These notes provide an overview of the presentations and discussions at the Consumer Online Privacy sessions of the 1997 FTC privacy workshop. For a complete list of speakers and comments submitted for the record, see the FTC's Web site (http://www.ftc.gov/bcp/privacy2/index.html).
Panel II: Self-regulatory Approaches to Online Privacy Issues (a review of current efforts and the status of industry proposals submitted at the June 1996 Workshop.)
H. Robert Wientzen, President of The Direct Marketing Association, talked about the DMA's Privacy Action Now campaign (http://www.the-dma.org/pan/pan.html) and online marketing guidelines. He said companies that misrepresent their privacy policies could be subject to deceptive practices charges.
Esther Dyson described the TRUSTe (http://www.truste.org) -- formerly eTRUST -- system in which Websites can apply for Trustmarks -- trademarked visual icons they can put on their Web pages that describe their information practices to visitors. She said sites that abuse Trustmarks may be charged with fraud, contract violation, or trademark infringement. The Commissioners expressed concerns that data might be automatically collected from the consumer on the page where the Trustmark appears, before the consumer had the opportunity to examine it and decide whether to interact with that site. They were also concerned that consumers don't always start at the front page of a site, and therefore may not see the Trustmark.
Several representatives from other industry associations talked about privacy guidelines their respective associations had drafted or were in the process of drafting. There wasn't too much new or interesting there. The commissioners indicated that some of these efforts were moving along too slowly, and were particularly critical of the Promotion Marketing Association of America, which had not yet decided if it was going to issue guidelines of its own or defer to another association's guidelines.
Peter Harter of Netscape discussed the cookie functions in various Netscape browsers. This provoked some discussion (with much confusion) about cookies and Netscape's position on the new proposed cookies standard.
Russ Smith complained that complaints sent to industry associations when their members don't comply with their guidelines rarely receive a response.
Janlori Goldman asserted that self-regulation is a critical part of the process but that those who don't have "a good name to lose" don't care about self-regulation guidelines. She also praised self-regulation as a tool to find out what works before writing legislation.
Commissioner Varney noted that the FTC can go after companies that have unfair or deceptive practices. Shirley Sarna, New York Assistant Attorney General, noted that the NY State AG has deception jurisdiction but not unfair practices jurisdiction and they can't bring a case based on failure to disclose information practices.
Jerry Berman of the CDT said he had no problem ultimately writing a standard into law once there is a consensus on what that standard should be (there is no consensus at present). Legislation now, he said, would put the "good guys" in a defensive mode.
Mary Culnan of the President's Commission on Critical Infrastructure Protection said that when companies disclose their information practices, most privacy concerns evaporate. She warned against regulating too soon.
Esther Dyson suggested we need a Direct Marketed Association to help consumers fight back against bad marketers.
Michael Nelson of the FCC cited the three Ps: privacy, piracy, and pornography, and suggested that lessons could be learned from the public policy debates and legislation in the piracy and pornography areas. In particular, he recommended involving technologists more in addressing privacy concerns.
Evan Hendricks, Editor/Publisher of Privacy Times, recommended moving forward with legislation immediately.
Marc Rotenberg of EPIC presented a study of the top 100 Web sites (http://www.epic.org/reports/surfer-beware.html). While 49 collected personally-identifiable info, only 17 had privacy statements. Few allowed individuals access to their own information.
Saul Klein of Firefly and Peter Harter of Netscape discussed the Open Profiling Standard (http://www.w3.org/Submission/1997/6/Overview.html) proposal, now endorsed by both Netscape and Microsoft and submitted to W3C. It is basically a standard for exchanging demographic information, but includes some provisions for access controls to protect individual privacy. It's now up to W3C to decide what to do with it. Klein showed a demo of how OPS would work with Firefly's "passport." Commissioner Varney followed up with a series of questions for Klein, most of which he avoided answering. Most of her questions were in reference to the "enormous" amount of personal information passport allows Firefly to compile.
Jeffrey Fox of Consumers Union said he was concerned about an unequal power relationship between consumers and Web sites in P3. He was worried that the P3 "negotiation" would be unfair to consumers [this is not actually the case]. He was also concerned that people will have to negotiate away their privacy rights in order to gain access to Web sites.
Jean Fox of the Consumer Federation of America said it was important to have policies that apply to everyone, not just "the top of the market" companies that voluntarily adopt privacy guidelines. She also said it was "counter-intuitive" to protect privacy by giving up more information [probably in reference to OPS].
Marc Rotenberg said that the technology presented involved mostly privacy "extracting" techniques.
Evan Hendricks of Privacy Times raised questions about what happens if a company that collects a lot of personal information but has responsible policies is bought out by a less responsible company.
Janlori Goldman said privacy should be treated as a basic right and that "it shouldn't be about trading your privacy for a benefit."
Mary Culnan expressed enthusiasm for the technological solutions but said they looked difficult to use. She also said that she would be pleased if at a minimum everyone would simply disclose their information practices with unambiguous language (not "we may share information occasionally with carefully selected firms"). She said it was too soon for regulation.
Mike Nelson of the FCC suggested that the government's role should be to back up industry-led efforts.
Sanford Wallace of Cyberpromotions (www.cyberpromo.com) said his company harvests email addresses, but only from "public databases" [like Usenet and Web sites ... they're public, but...]. He said his company uses the global removal list compiled by the Internet EMail Marketing Council (http://www.iemmc.org/) to remove people from their lists who don't want spam. There was also some general discussion about IEMMC, a "trade association dedicated to promoting the responsible and ethical use of direct EMail as a marketing tool on the Internet."
Jill Lesser of America OnLine said that harvesting is against AOL's terms of service. She said AOL's system is not a public database. There were some questions about how AOL catches violators. It was not clear that AOL can do anything until it's too late (they close accounts of violators, but at this point the violators have already harvested thousands of addresses). Lesser also said AOL gets approximately 15,000,000 incoming emails each day from the Internet, 5 to 30% of which are unsolicited commercial email (generally closer to 30%). She said UCE sometimes causes several hours of delay for incoming messages. She said spam is fraud and that "there are no incentives to stop." UCE is the most common complaint from AOL customers.
George Nemeyer of the Internet Services Providers Consortium said that spam has the greatest impact on small Internet service providers. He said that remove requests that are sent to invalid addresses can bog down ISPs' systems.
Simona Nass of Panix said her company has been making technical solutions available to their members. The technical solutions are somewhat successful, but don't completely solve the problem because they can only filter out things they can predict.
Al Mouyal, another direct email marketer, said that only the "less-reputable companies" are willing to use direct email marketing services. H. Robert Wientzen, CEO of the DMA, agreed, "Most legitimate marketers are afraid to be associated with it." He said less than 10% of DMA members send commercial email, and 85% of those that do only use it in a "targeted way," mostly to existing customers. "Spam has left a very bad taste in the mouths of legitimate marketers," he said. He suggested that the "community of spammers" join with the DMA to self-regulate.
AOL now rejects all email that comes from non-existent domains. However, now spammers are using valid domain names and bogus account info to get around this.
There was discussion of several global opt-out lists currently in existence or under development. The email marketers present said they would be happy to use such lists. However, there was some skepticism that the majority of email marketers would use them. There were questions raised about what to do about the email "black market."
Rosalind Resnick of NetCreations described the opt-in email service she runs (http://www.postmasterdirect.com/) and claimed that opt-in works sufficiently well that there is no need for opt-out. But Wientzen said opt-in is not as good as opt-out because it hinders the ability to market new products.
In response to proposed anti-spam legislation, Deirdre Mulligan said that banning speech is a bad idea and that there are questions about the feasibility of enforcing mandatory labels on speech. She said email is not fax, phone, or the post office and solutions for those media don't apply well to email.
Commissioner Varney challenged those on the panel to commit to working together to come up with viable solutions. She also said that the FTC will go after fraud but needs some technical assistance.