Reliant Global Services L.L.C.
13305 Birch Street Suite 102
Omaha, NE 68164

June 22, 1998

Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th St. and Constitution Ave., NW
Washington, D.C. 20230

Dear Ms. Coffin:

Having read the paper "Elements of Effective Self regulation for Protection of Privacy" and the associated set of questions posed by your organization, I offer the following comments. Please note that I am speaking only for myself, as an IT professional with over 30 years of experience in the DoD, Federal, State, and commercial information processing arenas. My comments do not represent an official position of the firm with which I am currently employed.

General:

Privacy is going to be extremely difficult to protect, regardless of who is responsible. Information of the most intimate and detailed kind is simply so available for explicit and implicit capture, and so easily manipulated and exchanged that any notion of 'regulating' its use in any absolute, controlled form is, for want of any better description, just plain silly.

In the 'real world' of shopping plazas and strip malls, to cite just one example, we can readily distinguish between acts of 'window shopping', 'browsing in a store', 'making a purchase', and 'responding to a customer preference survey', and recognize / know, as a result, the degree of privacy I must be willing to surrender in order to complete each of the acts. While I 'know' for example that I must 'explicitly' give someone my credit card number in order to complete a charge purchase, I also 'know' that any request to 'explicitly' provide my card number to someone before I can enter a store and look around is suspect. In terms of 'implicit' capture of information, I also 'know' that someone may be counting visitors to a store or peeking through mirrors to look for potential shoplifters, which is clearly okay, but I also 'know' that someone filming me in a dressing room and displaying the results on television without my 'explicit' consent is illegal.

In 'cyberspace', the boundaries are not so clear. 'Window shopping' via the Internet requires just about as much of a surrender of privacy as 'making a purchase'. Long before I can do either act, someone has captured a wealth of information about me ranging from my credit card number to where I live and work. Consummating ANY act on the Internet enables a great deal more personal information to be either explicitly or implicitly captured (or both). When do I usually sign-on...my ISP provider needs to know for capacity planning purposes. Did I 'visit' your Web site today...the creator of the site and its host all want to know to decide if the site is attracting sufficient numbers of visitors. Does my on-line service use 'captured' demographic data to sell advertising space...of course, just as television uses the statistically derived equivalent Nielsen numbers.

I see only one viable approach to guarding privacy in the 'cyber' world - making the invasion of it, clearly defined in terms of misuse, a federal crime, and giving a federal agency responsibility for proactive enforcement of the law. Using one of the 'real world' shopping examples...you can protect your store's assets by any reasonable means - mirrors in dressing rooms, security cameras, patrolling watch dogs, whatever. What you cannot do is invade privacy through misuse of any of those means, as evidenced by allowing non-security personnel to look into dressing rooms or strip-searching visitors at random or by showing dressing room films over your local cable access channel.

Questions contained in notice:

1. All of the elements are necessary to some degree; however, accountability and consequences are CRITICAL. Positive control over private information must be maintained...from capture to utilization and exchange. The only way to ensure such control is maintained will be through audits / accountability checks and through administration of severe consequences when such a failure is uncovered. Ideally, all private information would be protected to the same degree that financial information is. Given that achieving this degree of protection would be costly, the near-term effect of requiring such protection would be to raise the cost of entry for anyone desiring to do business via the web.

One viable and possibly less-costly (per individual) alternative might be to set up a single agency or service, one that could be closely monitored by the community and regulated by the Government, to handle 'private information'...with any other organization or person not appropriately licensed and controlled unable to capture or distribute it. This could be accomplished voluntarily or the Government could mandate it. Registering with the central org would be like applying for a Social Security card...done once at an early age; maintained over the years as demographic and other private data changed. Once an account for your 'private' information was established, anyone you needed to interact with (or who needed to interact with you) would utilize the controlled services of the intermediate organization to verify identification, etc.

With the information this centralized, controlled organization would possess, its power would be great and the temptations to abuse that power many. Unfortunately, in cyberspace, we are no longer arguing about whether some person or some agency will have such power and face such temptations...all that is FACT. The only really open issues are to what degree can this reality be managed and how can any such management be imposed at this time.

2. My response to question 1 above discusses one way protection could be implemented.

3. I do not know of any fully effective privacy policies. The best we have are those implemented and executed through automation, with proactive human oversight. Every system I know of that has been designed to 'protect' information or its dissemination has been subverted or overcome in some way. People routinely ignore policies, even those who set such policies up, if sufficient reason for violation can be 'rationalized'. In the end, accountability and consequences are the only practical way of optimizing policy adherence.

4. I think that the draft discussion paper is comprehensive enough, in terms of elements. My comments on enforcement mechanisms are contained in the response to question 1.

5. Yes, consumer limitations should, in fact MUST, be imposed on any third-party provided information by the original 'capturer'. I do not see any other way than that I presented under 1 above.

6. The operating 'model' that comes to mind is the banking industry - substituting 'private information account' for 'bank account'. Every handler of a 'private information account' should be subject to the same kind of regulation and oversight that any handler of a 'bank account' gets, and should feel the same level of concern over protection of someone else's information given them in trust that they would feel over protecting someone else's money given to them under similar circumstances.

7. Based on the 'model' presented under 6 above, I would see similar consequences for failure to adhere to rules and regulations: heavy fines, prison sentences, and closing of a business. This model and these mechanisms have worked pretty well for the banking industry, as the record shows.

8. I do not really see any way to make privacy self-regulation effective. Any / all self-regulation schemes require development of and adherence to a shared belief in the process among the members of a defined community. Concept cannot be applied to the Internet world.

9. No comment.

10. Self-regulation cannot protect privacy on-line. See response to 8 above.

11. Obviously, the cost to business in general of protecting privacy under a self-regulation scheme will be significantly less than the cost of complying with legislation or regulation. That is because most firms will only pay lip service to privacy protection, many will ignore the issue, and some will base their entire business plan around NOT protecting privacy.

12. See my General comments / discussion above for an answer to this question.

13. Given the knowledge and experience gained over my years in data processing, I operate in cyberspace accepting the notion that anything I send, enter, record, etc. is subject to 'exposure' and should not be considered private.

14. I think you have to start from the principle 'privacy of information is the fundamental right, and the private individual controls any surrender of that right' (Re-read your John Stuart Mill for more insight). One self-sufficient person living all alone somewhere does not need to surrender any privacy rights in order to function. Belonging to a community (which most of us do) requires some privacy rights be surrendered (if I want mail delivered, I have to give out my address, etc.)

As we join communities, in the real or cyber world, we 'surrender' some privacy rights...both explicitly and implicitly. When I give the power company the information needed to set up an account for me, I realize the 'explicit' surrender (don't fill in the info needed, you don't get power), and accept the 'implicit' surrender (as a new power company customer I will likely get appliance ads and other targeted offers through the mail). Of note here are two things: I explicitly surrendered the right only to the information needed to join the community of power users, and the implicit surrender grew directly out of the explicit (meaning, the pool of private information was limited to that I had to explicitly surrender).

Parties clearly have the right to collect and use 'explicitly' surrendered private information, as long as the information collection was based on need and the surrender was really 'explicit'.

Sincerely,

Frank J. Hannaford
5412 Grand Avenue
Omaha, NE 68104
Phone: 402-453-4326
Email: frank20@home.com