PRIVACY Forum Archive Document


PRIVACY Forum Digest      Sunday, 20 July 1997      Volume 06 : Issue 10

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
          "internetMCI" (a service of the Data Services Division         
      of MCI Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
        Privacy Discussion on KPFK-FM via PRIVACY Forum Radio
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Directory Services and The Roach Motel
           (Lauren Weinstein; PRIVACY Forum Moderator)
        Supermarket Banks (Keith Parkins)
        Bermuda (Rick Morbey)
        Draft minutes, June Meeting of CSSPAB (Michael Ravnitzky)
        [FYI] ALA Statement on library use of filtering software (Terry Kuny)
        Direct Line Insurance (Keith Parkins)
        Smart Cards at Surrey University (Keith Parkins)
        "Privacy is not a right" according to CEI/NCC submission at FTC
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system.  Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 06, ISSUE 10

   Quote for the day:

        "Can you prove it didn't happen?"

             -- Criswell (Charles Jeron Criswell King)
                "Plan 9 From Outer Space" (Reynolds Pictures; 1959)

----------------------------------------------------------------------

Date:    Sat, 19 Jul 97 17:16 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Privacy Discussion on KPFK-FM via PRIVACY Forum Radio

Greetings.  Now available via PRIVACY Forum Radio is a 25 minute audio
segment from Pacifica's KPFK-FM (Los Angeles) "Digital Village" program.
The show is hosted by Doran Barons and Ric Allan.  The in-studio guest
for this segment devoted to privacy issues was your loyal moderator and
host, yours truly.  The discussion covered a range of privacy topics,
from specific controversies to some more general philosophical
musings.

This segment is available for playback via:

http://www.vortex.com

... then follow the links to PRIVACY Forum and PRIVACY Forum Radio.
I hope you find it interesting--or at least amusing.

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

------------------------------

Date:    Sat, 19 Jul 97 18:30 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Directory Services and The Roach Motel

Greetings.  Even the most casual of web surfers is by now aware of the
plethora of "directory services" proliferating around the net.  It seems
that nearly every major search service has allied itself with one or another
of these "white" or "yellow" page search systems, which promise the thrill
of finding old "friends" (whether or not they have any interest in ever
hearing from you again), and simplifying all manner of business 
transactions.  

We've discussed in the past some problems with these services, including
stale or otherwise inaccurate data, or use of third-party data
sources which could allow unlisted telephone numbers and other 
"sensitive" information to become publicly available.  We've also
pointed out that at least some of these services ostensibly provide
mechanisms for a user to correct entries and/or remove themselves from the
databases, though the mechanisms for doing this may be rather
convoluted.

Reports are now arriving that in at least some cases, even persons
who have followed all the rules are finding it difficult or impossible
to alter or remove erroneous data in these systems.  Like the "Roach Motel,"
it appears that it can be quite a challenge to ever "check-out"
once your feet have been implanted in the glue.  (Or, the more
musically inclined might prefer the "Hotel California" analogy:
"You can check out any time you like, but you can never leave...")

One of our regular PRIVACY Forum contributors, Phil Agre, has recently
reported difficulties being removed from a list at Four11.com (one of the
major web-based directory services) which can only be described as a classic
"bad idea."  It's a list of supposed "celebrities" (he has no idea how he
got on this list, since he considers his celebrity status to be
nonexistent).  He's been inundated with e-mail requests for his autograph,
many of which appear to be form letters without any hint that the sender has
any idea why they'd possibly want to contact him.  Getting removed from this
list has been decidedly non-trivial.  Correspondence was unanswered, or he
was told he was not in the database, even though he could still clearly see
his entry was present.  Finally, after more time and effort spent than most
persons would probably be willing to exert, he was seemingly removed from the
graphically-oriented database pages, but (at least at last report) was still
present in the text-based pages, which apparently operate in an out-of-sync
universe of their own.  

Phil suggests that persons concerned about these kinds of issues contact
humans@four11.com and request to be removed from the database.  This could
well be a good idea, and I might add that at the very least you might end up
with a new hobby.

Concerned individuals might consider taking the same actions at the other
databases that have "remove" policies, though it's a certainty you'll never
get them all, and again the overall utility may be limited.  Unfortunately,
even if you have successfully managed to remove your entry from a database at
a given point in time, there is a high likelihood that it can reappear at
some future time when the database refreshes its info from its raw data
sources.  This is especially likely if you've moved, changed your phone
number, or done anything else that results in alterations from your previous
raw data information.  This creates one of the true ironies of database
intrusion--in order to stay removed from a database you may need to be
uniquely identified in some manner which can survive data updates and
changes, otherwise you can keep popping in again.  Some databases have used
Social Security Numbers for this purpose, with predictable and quite valid
concerns and outcry, especially since the SSN rarely ends up being truly
restricted only to that internal purpose.  Use of SSN in these commercial
databases is just not a good concept, period.

As the quantity of these databases continues to expand, these sorts
of problems seem likely only to increase.  It seems patently unreasonable
that persons should have to jump through hoops to maintain even modest
controls over their basic personal information.  Even where policies
exist to allow some measure of after-the-fact input, they are useless
if they are ignored or don't work properly in the real world.

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

------------------------------

Date:    Mon, 16 Jun 1997 10:45:20 -0500 (CDT)
From:    keithpp@hotmail.com (Keith Parkins)
Subject: Supermarket Banks

The recent two issues of Privacy Digest (Vol 06 # 08) have
concentrated on supermarket banking, that is banks relocating to
supermarkets and the loss that entails of privacy and the general
inconvenience it causes to lose a neighborhood bank - to which I
would add the extra environmental cost.  I, though, wish to discuss
this from a different angle - supermarkets becoming banks.
 
In the UK major supermarket chains are becoming banks, but first
I'd like to go back a few steps.
 
A couple of major chains in the UK (Sainsbury's and Tesco's are
two that spring to mind) offer Loyalty Cards.  High-tech versions
of the old stamps.  The more you spend the more you earn in
fairly worthless bonus points.  Each time you shop, the card is
inserted and points are added (actually I'd check on that as one
supermarket was deducting!).
 
Ostensibly this is to encourage you to shop at that particular
store, but I believe this is to enable the supermarket to build a
profile of your shopping habits.  Unless specified otherwise the
supermarket is free to sell this data.
 
A second trend is to install cameras to monitor the shoppers. 
Yes, these are to stop thieving, but how many people are aware
that this film footage is subjected to psychoanalysis to
determine how and why you buy?  About the only argument that I
have heard in favor of this technique is that it is anonymous,
but is it?  All it needs is a camera at the check-out to link you
to your loyalty card.
 
This is now being extended one stage further.  Supermarkets are
moving into banking.  In the UK, banking is extremely
competitive, and one reason why so many branches are closing. 
Main competition to the traditional bank is telephone banking.
 
I believe the main reason these supermarkets are now moving into
banking, is that it extends their data collecting capability. 
Now they are able to form profiles not only on the buying habits
within their own stores, but also outside.
 
Keith Parkins <keith@redkbs.com>

------------------------------

Date:    Wed, 25 Jun 1997 16:28:35 -0300 (ADT)
From:    Rick Morbey <rmorbey@morbey.com>
Subject: Bermuda 

[ Original message edited for length and format by MODERATOR ]

The Editor
The Royal Gazette
Hamilton
Bermuda

                                                        June 8, 1997

Dear Sir,

        The right to privacy and individual freedom is the essential core
of our democratic system of government, but technology has raced far ahead
and safeguards to privacy have failed to keep up.  This is true of the most
developed countries in the world, and it is particularly true of Bermuda.

        In his remarks at the recent Conference on Privacy in the
Information Age, Alan Greenspan said that in recent generations there have
been, as we know, two major forms of government (1) a system based on
individual rights with the role of the state largely directed at protecting
those rights, and (2) communist collectivization represented by the now
defunct Soviet Union, and its eastern European satellites. In the latter,
the individual was theoretically subject to the will of the collective but,
in reality, subjugated by an elite autocratic hierarchy. Collective rights,
enforced by the KGB or the Stasi, immediately dismissed by definition any
right to privacy. He goes on to say that the human need for privacy was a
major factor in undermining those collectivist states.

        IBM's FastGate electronic immigration clearance system at
the Bermuda airport, and CCTV video surveillance cameras on the streets of
Hamilton, are technologies which promise to save us time and protect us
from crime. They are also public examples of a slew of technologies which
threaten our fundamental right to privacy.

        A recent article in Business Travel News says that IBM's
plan for FastGate is to fund placement of the ATM-type machines in airports
and sell the service to credit card issuers such as American Express and
Visa. FastGate users would provide the credit card company with their
passport information which will be recorded on the credit card. This
digital data is combined with digital biometric data gathered as the
traveler's hand is inserted and 'read' by the system. All of this data is
then married with "information contained in the IBM-managed database."

        The publicized purpose of the FastGate system is to
facilitate rapid immigration procedures, but the data could be combined
with a variety of global computer databases about every person who takes a
flight. The combined individual dossiers containing gobs of juicy, personal
information, would be highly valued by numerous International businesses,
organizations and government agencies. When U.S. Senator Dianne Feinstein
introduced the Personal Information Privacy Act last month, she said, "Our
private lives are becoming commodities with tremendous value in the
marketplace."

        Should business travelers, who regularly express concerns
about privacy in their financial and commercial transactions, now expose
personal data to IBM, the credit card companies, and any number of local
Government departments?  Not until they know that the information will be
used solely for specific purposes in the public interest. Not until they
know that the personal data contained in these computers will never be sold
to the highest bidder without any concern for their privacy.

        Privacy International says that in Britain, there are an
estimated 300,000 CCTV surveillance cameras in public areas, housing
estates, car parks, public facilities, phone booths, vending machines,
buses, trains, taxis, alongside motorways and inside Automatic Teller (ATM)
Machines. Originally installed to deter burglary, assault and car theft, in
practice most camera systems have been used to combat 'anti-social
behavior', including many such minor offenses as littering, urinating in
public, traffic violations, obstruction, drunkenness, and evading meters in
town parking lots. They have also been widely used to intervene in other
'undesirable' behavior such as underage smoking and a variety of public
order transgressions. Other innovative uses are constantly being discovered.

        These 'military-style' cameras are often installed in
high-rent commercial areas. Crime statistics rarely reflect that crime may
merely be pushed from these high value commercial areas into low rent
residential areas. Richard Thomas, Acting Deputy Chief Constable for Gwent,
in his interview with 20/20, said "Certainly the crime goes somewhere. I
don't believe that just because you've got cameras in a city center that
everyone says 'Oh well, we're going to give up crime and get a job'".

        In one survey commissioned by the UK Home Office a large
proportion of respondents expressed concern about several key aspects of
visual surveillance, says Privacy International. More than fifty per cent
of people felt neither government nor private security firms should be
allowed to make decisions to allow the installation of CCTV in public
places. Seventy-two per cent agreed "these cameras could easily be abused
and used by the wrong people". Thirty-nine per cent felt that people who
are in control of these systems could not be "completely trusted to use
them only for the public good". Thirty-seven per cent felt that "in the
future, cameras will be used by the government to control people". They
already have. British CCTV surveillance systems were used by the Chinese
government at Tiananmen Square to suppress the student Democracy movement.

        The fact is that FastGate and CCTV surveillance systems
represent the tip of the technological iceberg. It is already far too late
to prevent the invasion of surveillance and database systems which are
getting faster, smarter, and cheaper every year. Innovation and
miniaturization have created systems which can take pictures through the
walls of your building and record every sound you make with satellites and
blast the information to the other side of the world in a millisecond.
Computers may already hold the financial, educational, medical and DNA
records of each and every one of us. If not, they soon will. Strangers may
already be collecting information on our whereabouts and cruising through
our most personal information with impunity. We may have already created a
world in which nothing is private.

        Do we try to protect Democratic freedoms by legislating
safeguards against the abuse of private data? Must we accept that the
mightiest individuals and institutions cannot be held accountable, and
there is no use in trying? Or do we simply acquiesce, and accept that
privacy is an outdated concept when cheap technology makes everyone
vulnerable, wolves and lambs alike? The choices are not easy, but in the
words of David Brin, "asking questions can be a good first step".

Rick Morbey
June 8, 1997

------------------------------

Date:    Tue, 08 Jul 1997 22:48:12 +0000
From:    Michael Ravnitzky <MikeRav@ix.netcom.com>
Subject: Draft minutes, June Meeting of CSSPAB

I just received via FOIA from NIST a copy of the meeting minutes of the
Computer System Security and Privacy Advisory Board's most recent
meeting in June 1997  (CSSPAB).

They will go onto the internet at http://csrc/nist.gov/csspab/ but only
after October 1997.

To get a copy, just send a note to Karl E. Bell, Deputy Director of
Administration, FOIA Officer, NIST, Gaithersburg, MD  20899-0001.

Interesting stuff.

Sorry I don't have time to type it all out, but that's not my
responsibility.

Michael Ravnitzky

------------------------------

Date:    Fri, 11 Jul 1997 10:47:18 -0400
From:    Terry Kuny <Terry.Kuny@xist.com>
Subject: [FYI] ALA Statement on library use of filtering software

This statement was developed by the Intellectual Freedom Committee at
the ALA annual conference.

STATEMENT ON LIBRARY USE OF FILTERING SOFTWARE
AMERICAN LIBRARY ASSOCIATION/INTELLECTUAL FREEDOM COMMITTEE
July 1, 1997

On June 26, 1997, the United States Supreme Court issued a sweeping
re-affirmation of core First Amendment principles and held that
communications over the Internet deserve the highest level of
Constitutional protection.

The Court's most fundamental holding is that communications on the
Internet deserve the same level of Constitutional protection as books,
magazines, newspapers, and speakers on a street corner soapbox.
The Court found that the Internet "constitutes a vast platform from which
to address and hear from a world-wide audience of millions of readers,
viewers, researchers, and buyers," and that "any person with a phone
line can become a town crier with a voice that resonates farther than it
could from any soapbox."

For libraries, the most critical holding of the Supreme Court is that
libraries that make content available on the Internet can continue to do
so with the same Constitutional protections that apply to the books on
libraries' shelves.  The Court's conclusion that "the vast democratic fora
of the Internet" merit full constitutional protection will also serve to
protect libraries that provide their patrons with access to the Internet.
The Court recognized the importance of enabling individuals to receive
speech from the entire world and to speak to the entire world.  Libraries
provide those opportunities to many who would not otherwise have them.
The Supreme Court's decision will protect that access.

The use in libraries of software filters which block Constitutionally
protected speech is inconsistent with the United States Constitution and
federal law and may lead to legal exposure for the library and its
governing authorities.  The American Library Association affirms that the
use of filtering software abridges the Library Bill of Rights.

WHAT IS BLOCKING/ FILTERING SOFTWARE?

Blocking/filtering software is a mechanism used to:

*restrict access to Internet content, based on an internal database of the
product, or;

*restrict access to Internet content through a database maintained
external to the product itself, or;

*restrict access to Internet content to certain ratings assigned to those
sites by a third party, or;

*restrict access to Internet content by scanning content, based on a
keyword, phrase or text string or;

*restrict access to Internet content based on the source of the
information.


PROBLEMS WITH THE USE OF BLOCKING/FILTERING SOFTWARE IN LIBRARIES

*Publicly supported libraries are governmental institutions subject to the
First Amendment, which forbids them from restricting information based
on viewpoint or content discrimination.

*Libraries are places of inclusion rather than exclusion. Current
blocking/filtering software prevents not only access to what some may
consider objectionable material, but also blocks information protected
by the First Amendment. The result is that legal and useful material will
inevitably be blocked.  Examples of sites that have been blocked by
popular commercial blocking/filtering products include those on breast
cancer, AIDS, women's rights, and animal rights.

*Filters can impose the producer's viewpoint on the community.

*Producers do not generally reveal what is being blocked, or provide
methods for users to reach sites that were inadvertently blocked.

*Criteria used to block content are vaguely defined and subjectively
applied.

*The vast majority of Internet sites are informative and useful.
Blocking/filtering software often blocks access to materials it is not
designed to block.

*Most blocking/filtering software is designed for the home market. Filters
are intended to respond to the preferences of parents making decisions for
their own children.  Libraries are responsible for serving a broad and
diverse community with different preferences and views. Blocking Internet
sites is antithetical to library missions because it requires the library
to limit information access.

*In a library setting, filtering today is a one-size-fits-all "solution,"
which cannot adapt to the varying ages and maturity levels of individual
users.

*A role of librarians is to advise and assist users in selecting
information resources. Parents and only parents have the right and
responsibility to restrict their own children's access -- and only their
own children's access -- to library resources, including the Internet.
Librarians do not serve in loco parentis.

*Library use of blocking/filtering software creates an implied contract
with parents that their children will not be able to access material on
the Internet that they do not wish their children to read or view.  Libraries
will be unable to fulfill this implied contract, due to the technological
limitations of the software, thus exposing themselves to possible legal
liability and litigation.

*Laws prohibiting the production or distribution of child pornography and
obscenity apply to the Internet. These laws provide protection for
libraries and their users.

WHAT CAN YOUR LIBRARY DO TO PROMOTE ACCESS TO THE INTERNET?

*Educate yourself, your staff, library board, governing bodies,
community leaders, parents, elected officials etc., about the Internet and
how best to take advantage of the wealth of information available. For
examples of what other libraries have done, contact the ALA Public
Information Office at 800-545-2433, ext. 5044 or pio@ala.org.

*Uphold the First Amendment by establishing and implementing written
guidelines and policies on Internet use in your library in keeping with
your library's overall policies on access to library materials. For
information on and copies of  the Library Bill of Rights and its
Interpretation on Electronic Information, Services and Networks, contact
the ALA Office for Intellectual Freedom at 800/545-2433, ext. 4223.

*Promote Internet use by facilitating user access to Web sites that
satisfy user interest and needs.

*Create and promote library Web pages designed both for general use
and for use by children. These pages should point to sites that have
been reviewed by library staff.

*Consider using privacy screens or arranging terminals away from
public view to protect a user's confidentiality.

*Provide information and training for parents and minors that remind
users of time, place and manner restrictions on Internet use.

*Establish and implement user behavior policies.

FOR FURTHER INFORMATION ON THIS TOPIC, CONTACT THE OFFICE FOR
INTELLECTUAL FREEDOM AT 800/545-2433, EXT. 4223, BY FAX AT
(312) 280-4227, OR BY E-MAIL AT OIF@ALA.ORG.

------------------------------

Date:    Fri, 18 Jul 1997 09:00:02 PDT
From:    "Keith Parkins" <keithpp@hotmail.com>
Subject: Direct Line Insurance

Direct Line Insurance were one of the first in what has become a
very lucrative telephone banking and insurance market in the UK.

A potential client, wishing to take out insurance was asked a
large number of detailed questions, right down to the type of
locks on the doors.

The client declined the insurance, then realized how dangerous
the information could be if it fell into the wrong hands.  She
called back the insurance company and asked that they remove
all her personal data from their files.  This they refused,
unless she made the request in writing.  

Direct Line is a pioneer in telephone insurance, all its
business is conducted by phone!

The client did then make her request in writing, but although
Direct Line agreed to remove the data she had supplied, they
refused to remove her name and address from their records.  This,
they claimed, was required for 'marketing purposes'.

Source: 'You and Yours' (consumer affairs programme), BBC Radio
4, Tues 1 July 1997.

Keith Parkins <keith@redkbs.com>

------------------------------

Date:    Fri, 18 Jul 1997 09:04:26 PDT
From:    "Keith Parkins" <keithpp@hotmail.com>
Subject: Smart Cards at Surrey University

Many people are used to carrying some form of ID card, often with
a magnetic strip that enables access to restricted areas.

Students are used to carrying a Student Card, it is used to gain
access to student bars, often can be used to gain discounts in
local stores.  In addition they may also carry a library card,
possibly other cards too.

At Surrey University, it has been decided to combine all these
cards into one - the Surrey University Campus Card.  It will
serve as a student card, library card, and enable access to
restricted areas.  The 'open access' computer suites, will now
only be open to those students carrying a Campus Card.

Overlooked is the fact that the same card will enable
computerised monitoring of people's behavior.  Already the
computer suite, and the entire campus is under video surveillance.

The Campus Card, in its present form, is only an interim step. 
This is due to be replaced with a smart card.

Possible uses of the smart card will include vending machines,
access control.  It is at present an open question as to what
information will be stored on the card, or whether students have
the option to opt out.

More information on the Surrey University Campus Card, can be
found in Broadcast #16 (University Computer Services
Newsletter), May 1997 - 'A Campus Card for Surrey', 'CAST -
Campus Based Applications for Smart Card Technology'.

        http://www.surrey.ac.uk/UCS

A National ID card is due to be introduced in the UK.  It is to be
'voluntary'.  My fear is that it is not voluntary, if those who
opt out, discover that they no longer have access to goods and
services.   The experiment at Surrey appears to be a foretaste of
what to expect, and needs very close monitoring.

Surrey University already has a bad record on privacy and data
protection.  Many students are concerned at the monitoring of
their e-mail.  One student I spoke with knows of at least two
occasions when his e-mail was intercepted and read.

        http://www.i-way.co.uk/~reality/sunrise/privacy.htm

Keith Parkins <keith@redkbs.com>

------------------------------

Date:    Sun, 20 Jul 97 10:14 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: "Privacy is not a right" according to CEI/NCC submission at FTC

Greetings.  In discussions regarding the myriad of privacy topics, a
frequent assumption is that there is, on a philosophical level at least, a
basic "right to privacy," (whether or not such a right exists in law in
any given case is another matter).  However, it's worth noting that
there are organizations who apparently would disagree with the
existence of such a right on any level when it comes to the collection
of consumer data.

The Competitive Enterprise Institute and the National Consumer Coalition
recently filed the following comments with the U.S. Federal Trade
Commission.  Though they are comparatively lengthy, I'm including them in
their entirety for the insight they provide into the (specifically stated)
"privacy is not a right, it is a preference" perspective.  I think you'll
find it interesting reading.

Comments both pro or con their views are of course welcome for the digest.

--Lauren--
Moderator, PRIVACY Forum
www.vortex.com

       -----------------------------------------------------------

July 14, 1997

Secretary
Federal Trade Commission
Room H-159
Sixth St. and Pennsylvania Avenue, NW
Washington, D.C. 20580

Consumer Privacy 1997
Additional Comments P954807

To the Secretary:

The Competitive Enterprise Institute and the National Consumer Coalition
hereby file additional comments on the Commission's June 10-13 hearings on
"Consumer Privacy Issues Posed by the Online Marketplace." CEI is a
non-profit, non-partisan free-market research and advocacy group.  The NCC
is a coalition of nine organizations dedicated to the proposition that
consumers are best served by a free market in goods and services.  We thank
the Commission for including us in the four Roundtable discussions during the
hearings, and appreciate the opportunity to elaborate upon some of the
issues raised during the course of the hearings.

What is Privacy? - Part II

In our opening comments, we wrote that when it comes to collection of
consumer data, "privacy is not a right, it is a preference."  The evidence
presented during the hearings regarding ways to "protect" privacy, as well
as the surveys showing consumer views, have convinced us that this remains
true.

The Harris/Westin survey was an interesting contribution to the discussion
of privacy on the Internet. We are not convinced, however, that everyone
interviewed understood "privacy" in the same way.  Privacy is an
abstraction, like "freedom" or "justice," so it is likely that the people
surveyed imposed their own concerns upon the term "privacy."  One point on
which the survey is clear is that people who are concerned about their
privacy have done something about it.  In this case, it is more illuminating
to look at what people do than at what they say.

Nevertheless, some have used this survey to support their arguments for
federal regulation and congressional privacy legislation.  Neither of these
would be appropriate responses to consumers' hesitance towards Internet
commerce.  It is the job of companies operating on the Internet to gain
consumer confidence, not the duty of the government. Indeed, the proper role
for the government is to guard against force, theft, and fraud.

Property Rights on the Internet

Professor Alan Westin said that web users "are worried that their e-mail
communications may be intercepted, their visits to web sites can be covertly
tracked, their participation in chat rooms and forums can be monitored
without their consent."  One possible solution was to give individuals a
"property right" in the information they have released onto the Internet.
From this follows a call for federal protection of this "property right" via
limits on the collection and sale of personal data.

The argument that people have a "property right" in their personal data is
ironic, as it comes from those who would have the government infringe upon
the property rights of both ISPs and companies on the Web.  We believe that
this upside-down conception of "property" will work against consumers'
interests in freedom of contract and association.

Traditionally, private property rights have been understood to be the means
by which we secure our privacy, as expressed in the old adage, "A man's home
is his castle." Our system of property rights enables us to enjoy privacy
(i.e. from government intrusion).  In recent years, however, the basis for
legal claims has become the idea of an inviolate personhood.  A "legal
right" to information about oneself on the Internet, as some have advocated,
is the next step.  From this comes the "right" to control information about
oneself after one has already released it.  This is a step in the wrong
direction.

If an individual has released information about himself in a contractual
agreement with certain limits on it, then he has a right to see that that
information is treated in a certain way.  For example, if a company web page
says that it will not collect information, and it does, then that is a broken
contract.  On the other hand, if a company says it will collect all kinds of
information, then privacy-sensitive individuals have been warned and should
avoid that site.  From the examples discussed at the hearing, it seems that
many companies are still getting used to the way the Internet works, and they
are only beginning to understand the utility of publishing privacy policies.
For example, the New York Times discovered during the course of the hearings
that it had no published privacy policies on its web site, a situation it
addressed immediately.  Time-Warner's Pathfinder site recently added
prominent links to its privacy policy as well.

Sometimes information has been released to anybody and everybody, via chat
rooms or other forums.  Since this information becomes part of the knowledge
of others, our "property right" to control this information is actually a
"right" to control the actions of other people who now have this
information.  This is an infringement upon our basic freedoms of association,
contract, and speech. There is nothing wrong with collecting information
freely placed in public, as much of this information is.  Nor is there
anything wrong with one party selling information to another party as long
as it was not under fraudulent circumstances.  If a person objects to this
information being sold, then it is up to the individual to make alternative
arrangements with which he is more comfortable.  In other words, protecting
your privacy is your responsibility. That is the value inherent in the
freedom to contract.

Bringing back the original conception of property rights, as well as freedom
of contract, is the best way of protecting an individual's privacy
preferences on the Internet. Rather than implementing a system of government
regulation of data collection practices, people should be able to choose
whether or not to contract with a company or otherwise.  Restricting the
downstream actions of others based upon a made-up right will undercut our
other valued freedoms.

On Self-Regulation

We laud the Federal Trade Commission for its cautious response toward calls
to regulate the Internet.  We are also pleased with the Clinton
Administration's stated intention to refrain from regulating most parts of
the Internet.  We agree in principle that data-gatherers ought to inform
consumers what kinds of data they are collecting and how that data will be
used.  If it really is true that consumers are highly concerned about this,
then companies scrambling to sell goods and services over the Internet will
accommodate them. (We also note that there are already strong incentives for
information brokers to ensure the accuracy of information they collect,
since there is no market for inaccurate information.)

What troubles us is the concept of "self-regulation."  Although the term
implies a lack of government regulation, many of these codes are being
developed in response to a threat of regulation. As the Clinton
Administration's recently released report on Internet commerce stated, "We
believe that private efforts of industry working in cooperation with
consumer groups are preferable to government regulation, but if effective
privacy protection cannot be provided in this way, we will reevaluate this
policy."  We believe that the Commission should not use "self-regulation" as
a way to steer the development of policies on the Internet without going
through the standard process for proposing regulations.  The Commission must
still defend whatever goals it proposes.

One component of this "self-regulation" was the Platform for Privacy
Preferences.  This template would allow consumers to fine-tune their
preferences and allow them to know what sort of policies a web site has.
This may be a fine idea, and we hope that if consumers find it acceptable,
it will be adopted by many organizations.

However, we do not believe that a single privacy standard is necessarily
desirable.  There are many real-world examples of competing standards
co-existing peacefully.  There are different monetary systems, there are
different systems of measurement (English and metric, Celsius and
Fahrenheit), there are different languages. The Commission should be wary of
backing a single standard for the Internet.

The threat of regulation is nearly as serious as actual regulation.  It may
well be that the solutions supported by the Commission and the
Administration are the best ones.  It also may be that there is an alternate
solution around the corner, one which we cannot predict now but one which
might be stifled because it does not match the goals supported by current
government officials.  This could have very serious ramifications for the
future development of the Internet.  After all, companies already entrenched
in a particular market that ask for regulation often do so in order to
constrain the actions of future competitors and to derive windfall benefits,
a practice known as "rent-seeking."  If regulation stymies the growth of the
Internet, we will have no way of knowing what we have given up as a result.

The idea that federal regulation of the Internet is somehow better than a
market solution to privacy questions is completely unfounded.  Indeed, the
evidence is that federal regulation in every other sector of American life
has had adverse and unforeseen consequences which end up hurting consumers.
There is no reason to believe that federal regulation of privacy practices
will be any better than the current situation, and it may well be worse.

Children and The Internet

The fear over children seeing sexually explicit materials online led to
hasty calls for Internet censorship in the Communications Decency Act. Yet
the Supreme Court recently struck down the law, ruling that the Federal
government should not be in the business of trying to protect children with
such a blunt - and patently unconstitutional - instrument.  Similarly, the
rhetoric surrounding the issue of children's privacy on the Internet has led
to hasty calls for regulation.  Indeed, the Administration has taken a
strong, even ominous position: "This problem warrants prompt attention.
Otherwise, government action may be required."

We believe that before the Commission begins to regulate in the name of
children, it should recognize from the start that today's children are
tomorrow's adults, and that these regulations may restrict their rights when
they are grown up.  The Commission should be wary of proposals which would
effectively treat adults like children.

The Center for Media Education's report on the privacy practices of some web
sites seemed to shock the Commission.  Yet we are not sure why the fact that
a toothpaste company which sends a solicited e-mail to a child in the name
of the Tooth Fairy - an e-mail which contains neither the name of the
product being sold nor the name of the company - is so disturbing, especially
since for many years people have been able to have letters from Santa Claus
sent to children. We are in fact puzzled as to why similar "information
collection practices" which have gone on for decades (e.g. children sending
box tops away for magic decoder rings) are suddenly sinister when performed
over the Internet.

We note that CME's primary objection is advertising itself, and "privacy" is
just a means to criticize it.  For example, one target of CME's outrage is
"animated product spokescharacters," e.g. Tony the Tiger, which "interact
with your children...fostering intimate relationships that compel your
children to buy specific products and services."  That these
"spokescharacters" also ask children for e-mail addresses appears to be a
slightly less urgent concern. CME's recommendations to the Commission
include restrictions on the use of these cartoons:  "Product and other
fictional figures should not be used to solicit personally identifiable
information from children."  Indeed, elsewhere CME states explicitly that
"there should be no direct interaction between children and product
spokescharacters" on web pages.  This is tantamount to a ban on selected
content simply because of its advertising nature.

This is not the proper forum for a discussion of the great value of
advertising to consumers, and why advertising is not, and never was, a
sinister seducer of consumers.  We will, however, say that children are far
more skeptical of advertising than CME gives them credit for.  No matter how
much advertising, or how little, there is, children will still want things
and their parents can still tell them, "No."  In short, it appears that this
issue has very little to do with privacy on the Internet, and far more to do
with CME's anti-advertising agenda.

Nonetheless, CME did introduce some interesting issues.  CME looked at the
existence and content of privacy practices on children's web sites, and
publicized them. There is nothing wrong with this; indeed, if children's
privacy is such a high concern for individuals, then companies will respond
(many of the web sites in question addressed the issue as soon as it was
brought to their attention).  As more and more people become comfortable
with the Internet, and become aware of its capabilities, we expect to see all
kinds of practices - from content, to advertising, to data collection -
become more refined in response to consumer demand.

CME also raised the question of how and when to obtain verifiable parental
consent to collect information from children. One suggestion was to have
parents mail in a signed form indicating that their child may use the web
page and may divulge certain information.  Not only would this curtail what
is an essentially benign practice - not even CME can explain what actual harm
might result from this collection - but anyone who has ever known a child to
forge his parent's signature to play hooky knows that this is not a good
solution.

It is an irony of the Internet that the technology which enables
data-gatherers to collect information on what people look at can easily be
thwarted by Anonymizers and other disguising technologies.  It still holds
true that sometimes on the Internet, as the famous New Yorker animal cartoon
showed, "nobody knows you're a dog."  Nobody has to know that you are or are
not a child, either.  Obviously, forcing children to identify themselves as
minors, especially in such a public area as the Internet, would be unwise.

Consequently, regulations aimed at "protecting children's privacy" are going
to hit adults as well.  For this reason, we urge the Commission to refrain
from drawing up regulations specifically targeted towards children. Nor
should the role of parents be underestimated or tossed aside in favor of
federal regulation.  Though the Harris/Westin survey showed a nearly
unanimous belief that children's privacy ought to be protected on the
Internet, the survey also said that not even a plurality of parents have
done much to protect it.  There are a plethora of technologies available to
enable parents to monitor and adjust what their children see, and more are
on the way.  We urge parents to keep in mind that just as they would think
twice before allowing a child to wander around New York City alone, they should
supervise their children on the Internet.

Conclusion

The Commission is under a great deal of pressure, from within the government
and without, to regulate at least some parts of the Internet. As more and
more people become Internet users, it is even more important for the
government to refrain from regulating.  The Commission should confine itself
to policing fraud and investigating any actual injury.


Julie DeFalco on behalf of the Competitive Enterprise Institute and for the
National Consumer Coalition Endnotes

------------------------------

End of PRIVACY Forum Digest 06.10
************************



Copyright © 2005 Vortex Technology. All Rights Reserved.