by Hon. Orson Swindle

Progress On Point
Periodic Commentaries on the Policy Debate
Release 8.4 n March 2001

This past year, I had the opportunity to read or hear speeches from a number of private sector leaders on the subject of privacy. Two of these speeches, by IBM Chairman Lou Gerstner and AOL Time Warner CEO Jerry Levin, struck me because of their similar messages. Speaking about the roles of government and the private sector in technology policy, each strongly suggested that “the private sector must lead.” I wholeheartedly agree, for current-day civics tells us that if the private sector fails to lead, politicians and government bureaucrats will try to.

There is no better example of this reaction than online privacy and the information revolution. Consumers are growing more and more concerned about protecting their privacy. Privacy advocates have been vigorously lobbying for the government to get involved. This past year, not surprisingly, Congressional activity concerning privacy was in full swing, with dozens of bills introduced in Congress that would, to one degree or another, legislate privacy practices for businesses in electronic commerce.

Obviously, privacy is a serious subject. People are justifiably concerned as they become more and more aware of the capacity of telecommunications, computers, and other electronic devices to collect information, often without their even knowing it. When that information is personally identifiable and when it is transferred to others without permission, concerns increase dramatically.

Responding to real and perceived concerns, last Spring a majority of the Federal Trade Commission chose to make some legislative recommendations to Congress that in my mind raise more issues than any legislation need resolve. No one should dispute the notion that privacy concerns are serious. We all agree on that. That’s not the issue. The question is, how do we solve the problems posed by the issue of protecting personal privacy, in both the online and the offline worlds of commerce? I believe that if government and politicians feel that they must “do something” about consumer privacy concerns, we simply must get it right the first time. The consequences of getting it wrong could be extremely costly.

Who is in the best position to decide how, and who is more capable of protecting consumer privacy? The Federal Trade Commission is filled with extremely competent and hard-working professionals trying to do good as they see it. Government bureaucracies frequently possess an attitude that they can solve most problems of those they perceive as being incapable of finding solutions for themselves. During the period of “malaise” in the Carter Administration, some suggested that the people were the problem and government was the solution to curing our ills. My friend Jack Kemp had it right when he suggested the government was the problem, and the people were the solution. The debate continues, and solving privacy concerns is center stage. Can solutions best be found in government’s bureaucracy, or can the private sector make it happen?

The FTC has been studying this issue for years, examining the manner in which consumers and businesses are engaged in electronic commerce and, of particular interest, what they are doing to protect personal privacy. The Commission has conducted three surveys since 1998, in which we have assessed how many websites are addressing privacy concerns by posting notices of privacy practices and explaining what they do with the information they collect. In our first survey (1998), we discovered that only 14 percent of surveyed sites had posted any form of privacy notice. In our 2000 survey, almost 90 percent of all sites were posting some form of privacy notice or disclosure, and among the top 100 most visited websites, 100 percent were posting some form of privacy practice notice.

Throughout this process, I have been an advocate for industry’s taking the lead in solving this problem through self-regulation. And, for two years, the Commission agreed that self-regulation was the best approach. In spite of this and the significant progress, suddenly last year the Commission -- over my objections -- urged Congress to impose a mandatory regulatory scheme covering all consumer-oriented commercial websites. And this was done without any objective justification.

The regimen the Commission proposed is based on four "fair information practices" -- Notice, Choice, Access and Security -- which the majority at the Commission described as “widely accepted.” I asked, "Widely accepted by whom?" It turns out, in fact, that these principles do not seem to be accepted, as a practical matter, very widely at all -- not even by government itself. For example, a General Accounting Office assessment of how widely the government has accepted and employed these FTC-suggested mandatory principles revealed that less than three percent of all government agencies were abiding by the "widely accepted" rules. One is reminded of the old adage, “do as I say, not as I do.”

I have called the FTC's report and recommendation for broad, sweeping privacy regulation "embarrassingly flawed." Obviously, strong words, but in my view, the Commission has ignored some basic tenets of sound policy.

For example, it is a basic tenet of regulatory action that the government should get involved only when the marketplace has failed. As a general matter, the marketplace works pretty well in this country -- better than the European model in which government is much more involved, especially in the privacy issue. In the case of privacy practices, there has been no evidence of market failure -- certainly nothing warranting the extreme measures proposed by the Commission.

A second tenet is that regulation should be based upon an analysis of its costs and benefits. But there was no effort to evaluate the costs and the benefits of the regulatory solution the Commission prescribed. I think we owe it to the American taxpayers, and to those in the private sector who are risking their capital, to analyze the impact of what we suggest they do. But there has been no effort to do that. In fact, there was no empirical evidence that the Commission’s regulatory prescriptions would make a difference one way or the other. For example, one of the arguments made for regulation was that electronic commerce is being hurt because some people fear the loss of their personal privacy and therefore will not shop online. There is no evidence of that. In fact, online sales between October and December, 2000 surged to $8.7 billion, a 36 percent increase over the prior quarter. The fourth quarter marked the first time that online sales accounted for more than one percent of total retail sales.

Two of the practices the FTC proposed mandating were access and security. In fact, early last year, we had a very distinguished advisory group, comprising of 40 experts, that analyzed the issues of access and security. The group focused on developing a specific approach for accomplishing these goals in a practical way and determining how much it would cost to do so. At the end of five months, lots of drafting and several meetings, the advisory group came to the conclusion that creating a practical and workable system was a complex task and likely would be extremely costly. Yet, the FTC majority recommended that Congress mandate access and security, disregarding the fact that the advisory group considering just such a task for us had no concrete idea how to do it. We suggested that Congress impose the requirement and the Federal Trade Commission somehow work out the details.

To be successful, industry has to make the privacy concerns of customers and the general public a part of its corporate culture. Acting responsibly to protect consumer privacy has to permeate the structure of the organization, so when goals are established, procedures are being developed, and software and devices are designed, their impact on customer privacy is always in the equation.

Industry also needs to lead by educating members of Congress about the benefits of this marvelous new technology and about the costs of unreasonable and unnecessary regulation. And industry needs to take the lead in educating the public and building a sense of confidence. What people don’t understand causes them concern. Consumers need to understand the benefits of electronic commerce, and why, for example, “cookies" make it work even better and thus aren’t automatically evil.

Last, industry needs to lead responsibly, and that includes taking a hard look at all of its practices and ensuring everything it is doing is both legal and ethical. Most assuredly, the dominant driving force behind government regulation of the Internet will be the real or perceived failure of business to act responsibly.

As for government regulators and politicians, we need to look before we leap. The desire to “do good” is often doomed to terrible results. We need to remember that the law of unintended consequences is always lying in wait. Double-edged swords are commonplace in government regulation. In the information technology business, a misjudgment, no matter how noble the intent, could lead to terrible consequences.

Once government laws and regulations are enacted, reversing them is most difficult. I believe it was our wonderful philosopher for the common man, Will Rogers, who once said, “All government programs have three things in common: a beginning, a middle, and no end.”

Orson Swindle is a Commissioner on the Federal Trade Commission. The views expressed here are his own, and do not necessarily represent those of the Commission, other Commissioners or staff. This paper is based on remarks delivered before the Governor's Commission on Information Technology, Richmond, Virginia, August 31, 2000.