Self-regulation and privacy

  Six silly excuses for postponing privacy rights

The following article was written by Junkbusters President Jason Catlett; a somewhat different version first appeared in December 1999 on CBS Marketwatch.

The United States has historically--until about 25 years ago--led the world in privacy rights. From measures responding to specific technologies such as the telephone, the VCR and cable TV, to legislation in the 1970's establishing privacy rights for individuals against the Federal government and credit reporting agencies. But since then the US has lagged other developed countries in establishing privacy rights applying to non-governmental organizations--largely due to the lobbying of these companies. Their arguments against privacy rights are often silly excuses for stopping the damage to privacy done by companies that mistreat personal information.

Is accepting a commercial surveillance society the price we have to pay? Of course not. Is allowing corporations to damage our society and our freedoms a tenet of the American way? No, not for a country that values liberty over convenience. Such struggles are a part of our history, from Boston's rebellion against the British East India Company's tea monopoly, through the slavery of the 19th century cotton industry, to the sweatshops of New York and the early dark satanic assembly lines of Detroit. Today we enjoy tea, T-shirts and the Taurus with little cause for guilt, because socially corrosive practices have been mitigated by laws, regulation, and individual rights. The loss of privacy is not the necessary price of post-industrial prosperity, any more than pollution was the price of industrial prosperity. Although it took time to muster the political will to stop toxins being routinely dumped into our lakes and rivers, today no sane person would advocate self-regulation by chemical companies as sufficient for environmental protection. But Internet industry lobbyists asks us to continue to believe in an equally preposterous policy for privacy.

Americans want their privacy back, but present law doesn't give them the legal rights they need to protect their own privacy interests. Thirty years ago, the Fair Credit Reporting Act articulated some of those basic rights: that a person should be able to see and correct personal information about him or her, that it be limited to relevant and timely information, and that its use be restricted to purpose for which is was collected. But this law applies only to companies that sell credit reports. These principles of "fair information practice" should apply by law to all entities, governmental and corporate. That's the only way we'll have any privacy in the 21st century.

Most people believe they should have certain rights to control the commercial use of information about them. Privacy is not an absolute right--it must be carefully balanced against the right to free speech for example-- but it is a fundamental human right. During the debate we hear several familiar excuses from those who oppose legislation guaranteeing such rights.

The silliness of their excuses can be quickly seen by applying them to comparable questions such as civil rights and the environment.

1. Excuse: "The federal government is a prime violator of privacy, therefore the federal government shouldn't legislate on privacy."

   As silly as saying: The Department of Defense (or the IRS or the FBI) have have done a lot of bad things, therefore the government shouldn't be involved in laws about murder or property rights.

   Privacy legislation should create rights for individuals, not huge governmental agencies. The Telephone Consumer Protection Act of 1991 took exactly this approach: give individuals the right to sue for $500 any marketer who calls them at 3am.

2. Excuse: "Market forces and media scrutiny are enough to force companies to respect privacy. Privacy will become a competitive weapon."

   As silly as saying: "Market forces will stop companies polluting. Vigilant reporters will expose and stop abuses by the telemarketing industry. Class action suits and ``seals of approval'' make consumer product safety laws unnecessary. Safety will become a competitive weapon in the airline industry. The FAA isn't needed because passengers won't fly on airlines that frequently crash their planes."

   Economists use the name "negative externality" for a downside that isn't accounted for in the market, and know it can't fix them alone.

3. Excuse: "Privacy legislation would be bad for the economy."

   As silly as: "The emancipation of slaves would be bad for the economy" or: "Regulation would ruin the consumer credit business."

   The credit bureaus tried this line 30 years ago, were overruled, and were proved 100% wrong. It's also as silly as saying that creating an Environmental Protection Agency would ruin the chemical business or the oil business.

   On the contrary, surveys now routinely show that the number one factor limiting growth in ecommerce is that people fear they have no recourse if their personal information is misused. Consumer confidence from legally guaranteed rights will grow the market, not shrink it. The $50 limit on credit card liability didn't destroy the industry, it enabled it.

4. Excuse: "The Internet is international, so there's no point having privacy laws."

   As silly as: "The Internet is international, so there's no point having copyright laws (or patent laws or taxation laws)" Wrong. Companies have sought and obtained strong protection against copyright infringement. Consumers should have strong protection against privacy violation.

5. Excuse: "Technology is too difficult for the government to understand. They can't get it right."

   As silly as: "Technology is too complex to be understood by the US Patent Office, or the Pentagon, or the President, or the people of the United States." Such technocratic arrogance is deeply offensive to the democratic values of this country. It's also directly contradicted by recent experience: the Federal Trade Commission's 100-page rule for the Children's Online Privacy Protection Act of 1998 was widely praised by privacy advocates and trade groups alike.

6. Excuse: "It's already too late to save privacy. There's already so much data about us we have lost all hope of control forever."

   As silly as: "The environment is already too damaged by pollution."

   The Great Lakes got cleaner this decade. We can get privacy back within a decade or two.

  The Better Business Bureau's BBBOnline Privacy seal

For background, see our news page. [Wired News] [Senate Testimony of Russell Bodoff]

  Open letter 4/21 to BBB Online about Equifax

Mr Russel Bodoff
Senior Vice President and Chief Operating Officer, BBBOnLine

Dear Mr Bodoff

Privacy advocates were astonished at the Better Business Bureau's decision last week to award a ``privacy seal'' to Equifax, a company with one of the worst records on privacy in the country. We write to ask several questions that go to the issue of the competence and credibility of BBB's privacy seal program. We call on your organization to state for the public record its answers to the following questions.

1. Was BBB largely aware of the facts listed below concerning Equifax's history on privacy?
2. Did BBB take Equifax's history into account before awarding the seal?
3. It is generally BBB's policy to take into account the history of a company's behavior on privacy before awarding a privacy seal?
4. Does BBB consider it misleading or deceptive to award their privacy seal to an organization with a history of systematic violations of Federal privacy law?
5. Is BBB is considering revoking the seal that granted to Equifax?

Equifax's record on privacy is extensive, but in case you are unfamiliar with it this paragraph provides a brief summary. One of the few Federal laws on privacy is the Fair Credit Reporting Act of 1974 (FCRA). Equifax has a long history of breaking this law, according to the Federal Trade Commission, the agency charged with its enforcement. In 1995, the FTC reached an agreement with Equifax in an enforcement action accusing the company of systematically violating the FCRA. The agreement requires Equifax to accept a consumer's version of disputed information unless it knows otherwise, to reinvestigate disputes within 30 days, to document the rate of accuracy in its reports, to verify derogatory information in its files, to advise consumers if derogatory information under dispute reappears in a consumer's file, and to assure that buyers of its reports in fact have permissible purposes under the FCRA to use credit reports. All of these things Equifax had not been doing, according to the FTC. One provision of the FTC order was that Equifax take special precautions when selling to resellers. Instead, Equifax purchased one of the resellers most commonly cited for violating the FCRA. In 1996, Equifax purchased a 70-percent controlling interest in CDB Infotek, an "information broker" or reseller of credit reports that in 1992 had reached a similar agreement with the FTC over the FTC's charges that CDB systematically violated the FCRA.

Based on information published by BBB about the seal program, we fear that BBB was constructed to use a similar tactic of evasion as that of another seal program, TRUSTe. In a recent incident with Microsoft, TRUSTe found that Microsoft breached consumer privacy but not their licensing requirements. (See http://www.junkbusters.com/microsoft.html for more details.) That license draws a subtle distinction between the web site and the company. We consider such distinction deceptive and unfair, because this consumers do not understand it and because it gives a false impression that their privacy will be protected by the company. We hope that your answers to the questions above will quickly clarify whether the BBB privacy seal is systemically flawed or unreliable in its execution.

Sincerely

Jason Catlett, Junkbusters Corp.
Simon Davies, Privacy International
Robert Ellis Smith, Privacy Journal

  Email reply 4/21 from BBB Online

Mr. Catlett,

We have received your letter of April 21, 1999, inquiring about the BBBOnLine's decision to award its Privacy Seal to Equifax. As the business application for BBBOnLine states, "All communications to BBBOnLine Privacy regarding an applicant's eligibility for the BBBOnLine Privacy program shall be kept confidential, subject only to the disclosures required in the context of a Dispute Resolution Procedure for enrolled seal participants." Therefore, we are not at liberty to discuss the details of any particular seal application.

Your inquiry relates to a 1995 FTC agreement applicable to certain practices of Equifax we assume were alleged to have occurred prior to that date. It is important to understand that the BBBOnLine Privacy Seal program certifies the current information practices of its seal participants, with respect to information collected online. The program's eligibility standards and compliance assessment process, which you may find at our website http://www.bbbonline.org, are designed to elicit a clear and comprehensive picture of the information practices that are currently in place. Our eligibility requirements also require all seal participants to notify BBBOnLine of all material changes to their privacy policies and practices or of any other modification which could impact the seal participant's standing, prior to implementation. Thus the BBBOnLine seal does not reflect the past practices or policies of any particular seal participant, or practices pertaining to information collected other than online.

The Better Business Bureau's 100% brand recognition and its 86 years of experience in self regulation and dispute resolution is a commodity that requires us to maintain and promote the highest standards of ethical business practices. We appreciate your inquiry and interest in the integrity of BBBOnLine Privacy seal and we welcome this opportunity to address the concerns you have raised. If you have specific information regarding Equifax's compliance with BBBOnLine Privacy program standards, we would welcome receiving it.

Russ Bodoff
SRVP& COO
BBBOnLine

  Forrester slams self-regulation

According to E-Commerce Times, a report issued September '99 by Forrester Research, Inc., harshly criticizes the level of privacy provided by ecommerce sites. The following summary is taken from EPIC Alert.

[The Forrester report] finds that 90 percent of Web sites fail to comply with basic privacy principles. The report strongly contradicts the findings of the Federal Trade Commission, which recently told Congress that industry self-policing is working. "The vast majority of such policies, like those of the Gap, Macy's and JC Penney, use vague terms and legalese that serve to protect companies and not individuals."

The report also notes that "clever interactive tools such as Reel.com's Mood Matcher -- which helps customers find movies based on their moods -- and PlanetRx's personalized prescription filler make it possible for companies to collect "highly intrusive psychographic data that individuals would rarely provide on a standard registration form."

The report suggests that the FTC, rather than producing reassuring messages to the industry, should push companies to take bigger and faster strides towards complying with already established privacy principles. Forrester also suggests that companies should be required to make customer profiles available to users, including all parties with whom data is shared, and provide the ability for customers to control who the information is shared with and the option to remove themselves from lists. Finally, the report says that "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry -- rather than for consumers. The FTC should call for a consumer-based organization to provide principles and redress."

Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/regulation.html