Comments submitted to the Federal Trade Commission on March 26, 1999
On the Internet, as in the flesh, there are only two ways for businesses to garner information about an individual’s private life. One is for that individual – call him Fred – to provide the information, usually in exchange for a discount or other benefit. The other way is for the business to obtain that information without Fred’s knowledge or consent. Both methods have fallen under intense scrutiny in recent months, and various government agencies, including the Federal Trade Commission (FTC), have intimated that government needs to intervene in the electronic marketplace – to an extent above and beyond the ways in which it protects against fraud in the physical one.
Fortunately, consumers are already protected from businesses who abuse either method of compiling customer information. People generally desire security in their transactions, but they don’t always desire it at the expense of everything else – and in a free society, making the tradeoff between personal privacy and the benefits of offering information about oneself is part of a competent adult’s portfolio of prerogatives. In many ways, the free market and the proto-civic institutions of the Net have already produced and distributed an array of privacy-protecting devices without aid (and despite threat of hindrance) from the government. Moreover, those devices are easily available to the Freds of the world, not just the Bills and the rest of the geek elite.
The first method of garnering information, wherein Fred turns over his information to firms of his own accord, concerns policymakers mostly insofar as it concerns children. Paternalism may or may not have its place in American policymaking. But if Fred wants to give away information in exchange for some benefit, then he ought to retain the freedom to do so. If Fred is not responsible for himself, though, then the state may have a stronger rationale for intervening.
Given the decentralized nature of the Web, the easiest way for parents to prevent their children giving away private information is to control computer access and make clear rules about what information is "stranger-okay." That is, make clear the difference between publicly posting one’s favorite basketball team and one’s phone number. Parents are better suited to do this than the government is because children possess extremely diverse levels of Net skills and savvy. It is important for those children who know what not to say to be allowed into information-requesting sites. A blanket government rule prohibiting information-gathering from children would unnecessarily "dumb down" the variety and number of sites catering to children. On the Net, where information is still the most important and valuable commodity, the only way to ensure quality content for children is to ensure that providing content aimed at them pays dividends. The surest way to convert the Net into a combination geektopia and red-light district is to discourage child-oriented sites.
Moreover, many "censorware" products block adult-oriented sites from a child’s use, and it is difficult to provide a site operator with information if one cannot access the site in the first place. These products are controversial, since they can (and sometimes do) unintentionally block acceptable sites or incorporate political bias into the sites they block, but nonetheless they provide a good, if blunt, instrument for ensuring that, if children input information, they will do so only to benign areas of the Web. Censorware is really just an electronic aid to enforcing the parental rules mentioned above, especially when there is more than one computer in the household (one for the parents and one for the kids).
In general, then, voluntary exchange of information for some other good or service should not be regulated or even discouraged. Total control over one’s personal information does not have infinite value; the success of "frequent shopper" cards at Safeway and other grocery store chains shows that rational people are quite willing to trade information not just about their preferences in groceries but their addresses, telephone numbers, etc. for (often substantial) discounts. The only stumbling block comes when children, who may not understand these tradeoffs, start giving away information. That sort of problem does not require regulation, merely parenting – and that task, with regard to the Internet, has grown easier thanks to various products produced by the market precisely because developers already realize the value to parents in being better able to shepherd their children through the Web.
Fred buys a compact disc from a Web-based retailer, providing his real name, address, credit card number, phone number, and other sensitive information. The retailer records that information in a database and then sells it, along with hundreds of other records, to another merchant. Here the element of consent is removed, since Fred hasn’t gotten anything from the second merchant. Should there be a law prohibiting this sort of practice?
First, a little common sense is called for. When we hear the voice of a salesman on the other end of the phone line, most of us put up our guard. Some even hang up the phone as soon as they hear a salesman’s voice, since giving information to a salesman practically guarantees that it will be sold to someone else. How do we know this? It’s common sense. When we fill out forms, applications, and surveys in exchange for free samples at the supermarket, we expect much the same thing.
The Net is young. Common sense about its realities is still filtering into the general population. According to a January 1999 study by the Pew Center for the People and the Press, the number of Americans regularly using the Internet has doubled over the past two years. New users will acclimate to the Net and its often arcane ways, but that process cannot occur overnight. We do not regulate the learning of foreign languages, even though beginners may make some embarrassing gaffes when they try to speak before they develop a wide vocabulary. Moreover, if federal rules begin to dominate site conduct, no one will bother to acquire any common sense about what to put in the little online forms and under what circumstances it is safe to do so. The fact is that the current debate too often centers on just two actors: the government and "the industry" (a grossly inaccurate blanket term for all firms who do business on the Net). That analysis completely omits the users and customers, who are treated either as sheep ready for the shearing or abstract non-entities altogether. They do not receive their due as – crucially – adaptable human beings.
Net users can learn, just as campers and K-mart shoppers learn too. Department store watchers know when the sales are, and know where to look for bargains. They know brands and makes of goods in which they are interested. Even in the parts of stores they don’t frequent, they still know what the general etiquette and "ways of doing things" are – don’t try on clothes for three hours without buying, and don’t leave your wallet out when you’re in the dressing room. We do not need rules requiring signs saying much the same thing at every turn. Similarly, we do not need rules dictating specific privacy policies on Web sites – and the lack of such requirements does not at all mean that no one will adopt or respect privacy policies.
Finally, it is very easy to forget that transfer of credit information is not everywhere and always a bad thing. Credit card fraud is common enough that most people worry about it – the majority of Internet users who do not make purchases via the Web cite credit security as their reasons for refraining. But some people have terrible credit ratings, and can only recover their credit by ensuring that banks and other financial institutions have access to their credit records. Stifling the exchange of credit information will tie down those people – people not usually among the well-off, who may need credit just to get back on their feet after a financial misstep or youthful indiscretion. Some people decry the easy availability of consumer credit. But consider the alternative: a nation in which only the rich can borrow capital.
Hence, cookies serve a useful purpose. But they can also serve nefarious purposes, when they are used to collect information about a user’s home system and send it to a marketer, who may then use it to send unsolicited e-mail, or to a hacker, who might use the machine’s Internet Protocol address to crash it during a sensitive communication or activity. So it is worthwhile to consider how to manage cookies, and how to keep the ones you want and discard the ones you don’t want.
It turns out not to be all that difficult. First of all, most Web browsers allow users to block cookies entirely. But that sledgehammer approach also denies the user the full functionality of the Web. Luckily, there exist programs collectively known as "cookie cutters," which make it much easier for the average user to monitor incoming and already-present cookies, and remove the questionable ones. Many cookie cutters are free, and available for download at a number of sites around the world. (The majority of cookie cutters can be downloaded in less than five minutes on a low-end modem connection.) This is just one example of programs that arose due to user demand, and which satisfies an important privacy concern – control over the programs sent by others on the Web into one’s computer. Cookies did not impel "self-regulation" by sites that use them; instead, a user-centered solution arose. Such solutions are a product of the collective ingenuity of the Web’s denizens and developers, and cannot be approximated by a single committee or commission’s regulations, no matter how well considered and drafted.
Another way to block cookies is through the use of a proxy server. A server is a computer that acts as an intermediary between "clients" (the terminals most of us use to work or play games) and the other computers with content we want to view (most often, other users’ clients). A proxy server is just a second server that a user can route his Internet connection through, thereby masking the nature of his actual server. This comes with a tradeoff, of course, since it takes longer for a packet of information to travel to a client when it has to go through two servers instead of one. The Anonymizer is a good example of a commercially available proxy server. With the Anonymizer, a user does not need to purchase a second server – rather, the arrangement is closer to a rental. The user gets an anonymous account, and simply visits the Anonymizer before he goes somewhere sensitive. That way, a site attempting to send anything to his computer hits the electronic "wall" created by the Anonymizer. Cookies as well as simple programs designed to track and trace a user’s movements bounce off. A proxy server is currently the best protection of online privacy short of actually refusing to log on. It stands to reason that firms would offer rental of such a service, as the Anonymizer has done, since many people don’t want or need the trouble of maintaining their own proxy servers.
The Anonymizer is a good example of the opposite side of the privacy tradeoff. Just as many people are willing to trade their personal information for money or other benefits, others are willing to pay for increased protection of that information. And when people are willing to pay for a service, the market will provide it.
The proliferation of privacy policies on (especially) commercial Web sites has led to skepticism about the level of accountability. Without the force of law, how can a user be sure that a site will honor what it says about its dealings in information? The answer is based partly on basic economic principles, and partly on enforcement by what one might term proto-civic institutions – infant watchdogs that keep an eye on Web sites, and establish a brand or "seal of approval" with high recognition value. Just as the circled letter "U" signifies "kosher" to millions of Jews in the U.S. and abroad, so too can Net institutions develop similar symbols without a government rule defining it as such.
In addition, market forces have accelerated in cyberspace. It is much, much easier to simply enter a competitor’s Web address when one’s first-choice firm disappoints in some way, whether it be through a poorly-done or slow-loading Web site, or something more serious. That provides an additional rationale to avoid regulation – since market accountability is enhanced when customers may instantaneously change their minds about where to shop, the incentives for firms to respond to customer preferences for enhanced privacy or greater restraint with entrusted information are stronger.
The Internet has been around for a decade now, but it is still young. As it matures, more and more people unfamiliar with its ways and means will give it a try, and encounter difficulties. But consumer unfamiliarity with the Internet should not precipitate government regulation. The single strongest element in protecting online privacy will be common sense, and that will only evolve over time, as people are free to succeed and fail in their online endeavors. In the meantime, the various sectors of the Internet’s population have developed useful applications, readily available to the average user, to help guard against some of the pitfalls of electronic commerce and conversation. And institutions have cropped up to promulgate a system of norms and standards that can evolve to suit the Internet’s peculiarities far more quickly and closely than a set of pages in the Federal Register. Regulatory intervention in the development of those institutions and standards would be more than just a policy disaster. It would be a tragedy.