### From: Marvin George, yesone@c2i2.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 12:28am
Subject: privacy responses

1. Name: Marvin George
2. Email: yesone@c2i2.com
3. Affiliation: citizen

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

The notices are starting to show up. I haven't got too much junk mail from the web sites and I don't take it seriously enough. Maybe because I live in a small community they don't bother. If I saw them using the information for ads or junk e-mail I would take notice. I get ads at certain sites that don't take consideration of what I told them. If I saw them using the information in negative manner I would write my elected representatives about it. If they are tailoring the ads to what I want to be informed then I say it is worthwhile.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

In most cases they don't give any choices over secondary uses. This is not right and should be asked who they are giving the information to. This is something that be checked on the form. I would like to see a check box on the sale of information to give the person to opt out of it. They may send spam out but state that you requested information on that service from another company. They may even send you regular junk mail. The bottom line is you control the ability to sell your name.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

This is something that should be allowed and mandated as condition change and what the obtained from the cookie that they install in your computer.
They should allow you to see what they have tracked of you be able to correct it. This should be mandated because it could affect you on job, loan and so forth as companies will demand that data.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

The FTC just put a consent order to geocities for doing something with the privacy information. The FTC should take action if they violate the privacy of an individual as they did geocities. You should put in complaint to the FTC and have them take action against the site if under US Law or have them obtain from the country they come from. The use of fines should be used as a last resort. There is very little you can accomplish in suit except make the lawyer rich off of you.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

I don't believe a child should ask to give out information unless the parent gives it out. The parent is better able to size up the situation better the child. I believe it should regulated by the government.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

I think first you give a chance for self regulation and if that fails then government regulation should take place.

Question 7: What experiences have you encountered online in which privacy has been an issue?

Question 8: What experiences have you encountered online in which privacy has been an issue?

I think the rules of privacy should apply to them and more so. They know what you buy week after week and they can pretty well tell company your whole personality in reference grocery card. They should be under the same restriction.
Medical records should be sealed and only given to your health insurance company and no one else unless you approve it.

Question 9: Other Comments:

### From: Brian T. Fix, ay104@yfn.ysu.edu

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 12:33am
Subject: privacy responses

1. Name: Brian T. Fix
2. Email: ay104@yfn.ysu.edu
3. Affiliation: None

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

One does not typically see notices telling you what companies are doing with the information about you. However, some sites (www.linkexchange.com, www.planetall.com as two examples) tell you from the outset that your information will not be used in any way, shape, or form.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Yes, many sites do offer this.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

Yes.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Companies should be held accountable via the way of fines AND possible legal recourse by the owner of the information.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Companies should NOT be able to use ANY information from children, regardless of the site's content. Children's information should either be destroyed or heavily guarded by the owner of the particular site(s).

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected?
Would you rather see government make laws to regulate privacy on the Internet?

This question is a two-edged sword. If the industry adopts these measures voluntarily, one would be subject to some places that still allow people's information to be used as a secondary means. However, if the government intervenes, these companies will figure out loopholes or cry a violation of their First Amendment Rights.

Question 7: What experiences have you encountered online in which privacy has been an issue?

None that I know of.

Question 8: What experiences have you encountered online in which privacy has been an issue?

Absolutely. Whatever records are yours should NOT be able to be accessed by ANYONE except yourself and the originator of the service(s) provided.

Question 9: Other Comments:

These issues must be solved to end a myriad of other problems such as stalking, spamming, and other problems related to such practices.

### From: Carlos Alvarez, carlos@theriver.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 12:38am
Subject: privacy responses

1. Name: Carlos Alvarez
2. Email: carlos@theriver.com
3. Affiliation:

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

Very few sites include this information. It is extremely important to me.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Some do, some don't. No site should sell your information, or send you e-mail, unless you have specifically opted in.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

I don't know, this is not an issue to me.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Civil suits should be possible for anyone who is damaged or has costs associated with privacy violations. Fines are appropriate for companies that fail to protect privacy.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

I think the issue is the same as adults, or actually less of a problem.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

I would rather see industry self-regulated and consumers making intelligent decisions. Consumers should make more effort to stop their information from being misused.

Question 7: What experiences have you encountered online in which privacy has been an issue?

Junk mail (postal and e-mail) sent because of subscriptions or orders placed online.

Question 8: What experiences have you encountered online in which privacy has been an issue?

Yes, all of it is equally important.

Question 9: Other Comments:

### From: Thomas Losh, manager@tech-center.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 12:44am
Subject: privacy responses

1. Name: Thomas Losh
2. Email: manager@tech-center.com
3. Affiliation: Talons Interactive

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

I rarely see notices about what companies will do with the information gathered from public visitors. If I do see such a notice it is usually buried at the very bottom of the page in very small print as a link to another page. The information, if present is often worded in such a way that I am still unsure what the actual policy is.
It is becoming increasingly important to me to know what use will be made of information I provide over the Internet.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Some do, some don't. For those that do there is usually a small pre-checked box that must be un-checked to keep from having information provided used for purposes other than what I, the visitor, intend. I would prefer to have the choice default to NOT "requesting" additional information, with an adequate explanation of what can be expected if one chooses to check the box.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

Seldom do companies allow users to see the data they have gathered, often not even mentioning that they have acquired the information. I would prefer to know what information is being gathered, what use it will be put to, and have the option of not allowing the information to be collected. In those increasing instances where a company will not even allow access to web pages without some sort of user information, I would like to know what the information will be used for, and what additional information will be added to it. I would like to be able to delete and/or correct information that companies have gathered about me, but that is rarely offered. The importance of this is increasing as more companies gather more information.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Companies that release personal information without the express consent of the person or persons involved should face fines for doing so, and should be able to be sued by the interested parties.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

The same thing as for adults, but with the added thought that children often are not aware of the problems inherent in providing personal information to strangers. Severe penalties should be available for those abusing children's trust.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

Some laws may be necessary, since not all companies/organizations are able to be trusted. Some sort of fallback needs to be put in place to allow individuals and/or the government to go after the 'bad actors.'

Question 7: What experiences have you encountered online in which privacy has been an issue?

I have personally encountered very few incidences of having my personal information gathered or used in a manner that I did not wish. This is primarily because I go to sometimes great lengths to ensure that it doesn't happen. Not everyone can be expected to do this, however nor should we be required to.

Question 8: What experiences have you encountered online in which privacy has been an issue?

Maybe not the same, but certainly very similar rules. The ease and speed with which information can be gathered and analysed is creating a problem in many areas. As more things become entrenched in computer databases, the problem increases.

Question 9: Other Comments:

### From: Victor Escobar, sydbarrett@mindspring.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 2:47am
Subject: privacy responses

1. Name: Victor Escobar
2. Email: sydbarrett@mindspring.com
3. Affiliation: N/A

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No. And if I do, they're usually in 4pt type way at the bottom of the screen.
I shouldn't have to hunt for such disclaimers.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

No, only a strict minority. As a rule, there is no option to regulate or filter use of my information. It is even worse with the advent of `cookies' used on most new web pages.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

If they do, I have to wade through dozens of pages to find it. Again, I shouldn't have to, and they should be held liable to the same standards as those in the print media.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Use the same standards as print media. They should be fined for a first offence and sued for each subsequent one.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Instead of those laughable `click here if you are 18' buttons, sites should have REAL screening. Anyone who thinks a precocious child will tell the truth is at best naive. Sites should be required to affiliate themselves with an Adult Verification Service (such as Adult Check, Adult Sights, &c.).

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

Yes, because if left up to industry, it won't happen. By the same token, I don't think that government should dictate HOW it will be protected. Leave actual implementation to private industry.

Question 7: What experiences have you encountered online in which privacy has been an issue?

I'd say spam is the biggest issue. Getting mail from sites who sold my email address to unscrupulous merchants.

Question 8: What experiences have you encountered online in which privacy has been an issue?

YES!!!!!

Question 9: Other Comments:

Many businesses are leery of conducting transactions online simply because they can't guarantee the safety of their customers' information. If there were some sort of legal infrastructure in place, commerce online would explode.

### From: Gordon Certain, dsch96a@msn.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 10:13am
Subject: privacy responses

1. Name: Gordon Certain
2. Email: dsch96a@msn.com
3. Affiliation:

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

I sometimes see notices about what happens to information I provide. I really appreciate those notices, especially those which are explicit.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Generally they do not give me control of secondary use. I would like them to always provide me with control of secondary use including "unsubscribe", passing e-mail address to others, getting or not getting unsolicited e-mails.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

The only one I've noticed is Microsoft. Yes it is important. I recently retired and I have no way in most cases to redirect e-mails from my company address to my home address.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined?
Should you be able to sue them?

Monetary fines & liability suit are good solutions. Loss of their domain name is also a potential punishment.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Limits should be placed on what is asked for and what is done with the info.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

Industry will NOT UNIFORMLY DO ANYTHING unless it is legally required.

Question 7: What experiences have you encountered online in which privacy has been an issue?

I have not been impacted TO MY KNOWLEDGE but I am always concerned.

Question 8: What experiences have you encountered online in which privacy has been an issue?

Yes, especially medical records. In fact, more stringent information access controls must apply to medical records because that information is not really provided voluntarily when insurance is involved.

Question 9: Other Comments:

Thanks for the "privacy policy" statement on this page. In addition to being there, it says the right thing.

### From: James J. Pottmyer, PottmyerJ@acm.org

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 11:49am
Subject: privacy responses

1. Name: James J. Pottmyer
2. Email: PottmyerJ@acm.org
3. Affiliation: private sector IT integrator

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No, No

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

The best companies (e.g., Microsoft) are conscientious about this. This should be the model for others.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

Seldom. This is the area I would most like to see improved.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

"Common carriers" should get some protection from being named as parties in suits, but they should be subject to fines for malfeasance or egregious misfeasance or nonfeasance. Others should be subject to suits, but class-action suits should be "nationalized" in some consistent way. There's an obvious definitional problem where a "common carrier" (who agrees to carry all traffic at preestablished tariffs) is involved in the same corporate entity with other businesses.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Emphasize parental responsibility. I'm against the idea of requiring adults to carry digital passports.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

The government should not be overly anxious to regulate on the basis of potential problems.

Question 7: What experiences have you encountered online in which privacy has been an issue?

none

Question 8: What experiences have you encountered online in which privacy has been an issue?

The principles of being able to access data on oneself and correct them or add exculpatory data should apply uniformly to online and offline systems of records.

Question 9: Other Comments:

### From: Martin Weiner, martin16@juno.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 12:56pm
Subject: privacy responses

1. Name: Martin Weiner
2. Email: martin16@juno.com
3.
Affiliation:

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No. Yes.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Yes.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

Yes. Very.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Yes. Yes. Yes.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Information from minor children should not be solicited or collected. I don't know how this could be accomplished except for parental supervision or banning such solicitations on _children's_ sites.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

No. I don't trust the gov. or industry. Protect yourself. Ban _cookies_. Use strong encryption.

Question 7: What experiences have you encountered online in which privacy has been an issue?

Personal info. available without my consent.

Question 8: What experiences have you encountered online in which privacy has been an issue?

You bet!

Question 9: Other Comments:

### From: Tony Conte, tc1000@pipeline.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 1:58pm
Subject: privacy responses

1. Name: Tony Conte
2. Email: tc1000@pipeline.com
3.
Affiliation: Lawyer

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

I don't typically see such notices, but I don't really care what companies do with such information. I think entirely too much is being made of the fact that companies collect such information. I could care less that they may use this information to send me sales pitches. I'm free to discard anything that is of no interest, and if something comes of which I am interested I would be glad to receive it.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Not normally. However, it is of entirely no concern to me that companies may use such information for commercial purposes.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

I have not noticed this, but if the only information they collect is the fact that I may have visited a particular WWW site what would there be to correct?

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

No, I do not believe that there is any individual right to stop anyone from collecting any information about visits to WWW sites. I see no reason why companies should not be allowed to make free use of such information for commercial purposes.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

Nothing. Children are no different from adults.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected?
Would you rather see government make laws to regulate privacy on the Internet?

No, the government should stay entirely out of regulating information gathering.

Question 7: What experiences have you encountered online in which privacy has been an issue?

None.

Question 8: What experiences have you encountered online in which privacy has been an issue?

I don't believe that there should be any laws regulating the collection of information.

Question 9: Other Comments:

### From: Dennis Glatting, dennis.glatting@software-munitions.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 2:55pm
Subject: privacy responses

1. Name: Dennis Glatting
2. Email: dennis.glatting@software-munitions.com
3. Affiliation: US citizen

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

Generally I do not see notices. Some sites have notices but are difficult to find, long, and/or not understandable by the common person.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Only a small percentage of the sites offer a choice. A high percentage of those preselect a default where the information is shared. I want a non-default opt-in, rather than a default opt-out.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

The correction of data is important to me, but is rarely an option. Generally I am afraid to correct the information, such as my address and phone number, because I don't want the amount of solicitations to increase.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

Economics talk. The population should be able to exact financial retribution from such companies, perhaps imprisonment too.

Question 5: The collection of information from children is an especially sensitive area. What should be done to protect children's privacy online?

I don't think there should be a special designation for children. Privacy should unconditionally apply to everyone.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

Believing the industries will self regulate is naive. Legislation is required.

Question 7: What experiences have you encountered online in which privacy has been an issue?

SPAM. Much SPAM. Even from "reputable" companies.

Question 8: What experiences have you encountered online in which privacy has been an issue?

Yes!

Question 9: Other Comments:

What options do I really have to protect my privacy? None. The legislatures, a high percentage of the time, side with business interest, rather than the interest of the people. I beg the legislatures to give me freedom from unsolicited commercial e-mail, postal mail, and telephone calls. It costs my business one hour a day to deal with spam. It cost me 15-45 minutes six days a week to deal with unsolicited commercial postal mail -- substantially longer if I pursue their sources to be removed from their contact lists too. At home we no longer directly answer the telephone, rather all calls are screened and Caller ID used, to the extent possible, to identify and log callers. Why do we have to build fortresses around our lives and incur unnecessary expense simply to support the self-interest of the advertisement business? Please, legislate me my privacy.

### From: Jeff A. Hale, privacy@rt66.com

To: NTIA.NTIAHQ(privacy)
Date: 6/13/98 3:58pm
Subject: privacy responses

1. Name: Jeff A. Hale
2. Email: privacy@rt66.com
3.
Affiliation:

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No -- such notices are few and far between. Greater public awareness of the privacy issues involved in mere web browsing, not to mention advanced applications, is needed.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

No -- nearly all websites I visit (with the exception of WIRED I believe) do not, as a course of business, let the browser or customer know about secondary uses of their information (cookies, e-mail, or other identifiers). At the very least, there should be a "privacy notice" on the first page of each site, informing the browsers and potential customers about ANY uses of their identifiers -- not just secondary uses.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

No they generally don't. In this day and age, even correcting information from the major credit rating services (TRW, Equifax, etc.) is difficult at best and often a long-term, painful process. I went through this with TRW a few years ago, and had to fight to get several erroneous credit "negatives" removed -- which I had never incurred! As for websites, I doubt that many are adequately informing their browsers and potential customers about procedures for accessing and/or correcting personal data. The main exception seems to be the many "find someone over the web" sites -- which generally allow you to access your own information and delete/hide it if you wish. But what about prior notice?
Shouldn't these "locator" services and sites be forced to first contact all of the people they intend to list and ask them if they mind their public data being posted for the world to see? The counter argument I always hear -- that they are merely listing/posting/using "PUBLICLY AVAILABLE INFORMATION" just doesn't wash with me. A huge part of the problem is that personal information has been allowed to get out into the public arena largely without the parties' knowing it (telephone listings excepted). For example, if a college or university decides to post student grades for the world to see (even on the web -- this is happening today) and lists them with Social Security numbers, this is just begging the crooks and identity thieves to use the numbers for bogus reasons. Now, this would qualify as "publicly available information," right? And it opens the door for information sucking mega-sites and corporations (not to mention the numerous government agencies which desire personal information) to acquire all of these SS #'s -- and presto! -- your SS # is now "out there" in the public domain. You were never asked about whether you wanted your most personal of all identifiers to be in the public domain -- but it now is -- without your permission. And removing it from the dozens (perhaps hundreds) of data files and sites could take you the rest of your life.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

The penalties must fit the crimes, so no set formula would seem to be fair. If, on the other hand, you can demonstrate personal injury as a result of your personal information being released by a particular company or site (extremely difficult to prove I'd bet), there should be avenues for legal recourse.
But educating citizens to their privacy rights is a vital first step -- and then maybe have coalitions of privacy organizations adopt guidelines for information sites/providers. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? Their rights are the same as for other citizens. If people are preying on children by posting intriguing sites and then taking advantage of them (sexually or otherwise), they should face legal penalties. But someone who posts a nude photo of an 18 year old (or whatever the age of consent is), and observes REASONABLE adult verification procedures to prevent children's access, should not be hunted down and fined. Our government should spend its time with violent offenders, hard drug dealers, and abandon CDA-like witch hunts. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? Government laws are never as effective as voluntary compliance -- if you can adequately educate the public so that they are aware of the existing privacy protection laws, etc. But additional legislation protecting privacy rights should be passed. Question 7: What experiences have you encountered online in which privacy has been an issue? I hate the sites which "steal" your e-mail without your consent, automatically e-mail you with a stupid response, and refuse to offer the browser the option of NOT having his/her private e-mail address gobbled up in this manner. I also hate unsolicited spam -- but who doesn't? Question 8: What experiences have you encountered online in which privacy has been an issue? The proliferation of information services and data collection agencies is getting out of hand. 
The bottom line here should be expanding the average citizen's control over his or her personal information; people gathering and using this information should give PRIOR NOTICE OF INTENT. Question 9: Other Comments: Great idea to solicit public comment in this manner and forward it on to policy/law makers. CDT is one of the real warriors for privacy awareness and education. One suggestion: try harder to link what you are doing with the thousands of pro-privacy hackers and cyberpunks out there. They need your assistance, and you could probably learn a thing or two from them as well. Maybe conduct a web search of sites which support EPIC/CDT/EFF campaigns (even those that just link with them) and contact their authors with feelers about possible collaborations. ### From: Don K. DeGroat, EWCHIEF@aol.com To: NTIA.NTIAHQ(privacy) Date: 6/13/98 7:05pm Subject: privacy responses 1. Name: Don K. DeGroat 2. Email: EWCHIEF@aol.com 3. Affiliation: Libertarian Party of California Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? An accurate representation of where any submitted information is projected to go is always important. One always is guided in their candor by what is to be the end result of provided information or answers to questions. How much that candor could hurt the respondent, the subject of the response or innocent parties. Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? Typically sites I visit that might use my response or forward my email address to others have a box to be checked if I do not wish to be included in such a transfer of information. 
I think this is very important and ethically mandatory that respondents be offered an opportunity to control secondary uses of any provided information including the fact that one responded at all. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? Anyone asking for data must provide an avenue to correct or update that data. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? Personal suits should be the avenue for any damaged individual whose expectation or assurance of privacy was voided by anyone accessing the damaging information. Fines indicate to me that a government bureau would be involved in determining whether a company failed to protect privacy; I don't see that as a government function. Additionally, the money from fines typically never reaches a damaged party but rather fills government coffers. A fine is simply a risk to unethical companies and is of no concern to ethical ones. Government hopes a fine will prevent violations but I feel they are a small deterrent when stacked against the prospect of getting caught, prosecuted and found guilty. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? Nothing. That is my function as a parent. The myriad types of "babysitting" software presently available to parents are more than enough to restrain a child's wandering about the internet and parental guidance should be more than enough to protect their children from being harmed. Any information provided on-line by their children should be a parent's concern just as it would be if their child was talking to someone face-to-face. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? 
Would you rather see government make laws to regulate privacy on the Internet? Industry will regulate itself and, based on their interaction with me, I will decide what risks to my or my family's privacy are involved. The government has no place in regulating the free exchange of information in any medium. Question 7: What experiences have you encountered online in which privacy has been an issue? Usually just addressing the security involved in transmitting account numbers and whether my name would be passed to other interested parties. Question 8: What experiences have you encountered online in which privacy has been an issue? Ethical uses of information will cause ethical people and businesses to be self governing in regard to this information. Therefore I think the same rules are already in place. Question 9: Other Comments: The internet must remain clear of any kind of government control. ### From: Steve Meyer, sewerrat@mindspring.com To: NTIA.NTIAHQ(privacy) Date: 6/13/98 8:52pm Subject: privacy responses 1. Name: Steve Meyer 2. Email: sewerrat@mindspring.com 3. Affiliation: what? Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? I don't see them often enough. Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? Generally, you get a check box that you have to proactively check in order NOT to be put on a mailing list. This should be the default, and it should be mandatory to have such a box. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? I haven't really encountered this. 
Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? Fines and lawsuits will clear this up REAL quick. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? No children's oriented sites should request information...EVER! Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? Industry should do the job, but government may have to punish those who don't comply. Question 7: What experiences have you encountered online in which privacy has been an issue? Using your email address on USENET will just get you on mailing lists. Now I have to alter my email address for news groups. Question 8: What experiences have you encountered online in which privacy has been an issue? Absolutely! In spades! Question 9: Other Comments: ### From: "K. Axelson" kaxelson@panix.com To: NTIA Date: 2/14/98 11:58pm Subject: feedback on privacy issues Dear Sirs, With regard to your request for public comment on Internet privacy issues: Please consider reviewing the fact that when you make a query on AltaVista, the results page contains an ad with your query embedded in the http string of an ad at the top of the page (try it and see). This has been going on for several years. This causes your browser to send your query to the marketing company doubleclick during the request to obtain the image of the ad. Your IP address is also sent. 
If you have a 'fixed IP' address, as I believe about half of all net users do, then there is the possibility that an ongoing logging of these ad requests could constitute a searchable database of your queries for anyone who can associate the IP address with you, which shouldn't be hard to do by sharing marketing information collected from sites where you do identify yourself personally (while your IP address is captured to the log, as always) and then cross-referencing it to the Doubleclick log (if any). Doubleclick and AltaVista should explain why they do not achieve their apparent goal of sending someone an ad related to their query, by anonymizing the ad request by AltaVista sending for it, and then AltaVista putting it on your results page. This seems technically reasonable but they deliberately chose not to do it. AltaVista is said in statistics to be getting at least 10% of all Web search engine queries. Therefore sending these identifiable queries to a marketing firm who has made no representation of how they use the data, and who in fact does not have to receive the data in an identifiable form to customize an ad, could constitute a privacy problem. Kind Regards, K. Axelson NYC, NY CC: Kent Leonard ### From: Kenneth Voss, kenvoss@aol.com To: NTIA.NTIAHQ(privacy) Date: 6/14/98 12:03am Subject: privacy responses 1. Name: Kenneth Voss 2. Email: kenvoss@aol.com 3. Affiliation: Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? Not typically. Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? Sometimes, but not always. Usually it is a request to provide your name and address to other vendors. 
Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? Only at the time the information is collected. I haven't noticed any ability to change the information at a later date. This is of some importance, but I believe it is more important to only supply information one is willing to part with and to do so with that awareness and with accuracy. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? Individuals who want to purchase from or participate in a company's online offerings should be aware of the privacy risk as they should be about other media (i.e. catalogs, magazines, etc.). It would be nice if the companies themselves provided some cautionary warning. If a company fails to properly protect the information as they have promised the consumer, then the consumer should be able to take action against them. Particularly if that failure or misuse is significantly harmful. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? As with any of a child's other activities, it is the parents' responsibility and duty to protect them and supervise them. If a parent wishes to allow their children to use the Internet, it behooves them to properly educate the child and, depending on the maturity of the child, supervise their use of it. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? My privacy is my responsibility. I do not need to give away any information that I feel uncomfortable with revealing. There are practical and software tools available to protect one's privacy and even ensure anonymity. 
I believe that any government intervention would inevitably lead to control and censorship and would have a serious debilitating effect on the free exchange of ideas and commerce. It is the buyer that must beware! Question 7: What experiences have you encountered online in which privacy has been an issue? I have been most concerned with the few purchases I have made via the Internet using my credit card numbers and other personal information. I accepted the risk because I trusted the companies involved and only if the information was adequately encrypted. Question 8: What experiences have you encountered online in which privacy has been an issue? Again, the consumers' parting with personal information to private companies in exchange for tangible benefits is the responsibility of the consumer and liability of the private company. My main concern is with public records (such as DMV records, tax records, etc.) which are compulsory. The information taken from us forcibly by public entities must be strictly guarded and protected whether it is on- or offline. Question 9: Other Comments: The Internet is one of the last avenues of free expression and free enterprise. It offers great advantages with a concomitant risk. Users of this new forum who wish to benefit from its freedom must educate themselves as to its risks and the tools available to protect themselves. The use of government force to control and regulate the Internet would be the end of its main purpose and promise. ### From: John Kay johnk@javanet.com To: NTIA.NTIAHQ(privacy) Date: 6/14/98 1:21am Subject: Consumer privacy Dear Shirl Kinney; While looking for information regarding the legal viability of Electronic/Digitally archived documents and legal guidelines I chanced upon your requests for commentary in regards to "A Framework for Global Electronic Commerce". Since I work in the IT industry I would like to add in my thoughts to help out in defining future policies. 
First off I think that Self-regulation of privacy issues by all industries is a noble idea but will fall by the wayside in certain manufacturing and service industries because of their volatile market and low-margin pricing strategies which require the push for larger market shares to maintain profitability. Instead I would suggest that regulation and standards be handled either by the International Standards Organization, who offer consumer certifications of compliances (i.e. ISO 9001) for the global marketplace, or possibly a Consumer advocational body like the Better Business Bureau. The main difficulty really lies in the scope of definition of what should be encompassed by the term "Consumer privacy rights". The best tack to take to address this issue is to either create or revise a "Consumer's Bill of Rights" which would, if it doesn't already exist, articles pertaining to privacy as well as many others regarding consumer rights for legal actions against businesses. By no means do I hope that such a "Bill of Rights" should interfere with the ethical and profitable business practices in present and future incarnations. The largest irritating business practice in use today are unsolicited mail (a.k.a. junk mail) sent from a purchased mailing list or customer list, and the ever pervasive "Telemarketing". I have encountered the good and bad varieties of these techniques and have found that usually, at least in telemarketing, that harassment usually stems not from the company but rather the employee making the call. I have worked as a telemarketer for a little bit to make ends meet, but we had a "soft-sell" policy. We never harassed or tried to be so aggressive as to be harassing. This is where I view the need to start clear-cut policies disseminated to the general public on this particular type of harassment and how to combat it. When it comes to privacy most consumers are powerless right now. 
Mailing lists can be bought and sold like any other type of product right now. Data should flow to allow big and small business alike to have access to the publicum in order to make the public aware of the products and services they offer - this stimulates competition - but at what cost to the consumer? Harassment by overzealous representatives? And who can buy your data? Right now, as I am aware, any business can buy data on groups of people or even highly defined groups for the right price. So what do we do? Stifle competition by restricting data flow which might be crucial to a business's survival or allow rampant data sharing generating more unsolicited information, which we consumers either throw away or delete wasting time and resources? Do we allow a company devoted to consumer data to warehouse gobs of consumer buying trends and histories, and then market lists to companies producing such products and services we purchase with frequency? This might reek of a "Big Brother/Big Corporation" situation, but I wouldn't be surprised if there are already businesses that do just that. So should we make the solicitor be responsible for the transmission of their "Private data" or the seller and or the collector of the data? I would probably suggest the latter; make the collector and/or seller of such information liable for harassment or damages caused thereby because they are the ones who are profiting from "your data / your services or product of existence". The solicitor may also incur penalties, specifically monetary, for their harassing techniques, but the sellers and collectors make their monies whether a sale occurs or not and you never see a cent of that money which you earned by feeding their database through your living and consuming products and services. 
To summarize, there DOES need to be a type of data accounting (origination), data collectors and sellers are ultimately responsible for damages caused by abuses of "personal data" and consumers need a recourse in order to either collect these damages or stop their "personal data" from leaving their services and products providers' consumer databases. I hope that I have added something, at minimum a citizen's vote, to your considerations regarding this issue of personal data privacy. If you feel that my opinion has not been clear or you want to ask me any questions regarding my opinion, then please feel free to contact me at this address. Sincerely, John K. P.S. sorry about any misspellings; I don't have a spell checker on my e-mail client. ### From: Buster Rhoades To: NTIA.NTIAHQ(privacy) Date: 6/14/98 10:33pm Subject: privacy responses 1. Name: Buster Rhoades 2. Email: 3. Affiliation: Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? I've never seen a notice telling me what the companies are doing with the information about me. This is VERY important to me. I make it a policy to protect my privacy; I'm appalled that others are using and selling personal information about me. Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? I've only been asked for my permission to send me more information once, and this was after they'd already bombarded me with advertisements. It seems to be the rule to not even hint that my information is going to turn into a source of revenue for the web site owner. I don't like junk e-mail anymore than I like unsolicited telemarketing calls. 
We should be given the choice as to whether we want to be followed up on in any way. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? I haven't run into this problem. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? They should be fined and we should be able to sue them as well. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? The laws governing privacy should apply to all ages. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? There will always be some companies that won't willingly adopt the measures. I feel that laws have to be made to ensure our privacy. Companies that don't comply have to be made to suffer a consequence, or they'll just continue to abuse others' privacy. Question 7: What experiences have you encountered online in which privacy has been an issue? I found my name, address and telephone number, along with a detailed map to my house! This was on one of the "people finder" search engines. There's no reason information like this should be offered, and no good will come of supplying it. I was able to have my name and address removed (it took 3 months), but you have to know you're there before you can ask to be removed. There's probably a dozen more that have this information that I'm not aware of. Question 8: What experiences have you encountered online in which privacy has been an issue? Absolutely! So much information is available about individuals today, that laws have to be made to protect them. Our privacy should be more important than a company making money off of our information every time we do something. 
Question 9: Other Comments: ### From: Stephen Marinick, stevem@primenet.com To: NTIA.NTIAHQ(privacy) Date: 6/15/98 12:07am Subject: privacy responses 1. Name: Stephen Marinick 2. Email: stevem@primenet.com 3. Affiliation: Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? No, I seldom see such notices. This issue is very important to me. Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? A few Web sites allow me to opt out of mailings, but most provide no such control. I would like to see much more control offered over any and all secondary uses of information I provide, including an option to limit the use to the stated purpose. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? This option is offered more frequently, but I'm rarely given the opportunity to remove my data from a company's records if I choose to do so. This option is important to me. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? I think fines and other economical measures provide an excellent incentive for companies to protect privacy, and in rare cases a suit may be appropriate. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? Children's privacy should be protected in exactly the same way and to the same degree that the privacy of adults is. 
I feel the best way to do this is to clearly state the implications of providing data, what the use of that data will be, and for children, a suggestion that they get adult assistance before providing any data. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? I think these measures will help protect my privacy. Government should NOT regulate privacy on the Internet. Question 7: What experiences have you encountered online in which privacy has been an issue? I often get unsolicited commercial email from companies that appear to have extracted my email address from some unrelated database without my permission. This could be a Usenet post or some online transaction. Question 8: What experiences have you encountered online in which privacy has been an issue? Yes, they definitely should. Question 9: Other Comments: I think it's important to educate Americans about privacy - most have no idea how much they give up on a daily basis, or how devastating the consequences could be. Privacy is an essential cornerstone of a democratic society. ### From: Greg Paulsen, gregor19@hotmail.com To: NTIA.NTIAHQ(privacy) Date: 6/15/98 12:06pm Subject: privacy responses 1. Name: Greg Paulsen 2. Email: gregor19@hotmail.com 3. Affiliation: netizen Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? Mostly, there seems to be no notice, in which case I provide little or no information. Many sites do indicate the target of information they ask for. In these cases I can make an informed decision on whether or not to provide any personal information. It is a very important issue to me. 
Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? Many sites I visit do ask permission for secondary uses of any info I may provide, e.g., whether or not I want to subscribe to netzines, e-mail offerings, etc. I would like to see a default button (or check box) choice on whether I want my info sold to other sites/mailing lists; the default should be "No" so that I don't have to do anything unless I want them to sell my info. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? Many sites do provide a "correction" button. All should have such. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them? The law should provide for both fines and lawsuits for such egregious cases as AOL's with Timothy M., the gay sailor outed through his private account. Financial info must be protected in the same way. Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online? As a parent, I know I must try to oversee my daughter's net use; but >>NO<< info provided about or by kids should be sold to ANY outside party by any website or net provider. Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet? The proof is in the pudding, but I would be happy to keep the govt as far out of the recipe as proves possible. Question 7: What experiences have you encountered online in which privacy has been an issue? There are questions I won't answer in surveys. 
Also, without strong encryption, I am loath to use credit cards or any other financial information on the net. The only transactions I've done have been through classified ads, and I have had good luck, never having been defrauded in perhaps a dozen purchases from private parties. I have paid by check or money order through snail mail. Question 8: What experiences have you encountered online in which privacy has been an issue? Definitely. I have had the sad experience of floods of junk mail coming from the sale of my name and address by one charitable organization to many others. Needless to say, I no longer contribute to the org in question. Question 9: Other Comments: The federal government, from the White House to the FBI and on down, needs to realize the importance of the availability of strong encryption to the net-using public. No governmental agency should be provided with a back door key to our private messages and transactions. They (claim they) worry about organized crime. I worry about cop corruption, and abuse by authorities. Americans are put at a great disadvantage by the foolish policy now in place. ### From: "Earl Horsefield" To: NTIA.NTIAHQ(privacy) Date: 6/17/98 12:45pm Subject: Privacy Comments I don't believe that the private sector can or will do any form of effective self-regulation. An example of self-regulation that doesn't work is that of the media. TV is a disgrace as is Moving Pictures and Videos. As a citizen, a Federal Employee, and a (Ordained Permanent) Deacon in the Catholic Church I object to any effort for Government to abrogate its responsibility to any private group or organization. Privacy of citizens is a Public Trust that can ONLY be addressed by government regulation, not guidelines or self-imposed restraint. Only with laws that punish trespassers severely will Privacy violations be stopped. Earl R. 
Horsefield 303 Pine Ave Cuba MO 65453-1618 ehorsefield@cuba-mo-net.com Address answers to home email above not the work email I am sending this from during my lunch hour (Flexitime)... ### From: Erez Klein mail@erez.org To: NTIA Date: 6/17/98 2:53pm Subject: privacy responses 1. Name: Erez Klein 2. Email: mail@erez.org 3. Affiliation: Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you? Not usually. I'm always interested in these matters, but I can form my own opinions based upon the technology being used at the site and the type of business that it is. It is important, but this should be a 'buyer beware' issue. It is really no different than giving info over the phone to someone you don't know. Public education is the key. Unfortunately with only about half the people in the US knowing how many stars are on the flag...what hope is there?? Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? Usually a choice is given in regards of receiving email notifications of like info in the future. Don't give out your info if you're not sure should be taught. Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you? No. It is more important that the companies be able to identify you to be certain that you are modifying your own data as opposed to someone else's. Also, what is to say that a person would enter the correct info? This is more important than the info as the quality of the info needs to have value if it is to be relied upon. Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? 
Should you be able to sue them?

If they are negligent they should be fined. If there are damages they should be sued. If they are intentionally negligent they should be held criminally liable.

Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online?

If you don't know who submitted the info how can you regulate it. I can say I'm a child online. Who's to know. Once a method to identify people online exists this element can come into play. Until then stay out of the way of freedom.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

Absolutely not. Individuals must be vigilant over their own privacy and not expect it to be given to them, legislated etc. No laws to curb Internet use at all please.

Question 7: What experiences have you encountered online in which privacy has been an issue?

None. I understand what is going on.

Question 8: The Elements Paper focuses on the 'online world'. Many experts are more concerned about the 'offline world' collections, such as information collected through grocery store cards, medical records, driving records, etc. Should the same rules apply to these collections?

Stringent rules should apply to the offline world. Leave the Internet alone. The offline world has accountability, the Internet does not!

Question 9: Other Comments:

If you want security you must give up some privacy. If you want privacy, security will suffer. These are the same facts that exist in the paper world we are accustomed to. Why should anyone expect the Internet to be different?

### From: Bill (Willim36@aol.com) To: NTIA Date: 6/17/98 11:46pm Subject: privacy responses

1. Name: Bill
2. Email: Willim36@aol.com
3. Affiliation: ???
Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No, I have never seen any. Yes, it is.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

I haven't seen any. I don't want anyone sending me anything from the information that they gleaned from me while I was on the internet.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

Yes, usually. Very important.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

I am not sure.

Question 5: The collection of information from children is an especially sensitive area. What Should be done to protect children's privacy online?

This is a shot in the dark, but it might be a good idea to have a network or website or server that is dedicated to the privacy of children. Even perhaps special software encrypted especially for the use of children so that when they get online they would be safe from predators. Just a thought. I think that libraries would benefit from something like this.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

I don't think that the gov. regs. would be sufficient. Self preservation is a good motivator. If people show industry that they want security bad enough, perhaps they will supply it.

Question 7: What experiences have you encountered online in which privacy has been an issue?

cookies

Question 8: The Elements Paper focuses on the 'online world'.
Many experts are more concerned about the 'offline world' collections, such as information collected through grocery store cards, medical records, driving records, etc. Should the same rules apply to these collections?

I think that privacy is privacy. The internet just takes different tools to accomplish the task.

Question 9: Other Comments:

Thank you.

### From: Rob Biggerstaff RRBIGGE@westvaco.com To: NTIA.NTIAHQ(privacy) Date: 6/19/98 9:42am Subject: Comments

Attached are my comments for the Privacy Conference and RFC. Format is WordPerfect 6.x. Please advise upon receipt.

_________________________

June 8, 1998

Robert Biggerstaff
POB 614
Mt. Pleasant, SC 29465

Jane Coffin
Department of Commerce, Office of International Affairs,
National Telecommunications and Information Administration (NTIA)
Room 4898
14th St. and Constitution Ave., NW
Washington, DC. 20230
(202) 482-1890.
privacy@ntia.doc.gov

Ms. Coffin,

In the interest of truth in advertising, I would like to preface my remarks with some information about myself and my involvement in privacy issues. I was one of the panelists on the Federal Trade Commission's Privacy workshop last June. I am a degreed engineer and I have spent my entire professional career designing, developing, and working with computer networks and database systems, both in the private sector and for systems used by the United States government.

While not a zealot or fanatic, I would describe myself as someone with a heightened sense of privacy issues. This is a direct result not of any personal experience where I have been the victim of any crime or invasion of privacy, but rather the result of my "inside knowledge" of the Internet, computer databases, their uses -- and misuses. I also run an Internet website devoted to educating the public about the misuses of information, and some steps that they can take to minimize their risks.
I am also the President of the National Association Mandating Equitable Databases (the NAMED, Inc.), a nonprofit consumer organization chartered to help educate the public about unsafe data industry practices and to assist consumers in "opting out" and otherwise asserting their rights over the use of personal and private information.

INTRODUCTION

No business sets out to intentionally injure consumers' privacy. What I see, as a professional, is "collateral damage" - misuse (intentional and unintentional) of data gathered for legitimate purposes. Profiling users, with the user's permission, to see how your Internet site is being utilized is a legitimate use. Using it to build a profile of people to sell and use for other purposes is not a legitimate use. Using it to market to children is not a legitimate use (see e.g. Levi Strauss Mailing Targets Teen Girls, DM News, June 5, 1998. http://www.dmnews.com/articles/1998-06-01/1040.html). Collecting information necessary to process a subscription or billing is legitimate. Using that information to populate third party lookup services is not. Using a credit report to decide whether or not to make a loan to a consumer is a legitimate use. Using it to commit identity theft is not.

As a counter to some of the invasive data practices, an unintended result is intentionally falsified information. If you can't assure me you are only going to use this information about me for legitimate purposes and that you'll never release it to anyone else, I won't give it to you. And if you require me to provide things like a name and address, I'll simply provide false information. I've done it as has nearly every other Internet user at one point or another. I have personally seen instances where over half of the names and e-mail addresses provided by users were fake. The end result is unreliable data that is nearly worthless.

It is the legitimate businesses that are hurt by this intentional obfuscation.
A few horror stories of people hurt by illicit use of data cause scores of people to falsify data, even when given to reputable companies. I recently filled a prescription at a drug store. The pharmacist asked for my social security number ("SSN"), address, phone, and birthdate. I provided false information because there was no explanation of the need or use of the information, and no guarantee of confidentiality. Even if such a guarantee was given, I would have still given false information since there is no real method to assure compliance or to redress a violation of that promise.

The lesson to be learned from this is that in the long run, legitimate businesses that depend on information will be enhanced by laws protecting privacy and the use of personal information. By eliminating illicit use, consumers will be less apprehensive about providing accurate data to legitimate firms. The one instance of a national pharmacy chain compromising customers' privacy (CVS) has caused me and thousands of others to now distrust all pharmacies.

RAW MATERIAL OF THE INFORMATION ECONOMY

Sensitive personal and private information is the hazardous material of the information industry. And like a hazardous chemical, it demands rigorous controls and handling precautions from those who choose to use it. If a leak occurs, it can remain undetected for years, only to surface far away from the source of the leak, and cause damage decades later. I have never been one to foist unnecessary regulation onto business, but the status quo is unacceptable. We should not have to wait for the "Love Canal" of the information age before we take action.

INFORMATION IS MONEY

Now, more than ever before, information is money. Some companies, recognizing the future value of information are collecting vast quantities of data on consumers, even though they have no way to actually use the information.... at least not yet. Huge data 'vacuums' are hoovering up every piece of consumer data they can find....
partially for speculative or anticipatory use, but also as a hedge against future regulations on the collection or dissemination of such information. Data sellers are also pushing to obtain as much sensitive information as they can before laws and regulations stop their activities. I have seen numerous advertisements from data brokers, hawking their wares with phrases such as "get it now while you still can", and "buy your copy before new privacy laws close these records."

This is not a new phenomenon, but it has been enabled by 1) the increase in power and capabilities of personal computers, 2) the explosion of digital information on the Internet, and 3) the inexpensive way that massive amounts of data can be archived, duplicated, and sent around the country - Computer CD ROM disks. For example, at least one vendor is selling financial data that is over 20 years old, since that data was grandfathered by privacy laws passed later.

Another example is the state of South Carolina. In 1995, that state sold to direct marketers the driver's license information (name, address, birthdate, height, weight, etc.) of all 3.6 million South Carolina drivers. Even though the practice has now been made illegal and the database was only sold once, marketers continue to this day to sell a CD ROM with the 1995 data on it. This data continues to be used by other marketers and database vendors to populate and expand other databases and lookup services. For any effort at control to be effective, it must apply to all data regardless of when or how it was obtained.

LOSS CONTROL PARADIGMS

Security of sensitive information presents unique challenges in the information industry. Traditional loss-control paradigms don't apply. For example, a hardware store takes steps to physically secure a saw from being stolen, since if the saw is stolen, the store has lost a valuable piece of tangible property. The saw, once lost, can not be sold, and the store has to pay for another saw to replace it.
With information as an asset, the rules are changed. If someone illegally accesses a computer with sensitive personal information in it, they don't actually take the information, they copy it. The original is still in its place. In general, the owner has not incurred a tangible loss (other than the loss of a potential sale to the person who stole the data rather than paying for it.) The traditional incentive - prevent theft to reduce tangible loss - is practically nonexistent with digital data. In fact, there is a disincentive to implement loss prevention where the cost of the protection exceeds the value of the potential loss. However the loss to the consumer is not taken into the vendor's calculations.

For example, consider a manufacturer who has a tank where a chemical is stored. The chemical is inexpensive, and even if it all leaked out and had to be replaced, the cost to the manufacturer would only be a few hundred dollars to replace the lost material. Why would he spend thousands of dollars on a new, leak-proof tank in order to prevent a few hundred dollar loss? The millions of dollars in damage to the environment and his neighbors' ground water is not part of the manufacturer's equation.

Similarly, the "leaking" of personal and private information is not a tangible "loss" to the vendor who sells it, but it can be a serious loss to the consumer. Where is the incentive for a vendor to implement encrypted transfers, verify the identity of the recipient, keep an audit log, or audit for compliance? These costs do not improve their product or create more sales.... but they are an absolute necessity for protecting his neighbors and society.

Also, since a copy of information is as good as the original, once sensitive data is compromised, it can be mass duplicated and redistributed at will. Personal information truly is a genie that can not be coaxed back into the proverbial bottle.

INDUSTRY EVASION

Consider also the example of PublicData.com.
In 1997, this Internet web site purchased the complete rolls of Texas drivers' license records and auto tags, and placed this data on the Internet - for free. Any person could visit this site, and get the home address, birthdate, height, weight, and other information on anyone in Texas, including President Bush and his wife Barbara. Anyone could find the name, home address, and other information with just a Texas license tag number. As a response, the state of Texas made it illegal to provide such information on the Internet. The result? To the chagrin of Texas officials and the distress of Texas residents, the PublicData.com web site simply moved offshore, escaping the reach of Texas law, and is now a commercial information broker, charging a fee for access to its databases.

Anyone with an interest in the regulation of personal and private information access should consider the example of PublicData.com very carefully. The Internet provides the perfect medium for doing two things - providing information and evading laws on providing information. Once information is released, it can not be controlled. The only protection is to stop the release at its source.

AN ANALOGY TO CABLE TV

In considering regulations and other issues of Internet, consider an analogy of the Internet to Cable TV. You enter a monthly service agreement with a service provider, whereby you receive access to a number of channels (sites) and you have the ability to obtain other channels (sites) if you join/pay/register for them. There are also pay-per-view channels (sites). Your viewing habits can be easily tracked and recorded. There are some channels (sites) for all types of special interests... including some patently for adults only, and some offering information on controversial topics such as abortion, birth control, AIDS, drugs... the list is endless. Service providers, with the assistance of the cable operators, have the ability to identify individual viewers of each channel (site).
A complete dossier of what you view (visit) can be compiled and used for innumerable purposes - some innocuous, and some malicious. Public disclosure or commercial use of information about your viewing habits (cable or Internet) has serious impacts on privacy, on your ability to exercise first amendment, and on other constitutional freedoms.

We are all aware of intrusive marketing ploys, that collect all manner of personal information via a web site and then use it to further populate massive databases. There have already been examples of "front" sites (such as the Cult Awareness Network) purporting to be "for" or "against" a particular cause (such as abortion), when in reality they were being run by the "other side" as a scam to obtain names and addresses of "opponents" in order to target them for harassment, ridicule, or just to keep "on file" in case the subject ever ran for office or otherwise stepped into the public spotlight.

This is not a situation unique to the Internet. Many companies have set up toll free "1-800" numbers, purporting to offer free information about some medical condition, the weather, or other service. However, the real purpose of these systems is to capture the name and telephone number of callers in order to build a massive database of people suffering from the disease or interested in the issue served by the 1-800 service.

Computers never forget. Will a web site visit resulting from a one time curiosity with hemp production or a college term paper on abortion turn into a weapon to be brandished by an enemy 30 years hence? I believe it should not. Should visiting a site about a militia group in the news put you on a dozen mailing lists and identify you as a supporter of neo-Nazi groups? Absolutely not.... but this result is the state of technology and information practices today.

Congress recognized with the Cable Communications Policy Act of 1984 (47 U.S.C.
521 et seq) ("the Cable Act") that viewing habits and other records associated with a consumer's cable TV account were deserving of extra protections, partially because of the high regard for personal liberty and privacy, and protecting the citizens' right to seek entertainment and information on cable TV without fear that records of their viewing habits would be subject to misuse or disclosure. There are also similar federal laws covering other consumer data such as movie rental and telephone records. There is no logical reason for limiting these controls on release of personal information to cable TV records.

Look at the recent headlines. Special Prosecutor Kenneth Starr is attempting to force a bookseller to disclose what books were purchased by a consumer. Such records... if available for the asking... would certainly chill a consumer's desire and ability to freely choose the books they wished to read. The same holds true for any publishing medium... including the Internet. The irony is that if he was a direct marketer, the special prosecutor could likely buy almost any information he wanted on a consumer's purchases.

CONCLUSION

I believe that the limits placed on cable television records would be well suited as a model for regulation of web site records. Indeed, with massive computerization of all aspects of retail sales and information collection (such as supermarket "shopper" cards, personal dossier databases such as Acxiom, and the explosion of irresponsible Internet based information brokers such as "Dig Dirt" and "Sherlock") I believe the Cable Act model may need to extend to all manner of commercial entities that collect, store, and release consumers' personal information not already covered by federal law (such as credit reporting agencies).

I leave the reader with the following hypothetical.
If Judge Bork were nominated to the Supreme Court today, and instead of revealing his video tape rentals, his Internet site visits were revealed, disclosing an occasional visit to controversial sites, what would be the reaction? What about his book purchases at Amazon.com? His chat-room discussion on America Online? What about his purchases at an on-line shopping site? What about records, attributed to Judge Bork, of the prankster pretending to be Judge Bork while visiting racist Internet sites? I believe the response to such disclosures would be the same as we saw after the release of Judge Bork's video rental records.... swift action by Congress. I hope we don't have to wait for damage to be done before reasonable action is taken.

1. The discussion paper sets out nine specific characteristics of effective self regulation for privacy: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences. Which of the individual elements set out in the draft discussion paper do you believe are necessary for self regulation to protect privacy? To what extent is each element necessary for effective self regulation? What are the impediments and costs involved in fulfilling each element of a self regulatory scheme? What are the competing interests in providing each element? How would the inclusion of each element affect larger, medium sized, and smaller companies? What advantages or disadvantages does each element hold for consumers? What are the challenges faced by companies in providing each element? How do these challenges depend upon the size and nature of the business?

A choice is only valid if the information and premises the choice was made on are valid. All the elements are part of the information foundation necessary to enable an informed choice. Most of these elements are already in place to varying degrees in different industries.
However, they are implemented to the degree that benefits the seller of the data, and not the consumer. For example one of the credit bureaus implements a password protected computer system for subscribers to dial in and pull credit reports. However, the system's design is more in keeping with verifying billing information and ease of use rather than preventing illicit access. For example, the passwords are only two digits long and are never changed. In most cases, userIDs and passwords are assigned and remain the same for years. As a computer security professional, I find such practices woefully inadequate to protect such information. The same company publishes and distributes false and misleading information on their security practices. One can only assume that such mis-information is aimed at falsely assuring the public and staving off regulatory action.

When considering application to businesses of varying sizes, regulation of the information industry is different than others. Where a small contractor or manufacturer has only a minimal impact individually on pollution or employment practices, those regulations often have legitimate exemptions for the small business. In the information industry however, things are different. A small information broker can set up shop in just a few days for less than the price of a new Yugo. Unlike a small retail shop who is limited in the number of customers it can serve by the location and size of the store, an Internet "store" can serve millions of customers a day. While one small store front selling credit reports over the counter can only cause a small leak, a similar broker set up on the Internet can cause a flood, selling thousands of credit reports in one day. This is why even a small number of companies who fail to comply with "voluntary" standards will render any privacy protections useless. Anyone who wants illicit data will simply use one of the brokers who don't comport to the voluntary guidelines.
The explosion of fly-by-night information brokers on the Internet also causes me great concern. Many of these companies are not concerned with anything other than whether or not your check clears the bank. Anyone can sign up and get telephone records, credit reports, medical data, unlisted phone numbers... the list is endless. This explosion of information brokers is catalyzed by the growth in power of personal computers and the Internet's ease of collecting and distributing information.

2. The draft discussion paper notes that individual industry sectors will need to develop their own methods of providing the necessary requirements of self regulation. How might companies and/or industry sectors implement each of the elements for self regulation?

Nothing has been proposed that is not either already in place or a simple adaptation of existing business practices. Collecting one more piece of customer information (can this data be re-sold) is simple. This isn't rocket science. Don't collect information you don't need. Don't collect or use data without first telling the consumer what you are doing. Give the consumer the right to opt-out and to see all information you hold on them. Protect all information you hold from misuse. If you decide to sell information, make positive ID of the recipient and keep accurate logs.

3. Please submit examples of existing privacy policies. In what ways do they effectively address concerns about privacy in the information to which they apply? In what ways do they fail?

I have no individual examples of such policies to submit, but I would like to make three observations about those that I have seen. 1. They rarely exist. 2. Where they do exist, they are hidden away and difficult to find - the equivalent of the 'small print' on a contract. 3. They are grossly in favor of the maker, and against the consumer.
One example is Microsoft, which says you can opt-out of solicitation from third parties, but you have no ability to opt-out of allowing Microsoft to sell to other database companies and marketers, any data you provide to Microsoft or anything else Microsoft learns about you.

4. Are elements or enforcement mechanisms other than those identified in the draft discussion paper necessary for effective self regulation for privacy protection? If so, what are they? How might they be implemented? In addition to the fair information practices and enforcement mechanisms stated in the discussion draft, are there other privacy protections or rights essential to privacy protection?

Three things come to mind. First is anonymous access and access logs. If release of information without permission is to be regulated, how can illicit access be proven? How can it be audited? Just like inquiries on a credit report, you must keep an accurate log of all people you have provided my data to. Without it, there is no audit trail. Anonymous access must not be allowed.

Similarly, recipients of data must be able to identify the source of data they obtain. For example, let's say I find my name and personal information being sold without my permission in a database of people who like jazz music. I suspect that data was sold by a jazz music website that I had told to NOT release my personal information. How can I prove it? Right now, I slightly alter the spelling of my name or address when registering products or websites, in order to trace the source of the leak. This should not be necessary. I should be able to contact the database, and require them to tell me from whom they obtained my data. Without this critical audit trail, any other regulation - voluntary or mandatory - is eviscerated.

Third is the creation of new data products from multiple sources.
Congressman Frank Horton said in 1966 that: "One of the most practical of our present safeguards of privacy is the fragmented nature of personal information. It is scattered in little bits across the geography and years of our life. Retrieval is impractical and often impossible. A central data bank removes completely this safeguard."

A single personal computer now has more power than all the computers owned by the entire US government in Congressman Horton's time. A single PC can be outfitted with off the shelf products for less than $10,000 that can hold the name, SSN, address, and birthdate of every adult in the country. By merging databases with seemingly innocuous data, new databases can be created that are a much larger threat than any of the subparts. These are in essence the "data banks" that Congressman Horton warned about.

For example, a user visits a web site about allergy treatments which collects the user's E-mail address, and sells this info to a direct marketer. All this database says is that these E-mail addresses are interested in allergy remedies. By using a different database of global E-mail addresses, the marketer can determine the name and address of the E-mail address holder. With a name and address, they can obtain the phone number from any number of resources. With a name and address, they can obtain the user's SSN, and demographics such as income and race. Now they can re-publish a database of name, address, telephone, SSN, birthdate, age, sex, race, income, etc., of allergy sufferers.

This compilation of information from multiple sources creates new comprehensive databases that are much more invasive than the sum of their parts. Combining otherwise innocuous information together into a central database can transform innocent tidbits of information that are not independently sensitive, into a highly sensitive dossier.

5.
Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?

Traditionally, marketing databases are "seeded" with names and addresses designed to catch people violating terms of use. If you purchase a mailing list to send out a one-time mailing, but you re-use the mailing list in violation of the contract, these "seed" addresses will expose you. But if a marketer buys a database, and transfers it to a third party who uses it for a lookup service, there is no way for the original vendor to know of this use.

Individual consumers do not have the ability to "seed" their personal information to track where it goes. They have no way of knowing when their personal information is added to a lookup service. When they do discover it, they have no way to determine from where the information was obtained. This is why leaks of information can never be found - there is no trail of bread crumbs to the source.

I believe there is a need for a confidential brokerage service. If I have a database, and I have promised privacy to my customers in exchange for them giving me their information, I must not release it to third parties. A marketer wants to send free coupons to my customers, but I can't give him their addresses. He could give me the coupons and I could mail them, but then what proof does he have that I mailed them and didn't just throw them away? A confidential broker could take the marketer's coupons, and my mailing list, and confidentially use my mailing list to address his coupons to my customers. My customers' privacy is not compromised.

However, a more sinister aspect of re-use beyond intended purposes exists. As more business is based on information and data, the value of information as an asset increases.
A common phenomenon is a business whose major asset is not the building it owns or the manufacturing facility - it is the data that it has compiled. A business may be able to compile a very comprehensive database of very personal and private information because of rigorous assurances to the subjects that their information will be used only inside the company and will not be released for any other purposes whatsoever. That database could be an irresistible fruit to a direct marketer who could buy the company (or enough stock to control it) just to obtain the database.

Take for example Catalina Marketing in St. Petersburg, Florida (http://www.catmktg.com/news.htm). Catalina Marketing contracts with over 11,000 supermarkets that, using "frequent shopper" or similar cards, collect and record every single item purchased by each consumer. What would happen if, in 10 years, an insurance company bought Catalina Marketing to get their database? Then, using this database, the insurance company could deny insurance to someone because they had bought too much fatty food in the last 10 years. They could sell the data as a lookup service to employers doing background checks to see if an applicant buys alcohol or cigarettes. They could even identify single women applicants who buy birth control for the "discriminating employer who prefers morally wholesome employees." And every bit of this is legal.

6. Please comment specifically on the elements set out in the draft discussion paper that deal with enforcement (verification, recourse, and consequences) and suggest ways in which companies and industry sectors might implement these. What existing systems and/or organizations might serve as models for consumer recourse mechanisms, and explain why they might or might not be effective? Would a combination of elements from existing systems and/or organizations be effective? How might verification be accomplished?
What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary, and in what cases would something such as self certification or assertions that one is "audit-ready" suffice? What criteria should be considered to determine the kind of verification that would be appropriate for a company or sector? What constitutes "reasonable access?" What are the costs/impediments involved in providing access? What criteria should be considered to determine "reasonable access" to information for a company or sector?

First, industry has often cried wolf with the perceived injury of new regulations. Second, when it is the right thing to do, it needs to be done when the cost is reasonable. The information industry has had a free rein to pillage personal information at will, and now it is time to accept more responsibility in return for their membership in the society of man. The "wild west" of unfettered access and exploitation of personal and private information must end. In fact, the longer the industry remains unregulated, the more Draconian eventual regulation will be perceived. Had reasonable regulation been imposed from the beginning, we would not even ask these questions today.

Since comprehensive privacy protections - either voluntary or mandatory - have not been in place in this country, it is difficult to predict with any specificity the details of compliance verification systems. Being purely speculative, I believe an adaptive combination of both self-verification and third-party verification would be reasonable. For example, a self verification and minimalist third party verification along with compiling of complaints would be a first tier of "grading." Companies with high grades for compliance can continue self-verification and minimal third-party verification. Those with lower grades will be hoist of their own petard...
and subjected to more rigorous third-party verification until such time that they can demonstrate the leadership to obtain higher grades. As a company's level of compliance changes, its level of verification will adapt to that level of compliance. An adaptive system that rewards compliance with lower costs of verification creates the incentive for companies to comply voluntarily.

One excellent method of verification is empowering consumers as the primary enforcement mechanism. So-called "private attorney general" statutes, such as the Telephone Consumer Protection Act (47 U.S.C. 227), work very well in this regard, as they effectively deputize 200 million Americans to enforce the law. Statutory damages such as the TCPA or the Cable Act provide an appropriate level of compensation both for the injury to the victim, and to compensate them for the time and effort in enforcing the law.

7. In the section on consequences, the draft discussion paper states that "sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion." Identify appropriate consequences for companies that do not comply with fair information practices that meet this goal, and explain why they would be effective.

One problem is that traditional market sanctions don't come into play. Consumers can not "vote with their feet" by taking their business elsewhere unless 1) the consumer is informed and 2) the consumer actually does business with the company.

Consider credit bureaus. The consumer does not "pick" which credit bureau to do business with, or which credit bureau has the franchise to sell that consumer's data. If a local bank decided to sell name, address, SSN, birthdate and other credit "header" data on its customers to anyone who paid $2.00 for it, that bank would soon go out of business, since consumers would 1) know about it and 2) would take their business elsewhere.
However that is exactly what the credit bureaus do because they have no allegiance to the consumer, and the consumer has no ability to take their business elsewhere.

Another aspect of traditional penalties associated with regulation of information access, is demonstrated by the FCRA. A consumer can generally take action only against someone who obtains information in violation of the FCRA, not the company who provides it. In addition, a consumer must usually demonstrate actual damages. These hurdles combine to form a nearly insurmountable burden to anyone seeking redress against illicit use of their information. So few cases can surmount these burdens, that the companies can simply pay the losses from a rare successful complaint rather than put more effective access controls in place.

a. Penalties for unauthorized release, not just unauthorized access. While a person who accesses information for illicit purposes is certainly doing a wrongful act, a company who does not perform due diligence in determining the identity of the recipient and the recipient's right to access the data is failing their duty to protect the data from unauthorized use. We don't allow dynamite or guns to be sold without a license check and positive ID of the recipient. Data such as credit headers can just as easily be used to commit crime. Similarly, records of web site visits, Internet purchases, and other Internet activities can be used to embarrass, extort, and otherwise injure consumers.

b. Liquidated damages. The failure to follow safe information practices leads to many injuries of consumers. But in most of these cases, the injuries are not quantifiable. It is difficult to put a price on the feelings of fear and dread that sweep over you when you find out someone has obtained your credit report or DMV records without your knowledge or permission.
The time spent in contacting banks and credit card companies to respond to potential security threats is time the victim should not have to spend. A $1,000 civil penalty for the release of information without verification of the identity and permissible use by the recipient should be available, independent of any necessity to prove any actual damages. Such "private attorney general" statutes are well known and work well. As an example, the Telephone Consumer Protection Act (47 U.S.C. 227) provides for this type of enforcement. It has worked extremely well in practically eliminating junk faxes and automated telephone solicitation calls. The Cable Communications Policy Act of 1984 (47 U.S.C. 521 et seq) is another good model for private enforcement of privacy regulations.

8. What is required to make privacy self regulation effective? Self-regulatory systems usually entail specific requirements, e.g., professional/business registries, consumer help resources, seals of accreditation from professional societies, auditing requirements. What other elements/enforcement mechanisms might be useful to make privacy self regulation effective? How have these enhanced or failed to enhance a self-regulation regime?

As explained earlier, seals of accreditation, registries, etc., only come into play when the consumer can choose whether or not to do business with that company. In the case of lookup services, information brokers and credit bureaus, such choice is non existent. It would be wonderful if enhanced privacy could be considered a value added service, and traditional market forces could operate, but that is not the case today. On the other hand, where licenses are required for a specific field (attorneys, private investigators, etc), having licenses contingent upon compliance to fair information standards can work given 3 things:

a. Swift and sure enforcement. There must be a high likelihood of getting caught.

b. Meaningful punishment. A slap on the wrist is insufficient.
It must be considered a significant transgression that if repeated, would threaten the professional license.

c. Regulatory Necessity. The license that is subject to revocation or suspension must be legally necessary for doing business in that field.

9. Self regulation has been used by the business community in other contexts. Please provide examples and comment on instances in which self regulation is used in an industry, profession or business activity that you believe would be relevant to enhance privacy protection. In what ways does self regulation work in these instances? In what ways does it fail? How could existing self-regulatory regimes be adapted or improved to better protect privacy?

The measures in the draft are all premised on the consumer being able to make a choice. But that choice, in order to be a real choice, has to be an informed one. I am unaware of any self regulation of privacy related issues that has been even moderately successful. The guidelines proposed by the DMA last summer are woefully inadequate.

With regard to voluntary guidelines in the marketing industry, I think one example is worth noting. The Direct Marketing Association ("DMA") encourages its members to use the Telephone Preference Service ("TPS") in their telemarketing campaigns. This is a list of consumers who have taken an affirmative act to tell telemarketers that they do NOT want to receive telemarketing calls. The result? In 1991, the DMA testified before Congress that out of over 3,500 DMA members, less than 90 actually used the TPS. Many DMA members actively tell consumers that to reduce unwanted telemarketing calls, they should contact the DMA and register in the TPS. However many of these members who promote the TPS to consumers as a way to reduce the number of telemarketing calls, do not use the TPS themselves!

10. Please comment on the extent to which you believe self regulation can successfully protect privacy online.
Are there certain areas of online activity in which self regulation may be more appropriate than in others? Why?

At this time, I am unaware of any self regulation of online privacy related issues that have been or could be even moderately successful. This is dictated by several things.

First, consumers are for the most part unaware of the perils of misuse of personal and private information. It took Love Canal to wake the country up to chemical pollutants. It will unfortunately take a similar catastrophe to demonstrate to the American people the dangers of information misuse.

Second, as explained earlier, a single noncompliant information outlet can do very serious damage in a very short time. Self regulation, by its voluntary nature, will always be under-inclusive, and fail to bring many companies into compliance.

Third, the financial incentives are all wrong. An information broker can sell a header report on the Internet for $50.00, but the report only costs the provider $2.00. The entire transaction can be automated, no human hands have to be involved... the end user inputs all the data, and the web server does the rest. The results can be returned instantly. Why should anyone engaged in this business comply with "voluntary" standards when the result is a reduction in sales, and an increase in costs? With financial incentives like this, there will always be illicit providers who will flout voluntary guidelines.

11. Please comment on the costs business would incur in implementing a self-regulatory regime to protect privacy. How do these costs compare to the costs incurred to comply with legislation or regulation?

With regards to websites, the vast majority of information collection is automatic or entered by the user themselves. Giving users the ability to delete their information, or a field to indicate that the information is not to be re-released or sold would be inexpensive to implement.
Indeed, in most cases, web sites have gone to extra expense just to obtain and store information that is totally unnecessary to the operation of their web site... this information is being obtained solely for marketing purposes.

A greater cost is the lost profits to those companies of sales of personal data from people who previously had no option to "opt-out." If 50% of the people opt-out, that reduces the income from the subsequent sale of the consumers' information. In some instances, the sale of consumer information is a significant source of income. As an example, some speciality magazines and other subscription services derive more income from the sale of subscriber info than they do from the subscriptions themselves. I do not believe however, that there is any right to continued unjust enrichment from the continued sale of information that should not have been sold, or even collected, in the first place.

12. What issues does the online environment raise for self regulation that are not raised in traditional business environments? What characteristics of a self-regulatory system in a traditional business environment may be difficult to duplicate online? Does the online environment present special requirements for self regulation that are not present in a traditional business environment? Does the traditional business environment have special requirements that are not presented in the online environment? What are these requirements?

The power of personal computers and the connectivity of the Internet are major differences between Internet paradigms and those of traditional businesses. However, the key with respect to privacy is the nature of the medium - digital data. Digital data can be massaged, manipulated, indexed, sorted, and compiled at the speed of light. Traditionally, name, address, and other information was collected on a paper application or membership form. The cost of actually entering all this data into a computer was prohibitive.
The increase in the value of the data, and reductions in the cost of obtaining it in electronic form have changed the equations significantly. By having the user enter the information themselves, this hurdle is removed. The digital medium is the single most important element that has enabled the assault on privacy. More data can be collected at more points than ever before.

Another concern is the ability of an information broker to set up shop on the Internet with no physical place of business, no business license, and no other controls on them. While many reputable businesses operate this way, so do many disreputable ones. It is easy to find dozens of information brokers on the Internet... many having come into existence in the last few months.

The anonymity of the Internet also presents certain problems. Without controls to require information providers to verify the identity of the recipients of the information the brokers are selling, anyone can obtain practically anything anonymously. I have personally obtained information under a false name, and had it sent to an anonymous e-mail address. It is a stalker's paradise. The Internet enables this type of surreptitious activity.

13. What experiences have you encountered online in which privacy has been at issue? In what instances has privacy appeared to be at risk? In what instances is it well protected? In what ways have businesses or organizations been responsive to privacy concerns? How difficult have you found it to protect your privacy online? What circumstances give rise to good privacy protection in a traditional business setting or online?

Many times, web sites ask for personal information. Because of my professional knowledge of computers and databases, I personally refuse or provide false information. However, most users do not, and thereby expose themselves. I have refused to use America On Line and some other services who I know or suspect of rampant privacy abuses.
While I as an expert find these precautions a mere inconvenience, most users do not share my level of knowledge or expertise and would find such precautions burdensome if not impossible to implement. They are generally unaware of the risks such disclosures may entail, and they are not able to take the precautions that I take. Placing the burden of 'protection' on the unknowing user is unacceptable.

14. The Administration's A Framework for Global Electronic Commerce cites the need to strike a balance between freedom of information values and individual privacy concerns. Please comment on the appropriate point at which that balance might be struck. What is the responsibility of businesses, organizations or webpages to protect individual privacy? To what extent do these parties have a right to collect and use information to further their commercial interests? To what extent is it the individual's responsibility to protect his or her privacy?

Freedom of information does not mean that information must be made available anonymously and in bulk. It does not mean unjust enrichment. It does not mean invasion of privacy. It does not mean false light. Freedom of information means that government is not conducted behind closed doors. It means that the government's papers are open to inspection by the governed. It does not mean a website has carte blanche to record and report on everything I do without my permission. It does not mean that a business can make a condition of sale, the release of personal and private information beyond that legitimately needed for business needs.

The doctrine of sic utere tuo ut alienum non laedas is still the law in this country. You must not use your property or business, to injure me. It also means that you must not knowingly enable others to hurt me with your products.

The digital age has removed the protections Congressman Horton spoke of. Data is no longer scattered in little bits here and there.
Identity theft, invasion of privacy, and threats to personal security are all real injuries that are enabled by lax data handling practices. The goal must be to protect consumers from the misuse of their information... regardless of who actually misuses it.

### From: Dan Maceda dmaceda@erols.com To: NTIA... Date: 6/21/98 10:00am Subject: privacy responses

1. Name: Dan Maceda
2. Email: dmaceda@erols.com
3. Affiliation:

Question 1: When you go to Web sites, do you typically see notices telling you what companies are doing with information about you? Is this important to you?

No, but when I do the message is frequently too long and written in legalese. Yes, I want to know who is collecting what and for what purpose.

Question 2: Do Web sites that you visit give you control over secondary uses of your information (for example do they ask your permission to send you more information, or let you opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer?

Sometimes. Some let you opt out of mailings from their sponsors or other sponsors they think you might want to hear from. I want the ability to opt in by choice and the default to be opt out.

Question 3: Do you find that companies give you the ability to access and correct data that you have provided about yourself? How important is this to you?

No. I wrote to one and asked to have myself removed from their database and wanted to know what had been collected. They did remove me I believe but only after I sent a form through the mails. They did not tell me what they had collected.

Question 4: How should companies be held accountable for failures to protect privacy? Should they be fined? Should you be able to sue them?

They should be fined and they should be able to be sued. They should have to notify any and all others they have sold the information to that it was collected in violation of the law.

Question 5: The collection of information from children is an especially sensitive area.
What should be done to protect children's privacy online?

No information should be collected from children. Only the adult responsible for the child's welfare should be able to provide information for or about the child.

Question 6: Do you think that if industry adopts all of these measures that your privacy will be protected? Would you rather see government make laws to regulate privacy on the Internet?

I think that only laws with strong enforcement provisions backed by international treaties are likely to ensure privacy.

Question 7: What experiences have you encountered online in which privacy has been an issue?

I sent a question to a site and received an email back that said they didn't understand the question but it included my home phone number which I hadn't provided.

Question 8: The Elements Paper focuses on the 'online world'. Many experts are more concerned about the 'offline world' collections, such as information collected through grocery store cards, medical records, driving records, etc. Should the same rules apply to these collections?

Yes. There is some justification for collecting information about individuals but none for keeping the information in a form that allows the individual to be identified. There is no reasonable purpose for combining the information from store cards, medical records, driving records, etc. to produce a profile of a person.

Question 9: Other Comments:

###
Privacy Protection on the Internet: The Marketplace Versus the State*
Richard S. Rosenberg
Department of Computer Science
University of British Columbia
Vancouver, BC, Canada V6T 1Z4
### Study submitted: "IP Address: Your Internet Identity" by Russ Smith of Consumer.Net, March 29, 1997
###