Mano a mano with John McCain

At a committee hearing on online privacy, the senator asks me some tough questions and doesn't like what he hears.

Published October 6, 2000 4:23PM (EDT)

Sen. John McCain stared down at me, broadcasting his typical uncompromising glare. "Is it a violation of privacy for lists of campaign contributors to be sold?" he asked.

Now let's see, I thought. Distributing lists of campaign contributors is good, right? But distributing lists of people's names, especially for a profit, is bad. What should I say?

"Well, as a democratic society, we've made a decision that it is worth the cost to privacy for campaign financing information to be made publicly available," I finally said. I'm not sure if that's an exact quote or not -- I was pretty shaken up. I couldn't figure out the answer.

McCain, R-Ariz., was clearly peeved. He said, more or less, that he didn't need me to explain to him the purpose of the campaign finance disclosure laws. No, he wanted me to answer the question: Does selling the list of campaign contributors violate privacy?

I was testifying Tuesday morning during a meeting of the Senate Committee on Commerce, Science and Transportation. McCain had invited me to speak before the full committee on three online privacy bills that were being considered -- the Consumer Internet Privacy Enhancement Act, the Consumer Privacy Protection Act and the Online Privacy Protection Act of 1999. But now he was grilling me, turning up the pressure by asking a question that seemed to demonstrate the inherent self-contradiction between my liberal democratic leanings and my pro-privacy beliefs.

The hearings were taking place inside Room 253 of the Russell Office Building. McCain was in the middle of the committee table -- a huge raised desk that inscribed a majestic half-circle inside the northern side of the room. I was sitting at the witness table with three others. On my left was George Vradenburg, AOL's senior vice president for global policy, and Scott Cooper, manager of technology policy for Hewlett-Packard. On my right was Marc Rotenberg, director of the Electronic Privacy Information Center.

When it came to our stances on privacy legislation, the four of us were split down the middle. Both Vradenburg and Cooper had spoken in favor of the Consumer Internet Privacy Enhancement Act and the Consumer Privacy Protection Act -- two bills that do little more than codify today's Internet privacy status quo. Both require only that Web sites post a privacy policy that describes what information they collect, and that companies give consumers a chance to "opt-out" or ask that their personal information not be collected.

The Consumer Internet Privacy Enhancement Act would also have the Federal Trade Commission engage the National Research Council to write another study on online privacy -- a study that wouldn't be finished for more than a year.

Along with Rotenberg, I had spoken in favor of the Online Privacy Protection Act, a bill put forth by Sen. Ernest F. Hollings, D-S.C. Really, it's the only privacy bill of the three being considered. The Online Privacy Protection Act mandates "opt-in" -- that is, it prohibits the transfer of personal information to third parties, or use of personal information for purposes other than that for which it was collected, unless the Web sites explicitly get permission from the consumer. The bill also gives consumers the right to access -- that is, consumers would have a legal right to see the personal information that's collected on them.

Now that's a privacy bill! The Hollings bill would, furthermore, create an Office of Online Privacy within the Federal Trade Commission and give federal protection to whistleblowers within companies that violate the law -- protection that's crucial, since frequently it takes insiders to reveal egregious privacy practices.

Which is why the gentlemen from HP and AOL were so opposed to it.

The hearing came hard on the heels of a report issued by the Federal Trade Commission that called upon Congress to pass legislation protecting online privacy -- a report that identified notice, choice, access and security as the key elements of any policy. But in their prepared comments, Vradenburg and Cooper repeatedly said that they supported legislation that embodied only notice and choice. Cooper, speaking for HP, said that access was simply too hard to do -- what's worse, said Vradenburg, giving consumers access to their own personal information might make the information available to hackers as well. And security was too complex to mandate in a piece of legislation.

The give and take between the senators and the representatives of the computer industry was lively. Sen. John Rockefeller, D-W.Va., chastised the executives, saying that if brokerage firms can figure out how to let people trade stocks with security, then surely a company like HP can figure out a way to let people access their own personal information. And Sen. Richard Bryan, D-Nev., criticized AOL's insistence that people who do not "opt-out" are giving their support to the company's marketing practices. "That's the effect of opt-out," he said. "Silence is acquiescence. I don't think that most Americans see that as an effective protection."

Indeed, most AOL users don't like those pop-up messages that try to sell you something every time you log in, but few AOL users take the initiative to navigate through the service's screens to turn them off. Can you imagine somebody navigating to the AOL Marketing Preferences section and clicking the button, "Yes, I do want to receive special AOL member-only pop-up offers"? It's like sending e-mail to a spammer: "Please send me your low-interest-rate credit-card offers." That's why companies like AOL are in favor of opt-out, rather than opt-in.

A few minutes before the session had to end, Sen. John Kerry, D-Mass., made an impassioned speech detailing a wide variety of threats to personal privacy. It was a good speech and I agreed with many of the threats that he identified -- the dangers of having medical information, banking information and even genetic information flowing over the Internet, completely out of a person's control.

But then Kerry said that the Consumer Internet Privacy Enhancement Act did the best job of protecting consumer's privacy! And I just couldn't believe what he was saying. Here was Kerry, the Democratic senator from the liberal state of Massachusetts, supporting a bill that did pitifully little to protect consumer privacy. I opened my jaw, stunned. But Kerry wasn't finished: He stated that the continued growth of the Internet depends on information services remaining free, by which he really meant "supported by advertising." Congress should be careful with any legislation that it passes, Kerry warned, lest it kill the free Internet.

This is the same argument that Doubleclick has been making through the Network Advertising Initiative: Don't pass privacy legislation, or you will kill the free Internet. I raised my hand and said that Americans did not have to sacrifice their privacy in order to preserve the free flow of information on the Internet. "Just because the technology makes it possible to identify a person viewing a banner advertisement doesn't make that an effective business model." Instead of building comprehensive profiles, all advertisers need to do is advertise consumer electronics on electronics-oriented Web sites.

And that's when McCain asked me his question. I stopped dead in my tracks, and stumbled through my first answer. Then I took a deep breath and tried again. The crucial issue had to be the selling aspect.

"In general," I said, "I'm opposed to private companies selling information that is collected at taxpayer expense and that the government should be making available for free in electronic form."

After all, there are many companies that are selling this information, from court cases to patents. It's fairly big business in Washington, and if the government did a better job making the information available in electronic form, some of the arguments about advertiser-supported Web sites might fall away.

But McCain would hear none of it. He requested again that I answer his question, and when I couldn't do that, he went on to the next speaker.

The hearings were over in another 10 minutes or so, but McCain's questions nagged at me for the rest of the day. Clearly, the privacy of campaign contributors is violated when their names and that information is made publicly available. But once we have made the decision to make campaign contribution information public, the next question is "how will this information be used?" My answer, that this information should not be sold by businesses, but should be given freely in electronic form by the federal government, really had nothing to do with the privacy of the contributors.

As a privacy advocate, I inevitably feel some kind of disgust whenever lists of names and personal information are sold. But is it wrong? Perhaps not. If we want this information distributed, why not have private industry do it?

The real privacy issue, I realized, has less to do with the selling of the information, and more to do with what is done with the information after it is sold:

  • If the information is used to perform an analysis of the role of money in politics, or to correlate donations with voting patterns, it does not further violate the contributors' privacy; this is the reason that the information was originally collected.

  • If the information is used to solicit the contributors for donations to museums or public radio, or to join a country club, then it does violate the contributors' privacy; these uses run counter to the original reason that the information was collected.

    And in fact, I realized, this is the fundamental difference between opt-in and opt-out legislation.

    An opt-out system requires a tremendous amount of knowledge and the initiative on the part of the person whose information is being collected. Few campaign contributors realize that records of their contributions are bought, sold and made available on the Internet. With an opt-out system, these contributors would have to register to request that their personal information not be misused, otherwise it could be. With an opt-in system, the contributors would have to say, "Yes, please send me solicitations, please call me at home, please send me junk e-mail."

    I wish that I had been able to think faster on my feet. McCain's question could have given me the perfect entrie to explain why opt-in makes more sense than opt-out.

    Fortunately, I or others may have that chance next spring. With less than two weeks left in the legislative term, none of these bills will be forwarded to the full Senate for consideration. Instead, new bills will be drafted early next year, after the election and the inevitable congressional reshuffling.

    Ironically, President Clinton had his privacy invaded more thoroughly than any other president in U.S. history, yet his administration has done painfully little to enhance the privacy protections of most Americans. We can only hope that the next president's administration -- and the next Congress -- will do better.

  • By Simson Garfinkel

    "Simson Garfinkel is a frequent contributor to Salon, the Chief Technology Officer of Sandstorm Enterprises, and the Chief Scientist of Broadband2Wireless, Inc."

    MORE FROM Simson Garfinkel

    Related Topics ------------------------------------------

    John Mccain R-ariz.