The Government and Online Privacy

Copley News Service, 09/27/2000

Would you rather trust Charles Schwab, Wal-Mart or L.L. Bean with your private financial information, or the government?

If you feel slightly queasy when a waiter disappears with your credit card for 20 minutes, just think about the Internal Revenue Service downloading your electronically filed tax forms and leaving a “cookie” on your computer to follow you around the Web. If you believe your privacy is secure in dealings with the government, you might want to think again — particularly in light of a new report commissioned by Congressman Steve Horn, chairman of the House Subcommittee on Government Management, Information, and Technology.

Drawing on information gathered by the General Accounting Office and the various inspectors general serving throughout the executive branch, Horn found that when it comes to protecting your privacy with secure computer systems, the federal government as a whole earned a D minus minus.

That’s not very reassuring to citizens who are compelled to entrust their government with very personal information such as Social Security numbers, income tax filings, employment and immigration status and medical histories. It’s particularly disturbing when so many government officials are complaining about the danger of private-sector misuse of personal financial information.

Federal Trade Commission member Orson Swindle made a compelling point when he congratulated the FTC for supporting industry guidelines for self-regulation when it comes safeguarding privacy on the Internet. Swindle noted that the commission contradicted itself in supporting self-regulation yet calling for sweeping new regulatory oversight of Internet privacy practices.

In fact, as the Horn report now makes clear, if there is any need for new oversight, we should start with the government itself. Horn and the GAO applied the same industry-developed standards backed by the FTC, including notice to customers of information collection, customer opt-out and security guidelines.

Of the 24 federal agencies held up to scrutiny, more than one out of four received a failing grade, and only two (the Social Security Administration and National Science Foundation) received as much as a “B.” In practical terms, this means that you and I can’t be sure we know when our government is collecting information about us on-line.

Back in June, Wired News reported that many federal agencies are using cookies to track and gather information on users of their Web sites, including the Federal Reserve, the Immigration and Naturalization Service, the Justice Department and the Energy Department. These practices were ongoing, despite government-wide guidance issued by Office of Management and Budget that was supposed to limit agency use of cookies to track people on-line.

What about the private sector? Despite the self-regulation guidelines approved by the FTC, companies that provide goods, services and information on-line are not generally required by law to follow specific practices and procedures. Even so, private sector options for protecting your personal and financial privacy are proliferating.

It’s in the nature of the private sector, particularly in a time of rapid technological change like the Internet era, to come up with a wide range of solutions to new problems like on-line privacy and test them in the marketplace. Not all of these products will survive, and not all will suit the needs of all users. But it should be clear by now that we’re better off trusting the market’s invisible hand to look out for our interests on-line than a one-size-fits-all system of government regulation. Even if government bureaucrats could think through all the problems and come up with objective solutions, they couldn’t possibly anticipate the way technology and the marketplace will change tomorrow, next week or next year. The market is, by definition, much more responsive to change.

If you’re still not convinced, remember that government has already collected more information on us all than any private company ever could. If the government has lax computer security and privacy policies, we’re all put at risk. If a private company invades our privacy, only a discrete set of customers will be damaged. We need to minimize that risk, starting with the industry’s guidelines for self-regulation.

But let’s also read Horn’s report and demand that government earn our trust where protecting privacy is concerned.