Privacy advocates in Washington, D.C., have been busy in recent months.
Groups such as the Center for Democracy and Technology (CDT), the Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC) have sounded alarms on several privacy-related issues before the U.S. Congress and federal agencies.
CDT, more recently joined by Microsoft and Google, has long pushed Congress to pass comprehensive privacy legislation that would set the ground rules for businesses that handle personal information. Several lawmakers have recently called for a broad privacy law.
Representative Joe Barton, a Texas Republican, complained about targeted advertising campaigns during a speech at a forum on Internet privacy earlier this month. Although there have been recent privacy complaints about a targeted ad service offered by NebuAd, other online ad networks put cookies on computers without telling the owners, he said.
“Nobody in the world has a right to know anything about me unless I let them,” Barton said.
No one expects Congress to pass a major privacy bill this year — passing major legislation is difficult in the months approaching a national election, and a comprehensive privacy bill hasn’t even been introduced. But several privacy advocates say momentum for a new privacy law seems to be building, with a real push likely in 2009.
“There is a perfect privacy legislation storm developing that should propel a bill in the next Congress,” said Jeffrey Chester, CDD’s executive director.
Among the privacy issues debated recently in Washington:
— Privacy groups, including CDD and EPIC, raised concerns about Google’s late 2007 acquisition of online advertising network DoubleClick, and some have also questioned the privacy implications of Google’s recent advertising deal with rival Yahoo.
— Privacy groups and some lawmakers have protested experiments by a handful of broadband providers to use a targeted ad service from NebuAd. The NebuAd service tracks the Web habits of broadband users in an effort to deliver more relevant ads, but during the past couple of months, privacy groups have complained that NebuAd uses common Internet attacks to track users and that some broadband providers didn’t notify their customers.
— Congress debated and passed an extension to a controversial U.S. National Security Agency surveillance program that targets suspected terrorists and people communicating with them. The new surveillance law, given final approval this month, provides some additional court oversight to the NSA program, but it also will likely give legal immunity to telecom carriers that participated in the program while it was not under court oversight.
— Several other privacy-related issues are before Congress: How to ensure privacy of electronic health records, whether to require private companies to report data breaches to customers whose personal information has been compromised, and how to improve the cybersecurity of government agencies.
A series of data breaches reported in early 2005 created a push for a data-breach notification law, but Congress has failed to pass legislation. However, the controversy over broadband providers, including Charter Communications, testing NebuAd’s targeted ad service has brought privacy issues back to the forefront.
During a hearing last week, several lawmakers questioned NebuAd Chairman and CEO Robert Dykes about why the company requires broadband customers to opt out of having their Web habits tracked instead of taking an approach where they opt in to the targeted ad service.
The NebuAd controversy has helped create a push for new privacy legislation, CDD’s Chester said. In addition to the privacy issues, the NebuAd service stirred up concerns from advocates of network neutrality, who don’t want broadband providers interfering with Web content, Chester noted.
“The bungled attempt by Charter … to get into the online ad business has created a serious new layer of opposition to online marketing and data collection,” he said. “One aspect of the online ad business — ISP monitoring — has helped potentially create a bipartisan coalition to pass some form of legislation. Ironically, we now may be able to set a standard for a bill where opt-in becomes the rule for all — not just for ISPs.”
During two hearings this month, Dykes defended NebuAd’s service, saying it does not collect personal data that can be linked to specific users. NebuAd also anonymizes the information it collects, and not even the U.S. government could get access to that data, he said.
Dykes, facing questions from lawmakers last week, wouldn’t commit to changing his service to opt-in. Instead of opt-in permission, “it’s much more important that the consumer is well-informed,” he said.
But Dykes seemed to embrace a comprehensive privacy law when he called for a “consistent” set of laws governing how businesses should handle personal information. “I don’t think one set of companies should be penalized,” he said.
Representatives of Microsoft and Google repeated their calls for a broad new privacy law. Microsoft has been pushing for one since 2005, but too often, Congress has focused on narrow issues, such as spyware, breach notification or health records, said Mike Hintze, associate general counsel at Microsoft, in an interview.
“More and more companies have sort of come to the realization that there’s … a lot of regulation out there, but it’s fractured and inconsistent,” he said. “Traditional lines of industries are merging and converging, and that overlapping legislation, as a result, is very unclear how it applies to new business models and new technologies.”
CDD’s Chester suggested that Google and Microsoft may be trying to out-position each other in the privacy debate. “Google wants privacy legislation because it’s a real headache for them politically,” he said. “But I believe they wish to see a relatively weak bill enacted which creates an opt-out regime and forecloses on stronger state action. Microsoft sees a potential competitive advantage in being the better-privacy-than-Google company.”
Pablo Chavez, senior policy counsel at Google, disputed Chester’s reading of the privacy debate. Google has called for legislation that would create strong penalties for companies that violate privacy laws, he said in an interview.
“What we’re looking for is a national standard that provides uniform protections for consumers across the country,” he said.
But asked if all online companies should get opt-in permission before they collect personal data, Chavez said there’s a difference between the NebuAd model and many other sites or ad networks that collect personal data. While NebuAd intercepts broadband subscribers’ Web surfing habits, many other sites follow generally accepted ways of collecting data, he said.
A strong, clear policy allowing Web users to opt out of data collection is “appropriate for third-party advertising,” Chavez said.
Beyond the debate about opt-in versus opt-out, there are a lot of issues that need to be worked out before Congress can pass comprehensive privacy legislation, said Brock Meeks, communications director for CDT. Several industries, including the financial sector, have raised concerns about how a new privacy law would affect them, he said in an e-mail interview.
“We still face a high hurdle,” Meeks said. “Although a good group of corporations have agreed in principle that a baseline privacy bill is needed, there isn’t much agreement on how that type of legislation should be crafted. It’s a tremendously complex issue, a lot of moving parts. We may have succeeded in getting all those pieces into one box, but we’re a long way from putting that puzzle together.”