Read an Excerpt
Morality and Work
By Tibor R. Machan
Hoover Institution PressCopyright © 2000 Board of Trustees of the Leland Stanford Junior University
All rights reserved.
Privacy and Electronic Commerce
Every opinion and lifestyle variant known to humankind has found a home somewhere on the Internet, so it should come as no surprise that the global network has also spawned diverse and deeply held positions on the subject of online privacy. It might seem that the very nature of the net, with its open participation and millions of entry points around the globe, runs counter to many traditional notions about privacy. But labeling "Internet privacy" an oxymoron is not likely to end the debate. The explosion of web sites actively collecting, mining, and sharing information about individual Internet users has prompted a serious policy division between those countries (notably the United States) that support self-regulation of Internet privacy practices and those that have enacted government measures to protect personal data. Privacy has also emerged as a touchstone for consumer concerns about the Internet, fueled by media revelations of behind-the-scenes web data collection practices.
This chapter discusses the major issues that have emerged in the debate over on-line privacy, with a particular focus on the differences between the regulatory outlook in the United States and that in the European Union. It raises three related policy questions:
Is the appropriate balance between privacy and information disclosure best negotiated between the individual users and the web sites they choose to visit or is some type of regulation or external review required to improve current privacy practices?
Does the U.S. reliance on corporate self-regulation put it on a collision course with the European Union and other regions that have opted for government-enforced privacy protection standards?
Would insistence on protecting the privacy of individual information collected via the web promote on-line business growth by boosting consumer confidence in electronic commerce, or is it more likely to constrain competition on the net and stifle entrepreneurial opportunities?
To help answer these questions, the chapter synthesizes a growing body of published opinion, survey results, and position papers on the central issues posed by privacy on the web:
The challenges of defining information privacy in the context of electronic commerce
The pros and cons of private sector self-regulation in comparison to government-led policy and legislation in dealing with on-line privacy and the treatment of personal information on the Internet
The forces that are influencing corporate self-regulation in the United States and the impact of these forces on web privacy practices to date
I conclude that the critical issue is more fundamental than the debate over government regulation versus self-regulation of on-line privacy. Even more important is the short-term value that companies place on unreported collection of user information compared to the longer-term value of building customer trust. The Internet is awash in information, but trust is still in short supply and high demand. Linking privacy best practices to the premium placed on trusted on-line relationships, educating the public about how to make intelligent choices about information disclosure, and continuing to expose the covert collection of on-line user information by any company are essential in order for privacy and electronic commerce to coexist.
Changing the Parameters of Privacy
Information privacy concerns have, of course, accompanied the adoption of many technology innovations that are now part of our daily lives. Mass circulation newspapers have combined with the telegraph and telephone to feed an age-old curiosity about the rich and famous with late-breaking gossip news. In fact, the intrusive behavior of the press over a century ago inspired a landmark Harvard Law Review article by Samuel D. Warren and Louis D. Brandeis that defined the essence of privacy as "the right of the individual to be let alone." In 1928, as a Supreme Court justice, Louis Brandeis dissented to the Court's support of another technology — government wiretaps — to underscore his conviction that privacy was "the most comprehensive of rights and the right most valued by civilized men."
Long before the Internet became a household word, it was clear that celebrities and criminals were not the only citizens subject to scrutiny. The everyday activities of most Americans are now routinely recorded and analyzed by a variety of governmental and commercial organizations. From telephone calls to ATM withdrawals and credit card purchases, from supermarket discount cards to doctors' visits and drivers' licenses, we generate data with almost every move we make. Collection and analysis of that data trigger a variety of incursions on our "right to be let alone," from piles of advertising in our mailboxes to phone solicitations at the dinner hour to audit flags on our income tax returns.
Detailed information on an individual's credit, health, and financial status, on characteristic purchasing patterns, and on other personal preferences is readily available on centralized computer databases and is the engine behind the multibillion-dollar direct marketing industry. A May 1999 survey on privacy in The Economist notes that "the trade in consumer information has hugely expanded in the past ten years. One single company, Axicom Corporation in Conway, Arkansas, has a database combining public and consumer information that covers 95% of American households." A Forbes cover story in November 1999, "I Know What You Did Last Night," highlights the way different slices of consumer data can now be pulled together to create a composite picture of any individual's life. "Computers now hold half a billion bank accounts, half a billion credit card accounts, hundreds of millions of mortgages and retirement funds and medical claims and more. The web seamlessly links it all together. As e-commerce grows, marketers and busybodies will crack open a cache of new consumer data more revealing than ever before."
To provide some controls on the maintenance of such data, and to give citizens a chance to review and correct potentially damaging conclusions about creditworthiness and employability, Congress and state governments enacted a series of consumer protection laws and guidelines starting in the 1970s. The first, the Fair Credit Reporting Act of 1970, spells out requirements for credit investigation companies to give public notice of their information collection activities and to provide subjects with an opportunity to review and comment on information about themselves. The Cable Communications Policy Act of 1984 applies even more rigorous standards to the protection of personal information about cable service subscribers. Cable providers cannot collect personal information about subscribers without their explicit consent and must provide explicit opt-out opportunities even for mailing lists that are not directly related to providing cable services. Information that is no longer needed in order to provide service must be destroyed by the cable operator in a timely fashion. This act protects consumers from having their cable providers track (and resell) information about their viewing habits and preferences and provides for subscribers who feel their privacy has been violated to sue for damages. Even more rigorous criminal law penalties are attached to the Video Privacy Act of 1998 that protects records about personal rental of videos. Individuals must give explicit written permission (opt-in) to share this information outside the original purpose for which it was collected.
A number of states have adopted similar principles for oversight and access to governmental and private databases about individual residents. The state of California includes an article in its state constitution recognizing the right to privacy, and many states have passed laws or issued regulations protecting specific types of information including telephone calling patterns, health and financial records. More recently, New York and other states have considered legislation to protect on-line privacy for consumers. Despite this array of existing legislation, the amount of personal consumer information that is routinely collected and stored continues to increase dramatically from year to year. As the amount of data skyrockets and the software tools to profile and analyze that information become more sophisticated and readily available, the risks associated with unwanted exposure or inappropriate access to sensitive elements of those data are also on the rise.
Even though most of the personal information in question has come from interactions with banks, credit card associations, direct mail houses, and other organizations that started mining personal data for profit long before the net burst into prominence, public concern about privacy protection today tends to focus on the Internet. If our society and its citizens have been living with pervasive personal data collection over the past several decades, why has the Internet become such a focal point for concerns about individual privacy? Are we holding the Internet up to a standard of privacy protection that has been abandoned in our dealings with other media? In answering this question it is useful to consider how the Internet challenges traditional notions of privacy and how different disciplines are attempting to address the difficulties of protecting and even of defining what constitutes personal privacy in the context of a multifunctional, easily customizable, and still evolving global network.
The Eyes of the Beholders
Here is a self-administered privacy test that is frequently used to illustrate the spectrum of opinion on what constitutes a privacy issue in different settings:
Imagine that you are spending the afternoon at a shopping mall, partly browsing but also intending to purchase a number of things that reflect your individual interests and needs — everything from videos and books to gifts, to a prescription refill and some personal hygiene items. Unbeknownst to you, a marketing firm has hired someone to follow you around, recording everything you look at, noting any questions you ask, what you select for purchase, and how you pay for it. As you are about to leave the mall, this person approaches you with an offer for a discount on future purchases that makes you suspect that all your activities have been closely monitored.
What is your reaction to the discount offer? Would you be happy to take the discount with no questions about how it was tailored to your interests? Would you demand to know more about what information the observer had collected and what would be done with it? Would you feel that this type of surreptitious observation was less of a service and more of an unwanted intrusion on your privacy? Now shift the focus of the scenario to browsing and buying on the web. Does this change your reaction to the discount offer?
There are no consistent answers to these questions, and the wide range of reaction mirrors the different ideas that people have about private/public boundaries and comfort levels with sharing personal information. Before the Internet, the scenario and the responses to it might have been of academic interest in defining privacy boundaries, but they would not have had much real-life application. Following customers around on their shopping excursions was not financially viable for companies in the physical world, so they relied on other, more cost-effective, means of consumer profiling and data collection. Tracking shopper's behavior on the Internet is, however, efficient and increasingly common. Instead of contemplating a hypothetical scenario, on-line consumers face the reality of constant scrutiny.
The real-time application of information collection, behavior monitoring, and data-mining activities has been significantly enhanced by the Internet, enabling new approaches to interactive marketing and the personalization of advertising messages through a variety of new media tools and technologies. Sophisticated online tools enable even the smallest companies to obtain and analyze types of customer information that were previously impossible to compile or available only to those corporations with massive marketing budgets. Gartner Group predicts that 85 percent of the world's largest companies will have an active on-line marketing program by the end of 2000. These programs typically include the ability to track the path that on-line users take through the company's own web site, what documents the user opens, what searches take place, how long a user spends on any part of the site, and what items are placed into shopping carts. All this data can then be linked to whatever personal information the user may have shared with the company by filling out a registration form, requesting a special service, and so on.
Many users are not aware that their on-line behavior is so readily recorded and analyzed. Even fewer know that services like DoubleClick contract with a number of the most popular web sites to pool on-line browsing information for an even richer and more detailed profile of consumer behavior across all of its clients. When DoubleClick announced plans in the summer of 1999 to acquire Abacus Direct, an off-line database-marketing company, privacy advocates quickly raised objections. They asserted that merging the Abacus database — an enormous file with individual names, addresses, and buying patterns of more than 88 million catalog shoppers — with the on-line tracking power of DoubleClick would concentrate too much personal consumer information in the hands of one company. DoubleClick does not currently link its on-line behavior profile services to individual names and addresses, but the merger raised the possibility of future products with even more detailed personal reports. Despite a flurry of criticism and discussion in public policy and privacy circles, the merger announcement and its implications for on-line privacy never penetrated the general consumer consciousness. One reason is that the techniques and technologies that underpin both on-line tracking and personalization service are still mysterious to the average Internet user. Another is that DoubleClick and similar services operate behind the scenes, and, unlike the decision to fill out a form on a web site, their data-gathering activity never becomes visible to the average Internet user.
For the hundreds of companies that develop and market such on-line tracking and data-mining capabilities, the development of these technologies and their adoption by millions of web sites represent vital entrepreneurial opportunities. Clearly, these on-line data-tracking and analysis products are much in demand. For all types of companies that do business on the web, learning as much as possible about visitors is a precondition for offering customized services and may be the key to growth and expanded revenues. Unless there is some external pressure to place limits on how much customer information is collected, or how it is used, it seems likely that on-line data-mining practices will be fine-tuned and expanded as quickly as the technology that supports them.
If companies on the Internet continue to soak up information as fast as customers can click through a web site, then privacy will be hostage to technology. A small percentage of web-savvy and technically astute users may register their objections and find ways to subvert those practices they define as a violation of their privacy. Small groups of consumers may adopt the new tools and services that are emerging to provide on-line anonymity by serving as a single trusted proxy for the individual. Others may have no problems with full disclosure to any web site and may simply wish to be informed in advance that tracking is taking place. In the absence of any accepted guidelines clarifying the scope of acceptable data collection or regulation limiting the use of personal information, questions about the appropriate balance of privacy and disclosure would have to be weighed by the individual consumer and then negotiated with each web site that is visited. Even a brief review of legal, ethical, economic, and philosophical approaches to the issue of privacy protection will illustrate that this type of negotiation is likely to be a daunting proposition.
From the ethical and the legal perspective, it is important to establish whether the Internet is intrinsically a public place — that is, a location where it is clear to users that their actions and communications can be readily observed. The flexibility of the Internet and the multiple functions that it serves for most users make the answer less obvious than it might initially appear. Many users understand that their participation in a chat room or a query to a popular search engine or clicking on a banner ad is likely to be observed and recorded. But what about their registration on a financial information services web page or their on-line purchases or their one-to-one messages. Are these subject to the same level of scrutiny and onward transfer?
Excerpted from Morality and Work by Tibor R. Machan. Copyright © 2000 Board of Trustees of the Leland Stanford Junior University. Excerpted by permission of Hoover Institution Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.