Title: Private Parts
Author: Wendy M. Grossman (www.pelicancrossing.net)
Publication: Scientific American
Date: February 1999
URL: http://www.scientificamerican.com/article.cfm?id=private-parts
Copyright: Wendy M. Grossman

This is the version submitted before editing and copy-editing. Please quote only from the published version.

One of Presidential aide Ira Magaziner’s last acts before leaving the White House was to hand over to the Clinton administration a report on cyberspace issues which recommends greater consumer protection and privacy rights, but advises leaving these to industry self-regulation rather than government intervention. The report follows a series of similar recommendations, such as a two-year moratorium on Internet taxation, and other policies designed to keep the Internet free of regulation while it grows and continues to develop.

Regulation has never been popular on the Net, which tends to be most vocally populated by people who dislike authority and welcome freedom. There has been vociferous opposition to government regulation of free speech (the Communications Decency Act and its successor, the Child Online Protection Act), Internet taxation, the access charges telephone companies want to levy on ISPs (so far nixed by the FCC), and, of course, the Clinton Administration’s persistent domestic and international efforts to block the spread of strong cryptography. This is the paradox: one of the chief reasons why Netizens want cryptography deregulated is to protect privacy, and while Netizens do quibble about the language of bills attempting to outlaw junk email, the constant flow of spam has done a lot to make privacy protection laws acceptable to the Net. The Clinton administration, on the other hand, stubbornly clings to regulating cryptography, while saying that allowing the market to regulate itself is the best way to protect privacy. The US seems to be in a minority in thinking so, and in clinging to self-regulation it’s out of step both with other countries and with the American public, who in polls cite privacy concerns as a serious deterrent to the growth of electronic commerce.

We’d be free to sit around and debate all this in our own time if it weren’t for one thing: in October, the European privacy directive came into force. This is a legally binding document that requires all European member states to pass legislation meeting the directive’s minimum standards. The supporting bill in Britain, for example, has already been passed by Parliament and received Royal Assent; no starting date has been announced, but it’s presumed to be early in 1999. The kicker in the directive and supporting legislation as far as the US is concerned: besides giving European consumers much greater privacy rights, the legislation prohibits member states from transferring data to countries which do not have equivalent protection.

Privacy activists have been warning the US for some time that since the US has no such legal protection, it’s entirely possible that US companies may find themselves prohibited from transferring personal data for processing, either to business partners or to their own overseas subsidiaries. Nonetheless, the administration still (and the recent report states this clearly) clings to the idea that market pressures will force industries to regulate themselves.

A white paper written by the Online Privacy Alliance, an association boasting members such as AOL, Bank of America, Bell Atlantic, IBM, EDS, Equifax, and the Direct Marketing Association, outlines how they think this can work. Publicly announced corporate policies and industry codes of conduct, backed by the enforcement authority of the FTC and state and local agencies, coupled with specific sector-by-sector laws to protect the privacy of specific types of information, the paper argues, will form a “layered approach,” sometimes referred to as “safe harbor,” that the OPA insists will add up to the same level of protection as the European directive.

As the paper points out, there are many privacy laws already in existence in the US, starting with the Fourth Amendment and leading up to the 1998 Children’s Online Privacy Protection Act, which directs the FTC to promulgate regulations to control the collection, use, and disclosure of personal information obtained by commercial sites from anyone under 13. No such law is proposed for adult online users, who arguably have as much or more to lose, though several schemes – TRUSTe, BBBOnLine – do exist to try to give the Web some consistent privacy standards. The paper’s conclusion is that the US doesn’t need privacy regulation.

Simon Davies, director of Privacy International and a visiting fellow at the London School of Economics, disagrees. “When the US government approaches this issue, they approach it as if it were a domestic affair,” he says. “Safe harbor is condemned by everybody because it lacks all the primary requirements for effective protection.”

Under the self-regulatory model, customers have to do all the legwork: they have to do the complaining and the investigating, and muster the proof that their privacy has been invaded. Any arbitrator is hampered in such a regime, because companies are notoriously reluctant to give third parties access to internal records that may be commercially sensitive. Meanwhile, says Davies, companies are “pathologically unable to punish themselves,” so a customer seeking redress is unlikely to find any without that third, external party. Worse than that, a lack of effective regulation means that even if companies successfully regulate themselves there are no curbs on government invasions of privacy – which is probably the greater concern, especially because of projects under consideration like putting all medical data online, switching to electronic delivery for benefits payments, and asking banks to notify government officials if customers display a change in their banking habits. The US may be in for a shock if Europe, flexing its newly unified muscles in a globally networked world, refuses to budge and companies find themselves unable to trade because of data flows. Davies, for one, thinks this is an all too likely scenario.

“They still think that because they’re American they can cut a deal, even though they’ve been told by every privacy commissioner in Europe that safe harbor is inadequate,” he says with exasperated amusement. “They fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment.”
