Capitol Comment 284 – Privacy: While Legislators Debate, Others Innovate

Privacy is this year’s ubiquitous issue. It can be found on bookshelves, magazine covers, the evening news, and in campaign speeches. Privacy applies to different aspects of people’s lives, from medical records to financial records to shopping habits. Definitions of privacy vary, but it might be best described as the control we have over information about ourselves.

There are many questions about privacy that do not have clear answers. The Constitution does not explicitly mention a “right” to privacy, yet language exists in the fourth, fifth, and ninth amendments to suggest that such a right may exist. As such, when is this right violated? Is personal information collected by government or businesses a threat to our privacy? And how does the Internet change the way we have approached privacy in the past?

For some politicians, the answers are simple – too simple. Protecting privacy is great election year rhetoric, and many politicians see promises of privacy protection – often through coercive government mandates – as a great way to score points on the campaign trail.

But what, exactly, are the threats to privacy and what is the best approach to deal with these threats? The White House wants new regulations, the sooner the better. Lawmakers in Congress are not so rash. They recently formed a Congressional Privacy Caucus to examine the issue. There is also pending legislation (H.R. 4049) to create a bipartisan Privacy Protection Commission that would examine the problem in detail and determine what regulation – if any at all – is necessary. And while these legislators debate how to protect consumer privacy, two groups of people will be developing technologies that put consumers in control of their own information.

The first group is the World Wide Web Consortium (W3C), a group of industry leaders, academics, Internet user organizations, and public policy experts. These people are responsible for setting the core technical standards for the World Wide Web. The second group is the innovators and entrepreneurs who see privacy concerns as an opportunity to develop privacy-enhancing business models and products. They hope that if they can build better mousetraps – in this case, ones that protect privacy – the world will beat a path to their doors.

For the last two years, the W3C has been developing the Platform for Privacy Preferences (P3P). The P3P project was started to meet the demand by consumers for a better uniformity and easier understanding of the various privacy policies of Web sites.

The first precaution savvy Internet users take to protect their privacy is to read the privacy policies found on most Web sites. These policies describe in detail what information the site collects, whether the information is linked to your personal identity, and how the organization or individual responsible for the site uses your information (for example, is it sold to other companies?). These policies are often criticized, and rightly so, for being complex, legalistic, and difficult to understand.

The P3P standard would make privacy policies easy to find, understand, and evaluate. New versions of Web browsers would come equipped with this protocol. Consumers would be able to adjust settings on their browsers as to the type and amount of information they want to disclose. When Internet users visit a Web site, their browser would use P3P to determine if the privacy policy of that particular site matches the privacy preferences of the user. If they do, the browser would download the Web site. If a site’s privacy policy does not match the user’s settings, the browser would flash a warning, alerting the user to the discrepancy. The user is then able to make a decision whether or not to proceed.

There are benefits to sharing information over the Internet. Some Web sites recommend products or services according to the items individuals have purchased from them in the past. Consumers find this a convenience, and the business benefits too, as consumers are alerted to products and services they might not otherwise find. There are also risks; some Web sites may share information their users may not want disclosed. The P3P standard in itself would not improve the privacy policies of Web sites, but it would inform the consumer as to how his or her personal information is to be used.

When companies share information, it is usually for marketing purposes. To cut costs, companies spend as little money as possible, which means they need detailed demographic and lifestyle information to target their most likely audience. Firms collect this information and sell or trade it to one another, a practice developed long before Al Gore invented the Internet. This practice is easily vilified, especially by politicians on the campaign trail or government regulators looking for new regulations to enforce.

But if a firm were to develop a way to directly target consumers without storing hordes of personal information in a central database, they would have a great advantage over their central-database-dependent competitors. Encirq, a San Francisco-based company, proposes to turn the traditional direct-marketing model backwards. Their method stores personal information and develops a personal profile on a consumer’s hard drive; targeted advertisements are then anonymously downloaded from Encirq’s server.1 The result is a win-win situation, marketers reach a highly-targeted audience, and consumers need not disclose their personal information.

These two technologies – P3P and Encriq’s marketing model – are privacy solutions developed without government intervention or regulation. They exist because individuals saw a consumer demand for better privacy, and found a way to supply solutions to meet that demand (and to make some money in the process). It is possible that by the time legislators finish debating the privacy “problem,” a market free of privacy regulations will have already solved it.

1 Susan Kuchinskas, “By Invitation Only,” Business 2.0, June 13, 2000, pp. 268-278, also see Encirq’s Privacy and Online Marketing Overview.