Privacy Needn’t Crumble Before Cookies and Spam

Washington is hellbent to pass new “privacy” legislation. Polls say it is on everyone’s mind, and new technologies are making many people nervous: “Carnivore” lets the FBI sniff out e-mail; “cookies” and “Web bugs” help Web site operators track Internet surfing habits; information submitted online facilitates the sending of junk e-mail--”spam”--marketing messages; and wireless devices essentially beam our locations in real time.

None of this is entirely new. The FBI has been tracking and intercepting criminals electronically for decades; acquisition and analysis of consumers’ shopping and spending preferences, habits and patterns have long been a staple of sophisticated marketing; direct mail targeted to potential buyers through the post office has a substantial track record; and locational information--well, this is new. Still, imposing “new” solutions on the Internet prematurely may very well have what Sen. Christopher J. Dodd (D-Conn.) feared would be “deep unintended consequences.”

The fact is, very little bad has happened on the Internet privacy front. Even online advertising company DoubleClick Inc., which has been profoundly under siege for considering a business plan to combine information about customer transactions from both online and off-line sources, was recently cleared by the Federal Trade Commission because the company never actually violated any of its privacy commitments.

There is, however, a genuine, terrible privacy problem exacerbated by the Internet. It is identity theft--the appropriation of someone else’s identity for the purpose of committing a crime. The vast amount of information publicly available to criminals facilitates identity theft. The government estimates that more than 500,000 people are victimized each year, and it is costing consumers and financial institutions enormous sums of money, while victims suffer battered credit ratings and considerable psychological damage.

Yet most of the privacy legislation being considered in Washington and in the states will not stop or slow identity theft. In fact, it may divert attention--and resources--away from deterring and catching criminals. So instead of worrying about “cookie” policies, Congress and state legislatures should turn forthwith to legislation to deter identity theft, right? Amazingly, they have. In 1998, Congress passed the “Identity Theft and Assumption Deterrence Act,” and last year it enacted the “Internet False Identification Prevention Act of 2000.” In a nutshell, Congress has criminalized identity theft, and so have 22 states specifically, while another 17 have relevant legal prohibitions.

The solution, therefore, is not new laws but more aggressive enforcement of the existing ones. Now, at the behest of House Banking Committee Chairman James A. Leach (R-Iowa) and others in Congress, the Justice and Treasury departments and the FTC have begun ramping up efforts to fight identity theft crimes. The FTC even unveiled a new Web site for information about identity theft, www.consumer.gov/idtheft.

More of these anti-crime privacy initiatives are needed. If “privacy is . . . the civil rights issue of this decade,” as Rep. Edward J. Markey (D-Mass.) commented recently, then Capitol Hill must provide more oversight and more dollars to guarantee that as much energy as possible is deployed in the war against identity criminals. On the other hand, Congress could fritter away its attention span on new laws that merely make legitimate businesses jump through hoops to use marketing techniques long utilized off-line as well as online. Pandering to inchoate anxieties will not promote what is needed--vigorous enforcement of existing laws--nor will it deter concrete and severely harmful invasions of privacy.

Of course, there are other real privacy issues besides identity. One of them concerns location information that is beamed from cell phones, pagers and other wireless devices. According to testimony at an FTC wireless privacy hearing in December, industry is not fooling around on this. The same technology that lets cell phone companies report the location, within about 55 yards, of wireless 911 calls to the police also provides wonderful marketing temptations. But the companies recognize that they cannot avail themselves of these opportunities unless customers agree. In other words, corporate responsibility and business incentives will tend to go hand in hand where customers have tangible privacy concerns.

Complex new privacy regulation could actually crowd out more valuable, real protections and tip the balance against people getting legitimate information that they may find valuable. Commercial use of information about spending and browsing patterns may be annoying, but it is not necessarily an unreasonable invasion of privacy.

In contrast, Social Security numbers, bank and credit card numbers, passwords, medical treatment files, children’s names and similar data are acutely personal. If federal and state laws are deficient in protecting this information, they should be revised to provide direct and uncomplicated protection. But complicated new regulatory regimes that merely target online marketing practices do no honor to privacy as the civil right of the decade.