Published in the Seattle Post-Intelligencer
Distributed by Copley News Service<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
September 27, 2000
Headline: Feds Should Make Web Cookie Crumble: Would you rather trust Charles Schwab, Wal-Mart or L.L. Bean with your private financial information, or the government?
If you feel slightly queasy when a waiter disappears with your credit card for 20 minutes, just think about the Internal Revenue Service downloading your electronically filed tax forms and leaving a "cookie" on your computer to follow you around the Web. If you believe your privacy is secure in dealings with the government, you might want to think again - particularly in light of a new report commissioned by US Rep. Steve Horn, chairman of the House Subcommittee on Government Management, Information and Technology.
Drawing on information gathered by the General Accounting Office and the various inspector generals serving throughout the executive branch, Horn found that when it comes to protecting your privacy with secure computer systems, the federal government as a whole earned a D-minus-minus.
That's not very reassuring to citizens who are compelled to entrust their government with very personal information such as Social Security numbers, income tax filings, employment and immigration status and medical histories. It's particularly disturbing when so many government officials and politicians are complaining about the danger of private-sector misuse of personal financial information.
Federal Trade Commission member Orson Swindle made a compelling point when he congratulated the FTC for supporting industry guidelines for self-regulation when it comes to safeguarding privacy on the Internet. Swindle noted that the commission contradicted itself in supporting self-regulation yet calling for sweeping new regulatory oversight of Internet privacy practices. As he puts it, "My colleagues, unwilling to accept a self-regulatory approach, find it necessary to support a highly regulatory scheme for an entire industry. I fear the legislative recommendations will create an incentive for industry to discontinue seeking self-regulatory solutions." In fact, as the Horn report now makes clear, if there is any need for new oversight, we should start with the government itself. Horn and the GAO applied the same industry-developed standards backed by the FTC, including notice to customers of information collection, customer opt-out and security guidelines. Of the 24 federal agencies held up to scrutiny, more than one out of four received a failing grade, and only two (the Social Security Administration and National Science Foundation) received as much as a B.
In practical terms, this means that you and I can't be sure we know when our government is collecting information about us online, and we have even less assurance that such information is protected from third parties. In June, Wired News reported that many federal agencies are using "cookies" to track and gather information on users of their Web sites, including the Federal Reserve, the Immigration and Naturalization Service, the Justice Department and the Energy Department. These practices were ongoing, despite governmentwide guidance issued by the Office of Management and Budget that was supposed to limit agency use of "cookies" to track people on-line. Combined with the excellent work done by Horn, this gives our citizens little reason to expect the government to be their best friend when it comes to protecting on-line privacy. What about the private sector? Despite the self-regulation guidelines approved by the FTC, companies that provide goods, services and information online are not generally required by law to follow specific practices and procedures. Even so, private-sector options for protecting your personal and financial privacy are proliferating. As Jessica Melugin of the Competitive Enterprise Institute points out, "The profit motive involved in protecting privacy online is so strong that products for that express purpose are widely available to consumers." Melugin cites, among other products, the Anonymizer browser that blocks unauthorized parties from monitoring your online activities, and the Enonymous Advisor, which rates Web sites' privacy policies so consumers can evaluate their risks before they browse.
It's in the nature of the private sector, particularly in a time of rapid technological change like the Internet era, to come up with a wide range of solutions to new problems like online privacy and test them in the marketplace. Not all the products will survive and not all will suit the needs of all users. But it should be clear by now that we're better off trusting the market's invisible hand to look out for our interests online than a one-size-fits-all system of government regulation. Even if government bureaucrats could think through all the problems and come up with objective solutions, they couldn't possibly anticipate the way technology and the marketplace will change tomorrow, next week or next year. The market is, by definition, much more responsive to changes in the way we live, work and do business.
If you're still not convinced, remember that government has already collected more information on us all than any private company ever could. If the government has lax computer security and privacy policies, we're all put at risk. If a private company invades our privacy, only a discrete set of customers will be damaged. We need to minimize that risk, starting with the industry's guidelines for self-regulation. But let's also read Horn's report and demand that government earn our trust where protecting privacy is concerned. Government has important work to do, but as Milton Friedman put it, "Hell hath no fury like a bureaucrat scorned."
Jack Kemp is co-director of Empower America and Distinguished Fellow of the Competitive Enterprise Institute.