July 28, 2000

Senate Commerce Committee
United States Senate
Washington, DC 20510

Dear Senators,

We are writing to you to express our concern that the proposal to sanction online profiling, negotiated by the Federal Trade Commission with the Network Advertising Initiative and announced yesterday, fails to provide adequate safeguards for Internet users and will encourage the development of invasive data collection practices that threaten not only the privacy of American consumers but also the health of the Internet economy.

We first brought the Committee's attention to the problem of online profiling at the hearing in July 1999 when we described the risks to Internet privacy that would result from the merger of Doubleclick and Abacus Direct and the planned development of detailed profiles on Internet users. At the recent hearing we reported on the significant public response to the proposed deal, the lawsuits brought by the state attorneys general, and the decision of Doubleclick to withdraw its profiling plan until the privacy issues were satisfactorily resolved.

In between, we conducted several reviews with other technical experts and pursued a legal analysis that led to our decision to lodge a formal complaint with the FTC in February of this year alleging that Doubleclick had engaged in fraudulent and deceptive trade practices. The FTC-NAI deal announced yesterday responds in large part to these earlier developments.

It is our opinion that the FTC-NAI plan is flawed in three critical respects:

First, the FTC-NAI plan fails to provide individuals with adequate privacy protection consistent with current US law. In other areas where detailed profiles on individuals are created, a statutory right has been established to ensure that individuals have the right to access the information contained in the profile, to limit the use of the data, and to provide remedies where abuses occur. This was the approach taken with regard to federal records in the Privacy Act and also the approach taken with credit reports in the Fair Credit Reporting Act. It is also the approach taken with medical records in most states across the country. We do not see why Internet advertisers, who could create far more detailed profiles of the personal lives of Americans than any of the sectors currently subject to legislation, should be able to escape the fundamental obligations that would otherwise be established in law.

Second, the FTC-NAI plan encourages the development of Internet advertising models based on the collection and use of personally identifiable information. This represents a radical departure from the current advertising model that allows merchants to reach customers with targeted messages but still allows customers to maintain their privacy and to prevent invasive profiling. You will recall that our objection was specifically to profile-based advertising and not to advertising per se. We believe the FTC has simply failed to consider adequately the technical and policy implications of profile-based advertising.

Third, the FTC-NAI plan permits the linking of offline identity with online profiles without the clear affirmative consent of the individual concerned. This is simply an unsatisfactory basis to begin tracking Internet users. Under the plan, a person who enters personal data online and fails to notice the disclosure that profiling will begin, or fails to properly follow the opt-out procedure specified by the online profiler, will be branded with a cookie-based tracking technique. Placing a repeated burden on the individual to preserve anonymity from online profilers is not only unfair, it also exacerbates technical difficulties in maintaining user privacy. The current practice of online advertisers is to place an "opt-out" cookie on the computers of people who indicate they do not wish to be tracked. However, users understandably believe that deleting cookies will improve their privacy; they do not realize that this step in fact removes the record of their request to be anonymous. Further, implementations of cookie-based opt-out procedures have been plagued with functional defects. Opt-out is simply unsatisfactory and inappropriate here.

We note that in your letter of June 21 to Chairman Pitofsky you wrote to express concern that "self-regulation negotiations that exclude consumers from the bargaining table represent an inadequate attempt at developing the appropriate policy regarding privacy protection. Accordingly, we strongly urge you and your staff to include consumer privacy groups in your discussions as these negotiations move forward."

We were invited to participate in one session in which FTC staff briefed us on the proposal. We were not permitted to keep a copy of the draft document that had obviously, over a period of several months, undergone extensive discussion and circulation among the members of the NAI. There was little opportunity to review the proposal or seek the advice of other technical and legal experts. It was clear to us that the FTC was not interested in making significant changes in the proposal at that point in the negotiation.

If we had been provided a meaningful opportunity to participate in this process, we believe that a more favorable outcome might have resulted. That would have been an outcome that recognized the privacy risks associated with online profiling and would have provided stronger privacy safeguards for Internet users.

We have enclosed a paper that describes in more detail the specific problems with the FTC proposal and that recommends specific steps that should be taken to address the privacy problems created by online profiling. The paper is also available online at http://www.epic.org/privacy/internet/NAI_analysis.html. We've worked round the clock to make this available to you today so that you will have the opportunity to more fully review the FTC-NAI proposal.

We would welcome an opportunity to meet with you or your staff, or to participate in a further hearing on this matter.

Sincerely yours,

Marc Rotenberg
Executive Director

Jason Catlett