|
Privacy
in a Digital World: Industry Must Lead or Government Will
by
Hon. Orson Swindle
Reprinted with
permission from the Progress & Freedom Foundation
Orson
Swindle is a Commissioner on the Federal Trade Commission.
The views expressed here are his own, and do not necessarily represent
those of the Commission, other Commissioners or staff. This paper
is based on remarks delivered before the Governor's Commission on
Information Technology, Richmond, Virginia, August 31, 2000.
This
past year, I had the opportunity to read or hear speeches from a
number of private sector leaders on the subject of privacy. Two
of these speeches, by IBM Chairman Lou Gerstner and AOL Time Warner
CEO Jerry Levin, struck me because of their similar messages. Speaking
about the roles of government and the private sector in technology
policy, each strongly suggested that "the private sector must
lead." I wholeheartedly agree, for current-day civics tells
us that if the private sector fails to lead, politicians and government
bureaucrats will try to.
There
is no better example of this reaction than online privacy and the
information revolution. Consumers are growing more and more concerned
about protecting their privacy. Privacy advocates have been vigorously
lobbying for the government to get involved. This past year, not
surprisingly, Congressional activity concerning privacy was in full
swing, with dozens of bills introduced in Congress that would, to
one degree or another, legislate privacy practices for businesses
in electronic commerce.
Obviously,
privacy is a serious subject. People are justifiably concerned as
they become more and more aware of the capacity of telecommunications,
computers, and other electronic devices to collect information,
often without their even knowing it. When that information is personally
identifiable and when it is transferred to others without permission,
concerns increase dramatically.
Responding
to real and perceived concerns, last Spring a majority of the Federal
Trade Commission chose to make some legislative recommendations
to Congress that in my mind raise more issues than any legislation
need resolve. No one should dispute the notion that privacy concerns
are serious. We all agree on that. Thats not the issue. The
question is, how do we solve the problems posed by the issue of
protecting personal privacy, in both the online and the offline
worlds of commerce? I believe that if government and politicians
feel that they must "do something" about consumer privacy
concerns, we simply must get it right the first time. The consequences
of getting it wrong could be extremely costly.
Who
is in the best position to decide how, and who is more capable of
protecting consumer privacy? The Federal Trade Commission is filled
with extremely competent and hard-working professionals trying to
do good as they see it. Government bureaucracies frequently possess
an attitude that they can solve most problems of those they perceive
as being incapable of finding solutions for themselves. During the
period of "malaise" in the Carter Administration, some
suggested that the people were the problem and government was the
solution to curing our ills. My friend Jack Kemp had it right when
he suggested the government was the problem, and the people were
the solution. The debate continues, and solving privacy concerns
is center stage. Can solutions best be found in governments
bureaucracy, or can the private sector make it happen?
The
FTC has been studying this issue for years, examining the manner
in which consumers and businesses are engaged in electronic commerce
and, of particular interest, what they are doing to protect personal
privacy. The Commission has conducted three surveys since 1998,
in which we have assessed how many websites are addressing privacy
concerns by posting notices of privacy practices and explaining
what they do with the information they collect. In our first survey
(1998), we discovered that only 14 percent of surveyed sites had
posted any form of privacy notice. In our 2000 survey, almost 90
percent of all sites were posting some form of privacy notice or
disclosure, and among the top 100 most visited websites, 100 percent
were posting some form of privacy practice notice.
Throughout
this process, I have been an advocate for industrys taking
the lead in solving this problem through self-regulation. And, for
two years, the Commission agreed that self-regulation was the best
approach. In spite of this and the significant progress, suddenly
last year the Commission -- over my objections -- urged Congress
to impose a mandatory regulatory scheme covering all consumer-oriented
commercial websites. And this was done without any objective justification.
The
regimen the Commission proposed is based on four "fair information
practices" -- Notice, Choice, Access and Security -- which the majority
at the Commission described as "widely accepted." I asked,
"Widely accepted by whom?" It turns out, in fact, that these principles
do not seem to be accepted, as a practical matter, very widely at
all -- not even by government itself. For example, a General Accounting
Office assessment of how widely the government has accepted and
employed these FTC-suggested mandatory principles revealed that
less than three percent of all government agencies were abiding
by the "widely accepted" rules. One is reminded of the old adage,
"do as I say, not as I do."
I
have called the FTC's report and recommendation for broad, sweeping
privacy regulation "embarrassingly flawed." Obviously, strong words,
but in my view, the Commission has ignored some basic tenets of
sound policy.
For
example, it is a basic tenet of regulatory action that the government
should get involved only when the marketplace has failed. As a general
matter, the marketplace works pretty well in this country -- better
than the European model in which government is much more involved,
especially in the privacy issue. In the case of privacy practices,
there has been no evidence of market failure -- certainly nothing
warranting the extreme measures proposed by the Commission.
A
second tenet is that regulation should be based upon an analysis
of its costs and benefits. But there was no effort to evaluate the
costs and the benefits of the regulatory solution the Commission
prescribed. I think we owe it to the American taxpayers, and to
those in the private sector who are risking their capital, to analyze
the impact of what we suggest they do. But there has been no effort
to do that. In fact, there was no empirical evidence that the Commissions
regulatory prescriptions would make a difference one way or the
other. For example, one of the arguments made for regulation was
that electronic commerce is being hurt because some people fear
the loss of their personal privacy and therefore will not shop online.
There is no evidence of that. In fact, online sales between October
and December, 2000 surged to $8.7 billion, a 36 percent increase
over the prior quarter. The fourth quarter marked the first time
that online sales accounted for more than one percent of total retail
sales.
Two
of the practices the FTC proposed mandating were access and security.
In fact, early last year, we had a very distinguished advisory group,
comprising of 40 experts, that analyzed the issues of access and
security. The group focused on developing a specific approach for
accomplishing these goals in a practical way and determining how
much it would cost to do so. At the end of five months, lots of
drafting and several meetings, the advisory group came to the conclusion
that creating a practical and workable system was a complex task
and likely would be extremely costly. Yet, the FTC majority recommended
that Congress mandate access and security, disregarding the fact
that the advisory group considering just such a task for us had
no concrete idea how to do it. We suggested that Congress impose
the requirement and the Federal Trade Commission somehow work out
the details.
To
be successful, industry has to make the privacy concerns of customers
and the general public a part of its corporate culture. Acting responsibly
to protect consumer privacy has to permeate the structure of the
organization, so when goals are established, procedures are being
developed, and software and devices are designed, their impact on
customer privacy is always in the equation.
Industry
also needs to lead by educating members of Congress about the benefits
of this marvelous new technology and about the costs of unreasonable
and unnecessary regulation. And industry needs to take the lead
in educating the public and building a sense of confidence. What
people dont understand causes them concern. Consumers need
to understand the benefits of electronic commerce, and why, for
example, "cookies" make it work even better and thus arent
automatically evil.
Last,
industry needs to lead responsibly, and that includes taking a hard
look at all of its practices and ensuring everything it is doing
is both legal and ethical. Most assuredly, the dominant driving
force behind government regulation of the Internet will be the real
or perceived failure of business to act responsibly.
As
for government regulators and politicians, we need to look before
we leap. The desire to "do good" is often doomed to terrible
results. We need to remember that the law of unintended consequences
is always lying in wait. Double-edged swords are commonplace in
government regulation. In the information technology business, a
misjudgment, no matter how noble the intent, could lead to terrible
consequences.
Once
government laws and regulations are enacted, reversing them is most
difficult. I believe it was our wonderful philosopher for the common
man, Will Rogers, who once said, "All government programs have
three things in common: a beginning, a middle, and no end."
Return
to Internet Index
|