Establishing Digital Trust: Don't Sacrifice Security for Convenience
WASHINGTON -- A House panel Thursday morning took up the question of whether a law establishing a so-called "do-not-track" mechanism to set limits on how much personal information Web companies can collect is needed to protect consumer privacy online.
The hearing of the House Energy and Commerce Committee's consumer protection subcommittee comes just a day after the Federal Trade Commission released a draft report advocating a Web-wide opt-out mechanism patterned after the popular Do Not Call registry that restricts the activities of telemarketers.
The debate is preliminary at this stage, with no legislation backing the proposal having yet emerged and the congressional session drawing to a close. Rep. Ed Markey (D-Mass), the co-chairman of the bipartisan Congressional Privacy Caucus, announced at the hearing that he plans to introduce a bill next session that would establish a ban on Internet companies collecting information about children.
Markey was one of the architects of the 1998 Child Online Privacy Protection Act (COPPA), the last major act of Congress that set up boundaries for safeguarding kids' information online. Some advocacy groups and lawmakers have called for an overhaul of the COPPA statute, which Markey today pointed out is a relic of the "B.F. era -- before Facebook." The FTC is reviewing the law and plans to release its recommendations for modernizing COPPA in the next few months, according to David Vladeck, director of the FTC's Bureau of Consumer Protection, who testified at today's hearing.
Vladeck emphasized that the do-not-track mechanism the agency is proposing would not necessarily entail a federally administered registry of Web users who had opted out, but that despite the work of some major Web companies and advertising trade associations, the FTC leadership has become convinced that the government needs to take a more forceful role to protect consumers.
"In our view, self-regulatory efforts have thus far fallen short," Vladeck said. "I recognize that industry has come up with some solutions," he added. "Our concern is that those efforts have fallen short."
The FTC report proposed a browser-based mechanism that would broadcast users' do-not-track requests to Web sites, ad networks and other entities in the online data exchange. The agency has not taken a position on how the do-not-track mechanism should be implemented, either from a technical perspective or in terms of how it would be organized and operated. Vladeck suggested that it could even be administered by a private-sector organization, provided that the government was granted enforcement authority to pursue actions against bad actors who didn't play by the rules.
"We're not proposing the creation of a list, nor are we proposing a centralized system managed by the government," Vladeck said, responding to some critics who have charged that a do-not-track regime threatens to erode the same privacy protections it would be designed to strengthen.
The report the FTC issued yesterday is open to public comment through the end of January, with a final version due out later next year.
But Rep. Ed Whitfield (R-Ky.), the ranking member of the subcommittee, said he was skeptical about the technical feasibility of a do-not-track mechanism, and that in holding up the Do-Not-Call registry as a model, "we're not really comparing apples to apples."
"I'm not sure the technology is in place to establish such a mechanism," Whitfield said, noting that each of the major browser makers has been experimenting with different variations of a universal tracking opt-out, but warning that government oversight of the technical aspects of the software threatens to insert bureaucracy into a fast-moving area where it is ill-suited to regulate. "The question would be, is the government really the best entity to make that decision."
Daniel Weitzner, the associate administrator for policy at the Commerce Department's National Telecommunications and Information Administration (NTIA), countered that "there is a growing agreement in the technical community" that it is eminently feasible to develop a do-not-track mechanism that would tell third parties that certain actions are not to be recorded, but that the bigger challenge would be to ensure that websites and other data players comply with those messages.
"It's not that hard to send out a do-not-track signal, the question is who's going to listen to that signal," Weitzner said.
The Commerce Department is preparing its own report on Internet privacy, which Weitzner said is expected to be completed "certainly in weeks, not months, is our expectation."
Both he and Vladeck emphasized that a do-not-track mechanism would not be an all-or-nothing proposition, that for such a system to balance consumers' privacy with the revenue engine behind much of the free content on the Web -- advertising -- it would have to offer users what Vladeck described as "very broad and granular control."
"Historically the privacy debate has been framed as this sort of opt-in/opt-out stark choice," Weitzner said. "I think our goal should be to move beyond that."
"I think it's a mistake to assume that giving people more control means a reduction in advertising revenue," he added.