Comments on DoC Paper on Self-Regulation · Email · Banner Ads
See also coverage by Wired News.
When I telephoned my mother in Australia over the weekend and told her that I had been invited to Washington to address senior members of the Clinton Administration and hundreds of other very important people on the privacy implications of sending a piece of electronic mail, she wondered what on earth could have happened recently to bring so much high-powered attention to such a simple little thing.
``Well Mom,'' I said, ``there are lots of privacy risks with email that aren't obvious unless you've spent the past few years studying that kind of thing.''
``Like what, dear?'' asked my mother.
``OK, while we're talking on the phone now, you wouldn't expect that what we say might be listened to by some teenager in Finland, would you?''
``No, of course not. The phone line to Australia wouldn't run through Finland, and how could a teenager dig it up anyway?''
``That's the difference,'' I said. ``Email travels on an unpredictable route through computers on the Internet, which is a network of lots of different computer networks around the world. If any of those computers had been broken into by hackers, they could have been programmed to send copies of the email somewhere else.''
``But surely companies will fix that. It's a security problem. Couldn't they use some kind of secret code?''
``Actually, encryption's kind of a complicated subject in Washington right now. Let me give you a different example. You wouldn't expect that my local phone company could sell the fact that I called you to a chain of florists so they could send me a postcard reminding me that Mother's Day was coming up, would you?''
``Now that you mention it dear, you did forget this year. Maybe if they did that you would remember next year.''
``Sorry, Mom. I won't forget again. It's not just the florists that can buy that information. The phone company isn't allowed to tell anyone who you call. But the way American law stands now, the company you get to send your email can sell their knowledge of what you do online to telemarketers, for example.''
``Really? The telemarketers don't seem to call us in Australia.''
``Yes, I remember. Here's another example. If you throw away your old telephone, you wouldn't expect that someone who picks it out of the trash would be able to open it up and get a recording of a conversation you had on it years ago, would you?''
``Of course not. Are you trying to tell me that computers keep your email, even after they've been told to delete it?''
``Exactly. Remember Oliver North?''
``Of course. Is he going to be at your talk?''
``I don't think so, Mom. Lt. Colonel North already found out the hard way that he should have deleted the backup copies of his email too.''
``Then it sounds like the company that made the software he was using didn't do a very good job. Computers should come with privacy as standard equipment, not an optional extra. Are there any other privacy problems that they have? You know your father and I are thinking of getting email ourselves.''
So I told her about a dozen dangers to her privacy from email that most of you probably know already. I explained how her email address could be captured by junk emailers, and how often she would be spammed with pitches for hard-core pornography and get-rich-quick scams. I told her that even big software companies have been known to program their products to grab email addresses off people's computers and secretly include them along with online registration information. I warned her that her Internet provider might put her email address in a public directory unless she told them not to.
I told her that if she sends a personal message to one of her friends at work, someone else at that company might read the message, perfectly legally. I told her that anything she sent might be kept on computers for decades, and might be forwarded to people she wouldn't want to read it. I said that every message she sent would be timestamped and marked with the IP address where she connected to the Internet at that time - kind of like Caller-ID. She asked me if it was possible to stop that, so I explained about anonymous remailers and the problems they have.
I warned my mother that it was easy for people to forge email headers to pretend to come from her, and how she could verify digital signatures on email. I tried to explain public key cryptography, how certificate authorities worked, and how many different cryptosystems are based on the same mathematical ideas as the secret codes that she could use to stop people from reading her email.
I cautioned her never to run a program that was attached to an email sent by a stranger, because it might introduce a virus or erase all her files. I said that if she even looked at a Web page someone sent her in an email (possibly spam), the site could tell when she had read it, where she was connected at the time, and would even be told what kind of computer and software she was using and the name of the file where that email was kept on her computer.
And I said that a cookie might appear on her computer without her noticing.
My mother didn't believe this could happen until I explained that the word was a technical term for a customer number that a web site stores on her computer, and that any time she visited that web site in the future she would be identified by the number. This disturbed her because she thought that the Web was just like watching TV except that you sit closer to the screen. She had assumed that nobody was watching when she changed channels.
I explained how if she lets any young children use her computer, they might go to the Web site of a toothpaste company and be fooled into sending email to the ``tooth fairy,'' which was really a computerized marketing program that might use the messages for decades to target advertising at the child's family.
I told her if she got a free email account she would have to divulge to the company a lot of information about herself, and that there probably wasn't much she could do if this information was abused.
When we had finished this long catalog of privacy risks she said to me, ``Jason, cyberspace doesn't really sound like a very safe place.''
``It isn't,'' I agreed. ``And that's what I'll be saying to the folks in Washington.'' But I think they know that already. And I think they're concerned for their mothers. And for their children. And for their children's children.
``Well I hope they can fix all those things then, because your father and I aren't going to use email if our privacy isn't protected.''
My mother isn't the only person in the world to have said this. This year's Business Week survey showed that the number one reason people give for putting off using the Internet is not that it's too complicated or expensive, but that they fear for their privacy. Business people often ask questions like ``What are we going to do about all these people who are afraid to get online? What will make them buy from our Web sites?'' But there's more at stake here than just money; at issue is the fundamental human right of privacy, which President Clinton has called ``one of our most cherished freedoms.'' The question is not what we can do about those people and their fears, but what we can do for those people and their liberties. Or to adapt President Kennedy's inaugural address: Ask not what the consumer can be made to do for your company, but what your company should be made to do for the citizen. Ask not what the Internet will do for you, but what together we can do for the freedom of mankind.
See also coverage by Wired News.
Yesterday I appealed to online marketers' sense of altruism by talking about my mother. Today I'm going to appeal to their sense of self-interest by talking about their customers. Let's see which is more persuasive.
Picture, if you will, your ideal online consumer. Let's call her Sally. Professor Alan Westin's survey for Privacy & American Business tells us that she's 54% male, 18-39 years of age, and earns more than $50,000. To a marketer she's very attractive, at least demographically and psychographically. Of course, the marketer has never seen her face.
Sally is also very concerned about her privacy online. She's well educated, and is used to adopting new technology to protect her own interests. She's probably heard that her ISP or online service may be legally selling to marketers any level of detail about her behavior online. Sally has long felt ambivalent about direct marketing. She likes the convenience and variety, but she is suspicious of the industry's methods. She is constantly reminded of the consequences of privacy violations by spam and telemarketing calls. She gets a ton of direct mail. She is what marketers call ``over-stimulated.''
How has Sally's perception of banner ads changed over time? In 1995 they were a novelty, something to speculate about. In 1996 Sally typed "MCI" into a search engine and an ad for a competing long-distance company came back. This was interesting, possibly useful, but with a hint that someone was watching what she typed. In 1997 the ads became bigger and slower to download. They had become intrusive, with distracting animations, popups and the occasional pornographic ad that offended her. In 1998 Sally learned that there was a real privacy issue. Most banners she saw were not served by the site she was visiting, but by ad networks, which see each page that Sally views containing one of their ads. The network had her identified with a cookie, which might be tied to her offline identity. The ad has become an instrument of surveillance.
Sally is horrified. ``Stop the Internet,'' she says. ``I want to get off. But I can't get off. My life is already on the Internet. It would be harder than giving up TV,'' she thinks. ``Ah, where's my remote control for the Web? Where is the mute button for this surveillance?''
Sally quickly discovers that there are now available as retail software and freeware a huge range of technologies which can block cookies, other disclosures of identities, and even filter out banner ads. Here is the remote she seeks. But it's more powerful than with TV, in that once she installs one, she'll hardly ever see another ad.
Now let's switch the point of view to the online advertiser. The industry has grown in less than four years from nothing to a billion dollars this year, and probably several billion next year. Better targeting has produced far higher revenue per ad. Technologies for anonymizing, blocking and filtering threaten the explosive growth that everyone is expecting. All the IPO filings of the ad networks disclose this threat to their business model. Downstream, content providers who depend on ad revenue to support the development and maintenance of their sites find their investment decisions clouded by even further uncertainty. The world faces an enormous loss of opportunity here: the richness and diversity of the Web as a medium of expression may be diminished.
What I find particularly tragic is that this is so unnecessary. I know as a computer scientist that it's technically feasible to design methods to efficiently serve ads without invading privacy. The $64 billion question is whether this can be done in time, and whether guarantees can be put in place to assure people online that their privacy will be protected. Lawmakers are acting slowly (though this could change overnight, as the example of Judge Bork and the Video Privacy Protection Act of 1988 showed), so right now the fastest-moving force is consumer self-protection, not industry self-regulation or real regulation. It's Sally.
So here's my plea to online marketers, particularly ad networks: Deliver real privacy protection fast. Because if you don't, Sally and her friends are going to push the button on your fledgling billion-dollar industry, and you'll never see or hear from them again.
The answers given below are in response to the questions asked in a Federal Register Notice by the Department of Commerce. The questions concern their discussion paper Elements of Effective Self-Regulation for Protection of Privacy.
``Privacy of consumer information is important to Abacus' business. Indeed, maintaining this privacy is one of Abacus' most significant responsibilities. In connection with meeting this responsibility, Abacus is an active member of the Direct Marketing Association and participates in and promotes projects regarding consumer privacy. We also encourage our Members to honor requests that they "do not mail" to consumers who specify that they do not want to receive mailings. Abacus also educates its Members and employees regarding issues and laws regarding individual privacy rights.''
Like many privacy policies, this one sounds wonderful provided it is read inattentively and without background knowledge. A closer search of the policy shows that it omits the crucial information of how consumers opt out of Abacus' database. It fails to disclose the fact that Abacus ignores or refuses to process written opt-out requests mailed by consumers directly to Abacus Direct. Abacus merely processes the DMA's Mail Preference Service, which obliges consumers to deal with a third party and to re-register every five years (a challenge to most people's calendars or to-do lists). A casual reader might take Abacus' statement that they "encourage our Members to honor requests" to mean "does not require Members to honor requests," but might presume this indicates that Abacus Direct would themselves honor a direct request. Directness in the Direct Marketing industry is all too often a one-way street. Our experience of working with Abacus for well over a year (entailing several letters, a dozen emails, and attempts by the DMA to mediate) has demonstrated their steadfast refusal to allow simple first-party opt out requests by mail. [Addendum: on September 15, 1998, Abacus Direct informed us that they will accept such requests.]
Links to over fifty privacy policies are listed in http://www.junkbusters.com/links.html#policy on the Web. Many of these are just as vacuous as the paragraph quoted above, in the sense that there is little or nothing that they stop the company doing. A vacuous privacy policy is like a pseudo-scientific theory that cannot be falsified by any empirical evidence. Vague statements such as ``we strive to consider our valued customers' preferences'' reassure only the gullible. Of course most privacy policies are the product of PR people and lawyers, so they are made to sound nice while exposing the company to absolutely no risk no matter how badly it behaves.
It is difficult to display an absent privacy policy, but the FTC has demonstrated that many organizations (presumably including most of the bad actors) post no privacy policy. The deficiency with a missing policy is that it does not restrict the organization in any way.
It is fair to impose costs due to regulation on all companies; indeed, it is more fair than expecting good actors to volunteer for expenses that will not be borne by their less altruistic or less farsighted competitors. All automobiles sold in the US must meet basic safety standards; it would be preposterous to expect manufacturers to voluntarily choose their own minimum requirements and to rely on consumers' preference for safe cars. Advocates of self-regulation are asking the Administration to believe an equally preposterous premise, that companies should choose minimum privacy standards, and (even more implausible) that they should be the ones to ensure these standards are maintained. This makes as much sense as putting the Fortune 500 companies in charge of setting taxation policy for the IRS, and of running its compliance division.
The whole idea of self-regulation never made much sense; it presupposes that the great majority of firms are motivated to join a trade association, and that this trade association's staff members are motivated to overcome their inherent conflict of interest by penalizing their own employers by enforcing codes of conduct when privacy violations occur. This scenario was already implausible in the old economy with its dominance by large, stable firms. It is even less plausible in the new digital economy, where new technology permits small firms to create impressive Web storefronts for no capital and companies come and go at the flick of a switch. Even the term "fly-by-night company", which epitomizes our notions of fraudulent trading, is a vestige of the old economy, with its presupposition that large, static firms are the norm and that small, flexible, rapidly changing companies are suspect. It follows that... self-regulation is an anachronism in the new economy.
For examples of risks to online privacy, see the text of addresses by Junkbusters' President on email and online advertising at the DoC meeting.
Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/commerce.html