Förderverein Informationstechnik und Gesellschaft

FC: Privacy self-regulation and the Emperor's New Cl

------- Forwarded Message Follows -------
Date:          Wed, 28 Jul 1999 19:32:46 -0400
From:          Declan McCullagh <>
Subject:       FC: Privacy self-regulation and the Emperor's New Clothes

[It is tempting to be drawn into the debate over whether privacy
"self-regulation" (a misnomer: it's not self-regulation if government
officials are threatening to screw you over if you don't do what they
want) is working or not. But that's asking the wrong question. A
better one is why the government should step in and stifle a vibrant
Internet marketplace wherein some sites say they will never give out
your personal info and others say they may in exchange for lower
prices or other benefits. Companies can experiment with what works
best, and consumers will patronize the sites where they feel most
comfortable. Sounds good to me. But folks like Marc -- able advocates,
to be sure -- want the Feds to impose a one-size-fits all regulation
and deny consumers this choice. --Declan]


Date: Wed, 28 Jul 1999 12:37:40 -0400
To: Declan McCullagh <>
From: Marc Rotenberg <>
Subject: Privacy Self-Regulation and The Emperor's New Clothes

July 27, 1999
Communications Subcommittee of the Senate Commerce Committee
(unedited transcript)

ROTENBERG: Thank you very much, Mr. Chairman, Senators Wyden,
Rockefeller and Bryan -- for the opportunity to be here. You
probably know a bit about EPIC. We conducted the first comprehensive
web privacy survey back in '97 and the FTC thought it was such a good
idea they did it the next year. And of course we've also been involved
in a lot of the campaigns and worked with you on the encryption issue.

I'd like to be able to join the chorus this morning and tell you
that self-regulation is moving in the right direction and more needs
to be done. But that's not my honest view. My honest view is that
self-regulation to protect privacy is much like the emperor's new
clothes. Everybody looks at it, says "oh how nice, how fine," but in
fact the new clothes of the emperor don't protect his privacy any more
than self-regulation is protecting consumers on the Internet.

And I can point to several instances in the FTC report to
demonstrate just how serious the problem is today. Much is made of
this 66 percent number in the Georgetown survey, repeated in the FTC
report, and widely cited by industry leaders as an indication of
progress and success. Let me tell you what's behind that 66 percent
number. What that number says is that more and more web sites are
telling people that come to their site: We collect personal
information about you and we use it for marketing and other purposes.

That privacy notice, more than any other type of notice, is what
people are seeing increasingly on the Internet when they to go web
sites and wonder what is happening to their personal information. And
at the point that 100 percent of web sites have that privacy notice,
there is going to be very little privacy on the Internet.

The reason, simply stated, is a privacy policy is not the same as
privacy protection. You can have privacy policies that say in effect:
we collect your information and do with it whatever we wish. That's
our policy.

Now it's true, of course, if you don't like that policy, you don't
have to go to that web site. And I agree with people who say,
correctly, you always have the choice not to go to a site that has a
bad privacy policy.

But guess what? If web sites across the Internet increasingly adopt
those types of privacy policies, what's going to happen over time?
People will have this choice: Either to use the Internet for commerce
and a whole host of other neat things that are great to do and give up
their privacy -- or stay off the net. That is the choice that
consumers are increasingly facing because these privacy policies do
not actually provide privacy protection.

Now you get glimmers of this in the FTC report. At one point in the
report, the FTC acknowledges that there really aren't safeguards in
place; that less than 10 percent of web sites even have the set of
policies that the FTC thinks are necessary, let alone whether they're
enforced, which was an issue not even considered in the FTC report
that I think should be considered. Are those policies actually being

But then says: But let's not legislate too soon. It's a rapidly
changing industry, a new technology. We really don't understand it. We
don't want to make a mistake. Let's see how things shake out.

And let me tell you the problem with that approach. If we were
talking about Y2K protection; if we were talking about the
development of security standards, no one would say let's wait after
January 1st and see what kind of Y2K problems we have to deal with.
And if we were talking about computer security, no one would say,
well, let's see how many systems are broken into and what our actual
damage is before we really deal with the issue of making our system
safe to put online.

Good protection means advance planning; it means anticipating
problems and developing the policies and procedures so that the
likelihood of risk, the likelihood of mis-use is reduced. And that's
what privacy legislation tries to do. It doesn't say to businesses, we
don't want you to succeed, or we want to tie your hands, or you
shouldn't do neat marketing of offer great products.

It says if you're going to do these things, let's do it in a way
where there's some basic privacy safeguards in place, so that people
know what they're getting into when they give up personal information.
And if they have some problems, they have a place to turn. And I can
tell you we've had a lot of privacy legislation in this country
directly in response to the development of new technologies.

We did it in '84 with the Cable Act. We did it in '86 for
Electronic Mail -- the Electronic Communications Privacy Act. We've
done it for auto dialers and junk faxes. The Privacy Act of 1974 --
the most significant privacy law in this country -- came about in part
because of public concerns about the automation of records held by
federal agencies. People didn't say well, you know, we shouldn't have
federal government. I mean, maybe some people said that, but they said
if we're going to automate these records, let's put in place a legal
framework to protect the rights of our citizens.

And I think we're in the exact same place as we approach the 21st
century. We have wonderful new tools, wonderful new opportunities.
Everyone agrees that the Internet is going to be a fantastic engine of
economic growth. But the real choice, the critical choice in the
privacy debate is: Will American consumers be forced to give up their
privacy as the cost of using the online services? And I think the
answer to that question should be no. I think S. 809 is a wonderful,
wonderful proposal. I'd make some changes, but I think it's an
excellent start. And it sets us in the right direction to give
consumers the kind of safeguards they need online, allow business to
go forward, and to make sure that we don't wake up tomorrow morning
and find that it's too late because privacy is gone.

Thank you very much.

[EPIC Statement for the Record:]

Marc Rotenberg, director                *   +1 202 544 9240 (tel)
Electronic Privacy Information Center   *   +1 202 547 5482 (fax) 666
Pennsylvania Ave., SE Suite 301     * Washington,
DC 20003   USA              +

---- POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to with this
text: subscribe politech More information is at