Remarks of J. Howard Beales, Iii, Director, Bureau of Consumer Protection, Federal Trade Commission, Before the 2003 Symposium on the Patriot Act

• Publication year: 2003

Remarks of J. Howard Beales, III, Director, Bureau of Consumer Protection, Federal Trade Commission, Before the 2003 Symposium on the Patriot Act, Consumer Privacy, and Cybercrime⁰

I. Introduction

I am delighted to be here this morning. Among the many issues confronting law enforcers today, consumer privacy and cybercrime are among the most challenging. The Federal Trade Commission's ("FTC") role as the nation's chief consumer protection agency requires us to focus carefully on these, and a whole host of consumer protection, issues, using the unique tools available to us. Even as we track trends and adopt new technologies, our fundamental mission remains the same: to identify the most egregious forms of fraud and deception;¹ to bring cases, on our own and with our law enforcement partners;² and to educate ourselves about emerging issues, the industry about complying with the law, and consumers about how best to protect themselves from fraud and deception.³

Today, I want to discuss the FTC's efforts to address consumers' concerns about personal privacy and the critical role that online and offline security play in that program.

II. Fighting Internet Fraud

First, let me say a word about our role in fighting one growing type of cybercrime—consumer fraud. Although the Internet has empowered consumers with instant access to a breadth of information about products and services that would have been unimaginable twenty years ago, fraud artists have also proven adept at exploiting this new technology for their own gain. They are the ultimate "early adopters" of new technology. And, they've seized on the Internet as a ready vehicle to find victims for their scams. In fact, our consumer complaint data show that consumers increasingly report the Internet as the initial point of contact for fraud and that the Internet has now outstripped the telephone as the source of first contact for fraud.⁴

Many of these frauds are simply online variations of familiar offline scams. However, we also see more sophisticated practices that exploit the very technology of the Internet, sometimes going as far as literally taking control of the consumers' computers away from them.

To combat these new frauds, the FTC has brought over 200 Internet-related enforcement actions. This is also one of a number of areas where we are looking for ways to work closely with criminal law enforcement agencies. For example, last year the Commission sued John Zuccarini for "mousetrapping" consumers.⁵ Zuccarini registered some 6,000 domain names that were misspellings of popular websites. Surfers who looked for a site but misspelled its Web address were taken to the defendant's sites.⁶ Once they arrived, Zuccarini's websites were programmed to take control of the consumers' Internet browsers and hold the consumers captive while they were forced to view dozens of websites advertising products such as online gambling, psychic services, and adult websites. The obstruction was so severe in this case that consumers were often forced to choose between taking up to twenty minutes to close out all of the Internet windows, or turning off their computers and losing all of their "pre-mousetrap" work.

After being sued, Mr. Zuccarini disappeared.⁷ Fortunately, as a result of a cooperative working relationship between FTC attorneys and the United States Attorney's Office for the Southern District of New York, he was arrested in a south Florida hotel room.⁸ At the time of his arrest, Mr. Zuccarini was surrounded by computer equipment and cash, all of which were seized by criminal authorities. He was not left empty-handed, however. A United States Postal Inspector served him with the Final Court Order in our case.

Similarly, we all know that unsolicited commercial e-mail, or spam, is a nuisance, but we now know it is also a ready source of fraud. We are probably the only people in the country that actually like to get spam, and we are currently collecting over 100,000 spams a day that are forwarded to us from all over the country. When we looked at the content of this spam, we found that two-thirds contained clear indicia of falsity.⁹ Just one example is spams selling bogus domain names. After September 11th, these spams even urged consumers to "Be Patriotic! Register .USA Domains," and at one point even peddled ".God" domain names.¹⁰ The only trouble is, neither domain is usable on the Internet. We estimate these scammers took in more than one million dollars before we got a court order shutting them down and freezing their bank accounts and other assets. And again we got help from our law enforcement partners, this time the Office of Fair Trading of the United Kingdom, where the defendants were located.¹¹

III. Emergence of Consumer Privacy Issues on the Internet

In addition to fighting online fraud, protecting consumer privacy is a priority of the FTC's consumer protection program. Privacy has always been an important issue for American consumers. Fueled by the development of the Internet, privacy emerged as a major consumer issue in the mid-1990s. Given the breadth and depth of the concerns, almost everyone in government wanted to do something about consumer privacy. What to do was less clear. Although consumers expressed high levels of concern about their perceived loss of privacy,¹² they also expected and relied on the benefits of our information-driven economy. For example, few consumers seem worried about the many companies that have to share their information to clear checks or, for that matter, to process ATM transactions. They generally understand that the information must be collected and shared to complete the transaction. Indeed, surveys reveal that most Americans are "privacy pragmatists," who care about privacy but are willing to share information when they see tangible benefits, and they believe care is taken to protect that information.¹³

By the time FTC Chairman Timothy Muris and I arrived at the Commission in June 2001, the agency had spent several years developing a sophisticated understanding of privacy issues through conferences and workshops. Industry, spurred by consumer interests and the Commission's activity, had begun addressing consumers' concerns, especially by posting privacy policies on commercial websites. Nevertheless, at that time many people equated support for privacy protection as support for legislation requiring "notice, access, and choice" (otherwise known as "Fair Information Practices") before personal information was collected on the Internet.¹⁴ That seemed to us to be an odd form of consumer protection. Why should information collected via paper and pencil be treated differently than the same information collected online? And why should legislation discriminate against the burgeoning development of e-commerce?

IV. The New Framework

One of our first efforts was to develop a framework for addressing consumers' privacy concerns. Privacy was a new topic for us, one that we studied in-depth. We held dozens of meetings with groups with diverse perspectives on privacy—ranging from consumer groups to trade associations to information technology executives to professors. We read academic, legal, and policy literature in addition to numerous briefing memos from the FTC staff. We found widespread agreement on the importance of privacy issues and the importance of the FTC in protecting consumers' privacy.

The debate over privacy showed clearly the importance of relying on strong principles to guide an institution like the FTC through new territory. Grappling with the issues surrounding privacy required careful consideration of the basic questions of common law—why should the government protect privacy and what role should the government play in defining and enforcing privacy rules for private exchange? Strong principles were needed to ensure that if the Commission went beyond enforcing a particular contract provision to provide new "rules of the game," it would develop those rules based on a deep understanding of the issues and an appreciation of the possible harm of restricting the many consumer benefits that an information-based economy offers.

V. The Inadequacy of "Fair Information Practices"

One of our first steps was to evaluate the adequacy of the Fair Information Practices ("FlPs") approach to privacy protection. This is an appealing model because it is seemingly based on consumer consent, on contracts between consumers and businesses. In practice, however, consent is illusory. For most consumers, the costs of exercising the choice—although not high—are not worth the perceived benefits. Consider the billions of privacy notices sent to consumers under Gramm-Leach-Bliley ("GLB"). Very few consumers have exercised their right to opt-out of information sharing. Part of the problem, no doubt, is the difficulty of understanding some of the notices. Hopefully, we can improve the notices, but a more fundamental problem exists. Exercising just one opportunity to opt-out may take only a few minutes, but opting out for each of the companies you do business with would take much longer. Consumers have many other options—not to mention demands—for their time, from paying bills to getting dinner on the table and to helping children with homework. Given that time is scarce and even reading the notice takes effort that could be spent elsewhere, it is not surprising that few consumers opt-out, even when it is seemingly easy.¹⁵

Nor is opt-in the solution. Because most consumers will not expend the time and effort to consider the choice, opt-in is only the correct default if most fully-informed consumers would refuse to share information.¹⁶ Explaining the benefits and costs of information sharing is beyond the competence of even the best drafted short notice. We cannot make people focus on this, or any other, issue. With GLB privacy notices in particular, we led people to the privacy question, and they chose not to choose.

Thus, the FlPs model has...