Online Privacy and the European Controversy—Let’s Get the Ends Straight, Then the Means

by Andy Oram
June 18, 1999

As negotiations broke down late in May between the United States and European Union concerning privacy legislation, news reports warned that European citizens would be able to sue American companies for practices that violate their privacy. The cross-Atlantic debate adds urgency to privacy questions that more and more Americans have been asking, as they buy products over the Web and divulge personal information in online forums.

Designers of major Web sites have learned that it’s good public relations to post privacy notices. But the current furor over online notices, the emerging specification called P3P ("Platform for Privacy Preferences"), and branding programs like TRUSTe or BBBOnline can become a distraction from deeper issues. For that reason, if for no other, the EU’s pressures are healthy for the U.S.

Suppose that you’ve collected somebody’s credit card and address information for a transaction. You’ve promised that you won’t disclose the information to anyone else, and that’s great. But suppose a malicious employee uses the information to order himself a new set of golf clubs? Or that you fail to take reasonable security precautions and an intruder steals the information? And how does a customer know you’ll adhere to the policy you posted?

Privacy, in short, is not something that can be solved on the Web. Postings and protocols can merely help companies adhere to policies set elsewhere. TRUSTe and BBBOnline—as well as by U.S. government standards like the FTC’s Fair Information Practice Principles—do cover a lot of privacy safeguards, such as access (letting users see and correct the data stored on them), security, and enforcement (having an independent organization check the company, and allowing the user to obtain compensation for violations). But still, privacy principles in the U.S. tend to be honored in the breach. For instance, the number of sites posting privacy policies has skyrocketed in the past year since the FTC made a public stink about it. But Marc Rotenberg, Director of the Electronic Privacy Information Center, testified to Congress in May about the superficiality of compliance:

The most recent survey allows that the posting of just one element of Fair Information Practices could constitute a privacy policy. Thus the industry was able to say, "Of the 364 websites surveyed, 65.7% had posted at least one type of privacy disclosure." At a certain point, you cannot lower the bar any further.

Yes, when it comes to privacy, you have to read the fine print. To show how wide the gap is between the U.S. and EU positions, even after months of negotiating, consider one of the "safe harbor" principles that the U.S. proposed:

An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice).

The principle would be satisfied by a blanket statement like, "We may share information with other organizations offering services that may interest you," which opens the door for rampant sales to direct marketing firms. In fairness, the principles also say that an organization must inform individuals about "the types of third parties to which it discloses the information." But still, this is far less restrictive than the EU Directive on Data Protection, which says:

Member States shall provide that personal data must be…collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

That pretty much cuts direct marketing out of the picture. Since American industry runs on direct marketing, they feel they can’t live with the EU restrictions—and that irreconcilable difference will prove a wider gap than the Atlantic Ocean itself, which data can cross over in the blink of an eye.

The U.S. companies stress two requirements that clash with practices elsewhere: there can be no "one size fits all approach," and self-regulation is less burdensome than government intervention. Just for the sake of experiment, let’s try to put together a self-regulating mechanism that would provide privacy as good as laws along the EU model.

Start with the P3P protocol, which allows Web servers to advertise policies and users to specify through their Web clients what policies they prefer. P3P is clearly relevant only to a self-regulation regime, because where there are strict laws in effect there are is nothing to "prefer" and no competing policies from which to choose.

P3P, while it was designed to be flexible, doesn’t always fit actual privacy needs. For instance, one of the key principles of privacy is that an organization should discard information after it is no longer needed for its original purpose. But Karen Coyle of Computer Professionals for Social Responsibility points out that P3P doesn’t offer expiration times. (This observation is one example from her general critique of the specification.) Any issue concerning the length of time data is retained has been relegated to one field in the W3C’s proposed policies (called the "harmonized vocabulary"). The critical element of assurance also appears as an option—not a requirement—in this vocabulary.

To make P3P a force for user data protection, the browser would have to give the user easy access all these options. Not only would it have to implement the assurance and retention fields, but it would have to ruthlessly shut down access to Web pages that try to weasel information out of users under weak policies. The companies manufacturing browsers, one can assume, are more sympathetic to the needs of marketers than of end-users. But a default brower setting of "Send all your cookies, take all my secrets" won’t cut it in terms of privacy protection.

Industry standards and codes of conduct are not inimical to privacy protection. (The EU directive encourages them.) But the legal solution possesses the advantage of clarity; proponents of self-regulation have a long way to go to prove their solution will work.


Andy Oram is an editor at O’Reilly Media. This article represents his views only. It was originally published in the online magazine Web Review.