Comments Received -- June 30-July 6, 1998

###

From:      Deborah Drews, QShaniqua@AOL.com
To:        NTIA.NTIAHQ(privacy)
Date:      6/30/98 11:53am
Subject:   privacy responses

  1. Name:  

  Deborah Drews



  2. Email:  

  QShaniqua@AOL.com



  3. Affiliation:  

  private citizen



  Question 1: When you go to Web sites, do you typically see notices telling you what companies
are doing with information about you?  Is this important to you? 

  Yes and no.  Some people will say "this site is just for fun" or something to that effect.  Not all
do, though.  But, I must be honest to say I don't always pay attention either!  Sorry to sound
wishy washy.

But yes, it IS important to me to know what they are doing with my information.



  Question 2: Do Web sites that you visit give you control over secondary uses of your
information (for example do they ask your permission to send you more information, or let you
opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? 

  Some DO ask for permission for additional information and allow you to opt-out of mailings.
Many, however, do not. 

I would like to be able to go to a web site, any web site, and not have then 20 pieces of "junk
mail" generated by visiting that site.  



  Question 3: Do you find that companies give you the ability to access and correct data that you
have provided about yourself?  How important is this to you? 

  No they do not.  To my knowledge once you have given something you can't change it.  I don't
know that I have encountered something like this, though.



  Question 4: How should companies be held accountable for failures to protect privacy? Should
they be fined? Should you be able to sue them? 

  YES YES YES!!!!!!



  Question 5: The collection of information from children is an especially sensitive area. What
Should be done to protect children's privacy online? 

  I do know that many porn sites SHOW PORN BEFORE ASKING IF YOU ARE 18!!!!!!!!  I
have heard this time and time again.  This should not be done!  If you want access to sites that
contain this material, there should be a special place to go to find it - it should NOT INVOLVE
CHILD PORNOGRAPHY IN ANY WAY SHAPE OR FORM AND IT SHOULD ONLY BE
ACCESSIBLE TO PERSONS OVER 18 (although to me, they are "children" too!)



  Question 6: Do you think that if industry adopts all of these measures that your privacy will be
protected?  Would you rather see government make laws to regulate privacy on the Internet? 

  Yes, I know a lot of people who would JUMP ALL OVER ME for saying that.. but I don't want
some wacko finding me or finding out where I live, etc.... it is a scary world out there....



  Question 7: What experiences have you encountered online in which privacy has been an issue? 

  I have gone to a site where I have say, for example, sent a greeting card, and then received 10
pieces of junk mail pertaining to that site.  This should not happen... you should be able to go
where you want without being "followed"



  Question 8: The Elements Paper focuses on the 'online world'. Many experts are more
concerned about the 'offline world' collections, such as information collected through grocery
store cards, medical records, driving records, etc.  Should the same rules apply to these
collections?  

  YES!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



  Question 9: Other Comments: 

  For the most part I do not have a problem with this.  I do, however, have a problem with
ANYONE knowing about me or "watching me" ie through the food I purchase, etc.,
INCLUDING THE GOVERNMENT!!!!
          
###

From:      Ferrante Pierantoni, pierantoni@aipa.it
To:        NTIA.NTIAHQ(privacy)
Date:      7/2/98 2:28am
Subject:   privacy responses

  1. Name:  

  Ferrante Pierantoni



  2. Email:  

  pierantoni@aipa.it



  3. Affiliation:  

  AIPA



  Question 1: When you go to Web sites, do you typically see notices telling you what companies
are doing with information about you?  Is this important to you? 

  no



  Question 2: Do Web sites that you visit give you control over secondary uses of your
information (for example do they ask your permission to send you more information, or let you
opt-out of mailings)? If so, what kind of choices? If not, what would you like to see them offer? 

  yes, they ask They ask my permission but nobody know what they do.



  Question 3: Do you find that companies give you the ability to access and correct data that you
have provided about yourself?  How important is this to you? 

  no usually we have no access to data about ourself.
It is very important.



  Question 4: How should companies be held accountable for failures to protect privacy? Should
they be fined? Should you be able to sue them? 

  No fines, it is only a burocratical question.
We sould be able to sue them.



  Question 5: The collection of information from children is an especially sensitive area. What
Should be done to protect children's privacy online? 

  teaching children as early it is possible.



  Question 6: Do you think that if industry adopts all of these measures that your privacy will be
protected?  Would you rather see government make laws to regulate privacy on the Internet? 

  No, governement regulation of privacy is just a burocratical toy.



  Question 7: What experiences have you encountered online in which privacy has been an issue? 

  none



  Question 8: The Elements Paper focuses on the 'online world'. Many experts are more
concerned about the 'offline world' collections, such as information collected through grocery
store cards, medical records, driving records, etc.  Should the same rules apply to these
collections?  

  yes, sure



  Question 9: Other Comments: 

  if it is not possible to enforce a law, that law must be dropped out.

###

From:      "Steiger, Bill" bill.steiger@ltgov.state.wi.us
To:        "'privacy@ntia.doc.gov'"
Date:      7/3/98 6:07pm
Subject:   Comment on "Elements of Effective Self-Regulation for Protection  of Privacy"

July 3, 1998



Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information Administration
Room 4898
14th Street and Constitution Ave., N.W.
Washington, D.C.  20230

Dear Ms. Coffin:

I am writing to comment on the Department of Commerce staff discussion
paper "Elements of Effective Self-Regulation for Protection of Privacy,"
as outlined in Docket No. 980422102-8102-01.

The Internet's virtually instantaneous global flow of information is
already transforming the way we work, study, shop, and play.   For
businesses and consumers alike, the prospect of internet-based
electronic commerce offers the promise of expanded choice, greater
efficiency, and heightened cost savings. No previous trading network has
ever approached the web's value as a medium to link buyers and sellers,
in real time, anywhere on earth.  Perhaps only the printing press has
held such possibility for phenomenal, empowering economic change.

Here in Wisconsin, dozens of companies are already beginning to
capitalize on the commercial potential of the Internet.  Mail-order
merchandising, professional services, and temporary employment are just
a few of the kinds of industries in our state that are growing rapidly
through this new medium.  

Nevertheless, a serious obstacle remains to the mass acceptance of the
Internet as an every-day marketplace:  privacy.  Electronic commerce
will never live up to its full potential if consumers do not feel safe
and secure as they surf the web.  In a recent poll conducted by Louis
Harris and Associates and Dr. Alan F. Westin of Columbia University, 81
percent of all Internet users and 79 percent of on-line shoppers
expressed concern about on-line invasion of privacy.  

I share and understand these reservations.  As a state official and the
father of three children, I am particularly attuned to the need for
increased safeguards against the unauthorized gathering of confidential
financial information, medical records, and data on children over the
Internet.

At the very least, commercial websites should prominently display their
privacy policies and write them in easy-to-understand language.
Consumers should be able to decide what, if any, personal information to
provide; to choose whether to participate in on-line marketing; and to
exercise an option to subscribe or unsubscribe to services at any time.
Sites should specifically state what information they collect from
visitors and for what purposes, and whether they rent or sell that
information to third parties.

Calls for governmental regulation in this area, however, are premature.
The genius of the Internet is precisely its freedom from excessive state
intervention.  Just as with direct mail, targeted marketing in
cyberspace benefits all of us, whether consumers or businesses:
consumers can receive offers and information tailored to their
interests, and firms can better hone their appeals to the most likely
buyers of their products and services.  The collection of some personal
data is necessary to ensure that Internet commerce runs smoothly, and
users should continue to have the choice to participate in on-line
marketing if they so desire.  

I recognize that studies have recently indicated that only a small
percentage of websites are currently following industry self-regulation
policies.  Yet I still believe that both federal and state officials
should exercise forbearance in the coming months to allow Internet
merchants and marketers to implement the private sector rules developed
by the Direct Marketing Association, Truste, and others.  Industry
should remain on notice, however, that their failure to clean up
disturbing practices such as unsolicited commercial e-mail ("spam") or
devise clearer guidelines for so-called "cookie practices" (the
surreptitious collection of information by tracking users' click
streams) will make calls for government action harder to resist.  

I urge the Clinton Administration to continue to work closely with
private industry to allow the Internet to grow as a vibrant bazaar of
ideas, goods, and services.  Industry-developed mechanisms now exist to
preserve security and privacy for consumers, and we should give them
time to gain widespread adoption before imposing government control over
the freest market in the world.

Sincerely, 



Scott McCallum
Lieutenant Governor
State of Wisconsin
 



CC:        "Hull, Lisa" lisa.hull@ltgov.state.wi.us

###

  Email privacy (Tuesday morning)

See also coverage by Wired News.

When I telephoned my mother in Australia over the weekend and told her that I had been invited to Washington to address senior members of the Clinton Administration and hundreds of other very important people on the privacy implications of sending a piece of electronic mail, she wondered what on earth could have happened recently to bring so much high-powered attention to such a simple little thing.

``Well Mom,'' I said, ``there are lots of privacy risks with email that aren't obvious unless you've spent the past few years studying that kind of thing.''

``Like what, dear?'' asked my mother.

``OK, while we're talking on phone now, you wouldn't expect that what we say might be listened to by some teenager in Finland would you?''

``No, of course not. The phone line to Australia wouldn't run through Finland, and how could a teenager dig it up anyway?''

``That's the difference,'' I said. ``Email travels on an unpredictable route through computers on the Internet, which is a network of lots of different computer networks around the world. If any of those computers had been broken into by hackers, they could have been programmed to send copies of the email somewhere else.''

``But surely companies will fix that. It's a security problem. Couldn't they use some kind of secret code?''

``Actually, encryption's kind of a complicated subject in Washington right now. Let me give you a different example. You wouldn't expect that my local phone company could sell the fact that I called you to a chain of florists so they could send me a postcard reminding me that Mother's Day was coming up, would you?''

``Now that you mention it dear, you did forget this year. Maybe if they did that you would remember next year.''

``Sorry, Mom. I won't forget again. It's not just the florists that can buy that information. The phone company isn't allowed to tell anyone who you call. But the way American law stands now, the company you get to send your email can sell their knowledge of what you do online to telemarketers, for example.''

``Really? The telemarketers don't seem to call us in Australia.''

``Yes, I remember. Here's another example. If you throw away your old telephone, you wouldn't expect that someone who picks it out of the trash would be able to open it up and get a recording of a conversation you had on it years ago, would you?''

``Of course not. Are you trying to tell me that computers keep your email, even after they've been told to delete it?''

``Exactly. Remember Oliver North?''

``Of course. Is he going to be at your talk?''

``I don't think so, Mom. Lt. Colonel North already found out the hard way that he should have deleted the backup copies of his email too.''

``Then it sounds like the company that made the software he was using didn't do a very job. Computers should come with privacy as standard equipment, not an optional extra. Are there any other privacy problems that they have have? You know your father and I are thinking of getting email ourselves.''

So I told her about a dozen dangers to her privacy from email, that most of you all probably know already. I explained how her email address could be captured by junk emailers, and how often she would be spammed with pitches for hard-core pornography and get-rich-quick scams. And that even big software companies companies have been known to program their products to grab email addresses off people's computers and secretly include them along with online registration information. I warned her that her Internet provider might put her email address in a public directory unless she told them not to.

I told her that if she sends a personal message to one of her friends at work, that someone else at that company might read the message, perfectly legally. I told her that anything she sent might be kept on computers for decades, and might be forwarded to people she didn't wouldn't want to read it. I said that every message she sent would be timestamped and marked with the IP address where she connected to the Internet at that time - kind of like Caller-ID. She asked me if it was possible to stop that, so I explained about anonymous remailers and the problems they have.

I warned my mother that it was easy for people to forge email headers to pretend to come from her, and how she could verify digital signatures on email. I tried to explain public key cryptography, how certificate authorities worked, and how many different cryptosystems are based on the same mathematical ideas as the secret codes that she could use to stop people from reading her email.

I cautioned her never to run a program that was attached to an email sent by a stranger, because it might introduce a virus or erase all her files. I said that if she even looked at a Web page someone sent her in an email (possibly spam), that the site could tell when she had read it, where she was connected at the time, and would even be told what kind of computer and software she was using and the name of the file where that email was kept on her computer.

And I said that a cookie might appear on her computer without her noticing.

My mother didn't believe this could happen until I explained that the word was a technical term for a customer number that a web site stores on her computer, and that any time she visited that web site in the future she would be identified by the number. This disturbed her because she thought that the Web was just like watching TV except that you sit closer to the screen. She had assumed that nobody was watching when she changed channels.

I explained how if she lets any young children use her computer, they might go to the Web site of a toothpaste company and be fooled into sending email to the ``tooth fairy,'' which was really a computerized marketing program that might use the messages for decades to target advertising at the child's family.

I told her if she got a free email account she would have to divulge to the company a lot of information about herself, and that there probably wasn't much she could do if this information was abused.

When we had finished this long catalog of privacy risks she said to me, ``Jason, cyberspace doesn't really sound like a very safe place.''

``It isn't,'' I agreed. ``And that's what I'll be saying to the folks in Washington.'' But I think they know that already. And I think they're concerned for their mothers. And for the their children. And for their children's' children.

``Well I hope they can fix all those things then, because your father and I aren't going to use email if our privacy isn't protected.''

My mother isn't the only person in the world to have said this. This year's Business Week survey showed that the number one reason people give for putting off using the Internet is not that it's too complicated or expensive, but that they fear for their privacy. Business people often ask questions like ``What are we going to do about all these people who are afraid to get online? What will make them buy from our Web sites?'' But there's a more at stake here than just money; at issue is the fundamental human right of privacy, which President Clinton has called ``one of our most cherished freedoms.'' The question is not what we can do about those people and their fears, but what we can do for those people and their liberties. Or to adapt President Kennedy's inaugural address: Ask not what the consumer can made to do for your company, but what your company should be made to do for the citizen. Ask not what the Internet will do for you, but what together we can do for the freedom of mankind.

  Filtering banner ads (Wednesday afternoon)

See also coverage by Wired News.

Yesterday I appealed to online marketers' send of altruism by talking about my mother. Today I'm going to appeal to their sense of self-interest by talking about their customers. Let's see which is more persuasive.

Picture, if you will, your ideal online consumer. Let's call her Sally. Professor Alan Westin's survey for Privacy & American Business tells us that she's 54% male, 18-39 of age, and earns more than $50,000. To a marketer she's very attractive, at least demographically and psychographically. Of course, the marketer has never seen her face.

Sally is also very concerned about her privacy online. She's well educated, and is used to adopting new technology to protect her own interests. She's probably heard that her ISP or online service may be legally selling to marketers any level of detail about her behavior online. Sally has long felt ambivalent about direct marketing. She likes the convenience and variety, but she is suspicious of the industry's methods. She is constantly reminded of the consequences of privacy violations by spam and telemarketing calls. She gets a ton of direct mail. She is what marketers call ``over-stimulated.''

How has Sally's perception of banner ads changed over time? In 1995 they were a novelty, something to speculate about. In 1996 Sally typed "MCI" into a search engine and an ad for a competing long-distance company came back. This was interesting, possibly useful, but with a hint that someone was watching what she typed. In 1997 the ads became bigger and slower to download. They had become intrusive, with distracting animations, popups and the occasional pornographic ad that offended her. In 1998 Sally learned that there was a real privacy issue. Most banners she saw were not served by the site she was visiting, but by ad networks, which see each page that Sally views containing one of their ads. The network had her identified with a cookie, which might be tied to her offline identity. The ad has become an instrument of surveillance.

Sally is horrified. ``Stop the Internet,'' she says. ``I want to get off. But I can't get off. My life is already on the Internet. It would be harder than giving up TV,'' she thinks. ``Ah, where's my remote control for the Web? Where is the mute button for this surveillance?''

Sally quickly discovers that there are now available as retail software and freeware a huge range of technologies which can block cookies, other disclosures of identities, and even filter out banner ads. Here is the remote she seeks. But it's more powerful than with TV, in that once she installs one, she'll hardly ever see another ad.

Now let's switch the point of view to the online advertiser. The industry has grown in less than four years from nothing to a billion dollars this year, and probably several billion next year. Better targeting has produced far higher revenue per ad. Technologies for anonymizing, blocking and filtering threaten the explosive growth that everyone is expecting. All the IPO filings of the ad networks disclose this threat to their business model. Downstream, content providers who depend on ad revenue to support the development and maintenance of their sites find their investment decisions clouded by even further uncertainty. The world faces an enormous loss of opportunity here: the richness and diversity of the Web as a medium of expression may be diminished.

What I find particularly tragic is that this is so unnecessary. I know as a computer scientist that it's technically feasible to design methods to efficiently serve ads without invading privacy. The $64 billion question is whether this can be done in time, and whether guarantees can be put in place to assure people online that their privacy will be protected. Lawmakers are acting slowly (though this could change overnight, as the example of Judge Bork and the Video Privacy Protection Act of 1988 showed), so right now the fastest-moving force is consumer self-protection, not industry self-regulation or real regulation. It's Sally.

So here's my plea to online marketers, particularly ad networks: Deliver real privacy protection fast. Because if you don't, Sally and her friends are going to push the button on your fledgling billion-dollar industry, and you'll never see or hear from them again.

  Comments on Elements of Effective Self Regulation

These answers given below are in response to the questions asked in a Federal Register Notice by the Department of Commerce. The questions concern their discussion paper Elements of Effective Self-Regulation for Protection of Privacy.

• 1.1 The discussion paper sets out nine specific characteristics of effective self regulation for privacy: awareness, choice, data security, data integrity, consumer access, accountability, consumer recourse, verification and consequences. Which of the individual elements set out in the draft discussion paper do you believe are necessary for self regulation to protect privacy?
  
  The question of which are necessary ignores the fact that no combination of self-regulatory measures would be sufficient to protect the privacy of the American citizen.

• 1.2 To what extent is each element necessary for effective self regulation? What are the impediments and costs involved in fulfilling each element of a self regulatory scheme? What are the competing interests in providing each element? How would the inclusion of each element affect larger, medium sized, and smaller companies? What advantages or disadvantages does each element hold for consumers? What are the challenges faced by companies in providing each element? How do these challenges depend upon the size and nature of the business?
  
  No comment on this question.

• 2. The draft discussion paper notes that individual industry sectors will need to develop their own methods of providing the necessary requirements of self regulation. How might companies and/or industry sectors implement each of the elements for self regulation?
  
  No comment on this question.

• 3. Please submit examples of existing privacy policies. In what ways do they effectively address concerns about privacy in the information to which they apply? In what ways do they fail?
  
  Abacus Direct Corporation runs a ``co-op database,'' a massive pool of behavioral data about consumers from about a thousand ``member'' direct marketing companies, which gives them a comprehensive picture of the lives of tens of millions of Americans. These nice-sounding ``cooperative'' arrangements are among the more Orwellian inventions of the industry. Their privacy policy mentions nothing about their core business model; instead its main focus appears to be PR. Here is an excerpt.

  Privacy of consumer information is important to Abacus' business. Indeed, maintaining this privacy is one of Abacus' most significant responsibilities. In connection with meeting this responsibility, Abacus is an active member of the Direct Marketing Association and participates in and promotes projects regarding consumer privacy. We also encourage our Members to honor requests that they "do not mail" to consumers who specify that they do not want to receive mailings. Abacus also educates its Members and employees regarding issues and laws regarding individual privacy rights.

  Like many privacy policies, this one sounds wonderful provided it is read inattentively and without background knowledge. A closer search of the policy shows that it omits the crucial information of how consumers opt out of Abacus' database. It fails to disclose the fact that Abacus ignores or refuses to process written opt-out requests mailed by consumers directly to Abacus Direct. Abacus merely processes the DMA's Mail Preference Service, which obliges consumers to deal with a third party and to re-register every five years (a challenge to most people's calendars or to-do lists). A casual reader might take Abacus' statement that they "encourage our Members to honor requests" to mean "does not require Members to honor requests," but might presume this indicates that Abacus Direct would themselves honor a direct request. Directness in the Direct Marketing industry is all too often a one-way street. Our experience of working with Abacus for well over a year (entailing several letters, a dozen emails, and attempts by the DMA to mediate) has demonstrated their steadfast refusal to allow simple first-party opt out requests by mail.

  Links to over fifty privacy policies are listed in http://www.junkbusters.com/links.html#policy on the Web. Many of these are just as vacuous as the paragraph quoted above, in the sense that there is little or nothing that they stop the company doing. A vacuous privacy policy is like a pseudo-scientific theory that cannot be falsified by any empirical evidence. Vague statements such as ``we strive to consider our valued customers' preferences'' reassure only the gullible. Of course most privacy policies are the product of PR people and lawyers, so they are made to sound nice while exposing the company to absolutely no risk no matter how badly it behaves.

  It is difficult to display an absent privacy policy, but the FTC have demonstrate that many organizations (presumably including most of the bad actors) post no privacy policy. The deficiency with a missing policy is that it does not restrict the organization in any way.

• 4. Are elements or enforcement mechanisms other than those identified in the draft discussion paper necessary for effective self regulation for privacy protection? If so, what are they? How might they be implemented? In addition to the fair information practices and enforcement mechanisms stated in the discussion draft, are there other privacy protections or rights essential to privacy protection?
  
  Possibly necessary, but no addition would be sufficient. (See 1. above). Enforceable rights under law are needed.

• 5. Should consumer limitations on how a company uses data be imposed on any other company to which the consumer's information is transferred or sold? How should such limitations be imposed and enforced?
  
  Yes, citizens should have rights over all use of data concerning them according to fair information practices in the sense of the OECD Guidelines. They should have a private right of action (including statutory damages) against companies whose practices breach the principles. See EPIC's submission.

• 6.1 Please comment specifically on the elements set out in the draft discussion paper that deal with enforcement (verification, recourse, and consequences) and suggest ways in which companies and industry sectors might implement these.
  
  Expecting self-enforcement to be even slightly effective against a typical company is highly optimistic, and against a bad actor is downright gullible. Trade associations cite expulsion as their ultimate force against wrong-doers, yet it will obviously not stop a bad actor. The idea that associations could extend their influence beyond their membership would probably fall afoul of anti-trust legislation.

• 6.2 What existing systems and/or organizations might serve as models for consumer recourse mechanisms, and explain why they might or might not be effective? Would a combination of elements from existing systems and/or organizations be effective? How might verification be accomplished? What would constitute adequate verification, i.e., in what instances would third-party verification or auditing be necessary, and in what cases would something such as self certification or assertions that one is "audit-ready" suffice? What criteria should be considered to determine the kind of verification that would be appropriate for a company or sector? What constitutes "reasonable access?" What are the costs/impediments involved in providing access? What criteria should be considered to determine "reasonable access" to information for a company or sector?
  
  No comment on this question.

• 7. In the section on consequences, the draft discussion paper states that "sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion." Identify appropriate consequences for companies that do not comply with fair information practices that meet this goal, and explain why they would be effective.
  
  Peoples' lives are ruined by unfair information practices. Companies should equally face ruin as a consequence of sustained, willful, recklessly dangerous information practices. They are unlikely to volunteer for such a prospect. It must be imposed by government, which has a responsibility to protect its citizens.

• 8.1 What is required to make privacy self regulation effective?
  
  Nothing will make self-regulation deliver adequate privacy protection. Regulation by another is necessary.

• 8.2 Self-regulatory systems usually entail specific requirements, e.g., professional/business registries, consumer help resources, seals of accreditation from professional societies, auditing requirements. What other elements/enforcement mechanisms might be useful to make privacy self regulation effective? How have these enhanced or failed to enhance a self-regulation regime?
  
  No comment on this question.

• 9. Self regulation has been used by the business community in other contexts. Please provide examples and comment on instances in which self regulation is used in an industry, profession or business activity that you believe would be relevant to enhance privacy protection. In what ways does self regulation work in these instances? In what ways does it fail? How could existing self-regulatory regimes be adapted or improved to better protect privacy?
  
  The history of telemarketing gives an excellent example of how self-regulation failed to protect privacy; a law was needed and was passed in 1991. It gave individuals a private right of action and $500 statutory damages. No vast bureaucracy was needed to enforce the law; individuals sue in small claims courts. This prospect has reduced most of the industry's excesses.

• 10. Please comment on the extent to which you believe self regulation can successfully protect privacy online. Are there certain areas of online activity in which self regulation may be more appropriate than in others? Why?
  
  Self-restraint may reduce some abuses by larger players (what Peter Swire calls elephants). The smaller bad actors (which he calls mice) will not restrain themselves.

• 11. Please comment on the costs business would incur in implementing a self-regulatory regime to protect privacy. How do these costs compare to the costs incurred to comply with legislation or regulation?
  
  The costs of complying with regulations would be substantial, which explains why businesses are spending large amounts of money lobbying to stop the government imposing them. Each business will attempt to minimize its costs by doing as little as possible, which translates into the least regulation that is politically achievable. Here lies a "tragedy of the commons": the consumer population is therefore being left unprotected, resulting in distrust and non-participation.

  It is fair to impose costs due to regulation on all companies, indeed it is more fair than expecting good actors to volunteer for expenses that will not be borne by their less altruistic or less farsighted competitors. All automobiles sold in the US must meet basic safety standards; it would be preposterous to expect manufacturers to voluntarily choose their own minimum requirements and to rely on consumers' preference for safe cars. Advocates of self-regulation are asking the Administration to believe an equally preposterous premise, that companies should choose minimum privacy standards, and (even more implausible) that they should be the ones to ensure these standards are maintained. This makes as much sense as putting the Fortune 500 companies in charge of setting taxation policy for the IRS, and for running its compliance division.

• 12. What issues does the online environment raise for self regulation that are not raised in traditional business environments? What characteristics of a self-regulatory system in a traditional business environment may be difficult to duplicate online? Does the online environment present special requirements for self regulation that are not present in a traditional business environment? Does the traditional business environment have special requirements that are not presented in the online environment? What are these requirements?
  
  The Internet tends to amplify and accelerate phenomena of the offline world. Lack of privacy being exposed on the Internet stems from the fundamental lack of legal rights of American citizens, not from any quality of the Internet. The World Wide Web has helped make the implausibility of self-regulation evident, as Philip Agre points out.

  The whole idea of self-regulation never made much sense; it presupposes that the great majority of firms are motivated to join a trade association, and that this trade association's staff members are motivated to overcome their inherent conflict of interest by penalizing their own employers by enforcing codes of conduct when privacy violations occur. This scenario was already implausible in the old economy with its dominance by large, stable firms. It is even less plausible in the new digital economy, where new technology permits small firms to create impressive Web storefronts for no capital and companies come and go at the flick of a switch. Even the term "fly-by-night company", which epitomizes our notions of fraudulent trading, is a vestige of the old economy, with its presupposition that large, static firms are the norm and that small, flexible, rapidly changing companies are suspect. It follows that... self-regulation is an anachronism in the new economy.

• 13. What experiences have you encountered online in which privacy has been at issue? In what instances has privacy appeared to be at risk? In what instances is it well protected? In what ways have businesses or organizations been responsive to privacy concerns? How difficult have you found it to protect your privacy online? What circumstances give rise to good privacy protection in a traditional business setting or online?
  
  Sunshine is the best disinfectant, as the Fair Credit Reporting Act showed: when people have the opportunity to see data kept about them and to correct it, companies are forced to be more honest and bear a larger share of the costs arising from their use of personal data.

  For examples of risks to online privacy, see the text of addresses by Junkbusters' President on email and online advertising at the DoC meeting.

• 14. The Administration's A Framework for Global Electronic Commerce cites the need to strike a balance between freedom of information values and individual privacy concerns. Please comment on the appropriate point at which that balance might be struck. What is the responsibility of businesses, organizations or webpages to protect individual privacy? To what extent do these parties have a right to collect and use information to further their commercial interests? To what extent is it the individual's responsibility to protect his or her privacy?
  
  A party should have a right to exploit personal information only to the extent that their practices are fair. The question of balance has been well explored in literature of fair information practices, covering exceptions for cases such as medical research. The data subject can choose not to enforce his rights, but he should have adequate rights guaranteed by law. The American citizen does not yet have adequate rights.

Copyright © 1996-8 Junkbusters ® Corporation. Copying and distribution permitted under the GNU General Public License. 1998/07/06 http://localhost:1080/hd/commerce.html

###

Before the

Washington, D. C. 20230

Elements of Effective Self Regulation ) Docket No. 980422102-8102-01
For the Protection of Privacy and     ) RIN 0660-AA13
Questions Related to Online Privacy   )
                                      )

Bell Atlantic is pleased to submit its comments and Privacy Principles in response to the NTIA’s Notice and Request for Public Comment regarding Elements of Effective Self Regulation For the Protection of Privacy and Questions Related to Online Privacy.

I. Existing Privacy Protection Policies

Bell Atlantic commends the NTIA for its leadership in investigating approaches for handling and protecting customer information on-line. We are pleased to describe our efforts to disclose our information practices and offer consumers choice regarding the online collection and use of consumer information.

Prior to the merger last summer between Bell Atlantic and NYNEX, both companies had privacy policies. These policies were combined upon the merger, and apply to all our businesses, including our on-line businesses. We believe we now have a leading-edge privacy policy, and we are working hard to implement it throughout our company.

Under our policy, we give customers information, choices, and flexibility in what individual information we obtain, how we use it, and whether we disclose it. Our policy is designed to ensure that Bell Atlantic respects and protects the privacy of customer information. The Bell Atlantic Privacy Principles are attached, and are available on our website at http://www.bellatlantic.com.

Generally, our policies apply in a similar manner both on-line and off-line. If anything, the on-line world gives Bell Atlantic more opportunities to inform customers of its privacy polices, and gives customers more as well as more convenient opportunities to learn about and exercise their privacy options. Set out below are portions of Bell Atlantic’s privacy policies, and some examples of how they apply to both our on-line and off-line businesses:

• Our policy requires us to inform users how individual information obtained about them is used, as well as their options regarding its use. Our on-line businesses do this by means of privacy statements on our websites. Our off-line businesses, e.g. telephone, do this by means of brochures, bill inserts, and recorded announcements, and we are in the process of putting some of these disclosures on the web as well. For both types of businesses, we foster discussions and interaction with consumers on privacy and other issues through our local, state, and regional consumer advisory boards; these groups have input into our privacy policies and our means of communicating them.
• Our policy requires us to give users opportunities to control whether and how we use individual information about them to sell them products and services. In an on-line context, for example, contests sponsored by BigYellow allow contestants to opt out of receiving e-mails from BigYellow about additional contests. Off-line examples include our do-not-call and do-not-mail lists, and we are exploring means of enabling consumers to make these choices on-line.
• Our policy requires us to enable users to control whether and how we disclose individual information about them to other entities, with some exceptions such as when disclosure is required by law. We do not have any on-line examples because currently we do not disclose information supplied to us by users of our websites and on-line services. Off-line examples would include the opportunity to exclude name and number from directory listings, or to have name/number blocked from caller ID.
• Our policy requires us to safeguard individual customer information. We do this for both our on-line and our off-line businesses by making sure employees understand their obligation not to misuse customer information, and by using technological means to make our databases secure.
• Our policy requires us to consider consumer privacy when planning and introducing new services, and inform customers of the privacy implications of these services. This is something we do in the course of product development for both our on-line and our off-line businesses.

Bell Atlantic’s Privacy Principles give us the flexibility to apply the policies differently depending on the different privacy expectations of customers of our different businesses. How we apply our policies depends above all on the sensitivity of the information involved. We use notice and opt-out to give choices regarding our use and disclosure of some information – for example, a customer can be excluded from our White Pages listings and/or from directory assistance, can block name and number from caller ID, can stop us from calling or writing for marketing purposes, can be excluded from our reverse directory services, can choose not to receive certain e-mails. On the other hand, we simply do not disclose other, particularly sensitive information outside Bell Atlantic, except as requested by a customer or as required by law. Examples of the sensitive information that we treat in this manner are: (1) mobile phone listings; (2) bellatlantic.net customer e-mail addresses; (3) telephone usage information. In all cases of disclosure outside Bell Atlantic, we are giving customers control as required by our Principles – but we are giving a greater or lesser measure of control depending on the sensitivity of the information and what we understand that our customers expect.

Our privacy policy is based on company responsibility coupled with customer empowerment. We believe our privacy policy gives customers the confidence that nothing is going on behind their backs. We tell customers – here’s the type of information we obtain, this is how we use it, these are your options – and the customer is empowered to act. We believe that an empowered, confident customer is one who is likely to stay with us and come back to us to satisfy his or her need for additional services. And we see the on-line world as a place that will enhance customer empowerment by providing the ability to quickly and easily find out about privacy and exercise the appropriate choices.

II. Comments on the Elements Paper and Discussion of Competing Interests

In general, Bell Atlantic agrees with the principles of fair information practices set out in the "Elements of Effective Self Regulation" discussion paper. The paper is really very well done. We believe the Bell Atlantic Privacy Principles embody all nine elements. Below we will discuss each of the elements in the paper in turn.

A. Awareness

This may be the most important element of all. Bell Atlantic agrees with the paper’s discussion of the ways in which companies should raise consumer awareness, but would suggest re-naming this element "Notification and Education." The most a company can do is provide prominent notifications and conduct consumer education, as is discussed in the paper. It then becomes the consumer’s responsibility to look for the notice, read it, become "aware" of a company’s information practices, and exercise choice regarding the use of information. Bell Atlantic would also suggest that government can play a major role in raising consumer awareness, in concert with industry and privacy advocates. Thus, we believe that "notification and education" is the fair information practice that industry should follow, while "awareness" can be achieved through industry’s efforts with help from government, privacy advocates, and consumers themselves.

In addition, this element should incorporate the idea that customers should understand the benefits as well as the privacy implications of company use of individual information. There are clear-cut benefits in terms of convenience and opportunities for consumers if companies are allowed to use individual information in providing and marketing products and services. For example, a telephone company like ours can analyze a customer’s buying patterns and offer those customers who qualify calling plans that will save the customers money or services that will better meet the customers’ needs. Consumers who use shopping cards can receive discounts, coupons and free product samples. Consumers who lose their receipts and wish to return items can do so if stores retain information about purchases in their databases. On-line, consumers have the convenience of opening a page they have last visited when they return to a site, and can receive targeted marketing of products and services that actually interest them. Electronic commerce, as it takes off, promises to make searching for information, planning vacations, banking, shopping, and many other transactions simple and convenient. If companies with which consumers communicate can help consumers in these endeavors by using their data, the experience is likely to be extraordinarily useful for the consumer.

Of course, it is important to make sure that consumers receive these benefits without unwanted intrusion on their privacy. Thus, it is appropriate to obtain affirmative consent before making certain uses of sensitive information. It is also necessary to ensure that consumers are educated and able to protect their interests. For example, consumers need to understand that they can configure their browsers to reject "Cookies," that they can opt-out of unwanted use and disclosure of their information, and that they can stop unwanted telemarketing calls and mailings. The point of telling consumers about the benefits as well as the potential intrusion of these uses of information is to enable the consumer to determine the appropriate balance – between the ability to be aware of new opportunities and privacy protection – that suits that individual consumer.

B. Choice

The importance of choice regarding how information is used depends upon the sensitivity of the information. Thus, the ability to exercise choice is very important in the case of sensitive information, and the corollary to this is that stronger means of exercising choice such as affirmative consent may be appropriate. Less-sensitive information, such as the fact that someone is a customer of a particular company, may be more appropriately protected by means of the opportunity to opt out from disclosure of such information.

Another factor that impacts the importance of choice is how the information will be used, in particular: (1) whether it will be used internally or disclosed to third parties, and (2) whether its use will involve marketing methods the customer may find intrusive. Internal use of customer information by a company with a relationship with the customer generally does not impact privacy. Thus, it is not expected that a company will give a customer the opportunity to stop the company from using information about transactions that the company needs in order to bill the customer in the ordinary course of the customer/company relationship. Aggregating individual information so that identities cannot be determined for purposes of market analysis is another use that does not impact privacy and that companies are not expected to allow customers to prevent. This changes, however, when the company uses customer information to contact the customer for marketing purposes by means of telemarketing, direct mail, or e-mail, and when the company wishes to sell customer information to another company for that company’s marketing purposes. These types of uses of the information become uses that affect privacy, and it becomes important to provide the customer with opportunities to control these types of uses of customer information.

The reason for using different means of providing choice, depending on the sensitivity of the information and upon the intended use, is because of the need to balance the interests and costs involved. Obtaining affirmative consent can be paralyzing for a business, because providing such consent is not likely to be high among the priorities of the average busy customer. Yet, the purposes for using information may be quite beneficial to that customer – for example, many people do buy products through telemarketing, indicating that the opportunity to learn about these products over the phone is of value to these people. Notice and opt-out are much easier for both the company and the customer – those customers who do care about the use of the less sensitive types of information about them will opt-out, while the majority will continue to receive the coupons, catalogs, free products, and other promotional offers that can benefit the company, the consumer, and the economy.

C. Data Security

Proper use and protection of information is a very important element of effective self-regulation, one that many discussions of the subject ignore. Part of protecting customer data is having a strong internal compliance program that communicates to employees their obligation to properly use and protect the data, and that imposes consequences for the failure to do so. And, the other part of this is using technological means, such as "firewalls," to protect against malicious access and use of data from unauthorized sources. This element is crucial, since failure to protect the data in this manner could have serious consequences for privacy. It could be much worse to have a malicious individual accessing and using an individual’s information for personal reasons, than to have a company mistakenly use the information to try to sell the person something.

Bell Atlantic suggests that the data’s "reliability for its intended use" belongs in the Data Integrity element, and that the Data Security element should focus solely upon protecting the data from improper use. Accuracy of the data, while important, raises different privacy concerns than security. Accuracy is more about preventing carelessness in recording the data, rather than protecting it from improper disclosure and use, and the consequences for the consumer from inaccuracy are generally not as serious from the standpoint of privacy.

The concept of "reasonable" precautions is important because it allows for differences depending on the sensitivity of the information. A step that is "reasonable" for protecting less sensitive information may not suffice when it comes to protecting very sensitive information.

The statement that "Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is at a level comparable to its own" should be tempered by an understanding of the costs that would be involved in policing such a requirement. Where a company can control the behavior of the transferee, this requirement is practical. For example, Bell Atlantic requires that all its wholly-owned affiliated companies adhere to its privacy policies, and also requires its contractors, suppliers, and others that handle Bell Atlantic customer information for Bell Atlantic purposes to protect that information at the same level that Bell Atlantic uses. However, where a company cannot control a transferee’s behavior, this requirement will not work, and it really should be up to the customer whose information will be disclosed. Once a customer has been notified of the option to opt out, and has not exercised that option, the company should be free to release the data for the purposes that were explained to the customer, without the burden of policing how that data may be used subsequently. For example, Bell Atlantic provides services, such as Caller ID and a reverse directory service called Call 54, that reveal information about a person if that person has not opted out. Bell Atlantic has no way of controlling how the party who receives the name and number of a caller or the name and address associated with a particular telephone number uses that information.

A final note on data security is the importance of strong encryption for protecting communications and transactions on line. Bell Atlantic advocates strong commercial encryption and opposes any broad or vaguely-defined government access to private voice or data communications. Consistent with this policy, the Company supports free choice of cryptography products for consumers and non- regulatory, market-driven approaches to the development of cryptographic methods. Particularly, Bell Atlantic supports deregulating the export of commercial cryptography products and opposes government restrictions on domestic uses of encryption.

D. Data Integrity and Consumer Access

Bell Atlantic believes the elements of Data Integrity and Consumer Access are integrally linked. Consumer access to data is really a means of ensuring that the information is accurate and relevant. Thus, it may be appropriate to combine these two elements into one, as Bell Atlantic has done in our Privacy Principles. Bell Atlantic’s Principle 5 states that "Bell Atlantic strives to ensure that the information Bell Atlantic obtains and uses about customers is accurate," and the explanation of this Principles includes the concept of "reasonable access" by customers to the information we have about them.

Bell Atlantic is working to improve customer access to information we have about them. Today, Bell Atlantic’s telephone companies make information available to customers on the customer’s bill, and by means of answering questions posed to Bell Atlantic service representatives. We are working to put access to a customer bill and a customer’s account record on-line, so that customers will have this additional, convenient way to access information about their accounts.

It is very important to maintain a concept of "reasonable" access to information. Some information that Bell Atlantic maintains about customers, while necessary to Bell Atlantic’s provision of service, would be very costly to retrieve, and of no use to a customer in any event. An example are the records of facilities used to service a particular customer. This record is currently maintained in a system that is very difficult to use, and for which our personnel must be trained in order to even read and interpret the system’s output. We would maintain that it is not reasonable to provide access to such a system to a residential customer, although if a customer had questions about this information, it might be reasonable for us to research the question and get back to the customer with the answer. In addition, there are unreasonable forms of providing access to information – an example would be opening up company premises for on-site inspection of information. This would be an unnecessarily costly means of providing what can reasonably be provided by methods more convenient to the company and the customer.

E. Accountability

Important parts of accountability are not addressed in the "Elements" paper. These include (1) holding employees accountable for protecting data and using it properly, and (2) having internal compliance programs. These aspects are keystones of Bell Atlantic’s privacy policies. For more than a century, customers have counted on Bell Atlantic to respect and protect the privacy of customer information. We do hold ourselves accountable to our customers in this area. If we make a mistake that infringes on a customer’s privacy in violation of our policies, we fix the problem.

Bell Atlantic employees’ obligations are included in our Code of Business Conduct, which all employees sign. We publicize and remind employees of these obligations through security reports and articles in our employee newsletter. We include privacy in our ethics and compliance training, and there are serious consequences for employees who fail to follow our privacy policies. We encourage employees to be proactive in helping us protect privacy by bringing things that may be inconsistent with our privacy policies to Senior Management’s attention. As a compliance matter, we monitor and track compliance, treating our privacy policies on a par with our Federal Sentencing Guidelines obligations.

Customers have many avenues for bringing complaints to our attention. Customer may call our service representatives or our Presidents’ Hot Line, and now customers may e-mail us as well. Our local, state, and regional consumer advisory panels are also avenues where consumer members raise privacy and other issues. We intend to continue our tradition of protecting customer privacy as we move into new on-line businesses. We perceive it as simply good business to maintain high standards for the protection of individual privacy.

We currently handle verification through our internal compliance and internal auditing program. We are actively looking at external verification procedures such as website "seals" of approval. We are keenly aware that, should we experience a failure in protecting customer information, customers themselves will bring it to our attention thus acting as a form of external verification that the "Elements" paper should also recognize.

With respect to consequences, for a company like Bell Atlantic the consequences of a privacy breach – bad publicity and negative repercussions to our reputation – are very serious. Our self-imposed consequences, which include the obligation to fix a problem once it is discovered, are akin to injunctive relief. And, the threat of a Federal Trade Commission or State Attorneys’ General action (questions of jurisdiction over common carriers aside) could also mean severe consequences in terms of lost reputation, lost customers, costs, and possibly monetary payments.

The ultimate consequences for a company that does not step up to responsible privacy protection practices will be felt in the marketplace. As customers become more aware of the difference between good and bad privacy practices, and begin looking for evidence of good practices on-line, those companies that do not do a good job in this area will suffer a loss of customer confidence and a loss of customers themselves.

III. Regulation vs. Self-Regulation

Educating consumers, and helping industry educate their customers, is an important role for government to play. The FTC and the Administration, in particular, have been doing a great deal to encourage and help industry inform customers about companies’ privacy policies and the individual’s privacy rights and responsibilities. Education is a prerequisite to customers exercising their choices and exerting their muscle to influence good privacy protection in the marketplace.

The importance of consumers in protecting their own privacy cannot be overstated. The consumer is ultimately responsible for his or her own awareness of privacy policies and options, for making the appropriate choices, and for choosing not to do business with companies with inadequate privacy practices. The on-line world should be recognized as a place in which consumer empowerment is enhanced, where it is easy to find out about privacy and convenient to exercise options to protect it.

When it comes to regulation in this area, government should tread very lightly. The government should limit its regulatory actions to narrow, targeted responses to specific abuses that have not been adequately addressed by self-regulatory efforts. Regulation which is overly broad or premature will simply stifle innovation in an emerging market that has vast potential for serving consumer needs.

In areas in which information collected is not likely to be particularly sensitive, and where a particularly vulnerable population is not likely to be involved, Bell Atlantic does not believe government regulation serves any useful or appropriate public policy goals. No abuses of the collection and use of information have been shown that would justify prophylactic measures that might stifle the development of technologies and conveniences that people want. In fact, most problems of which Bell Atlantic is aware were swiftly corrected as companies concerned with their image responded to consumer outrage.

Industry is working hard to regulate itself. In particular, the work of the Online Privacy Alliance represents a significant step forward in the industry’s recognition of its responsibilities in this area. It may well be that the marketplace will drive companies to do the right thing with respect to customer information. If companies do not adopt acceptable information use practices, customer demand may well see to it that companies with strong privacy protection policies succeed and others do not. The wisest course for government, consistent with our country’s system and philosophy of government, is to give industry and the marketplace a reasonable chance and to avoid enacting stifling regulation.

Two areas in which government action could be appropriate in helping to protect information are in the areas of encryption, discussed above, and identity theft. Companies as well as individuals are the victims when a malicious person impersonates another to fraudulently obtain information, products or services. Government action to make identity theft itself a crime could go a long way to discourage this pernicious practice.

In Bell Atlantic’s view, government should not impose restraints on uses of information that would enable the industry to provide targeted products and services which consumers have indicated they want. Instead, government should continue to have a prominent role in informing the industry and consumers about developments in this area. Regulation, if warranted at all, should be along the lines of the industry’s self-regulatory guidelines and principles.

Respectfully submitted,

/s/ Shelley E. Harms__

Shelley E. Harms

Executive Director

Bell Atlantic

1095 Avenue of the Americas

New York, NY 10036

212-395-1583

Shelley_Harms@smtp.nynex.com

For Bell Atlantic

July 6, 1998

Technology is changing the way companies do business -- and changing the way they collect and use information about customers. Used responsibly, that information can help companies serve customers better. But, with advances in communications technology come growing concerns -- by customers and policymakers -- about maintaining the privacy of individual customer information.

We take privacy concerns very seriously. NYNEX and Bell Atlantic were built on more than a century of customer service and trust, and work hard to uphold that tradition. Both companies have been guided by strong codes governing the privacy of customer communications and information. With our merger, we have combined the best of both codes to establish Privacy Principles for the new Bell Atlantic.

These Privacy Principles state our commitment and define our policy on safeguarding customer privacy. We think these guidelines are among the most progressive in the industry. They balance customer concerns about privacy with their interest in receiving quality service and useful new products. This is especially important at a time when emerging telecommunications services present us with new business opportunities and new challenges to protecting customer privacy.

We recognize that some of our customers may be more concerned than others about the information we obtain about them. Our Principles give customers choices and flexibility regarding how we use that information. And the Principles guide our employees in handling customer information so that private information remains private.

At Bell Atlantic, we’re committed to safeguarding customer privacy. We require our employees, partners and suppliers to protect the privacy of information about our customers. We’re putting customers first -- and that’s the key to success in this new kind of marketplace.

Ray Smith

Chairman and Chief Executive Officer

Ivan Seidenberg

Vice Chairman, President and Chief Operating Officer

These ten Principles express Bell Atlantic’s commitment to assuring strong and meaningful customer privacy protection in an era of rapidly changing communications technology and applications. The Principles are guidelines to help us work with our customers to properly use individual information acquired through a variety of lines of businesses. The goal is simple: balance our customers’ concerns about privacy with their interest in receiving quality service and useful new products.

The Principles are based on the concepts of notice, choice and control. Bell Atlantic is committed to informing customers, and giving customers choices, about how we use information about them. Above all, the Principles are designed to ensure that Bell Atlantic will respect a customer’s desire for privacy.

These Principles apply to our use of "individual customer information" -- that is, information about specific customers. Information that does not reveal a customer’s identity is not individual customer information. For example, "aggregated information," such as the number of customers who have purchased Call Waiting in a particular state, or the number of users to access a Web site in a particular day, does not raise privacy concerns and is not covered by these Principles.

Under each Principle, we provide an explanation and list examples to give our employees and customers a sense of how these Principles are applied. The examples are intended to be illustrative, not all inclusive. Additional information about our privacy policy is available at our Bell Atlantic Web sites.

Principle 1: Bell Atlantic obtains and uses individual customer information for business purposes only.

###

###

Before the

United States Department of Commerce

Washington, D.C.

Comments

of

on the Elements of Effective Self Regulation

for the Protection of Privacy and Questions Related

to Online Privacy

July 6, 1998

The Information Industry Association (IIA) generally supports the elements enunciated by the Department, and congratulates NTIA for taking the lead in fostering the growth of electronic commerce. We are cognizant of the fact that consumers and other users of online information services may perceive a threat to their personal privacy interests and experience apprehension in doing business on the Internet. As with any new medium, user comfort will increase over time. We recognize that change is difficult and want to ensure that customers of information products and services experience a high degree of comfort as soon as possible. To this end, IIA endorses the principles in the Elements Paper, with a few caveats.

Essentially, the caveats stem from the decentralized nature of the Internet and the absence of one, easy-to-regulate "Internet Industry." It is this decentralized structure that will ultimately afford individual users and society as a whole unfettered access to the invaluable information that fuels our market economy and our democracy. We urge the Department not to be distracted by the smoke-and-mirrors surrounding online issues, and to focus on the numerous benefits that will arise from refraining from government intervention. Additionally, we ask the Department not to discount the power of market forces and the choices consumers make every day based on their preferences and their pre-existing relationships with companies. Companies have been effectively dealing with individual privacy prior to the advent of the Internet, and will continue to do so with necessary adjustments. While the harms from the misuse of personally identifiable information in the online environment have thus far been minimal and largely speculative, the benefits are numerous and very real.

Lastly, we would add that truthful and informative disclosure or "transparency" coupled with proportionate accountability or substantiation forms the foundation of an effective self-regulatory framework. While choice may be desirable, it may not be appropriate or realistic in every situation. Similar practical concerns must be considered in relation to principles governing access and correction. However, IIA agrees strongly that a company has an obligation to document and support the representations it makes to the user/consumer. With adequate disclosure through a prominently displayed privacy policy, there is a presumption that the company is offering truthful and nondeceptive information. If a consumer’s trust in such a disclosure is breached, the Federal Trade Commission (FTC), state authorities, and other government agencies have proven enforcement mechanisms already in place to address such circumstances. Radically new solutions are not needed. Although the display of a seal may prove desirable for some companies, it should not be mandatory online any more than it is in the conventional marketplace. If company privacy policies, including options for consumer recourse, are prominently displayed and adequately proportionate to the nature of the information collected, then the need for the blanket imposition of a seal becomes moot.

Implementation begins with a company’s privacy or fair information practices policy. Companies that are committed to fair information practices and eager to make their customers more comfortable in an online environment will draft and prominently post privacy policies. These policies will state what information is collected, how it is used, whether it is provided to unaffiliated third parties, and the procedures for voicing a complaint. If feasible and cost-efficient, the company will offer the consumer choice with respect to the use of their information. If such choice is not possible or practical, the company will clearly say so in its privacy disclosure. In its policy, a company will offer a contact procedure or name of a person designated to handle privacy complaints. Additionally, companies will engage in consumer education efforts, possibly partnering with other industry groups or government, to promote the observance of privacy policies and fair information practices. Consumers will hold businesses accountable for their representations, and will either do business elsewhere or lodge a complaint. Initially, this complaint may be with the alleged offender. Beyond internal enforcement, consumers should be educated as to alternative means of resolution. This could include informing them about traditional enforcement authorities or special programs for dispute resolution that may involve third parties. Because the information industry encompasses such a broad spectrum of companies with a variety of clients and customers, IIA does not presume to dictate how to structure the implementation of these elements. We have every confidence that businesses will fashion the appropriate tools to safeguard privacy within the flexible framework of the summarized above, and that legitimate consumer interests in privacy will be fully protected.

Enclosed is a copy of IIA’s Fair Information Practices Principles, Implementation Guidelines, and web template. These documents were created to provide our member companies with the tools to formulate their own corporate policies on privacy protection. For the most part, they are substantially similar to the DOC Elements paper in that they offer guidelines for what constitutes meaningful disclosure and notice, and advise companies to offer choice, access and correction when appropriate. They also stress the importance of developing effective accountability mechanisms to address consumer complaints and efficient resolution of these matters. Like the Elements Paper, the IIA Principles highlight the need for flexibility. Because of the vast diversity of companies within the information industry, it is the responsibility of individual companies and industry sectors -- within the parameters of these principles -- to develop guidelines that are more precisely tailored to their businesses or industry sectors. The web template or sample privacy policy provides a general outline for the development of a privacy policy posting on the Internet. Both the Implementation Guidelines, which provide companies with a checklist for the development of corporate privacy practices, and the web template reflect the guidelines encompassed in the Fair Information Practices Principles. All of these documents are meant to facilitate the learning process regarding privacy on the Internet, so that companies may adapt their current practices and initiate new ones to address consumer concerns about participating in electronic commerce.

Overall, IIA believes that the Department of Commerce’s draft discussion succeeds in recognizing a wide spectrum of enforcement mechanisms and stressing the need for flexibility in addressing the issues presented by each industry sector. The draft does not include a discussion of market forces and the sufficiencies of existing business models, including the development of business-consumer relationships. Aside from this, the draft acknowledges a wide variety of accountability mechanisms, which IIA endorses as the preferred approach to enforcement. American business may be able to identify new and ingenious methods of accountability in its efforts to address privacy issues, but at this time we are unable to identify methods other than the previously stated market forces and those stated by the Department.

IIA encourages member companies to share the personally identifiable information they possess only with those companies which have an equal respect for preserving personal privacy. This can be implemented through contractual arrangement or by simply not engaging in business with companies that do not share this vision. If companies do not comply, existing contract law offers enforceable remedies. Non-disclosure can also be achieved by not selling information to third parties, and so stating on the web site, but this is not a viable option for all companies.

Our Fair Information Practices Principles state:

Although issues of enforcement and access are addressed throughout this paper, this question presents an opportunity to offer models representative of IIA companies that have already developed and are in the process of refining particularly effective self-regulatory regimes.

Company A, for example, has been committed to creating a comprehensive and effective privacy program for the past several years. Company A is a large, multinational information provider with a highly organized internal infrastructure. It has both the corporate staff and the financial resources to develop an extensive privacy program internally. The company has determined that, because of the nature of their business and the types of information collected from the user, an external audit procedure is not necessary. In the event that a consumer has a specific concern regarding how their information is being collected and used, or about privacy in general, Company A has a comprehensive infrastructure already in place to address these concerns. Its privacy policy, clearly displayed at or near the points of collection, offers contact information regarding how to communicate with a "privacy officer" so that the investigative process may ensue. Additionally, Company A has created several committees on privacy and an intricate privacy hierarchy to deal with complaints. Company A has also determined that privacy violations are considered ethical violations, punishable by disciplinary action or even termination.

Company B’s business is very diverse, and in some areas, already subject to regulation from the FTC and other regulatory authorities. For those aspects of business subject to regulation, Company B engages in a third-party certification procedure or outside audit to ensure compliance with its stated privacy policy and with existing law. For those services offered that are not currently regulated, Company B conducts periodic random internal audits of its business units and makes the results publicly available annually. This ensures accountability to the ultimate adjudicator -- the customer.

Company C started operation last year and is just now beginning to realize a profit. Although rich in innovative ideas, Company C has a small staff and an equally small annual budget . Yet, Company C is very much aware of the importance of ensuring user privacy in order to foster customer relationships and bolster consumer confidence. It is also aware that it will have to embark upon a different road to accountability than that of Company A or Company B in order to stay within its operating budget and stay in business. Accordingly, Company C’s leaders decide that they will not collect personally identifiable information other than that necessary to complete online transactions, that they will not sell or disclose collected information to third parties (although they will use aggregate information for internal product development and marketing purposes, which they believe is reasonable for consumers to expect) and that they will clearly communicate their information practices to the consumer (complete with contact name). Company C knows that if it does not act responsibly with the entrusted information, it risks losing business and possibly exposing itself to legal or regulatory enforcement.

The above models are not peculiar to the Information Industry Association; rather, they are representative of many companies doing business successfully in an online environment. Our membership encompasses a wide spectrum of organizations providing information both online and off, and that is why the above illustrations of successful self-regulatory schemes are particularly valuable.

When implementing complaint procedures, IIA encourages companies to respond to consumer requests for information and grievances within a designated timeframe that ensures predictability and effective resolution. If consumers are not satisfied with the disposition of their case, in some instances companies may provide an appeals process. In other instances, companies may inform consumers of their options. These options may include small-claims court, the FTC, and other traditional enforcement mechanisms. As with any consumer complaint, it is in the best interest of both the company and the individual to expeditiously address the grievance and resolve the problem. The consequence for the company may be loss of business, loss of credibility with both customers and other businesses, or even a lawsuit. Whatever redress is fashioned, it is important that the attention and resources devoted to recourse be proportionate to the alleged offense. It is also important to allow each company to handle such complaints according to their business practices, so that they may continue to maintain trusted relationships.

Let the market decide. Without the imposition of blanket restrictions dictating one-size-fits-all enforcement, each entrepreneur and enterprise can solve privacy problems for themselves and disclose to the user how they came to do so. The ingenuity that developed a decentralized information network can only be snuffed out by a centralized, archaic approach. There should be a presumption in favor of industry and the benefits to the consumer and citizen derived from industry. We are not currently in a privacy crisis and yet each one of us is traceable. Cash is largely a thing of the past, and, even in the off-line world, all of us leave a trail of personally identifiable numbers and words in our

wake with every transaction. The privacy concerns created are genuine, but far less concrete than the undeniable benefits -- in terms of convenience, cost savings, and choice -- that derive from the free flow of personally identifiable information.

So why are we expecting a privacy crisis once our identities take to the Information Superhighway? We cannot pass laws or impose regulations that would prevent every conceivable misuse of information or fraudulent conduct in either world. Rather than generating scenarios for harm and attempting to fashion omnibus, commercially restrictive solutions, both business and consumers would be better served with targeting solutions to proven problems. If and when legitimate threats to privacy do surface, the existing legal frameworks and responsible business practices, including truthful disclosure and a commitment to accountability, should be diligently employed to protect both consumers and businesses.

Self-regulation has a long and illustrious history, and has proven successful in industries such as advertising, broadcast, commodities, and motion pictures. IIA, however, does not purport to be an expert on the various models of self-regulation or the development of these models over the years. Accordingly, we must defer to the experts in this field who have devoted much time and resources to the theories and practices surrounding self-regulation.

Companies know that if they do not self-regulate, they will not survive in the marketplace. We believe that, if a sectoral approach is taken, self-regulation can protect personal privacy online to a great extent. We recognize that a different self-regulatory structure would be appropriate for a site collecting information from children or dealing with sensitive financial information than a site that merely displays a homepage and collects no information whatsoever. A different accountability mechanism is needed for the consumer who feels his banking information has been misused as opposed to the individual who seeks to correct an address label. Additionally, a third-party audit procedure may be appropriate for a look-up service but may be viewed as unduly excessive for a newsletter publisher. As companies self-assess the sensitivity and uses of the information they collect and look to similarly situated companies for an industry

standard, they will formulate proportionate accountability mechanisms. They will also take into account consumer demand for a particular type of system and will consider the particular needs of their unique customer base.

The costs required to implement a self-regulatory regime will differ from company to company, depending on the size of the operation and the nature of the services provided. For example, a company that does not collect personally identifiable information from its web page and states so clearly in its privacy policy will not need to invest a great deal of company resources in its privacy program. Conversely, a company that collects information as a prerequisite to, or as an integral part of, providing a service to its customers may need to develop an internal privacy bureaucracy with "privacy officials" or may need to invest in an outside audit firm to monitor compliance with self-regulatory standards if the information is particularly sensitive. These associated costs to developing a comprehensive privacy program could prove substantial. In some instances, such an investment may be viewed by the company and the industry sector as a necessary cost of doing business. In other instances, where the sensitivity of the information is not as great, such procedures could be viewed as excessive and unnecessarily expensive. The cost associated with a privacy program should be proportionate to the type of information collected and the foreseeable harms that could result from the misuse of personally identifiable information in that particular context.

A blanket imposition of certain elements proposed in the Department of Commerce paper without regard to cost and proportionality could result in financial hardship for many information providers functioning successfully in today’s economy. Comprehensive access to an individual’s information, for example, may not be feasible from a company perspective given the limitations within a company’s infrastructure. Often, companies store information about a single individual in several completely separate databases. These databases may not currently have the ability to integrate their information and it would prove very expensive to require the replacement of this embedded technology with newer systems. Unfettered access to billing documents and public record information could result in both substantial economic and societal harm. And a choice to consumers to "opt-out" of uses other than marketing and solicitation could adversely affect product development, shipping procedures, published directories, billing procedures, and the integrity of public records. Companies should state for what purposes the information is being collected and how that information will be used. If choice is not available, companies should disclose this to the user and provide explanation as to why this may not be feasible.

The cost of self-regulation would be far less than the cost for companies to comply with government regulation in the area of online privacy. These costs would be borne not only by business, but by individual users and society as a whole. Regulation would have to be narrowly tailored to address the potential harms resulting from the misuse of personally identifiable information in order to comply with the First Amendment. The Supreme Court has stated that the government may regulate speech if it can identify harm that is more than speculative. Edenfield v. Fane, 507 U.S. 761, 770-771 (1993). Regulation must be narrowly tailored to address that specific harm, and the government must have a substantial interest in preventing that harm. Thus, the government must consider whether it has a substantial state interest in regulating the private sector’s use of personally identifiable information, whether such legislation could be drafted without proving overbroad, and whether a targeted harm can be articulated. If these factors cannot be satisfactorily addressed, it is likely that such a regulation would not survive constitutional scrutiny.

As previously discussed, the Internet business community encompasses every industry, ranging from small mom-and-pop operations to multinational corporations. Drafting legislation to regulate this broad range of business activities in regard to the collection and use of personally identifiable information would likely result in unnecessary cost to the taxpayer, as such a behemoth endeavor would drain government resources. Enforcement would probably be erratic and extraordinarily difficult, at best. Implementing such legislation would likely prove burdensome, excessive, and often irrelevant to many businesses, and may effectively exclude some enterprises from the marketplace. Ultimately, the exclusion of a variety of companies for failure to comply with these regulations would result in the loss of one of the most precious rights that a consumer and American citizen currently enjoys -- the right to know. The cost of censoring market players, thereby depriving individuals of valuable information that aids in their everyday life decisions, coupled with the inevitable stagnation of electronic commerce under the heavy hand of government, is too steep a price to pay in return for legislation or regulation in this area.

There are special considerations for doing business online that companies must take into account when adopting to an Internet or online environment. However, the difference between conventional and electronic commerce are sometimes overstated. Most consumers in the traditional world have proffered their personal information in a variety of contexts and entrusted a variety of enterprises with this information. Although purchases through the exclusive use of cash may provide some anonymity, such behavior is not the norm in today’s business world. Today, a combination of sectoral laws, market forces, and self-regulatory structures operate to ensure individual privacy. Occasionally, the news will highlight an incident where a person’s information has been misused, but usually the activity stems from a blatantly fraudulent act punishable under current law. Legitimate businesses usually respond to correct any inadvertent misuses immediately. Rarely does a newspaper take interest in reporting the resolution of these cases, although that might assist in expediting the resolution process and creating public awareness. Disputes online have been and continue to be successfully resolved through the application of mechanisms that currently operate successfully in the offline world.

The most basic distinction between the traditional business environment and the online environment is the absence of the face-to-face transaction. Yet, even this concept is not that different from today’s business environment, which includes catalog shopping and phone transactions. Essentially, the same amount of information is present in both worlds, but the online world has the advantage of compiling information from various sources almost instantaneously. Rather than a threat, this new technology heralds tremendous advantages for the consumer. Consumers are now able to research, make decisions, and make purchases more efficiently and effectively than ever before. This technology has the advantage of actually enhancing a prospective consumer’s education level, resulting in more informed purchases. Companies can tailor commercial information to address individual preferences and answer individual concerns. As in the traditional world, businesses will continue to engage in responsible business practices and will honor a reasonable request to be let alone. Just as in the offline world, it is reasonable to expect that if a customer purchases a product, that individual will be placed on a contact list for marketing purposes and product development. Although companies operating in an offline environment are generally not required to offer an "opt-out," many companies, at their discretion, offer consumers such a choice. We expect this trend to continue online as well. Alternatively, we would encourage companies to explain why "opt-out" is not available in certain circumstances.

Companies operating successfully in today’s offline business environment do not customarily disclose what or how information is collected or where that information will ultimately end-up. Yet, consumers largely feel comfortable doing business offline. IIA encourages a higher standard for both the online and offline business environments, and recognizes that fair and honest disclosure that is reasonably comprehensive is especially crucial to the online world where consumers may not yet be familiar with the technologies associated with cyberspace.

This question appears to be directed towards consumers and inappropriate for a trade association’s response.

The above statement, offered by Commissioner Azcuenaga of the FTC in a speech entitled, "The Role of Advertising and Advertising Regulation in the Free Market," highlights the important role commercial speech plays in our economy. She continues,

Commissioner Azcuenaga’s observations are not limited to the advertising context, and prove especially insightful when applied to an Internet environment. The Internet is a decentralized network, transporting huge amounts of every type of information conceivable. The Commissioner recognizes the value of the free-flow of such information, and acknowledges that much of the information that fuels our market economy and our democracy is protected by the First Amendment to the Constitution. Commercial speech, or speech inextricably bound to a transaction like the information about consumer tastes and income levels cited by the Commissioner, also enjoys constitutional protection, as has been recognized by the Supreme Court since 1976. In recent years, the commercial speech doctrine has become even stronger, reflecting the values of the American people and their longstanding abhorrence of censorship. Therefore, when discussing industry use of information, it is important not to characterize such collection and use as merely furthering commercial interests of a particular company, but to recognize that the collection and dissemination of such information is also of great benefit to the consumer and our economy and our society.

With the influx of information comes opportunity. Companies seize opportunity when they improve upon their products and customize a product to meet consumer taste. Marketing becomes more targeted, eliminating mailings to potential customers who are likely to view the receipt of such mail as a nuisance. Truthful information targeted to an interested consumer vitiates the need for consumers to sort through unwanted information in an effort to uncover what they seek. The free-flow of information allows consumers to compare information and arrive at an informed decision to deal with a particular company and select particular products. Information educates and informs. The new technology affords faster transactions, the tools to detect fraud more rapidly, and the potential to build a new level of consumer trust.

Although companies may be protected as commercial speakers, they are still obligated to uphold and implement responsible business practices. They are also obligated to comply with the existing legal framework, and not to misuse the information that they have acquired. But, in a free society, how do we define the misuse of information? Arguably, such misuse is characterized by the resulting harm. To address harm resulting from the misuse of personal information over the Internet through government regulation, rather than through vigorous enforcement of existing laws against harmful behaviors, would most likely prove impossible, given the breadth of businesses participating in electronic commerce. That is why companies need to take the lead in tailoring self-regulatory procedures to address real harms posed by their particular industry sector and unique business operation. Industry-tailored solutions to ensure consumer privacy and secure consumer trust will regulate the use of this information without jeopardizing the consumers’ First Amendment right to receive such information. Alternatively, if the safeguards created by a particular business do not meet the discerning tastes of an individual consumer, then that consumer may use that information in making a choice not to do business with that company.

As the Supreme Court noted, "the free flow of commercial information is indispensable to the proper allocation of resources in a free enterprise system because it informs the numerous private decisions that drive the system." Rubin v. Coors, 514 U.S. 476, 481 (1995) (citing Virginia Bd. of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748 (1976)). The Court also aptly observed that, "a particular consumer’s interest in the free flow of commercial information may be as keen, if not keener by far, than his interest in the day’s most urgent political debate." Id. at 482. And if one is not interested in such information, then one need not participate and is free to do business elsewhere. It is a well-established principle of economics that, as Commissioner Azcuenaga notes, "Nobody designed the market; yet it functions remarkably well."

The Information Industry Association has adopted the following principles to give guidance to industry for the collection, use and dissemination of individually identifiable information.

The principles are designed to apply to all information companies whether they obtain individually identifiable information directly from customers/consumers or from other sources. The principles are independent of any specific technology or market configuration. Because of the vast diversity of companies within the information industry, it is the responsibility of individual companies and industry sectors -- within the parameters of these principles -- to develop guidelines that are more precisely tailored to their businesses or industry sectors.

The information industry creates numerous products and services which either include individually identifiable information or are based on such information. Benefits are delivered to society through those products and services. In addition, the information industry uses individually identifiable information to provide valuable tailored products and service. The principles, therefore, balance consumer concerns regarding the collection, use and dissemination of information about them with the multitude of societal and economic benefits inherent in the free flow of such information.

For purposes of this document, individually identifiable information is defined as any information which can be used to identify a specific individual in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural status or social affiliations. Aggregate information from which an individual cannot be readily identified is not individually identifiable information.

The principles were designed to apply to individually identifiable information as used in or with information products and services. The principles apply to the collection, use and dissemination of individually identifiable information that is not regulated by law; and they should provide additional guidance for such activities that are regulated by law. The principles were not designed to apply to information about an individual included in an internal business record used in the normal course of business; linked to an individual serving in a business capacity; or obtained through newsgathering.

It is information -- including individually identifiable information -- that makes our securities, publishing, credit, risk management, real estate, entertainment and other markets so prosperous. The information industry, in turn, creates products and services which provide a wealth of benefits to individual and business customers such as customized products and services, instant credit, accurate employment screening aids and tools for detecting fraud. It is important to balance these beneficial uses with consumer concerns regarding the collection and use of individually identifiable information. Therefore, companies in the information industry shall collect and use individually identifiable information in a manner that benefits individuals, commerce and the society.

Disclosing policies or explaining practices regarding the collection, use and dissemination of individually identifiable information will lead to greater understanding of the benefits associated with the responsible use of this information. Companies shall provide information about their uses of individually identifiable information or their policies through whatever media are appropriate.

Company policies and information about the collection, use and dissemination practices shall:

1. Be easy to understand.

III. Choice:

Many companies offer individuals choice with regard to the collection, use and dissemination of individually identifiable information. Information companies should, when appropriate, offer choices to individuals to limit uses of individually identifiable information. If it is inappropriate to offer individuals the ability to limit uses, companies should inform individuals in a timely manner that it is inappropriate and explain why it is inappropriate.

A company’s use and dissemination of individually identifiable information shall be consistent with any known policy disclosures and choices regarding use and dissemination. Therefore, companies shall take reasonable steps to ensure that:

Providing accurate and up-to-date individually identifiable information is one of the factors which makes the information industry valuable to its customers and society as a whole. Companies shall, therefore, take reasonable steps to attain a high level of information quality, consistent with industry practice and customer need.

Information security is a key feature of responsible collection, use and dissemination of individually identifiable information. Companies shall, therefore, take reasonable and appropriate measures to secure information they collect and use. If the individually identifiable information is disseminated, the disseminating company should take reasonable

steps with respect to affiliates or the unaffiliated third parties who are receiving the information to protect against security risks.

Because of the vast diversity of companies in the information industry, the processes for accessing and correcting individually identifiable information will differ from company to company. In particular, there may be differences in the processes employed by companies that collect information directly from individuals and those that collect information from other sources.

Information companies should implement the principles articulated and should establish a system of accountability for such implementation. Information companies that disseminate individually identifiable information to affiliates or unaffiliated third parties should implement mechanisms to verify and remedy abuses associated with the information they provide.

Businesses collect and use individually identifiable information in a variety of ways and media. While the Fair Information Practices Principles should, as a general rule, be applied as widely as possible in all circumstances, certain modifications are appropriate.

Some key points to keep in mind:

• Information collected through Web pages -- as well as other information about individuals you may collect online -- is covered by the Principles. Government officials and consumers, including your customers, may have special sensitivity about practices pertaining to collection and use of this type of data.
• You should take care to review contracts to assure that terms governing collection and use of individually identifiable information are consistent with your evolving policies. Such terms and conditions may apply both to the data you receive and the data you make available to others, including when you outsource services, such as product delivery and bill collection.
• The Principles do not apply to data used in the aggregate.
• The Principles do not apply to data relating to employees, to information gathered through newsgathering, or to certain types of internal business records, such as customer file notes and information collected and used for purposes of litigation.
• Even if you do not collect individually identifiable information or use it only in the aggregate, it is wise to inform consumers that these are your practices.

In implementing the Fair Information Practices Principles you should strive to achieve four main objectives:

• Openness about your practices in collecting, using and disseminating individually identifiable information.
• Clear and simple language when defining terms and explaining practices.
• Consistency in communicating practices and overseeing their implementation.
• Willingness to review your practices and adjust them to meet changing marketplace expectations.

I. PERFORM A CHECKLIST OF YOUR PRACTICES

1. Name, address, phone, fax.

2. User names, Internet addresses.

3. Health-related data.

5. Family information.

6 Other -- age, cultural background, personal interests.

III. DEVELOP A METHOD OF ACCOUNTABILITY FOR YOUR PRACTICES

IV. DEVELOP DISCLOSURE POLICIES

• What information about them you collect and use;
• What sources you employ to collect such information;
• How you use, or intend to use, such information, including dissemination to third parties;
• What procedures are in place to maintain the quality and assure the security of such information;
• Under what circumstances they may review such information; and
• How and when they may correct or delete information they claim to be incomplete or inaccurate.