Notes from the FTC Public Workshop on Consumer Information Privacy

Session II: Consumer Online Privacy

June 11-12, 1997

Lorrie Cranor

These notes provide an overview of the presentations and discussions at the Consumer Online Privacy sessions of the 1997 FTC privacy workshop.  For a complete list of speakers and comments submitted for the record, see the FTC's Web site (

Panel IA: Representative National Survey

Humphrey Taylor and Alan Westin presented and discussed the results of a Harris survey on online privacy.  The survey results will be published in a 175 page report, available from ISA and P&AB.  While the results indicate great concern about online privacy, the concern seems to be driven more by perceptions than by actual privacy violations.  Children are an intensifier issue.  Women seem to be more concerned than men.  Voluntary policies seem to be preferred to government regulation, but (in a different question) 58% of respondents said they wanted Internet privacy regulation.  People more familiar with the medium are less likely to think government needs to regulate.  Results suggest that people may be retreating from participation in electronic commerce due to privacy concerns.

Panel IB: Surveys based upon random samples of online users and surveys of self-selected online users

Several people who had conducted related surveys commented on the Harris survey results.  Most said the results were reasonably consistent with their own results.  There was some criticism of the position of the government regulation question in the survey and suggestions that the 58% result may be skewed due to the nature of the questions asked before it.  Similar results were reported from global surveys, although it was noted that there seemed be a heightened sensitivity about privacy in Asia.  It was also noted that some surveys suggest that 30-40% of people who fill out forms online falsify personal information.

Panel II: Self-regulatory Approaches to Online Privacy Issues (a review of current efforts and the status of industry proposals submitted at the June 1996 Workshop.)

Joseph L. Dionne, Chairman and CEO of the McGraw-Hill Companies talked about his company's privacy policy (, which includes provisions for notice, choice, and data security.  The policy also labels certain types of data as "sensitive" and prohibits it from being disclosed to third parties.

H. Robert Wientzen, President of The Direct Marketing Association talked about the DMA's Privacy Action Now campaign ( and online marketing guidelines. He said companies that misrepresent their privacy policies could be subject to deceptive practices charges.

Esther Dyson described the TRUSTe ( -- formerly eTRUST -- system in which Websites can apply for Trustmarks -- trademarked visual icons they can put on their Web pages that describe their information practices to visitors.  She said sites that abuse Trustmarks may be charged with fraud, contract violation, or trademark infringement.  The Commissioners expressed concerns that data might be automatically collected from the consumer on the page where the Trustmark appears, before the consumer had the opportunity to examine it and decide whether to interact with that site.  They were also concerned that consumers don't always start at the front page of a site, and therefore may not see the Trustmark.

Several representatives from other industry associations talked about privacy guidelines their respective associations had drafted or were in the process of drafting.  There wasn't too much new or interesting there.  The commissioners indictated that some of these efforts were moving along too slowly, and were particularly critical of the Promotion Marketing Association of America, which had not yet decided if it was going to issue guidelines of its own or defer to another association's guidelines.

Peter Harter of Netscape discussed the cookie functions in various Netscape browsers.  This provoked some discussion (with much confusion) about cookies and Netscape's position on the new proposed cookies standard.

Roundtable I: Perspectives on Self-Regulation

A representative of the NTIA announced they were releasing their report "Privacy and Self-Regulation in the Information Age" (

Russ Smith complained that complaints sent to industry associations when their members don't comply with their guidelines rarely receive a response.

Janlori Goldman asserted that self-regulation is a critical part of the process but that those who don't have "a good name to lose" don't care about self-regulation guidelines.  She also praised self-regulation as a tool to find out what works before writing legislation.

Commissioner Varney noted that the FTC can go after companies that have unfair or deceptive practices.  Shirley Sarna, New York Assistant Attorney General, noted that the NY State AG has deception jurisdiction but not unfair practices jurisdiction and they can't bring a case based on failure to disclose information practices.

Jerry Berman of the CDT said he had no problem ultimately writing a standard into law once there is a consensus of what that standard should be (there is no consensus at present).  Legislation now, he said would put the "good guys" in a defensive mode.

Mary Culnan of the President's Commission on Critical Infrastructure Protection said that when companies disclose their information practices, most privacy concerns evaporate.  She warned against regulating too soon.

Esther Dyson suggested we need a Direct Marketed Association to help consumers fight back against bad marketers.

Michael Nelson of the FCC cited the three Ps: privacy, piracy, and pornography, and suggested that lessons could be learned from the public policy debates and legislation in the piracy and pornography areas.  In particular, he recommended involving technologists more in addressing privacy concerns.

Evan Hendricks, Editor/Publisher of Privacy Times recommended moving forward with legislation immediately.

Panel III: Information Practices on the World Wide Web

Several representatives from Internet advertising agencies and related companies described their companies' practices.  Yale Brown of Intelligent Interactions Corp. said his company helps clients collect Web site visitors' names and addresses and overlay that information with information in other databases.  This is used to provide customized ads to visitors who repeatedly visit the same site. Information on visitors is not shared between sites.  Chris Evans of Accipiter, Inc. uses numbered IDs stored in cookies to show individuals different ads every time they visit a site.  He said tracking an individual over the Web becomes unwieldy due to the quantity of data involved (others suggested later that processing this quantity of data would not remain infeasible for long).  Tara Lemmey of Narrowline said her company doesn't use cookies at all, offers complete anonymity, and discloses their privacy policy.  She also warned about cookies delivered by advertisers in clear gifs.

Panel IV: Technologies as a Tool for Addressing Online Privacy (A review of available technology and current development efforts.)

Deirdre Mulligan of CDT introduced the Platform for Privacy Preferences (, a user empowerment approach to enable Web sites to communicate their information practices and individuals to communicate their privacy preferences.  Tim Berners-Lee of W3C talked about W3C's efforts to develop P3 and narrated a demo of a P3 prototype.

Marc Rotenberg of EPIC presented a study of the top 100 Web sites (  While 49 collected personally-identifiable info, only 17 had privacy statements.  Few allowed individuals access to their own information.

Saul Klein of Firefly and Peter Harter of Netscape discussed the Open Profiling Standard ( proposal, now endorsed by both Netscape and Microsoft and submitted to W3C.  It is basically a standard for exchanging demographic information, but includes some provisions for access controls to protect individual privacy.  It's now up to W3C to decide what to do with it.  Klein showed a demo of how OPS would work with Firefly's "passport."  Commissioner Varney followed up with a series of questions for Klein, most of which he avoided answering.  Most of her questions were in reference to the "enormous" amount of personal information passport allows Firefly to compile.

Roundtable II: Perspectives on Technological Approaches

The commissioners noted that the speakers from the previous session would not be given an opportunity to respond to the roundtable discussants in person, but that the record will be open until July 14 if they (or anyone else) wish to submit responses in writing.

Jeffrey Fox of Consumers Union said he was concerned about an unequal power relationship between consumers and Web sites in P3. He was worried that the P3 "negotiation" would be unfair to consumers [this is not actually the case].  He was also concerned that people will have to negotiate away their privacy rights in order to gain access to Web sites.

Jean Fox of the Consumer Federation of America said it was important to have policies that apply to everyone, not just "the top of the market" companies that voluntarily adopt privacy guidelines.  She also said it was "counter-intuitive" to protect privacy by giving up more information [probably in reference to OPS].

Marc Rotenberg said that the technology presented involved mostly privacy "extracting" techniques.

Evan Hendricks of Privacy Times raised questions about what happens if a company that collects a lot of personal information but has responsible policies is bought out by a less responsible company.

Janlori Goldman said privacy should be treated as a basic right and that "it shouldn't be about trading your privacy for a benefit."

Mary Culnan expressed enthusiasm for the technological solutions but said they looked difficult to use.  She also said that she would be pleased if at a minimum everyone would simply disclose their information practices with unambiguous language (not "we may share information occasionally with carefully selected firms").  She said it was too soon for regulation.

Mike Nelson of the FCC suggested that the government's role should be to back-up industry-led efforts.

Panel V: Unsolicited Commercial E-mail: Overview

Jason Catlett of Junkbusters ( gave an overview of the "spam" problem.  He said small time spammers would be a minor problem, except that there are a lot of them.  He described the practice known as "harvesting" (collecting email addresses to spam, generally from online service directories, Usenet posts, or Web sites) and said he preferred to call it "scavenging."  He estimated that it costs $1 to send out 10,000 pieces of spam.  He asserted that spam with incorrect instructions for getting removed from a mailing list is fairly common and that it is fraud.

Sanford Wallace of Cyberpromotions ( said his company harvests email addresses, but only from "public databases" [like Usenet and Web sites ... they're public, but...]. He said his company uses the global removal list compiled by the Internet EMail Marketing Council ( to remove people from their lists who don't want spam.  There was also some general discussion about IEMMC, a "trade association dedicated to promoting the responsible and ethical use of direct EMail as a marketing tool on the Internet."

Jill Lesser of America OnLine said that harvesting is against AOL's terms of service.  She said AOL's system is not a public database. There were some questions about how AOL catches violators.  It was not clear that AOL can do anything until it's too late (they close accounts of violators, but at this point the violators have already harvested thousands of addresses).  Lesser also said AOL gets approximately 15,000,000 incoming emails each day from the Internet, 5 to 30% of which are unsolicited commercial email (generally closer to 30%).  She said UCE sometimes causes several hours of delay for incoming messages.  She said spam is fraud and that "there are no incentives to stop."  UCE is the most common complaint from AOL customers.

George Nemeyer of the Internet Services Providers Consortium said that spam has the greatest impact on small Internet service providers.  He said that remove requests that are sent to invalid addresses can bog down ISPs' systems.

Simona Nass of Panix said her company has been making technical solutions available to their members.  The technical solutions are somewhat successful, but don't completely solve the problem because they can only filter out things they can predict.

Al Mouyal, another direct email marketer said that only the "less-reputable companies" are willing to use direct email marketing services.  H. Robert Wientzen, CEO of the DMA, agreed, "Most legitimate marketers are afraid to be associated with it."  He said less than 10% of DMA members send commercial email, and 85% of those that do only use it in a "targeted way," mostly to existing customers. "Spam has left a very bad taste in the mouths of legitimate marketers," he said.  He suggested that the "community of spammers" join with the DMA to self-regulate.

Panel VII: Unsolicited Commercial Email Responses

Simona Nass said that spam solutions that involve retaliation can put a burden on ISPs, especially when the spam comes with forged headers.

AOL now rejects all email that comes from non-existent domains. However, now spammers are using valid domain names and bogus account info to get around this.

There was discussion of several global opt-out lists currently in existence or under development.  The email marketers present said they would be happy to use such lists.  However, there was some skepticism that the majority of email marketers would use them.  There were questions raised about what to do about the email "black market."

Rosalind Resnick of NetCreations described the opt-in email service she runs ( and claimed that opt-in works sufficiently well that there is no need for opt-out.  But Wientzen said opt-in is not as good as opt-out because it hinders the ability to market new products.

In response to proposed anti-spam legislation, Deirdre Mulligan said that banning speech is a bad idea and that there are questions about the feasibility of enforcing mandatory labels on speech.  She said email is not fax, phone, or the post office and solutions for those media don't apply well to email.

Commissioner Varney challenged those on the panel to commit to working together to come up with viable solutions.  She also said that the FTC will go after fraud but needs some technical assistance.