Issues Found in Complaints

Perception and Recourse

In our literature review, we found multiple surveys whose data suggests that users are very concerned about privacy and do not want websites to collect and share their personal information without permission. Yet, the number of complaints made to the various organizations is low relative to the number of Internet users.

Website operators and direct marketing agencies might point to this low volume and claim that users don’t care about data collection. However, that would be a misinterpretation of the data. It is apparent from our research that users do care. The low number of complaints conforms to our hypothesis that users file complaints only when two conditions are met: 1) they perceive an invasion of their privacy, and 2) they know where to file a complaint.

However, most users are unaware of the majority of the data collection and sharing that goes on. Consumers may have heard that websites can track their behavior, but the tracking is done passively, and is therefore not salient in the minds of the users.

In the case of ZabaSearch, some users were made aware of the FTC’s complaint form via the Privacy Rights Clearinghouse website, which was referenced by the media. Thus, they had knowledge of where to file a complaint. In all likelihood there is no particular agency to which users are most likely to express privacy concerns. More often than not users probably direct their complaints to the specific entity with which they have a concern, particularly when the user has a direct relationship with that entity.

That users care about their privacy and often complain directly to the website involved is supported by evidence from the incident involving Facebook’s Beacon initiative in November 2007. That system enabled e-commerce sites to share data about their transactions with Facebook, which in turn posted the data on its users’ public news feeds. In this case, users were made aware of a use of private information that they had not authorized. Furthermore, users could voice their objections to the practice by joining a protest group on the site itself. Over 50,000 users joined the group in ten days (over 80,000 in one month) strongly suggesting that users do care about privacy [Story].

Recommendations

Greater Access/Transparency

The biggest concern among the complaints we coded was the lack of control. Users do not want websites to collect or share data without permission, and they want the ability to access, edit, and delete records about themselves.

We recommend regulation by which websites must allow users to see all the data that has been collected about them, not just user-provided information. Additionally, users should also be allowed to see with whom their data has been shared. The imposition posed upon companies by such a requirement could be greatly mitigated by merely requiring that websites provide users with the information they have about the user in a form no less convenient than the form in which it is available to the company.

Authority and Metrics

Our analysis of user complaints brings to the fore a larger problem with data collection policy in the United States: no one knows who is in charge of protecting privacy. The fairly low number of complaints to the various organizations we contacted reveals that users don’t know who to complain to.

According to the FTC’s Privacy Initiative web page, it safeguards consumer privacy by enforcing the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act. It also states that the FTC strives to educate “consumers and businesses about the importance of personal information privacy” [Federal Trade Commission, “Privacy Initiatives”].

We recommend that the FTC become more aggressive in protecting privacy on the Internet. It should strive to get a larger picture of user concerns by making more users aware of the complaint assistance system. One possible way to achieve this is to require websites that collect personal information about users (other than the automated IP logs) to include a link on their privacy policies to the FTC’s website. This would direct users to the FTC and help it gain insight into user concerns.