- As Prepared for Delivery -
The Obama Administration came into office with a commitment to privacy protection. The Obama Campaign’s Technology Policy White Paper said: “As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy. . . . Barack Obama supports restrictions on how information may be used and technology safeguards to verify how the information has actually been used.”
Fulfilling this promise is a key goal of the Internet Policy Task Force, created by Secretary of Commerce Gary Locke this April. The Department is engaged in a broad review of the four key public policy challenges facing the Internet: (1) enhancing privacy; (2) ensuring cybersecurity; (3) balanced copyright protection; and (4) ensuring the global free flow of information. Our decision to address this range of Internet issues arises from the significant and growing social and economic contributions the Internet makes to our lives. According to the U.S. Census, domestic online transactions are currently estimated to total $3.5 trillion annually. Digital commerce is a leading source of job growth as well, with a new study showing that between 1998 and 2008, the number of domestic IT jobs grew by 26 percent, four times faster than U.S. employment as a whole. By 2018, IT employment is expected to grow by another 22 percent.
I. Overarching Principles Guiding the Internet Policy Task Force’s Review of Privacy
Privacy has been the Task Force’s first order of business. Our effort is guided by two overarching principles:
First, preserving consumer trust is essential to the sustainability and continued growth of the digital economy. If users do not trust that their personal information is safe from misuse, they will worry about using new Internet-based services, thus threatening economic growth.
Second, Internet policy implicates a broad array of interests—industry, consumer, civil society, academic, and governmental—and we need a policy development process that includes all of these stakeholders. We must learn from the unique multi-stakeholder processes that have helped build and operate the Internet in order to arrive at best practices that can protect user privacy according to a flexible but enforceable set of rules.
In the years following the commercialization of the Internet (starting roughly around 1995), an era that we call Internet Policy 1.0, the government imperative was to seek unrestrained growth of the Internet as a promising new medium. During this first phase of Internet policymaking, early online privacy engagements between the Commerce Department, the FTC, and commercial and non-commercial private sector stakeholders collaborated to establish a model for addressing emerging privacy challenges. These efforts led to progress toward voluntary, enforceable privacy disclosures and opt-out opportunities. The premise of this effort was that voluntary industry commitments would develop faster and provide more flexibility than legislation or regulation.
Today, we are in the third decade of Internet policy-making. There’s little question that multi-stakeholder organizations have played a major role in the design and operation of the technical aspects of the Internet and are directly responsible for its success. Our approach, which we call Internet Policy 3.0 recognizes that the interplay among technical standards and design, multi-stakeholder institutions, voluntary best practices, and laws and regulations is essential to ensure that the Internet continues to meet its economic and social potential.
But has the current model really worked well enough in the privacy arena? Should we consider continued reliance on it? As experienced Web users, we all know that few people read privacy policies. Even if you try, the language is usually disappointingly vague and confusing. If most individual web users don’t actually read and make choices based on posted policies, then are these policies really delivering the transparency that our reliance on the Internet requires? Would it have been preferable for us to engage in a different policy approach during the early days of the Internet, such as having Congress or the FTC enact a set of substantive privacy rules for Web companies to follow?
As privacy scholars Professors Deirdre Mulligan and Ken Bamberger (University of California, Berkeley I-School and Law School) recently wrote, this type of dynamic, hybrid system in which both private and public stakeholders participate may well yield actual privacy practices that are more responsive to evolving consumer privacy expectations than would a traditional rulemaking system. The rate at which new services develop, and the pace at which users form expectations about acceptable and unacceptable uses of personal information, is measured in weeks or months. We all know that rulemakings at agencies such as the FTC or the FCC take years and could result in rules addressing services that may be long abandoned.
But at the same time, in response to the Privacy and Innovation Notice of Inquiry that we released in April, a wide range of commenters from both industry and civil society told us that the current privacy environment must be strengthened.
In other words, we need to build on the innovation-promoting strength of our current model while at the same time increasing consumer trust.
What specifically needs to be done to strike this new balance? First, we feel that it is time that we commit to a set of baseline privacy principles. To borrow from one of the responses we received to our Notice of Inquiry, baseline FIPPs are something that consumers want, companies need, and the economy will appreciate. This baseline would include a full set of fair information practice principles (FIPPs) – widely accepted guidelines that establish obligations concerning how online entities collect and use personal information across the many commercial contexts in which personal data is being used. We need to investigate the appropriate safety net for when the marketplace fails to meet the consumer expectations tied to these baseline FIPPs.
Second, consistent with our multi-stakeholder model, we realize that government is not going to have all the answers. A multi-stakeholder strategy for implementation will be critical to ensure that we end up with a framework that is rational and provides businesses with clear markers about how to meet their obligations, but is also dynamic, to keep information practices in line with consumer expectations as technologies and markets evolve.
With or without legislation, we believe that the centerpiece of Internet privacy protection is to upgrade the role of voluntary but enforceable codes of conduct, provided they are developed through open, inclusive multi-stakeholder processes.
The discussion of Do Not Track proposals is a perfect illustration of the need for robust, multi-stakeholder process to develop voluntary but enforceable codes of conduct. Let me start by saying that individual choice and individual control over the flow of information to and from the user has been a foundation of Internet policy from its inception. For example, user empowerment technology (including filtering, blocking, and monitoring tools) has provided families with the means to protect their children from viewing inappropriate material online. There have been some similar developments in the area that the “do-not-track” concept is intended to address—online behavioral advertising. As Web users became aware that cookies could be used to track their activities on a single Web site as well as across multiple sites, browser developers provided their users with the means to block and manage cookies in a variety of ways. More recently, members of the online advertising industry developed common principles about the collection and use of tracking information, and the industry is rolling out a system to help consumers manage their tracking preferences online. To the extent that these tools provide effective protection for individual choices, government properly avoids regulations that would otherwise restrict the flow of information.
Any Do-Not-Track system would necessarily have two components: first, a technical mechanism (hopefully built into Web browsers) that provides the user a way to signal his or her intent not to be tracked or profiled depending on the context; and second, an understanding between individual web users and all of the various commercial (and non-commercial?) services on the Web that engage in tracking as to exactly what sort of behavior those services would avoid. The technical mechanism may take some work to implement, but is a straightforward engineering task. The second, agreement on what is meant by the “do-not-track” sign on, say, the user’s browser, is a more complex task, requiring agreement on policy and best practices among a number of players including users, advertisers, marketers, technology companies, and other intermediaries.
Some users want to avoid tracking altogether. But many users want more nuanced choices. That is, users might be happy to have certain Web sites collect and store some information about browsing habits when it serves the users’ interests, but they might want to avoid other tracking or profiling that they consider intrusive or simply of no benefit to them. In the first instance, a user may want sites to remember his or her preferences, account information, or even to provide certain types of customization. However, that same user might also want to prevent the creation and use of profiles that allow marketers or advertisers to learn details about his or her buying habits. Reaching agreement on this more complex set of choices, beyond just the technology, will require careful work.
So today’s debate over the feasibility of “do-not-track” is an illustration of a larger problem: the overarching need for a more dynamic framework that can incentivize the creation of industry codes of conduct, while also being flexible enough to keep pace with innovation. The robust, dynamic framework to be proposed by the Commerce Department’s green paper will provide increased ways to address new applications and technologies like do-not-track. Specifically, the Commerce Department’s Internet Policy Task Force will look for opportunities to convene industry and consumer groups to reach voluntary agreements on issues such as affording users better ways to control the flow of personal information and to signal their choices to companies online. Our Department’s Task Force is also well situated to work collaboratively with the FTC to encourage industry to create workable models in these and other areas. Once crafted and adopted by stakeholders, the FTC can use its enforcement authority to ensure compliance with these voluntary agreements.
III. Conclusion: Roles in the Multi-stakeholder Process
In closing, I’d like to say a few words about the roles of various stakeholders in the privacy debate: users, consumer and privacy advocates, businesses, and the Federal Trade Commission.
Users: you are right to expect a Web experience that enables you to exercise meaningful control over how your personal information is collected and whether third parties are using your information in a manner that is inconsistent with your expectations.
Privacy and Consumer Advocates: The Web is a work in progress so your role as a voice for consumer interests is important in the technology design process and technical standards bodies such as the Internet Engineering Task Force (IETF) and World Wide Web Consortium (W3C). It is important to be represented in the public policy debate, of course, but the user voice, as represented by consumer advocates, is vital in the process of shaping the global Internet technology environment on which we all depend.
Business and technology companies: You’ve been extraordinarily innovative in developing new products and services that add value to the online economy through intensive use of personal information. Various individual companies and industry groups are now applying that innovative spirit to tools that give users the transparency and control over their personal information that they deserve. Keep it coming!
Federal Trade Commission: The Commerce Department salutes the groundbreaking work that the Commission has done over the last fifteen years on online privacy protection, beginning when the Web was young and growing with it as it has expanded.
While some countries justly worry about the lack in the United States of a modern set of FIPPs across all sectors, , they know that we have a (if not the) world-class consumer and privacy protection enforcement agency. To paraphrase Peter Hustinx, the European Union Data Protection Superintendent, in remarks he made on the stage at the International Data Protection and Privacy Commissioners Conference in Jerusalem (October 2010): During the 1970s and 80s, the U.S. and Europe were together on privacy. In the 1990s we diverged, during which time Europe was stronger on principle and the U.S. stronger on implementation. Now, we have things to learn from each other. I couldn’t agree more with Mr. Hustinx and note that when he refers to implementation, he is mostly talking about two components 1) voluntary but enforceable codes of conduct and 2) the work of the Federal Trade Commission.
The Commerce Department looks forward to continuing to work with all of these stakeholder groups as we continue to develop new tools, new best practices, and evolving social consensus about how to handle personal information online. Our challenge is to create a framework that enlarges U.S. prosperity and democratic values while providing meaningful tools to empower individuals to make informed and intelligent choices for protecting their privacy.