
GOVERNMENT REGULATION OF WEB PRIVACY: CONGRESS TAKES A FIRST STEP

In ruling the Communications Decency Act of 1996 unconstitutional, U.S. District Court Judge Dalzell stated: ". . . the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects." The strength of the Internet is, as the judge describes, the unfettered freedom of participants on the Web to engage in communications without government interference. This principle, recognized by the courts and by Congress in its commitment not to tax the Internet, has one exception: the protection of consumer privacy.

On October 7, 1998, the House of Representatives passed H.R. 3787, a new version of the Communications Decency Act which requires all "Internet Access Services" to take steps to verify the age of adult Web site viewers, such as the use of age verification systems and blocking software. The bill contains an embedded provision targeting the privacy of information submitted by a child user in connection with age verification:

(B) shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the person making such communication and the recipient of such communication.

FTC Report

Web entrepreneurs have been reluctant to resist the temptation of compiling, using and selling demographic information derived from consumers, particularly children, who visit Web sites. Trade organizations such as the Direct Marketing Association and the Better Business Bureau's Children's Advertising Review Unit have urged E-merchants to adopt privacy policies and post them on their Web sites. Likewise, other trade groups such as the Association of National Advertisers and the American Association of Advertising Agencies have notified their members to post their privacy policies. In July of 1997, however, the Federal Trade Commission announced that it would conduct random research to determine whether E-merchants had voluntarily complied with the recommendations of these trade organizations.

The FTC recommends that Web sites "directed to" children twelve years old and younger be required to verify parental consent before collecting personally identifiable information that will enable someone to contact the child, or information that will be publicly posted or disclosed to third parties. In other words, a child's parents must give their consent before personal information is received from a child. If a Web site requests only an e-mail address, parents need only be notified that they may request that the e-mail addresses not be kept in databases. But such a recommendation carries with it many drawbacks from a practical standpoint.

Legislation vs. Self-Regulation

Proponents of government regulation of Web privacy cite several areas of extreme concern: medical records, information gathered from children, the marketing of personal information from credit reports, and identity theft. Medical information is now available in cyberspace, purportedly limited to patient and doctor communications. These communications, however, are frequently protected only by a simple password which can be overcome by clever hackers. Only ten states now have partial protections for the confidentiality of medical information on the Internet. Likewise, young children are not able to give meaningful consent to the use of their personal information and are not aware of the consequences when they respond to requests for it on-line. Finally, personal information derived from credit reports is unrestricted, ironically partly through the fault of the FTC itself. Under a questionable decision issued in 1993, the FTC permits the sale of "header information" from credit reports without the usual audit trail required under the federal Fair Credit Reporting Act. This includes information such as social security numbers, unlisted phone numbers, and mothers' maiden names.

The release of this information, be it sourced from children, medical records, or credit reporting agencies, is not only offensive to our sense of privacy in general, but has led to a new crime on the Internet: "identity theft." Identity theft is a crime wherein an imposter, armed with remarkably accurate personal information, succeeds in causing E-merchants to believe that the imposter is someone else. The imposter freely executes commercial transactions, charging them to the victim, who has no idea what is going on until the bills arrive. The crime inevitably results in a destruction of credit reputation and aggressive, sometimes unrelenting collection efforts against the wrong person.

Persons and organizations that continue to argue for self-regulation, on the other hand, call for a certification system wherein users recognize a familiar logo or trademark indicating membership in trade organizations that are sensitive to consumer privacy issues. In other words, the consumer public will theoretically come to be trained to do business only with members of reputable trade organizations who post and honor their own privacy policies. The Direct Marketing Association ("DMA") has already developed privacy principles for its members selling on-line. Proponents of self-regulation claim that privacy performance is now taking hold, and private sector efforts are paying off. "Seals of approval" for Web sites are now being used by the Better Business Bureau, the On-Line Privacy Alliance, and a commercial venture known as "Truste". Web sites that bear these insignias promise non-disclosure, a promise that would presumably be legally enforceable if breached. The FTC, however, recommends government intervention, although not without some very practical problems.

Can Government Regulation Work?

The United States Supreme Court itself adopted the factual finding of Judge Dalzell when addressing the constitutionality of the Communications Decency Act by stating the obvious: "There is no effective way to determine the identity or age of a user." In other words, there simply is no practical way of verifying the age of a Web surfer. This threshold determination is necessary under the FTC scheme. But even assuming a child is truthful in admitting his or her age, verifiable parental consent is yet another problem. The FTC acknowledges the problem by stating:

Mechanisms for obtaining actual or verifiable parental consent include having the parent: mail or fax a signed form downloaded from the site; provide a credit card number; or provide an electronic (digital) signature. An e-mail message submitted without a digital signature may not be adequate to assure parental consent, since the site operator has no means of knowing whether the message is from a parent or from a child.

The FTC's proposed regulations are therefore impracticable from a commercial standpoint. Furthermore, the FTC seems to ignore the fact that the Internet is a global jurisdiction. Certainly the FTC does not propose that Congress pass legislation to regulate the world. The United States simply cannot reach foreign Web sites to enforce its Internet rules. A one-sided regulatory scheme applicable only to American E-merchants may go so far as to create an unfair competitive edge in favor of foreign businesses that are not burdened by such regulations.

Conclusion

The real issue with regard to consumer privacy on the Internet is not whether privacy protections are warranted, but how they can and should be implemented. Although the FTC has correctly identified a problem of privacy pertaining to child input, the proposed regulation simply will not work. Furthermore, when government regulation begins, government taxation inevitably follows.
Given that Congress is committed to abstaining from taxation of Web transactions, it would appear unlikely that regulation along the lines proposed by the FTC will come to pass. On the other hand, Congress may, in a more precise fashion, choose to simply ban activities involving the use of private information regardless of when and how it is obtained. The Direct Marketing Association suggests that some activities be criminalized such as the use of the lists to perpetrate fraud, exposure of personal information to persons and organizations who would harm its users such as children, identity theft, and invasion of the doctor-patient confidentiality relationship. Legislation which targets the use of personal information, combined with a private-sector certification program, would seem to be the best first step toward protecting consumer privacy on the Internet.