Privacy Mavens Delve into Thicket of Issues

Poised for years to deal with the privacy issue, politicians, lobbyists, consumer advocates, and even banking executives are at long last having their field day.

Privacy has gotten hot enough that two interest groups, the Banking Industry Technology Secretariat and the Smart Card Forum, were able to hold seminars within days of each other last month without overlapping or exhausting the subject matter.

The meetings were in different cities and had different casts of characters, but both aired a full range of issues and viewpoints on a double-edged sword.

Privacy activism could bring new regulations not especially welcomed by financial institutions, as suggested by White House proposals on May 4 that included credit card and mortgage marketing rules and tougher enforcement of the Truth-in-Lending Act.

Yet research shows that banks are generally trusted. Perhaps they can capitalize on this by assuring an uneasy public that the Internet and other technologies will not violate their privileges.

But nobody is quite sure how privacy will ultimately play out, nor how to go about turning it to a strategic advantage.

BITS, an offshoot of the Financial Services Roundtable of Washington, held its forum May 12 in Chicago. Across town, thousands were convening at Cardtech/Securtech, an international conference on smart cards and other technologies that some promoters view as potential privacy protection tools.

BITS brought together a small group of what the secretariat's chief executive officer, Catherine Allen, described as "privacy czars." These are people managing the privacy issue for their banks, whether full-time or as part of other responsibilities. (Ms. Allen founded the Smart Card Forum when she worked at Citibank in the early 1990s.)

The BITS audience included Karen Alnes, director of privacy policies at Wells Fargo Bank; Julia Johnson, Bank One Corp.'s recently appointed director of information policy and privacy; and Gail Magnuson, a Bank of America senior vice president active in BITS' "core privacy team."

People such as these are elevating privacy compliance to a level of importance akin to that of the Community Reinvestment Act. BITS' action on the subject speaks to the awareness of the top industry executives who sit on its board, which is led by First Union Corp. chairman Edward E. Crutchfield.

International Business Machines Corp. senior consultant Rebecca Whitener walked the BITS group through P3P, the Platform for Privacy Preferences Project.

A speech on this proposed standard of the World Wide Web Consortium might not otherwise be heard outside a major Internet or computer convention.

But if bankers are going to assert their trust advantages on the Net and elsewhere, they will want to become conversant with various privacy protection tools and self-regulatory frameworks.

P3P creates a system for consumers to grant various permissions for use of their personal details. In effect, a negotiation takes place whenever there is a request to exceed a previously granted permission.

An IBM paper on P3P enumerated other self-regulatory programs such as TRUSTe certification and the Council of Better Business Bureaus' BBBOnline seal of approval, each enjoying some degree of industry backing.

Regardless of how P3P ends up, said the white paper, "the concept, the underlying principles, and the process followed in its development (have) already advanced the dialogue of how technology can be used to help address the complex issue of e-business privacy protection."

"Banks would be well advised to begin to plan their responses to a future that, with or without P3P, will certainly include continuing pressure to address privacy issues and find ways to give more control over the uses of personal information back to the consumer," IBM concluded.

The Banking Industry Technology Secretariat has developed, with help from Ms. Whitener and IBM Global Security Services, a "decision tool" to help sort out the costs if P3P or another type of regime goes mainstream.

Gary Roboff, the Chase Manhattan Bank senior vice president who spearheaded the BITS decision tool effort, said at a meeting of the group in March that consumer demand for any "extensive menu of privacy choice" would be "a big deal, and we'd have to respond to that."

In Chicago last month, Mr. Roboff conceded that almost any such privacy framework would require extensive customer education.

He pointed to the lack of acceptance of SET, the MasterCard-Visa Secure Electronic Transaction protocol for Internet payments, which turned out to be "too complex for real life."

"If technology like (P3P) is accepted, it will require an iterative learning process to make it work," Mr. Roboff said.

The Smart Card Forum's speaker lineup May 20 in Washington brought out various shades of philosophical gray.

Rep. Vernon J. Ehlers, R-Mich., vice chairman of the House Science Committee and a physicist by training, expressed support for liberalized data encryption rules, putting him on the same side as the high-technology business sector and many consumer advocates who view strong encryption as a privacy enhancer.

But he urged industry leaders to form policy and standards-setting bodies of their own, rather than assume that the legislative process will work to their liking. And he said the high-tech lobby could do much better in developing "mutual trust and respect" with Congress.

Daniel E. Geer Jr., vice president and senior strategist of Certco Inc., a data security spinoff of Bankers Trust Corp., seemed to be as much a privacy absolutist as, say, Marc Rotenberg of the Electronic Privacy Information Center, another Smart Card Forum panelist.

Privacy is "the boundary condition between rights and privileges, a boundary evidently in dispute everywhere and forever," Mr. Geer said.

Wary of the effects of large institutions' accumulation and potential abuse of data bases, Mr. Geer would err on the side of strong privacy protections.

"We must make all acquisition and use of personal information forbidden, absent explicit permission to do otherwise," this technology advocate said. Borrowing from the late Barry Goldwater, he said, "Extremism in the defense of liberty is no vice."

Mr. Rotenberg, president of the Washington-based privacy group known as EPIC, put in a plug for the European Union's approach to privacy protection.

The EU Directive on Privacy Protection, which took effect last Oct. 28, sent shudders through multinational banks and other corporations. If enforced literally, it would prevent companies from countries with less stringent privacy standards (namely, the United States) from marketing in their accustomed way to European consumers.

Mr. Rotenberg said major corporations would do well to comply with the directive and set a higher domestic standard in the process.

"The EU policy is simple and direct," he said. "Let's adopt it."

Stewart Baker, a partner in the Washington law firm Steptoe & Johnson and a former National Security Agency general counsel, said, "I agree with Marc." The EU policy is "extraterritorial and effective, simple and overarching. Multinational companies will have no choice but to comply."

Yet there is plenty of murkiness.

As a prop, Mr. Baker brought a quiz that included a question about two Internet sites: Portal A is in Europe, not posting a privacy policy but asserting that it is governed by France's strong data protection laws. Portal B in the United States has a stated policy against transferring consumer data to third parties. But both A and B routinely provide customer data to an on-line merchant that has invested in the two portals.

Which would more likely be the subject of a government investigation? Despite the supposedly lax U.S. standard, Mr. Baker said it is Portal B, for deceptive trade practices.

Which would be more likely to be deemed by the European Commission as having insufficient government oversight? Ironically, Portal A.

"This can be like trying to write rules for personal-space violations and good table manners," Mr. Baker said.

David L. Aaron, under secretary of commerce for international trade, reported that his negotiations with European authorities were at a critical juncture. Mr. Aaron has been working on "safe harbor" principles to enable U.S. companies to operate in Europe. "A few nagging difficulties threaten to slow us down," he said.

The EU was asked to accept compliance with a self-regulatory scheme like BBBOnline as a proxy. The Europeans wanted something stronger, and Mr. Aaron was complaining of "territorial over-reaching."

Mr. Aaron said financial services concerns have figured prominently. He has argued that because U.S. financial companies are heavily regulated, Europe should deem them "adequate with regard to privacy protection."

But the Europeans hold to their view that the United States is "not heavily regulated," Mr. Aaron said. He pledged to push for safe harbor treatment and to make the rules "as unburdensome as possible."
