W3C Workshop on the Future of P3P
November 12-13, 2002, Dulles, Virginia, USA
David A. Stampley1
Many individuals sense that, by participating in e-commerce, they pay an unseen price in data that is intrusively gathered and subsequently used to further intrude upon them. Even in consumers' dealings with familiar companies, consumers find themselves entering into transactions that invite them to repose blind trust in remote parties veiled by an unfamiliar medium. Analysts estimate that United States consumers' reticence will cost billions of dollars in lost opportunities over the next several years. The privacy costs imposed on individuals are impossible to quantify.
Consumers' concerns are embodied in a new vocabulary of information intrusion that includes "identity theft," "spam," "web bugs," "tracking," "profiling" and, with lesser press at the moment, "price-pointing," and "weblining," in which one's own information contribution results in a higher price or denial of opportunity. A responsive vocabulary has also emerged. Its terms, such as "privacy policy," "clear and conspicuous disclosure," "robust notice and choice," "sensitive data," "opt-out," "trusted affiliate," and "personalized experience," have not allayed individuals' fears that participating in e-commerce has hidden costs and latent consequences.
The existence of a privacy debate signifies that consumers and businesses would very much like to engage in mutually satisfactory relationships but disagree on what constitutes intrusion and how to overcome it. But that debate leads a life of its own, offline.
Online, the hyper-flexibility of the Web allows the parties to communicate with and through each other in novel configurations. E-commerce, however, has not included a companion, inline protocol that, throughout all or part of the arc of a data relationship, can help the parties assert their commercial interests and confidently negotiate, control, and verify the privacy costs associated with their interactions.
This privacy communications deficit has motivated efforts to develop online language systems for privacy.2 To aid in considering how such a language might help United States consumers and businesses avoid privacy problems, or the perception of them, this paper looks to examples from the record of formal resolutions of prior privacy conflicts: government enforcement actions addressing consumer privacy.
As consumers have moved online, the laws protecting them have followed. In a number of instances, enforcement actions in response to consumers' privacy concerns, online and offline, have resulted in out-of-court settlements. The privacy values identified in these documents provide a resource for considering the scope of a language of privacy.
In drawing inferences from the language of a settlement, it is important to bear in mind that, generally speaking, it does not represent a court's decision that a business violated any law; it does not signify that the business admits doing anything wrong or agrees with the government's factfindings and legal conclusions. Bearing titles such as "Assurance of Voluntary Compliance," "Assurance of Discontinuance," "Consent Order," or simply, "Agreement," the settlement language typically documents the parties' agreement that, in response to some action by the government, the business will cease engaging in specified conduct or undertake specified actions.
Generally, consumer protection laws in the United States apply to a company's actions, statements, or failures to speak that tend to be materially false, deceptive, misleading, fraudulent, or unfair, regardless of the company's intent.
Using this language framework, if the government alleges that a company defrauded consumers because its privacy policy contained material misrepresentations, it does not necessarily mean the government is accusing the business of setting out to deceive consumers through its privacy policy. Intent is not a factor. The allegation may well mean that, through some conduct, the company breached a commitment in its privacy policy, perhaps even unknowingly. Both AltaVista and Infobeat stated in separate settlements with the New York attorney general that they were unaware that their Web page coding caused visitor registration data to be transmitted via referer URL to the third-party advertisers providing Web-page banner ads.
The conduct contradicting the commitment may even be a single, accidental event. For example, in Eli Lilly's settlement with eight state attorneys general last June, it attributed the exposure of its prozac.com subscribers' email addresses to a programming error in coding a one-time mass mailing.
Note also that consumer protection laws encompass not only statements, but also actions, practices, and failures to disclose. The New York attorney general found that, prior to mid-1999, Chase Manhattan Bank had violated consumer protection laws by failing to provide sufficiently conspicuous and detailed information to its credit card and mortgage customers that it was marketing their personal information to nonaffiliated, third-party direct marketers. The attorney general also alleged a violation in Chase's failure to provide a more convenient means of choice regarding the information sharing.
The materiality of consumers' expectations can be a key factor in identifying whether a practice or statement rises to the level of a consumer protection concern. Generally, a company's conduct implicates consumer protection concerns when it would tend to matter to consumers in their ability to make informed commercial choices; in the vernacular, "If I had known they were going to do that with my data, I wouldn't have gone to that site."
The materiality of issues such as identity theft, choice and personally identifiable information, sensitive data, and spam is already well established. The agreed-upon terms of settled cases, below, provide some insight into other issues that might fall within the scope of an emerging privacy vocabulary:
Access: In DoubleClick Inc.'s agreement3 with New York and nine other states, the third-party ad server agreed that, should it engage in even pseudonymous profiling, it will develop a facility to allow a consumer to view the data categories associated with the consumer's cookie.
Affiliate transparency: DoubleClick also agreed to contractually require first-party client sites to disclose their participation in profiling and committed to aggressively monitor its first-party clients' sites to ensure their compliance with the contractual disclosure requirement.
Outside the settlement context, federal statutory provisions relating to medical and financial privacy, HIPAA and Gramm-Leach-Bliley, address the sharing of data among first parties and affiliates.
Non-PII: The terms of the DoubleClick settlement deal in large measure with data that is not personally identifiable, but is linked to a pseudonymous identifier through a user's cookie.
Change in data use: Toysmart's bankruptcy settlement4 included an agreement for the destruction of its customer database rather than its sale as an asset. DoubleClick agreed to restrict its use of previously collected user data to the privacy policy in place at the time of collection. DoubleClick also agreed to provisions applying to prospective changes in its privacy policy, including notifying subscribing users via email and thus eliminating the need for consumers to "check back here periodically" in order to receive notice of policy changes.
Verifiability of privacy commitment: A number of privacy settlements, such as state settlements with DoubleClick, Ziff Davis Media,5 and Eli Lilly,6 and the Federal Trade Commission's settlement with Microsoft,7 include a requirement that the company verify its compliance with the settlement terms by providing the government party with an external review or audit. Further, under the terms of the DoubleClick settlement, the company agreed to make the external review conclusions available to consumers by posting them in its Website privacy policy.
Security: The terms of a settlement with Ziff Davis Media require the company to reform its network security practices. Eli Lilly's settlement required it to establish change protocols for modifications to Web-based systems that deploy consumer data.
What do these cases mean for privacy-related communications? One point might be that, inevitably, part of the privacy debate will be resolved offline in an evolving value system based on the vocabulary of consumer protection. A second point might be simply that any time an actor selects words to describe an action, there is some risk that other persons may perceive that the accepted meaning of the words does not fairly correspond to the action.
A third point might be that, in an unfamiliar and opaque online world in which consumers have no means to follow their data around, consumers are likely to have material expectations about practices as well as promises.
At a global level, not only are consumers unable to follow their data around, they have been unable to process the privacy policies that are available; businesses have applied mechanized collection and analysis tools to consumer data but not to their own privacy self-reporting. Consumers have been relegated to a clumsy, click-read-and-remember world. This information asymmetry is aggravated by consumers' inability to detect in real time the identities and collection activities of the domains with which they have been placed in contact by the first-party sites they chose to visit.
In this environment, consumers could benefit from access to relevant, automated privacy disclosures expressed in a standardized vocabulary.
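Two of the mechanisms above can be made concrete in code: the AltaVista and Infobeat referer leak, in which registration data carried in a page's own URL is handed to every third-party ad server embedded on that page, and the consumer's inability to see which third-party domains a first-party page silently puts the browser in contact with. The following is an added example written for this page, not code from the paper or from any of the companies named in it. The hostnames, HTML and query parameters are constructed for illustration; the list of "personal" parameter names is an assumption, not a standard. It relies on the browser behaviour of the period, in which the full page URL, query string included, was sent as the Referer when fetching embedded images and scripts.

```python
"""
Constructed example (not from the paper): given a first-party page URL and
its HTML, list the third-party hosts the browser contacts while rendering,
and report which query-string fields of the page URL each of them would
receive through a full-URL Referer header.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit, urlunsplit

# Hypothetical hosts and parameter names, constructed for this example only.
SAMPLE_PAGE_URL = (
    "https://www.example-portal.test/register/thanks"
    "?email=alice%40example.net&zip=10001&fname=Alice&sid=42"
)
SAMPLE_HTML = """
<html><body>
<h1>Thanks for registering</h1>
<img src="/img/logo.gif">
<img src="http://ads.example-adserver.test/banner?site=portal">
<script src="//metrics.example-analytics.test/tag.js"></script>
<a href="https://partner.example.test/offer">Partner offer</a>
</body></html>
"""

# Assumed set of parameter names that commonly carry personal data; the
# value pattern additionally catches e-mail addresses under any name.
PII_PARAM_NAMES = {"email", "fname", "lname", "name", "phone", "zip", "address"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering
    (images, scripts, frames, stylesheets). Plain links (<a href>) are
    not fetched until clicked, so they are deliberately excluded."""
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src",
                  "frame": "src", "link": "href", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)


def third_party_hosts(page_url, html):
    """Hosts other than the page's own that rendering the page contacts."""
    first_party = urlsplit(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for raw in collector.urls:
        # urljoin resolves both path-relative and scheme-relative (//host) URLs.
        host = urlsplit(urljoin(page_url, raw)).hostname
        if host and host != first_party:
            hosts.add(host)
    return sorted(hosts)


def leaked_fields(page_url):
    """Query-string fields a full-URL Referer would disclose, keyed by name."""
    query = urlsplit(page_url).query
    return {k: v for k, v in parse_qsl(query)
            if k.lower() in PII_PARAM_NAMES or EMAIL_RE.match(v)}


def referer_leak_report(page_url, html):
    """Map each third-party host to the personal fields it would receive."""
    fields = leaked_fields(page_url)
    return {host: fields for host in third_party_hosts(page_url, html)}


def strip_query(page_url):
    """The first-party fix: keep registration data out of the URL entirely
    (for example, redirect to a clean confirmation URL after the POST)."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


if __name__ == "__main__":
    for host, fields in referer_leak_report(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(host, "would receive", fields)
    print("clean confirmation URL:", strip_query(SAMPLE_PAGE_URL))
```

On the sample input, the two third-party hosts each receive the e-mail address, ZIP code and first name; the session identifier is not flagged. The same walk over a page's auto-fetched resources is what a client-side tool would need in order to show a consumer, in real time, which domains a first-party site has introduced into the transaction.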
Even with an automated system of point-of-contact disclosure, consumers will continue to need a reasonable means to learn of policy changes that might impact their privacy assumptions based on past disclosures. The need for businesses to undertake affirmative, alternative privacy notifications is especially great for the consumer who established a relationship on a Website but continued it in a non-Web environment, such as text-based email or mobile media.
Consumers might benefit indirectly from a business culture change brought on by standardized and automated disclosures. Otherwise, consumers face increasing threats in a world of business models built on affiliate and outsourcing relationships with varying degrees of oversight. The risk to consumers is exacerbated by tensions and communications failures among management, marketing, budgeting, and information technology areas. Where businesses have complex and dispersed decision structures, a standardized privacy vocabulary, syntax, and access mechanism for privacy disclosures might help businesses discuss and detect data uses that are privacy-risk-prone or inconsistent with prior disclosures.
Consumers' greatest need lies outside the scope of their communications with a business about its intended data practices. Consumers typically have no direct means to monitor most data practices, which surely will continue to limit consumers' confidence in e-commerce and ability to help it function more responsively. Even if a business publicizes its privacy audits, this reassurance is after-the-fact and far removed from the consumer's transaction level. Consumers must continue to rely almost completely on the business's accuracy of disclosure and its ability, with little substantive interaction, to discern consumer concerns that lie outside the framework of the currently available vocabulary, syntax, and platform.
Whether by drawing back the curtain on the various domains touching the consumer through their graphics on web pages or by giving consumers access to data and accompanying metadata about custodianship and usage, consumers must have some reliable means to know what is happening and has happened with their data. Meaningful commercial choice means consumers' having the ability, based on a business's performance, to distinguish among the good, the bad and, inevitably, the ugly. Each spam email or, worse yet, each case of identity theft, leaves a consumer wondering who spilled the data and what other undesirable uses of it continue unseen.
Perhaps one outgrowth of a machine-readable privacy language would be consumers' ability to exchange their own e-commerce metadata, such as comparisons of companies' machine-readable privacy policies or compilations of e-commerce experiences expressed in a standard privacy vocabulary. Consumers could not only benefit from, but also participate in, the potential for a language to grow from an initial vocabulary and syntax that reflects one party's current practices to a language that describes the outcomes of past e-commerce interactions and promotes continuity and success in future consumer-to-business relationships.
Finally, the dynamic of privacy settlements is instructive. It is not necessary to design an interaction model in which consumers must literally know and trust online parties, especially since, through technology or business arrangement, those parties may be unseen, dynamically introduced, or not even yet identified during the consumer's initial interaction. What is necessary is that consumers be able to participate in a process in which they can reasonably rely on the outcome, even in dealing with parties whose interests may not be completely mutual. As in a settlement in which adversarial parties disagree on the facts and values but agree on a plan for going forward, consumers need the information, control, and verification that make it worthwhile for them to sidestep the debate and engage in the process.
1 David A. Stampley, Assistant Attorney General, Internet Bureau, brings e-commerce privacy enforcement actions on behalf of New York State Attorney General Eliot Spitzer, including the DoubleClick Inc., Eli Lilly and Company, and Ziff Davis Media Inc. cases. He is a former systems analyst.
Note: This paper represents the author's personal opinion. It is offered as a contribution to discussion in a workshop setting. It does not purport to comment, officially or unofficially, on the merits or legal effect of any particular party's rights, technologies, or practices.
2 This paper employs the term "language" in a nontechnical sense.
3 Available at http://www.oag.state.ny.us/press/2002/aug/aug26a_02.html.
4 See http://www.oag.state.ny.us/press/2001/jan/jan11a_01.html.
5 Available at http://www.oag.state.ny.us/press/2002/aug/aug28a_02.html.
6 Available at http://www.epic.org/privacy/medical/lillyagreement.pdf.
7 Available at http://www.ftc.gov/opa/2002/08/microsoft.htm.