
Privacy group demands tougher protections from FTC

EPIC argues industry self-regulation won’t be enough

The Electronic Privacy Information Center (EPIC) has practically accused the FTC of being derelict in its duties to protect Internet users’ privacy. This attitude is revealed among the public comments filed in response to the FTC’s proposed Policy Framework on privacy.

EPIC has been an advocate of privacy protection for consumers since it was formed in 1994, when the Web was just a baby. EPIC argues in its comment that businesses should be required to adopt clearer privacy policies regarding information they collect on consumers because policies vary widely, are obtuse (sometimes purposely) and frequently change. The group complains that the FTC “mistakenly endorses self-regulation and ‘notice and choice’” of a company’s practices. Furthermore, EPIC says the FTC can already investigate deceptive business practices that invade privacy under Section 5 of the statute under which it operates, but that it doesn't. The FTC "fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers," EPIC states.

The Federal Trade Commission is poring over 442 public comments filed in response to its proposed Policy Framework. The Information Law Group posted its analysis of the comments earlier this week and, in an earlier blog post, I looked at how Microsoft’s response highlighted its proactive privacy approach but overlooked its privacy protection failings. Here, I’m noting the diametrically opposed views on the proposed regulations from privacy rights groups urging reform and business groups promising they can regulate themselves just fine, thank you. Other advocates for privacy protection filing comments included the Consumer Federation of America and the Center for Democracy and Technology.

On the other side of the issue stand groups like the Interactive Advertising Bureau (IAB), representing sellers of online advertising, which depend on obtaining as much information as they can about Internet users to target ads. The IAB states that it “believes that the appropriate approach to addressing consumer online privacy issues is through industry self-regulation and education.” Where have I heard this before? Oh, perhaps in every response to every regulation ever proposed anywhere on the planet Earth.

“Existing and emerging robust self-regulatory principles address privacy concerns while ensuring that the Internet can thrive, thereby benefiting both consumers and the U.S. economy,” IAB argues.

To be sure, Internet businesses have good intentions and can point to instances where they have built “privacy by design” into their digital goods and services. Microsoft, for instance, told the FTC it already deletes the IP addresses linked to Bing searches after six months and deletes cookies after 18. And it introduced a “Do Not Track” feature called Tracking Protection in its new Internet Explorer 9 web browser (Firefox 4 has one, too). But Microsoft has made its share of privacy mistakes, such as assisting law enforcement and intelligence agencies in obtaining private user data, failing to encrypt the cloud-stored data of its Live@edu users and reportedly using ads as a cover for data mining.

Microsoft is not the only Internet business with a privacy protection problem, though. EPIC petitioned the FTC in 2009 to investigate Google over security breaches in its cloud computing service. And Facebook, despite numerous complaints about its envelope-pushing data mining practices at the expense of privacy, urged the FTC to provide privacy protection without imposing “restrictions [that] could limit Facebook's ability to innovate.” You’ll have to do better than that, Zuck.

I’m all for innovation and entrepreneurship, which is the lifeblood here in Silicon Valley. But this is a case where innovation is moving faster than our ability to understand it and think through all its implications. It’s great that companies are proactive on addressing privacy issues, but we’ve seen too many examples of privacy breaches to think that the industry alone can provide the right balance between privacy and commerce.
