Pretty Poor Privacy

Privacy advocates beat up on ecommerce trade associations during the second day of a Commerce Department summit on Internet privacy. Will technology save the day? By Ashley Craddock.

WASHINGTON -- The second day of the Commerce Department's summit on Internet privacy wasn't pretty, with civil libertarians and consumer advocates grilling companies and personal-data industry trade associations over the alleged failure of their self-regulatory policies.

"I feel battered," said Truste executive director Susan Scott, leaving the podium after defending the group's year-old privacy initiative in a grueling Wednesday session with privacy advocates Robert Biggerstaff, Bob Gellman, Beth Givens, and Marc Rotenberg.

Truste, a joint project of the Electronic Frontier Foundation and Commerce Net, evaluates Web sites' privacy policies and awards a seal of approval meant to reassure consumers that the site handles personal information responsibly.

"The Truste mark implies someone has a good privacy policy in place," said Biggerstaff. "That's simply not true."

Whether or not the seal really means anything is in dispute. While Rotenberg, from the Electronic Privacy Information Center, credited Truste with creating "some useful ideas for self-assessment," he and others roundly criticized the group's watered-down approval process.

"How do you get from the level of having a privacy policy to the level of having a good privacy policy?" he asked.

That question, of course, is at the heart of the current concern over privacy standards which led to this two-day summit. With networked databases becoming increasingly sophisticated at collecting private information to create detailed individual profiles, the drafting of data protection policies has become critical. Adding to the sense of urgency is the growing role the collection of private information plays in a burgeoning online economy.

A year ago, the Clinton administration issued the "Framework for Global Commerce." At the time, the president was lauded for his hands-off approach to the nascent Internet economy. Both industry leaders and civil libertarians praised the government for resisting the urge to march in and legislate what it didn't understand. In return, Clinton extracted a promise that the industry would regulate its own privacy standards.

So far, industry has failed to live up to that promise. A recently released Federal Trade Commission report found that a mere 14 percent of 1,400 Web sites posted anything even resembling a privacy policy.

The looming October implementation date of the European Union's Data Protection initiative lends additional urgency to the situation. The EU directive, which establishes strict safeguards of personal data, has the potential to disrupt international trade with Europe, where a series of far-reaching personal privacy laws are already in effect.

Despite grumbling from Clinton, Vice President Al Gore, and presidential adviser Ira Magaziner, the administration still seems reluctant to take action. A Department of Commerce report on the state of self-regulation, originally scheduled for release 1 July, has been pushed back to give industry one more chance to do something.

Indeed, the administration was initially so intent on letting industry handle the situation that it opened itself up to charges from privacy advocates that it had "essentially delegated to the private sector the responsibility for organizing" this week's public meeting on self-regulation. In the end, the Commerce Department took charge of the event and invited players from all sides.

This, at last, generated signs of life from the industry. The week kicked off with a flurry of announcements seeming to indicate that industry could self-regulate after all.

Truste announced that it had signed Microsoft as a sponsor and licensee. The Better Business Bureau announced BBB Online, its online privacy program. The Individual Reference Services Group (IRSG), whose members include notorious data sieves Equifax, Experian, and Metromail, launched a privacy Web site. Dell Computer Corporation inaugurated a formal privacy policy.

The capper, though, came when nearly 50 companies and associations announced the creation of the Online Privacy Alliance. Members of the alliance are bound to support effective self-regulatory policies, agree to enforcement of those policies, and operate within existing laws and regulations.

Privacy advocates were not impressed. "It bears noting that you're starting from ground zero in terms of privacy protection," Rotenberg told BBB Online's Steven Cole.

"This is one of the more cynical policies I've seen," Gellman told Ron Plesser of IRSG.

"I think I need a Quaalude," echoed Biggerstaff. "What you've got here is a toothless tiger."

A more tempered Beth Givens of the Privacy Rights Clearinghouse noted that at best, the IRSG policy protected only a "narrow slice of the pie."

The only protective system receiving high marks was the Online Privacy Alliance, but there was still room for criticism.

"I give the system an 'A' for principles," Rotenberg told former FTC Commissioner Christine Varney, who is advising the group. But Rotenberg noted that the program failed to deal with enforcement issues.

Gellman panned the alliance. He said it only barely supported the Fairness in Information Practices that are spelled out in guidelines from the Organization for Economic Cooperation and Development.

Those guidelines specify limitations on the amount and type of information that can be collected, an explanation of why it was collected, limitations on how data can be used, security safeguards, and accountability for companies that have unlawfully obtained or used private information.

Besides lacking teeth, Gellman said, the alliance plan failed to limit the ways information can be used or to provide a plan for notifying consumers. "There must be limits on what can be done with data," he said.

"It can't be a case that if a customer doesn't object, you can do anything."

While the private sector failed to satisfy anyone that it is capable of establishing adequate data protection policies, technologists seemed optimistic that they could place control over personal data back in the hands of its original owners with P3P, a forthcoming standard under development at the World Wide Web Consortium.

"What I've been hearing industry say is that protecting privacy is too complicated, too expensive," said Steve Lucas of MatchLogic, Inc. "But if we approach privacy technology with the same vigor that we've approached data-collection technology, we can make some real progress."

In fact, technology was the summit's ray of light for industry advocates. Panelists plugged the loosening of export regulations covering data-scrambling technologies. The potential of anonymizing technology was discussed; this would allow companies to create complex individual profiles without identifying the consumer. And P3P, which aims to automate a "privacy policy" negotiation between users and Web sites, also had a hearing.

While there was disagreement on the extent to which privacy must be protected by legislation, no technologist denied that the protection must be there. Otherwise, they conceded, the Internet will fail as a mass medium.

"The $64 billion dollar question is, 'Can we assure people that their privacy will be protected?'" said Junkbuster's Jason Catlett.

"If [we] don't act now," he warned, "Sally [Shopper] and her friends will disappear forever."