global internet privacy rights - a pragmatic approach

Upload: dima-pavlov

Post on 05-Apr-2018


  • 8/2/2019 Global Internet Privacy Rights - A Pragmatic Approach

    1/28

    WAFA 5/31/20092:06:55PM

    131

    Global Internet Privacy Rights: A Pragmatic Approach

    TIM WAFA*

    I. INTRODUCTION

    The Internet has brought the world closer together by facilitating cheap, efficient, and secure global commerce and communication. Academics, web-enthusiasts, and private businesses have worked tirelessly to build upon the success of this revolutionary medium. However, there are two major obstacles that stand in the way of achieving a utopian online world, one which most effectively balances the goals of efficiency, privacy, and ease of use. These two obstacles can be categorized as: (1) the need to standardize and improve Internet technology; and (2) the need to streamline the existing global online privacy rights framework. Technology standardization has been tackled in an effective and organized fashion by the global technology community. The last decade has seen a successful effort between private business and public consortiums to accelerate the standardization of technical systems that allow myriad internet systems to reliably interface with one another.1 This achievement has allowed developers and end-users to reap the benefits of a well-defined and -policed systems foundation. Website developers have the assurance that their deployed content will be accessible by end-users without significant compatibility challenges.

    * Mr. Wafa earned a Bachelor of Science Degree in Engineering and the distinguished San Filippo Merit Scholarship from Santa Clara University. In 2003, he received Faculty Recognition for Technical Excellence for his role on the project, Multimedia Data over Wireless Networks, at the prestigious Computer Society International Design Competition (CSIDC). Mr. Wafa currently attends Loyola Law School where he is a candidate for Juris Doctor (JD, '09), with an emphasis on Intellectual Property, Information Privacy, HIPAA and Sarbanes-Oxley (SOX). Mr. Wafa has been the recipient of numerous accolades while in law school, including First Honors (conferred upon the student achieving the highest grade) in an eclectic selection of coursework (e.g. "Technology and Privacy Seminar", "Corporate Ethics and Accountability" and "Commercial Real Property Transactions"). He has provided enterprise information systems consultation services to leading healthcare, legal and banking institutions. Mr. Wafa is a member of the Institute of Electrical and Electronics Engineers (IEEE), the Healthcare Information and Management Systems Society (HIMSS) and the Center for Advanced Study and Research on Intellectual Property (CASRIP).

    1. JEFFREY ZELDMAN, DESIGNING WITH WEB STANDARDS: HOW XML CONQUERED THE WORLD & OTHER WEB STANDARDS SUCCESS STORIES 101-02 (New Riders 2003), available at http://books.google.com/books?id=wUGTSdey6TwC&pg=PA101&lpg=PA101&dq=internet+standards+success&source=web&ots=balYUFH7Z1&sig=1niGKmcBkyobE4KO5zQF_Batdrc#PPA101.


    132 INTELL. PROP. L. BULL. [Vol. 13:131

    Unfortunately, the streamlining of global privacy-rights has suffered from a lack of meaningful progress. The existing global privacy rights framework lacks coherence. It is an amorphous hodgepodge of conflicting requirements, differing foundational definitions (e.g. what is privacy), and divergent policy motivations.2 Internet data is increasingly flowing around the globe and during its split-second journey it passes through multiple jurisdictions, each with its own data privacy framework. While it is widely accepted that today's global privacy rights regime has complicated the ability of information service providers to collect, store, and share data about their online customers,3 very little work has gone into analyzing the effects of the existing framework on competition and the business community. This paper seeks to shed light on the implications of the current global privacy framework on business efficiency.

    Three significant issues have arisen as a byproduct of today's complex global privacy framework. First, the future of online privacy rights regulation is unclear and this uncertainty increases transaction costs and discourages small entrepreneurs from participating in the global Internet marketplace. Second, the disjointed and often competing policy motivations of today's multi-jurisdictional privacy rights regime have brought about an impotent regulatory environment, where jurisdictions are reluctant to pursue legitimate action against privacy-rights violators for fear of chilling online commerce in their territories. Finally, and perhaps most importantly, the existing privacy rights system is in danger of being replaced by an even more defective system; the front-runner replacement system.

    II. COMPARING EXISTING ONLINE PRIVACY FRAMEWORKS

    Internet traffic and global online commerce have grown together at exponential rates.4 That growth has remained vibrant in the face of severe global economic headwinds. The United States, the European Union, and various Asian countries each have a unique framework for dealing with privacy issues. Many commentators argue that the American and European systems have evolved differently as a result of the different underlying values and traditions of their respective societies.5 In a recent article on MSNBC.com, the American public

    2. Bob Sullivan, Privacy Lost: E.U., U.S. Laws Differ Greatly, MSNBC.com (Oct. 19, 2006), http://www.msnbc.msn.com/id/15221111/.

    3. U.S. Dep't of Commerce, Safe Harbor Overview, http://www.export.gov/safeharbor/SH_Overview.asp (last visited Nov. 7, 2007).

    4. InternetWorldStats.com, Worldwide Internet Usage Usage By World Regions, http://www.internetworldstats.com/stats.htm (last visited Nov. 7, 2007). Forrester Research recently projected that online retail sales will grow to $159 billion in 2009, 11 percent above 2008 sales figures. Helen Leggatt, Forrester: Growth Forecast for 2009 Online Retail Sales, BizReport (Jan. 1, 2009), http://www.bizreport.com/2009/01/forrester_growth_forecast_for_2009_online_retail_sales.html.

    5. See Sullivan, supra note 2.


    2009] GLOBAL INTERNET PRIVACY RIGHTS 133

    was distinguished from the European public as being paranoid about their government and prone to limiting government power as much as possible.6 The American view stands in stark contrast to the intrinsic trust Western Europeans put in their governments to protect them from unscrupulous corporations.7 The philosophical differences have manifested themselves in divergent legal systems, each viewing privacy through a unique lens and offering differing guidelines on when and how protection should be afforded. In many parts of Europe personal information cannot be collected or shared without the consumer's explicit permission and consumers have a right to review their data and correct inaccuracies.8 Moreover, companies that process data must register their activities with European governments9 and European employers cannot read their employees' private emails even though those emails are being read on company computers during working hours.10 The willingness of the Chinese populace to engage in online commerce without privacy protections may be a natural extension of their upbringing - citizens of a country who have come to expect little privacy in most parts of daily life may not care about online privacy in the same way Americans and Europeans do.

    A. PRIVACY IN THE UNITED STATES

    Privacy laws in the United States have grown in a haphazard fashion.11 A mixture of common-law, federal, and state statutory law forms America's framework for protecting privacy.12 Although the Constitution omits the word "privacy" entirely,13 U.S. courts have acknowledged an unenumerated right to privacy.14 In Griswold v. Connecticut,15 Justice Douglas asserted that "specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance."16 Douglas went on to suggest that various guarantees emanating from the first, third, and fourth amendments suggest "zones of privacy."17 While federal

    6. Id.

    7. Id.

    8. Id.

    9. Id.

    10. Id.

    11. Sullivan, supra note 2.

    12. Id.

    13. U.S. Const., available at http://encarta.msn.com/encyclopedia_761569008_4/constitution_of_the_united_states.html (last visited Nov. 23, 2008).

    14. Unenumerated Rights, West's Encyclopedia of American Law, http://www.enotes.com/wests-law-encyclopedia/unenumerated-rights (last visited Nov. 23, 2008).

    15. Griswold v. Connecticut, 381 U.S. 479 (1965)

    16. Id. at 484.

    17. Id.


    courts have largely followed the Griswold line of reasoning on the right to privacy, not all legal scholars accept it as gospel. In 1981, current Chief Justice John Roberts wrote that, "such an amorphous right is not to be found in the Constitution."18 In addition to the case-law establishing a constitutional right to privacy, numerous Federal statutes require the government to protect the privacy of citizens in various aspects of their daily lives.19

    States are also active in regulating privacy. California has had a breach notification law for many years, which requires,

    [A] state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.20

    Nevada recently enacted the nation's first data encryption law, requiring businesses to use encryption when using electronic means to transfer customers' personal data outside their organization.21 Michigan has legislation pending which would go even further than the Nevada Bill, by requiring businesses to encrypt stored consumer data.22

    B. PRIVACY IN THE EUROPEAN UNION

    Unlike the United States, the European Union (E.U.) attempted to centralize privacy rights by enacting a directive in 1995 that implemented a common framework for its member nations.23 Since then, the directive has been amended numerous times to include updates on how to deal with emerging issues such as the retention of

    18. Memorandum from John Roberts, Special Asst. to the U.S. Attorney General, to William French Smith, U.S. Attorney General (Dec. 11, 1981), available at http://www.factcheck.org/UploadedFiles/Roberts-Memo.pdf.

    19. Examples of these statutes include: (1) The Privacy Act of 1974, 5 U.S.C. 552(b) (2006) (prevents the unauthorized disclosure of personal information held by the federal government); (2) the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (2006) (protects confidentiality of information gathered by credit reporting agencies); (3) the Sarbanes-Oxley Act, Pub. L. No. 107-204, 116 Stat. 745 (2002) (mandates certain privacy standards for the financial industry); and (4) the Healthcare Insurance Portability and Accountability Act (HIPAA) regulations, 45 C.F.R. 160, 162, and 164 (2008) (seeks to protect the confidentiality, integrity, and availability of certain [electronic protected] health information.).

    20. California Security Breach Information Act, Cal. Civ. Code Ann. 1798.82 (West 2008).

    21. Nev. Rev. Stat Ann. 597.970 Ann. (West 2008).

    22. S.B. 1022, 2008 Sen., Reg. Sess. (Mich. 2008); Posting of Richard Gainer to Davis Wright Tremaine Privacy Blog, http://www.privsecblog.com/archives/122012-print.html (Feb. 27, 2008).

    23. Council Directive 95/46, On the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281/31) (EC), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.


    electronic data24 or the protection of privacy in the electronic communications sector.25 Notwithstanding this progress, the centralization of privacy rights in the E.U. is not fully streamlined. Each of the twenty-six E.U. nations maintains an independent agency. Each agency is tasked with interpreting the privacy directive and enforcing privacy regulations.26 This highly localized enforcement and implementation regime provides E.U. nations with some latitude on how to interpret privacy directives.27

    C. PRIVACY IN ASIA

    Privacy laws in Asia are even less congruent than they are in the United States or the European Union. Like the European and American frameworks, the laws of Asian nations reflect unique social traditions but vary significantly in the degree of privacy protection they provide to their citizenry.28 On the one hand, industrialized democracies in Asia, such as South Korea and Japan, offer relatively high levels of protection to their citizens.29 On the other hand, the highly authoritarian Asian countries, such as China and Vietnam, are less protective,30 and go to great lengths to scrutinize every bit of data transmitted to and from their country.31

    Privacy protections in Asia, Europe and the United States are highly localized in the way they implement and enforce privacy rules. Some systems are privacy-friendly, while others refuse to recognize privacy as a right to be conferred at all.

    III. IS THE EXISTING PRIVACY FRAMEWORK DEFICIENT?

    A. THE EXISTING SYSTEM WORKS - IF IT AIN'T BROKE, DON'T FIX IT!32

    Statements made by forward-thinking privacy advocates during the early years of online shopping were full of doom and

    24. Council Directive 2006/24, 2006 O.J. (L 105) (EC), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML.

    25. Council Directive 2002/58, 2002 O.J. (L 201) (EC), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML.

    26. Council Directive 95/46, supra note 23, art. 9.

    27. Peter McLaughlin, Cross-Border Data Flows and Increased Enforcement, IEEE Security & Privacy (Sept. - Oct. 2008), http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2008/n5&file=pri.xml&.

    28. McLaughlin, supra note 27.

    29. Caslon Analytics, Privacy Guide Asia, http://www.caslon.com.au/privacyguide6.htm (last visited Mar. 27, 2009).

    30. Chris Pounder, Why the APEC Privacy Framework is Unlikely to Protect Privacy, Out-law.com (Oct. 15, 2007), http://www.out-law.com/page-8550.

    31. Xiao Qiang, Who are China's Top Internet Cops?, China Digital Times (Sept. 28, 2007), http://chinadigitaltimes.net/2006/09/ho_is_chinas_top_internet_cops.php.

    32. Urban Dictionary, http://www.urbandictionary.com/define.php?term=if+it+aint+broke%2C+dont+fix+it (last visited Nov. 7, 2007).


    gloom; these groups argued that consumers would not embrace online commerce unless privacy protections were improved.33 In 2001, United States Federal Trade Commission (FTC) Chairman Timothy Muris stated, "there is no question that consumers are deeply concerned about the privacy of their personal information . . . how it's being used . . . and who is using it."34 Indeed, U.S. consumers have expressed dissatisfaction about deficiencies in the existing privacy framework in the U.S., demanding more government intervention to address the problem.35 As a result, the Electronic Privacy Information Center (EPIC), a public interest research center based in Washington, D.C., suggested that electronic commerce would not reach its full potential unless the U.S. played an active role to ensure that online consumers feel comfortable conducting business.36 Throughout the late 1990s and early into this decade, government regulators and privacy groups relied heavily on surveys to extrapolate the monetary damage that the existing privacy framework was having on electronic commerce. A lack of meaningful legislative action on strengthening privacy regulation has served to breed only more public discontent in the current decade.37

    Nonetheless, with U.S. online retail sales reaching $175 billion in 2007 alone,38 Internet commerce defied prognosticators who were certain that consumer trepidation about their privacy would prevent e-commerce from thriving. The success of online commerce in the face of widespread consumer concern begs an important question - if so many people are hesitant to shop online because of privacy concerns, then why have online sales boomed at an exponential rate? Some experts reconcile the discrepancy by discrediting surveys as a whole.39 However, others argue that surveys are not the problem.40

    33. Anthony Miyazaki & Ana Fernandez, Consumer Perceptions of Privacy and Security Risks for Online Shopping, 35 J. CONSUMER AFF. 27, 29 (2001), available at http://findarticles.com/p/articles/mi_hb3250/is_1_35/ai_n28837254/?tag=content;col1.

    34. Timothy Muris, Chairman, Federal Trade Commission, Address at the 2001 Privacy Conference in Cleveland, OH (Oct. 4, 2001), available at http://www.ftc.gov/opa/2001/10/privacy.shtm. Also, 80 percent of online shoppers said they were concerned about how much data was stored or available online. Keith Regan, Online Privacy is Dead Now What, E-Commerce Times (Jan. 2, 2003), http://www.ecommercetimes.com/story/20346.html.

    35. EPIC and Forrester Research estimated that privacy concerns resulted in 2.8 billion dollars of lost sales in 1999. According to those surveys, 57% of those polled believed the government should pass laws for how personal information can be collected and used on the Internet . . . [and] only 15% supported letting groups develop voluntary privacy standards (self-regulation), but not take action until real problems arise. ELEC. PRIVACY INFO. CTR., PUBLIC COMMENT ON BARRIERS TO ELECTRONIC COMMERCE (Mar. 17, 2000), http://www.epic.org/privacy/internet/Barriers_to_E-commerce.html.

    36. Id.

    37. Privacy 08, http://privacy08.org (last visited Mar. 27, 2009).

    38. Linda Rosencrance, E-commerce Sales to Boom for Next 5 Years, Computerworld.com (Feb. 5, 2008), http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061108.

    39. According to one Cato Institute analyst report, economists have always been


    They blame a lack of consumer education and a campaign of disinformation by Internet companies that give end-users a false sense of security about their online privacy.41 There is a disconnect between consumer expectations and business practices: about 55 percent of those surveyed by the Samuelson Clinic at UC Berkeley and the Annenberg Public Policy Center at the University of Pennsylvania falsely assumed that a company's privacy policies prohibited it from sharing their addresses and purchases with affiliated companies.42 Similarly, nearly four out of ten online shoppers falsely believed that a company's privacy policy prohibits it from using information to analyze an individual's activities online.43 In fact, sharing information with third parties and using information to analyze consumer behavior are common practices. Regardless, the success of the Internet is a global phenomenon. Users from countries with little or no privacy protection are still making commercial use of the medium. Chinese consumers have few privacy protections, yet they engage in online transactions as aggressively as netizens from nations with strong privacy protections.44 Moreover, it may be important to distinguish between the privacy that can be lost in an online commercial transaction and other voluntary online activities (e.g., creating Myspace pages, anonymous blogs, etc.). Citizens of authoritarian regimes may be willing to participate in online shopping but may curtail other more expressive online activities, which could expose them to scrutiny and punishment by their regimes.

    Another factor that supports the acceptability of the existing privacy system is the increased willingness of younger netizens to voluntarily allow their private information to be leveraged by service providers.45 Some commentators argue that there is no campaign of misinformation or disinformation by service providers; the young and technologically sophisticated are aware of how their information will be used and have no problem with it.46 Social networking sites like Myspace and Facebook have taken the Internet by storm; their

    suspicious of using surveys to determine customer preferences . . . because what counts are actions not words. . . . If concerns about privacy emerge in an ephemeral manner in response to a prompting from a survey and are never acted upon, they are not worth transforming into regulatory goals. SOLVEIG SINGLETON, CATO INSTITUTE, SELF-REGULATION: REGULATORY FAD OR MARKET FORCES (1999), available at http://www.cato.org/pubs/wtpapers/990507report.html.

    40. Jaikumar Vijayan, Most Consumers Clueless About Online Tracking, Computerworld.com (Nov. 2, 2007), http://www.pcworld.com/article/id,139212-pg,1/article.html.

    41. Id.

    42. Id.

    43. Id.

    44. Id.

    45. Net4TV, Security and Privacy: I Really Don't Care (Sept. 26, 1999), http://www.net4tv.com/Voice/Story.cfm?storyID=1481.

    46. Posting of C.G. Lynch to CIO.com blog, Why (Most) Facebook Users Don't Care about Privacy, http://advice.cio.com/c_g_lynch/why_most_facebook_users_dont_care_about_privacy (Feb. 17, 2009, 14:34 EST).


    repository of behavioral information on users is a goldmine to advertisers. Peter Levinsohn, president of Fox Interactive Media, owners of MySpace, described the profiling and advertising technology contained in MySpace as an opportunity to provide advertisers with a completely new paradigm.47 Many in the overwhelmingly young demographic who frequent these sites are happy to allow website operators to leverage their behavioral data.48 For example, Mark Gong, a 26-year-old photojournalist from Washington, runs the 3,000-member Wanderlust group on MySpace and expresses an interest for foreign films like Lost in Translation and The Spanish Apartment on his profile.49 Not surprisingly, this disclosure of personal preference has defined him as a prime target for travel ads on MySpace from companies like ShermansTravel.com, a travel deal site. "I'm not opposed to advertising," Mr. Gong said. "They have got to make money."50

    Whether the willingness of younger users to expose personal data signals a shift in generational attitudes or reveals a naïve constituency remains to be seen. Some commentators argue that younger generations are not fully cognizant (or simply throw caution to the wind) about the dangers posed by the new paradigm.51 When privacy intrusions have been explicit, end-users' outrage towards service providers has generally been vocal and harsh. Facebook recently came under strong criticism when end-users began to notice that their private purchases were being monitored and revealed to their friends and family.52 Facebook also received criticism for a recent attempt to make a draconian change to its terms of service.53 The change would have ensured that Facebook "retain[ed] ownership of all content uploaded, even if the user chose to delete it."54

    Never before has the technology or level of online traffic existed to interlink databases in such a sophisticated manner. Experts on digital privacy say it is inevitable that marketers will know, not only which sites somebody has visited, but who is doing the surfing.55 Jeff

    47. Brad Stone, MySpace to Discuss Effort to Customize Ads, N.Y. TIMES, Sept. 18, 2007, at C1, available at http://www.nytimes.com/2007/09/18/technology/18myspace.html?pagewanted=1.

    48. Id.

    49. Id.

    50. Id.

    51. Wall Street Journal Blog, Facebook Users Share too Much, http://blogs.wsj.com/biztech/2007/08/14/facebook-users-share-too-much/ (Aug. 14, 2007).

    52. Anick Jesdanun & Rachel Meltz, Facebook Users Complain of New Tracking, ASSOCIATED PRESS, Nov. 11, 2007, available at http://www.newsvine.com/_news/2007/11/21/1113567-facebook-users-complain-of-new-tracking.

    53. Jesse Perez, Why Facebook Behaves Like an Arrogant Frat Boy, LiveNews Australia (Mar. 25, 2009), http://livenews.com.au/home/why-facebook-behaves-like-an-arrogant-frat-boy/2009/3/25/184829.

    54. Id.

    55. Louise Story, F.T.C. to Review Online Ads and Privacy, N.Y. TIMES, Nov. 1, 2007, at


    Chester, the executive director of the Center for Digital Democracy, says that marketers are tracking where your mouse is on the page, what you put in your shopping cart, what you don't buy.56 It is a very sophisticated commercial surveillance system.57

    The ability of online companies to collect and exploit private user data is not just a vehicle for generating advertising revenue; it is having a serious impact in the courtroom as well.58 Reports are trickling in of search terms and online videos being used in criminal cases as evidence to convict defendants.59 In the winter of 2006, a wireless hacker pled guilty when his Google searches were used as evidence against him.60 The defendant ran a Google search over the network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network."61 While court papers did not describe how the FBI obtained his searches (e.g. through a seized hard-drive or directly from the search-engine), Google has indicated that it has the ability to provide search terms to law enforcement if given an Internet address or Web cookie.62 In 2005, prosecutors in a North Carolina murder case introduced as evidence search phrases pulled from a seized hard drive.63 The defendant was found guilty in part because he searched for the words "neck," "snap," "break," and "hold" before his wife was killed.64 Whether Internet users are aware of the broad implications that privacy infringement (in both the legal and normative sense) has and will continue to have on their daily lives is hard to gauge. One analogy that is particularly appropriate was made by an NBC correspondent covering privacy in the modern age. He eloquently stated, "Privacy is like health, when you have it, you don't notice it. Only when it's gone do you wish you'd done more to protect it."65

    In spite of consumer surveys and expert warnings, the existing privacy system may work. Consumers are engaging in online commerce and social networking activities at phenomenal rates and

    C1, available at http://www.nytimes.com/2007/11/01/technology/01iht-privacy.1.8139691.html.

    56. Id.

    57. Id.

    58. Declan McCullagh, Police Blotter: Google Searches Nab Wireless Hacker, CNET News.com (Dec. 20, 2006), http://www.news.com/Police-blotter-Google-searches-nab-wireless-hacker/2100-1030_3-6144962.html.

    59. Adam Liptak, Finding The Facts Of a Case Via Video, N.Y. TIMES, Mar. 2, 2009, at A12, available at http://www.nytimes.com/2009/03/03/us/03bar.html?_r=1&hp.

    60. Id.

    61. Id.

    62. Id.

    63. Elinor Mills, Google Searches Become Evidence in Murder Case, CNET News.com (Nov. 11, 2005), http://www.news.com/8301-10784_3-5947342-7.html

    64. Id.

    65. Sullivan, supra note 2.


    many users are happy to disclose personal information in exchange for free access to sites and services. However, the lack of protection and lack of uniformity in a global framework still raise significant logistical and efficiency challenges that must be addressed.

    B. THE EXISTING SYSTEM IS DEFICIENT

    Even though the last decade has seen a surge in online commerce, it would be naïve to ignore the significant problems created by the existing privacy framework. Many problems that Chief Information Officers (CIOs) face in deploying web content may be the result of systemic flaws in today's multi-jurisdictional privacy environment.66 When a real-time environment like the Internet is forced to operate in such a regime, inefficiencies arise.

    One of the great benefits of the Internet is that it provides a reliable, flexible, and relatively fast global platform. Engineers have spent millions of hours perfecting the technology that ensures effective real-time communication on a grand scale. But the efficiency gains provided by Internet technology are diminished by legal requirements that force companies to design systems that conform to multiple local privacy standards. Online companies cannot assume that their satisfaction of privacy and data-retention standards in one region will automatically satisfy the requirements of other regions.67 Executives and Internet professionals are forced to contend with tough decisions, which may include: (1) whether to build one website that conforms to the strictest privacy guideline or multiple sites in which each is tailored for the specific jurisdiction in which it operates; (2) whether to hire an army of lawyers, each experienced with the privacy laws of a particular geography, to draft privacy guidelines or simply adopt guidelines from other websites; and (3) whether to analyze and de-centralize their underlying software (often a blackbox to outsiders) to ensure local compliance. In order for companies to effectively meet the wide-ranging and unique privacy obligations around the globe, they must devote substantial resources to stay on top of regulatory changes and ensure that their data collection, sharing, and information retention policies are always compliant. This is not only a logistical problem for organizations, but also an inefficient expenditure of capital that detracts from the scalability the Internet should provide. Companies that choose to adopt strict privacy guidelines (or are compelled to adopt strict guidelines because they do not have the financial wherewithal to comply with a multi-jurisdictional regime) risk

    66. Shane Ham, Center for Democracy and Technology, Internet Privacy: The Case For Pre-emption (Mar. 28, 2009), http://www.cdt.org/privacy/ccp/statepreemption2.pdf.

    67. See Avner Levin & Mary Jo Nicholson, Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground, OTTAWA L. & TECH J. 357, 361 (2005), available at http://www.uoltj.ca/articles/vol2.2/2005.2.2.uoltj.Levin.357-395.pdf.


    detrimentally impacting the functionality of their solutions. Lost functionality in a demand elastic environment like the Internet can have significant consequences for the viability of a company. For example, laws requiring that private data (e.g. the search terms that a certain user account has executed) be wiped off servers undermine search engines' ability to monetize their services through the creation of behavioral profiles.68

    Sunnyvale, California based Yahoo! is a leading search engine recognized by Internet users around the world. Yahoo! has been in operation since the mid-1990s and enjoys a reputation as being user-friendly.69 The company goes to great lengths to promote their user-friendly philosophy - Yahoo! even created a separate website dedicated to privacy issues.70 As of March 28, 2009, Yahoo! has thirty-nine different privacy policies.71 The company regularly updates these jurisdictionally-specific policies to remain compliant with the laws of the various countries in which it operates. Yahoo! could choose to adhere to the strictest standard at all times, but that decision could diminish their ability to attract consumers and advertisers, who are, respectively, drawn to rich functional features and comprehensive user profiles. So while the world has spent billions of dollars standardizing global technology

    68. Miguel Helft, Google to Offer Ads Based on Interests, N.Y. TIMES, Mar. 11, 2009, at B3, available at http://www.nytimes.com/2009/03/11/technology/internet/11google.html?ref=technology.

    69. Posting of Bill Langston to Yahoo! Shine blog, Yahoo More User-Friendly Than Google, http://shine.yahoo.com/channel/none/yahoo-more-user-friendly-than-google-170348/ (May 18, 2008, 11:41 PDT).

    70. Yahoo! Privacy International, http://info.yahoo.com/privacy/ (last visited Mar. 29, 2009).

    71. Id.


    142 INTELL. PROP. L. BULL. [Vol. 13:131

    systems to streamline international commerce, the gains of technology standardization have been offset by an increase in transaction costs stemming from the multi-jurisdictional privacy regime.

    IV. THE U.S. "BARK NOT BITE" ERA OF REGULATION IS COMING TO AN END

    How have global Internet companies been able to navigate the challenges of an inefficient legal framework? Some large companies such as Yahoo! have gone out of their way to comply with various international standards, but the vast majority of Internet businesses have opted to do nothing, gambling that regulatory bodies will continue to shy away from an aggressive approach towards enforcing privacy laws. Most regulatory bodies are keenly aware of the dilemma facing online companies and have avoided enforcing the law for fear of chilling online commerce.72

    Using the U.S. as an example, in the early years of the Internet, the FTC rarely took action against high-profile opponents. When it did, it imposed little more than slaps on the wrist.73 In 2002, for example, the FTC charged Eli Lilly with unauthorized disclosure of personal information in violation of Section 5(a) (Unfair/Deceptive Acts) of the Federal Trade Commission Act after it disclosed the e-mail addresses of its 669 Prozac Reminder Service subscribers.74 Eli Lilly agreed to settle by signing a consent agreement that required it to establish and maintain a four-stage information security program that would administratively, technically, and physically safeguard consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.75 Any violation of the agreement would expose Eli Lilly to civil fines not exceeding $11,000.76 As of November 2007, Eli Lilly boasted a market capitalization of $59 billion and generated a gross yearly profit of $12 billion.77 While this settlement was disheartening for its lack of force against an egregious offender, the FTC's comments were even more appalling. Instead of criticizing Eli Lilly for its negligent and unprofessional practices, FTC Commissioner Orson Swindle applauded the company for its long-standing efforts

    72. Solveig Singleton, How Privacy Regulation Will Chill Commerce, Cato.org (Dec. 13, 1999), http://www.cato.org/pub_display.php?pub_id=4912.

    73. Press Release, Federal Trade Commission, Eli Lilly Settles FTC Charges Concerning Security Breach (Jan. 1, 2002), available at http://www.ftc.gov/opa/2002/01/elililly.shtm.

    74. Id.

    75. Id.

    76. Id.

    77. Yahoo! Finance, Eli Lilly Income Statement 2007, http://finance.yahoo.com/q/is?s=LLY&annual (last visited Nov. 17, 2007).


    in development of privacy practices, acceptance of responsibility for the internal failures that resulted in the alleged violation of their privacy policy, and willingness to take appropriate steps to correct mistakes.78 Moreover, Mr. Swindle deemed Eli Lilly a model for others to follow.79

    As the Internet reaches critical mass, the U.S. and many other governments are feeling emboldened to enforce privacy laws. This effect can be best described by analogy. When a business first opens or seeks to attract customers, it will often employ a strategy called loss leading.80 Loss leaders are products sold below cost to attract shoppers.81 Ideally, shoppers attracted to the store by the loss leader product will end up buying other products as well.82 Retailers hope for a net positive transaction.83 During the early days of Internet shopping, many online stores used free shipping or deep discounts on products to facilitate their loss leader strategy.84 However, as the Internet matured and the demand for customer acquisition by businesses cooled, loss leader utilization dropped.85 The same dynamic will likely take hold with respect to Internet privacy regulation. Congress has been reluctant to over-regulate the Internet in its infancy for fear of undermining its growth. In fact, a congressional moratorium banned all internet access taxes until 2014.86 But governments around the world are finally starting to view the Internet as a mature medium and are willing to consider taxing it. France has taken the lead and recently passed legislation to impose a 1% tax on all Internet access starting in 2009.87 As regulatory agencies in the United States get more comfortable with the technology that drives the Internet and online shopping becomes more entrenched in the daily life of netizens, agencies will put more bite into their compliance campaigns.

    Just as consumers eventually lose the benefits associated with loss leading, anecdotal evidence suggests that the era of an

    78. Press Release, Federal Trade Commission, Eli Lilly, supra note 73.

    79. Id.

    80. Investopedia, Loss Leader Strategy, http://www.investopedia.com/terms/l/lossleader.asp (last visited Apr. 29, 2009).

    81. Id.

    82. Id.

    83. Id.

    84. Peter Sayer, Amazon Ordered to End Free Delivery on Books in France, InfoWorld.com (Dec. 17, 2007), http://www.infoworld.com/article/07/12/12/Amazon-ordered-to-end-free-delivery-on-books-in-France_1.html.

    85. Bob Tedeschi, E-Commerce Report; Discounts Might be a Good Way to Build a Retail Clientele -- but not Until On-line Shoppers Become More Price Conscious, N.Y. TIMES, May 31, 1999, at C3, available at http://query.nytimes.com/gst/fullpage.html?res=9E03E6D91530F932A05756C0A96F958260&n=Top/News/Business/Small%20Business/E-Commerce.

    86. Jim Puzzanghera, Congress Approves Internet-Tax Moratorium, L.A. TIMES, Oct. 31, 2007, at C1, available at http://articles.latimes.com/2007/oct/31/business/fi-nettax31.

    87. Candice Novak, The Future of Internet Taxation, USNews.com (Nov. 26, 2008), http://www.usnews.com/articles/business/technology/2008/11/26/the-future-of-internet-taxation.html.


    unenforced regulatory privacy framework may be nearing an end.88 Recent statements made by U.S. governmental entities and industry-insiders have alluded to an impending paradigm shift.89 In June 2007, the FTC started to complain vigorously about the need to improve cooperation with foreign partners.90 The commission cited the challenges individuals have had in seeking legal recourse for privacy violations,91 and the hurdles confronted by law enforcement [when] pursuing matters outside their jurisdiction.92 Industry insiders are well aware of this push toward tougher laws and stronger enforcement. Randall Rothenberg, president and CEO of the Interactive Advertising Bureau, stated:

    The state of the industry is excellent, yet it's also at risk . . . anti-consumer advocates are out to stifle the industry, including the FTC, which wants complete regulation of cookies themselves and could require opt-in stipulations for all online ads. As last week's hearings suggest, [the FTC] feel[s] the time for fact-finding is over, it's now time to regulate.93

    Stricter regulations and greater frequency of enforcement actions are likely to significantly increase costs on companies that have thus far been able to put privacy issues on the back burner. The inefficiencies of today's disjointed regulatory environment will rise to the surface and throw the investment and small business community into a panic, as the risks and liabilities of online businesses are adjusted upward. When investors are faced with undefined risk stemming from a lack of regulatory clarity, a natural contraction in capital investment tends to take place.94 The reluctance to invest decreases the overall number of participants in the marketplace and diminishes the competitive forces that drive down costs and encourage innovation.95 This is likely to hurt small businesses more than large businesses because smaller businesses generally operate on thinner margins and lack the financial wherewithal to comply with multi-jurisdictional privacy requirements.

    V. ATTEMPTS TO STANDARDIZE

    Technologists and business leaders have long disapproved of a

    88. Press Release, Federal Trade Commission, FTC Joins Foreign Partners in Recommending Enhanced International Cooperation to Enforce Privacy Laws (June 14, 2007), available at http://www.ftc.gov/opa/2007/06/oecd.shtm.

    89. Id.

    90. Id.

    91. Id.

    92. Id.

    93. David Kaplan, Regulation Is Threat to Online Ads, IAB Warns, N.Y. TIMES, Nov. 7, 2007, available at http://www.nytimes.com/paidcontent/PCORG_316655.html?ref=technology.

    94. Jun Ishii & Jingming Yan, Investment Under Regulatory Uncertainty: U.S. Electricity Generation Investments Since 1996 1 (Center for the Study of Energy Markets, Working Paper No. 127, 2004), available at http://www.ucei.berkeley.edu/PDF/csemwp127.pdf.

    95. Id.


    A more contemporary attempt to streamline the interfacing of various jurisdictional frameworks was launched by the Organization for Economic Co-Operation and Development (OECD), a thirty-nation forum that promotes economic growth, trade, and development.105 The OECD has issued a number of non-binding recommendations to enhance multilateral cooperation in enforcing privacy regulations.106 The first recommendation was for all member nations to create a master point-of-contact list to better coordinate requests for assistance between nations.107 The second recommendation was utilization of a baseline request document that would ensure key items of information are included each time a request for assistance is made between nations.108

    While the safe harbor and OECD recommendations attempted to streamline the interfacing between disparate privacy models, there was a separate attempt to bring about global privacy conformity through technology. The effort was launched in 2000 by the World Wide Consortium (W3C), an international consortium which develops protocols and guidelines for the world-wide-web. Not surprisingly, the same technologists who had collaborated on standardizing inefficient Internet systems recognized the inefficiency of the global privacy regime and tried to tackle the framework from a purely technical angle.109 The W3C working group was comprised of think-tanks, software developers, the federal government, and Internet service providers. Its aim was to improve the transparency of website privacy policies.110 In 2002, this working group published an implementation guide called The Platform for Privacy Preferences (P3P).111

    P3P enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents.112 Essentially, P3P policies present a snapshot summary of how the site collects, handles and uses personal information about its visitors. P3P applications compare this summary to the user's own set of privacy preferences, and inform the user when

    http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited Apr. 6, 2009).

    105. Organization For Economic Co-Operation and Development, About Us, http://www.oecd.org/pages/0,3417,en_36734052_36734103_1_1_1_1_1,00.htm (last visited Apr. 29, 2009).

    106. Press Release, Federal Trade Commission, FTC Joins Foreign Partners, supra note 88.

    107. Id.

    108. Id.

    109. World Wide Consortium, The Platform for Privacy Preferences 1.0 Specification, http://www.w3.org/TR/P3P/#Introduction (last visited Apr. 29, 2009).

    110. World Wide Consortium, Workshop on the Future of P3P, http://www.w3.org/2002/p3p-ws/pp/ (last visited Apr. 29, 2009). Participants included: Citibank, America Online, Microsoft, Fidelity, the Federal Trade Commission, various universities, TRUSTe, the Office of the Attorney General of NY, and the European Commission.

    111. World Wide Consortium, The Platform for Privacy Preferences 1.0 Specification, supra note 109.

    112. Id.


    these preferences do not match.113 Thus, users need not read the privacy policies at every site they visit.114

    Because P3P was really nothing more than a solution that facilitated end-user notice and choice, but was at the mercy of website operators to support, it was never capable of providing a comprehensive solution. In the years following its inception, P3P failed to impress the end-user community or privacy advocates.115 Not only did the system fail to provide a mechanism for oversight, P3P could be used by the unscrupulous to give end-users a false sense of security about the legitimacy of a website's privacy claims. Michael Kaply, a technologist from IBM, strongly urged the removal of P3P support in the FireFox browser.116 Live Leer, a PR manager for Opera Software, a popular alternative web-browser, explained the deliberate lack of P3P support in their browser. "There have been some issues with how well P3P will protect privacy, and for that reason we have decided to wait until these are resolved."117 In a scathing report issued by EPIC, P3P was harshly criticized for providing "Pretty Poor Privacy." The report disparaged P3P's (1) failure to establish true privacy standards, (2) inability to exclude non-compliant sites, and (3) inability to enforce privacy policies.118 In practice, because of sporadic adoption, P3P provided little to no protection119 and most browsers dropped support for the standard.120
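The matching step described above, in which a user agent compares a site's P3P summary with the user's own preferences, can be sketched as follows. This is an added example, not code from the article or from the W3C; it uses the compact-policy token vocabulary of the P3P 1.0 specification, while the preference set, the sample headers and the function names are assumptions constructed for illustration.

```python
import re

# Token vocabulary of the P3P 1.0 compact-policy syntax.
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",   # access
         "DSP", "COR", "MON", "LAW", "NID", "TST"}   # disputes, remedies, misc
# Consent suffix on a purpose or recipient; no suffix means "always".
CONSENT = {None: "always", "a": "always", "i": "opt-in", "o": "opt-out"}

# Assumed user preferences (illustrative, not defined by the specification).
USER_PREFS = {
    "opt_in_purposes": {"TEL", "CON", "PSD", "IVD", "OTP"},
    "opt_in_recipients": {"UNR", "PUB", "OTR"},
    "refused_retention": {"IND"},
    "refused_categories": {"HEA", "FIN", "POL", "GOV"},
}

# Constructed sample values of the P3P response header.
SAMPLES = {
    "acceptable": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM DEV OUR STP NAV COM"',
    "mismatch": 'CP="NOI CUR TELo CONi UNR IND HEA NAV"',
    "malformed": 'CP="CUR OUR XYZ"',
    "missing": 'policyref="/w3c/p3p.xml"',
}


def parse_compact_policy(header_value):
    """Parse a P3P header value; return None when it carries no CP string."""
    found = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not found:
        return None
    policy = {"purposes": {}, "recipients": {}, "retention": set(),
              "categories": set(), "other": set(), "unknown": []}
    for token in found.group(1).split():
        m = re.fullmatch(r"([A-Z]{3})([aio])?", token)
        base, suffix = m.groups() if m else (None, None)
        # CUR and OUR never take a consent suffix in the compact syntax.
        if base in PURPOSE and not (base == "CUR" and suffix):
            policy["purposes"][base] = CONSENT[suffix]
        elif base in RECIPIENT and not (base == "OUR" and suffix):
            policy["recipients"][base] = CONSENT[suffix]
        elif base in RETENTION and not suffix:
            policy["retention"].add(base)
        elif base in CATEGORY and not suffix:
            policy["categories"].add(base)
        elif base in OTHER and not suffix:
            policy["other"].add(base)
        else:
            policy["unknown"].append(token)  # fail closed on anything else
    return policy


def evaluate(header_value, prefs=USER_PREFS):
    """Return the mismatches between a site's declared policy and the prefs."""
    policy = parse_compact_policy(header_value)
    if policy is None:
        return ["no compact policy sent"]
    problems = [f"unrecognized token {t!r}" for t in policy["unknown"]]
    for tok, consent in sorted(policy["purposes"].items()):
        if tok in prefs["opt_in_purposes"] and consent != "opt-in":
            problems.append(f"purpose {tok} applies {consent}, user requires opt-in")
    for tok, consent in sorted(policy["recipients"].items()):
        if tok in prefs["opt_in_recipients"] and consent != "opt-in":
            problems.append(f"recipient {tok} applies {consent}, user requires opt-in")
    for tok in sorted(policy["retention"] & prefs["refused_retention"]):
        problems.append(f"retention {tok} refused by user")
    for tok in sorted(policy["categories"] & prefs["refused_categories"]):
        problems.append(f"data category {tok} refused by user")
    return problems


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, evaluate(header) or "declared policy acceptable")
```

An empty result means only that the declared policy is acceptable to the user; the agent has no means of confirming that the site behaves as declared, which is the oversight gap criticized above.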

    VI. THE FUTURE GLOBAL PRIVACY REGIME

    The safe harbor, OECD, and P3P platform lacked the substance to provide a comprehensive solution that satisfied consumers, providers, and technologists. None of the proposals established a baseline structure that could bring order to the current challenges. Assuming that a streamlined global privacy framework could be established, what would the system look like?

    In 2005, the Asia Pacific Economic Cooperation (APEC) set out to provide the first comprehensive legal framework on the issue

    113. P3P Toolbox, What is P3P and How Does it Work?, http://www.p3ptoolbox.org/guide/section2.shtml (last visited Apr. 11, 2009).

    114. World Wide Consortium, Platform for Privacy Preferences (P3P) Project, http://www.w3.org/P3P/ (last visited Apr. 29, 2009).

    115. Posting of Michael Kaply to https://bugzilla.mozilla.org/show_bug.cgi?id=225287#c12 (Apr. 28, 2004, 05:15:44 PTD).

    116. Id.

    117. Jason Levitt, P3P: Protector of Consumers' Online Privacy, INFORMATIONWEEK, Aug. 20, 2001, at 44, available at http://www.informationweek.com/story/IWK20010816S0004.

    118. ELEC. PRIVACY INFO. CTR. & JUNKBUSTERS, PRETTY POOR PRIVACY: AN ASSESSMENT OF P3P AND INTERNET PRIVACY (2000), available at http://epic.org/reports/prettypoorprivacy.html.

    119. Chris Oakes, The Trouble with P3P, WIRED, June 25, 1998, available at http://www.wired.com/science/discoveries/news/1998/06/13242.

    120. Id.


    of global data privacy.121 APEC is made up of twenty-one members, including Australia, Canada, China, Japan, Russia, and the United States.122 The APEC members constitute approximately 57 percent of the world's Gross Domestic Product and 45 percent of the world's trade.123 At the heart of the APEC Privacy Framework is a set of nine principles that apply to personal information about a living individual processed by a personal information controller, a person or organization who controls the collection, holding, processing, or use of personal information.124 The APEC framework, strongly advocated for by the corporate titan Google, seeks to ensure the continued growth of online commerce. Central to the APEC framework is the goal of building consumer trust and confidence in the privacy and security of online transactions and information networks.125 APEC seeks to address the concern that individuals have about the harmful consequences from the misuse of their information126 which could have adverse implications for global business and economics.127 Moreover, the framework seeks to overcome regulatory systems that unnecessarily restrict this [data] flow or place burdens on it. . . [because they have] . . . adverse implications for global business and economies.128

    The APEC proposal has had its share of critics and supporters. APEC supporter Eric Schmidt, CEO of Google, wrote that APEC-like proposals

    would increase transparency and consumer choice, helping people to make informed decisions about the services they use as well as reducing the need for additional regulation. For business [sic] agreed standards would mean being able to work within one clear framework, rather than the dozens that exist today. This would help stimulate innovation. And for governments, a common approach would help dramatically improve the flow of data between countries promoting trade and commerce.129

    While Schmidt's editorial accurately reflects many of the problems with today's framework, the APEC solution he proposes does little to address those issues, and in many ways exacerbates the

    121. APEC ELEC. COMMERCE STEERING GROUP, APEC PRIVACY FRAMEWORK FACTSHEET, http://www.apec.org/apec/news___media/fact_sheets/apec_privacy_framework.html (last visited Apr. 11, 2009).

    122. About APEC, http://www.apec.org/apec/about_apec.html (last visited Apr. 11, 2009).

    123. Hon. Philip Ruddock, Attorney-General, Remarks at the Office of the Privacy Commissioner [Australia] and Microsoft Breakfast Forum 8 (2007), http://privacy.gov.au/news/speeches/sp04_07.pdf.

    124. Pounder, supra note 30.

    125. Id.

    126. Id.

    127. Id.

    128. Id.

    129. Peter Fleischer Privacy blog, Eric Schmidt on Global Privacy, http://peterfleischer.blogspot.com/2007/09/eric-schmidt-on-global-privacy.html (Sept. 19, 2007).


    problem. APEC would give private corporations carte blanche to exploit private user data through an overly flexible, self-regulated, interpretive system and provide no mechanism for oversight.

    The fundamental problem with the APEC framework is that it does not provide the level of granularity needed to adequately protect private data in accordance with its principles.130 Nations can exploit loose diplomatic language to interpret the APEC however they see fit.131 Dr. Chris Pounder, editor of Data Protection Quarterly, maintains that the APEC proposal was heavily deficient as a result of diplomatic wrangling and this resulted in the fudging of important issues132 and principles that are ambiguous.133 Pounder concedes that ironing out a framework via APEC was a major leap forward since many countries that belong to APEC are not fully developed in their democratic structures and some Asiatic national governments contain a strong authoritarian streak. Some privacy progress in these states is better than no progress.134 It should also be pointed out that the APEC framework is not binding on member nations because it would not have been ratified otherwise. China, not surprisingly, has resisted adopting the recommendations.135 Since the Internet is a global platform, it needs a solid set of baseline standards. The vague principles that the APEC rules present have little practical impact on ensuring corporate compliance or end-user privacy.

    VII. COMPETING FORCES - SELF-REGULATION, NO-REGULATION, OR TOP-DOWN REGULATION?

    The future of global Internet privacy is being fiercely debated by governments, private market participants, and the public.136 So vocal and scattered are the various opinions in this debate that even some leading corporations, such as Yahoo!, have been unable to build consensus within their own ranks, causing them to delay taking official positions. When asked to comment on proposals such as the APEC framework, a Yahoo! representative made the following indecisive statement:

    Yahoo! is dedicated to protecting the privacy of our users. It is a cornerstone of the trusted relationship that we have built with consumers. We are involved in a number of discussions, internally, and with others in the industry about the best methods for

    130. Pounder, supra note 30.

    131. Id.

    132. Id.

    133. Id.

    134. Id.

    135. Id.

    136. Kenneth Corbin, The Privacy Debate Beyond Google-DoubleClick, InternetNews.com (Mar. 13, 2008), http://www.internetnews.com/security/article.php/3733801/The+Privacy+Debate+Beyond+GoogleDoubleClick.htm.


    protecting consumer privacy. Those important conversations will continue in the months ahead.137

    Google, on the other hand, supports APEC and is lobbying hard to push the framework onto international regulators.138 In order to determine why Google is pushing for the APEC framework while other companies have abstained from taking a position, it is helpful to explore the various schools of thought and examine the competing forces that seek to shape tomorrow's privacy framework.

    There are three major schools of thought that encompass the debate on what the future of online privacy should look like. One view, which espouses top-down regulation, favors stringent regulatory oversight and would require companies to follow a well-defined minimal standard of privacy.139 The closest real-world example of such a system would be the privacy framework put forth by the European Union, which emphasizes government participation in regulating online privacy.140 A second view discourages mandated enforcement of any privacy protection. Supporters of this view are: (1) authoritarian and despotic governments, (2) individuals/groups who view government and corporate entities as untrustworthy, and (3) free-market (laissez-faire) capitalists who believe the market should be left to its own devices.141 A third view advocates for industry self-regulation on grounds that companies in control of technology are in a better position than government actors to create privacy rules, implement compliance monitoring, and manage enforcement.142 Proponents of this view can be seen as straddling the other two views, since they do not necessarily want weak consumer protection, but also resist top-down regulation and enforcement.

    In the corporate context, the debate about how privacy should be handled is slightly more nuanced. There is a strong push for companies to generate profits by monetizing functionality and building as many profit-centers as possible. Outsell Inc., a leading analyst of the publishing and information industry, forecasts total U.S. advertising spending will grow 5.8 percent in 2007, with advertisers planning to increase their online advertising by 17.8 percent in 2007, faster than any other major media type.143

    137. Elinor Mills, Google Proposes Global Privacy Standard, ZDNET (Sept. 13, 2007), http://news.zdnet.com/2100-9588_22-6207927.html.

    138. Peter Fleischer Privacy blog, supra note 129.

    139. GREGORY F. REHMKE, NATIONAL CENTER FOR POLICY ANALYSIS, THE EVOLVING TECHNOLOGIES OF INTERNET PRIVACY 6-7, Apr. 27, 2001, http://www.ncpa.org/pub/bg156?pg=5.

    140. See Council Directive 95/46, supra note 23.

    141. James Glassman, Online Privacy, Reason.com (May 29, 2000), http://www.reason.com/news/show/36057.html.

    142. Center for Democracy and Technology, Guide to Online Privacy, http://www.cdt.org/privacy/guide/protect/ (see section on Industry Self-Regulation) (last visited Apr. 29, 2009).

    143. Convera, http://www.convera.com/solutions/servicePublisher.asp (last visited Nov. 7,


    Moreover, Outsell Inc. predicts that as [b]ehavioral targeting becomes a mainstream online advertising technique those publishers with search history information about their target audience can expect to increase yields more effectively across their web sites and not just on search results pages.144 The temptation on the part of corporations to expand advertising margins by leveraging behavioral profiles seems almost irresistible. But there is a strong countervailing force, as most tech organizations have entrenched and vocal geeks in those organizations that strongly oppose the diminishment of end-users' privacy rights. These geeks are often founders of large and powerful technology companies, as was the case with Linus Torvalds, creator of the Linux operating system.145

    Unfortunately, more often than not, the drive for profits overcomes even the most impassioned corporate privacy geek. But there may be good business justification for pursuing privacy-friendly policies. Internet consumers could one day abandon companies that do not offer strong privacy protection.146 Former FTC Chairman Christine Varney referred to this possibility in the early days of the modern Internet. In 1996, she said: "in the online world, privacy may become a market commodity, given adequate levels of government initiatives and public education."147 If end-users begin to perceive a company like Google as a privacy piranha, they may switch to a privacy-friendly site in droves. Companies seem to be aware of this possibility.148

    As the mainstream media has increasingly scrutinized online privacy policies, various search engines have responded by reassessing their corporate practices when dealing with user data. In 2007, CNET reported that in the last few months the search engine business has experienced its own version of cutthroat competition: a privacy policy war with Google, Ask.com, and Microsoft vying to outdo one another.149 In response to earlier privacy surveys conducted by news organizations, search engines began to tighten some of their quantifiable privacy protections.150 In early 2007, Google agreed to set expiration dates on retention of user data,151

    2007).

    144. Id.

    145. Linux, Biography of Linus Torvalds, http://www.linux.org/info/linus.html (last visited Nov. 7, 2007).

    146. Christine A. Varney, Commissioner, Fed. Trade Comm'n, Address at the Privacy & American Business National Conference, Consumer Privacy in the Information Age: A View From the United States (Oct. 9, 1996), available at http://www.ftc.gov/speeches/varney/priv&ame.shtm.

    147. Id.

    148. Declan McCullagh, How Search Engines Rate on Privacy, CNET News.com (Aug. 13, 2007), http://www.news.com/2100-1029_3-6202068.html.

    149. Id.

    150. Id.

    151. Danny Sullivan, Google Responds To EU: Cutting Raw Log Retention Time;


    and Ask.com promised to stop recording user search histories altogether.152 Google also has shortened the lifespan of its cookies from expiring in 2038 to expiring two years from the user's last visit.153 New ventures have launched to address the privacy concerns of end-users and privacy advocates. IxQuick.com, a meta-search-engine company started in 1998, deletes all user search data within 48 hours.154 The company claims to have become profitable over the last two years by leveraging its unique privacy-friendly philosophy to garner a wide audience of end-users.155

    The debate on how best to address privacy concerns is not limited to the business sector; competing interests are also skirmishing on the legislative front.156 Recently, legislative bills completely at odds with one another have been introduced to address data retention requirements.157 In early 2007, Republican Lamar Smith of Texas sought to introduce a provision in the SAFETY Act which would have given the attorney general discretion to write the rules on what data information companies would have to retain and how long they would have to retain them.158 Smith identified mandatory data retention as the number one tool law enforcement needed to identify and prosecute Internet sexual predators.159 Privacy advocates such as Lauren Weinstein, co-founder of People for Internet Responsibility, said Smith's proposal was far too vague. "[The] bill is so incredibly bad that it opens up a whole array of things that can go wrong, because there's nothing in this legislation to prevent the attorney general from simply saying, 'Save everything forever.'"160 Weinstein called data retention the single most important issue relating to privacy, free speech, and technology.161

    Another legislative bill proposed by Representative Ed Markey, Democrat from Massachusetts, would require every web site operator to delete information about visitors, including e-mail addresses, if the data is no longer required for a legitimate business purpose.162 The

    Reconsidering Cookie Expiration, Search Engine Land (June 12, 2007), http://searchengineland.com/google-responds-to-eu-cutting-raw-log-retention-time-reconsidering-cookie-expiration-11443.

    152. Jennifer LeClaire, Ask.com Gives Privacy Control to Users, Top Tech News (Dec. 11, 2007), http://www.toptechnews.com/story.xhtml?story_id=02300243I5FJ.

    153. Sullivan, supra note 151.

    154. IxQuick.com, IxQuick Protects Your Privacy, http://us.ixquick.com/eng/protect_privacy.html (last visited Nov. 7, 2007).

    155. IxQuick.com, Q&A, http://us.ixquick.com/eng/press/qa.pdf (last visited Nov. 7, 2007).

    156. Ellen Nakashima, Bill Would Make ISPs Keep Data on Users, WASH. POST, Feb. 13, 2007, at D03, available at http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021201337.html.

    157. Id.

    158. Id.

    159. Nakashima, supra note 156.

    160. Id.

    161. Id.

    162. Declan McCullagh, Bill Would Force Web Sites to Delete Personal Info, CNET

  • 8/2/2019 Global Internet Privacy Rights - A Pragmatic Approach

    23/28

    WAFA 5/31/2009 2:06:55PM

    2009] GLOBAL INTERNET PRIVACY RIGHTS 153

    bill would apply to every U.S. web site, even ones run by individuals,bloggers, nonprofit groups, and charities.163 The bill was referred tothe Subcommittee on Commerce, Trade, and Consumer Protection in

    February of 2006, but no further action has takenplace as of April of2009.164

    The chaotic state of the privacy debate may be the opportune time for a corporate titan to push its own agenda. As a leader in leveraging user data, Google would benefit most from an unregulated market-space. But as mentioned previously, Google is aware that regulation is coming and they want to get ahead of the problem.165 The scrutiny that online companies are under by the mainstream media, the technology community, and the government is really hitting home for some tech executives. Jerry Yang, CEO of Yahoo!, was grilled and humiliated on Capitol Hill for providing private user data to Chinese authorities that resulted in the detention and alleged torture of political dissidents.166 Yahoo! settled the case for an undisclosed sum and said it would provide financial support to the families and back a humanitarian relief fund to support other political dissidents and their families.167 With all the scrutiny that website operators are under, it is hard to imagine that they would push for an unregulated space. Corporate behemoths have to push for the next best thing, self-regulation. But many commentators argue that the line between self-regulation and no regulation is hard to distinguish.168 Solveig Singleton of the Cato Institute points out that true market-based self-regulation blurs into no regulation at all, with each company regulating itself according to internal standards of customer or client service and no third party oversight.169

    Google's push for global regulators to adopt the APEC framework should be of great concern to the general public. By taking advantage of its huge user base and functional superiority, Google could easily undermine the rights of users by (1) deceptively portraying itself as a privacy advocate; (2) taking advantage of this image to slowly and methodically monetize and exploit increasing amounts of customer data; and (3) pushing for a purely self-regulated global framework (like APEC) which would facilitate its ability to exploit vague language in order to operate in a regulatory vacuum.

    News.com (Feb. 8, 2006), http://www.news.com/Bill-would-force-Web-sites-to-delete-personal-info/2100-1028_3-6036951.html.

    163. Id.

    164. Govtrack, H.R. 4731: Eliminate Warehousing of Consumer Internet Data Act of 2006, http://www.govtrack.us/congress/bill.xpd?bill=h109-4731 (last visited Apr. 29, 2009).

    165. Kaplan, supra note 93.

    166. Eric Auchard, Yahoo! settles with Chinese dissidents, SYDNEY MORNING HERALD, Nov. 14, 2007, available at http://www.smh.com.au/news/technology/yahoo-settles-with-chinese-dissidents/2007/11/14/1194766770407.html.

    167. Id.

    168. Singleton, supra note 39.

    169. Id.

    VIII. WHAT SHOULD THE REPLACEMENT SYSTEM LOOK LIKE?

    The preceding analysis sought to expose the flaws of the existing system and the potential dangers of the APEC/Google replacement solution, which either falls short because of vagueness or lacks uniform regulation altogether. Finding a viable solution that balances efficiency concerns while still ensuring privacy and respecting cultural sensitivities is no easy task, but there are several important features that a successful system should contain. These include: (1) top-down regulation, (2) aggressive enforcement, and (3) innovative auditing procedures.

    A. TOP DOWN REGULATION HAS A ROLE TO PLAY

    While private industry may encourage self-regulation, it is important to recognize the dangers of relying exclusively on such an approach. The release of private data can inflict irreparable harm on users. In a perfect marketplace where end-users are provided with an adequate degree of notice to help them make purchasing decisions, a market-driven solution may be viable. Unfortunately, today's marketplace does not provide such a luxury. The complexity, fluidity, and one-time nature of online shopping make it unlikely that most users will receive the notice needed to make efficient choices. Assuming users are informed about corporate privacy policies and practices, a market-driven solution would still only be viable if consumers could turn to meaningful alternatives. Unfortunately, oligopolies control critical aspects of the Internet and the temptation for them to exploit end-user data is significant.170 As of September 2007, the top four search engines (Google, Yahoo!, MSN, and AOL) controlled nearly 92 percent of searches, while the top ten controlled nearly 97 percent of searches.171 This compelling evidence reveals that the marketplace lacks the functionally equivalent alternatives necessary to facilitate a market-based solution. Moreover, relying on oligopolies to provide privacy protection is unwise in light of business models that make the leveraging of private user data extremely lucrative. Even if viable alternatives do start to emerge, smaller companies would be in danger of being acquired or squashed by oligopolies who have the financial wherewithal and incentive to crush them before they become a threat.

    170. Fred Aun, Social Nets Sit on Goldmine of Behavioral Data, Says Jupiter, ClickZ (June 19, 2007), http://www.clickz.com/3626212.

    171. Enid Burns, Top 10 U.S. Search Providers, September 2007, SearchEngineWatch.com (Oct. 26, 2007), http://searchenginewatch.com/showPage.html?page=3627422 (rounding out the top ten, in descending order, are: Ask.com; My Web Search; Comcast; BellSouth; SBC Yellow Pages; and My Way).

    B. AUDITING OF POLICIES IN A SYSTEMATIC WAY IS CRITICAL

    The FTC's existing recommendations for protecting online privacy are weak.172 The commission recommends that users get a copy of their credit report173 and warns that users should realize that those reports may be obtained by others.174 Even leading privacy organizations have a hard time giving consumers useful advice about how to stay protected online. TRUST-e, a leading privacy-rights organization, makes a vague recommendation on its website that users should be careful and choose wisely.175 Consumers do not have the information or practical choices to heed this advice each time they shop online. We live in a fast-paced world where corporate policies are difficult to scrutinize and interpret. The inability of governments or privacy advocates to give concrete guidance on how to protect personal data stems not from the ineptitude of those groups, but rather, from the lack of tools that the existing system provides.

    One powerful tool to quickly and easily ensure privacy protection would be to mandate that all websites engaged in commercial activity (e.g., any website generating revenue through advertising, sales, or donations) receive an annual privacy audit and an ensuing grade. CertifiedSecure is a privacy auditing firm based out of the Netherlands that audits websites and data providers to ensure that their practices meet minimum privacy standards.176 The firm investigates the processes, technology, and data-retention and handling practices of companies to ensure compliance with well-defined requirements guided by industry best-practices that are even more granular than those proposed by European Union initiatives.177 These requirements include: (1) documentation procedures (e.g., that all stored private information and its retention period be classified and documented); (2) storage practices (e.g., that all private information be stored when explicitly required by law or when required by the business model of the collector); (3) security (e.g., that all inter-system communications containing private information use advanced encryption); and (4) privacy policy validation (e.g., that company practices comport with the online privacy policy put forth by the company).178 Auditing is a time-tested strategy that can help streamline operations by elucidating areas of weakness, increase proactivity on the part of those being audited to meet their responsibilities, and improve transparency about a company to the general public.

    172. Regan, supra note 34.

    173. Id.

    174. Id.

    175. Id.

    176. Certified Secure, Website Privacy Protected Checklist, http://www.certifiedsecure.nl/checklists/cs-spec-checklist-privacy-protected.pdf (last visited Nov. 7, 2007).

    177. Id.

    178. Id.

    The auditing process for websites would be comprised of a number of steps. First, sites deemed covered entities (e.g., those that meet the commercial test laid out above) would be required to register with a newly formed regulatory agency charged with online privacy regulation. This agency would maintain and certify qualified auditors (private companies or individual agents) who would be tasked with facilitating the inspection and audit of the covered entities. Certified auditors would be tasked with the identification of all critical components (see paragraph above) necessary to ensure a privacy friendly experience for end-users. Once an audit and inspection report were completed, the auditor would provide a copy to the website operator and provide them an opportunity to remediate problematic issues. If the issues were not remediated in a timely manner, the auditor would disclose that the site was privacy unfriendly, place the site on a public watchlist, and encourage visitors to avoid transactions with this business until the issues become resolved. Depending on the egregiousness of the violation, fines may be levied against noncompliant covered entities. Funding for this process could be facilitated by a small levy on commercial websites or by way of a nominal fee as part of the annual audit registration. Without mandating audits, there is no way to ensure corporations are meeting their privacy obligations to users and no easy way for consumers to objectively gauge how one site compares to another. In the same way that consumers (and clean businesses) have found restaurant health and safety code ratings a valuable tool, end-users (and privacy friendly web operators) would likely find audits and inspections of online privacy a very valuable tool.

    IX. CONCLUSION

    The current global privacy system is overly complex and dysfunctional. As a result, regulatory bodies have avoided legitimate action against privacy law violators for fear of chilling online commercial activity. Even though compliance action has thus far been minimal, it is not implied that this trend will be perpetual. If and when regulatory agencies begin taking stronger action to protect consumer privacy, the existing privacy framework will be unable to cope because of its inherent lack of uniformity. Businesses will continue to be confused as to their responsibilities across multiple jurisdictions, and Internet investment will contract as the cost of complying with the previously un-enforced potpourri of jurisdictional laws becomes overly burdensome.

    If, on the other hand, regulatory bodies maintain the status-quo (characterized by weak enforcement of divergent legal standards), consumer privacy rights will continue to suffer. Unscrupulous companies and individuals armed with new technologies (behavioral profiling, advanced cookies, interlinked databases, etc.) will be able to exploit user data without fear of repercussion. Action must be taken to head off the disaster ahead, but the lead replacement system, the APEC Privacy Framework, is not a good solution. APEC would give private corporations carte blanche to exploit private user data through an overly flexible self-regulated interpretive system and would provide no mechanism for oversight.

    Some argue that a truly comprehensive global privacy framework will never come about because it would be impossible for the nations of the world to reach consensus on the granular issues that would need to be standardized for such a framework to succeed. Others contend that public interest groups and international citizens (as represented by their governments) will be unable to protect privacy because powerful business lobbies will stop at nothing to assert their own agendas. Privacy is a deeply personal issue that is sensitive to the impulse of public opinion. Although cynical views may prevail in the short-run, the outcome may change as the public is increasingly exposed to the ramifications of the new privacy paradigm in: (1) the legal world (with questionable online searches being used against citizens in court); (2) the burgeoning black-market for identity theft (as security breaches become more and more prevalent); and (3) in the intentional or inadvertent exposure of private facts that Internet searches facilitate. If and when the public does wake up to the harms that widespread collection and dissemination of private data can cause, it is critical that a viable global privacy framework be set up to quickly facilitate the protections the public seeks.

    Long ago, a respected group of leading technologists claimed it would be impossible to effectively standardize Internet technology because of conflicting views about which methodologies were most efficient. In 1992, these individuals, led by David Clark, coined the famous computing phrase, "[W]e reject: kings, presidents, and voting. We believe in: rough consensus and running code."179 Some of the most remarkable and innovative solutions were produced during this age of standardization, as the international community pooled its resources and worked using a collaborative and open-source approach to come to a rough-consensus.180 This collaborative standardization approach has been refined over the years and continues to enjoy much success, as evidenced by the popularity of open-source solutions such as Linux and Firefox. If technology standardization can be achieved through rough global consensus, then surely international actors can agree to legal standards that ensure the right to privacy.

    179. Andrew L. Russell, Rough Consensus and Running Code and the Internet-OSI Standards War, 28 IEEE ANNALS OF THE HIST. COMPUTING 48, 49 (2006), available at http://www2.computer.org/portal/web/csdl/doi/10.1109/MAHC.2006.42.

    180. Id.