are at the forefront of an international revolution and can take part in shaping it. I look forward to working with you in ensuring e-commerce is left alone to flourish but not neglected so that consumers and businesses are too uncertain or even afraid to venture into it.
1. Chairman of the United States Federal Trade Commission. The views expressed are my own and do not necessarily reflect the views of the Commission or other Commissioners.
2. Morgan Stanley Dean Witter, The Internet Company Handbook at 205 (June 1999).
3. Intelliquest Information Group, Inc. Worldwide Internet Tracking Service 4th Quarter Report (January 2000).
4. CommerceNet, CommerceNet Global Partners and Nua Lt., World Wide Statistics.
5. Jupiter Communications, Inc., Online Holiday Sales Hit $7 Billion, Consumer Satisfaction Rising (Jan. 13, 2000) (estimating Nov. and Dec. 1999 online sales of $7 billion, compared to $3.1 billion for those months in 1998) reported at www.jup.com/company/pressrelease.jsp?doc=pr000113).
7. Ernst & Young 1999 Post-Holiday Survey (covering 1300 Net users).
8. Internet Advertising Bureau 2nd Quarter 1999 Internet Ad Revenue Report.
9. CV-97-0726 (E.D.N.Y. filed Feb. 13, 1997).
10. No. 99-1367-A (E.D. Va. filed Sept. 14, 1999).
11. P&AB, Vol. 7, No. 1 (Jan. 2000) (summarizing results of The IBM-Harris Multi-National Consumer Privacy Survey (1999)) at 3, 11.
12. Business Week/Harris Poll: Online Insecurity, Business Week, Mar. 16, 1998 at 102.
13. Liberty Financial Cos., Inc., Docket No. C-3891 (Final Order Aug. 12, 1999); GeoCities, Docket No. C-3849 (Final Order Feb. 12, 1999).
16. The cookies technology allows a Web site server to place information about a consumer's visits to the site on the consumer's computer in a text file readable only to that Web site server. The cookie assigns each consumer a unique identifier so that the consumer can be recognized in later visits to the site. Advertisers are now able to assign a cookie to the computers of users who visit sites in advertising networks and to follow those users from site to site by reading information stored in that cookie at each site.
17. See supra note 11.