Comments Received -- June 22-29, 1998

###
          
Reliant Global Services L.L.C.
13305 Birch Street
Suite 102
Omaha, NE 68164
June 22, 1998

Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th St. and Constitution Ave., NW
Washington, D.C. 20230

Dear Ms. Coffin:

Having read the paper "Elements of Effective Self regulation for
Protection of Privacy" and the associated set of questions posed
by your organization, I offer the following comments.  Please
note that I am speaking only for myself, as an IT professional
with over 30 years of experience in the DoD, Federal, State, and
commercial information processing arenas.  My comments do not
represent an official position of the firm with which I am
currently employed.
General:  Privacy is going to be extremely difficult to protect,
regardless of who is responsible.  Information of the most
intimate and detailed kind is simply so available for explicit
and implicit capture, and so easily manipulated and exchanged
that any notion of 'regulating' its use in any absolute,
controlled form is, for want of any better description, just
plain silly. 
In the 'real world' of shopping plazas and strip malls, to cite
just one example, we can readily distinguish between acts of
'window shopping', 'browsing in a store', 'making a purchase',
and 'responding to a customer preference survey', and to
recognize / know, as a result, the degree of privacy I must be
willing to surrender in order to complete each of the acts. 
While I 'know' for example that I must 'explicitly' give someone
my credit card number in order to complete a charge purchase, I
also 'know' that any request to 'explicitly' provide my card
number to someone before I can enter a store and look around is
suspect.  In terms of 'implicit' capture of information, I also
'know' that someone may be counting visitors to a store or
peeking through mirrors to look for potential shoplifters, which
is clearly okay, but I also 'know' that someone filming me in a
dressing room and displaying the results on television without my
'explicit' consent is illegal.
In 'cyberspace', the boundaries are not so clear.  'Window
shopping' via the Internet requires just about as much of a
surrender of privacy as 'making a purchase'.  Long before I can
do either act, someone has captured a wealth of information about
me ranging from my credit card number to where I live and work. 
Consummating ANY act on the Internet enables a great deal more
personal information to be either explicitly or implicitly
captured (or both).  When do I usually sign-on...my ISP provider
needs to know for capacity planning purposes.  Did I 'visit' your
Web site today...the creator of the site and its host all want to
know to decide if the site is attracting sufficient numbers of
visitors.   Does my on-line service use 'captured' demographic
data to sell advertising space...of course, just as television
uses the statistically derived equivalent Nielsen numbers.
I see only one viable approach to guarding privacy in the 'cyber'
world - making the invasion of it, clearly defined in terms of
misuse, a federal crime, and give a federal agency responsibility
for proactive enforcement of the law.  Using one of the 'real
world' shopping examples...you can protect your store's assets by
any reasonable means - mirrors in dressing rooms, security
cameras, patrolling watch dogs, whatever.  What you cannot do is
invade privacy through misuse of any of those means, as evidenced by
allowing non-security personnel to look into dressing rooms or
strip-searching visitors at random or by showing dressing room
films over your local cable access channel.
Questions contained in notice: 
1. All of the elements are necessary to some degree, however,
accountability and consequences are CRITICAL. Positive control
over private information must be maintained...from capture to
utilization and exchange. The only way to ensure such control is
maintained will be through audits / accountability checks and
through administration of severe consequences when such a failure
is uncovered.  Ideally, all private information would be
protected to the same degree that financial information is. 
Given that achieving this degree of protection would be costly,
the near-term effect of requiring such protection would be to
raise the cost of entry for anyone desiring to do business via
the web.  One viable and possibly less-costly (per individual)
alternative might be to set up a single agency or service, one
that could be closely monitored by the community and regulated by
the Government, to handle 'private information'...with any other
organization or person not appropriately licensed and controlled
unable to capture or distribute it.   This could be accomplished
voluntarily or the Government could mandate it. Registering with
the central org would be like applying for a Social Security
card...done once at an early age; maintained over the years as
demographic and other private data changed.  Once an account for
your 'private' information was established, anyone you needed to
interact with (or who needed to interact with you) would utilize
the controlled services of the intermediate organization to
verify identification, etc.  With the information this
centralized, controlled organization would possess, its power
would be great and the temptations to abuse that power many. 
Unfortunately, in cyberspace, we are no longer arguing about
whether some person or some agency will have such power and face
such temptations...all that is FACT.  The only really open issues
are to what degree can this reality be managed and how can any
such management be imposed at this time.
2. My response to question 1 above discusses one way protection
could be implemented.
3. I do not know of any fully effective privacy policies.  The
best we have are those implemented and executed through
automation, with proactive human oversight.  Every system I know
of that has been designed to 'protect' information or its
dissemination has been subverted or overcome in some way.  
People routinely ignore policies, even those who set such
policies up, if sufficient reason for violation can be
'rationalized'.  In the end, accountability and consequences are
the only practical way of optimizing policy adherence.
4. I think that the draft discussion paper is comprehensive
enough, in terms of elements.  My comments on enforcement
mechanisms are contained in the response to question 1.
5. Yes, consumer limitations should, in fact MUST, be imposed on
any third-party provided information by the original 'capturer'. 
I do not see any other way than that I presented under 1 above.
6. The operating 'model' that comes to mind is the banking
industry - substituting 'private information account' for 'bank
account'.  Every handler of a 'private information account'
should be subject to the same kind of regulation and  oversight
that any handler of a 'bank account' gets, and should feel the
same level of concern over protection of someone else's
information given them in trust that they would feel over
protecting someone else's money given to them under similar
circumstances.
7. Based on the 'model' presented under 6 above, I would see
similar consequences for failure to adhere to rules and
regulations: heavy fines, prison sentences, and closing of a
business.  This model and these mechanisms have worked pretty
well for the banking industry, as the record shows.
8. I do not really see any way to make privacy self-regulation
effective.  Any / all self-regulation schemes require development
of and adherence to a shared belief in the process among the
members of a defined community.  Concept cannot be applied to the
Internet world.
9. No comment.
10. Self-regulation cannot protect privacy on-line.  See response
to 8 above.
11. Obviously, the cost to business in general of protecting
privacy under a self-regulation scheme will be significantly less
than the cost of complying with legislation or regulation.  That
is because most firms will only pay lip service to privacy
protection, many will ignore the issue, and some will base their
entire business plan around NOT protecting privacy.
12. See my General comments / discussion above for an answer to
this question.
13. Given the knowledge and experience gained over my years in
data processing, I operate in cyberspace accepting the notion
that anything I send, enter, record, etc. is subject to
'exposure' and should not be considered private. 
14. I think you have to start from the principle 'privacy of
information is the fundamental right, and the private individual
controls any surrender of that right' (Reread your John Stuart
Mill for more insight).  One self-sufficient person living all
alone somewhere does not need to surrender any privacy rights in
order to function. Belonging to a community (which most of us do)
requires some privacy rights be surrendered (if I want mail
delivered, I have to give out my address, etc.)
As we join communities, in the real or cyber world, we
'surrender' some privacy rights...both explicitly and implicitly.
When I give the power company the information needed to set up an
account for me, I realize the 'explicit' surrender (don't fill in
the info needed, you don't get power), and accept the 'implicit'
surrender (as a new power company customer I will likely get
appliance ads and other targeted offers through the mail). 
Of note here are two things: I explicitly surrendered the right
to only the information needed to join the community of power users,
and the implicit surrender grew directly out of the explicit
(meaning, the pool of private information was limited to that I
had to explicitly surrender).
Parties clearly have the right to collect and use 'explicitly'
surrendered private information, as long as the information
collection was based on need and the surrender was really
'explicit'.

Sincerely,
Frank J. Hannaford
5412 Grand Avenue
Omaha, NE 68104
Phone:    402-453-4326
Email:    frank20@home.com

###

From:       Lothar Rabstein,  rabstein@freespace.net
To:        NTIA.NTIAHQ(privacy)
Date:      6/23/98 6:56am
Subject:   privacy responses

  1. Name:  

  Lothar Rabstein



  2. Email:  

  rabstein@freespace.net



  3. Affiliation:  

  none (private citizen)



  Question 1: When you go to Web sites, do you typically see notices telling you what companies
are doing with information about you?  Is this important to you? 

  No



  Question 2: Do Web sites that you visit give you control over secondary uses of your
information (for example do they ask your permission to send you more information, or let you
opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? 

  Usually they do. If they offer something I don't like there is always the "delete button".
Businesses can only survive, if they offer things to me I am likely to buy. They have no interest
to do otherwise.



  Question 3: Do you find that companies give you the ability to access and correct data that you
have provided about yourself?  How important is this to you? 

  Usually, however this is not high on my priorities



  Question 4: How should companies be held accountable for failures to protect privacy? Should
they be fined? Should you be able to sue them? 

  If there is evidence, that their actions caused me real harm, I will sue them.



  Question 5: The collection of information from children is an especially sensitive area. What
should be done to protect children's privacy online? 

  Children are not fully developed citizens and are under the supervision of their guardians or
parents. Thus they do not and should not have an independent right to privacy.



  Question 6: Do you think that if industry adopts all of these measures that your privacy will be
protected?  Would you rather see government make laws to regulate privacy on the Internet? 

  Yes, I am opposed to government making any more laws than those that already exist. I see
governments on all levels as being the worst intruder on individual privacy. There is too little
sense of ownership of the collected government data within government to feel easy about this.
There ought to be limits on the amount of data collected by government about its citizens.



  Question 7: What experiences have you encountered online in which privacy has been an issue? 

  None



  Question 8: The Elements Paper focuses on the 'online world'. Many experts are more
concerned about the 'offline world' collections, such as information collected through grocery
store cards, medical records, driving records, etc.  Should the same rules apply to these
collections?  

  We cannot reverse the clock, and what's done is done. We must stop trying to "regulate"
everything and give people the responsibility to protect themselves. Usually people live up to
this. This is NOT a government's job.



  Question 9: Other Comments: 

  Commerce works at its best, when left alone. Government intervention into commerce should
be limited to preventing the formation of monopolies in Commerce, and if they must exist for
practical reasons, to tightly oversee such monopolies so they do not abuse their power, which
would be a natural outcome of human greed.

###

From:      CAROL JACOBSON, MNGRANNY@WEBTV.NET
To:        NTIA.NTIAHQ(privacy)
Date:      6/23/98 12:06pm
Subject:   privacy responses

  1. Name:  

  CAROL JACOBSON



  2. Email:  

  MNGRANNY@WEBTV.NET



  3. Affiliation:  

  INDEPENDENT



  Question 1: When you go to Web sites, do you typically see notices telling you what companies
are doing with information about you?  Is this important to you? 

  NO-- I DON'T SEE ANY "NOTICES". AND YES IT IS IMPORTANT TO ME.



  Question 2: Do Web sites that you visit give you control over secondary uses of your
information (for example do they ask your permission to send you more information, or let you
opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? 

  SOME DO ASK ABOUT BOTH THINGS.  MOST DO NOT.



  Question 3: Do you find that companies give you the ability to access and correct data that you
have provided about yourself?  How important is this to you? 

  AGAIN, SOME DO BUT NOT ALL OF THEM.



  Question 4: How should companies be held accountable for failures to protect privacy? Should
they be fined? Should you be able to sue them? 

  YES THEY SHOULD BE HELD ACCOUNTABLE.  WE SHOULD BE ABLE TO SUE IF
WE HAVE BEEN HARMED IN ANY WAY.



  Question 5: The collection of information from children is an especially sensitive area. What
should be done to protect children's privacy online? 

  I DO NOT KNOW "WHAT" SHOULD BE DONE, ONLY THAT CHILDREN'S PRIVACY
SHOULD MOST DEFINITELY BE PROTECTED. IS IT POSSIBLE TO DO THIS?



  Question 6: Do you think that if industry adopts all of these measures that your privacy will be
protected?  Would you rather see government make laws to regulate privacy on the Internet? 

  I THINK THAT ANY MEASURES, LAWS, OR REGULATIONS THAT ARE PASSED
WOULD PROBABLY HELP BUT----PEOPLE SHOULD BE VERY CAREFUL WHAT
INFORMATION THEY GIVE OUT OVER THE "NET"  I ALWAYS HAVE ASSUMED
THAT ANY INFORMATION I GIVE OUT OR E-MAIL I SEND IS OUT THERE IN
"CYBER-SPACE" FOR ANYONE TO GRAB ONTO, READ, OR USE.



  Question 7: What experiences have you encountered online in which privacy has been an issue? 

  NONE.  I DO NOT SEND ANYTHING E-MAIL ETC THAT WOULD BE OF A PRIVATE
AND/OR SENSITIVE NATURE OR CONTENT. PRIVATE FAMILY MATTERS OR
CONVERSATIONS ARE NOT SENT OVER THE WEB. ONLY DAY TO DAY TYPE TALK. 
OTHER PEOPLE SHOULD BE CAREFUL AND DISCREET TOO.  WHO KNOWS WHO OR
WHAT IS KEEPING TRACK?



  Question 8: The Elements Paper focuses on the 'online world'. Many experts are more
concerned about the 'offline world' collections, such as information collected through grocery
store cards, medical records, driving records, etc.  Should the same rules apply to these
collections? 

  I THINK IT SHOULD NOT BE SO EASY FOR ANY TOM, DICK, OR SUSIE TO GET
INFORMATION.  THEY OUGHT TO HAVE TO PROVIDE MORE THAN A FEE OR A
VERBAL EXCUSE FOR WHY THEY WANT OR NEED THE INFORMATION. I REALIZE
THAT LAW ENFORCEMENT PEOPLE ETC USE THESE ITEMS TO TRACK CRIMINALS
(OF ONE SORT OR ANOTHER)



  Question 9: Other Comments: 

  I DO NOT KNOW IF I HAVE MADE MYSELF VERY CLEAR.  I DO KNOW THAT IT
SHOULD NOT BE SO EASY TO GET INFORMATION FROM SO MANY SOURCES
ABOUT SO MANY PEOPLE.

###

From:      Tom Conway
To:        ntia.doc.gov
Date:      7/6/98 9:59pm
Subject:   Re: Privacy is Phony Issue

>>>>  06/23 10:02 PM >>>
>I cannot understand the ruckus being raised over the gathering of
>information on the WWW.   I cannot see anything wrong with companies
>keeping track of who visits their WWW sites or selling such information.
>In my opinion this is a phony issue being manufactured by anti-business
>activists who are obsessed with this issue.  I frankly have no concern
>about the owners of WWW sites collecting information about my use of the
>WWW - which information belongs to the site owner not the consumer.
>
>Sincerely,
>
>Thomas Conway

>
>P.S.  I'm not involved in any way in any Internet business.

###

Drafting a Privacy Policy? Beware!, by Eric Goldman, Esq. (Article submitted to Cyberspace Lawyer Magazine)

###

From:      Bram Diepenbrock, BD94585@concentric.net
To:        NTIA.NTIAHQ(privacy)
Date:      6/24/98 12:04am
Subject:   The sale of private information.

You need to set up a system in which there are SEVERE  PENALTIES for
those who transfer ANY personal information, with DOUBLE PENALTIES for
those who do so connivingly FOR MONETARY BENEFIT.

Included in these are: All financial institutions, Banks, and Credit
Reporting Companies.

Sincerely,
Bram Diepenbrock, MBA, SCREA

###
