What's News at JUNKBUSTERS



News and Opinion on Marketing and Privacy


This page is updated frequently, for the benefit of both reporters and consumers who want to keep posted on current events affecting their privacy. Generally the latest stories are at the top, and the oldest at the bottom.

Privacy groups oppose DoubleClick acquisition

EPIC, CDD, and US PIRG filed a complaint with the Federal Trade Commission (FTC), urging the Commission to open an investigation into the proposed acquisition of DoubleClick by Google. (4/20)

AOL apologises for releasing search log data on subscribers

AOL apologized for releasing search log data that might link individual subscribers to their web searches. (2006/8/7) [News.com] [Reuters] Some employees later left the company. It has a long history of privacy blunders.

FTC fines against evaders of telemarketing rules

The FTC charged two telemarketing companies over attempts to use rules about corporate affiliates to evade the national Do-Not-Call registry. (2006/6/15) [FTC release] [DM News] Junkbusters founder Jason Catlett applauded the action.

iTunes update criticized as spyware

An update of Apple's iTunes software has been criticized for transmitting information about the user's songs and a unique iTunes account ID to Apple without the user's knowledge or consent. (2006/1/11) [MacWorld] [Slashdot] [Real Tech News] Apple responded by saying that the company "does not save or store any information used to create recommendations for the MiniStore." [CNET] [PC Pro]

Spyware prosecuted

The FBI brought various charges against a man it said covertly installed pop-up-generating adware on some 400,000 PCs, Wired News reported. (2005/11/3)

In 2004 the Federal Trade Commission filed suit against a software company that it claims unfairly deluged users' computers with ads. (2004/10/14) [Times Argus]

Book on RFID published

The publication of Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID by Katherine Albrecht and Liz McIntyre has been met with widely differing reactions. [EPIC Alert] [CNET] [Boston Globe] [RFID Journal] [Wired]

Court rules against cellphone spam

An Arizona court ruled that the Telephone Consumer Protection Act prohibits unsolicited calls and e-mail text messages to cell phones. (2005/9/21) [Wired News] [DM News] [PC Mag] [AP]

Other later laws also ban unsolicited commercial text messages to cell phones. [Wired on SMS spam] [CNET on Joffe cell text spam]

Congress makes junk faxes easier

Congress passed a law that will make it easier for businesses to send junk faxes, by introducing an exemption based on an existing business relationship. (2005/7/1) [Inc.]

Rep. Fred Upton (R-Mich.) introduced the bill in 2004, titled the Junk Fax Prevention Act. Junkbusters founder Jason Catlett said the name is misleading, and that ``the exemption it creates from the general ban on faxes is way too broad.'' No consumer advocates were invited as witnesses to the House hearing. (2004/7/20) [KR] [JWR] [Wired] [Consumer Watchdog]

Identity thieves buy wholesale from ChoicePoint

Criminals bought personal dossiers on thousands of people from ChoicePoint Inc., according to MSNBC. (2005/2/14) [NPR 1] [NPR 2] [Washington Post] This is not ChoicePoint's first public instance of mishandling data. According to ChoicePoint CEO Derek V. Smith, "ChoicePoint's core competency is verifying and authenticating individuals and their credentials." The company appears not to have accurately verified and authenticated the criminal individuals who opened accounts with it using fake documentation. The company subsequently agreed to pay penalties of $15M. [FTC release] (2006/1)

Do-not-mail registry proposed for New York

A bill was reintroduced in the New York Assembly that would establish a statewide Do-Not-Mail registry. (2005/1) [DM News] Junkbusters has long campaigned for a national Do-Not-Mail registry.

Earlier, several privacy groups wrote to Congress urging improvements in postal privacy. (2004/1/19)

Shopper's card leads to arrest

A Washington state firefighter, Philip Scott Lyons, was arrested based on purchases made with a supermarket loyalty card. After several months he was found innocent. The story is told in detail at the site of Richard M. Smith. Smith concludes that the ``moral of this story is that even the most innocent database can be used against a person in a criminal investigation turning their lives completely upside down.'' (2004/2)

Junkbusters and Guidescope combine

From 2005, this web site, junkbusters.com, will be maintained by Junkbusters' sister company Guidescope Inc. Junkbusters' founder Jason Catlett is an Executive Vice President of Guidescope. (2005/1/1)

Telemarketers lose appeal in Supreme Court

The Supreme Court rejected an appeal by the American Teleservices Association (ATA) on the constitutionality of the National Do-Not-Call registry. (2004/10/4) [Washington Post]

The appeal was filed in May 2004. (2004/5/18) [DM News] Junkbusters founder Jason Catlett predicted that the court would dismiss the telemarketers' claim that the Registry violates the First Amendment. ``The appeal shows a combination of desperation and wishful thinking usually only seen in the terminally ill,'' Catlett said.

The Direct Marketing Association earlier said it would abandon its legal action against the national Do Not Call Registry. (2004/3/3) [AP] [Reuters] [AdAge] Junkbusters founder Jason Catlett was surprised by the DMA's decision. ``It's like seeing Wile Coyote give up trying to catch the road runner. The DMA's lawyers must have lapsed into a moment of candor and told them that they would lose in the Supreme Court, and that any first amendment claims for other cases in the future would look even more preposterous.''

Separately, the FTC took its first enforcement action using the DNC regulations (and other laws) against National Consumer Council, a debt-consolidation agency posing as a nonprofit group. (2004/5/5) [FTC Announcement] [DM News]

Two polls indicate that the DNC Registry is working well. A Harris poll found that more than half of all U.S. adults say they have signed up and they now receive far fewer telemarketing calls or none at all. [WSJ] [Harris] A different survey by the Associated Press and Ipsos Public Affairs found that 45 percent of those surveyed have signed up for the registry, and of these, 74 percent say they've gotten fewer marketing calls as a result. [Boston Globe] (2004/2/21) The lower figure for signups in the latter survey may be due to the fact that it was conducted by telephone, and non-responders seem more likely to have signed up to avoid telemarketing calls.

A federal appeals court upheld the national Do-Not-Call list. [NY Times] [Court's opinion] [Reuters] [Washington Post] [FTC Statement] [AP] (2004/2/17) This overrides an Oklahoma City court ruling that the FTC exceeded its authority in creating its do-not-call list. (2003/9/25) [DM News] [IHT] [CNN] [USA Today] Despite the approval of Congress in February for funding the list, the judge ruled that this did not grant the FTC authority to create the list, but said that Congress could pass legislation granting the FTC the necessary authority (which they did in near-record time). The FTC's chairman said that ``This decision is clearly incorrect. We will seek every recourse to give American consumers a choice to stop unwanted telemarketing calls.'' The FTC filed a motion for a stay pending an appeal. The following day the House voted 412-8 to approve the registry, the Senate approved it with no dissenters, and the president was expected to sign the bill Monday. (2003/9/26) [AP]

Telemarketers had filed two separate suits against the FTC to try to stop restrictions on their calls. (2003/1/29) [Reuters] The court that found the FTC exceeded its authority was the Western District of Oklahoma (Docket 03-122) petitioned by the Direct Marketing Association and four telemarketing companies: Global Contact Services, InfoCision, [NY AG on InfoCision] U.S. Security, Inc., [KY AG on USS] and Chartered Benefit Services. The court in Colorado that ruled the registry unconstitutional was petitioned by the American Teleservices Association (Docket 03-184), Mainstream Marketing Services Inc., and TMG Marketing.

The telemarketers chose courts that have often been sympathetic to business interests. Junkbusters founder Jason Catlett commented: ``Telemarketing is an idea whose time has gone. This line of business should just die quietly. Their ridiculously inflated figures claiming that the average American gives a thousand dollars a year to telemarketers just don't pass the smell test. Their First Amendment claims have been repeatedly rejected by courts in other analogous cases such as junk faxes. The suits are simply a desperate delaying of the overdue.''

The FTC says consumers filed approximately 1500,000 complaints in 2003 against telemarketers who continue to call them after the Do-Not-Call registry came into effect. Over 55 million numbers have been registered. (2004/2/13) The agency also issued a new information sheet on DNC topics such as how to file a complaint.

Separately, the FTC announced a suit against a company that bombarded consumers with pop-up ads, mostly offering to sell a product that stops the ads. (2003/11/7) [AP]

The FTC's Do-Not-Call registry is in effect, at least for now, following the 10th U.S. Circuit Court of Appeals blocking U.S. District Judge Edward Nottingham's order barring the FTC from enforcing the law. (2003/10/7) [Reuters] [SJ Merc] [CNN] [WSJ] The judges concluded that "there is a substantial likelihood that the FTC will be able to show ... that the list directly advances the government's substantial interest and is narrowly tailored."

Various courts produced discordant opinions on the registry. (2003/9/26) Companies that fall under FCC rules such as banks and telcos were required to respect the list when it came into effect October 1st, but the FTC had said that others falling under its jurisdiction could call numbers on the list. [Reuters] [AP] [USAToday] A U.S. Appeals Court in Denver refused on Friday to block the registry, Reuters reported. For details and history see EPIC's DNC Timeline.

A Denver court found the registry unconstitutional. (2003/9/26) [Reuters] [Washington Post] [WSJ] Junkbusters founder Jason Catlett commented at the time: ``This decision will take longer to correct, but it'll get done eventually. Lower courts have occasionally sided with marketers' free speech arguments, but correctly crafted restrictions prevail. The telemarketers' litigation confirms their public reputation as a pack of sleazy hustlers.'' Catlett told Reuters the telemarketers ``won't take 50 million `no's for an answer.'' (2003/9/26)

Junkbusters released an open letter to members of Congress suggesting a national Do-Not-Mail registry, analogous with the Do-Not-Call registry. (2003/9/26) State lawmakers in New York and Massachusetts introduced legislation this year to establish state do-not-mail registries, DM News reported. (2003/11/10) Several trade associations have been lobbying against such a registry, including the Association for Postal Commerce and Envelope Manufacturers Association.

The national Do-Not-Call registry began operations in July 2003, and the first registrations became effective October 1st. (2003/6/27) [Reuters2] [WSJ] [AP] [Slashdot discussion] [Reuters] [DM News] In the first few days more than 20 million telephone numbers had been added to the registry. In addition, 14 million numbers will be automatically transferred to the federal list from various state lists. [Washington Post on whether your state will transfer] Residential and cellular phone numbers may be registered at http://donotcall.gov or by calling 1-888-382-1222. (Heavy demand made the service sometimes sluggish and unavailable on its first day, but since then the web site has been only occasionally slow.)

The previous day the Federal Communications Commission (FCC) announced new restrictions on telemarketers, which appear to be consistent with the FTC's new rules, including the registry. (2003/6/26) The FCC's coordination is significant because the FTC does not have statutory authority over two of the largest industries that use telemarketing, telecommunications and financial services. Junkbusters founder Jason Catlett commented:

``With the FCC's cooperation, the Do-Not-Call registry will have the breadth and clout to eliminate most of the nation's junk calls. Aluminum siding installers may be weeping, but the 99%+ of Americans who are not employed to pester people by long distance calls can rejoice. The registry is surely one of the most significant consumer protection measures ever implemented by the federal government. It will save the equivalent of thousands of lifetimes wasted picking up the phone on unwanted calls. The FCC was late for the party that they should have thrown a decade ago, but they have now said, a weekend in advance, that they'll come to the ball with the FTC. American consumers who hear about it will be in such a rush to register that they may not think to ask why their interests were disregarded by the FCC for so long. FTC Chairman Muris will go down in the history of consumer protection as the savior of the American dinnertime.''

The FCC commissioners' vote was unanimous; some of them called the plan the "best thing" the FCC has ever done. Junkbusters founder Jason Catlett commented that it was indeed the best thing the FCC has ever gone along with.

The two agencies' operational details seem to have converged, with the FTC running the registry via a subcontractor. Both online and telephone registration are now available nationwide. Only residential telephone numbers (including wireless numbers) may be registered; business numbers are not covered by the law.

There is no cost to consumers to register. Telemarketers will pay the government a fee for the list. The initial funding for the registry was provided by Congress and signed into law by the President (the Do-Not-Call Implementation Act, Pub. L. No. 108-10). (2003/3) The registry will be effective October 1, 2003. Californians can already ``pre-register'' at http://nocall.doj.state.ca.us online. [MSNBC]

Consumer groups have fought for the registry for years. The main recent political battle had been in the House. [Washington Post] (2003/2/13, p. E7) The Wall Street Journal recounted the heroic efforts of FTC chairman Muris to save the project from the underhanded lobbying of the Direct Marketing Association. (2003/4/4)

The Federal Trade Commission was planning implementation of the restrictions in late 2002. (2002/12/18) [Reuters] [DM News] [SF Chronicle] Junkbusters founder Jason Catlett praised the move.

The FTC proposed the national Do-Not-Call list in January 2002. (2002/1/22) [FTC announcement] [AP] [ABCnews] ``Why even expend the energy to oppose [a national DNC list]?'' asked an editorial in DM News. The Direct Marketing Association opposed it. For more than a decade privacy advocates have urged the FTC and FCC to implement a national DNC list. Junkbusters founder Jason Catlett said Congress plainly stated they wanted one in the Telephone Consumer Protection Act of 1991, but the FCC gave in to lobbyists for telemarketers. The FTC received over 40,000 comments from the public, Reuters reported.

Separately, the Federal Communications Commission (FCC) held a public meeting to announce its intention to modify its rules on telemarketing, considering a national Do-Not-Call list. (2002/9/12) [Reuters/ABC] [FCC Release] [FCC Notice of Public Rulemaking] [RealAudio of meeting - the topic begins about 20% into the file] [Statement of Chairman Powell] [Statement of Commissioner Abernathy] [FCC agenda notice] [DM News] Junkbusters founder Jason Catlett welcomed the move, saying that he hopes the FCC will work with the FTC to produce an effective DNC list. ``The FCC's role is significant because due to limits in statutory authority the FTC can't cover telephone companies and some financial institutions, which are the major sources of junk calls. But FCC can cover them, as well as intrastate calls. The FCC is more than a decade late in obeying the stated intent of Congress of having a national do-not-call list. It's a welcome change that the Commissioners seem unanimous in their desire to protect consumers from this systematic long-distance harassment.''

The commissioners ``said they were concerned that local number portability -- which in November 2003 will allow consumers to transfer their home phone numbers to their wireless phones -- would bring an increase in telemarketing calls to consumer cell phones,'' DM News reported.

Separately, the Onion, a satirical newspaper, reported that the CIA ``has acquired a videotape showing suspected al-Qaeda operatives engaging in what appears to be telemarketing.'' (2002/9/18)

The FTC held a public workshop on its proposed amendments to the Telemarketing Sales Rule (TSR). (2002/6/3) [FTC Agenda] [FTC Release] [USAToday] [AP] [DM News] [Scripps Howard] [Chicago Tribune] The meeting supplied oral public comment to a January 2002 proposal by the FTC to amend its previous rule. Among the proposed changes is the establishment of a national do-not-call list. The proposal already drew more than 42,000 written comments from consumers and businesses. Junkbusters, EPIC, and other privacy groups filed joint written comments responding to the FTC's questions. Junkbusters founder Jason Catlett was one of the participants at the meeting.

In 2001 Texas mother April Jordan filed a class action suit against SandStar Family Entertainment over the use of prison labor in telemarketing operations. (2001/11/13) [Salt Lake Tribune] [DM News]

At an earlier forum in July 2000 at the Federal Trade Commission, two leading privacy organizations called on the FTC and State Attorneys General to halt illegal and abusive practices that are prevalent in the telemarketing industry. (2000/7/27) [FTC Agenda] [CBSMarketwatch] Private Citizen Inc. and Junkbusters held a press conference spotlighting two objectionable practices. ``Prison labor is still often used in telemarketing, despite incidents where convicted felons have abused personal information,'' said Junkbusters founder Jason Catlett. [AP on April Jordan] [FTC comments of Jordan] [Hutchinson News on Jordan, August 9] The second practice has been nicknamed ``dead ringers,'' calls placed by large automatic dialing systems but abandoned after being answered because no representative was available to speak, or because the system was simply testing for an answering machine, modem or fax. ``Few consumers know the reason for these abandoned calls, and many fear they are being stalked as they are left saying "Hello? Hello? Hello?",'' Catlett said. Privacy advocates say these calls are illegal under the Telephone Consumer Protection Act of 1991 and should be stopped completely. The advocates also discussed the widespread practice of banks selling account information about their customers to telemarketers.

Separately, Direct Marketing Association CEO Robert Wientzen told the 2000 annual DMA Telephone Marketing Conference that a survey revealed that people don't like telemarketing calls, DM News reported. [The Onion] (2000/6/22) Wientzen cited a recent DMA-funded study finding that most consumers said telemarketing calls were "always intrusive." ``People are very curious -- and they're increasingly irritated -- about how we got their phone number, as well as other information we seem to have at our fingertips,'' Wientzen said. Privacy advocates were not available for comment.

In 1999 the Wall Street Journal reported that some telemarketing companies have started targeting answering machines exclusively. (1999/8/16, p. B1) If their ADRMPs (Automatic dialing and recorded message players) detect a live voice, they hang up and try again later; if they detect an answering machine, they play a prerecorded message. For people who spend the day at home, it can result in a very large number of "abandoned calls," also known as dead ringers, long criticized by privacy advocates. ``This practice is highly annoying, often deceptive, and plainly illegal under the Telephone Consumer Protection Act,'' said Junkbusters President Jason Catlett. The companies named by the Journal include Voice Mail Broadcasting Corp. of Irvine, CA. and the Broadcast Team Inc. of Ormond Beach, LA.

Subsequently, ABC started using a similar tactic, ZD reported. (2000/7/24) The New York Times reported that the Bush campaign was using the same technique from Voice Mail Broadcasting. (2000/8/6)

In November 1998 the American Telemarketing Association changed its name to the American Teleservices Association. Its president told DM News: ``There are many companies with call centers that don't think of themselves as telemarketers. Many have call centers they use for customer service in a very professional way.'' As opposed to using call centers for customer disservice in an unprofessional way? ``Let's face it, most people would prefer to get a housecall from a dentist than a telemarketing call,'' said Junkbusters founder Jason Catlett. ``Outbound telemarketing should be on its way out, and even the people making the calls are starting to get the message.''

In April 1998 GTE, California's second-largest telephone company, included about 50,000 unlisted numbers and addresses in the lists that they routinely sell to telemarketers, the AP reported.

In 1997 fifty people at thirty telemarketing companies in Tennessee were convicted of fraud, the New York Times reported. (1997/6/29, p. 17) The Federal Trade Commission estimates that Americans are bilked out of $40 billion annually by fraudulent telemarketers. ``I've been a widow for 19 years,'' an 80-year-old victim told the Times. ``It's very lonely. They were nice on the phone. They became my friends.'' Junkbusters founder Jason Catlett later commented on the surprisingly widespread fallacy that because no physical violence is involved, telefraud isn't really a serious crime. ``These criminals are long-distance muggers,'' Catlett said. ``They use lies instead of guns to rob trusting people of their livelihood. They deserve prison far more than houseburglars.''

In 1997 MCI was accused of breaking a Kansas law on telemarketing that provides for a maximum penalty of $5,000 for each violation, AP reported. (1997/3/28) The company is said to have made 2.4 million calls in Kansas last year. The trade magazine Telemarketing and Call Center Solutions reported in its March '97 issue that Kansas had imposed a $225,000 fine on another major telecommunications company.

Separately, Private Citizen Inc. reported that one of its members was paid $5,500 in settlements from two telemarketing companies.

Separately, Louisville Comedian Tom Mabe called conference attendees at a telemarketing convention in the middle of the night offering to sell them a sleep aid and pretending he was calling on behalf of the "Telemarketers with Insomnia Foundation," the AP reported. (2002/4/22) Mabe torments telemarketers, telling one caller ``trying to sell him a burial plot that the man had perfect timing, because he was considering killing himself. The telemarketer asked him for credit card information, Mabe said.''

Spammer charged with stealing personal data from Acxiom

A Florida man, Scott Levine of Snipermail.com, Inc., has been charged with stealing 8.2 gigabytes of data from the servers of personal data vendor Acxiom (ACXM) between April 2002 and August 2003. (2004/7/22) [FBI release] [Reuters] [AP]

``Eight gigabytes is a lot of personal data,'' commented Junkbusters founder Jason Catlett. ``That's enough to hold every residential address in America, along with a name, email, SSN, and some other miscellaneous information.'' People who would like to know what data about them was stolen from Acxiom's servers can write a letter such as this one. People who don't want Acxiom to sell data about them can write Acxiom an ``opt-out'' letter (such as the one that JUNKBUSTERS DECLARE drafts for several such companies) or call them on 1-877-774-2094, or email info@acxiom.com.

The theft was discovered during the course of investigating another unrelated break-in in 2002 by an Ohio resident named Daniel Baas. The AP quoted an Acxiom spokesperson as saying: "We are committed to safeguarding our systems and the data that we store and manage on behalf of our clients. Since evidence of this crime was uncovered and halted in the summer of 2003, Acxiom has made a strong security system even stronger." The FBI says that Levine made 137 separate intrusions during the period April 2002 to August 2003. Acxiom disclosed an intrusion in its SEC filings for 2003Q4, which seems to relate to the 2002 theft by Baas. Here is Acxiom's statement to investors:

In early August 2003 management determined that Acxiom had experienced unlawful security breaches of its file transfer protocol ("FTP") server. Unauthorized access to certain files occurred as a result of information being exchanged between Acxiom and a number of clients via the FTP server. Acxiom was among several companies whose security was breached. Law enforcement authorities have arrested and charged a former employee of one of Acxiom's clients and are investigating another company. Thus far, one individual has pled guilty and is awaiting sentencing. Acxiom continues to fully cooperate with the investigation, which involves multiple law enforcement agencies.

Only FTP files on a server located outside of the Acxiom firewall were compromised, and not all FTP files nor all clients were affected. No internal systems or databases were accessed, and there was no breach that penetrated the Acxiom security firewall. Based on the facts known to management, the Company does not believe that there is any risk of harm to individuals, and the Company does not expect any material adverse effect from this incident.

Acxiom has a longstanding commitment to systems and network security. The Company undergoes internal security audits on a regular basis, and many clients perform audits on the Company's systems as well. The Company has begun an additional comprehensive review of its systems and procedures to guard against similar incidents in the future. Based on this incident, management is implementing improvements to its systems and procedures.

The crossheading of the FBI release says that the later theft by Levine resulted in a loss of more than $7 million, but does not say how this was calculated. The Eastern Arkansas Evening Times quoted Assistant Attorney General Christopher A. Wray as saying that the figure was ``an estimate of the lost data's value and what it would cost the company to recover it.'' (2004/7/23) We have not seen a statement from Acxiom as to whether it considers the later theft to have had a "material adverse effect" on the company.

Acxiom data was involved in the JetBlue airline profiling scandal in 2003.

FTC charges company with privacy policy switch

Gateway Learning, which markets and sells products under the Hooked on Phonics brand name, settled with the Federal Trade Commission over charges that it violated federal law when it rented consumers' personal information to telemarketers after changing its privacy policy. (2004/7/7) [FTC Announcement] [Computerworld] [Reuters]

In a column in DM News, privacy expert Robert Gellman wrote ``This type of FTC privacy enforcement is a joke because it has no teeth. If the rare enforcement action doesn't hurt, then the deterrent effect is zilch and little has been accomplished. It's as if a bank robber's only penalty was that he had to give back the money he stole.'' (2004/11/2)

English-speaking governments cooperate against spam

Consumer protection agencies in Australia, the US and UK have signed a memorandum of understanding (MoU) concerning enforcement of spam laws. (2004/7/4) [Computerworld] [ZDUK] [CBR] [FT] [TechWeb] The MoU requires cooperation between agencies of the countries when the spamming is "prohibited by a country's Commercial Email Laws that is substantially similar to conduct prohibited by the Commercial Email Laws of the other countries". Whereas the UK and Australia have opt-in laws, the US has a lower standard with its opt-out law, so the US would only be required to prosecute spammers who violate the weaker law. Junkbusters founder Jason Catlett said that international cooperation of law enforcement against spammers is an important and necessary step. ``Eventually spamming should be prohibited by international treaties, just as copyright violations are. But right now the big hole in the boat is the fact that U.S. law explicitly and deliberately permits spamming.''

FTC recommends against National Do Not Email Registry

The Federal Trade Commission gave Congress its opinion that a National Do Not Email Registry ``would fail to reduce the amount of spam consumers receive, might increase it, and could not be enforced effectively.'' (2004/6) [FTC press release] [FTC report (PDF)] [Arizona Republic] Junkbusters founder Jason Catlett said he agreed with the report's main conclusion, but said the FTC should endorse an opt-in law or a registry that would allow whole domains to prohibit spam and sue violators.

Separately, Michigan passed a law to establish a registry of children's email addresses aimed at stopping spam unsuitable for children. (2004/7/4) [Detroit News]

Who knows if you read their email?

A new web site called http://www.DidTheyReadIt.com allows individuals to track whether you opened email they sent you. (2004/5/20) [USAToday] [CNET] The company will also tell the sender when the email was opened, how long it remained open, and the geographical area that you were in when reading it. Here's an illustration of the kind of tracking information DidTheyReadIt.com provides:
   Sent On: 05/20/04 (09:31AM)
   1st Opened: 05/20/04 (09:32AM)
   Tracking Summary
   Total: Opened 1 time by 1 reader
   Tracking Details (latest first)
   Opened: 05/20/04 (09:32AM)
   Read Duration (approx.): 00:01:18
   Location: (US) UNITED STATES, NEW JERSEY, WASHINGTON Show Map
   Organization (ISP): VERIZON INTERNET SERVICES
   Opened On: pool-141-153-129-237.nwrk.east.verizon.net (141.153.129.237)
   Language: en-us,en;q=0.5
   Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b)

The tracking technology used is not new; email marketers have been using web bugs for years to monitor who opens their mass mailings. Other services for tracking individuals include: http://www.confirm.to and http://www.msgtag.com/ and OpenTrace. Junkbusters founder Jason Catlett said that ``trying to monitor when and where your correspondents open their mail is rude, disrespectful and violates their privacy. Tell anyone who tries it you're insulted that they tried it.''

How can you avoid being tracked in this way by people who send you mail? The simplest way is not to use HTML mail. There's also a technological countermeasure: blocking the web site of the company that does the tracking. If you are using the Internet Junkbuster or Guidescope this is simply done by placing lines such as
   didtheyreadit.com
in the local block file. It may also be necessary to ensure the mail reader is using the proxy. With any of these techniques you can then read the email, but the monitoring company (and the person who emailed you) will not be able to detect that you have.
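What a block list does and does not stop in such a message, as an added example (not Junkbusters' or Guidescope's code): it lists every remote fetch an HTML mail would trigger on open and marks which ones the listed domains cover. The suffix-matching rule, the sample message and the URL paths in it are assumptions constructed for illustration.

```python
"""Audit an HTML e-mail for remote fetches that reveal the message was opened."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tracking services named in the text. A block-file line such as
# "didtheyreadit.com" is ASSUMED here to match that domain and its subdomains.
BLOCKED_DOMAINS = ("didtheyreadit.com", "confirm.to", "msgtag.com")

# Tag -> attributes whose URL a mail reader may fetch as soon as the mail is shown.
FETCH_ATTRS = {
    "img": ("src",), "iframe": ("src",), "input": ("src",), "link": ("href",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}


def host_is_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


class RemoteFetchFinder(HTMLParser):
    """Collects (verdict, host, url) for every URL fetched automatically."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            url = (attrs.get(name) or "").strip()
            try:
                parts = urlsplit(url)
            except ValueError:          # malformed URL: nothing will be fetched
                continue
            # cid: and data: URLs stay inside the message; only http(s) and
            # protocol-relative URLs contact a server.
            if not parts.hostname or parts.scheme not in ("", "http", "https"):
                continue
            tiny = (tag == "img" and attrs.get("width") in ("0", "1")
                    and attrs.get("height") in ("0", "1"))
            if host_is_blocked(parts.hostname):
                verdict = "blocked"     # the block file stops this request
            elif tiny:
                verdict = "suspect"     # invisible image on an unlisted host
            else:
                verdict = "remote"      # ordinary remote content, still a fetch
            self.findings.append((verdict, parts.hostname, url))


def audit_message(raw):
    """Return findings for all text/html parts of a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    finder = RemoteFetchFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings


def leaks_after_blocking(raw):
    """Fetches that still reach a server even with the block list in place."""
    return [f for f in audit_message(raw) if f[0] != "blocked"]


# Constructed sample message; hosts other than didtheyreadit.com are placeholders.
SAMPLE = '''\
From: sender@example.com
To: reader@example.org
Subject: Lunch?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Lunch on Friday?

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Lunch on Friday?</p>
<img src="http://www.didtheyreadit.com/EXAMPLE-ID.gif" width="1" height="1">
<img src="http://t.example.net/open?m=EXAMPLE" width="1" height="1">
<img src="http://images.example.com/logo.png" width="120" height="40">
<img src="cid:photo1">
</body></html>
--b1--
'''

if __name__ == "__main__":
    for verdict, host, url in audit_message(SAMPLE):
        print(f"{verdict:8} {host:28} {url}")
```

The unlisted one-pixel image is why reading mail as plain text remains the simplest countermeasure: a block list only covers the tracking hosts it names.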

[Feedback]  Google's Gmail criticized by privacy advocates

Over thirty privacy and civil liberties organizations have jointly urged Google to suspend its Gmail service, which would use the contents of users' email to target advertising. (2004/4/6) [Open Letter] [NJ Star-Ledger] [Wired] [Brad Templeton]

[Feedback]  Survey finds Federal spam law unhelpful

A survey by the Pew Internet and American Life Project found that the new federal spam law has not helped. (2004/3/17) [KR] [AP] [Bergen Record]

Several Internet companies under the name of the Anti-Spam Technical Alliance (ASTA) announced technical cooperation and lawsuits against spammers. (2004/3/10) [Search Google News] [Reuters] [WashingtonPost.com] [Star-Ledger] [Boston Globe] [MSFT Press Release] [USA Today] [NY Times] [IDG] [Wired] [Bloomberg] [Internet News] Junkbusters founder Jason Catlett said that ``although the ISPs' use of filtering helps reduce spam, and suits against spammers are generally a good thing, these companies deserve to be mistrusted by consumers. Microsoft, AOL and Yahoo all opposed provisions in Federal law that would make spamming illegal, and removed the right of individuals to sue spammers. They gave us the current bad Federal law that permits spamming and protects big email marketers. The CAN SPAM act is generally a bad law that the major ISPs wanted, making sure that they are the only ones who have the right to sue.'' The lawsuits filed also use many other state and Federal laws, not just CAN SPAM.

Microsoft earlier proposed a system for licensing and monitoring senders of email that it says would allow spammers to be cut off. [Boston Globe] [MS Release] [Washington Post] [IDG] (2004/2/24) One of the proposals, "Caller ID for Email," was criticized by analyst Gartner as taking years to implement and even then not being effective. [VNUnet] Some questioned Microsoft's patent licensing terms. [InfoWorld] [PC World] Catlett said that ``proposals for "safelists" maintained by industry-captive organizations such as TRUSTe amount to creating a self-protecting cartel controlled by big email marketers for the benefit of those companies, with no legal rights for consumers.''

[Feedback]  Law proposed to protect children from list vendors

U.S. Senators Ron Wyden and Ted Stevens have introduced legislation to require companies to obtain parents' consent before selling personal information about their children. (2004/3/2) [Text of Bill] [Floor Statement] To support S. 2160, the Children's Listbroker Privacy Act, call your senator's office and tell them.

[Feedback]  California Access law passed

California passed a law, SB 27, requiring disclosure to consumers of the kinds of information companies collect and share about them. [Internet News] The law takes effect at the beginning of 2005. (2004/1/1)

[Feedback]  U.S. Congress says: You CAN SPAM

President Bush signed the CAN SPAM Act. (2003/12/16) [DM News] [Reuters] [Internet News] Junkbusters founder Jason Catlett said that the law is likely to make the spam problem worse. ``This is an opt-out law that overrides any state that tries to truly ban spam. It says to spammers: "You Can Spam. And you can keep spamming the 99% of people who don't complain. And states shouldn't be able to stop you spamming." It's a bad law. Americans wanted a law that says "no spamming," and this does the opposite.'' The Coalition Against Unsolicited Commercial Email also expressed similar concerns.

Congress passed the bill a week earlier. (2003/12/9) [Reuters] [USAToday] Various versions had been going back and forth between the Senate and the House. (2003/10/25) [Reuters] [WSJ] [SJ Merc]

The Senate Commerce Committee had approved an early version of the bill in July 2003. (2003/6/19) The Committee held hearings in May. (2003/5/21) [AP] [MSNBC] [Internet News] [InfoWorld] [Washington Post] Microsoft said it would only support a law that provides special exemptions for marketers who electronically call themselves ``trusted senders'' [Washington Post]. The only witness representing consumer interests was EPIC, whose testimony urged opt-in and a private right of action. Spammer Ronald Scelson told the committee "I agree with having laws governing bulk e-mails," Internet News reported. Junkbusters founder Jason Catlett testified before this committee on this topic in 2001.

A diverse group of companies and organizations launched a global consumer awareness campaign against spam. (2003/9/26) [IIA News Release] [Network World/IDG] [Info World/IDG] [Computerworld/IDG] The campaign aims to make spamming less economical by cautioning the small number of people who might respond to spam. Participants include several Internet trade associations, Microsoft, AOL, Yahoo!, Junkbusters, and Consumers International (representing 250 consumer organisations in 110 countries).

A strong anti-spam bill was signed into law by the governor of California. (2003/9/23) [Internet News] [NY Times] [DM News] S.B. 186 states that no one may "[i]nitiate or advertise in an unsolicited commercial e-mail" either sent from California or to a California e-mail address. (An exemption is granted where the sender has a pre-existing business relationship with the recipient.) It gives individuals the right to sue. The law was due to take effect January 1st, but its important provisions have been preempted by the federal CAN SPAM Act. Junkbusters founder Jason Catlett praised the bill, commenting that it is the kind of law that federal legislators should have passed. Separately, California's Attorney General sued a spammer under one of the state's earlier laws. (2003/10/27) [Infoworld]

The competing pro-spam bill from the House, misleadingly titled the RID SPAM Act, has been ``weakened even further to provide near-perfect immunity to the big companies who are virtually dictating the legislation to their compliant congressmen,'' said Junkbusters founder Jason Catlett [Washington Post] (2003/9/18, p. E01). The Post quoted a spokesman for Rep. Tauzin saying that ``the self-regulation plan improves the bill because it creates a grievance process for individual consumers who might otherwise have trouble getting the attention of law enforcement authorities when marketers are continuing to target them.'' Catlett replied that consumers should be able to sue spammers themselves. ``One of the key deficiencies of this bill is that consumers can't sue companies, and a large new section virtually stopping law enforcement from suing them isn't going to help. An Attorney General would have to prove that the company knew they were repeatedly spamming people who told them to stop. That might happen if they found a discarded company memo saying "We bad. We spam. We won't take no for an answer." Otherwise it's a pretty unattainable level of proof, which is what the companies want. And class action damages are excluded. The seal program should read "Immune to Lawsuits". Or maybe "How's my spamming? Call 1-877-FTC-HELP."''

Here is a sample of the new language in the bill.

``A person that participates in a self-regulatory program... made shall not be liable ...unless such participant has actual knowledge of the noncompliance with the guidelines.. of the self-regulatory program.''

Catlett continued: ``The worst deficiency in the Tauzin bill is that it is an opt-out bill that preempts state law and gives no rights to consumers, therefore it will make the spam problem substantially worse. The self-regulatory exemption for Microsoft and their fellow lobbyists is merely adding an insult to the widespread injury that the public will suffer.

``This is an awful bill for so many reasons. The one that strikes you first is that it's so long and complicated. Contrast it with the very short law that outlawed junk faxes in 1991, ``No Person May... send an unsolicited advertisement to a telephone facsimile machine.'' The Tauzin bill takes thousands of words to avoid doing what needs to be done: making spam illegal.''

Federal legislators have ignored all the main points proposed for effective spam legislation by the many public interest groups in the Privacy Coalition. (2003/7/18)

Senators Hatch and Leahy introduced the Criminal Spam Act (CSA), which includes a penalty up to five years in prison for certain spamming practices, but would not cover simple spamming as even a civil offence. (2003/6/19) [CNET News.Com] Junkbusters founder Jason Catlett said that although he supports stronger penalties for spamming, ``It would be a mistake for Congress to criminalize some practices while leaving spamming legal, giving people who are spammed no rights against the spammer.''

Senator Schumer introduced his long-anticipated SPAM Act (Stop Pornography and Abusive Marketing Act), S.1231. (2003/6/11) [Washington Times] [Atlanta J-C] An unusual feature of the bill is a registry of email addresses that do not want spam. Junkbusters founder Jason Catlett said he would only support an opt-out registry if it worked on the level of domain names, covering all email addresses at the domain. (The current draft of the bill seems ambiguous on this point.) ``Less than 1 person in 100 wants spam, so why require the other 99 to expose their email addresses in some huge database? Spammers have a long and shameful record of using opt-out registries as lists of email addresses to spam.'' Catlett said that a registry would also be difficult and costly to operate if based on individual email addresses. Like many bills, the SPAM Act includes labeling requirements. Junkbusters opposes labeling because it caters to an unsatisfactory combination of opt-out and filtering technology rather than opt-in, and it leaves legislation open to constitutional challenges based on the First Amendment.

Separately, Reps. Heather A. Wilson (R-N.M.) and Gene Green (D-Tex.), plan to introduce another opt-out bill with fewer loopholes than other proposals, the Washington Post reported. (2003/6/17, p. E01)

The leading pro-spam bill was introduced into the House by Representative Burr, cosponsored by Reps. Tauzin, Sensenbrenner, Goodlatte, Stearns and others. (2003/5/22) [Reuters] [News.com] [Infoworld] [Detroit Free Press] H.R. 2214 is titled the Reduction in Distribution of Spam Act of 2003 (RID SPAM). Junkbusters founder Jason Catlett commented that it should have been called the Rapid Internet Demise Act.

A broad coalition of privacy, anti-spamming and consumer groups immediately released an open letter to key congressional committees calling for a consumer-enforceable Federal prohibition against spamming. (2003/5/22) [Reuters] The groups argue that anti-spam measures such as H.R. 2214 currently being considered by Congress are too weak because they don't actually prohibit spamming (merely require an opt-out), and don't allow consumers to sue spammers.

"People are drowning in spam, and the proposals Congress has been producing just tell people to swim harder and apply to the government for the occasional life raft," said Junkbusters founder Jason Catlett. ``These opt-out laws are nowhere near strong enough to reduce spamming. People should be able to sue spammers in small claims court for the first spam they get, just as they can with junk faxes.''

An editorial in the San Jose Mercury News commented: ``They think the best way to curb spam is for Internet users who are fed up with useless solicitations to nicely ask each of America's 23 million or so businesses to take them off their junk e-mail lists. We ask nicely that Congress junk this legislation.'' (2003/5/27)

Separately, the California State Senate approved an opt-in bill that would allow individuals to sue spammers, Reuters reported. (2003/5/22) Junkbusters founder Jason Catlett applauded its passage, commenting that ``California is setting an example that the federal Congress should notice. In the late eighties, California banned junk faxes ahead of the 1991 Federal law. I hope the corresponding time lag for junk email will not be measured in years.''

H.R. 2214 was long anticipated. (2003/5/12) [Reuters] [Internet News] [Philadelphia Inquirer] [Washington Post] (2003/5/13, p. E1) Junkbusters founder Jason Catlett denounced the draft and introduced forms of H.R. 2214 as a "federal license to spam." "The bill shamelessly ignores consumer interests and common sense in favor of spammers. It says ``Go ahead and spam people until they scream, they can't sue you. Just follow these easy guidelines, and if you have any trouble with them, try one of our many handy exemptions.''" Early drafts of the bill would completely override stronger state laws that prohibit spam or allow individuals to sue spammers. ``This bill should be called the Spam Preservation and Protection Act,'' Catlett said.

``At the Federal Trade Commission's workshop held at the end of April, a substantial majority of the expert participants very clearly articulated that to be effective, spam legislation would need to be opt-in with a private right of action. (Dissenting opinion came from spammers and the Direct Marketing Association.) Yet the Tauzin bill not only ignores this consensus and sides with spam, it includes exemptions that seem to have been designed to make life easier for spammers. For example, it makes an opt-out last only three years and includes an exemption for "separate business lines" that basically allows all of a company's affiliates to spam. Consumers don't want to opt out from spam for every brand that a company might trademark. They don't even want to have to opt out from each of the hundreds of thousands of companies in the world. And they shouldn't have to. They want a law that says "Don't spam." Period.''

``Many of the provisions in bills that are supposed to be anti-spam will be at best ineffective. Even criminal penalties for certain common spamming practices will not substantially reduce the volume of spam if the basic provisions permit spamming. Compulsory labeling such as ADV and ADULT in the subject header is not necessary if unsolicited email is prohibited, and it may even cause constitutional challenges to the law. Provisions against "harvesting" of email addresses may be too late, as many such lists have been compiled, and spammers are now moving on to "dictionary attacks" which simply use systematic guesswork.''

People who want to tell the House committee leaders that spamming should be prohibited, not just regulated, can send letters such as these samples addressed to Representatives Tauzin and Sensenbrenner.

Separately, the FTC announced actions against 45 spam scams. (2003/5/15)

Earlier, a broad coalition of privacy, anti-spamming and consumer groups called on the Federal Trade Commission (FTC) to recommend a consumer-enforceable Federal prohibition against spamming. (2003/4/30) The FTC held a major public workshop on Spam April 30-May 2 and will deliver a report to Congress by early July. [Reuters] [DM News] [AP] [Internet Week] [Newsday] [CS Monitor] [WSJ] Junkbusters founder Jason Catlett was a panelist.

In an open letter the groups argue that anti-spam measures currently being considered by Congress are too weak because they don't actually prohibit spamming (they merely require an opt-out), and don't allow consumers to sue spammers.

"It has been demonstrated that an opt-out law such as that proposed by S. 877 will exacerbate the problem - the volume of spam from Korea increased by a factor of 11 in three months after a similar requirement was introduced there," said Scott Hazen Mueller, Chairman of CAUCE.org.

"Consumers should be able to sue spammers, just as they can sue junk faxers and telemarketers who phone them at 10pm," said Jason Catlett, President of Junkbusters Corp. "Enforcement actions by the FTC and other agencies are welcome, but they will never be enough to turn back the rising tide of spam."

The signatories to the letter are: privacy groups Junkbusters Corp. and the Privacy Rights Clearinghouse; anti-spam groups SpamCon Foundation and CAUCE.org (Coalition Against Unsolicited Commercial Email); and consumer groups Consumer Action, the Center for Digital Democracy, Commercial Alert, and Consumers Union, publishers of Consumer Reports.

A survey by filtering company Surfcontrol indicated that 82% of business users consider unsolicited mass e-mail from legitimate or well-branded companies to be spam. (2003/4)

Separately, the Governor of Virginia signed a law criminalizing certain spammer behavior. (2003/4/30) [Computerworld] [Governor's Press Release]

A bill that would prohibit certain kinds of typical spammer behavior was reintroduced in the Senate, as S.877, the CAN-SPAM Act of 2003. (2003/4/10) [Reuters] [PC World] An earlier version of the bill passed the Senate Commerce Committee in May 2002, but its defects are that it is an opt-out bill with no private right of action. (2002/5/1) [Washington Post] [Reuters] [Infoworld] Junkbusters founder Jason Catlett testified on an earlier version of the bill saying that an opt-out approach will not solve the spam problem, and that people should only receive commercial email from companies they have given permission to send it.

Although the Senate bill is currently the most prominent, a separate bill has been considered in the House for years. In May 2001, the House Judiciary Committee further weakened H.R. 718, the Unsolicited Commercial Electronic Mail Act of 2001, by removing the right of consumers to sue, among other anti-consumer measures. (2001/5/23) [Release by Rep. Wilson] [DM News] The U.S. Public Interest Research Group had already objected in a letter to the prohibition against class action suits. The House Energy and Commerce Committee had earlier approved this bill, where it has been opposed by privacy advocates as too weak, and industry lobbyists as too strong. [Newsbytes] It is a weakened version of H.R. 3113, which was almost passed by Congress last year. (2001/3/28) [Newsbytes] [WSJ] Junkbusters, which had supported H.R. 3113 and H.R. 718, withdrew its support of H.R. 718 because the bill has been weakened to an ``opt-out'' spam bill that offers no ability for individuals or ISPs to prevent the first spam from any organization. (2001/3/28) [IT World] Its findings suggest a pro-spamming attitude, said Junkbusters founder Jason Catlett.

(3) Unsolicited commercial electronic mail can be an important mechanism through which businesses advertise and attract customers in the online environment.
``Wrong. No major legitimate business sends UCE. It's against the terms of service of every major ISP. This is a bad bill trying to impose a bad marketing model on the Internet,'' Catlett said. ``Opt-in is the only sustainable method for email.'' Bill sponsor Rep. Heather Wilson told the Associated Press that ``Consumers should have the same power to stop junk e-mail from invading their home as they do with junk mail, telemarketing and junk faxes.'' Catlett commented that junk faxes are currently opt-in, and telemarketing calls and junk mail are opt-out. Commercial email should be opt-in, but this bill is trying to make it opt-out, he said.

Earlier, the Direct Marketing Association announced that it would pursue anti-spam legislation. (2002/10/20) [Press release] [Ecommerce Times] [Newsfactor] The AP quoted a DMA official saying ``the DMA supports unsolicited e-mail marketing as long as it targets a certain demographic or interest group -- say, 25- to 35-year-olds or homeowners -- and isn't merely sent to every e-mail address one can gather.'' Junkbusters founder Jason Catlett said that ``The DMA has finally admitted after years of denial that legislation is needed to control spam. But they are still supporting spamming. Instead of promoting a law that would really reduce spam, they are trying to redefine spam as slightly-targeted non-fraudulent email with an opt out. Wrong. Spam is unsolicited commercial email, no matter whether the spammer had any demographic information on the spammee, whether it contains lies or truth, removal instructions or not. All spamming should be illegal.''

In February 2002 the DMA announced what it considers acceptable behavior for spamming by its members. (2002/2/4) [DMA Release] [Full DMA Guidelines] [DM News] [Reuters] [CNET] In their own words, they ``promulgated groundbreaking online marketing guidelines to assist consumers in identifying legitimate commercial e-mail from spam and promote higher ethical standards among marketers.'' Junkbusters founder Jason Catlett said that ``Consumers don't need any help from the DMA to distinguish spam from email that they asked for.'' The DMA continued its "opt-out" policy, under which spammers can send email to people unsolicited, provided they include instructions to ask the sender to stop. ``Spam with an opt-out is still spam,'' said Junkbusters founder Jason Catlett. ``The DMA is condoning practices that are unacceptable to the vast majority of online users, are prohibited by almost all ISPs, and are illegal in many jurisdictions. Its compliance program is as silly as the Guild of Burglars saying it will expel housethieves who steal from the same home twice.''

The Federal Trade Commission and 12 federal, state, and local law enforcement and consumer protection agencies announced various enforcement actions against deceptive spam and Internet scams. (2002/11/13) [FTC press release] [WSJ] [FTC on address harvesting] Junkbusters founder Jason Catlett applauded the efforts, but said that spamming won't be substantially reduced until a law gives individuals the right to sue spammers directly.

Separately, New York's Attorney General sued MonsterHut, Inc., to stop them sending unsolicited e-mails that they claim were requested, Internet News reported. (2002/5/28)

In January 2000 the DMA launched its "Electronic Mail Preference Service" (e-MPS) at http://www.e-mps.org/ (2000/1/10) [Wired News on eMPS's flop] Leading anti-spam groups called on Internet users and companies to reject this attempt to change email marketing from an "opt-in" to an "opt-out" system. Junkbusters founder Jason Catlett contrasted the DMA's position with its sister organization, the Canadian Marketing Association, which since 1997 has prohibited its members from sending unsolicited commercial email. "Most businesses and industry groups have long understood that spamming is bad for consumers, bad for the Internet, and bad for business. The e-MPS from the DMA is a really rotten idea, as awful as a trade association of oil companies maintaining a list of people who don't want petroleum waste dumped near their property. It just shouldn't happen. People shouldn't register, and companies shouldn't use it." [Press Release] [SJ Merc] [Press release from http://www.OptInk.com] [DM News] Even an editorial in the industry trade magazine DM News said the e-MPS isn't the answer. ``Spammers won't use E-MPS, and the companies responding properly to current market conditions don't need it. Those conditions? Opt-in e-mail marketing. ... The old 99-percent-who-don't-respond-don't-matter rule doesn't work anymore.''

The Internet Alliance, a DMA subsidiary, said of the e-MPS in a press release ``While, as DMA acknowledges, it will not eliminate all UCE abuses, it will help. It is clearly a useful component of a combined industry/public/government response.'' Catlett rebutted this statement, saying ``The DMA's e-MPS isn't part of a solution, it's part of the problem.''

H. Robert Wientzen, President and CEO of the Direct Marketing Association, addressed members at the DMA's 1999 annual conference with the following words: ``Well, let me begin by recognizing that bulk unsolicited commercial e-mail is not real popular with consumers. And to date, very few of you are employing it. However, we also feel that most of those who push for an opt-in-only regime have very little understanding of the incredibly negative impact it would have on the future use of e-mail as a marketing tool.'' (1999/10/25) Junkbusters President Jason Catlett commented: ``The DMA knows people hate spam, and that almost all of their member companies are afraid to do it. Yet they are continuing their pig-headed push to impose an opt-out system on the Internet community.''

The DMA had been negotiating with anti-spammers, trying to push back the near-unanimous view of people online that they should only get email marketing messages if they explicitly ask for them. [Wired News] [Interactive Week] The DMA's president told DM News ``We have for a long time said [the spam debate is] not about opt-in as opposed to opt-out.'' Catlett retorted: ``That's exactly what it's about.'' [Salon] For more on the DMA's spam policies, see our filings with the FTC in 1997.

A Washington state court ruled against a spammer who used misleading subject lines such as "Did I get the right e-mail address?" (2002/9/13) [Seattle PI] [DM News] [Portland Business Journal] Junkbusters founder Jason Catlett commended the Attorney General for ``going after a commonly despised practice of spammers and winning. I particularly dislike the burden of having to open spam to determine whether it's spam. Although this suit is not going to solve the spam problem, I think this action will resonate with a lot of people. If this kind of suit deters a few spammers from using the tactic, it could save a lot of human time wasted.''

Sprint has been sued under a recently-enacted Utah law requiring the label "ADV". The suit, Terry Gillman v. Sprint Communications, is a class action. (2002/8/1) [CNET] [AP]

Separately, an Ohio spam law was signed by the Governor. (2002/8/1) [AP]

The Federal Trade Commission announced it caught and sued seven spammers who sent deceptive chain letters promising extravagant amounts of money in return for five dollars. ``This chain letter deceptively claims the program is legal and urges recruits who question its legitimacy to contact the FTC's Associate Director for Marketing Practices. Well, I am the Associate Director for Marketing Practices,'' said Eileen Harrington, the FTC's Associate Director for Marketing Practices, ``and these chain letters are illegal.'' (2002/2/12) [FTC announcement] [Reuters 2] [Reuters 1] [Newsbytes] Junkbusters founder Jason Catlett praised the Commission's action, saying that suits against spammers should be brought more broadly and more often, including suits for fake return addresses and opt-out instructions. ``The FTC is fortunate in having a strong statutory basis to defend their name against spammers. But they're not the only ones being abused. Members of congress and businesses have been victims. All Americans deserve a law that lets them easily sue spammers. Government enforcement alone is not going to keep spam down to tolerable levels.''

Separately, a consortium of banking, insurance and securities firms mounted an opposition campaign to anti-spam legislation, which they claim would have a "chilling effect" on expanding e-commerce. The consortium includes Bank of America Corp., Merrill Lynch & Co., Chubb Corp.'s Chubb Group of Insurance Cos. and Credit Suisse First Boston. ``Shame on these companies,'' said Junkbusters founder Jason Catlett. ``They want to keep the door open for themselves to spam, just as they pester us with telemarketing calls and credit card solicitations.'' Two congressional representatives responded by asking the Securities and Exchange Commission to investigate the use of spamming by securities firms. (2001/3/26) [Reuters/CNET] "In order to better understand financial services industry e-mail spamming practices, we request that the commission initiate an immediate investigation into securities industry use of unsolicited 'spam' e-mails," wrote Reps. John Dingell (D., Mich.) and Edward Markey (D., Mass.)

Earlier, several consumer groups wrote a letter to Congress calling for a law prohibiting unsolicited commercial email, with strong legal rights for individuals who are spammed. (2001/4/26) [Internet News] [PC World] [Scripps] [DM News] [Ecommerce Times] [CNET] [UPI] The Senate Commerce Committee's Communications Subcommittee held a hearing on spamming and bill S.630. Junkbusters founder Jason Catlett testified and opposed the present form of the bill as insufficient to stop spam. [Catlett's written testimony] The Coalition Against Unsolicited Commercial Email (CAUCE) also released a statement opposing the bill.

Separately, California resident Ellen Spertus successfully sued Kozmo for spamming her. (2001/4/19) Kozmo has ceased operations.

[Feedback]  Airline data used to profile passengers

Data on millions of JetBlue passengers was used in a study on profiling, Wired News reported. (2003/9/18) [NY Times] [AP] [News.com] [News.com on EPIC complaint] [NY Times letters] The case is being investigated by two federal agencies. [NY Times] The flight data was matched with data from the giant personal data vendor Acxiom. Acxiom denied to the AP that it had violated its privacy policy.

A litigation web site has been established for the class of people who flew JetBlue Airways between February of 2000 and September of 2002. A suit has been filed in Utah. [Fox]

[Feedback]  MIT shuts down RFID Center

MIT closed its Auto-ID Center. (2003/10/23) [CNET] Some of its activities are being handed off to EPCGlobal.

Protesters against RFID tracking attempted to get their message to business decision makers at the EPC Symposium, a trade show touting the tiny tracking devices. (2003/9/15) [AP] The ACLU petitioned a local court to suspend the conference center's policy of keeping dissenters at least 200 feet away from the facility.

A Wired News report quoted Kevin Ashton, the Auto-ID center's director, ``A draft proposal recommends that retailers disable the RFID tags at checkout, but only when shoppers ask them to do so.'' Junkbusters founder Jason Catlett called this socially irresponsible, and an unacceptable threat to privacy. (2003/9/12)

The Auto-ID Center accidentally leaked confidential internal documents about its plans to influence lawmakers and the public to accept the tracking devices it promotes. (2003/7/10) [AP] [No Cards Site] [Search Google News] (2003/7/16) [AFP]

Earlier, Junkbusters started a campaign aimed at stopping retailers from selling consumer goods such as clothing containing live tracking devices. It also aims to alert the public to the privacy threat that RFID (Radio Frequency ID) technology poses. (2003/4/4) [Junkbusters RFID info page] [Junkbusters RFID poster images] [Audio from CFP in streaming or MP3 formats]

The campaign was spurred by Benetton's plans to include the tiny, washable RFID devices in their garments. [SF Chronicle] [EE Times] [out-law.com] In dialog in early April, Junkbusters told Benetton it should either abandon its plans to plant identifying "bugs" inside its garments, or guarantee to permanently disable each transmitter at the point of sale before the article is taken out of any retail store. Mr Terry Phipps, Benetton's consulting CIO told Junkbusters it would disable them. However, Benetton's chief spokesperson later stated that Phipps ``didn't have the authority to speak on behalf of Benetton about whether the company planned to use the tags.'' (2003/4/7) [Computerworld] Benetton's press office earlier issued a statement that it has not made any decisions about deployment. (2003/4/4) [More on this] The AP subsequently quoted a spokesman as saying ``If the tags are introduced, Benetton will give customers the option of having the tags disabled or removed.'' (2003/4/8)

The model of RFID device that Benetton had been planning to use, called I.CODE and made by Philips Electronics, can be instructed to temporarily cease transmitting its unique identification number, but can be re-enabled and cannot be permanently disabled.

Benetton had earlier stated in newspaper reports that it had no plans to track the garments post-sale themselves, and claimed there would be technical difficulties in doing so. But in reality any other organization would have been able to do it independent of Benetton, with little difficulty or expense. For more detail see our section on Benetton and RFID. A Benetton technical officer has told Junkbusters it will not deploy RFID devices that it cannot permanently disable. Junkbusters is suspending its decision to boycott or campaign against Benetton pending a public statement by the company. For more detail see our section on Benetton.

Junkbusters aims to make universal among retailers the sensible policy of permanently disabling such bugs at point of sale. Junkbusters is publishing a series of "fake ads" aimed at drawing attention to the privacy threat of RFID in consumer items, and at putting companies on notice that they face a backlash if they sell privacy-damaging goods. The ads, which may be viewed and downloaded at http://www.junkbusters.com/jamming.html, somewhat parody the "United Colors of Benetton" advertisements, although they do not presently criticize or mention the company. ``If Benetton or any other company ever sells a consumer item containing a live RFID device they can expect to become the direct target of a campaign against their brand,'' said Junkbusters founder Jason Catlett. The fake ads are initially intended for news reports, consumer organizations' newsletters, and grassroots websites.

Catlett says that all manufacturers of consumer durable goods should ensure that any RFID-tagged items they make can be permanently disabled, and retailers should always do this at the point of sale. ``If common items such as clothing, wallets and car tyres become trackable, marketers will certainly start installing RFID readers in entrances to stores and car parks, to obtain more information about visitors,'' he predicted. ``Once any company associates your identity with a bugged item you're carrying, that item can give you away anywhere. If you make a purchase with a credit or loyalty card, the seller could link your identity with the RFID number of any tagged articles you are carrying, and use it later or even sell that linking information to other organizations. Vast databases of records of people's movements would become available to telemarketers, government investigators and divorce lawyers. Suppliers must be told now not to pollute our private possessions with indestructible bugging devices. These are privacy land mines, being manufactured in their billions. If these digital bugs escape live they will remain active for decades. They must be disarmed.''

For more details see our RFID page. To view the fake ads, see our image gallery.

[Feedback]  The fight for financial privacy

Consumers Union, the non-profit publisher of Consumer Reports, has launched a financial privacy campaign and website at http://www.financialprivacynow.org where consumers can join the fight for better financial privacy.

The banking lobby succeeded in killing a Californian financial privacy bill, the San Francisco Chronicle reported. (2003/7/10, p. A15) [SFC Editorial] [SJ Merc] This is the latest in a long-running campaign by banks to stop privacy laws. A petition may bring the issue to a referendum in 2004.

In 2002 the California Assembly voted narrowly against State Senator Jackie Speier's financial privacy bill, the San Francisco Chronicle reported. (2002/9/1, p. A1) [SFC earlier] [SFC on Ads] [Text of California Senate Bill 773] [PRC on 773] The Assembly committee earlier made an amendment that the bill's author called ``hostile'' to privacy. [SF Chronicle] (2002/8/23) Banks and insurance companies have been furiously lobbying against the bill, contributing millions of dollars to legislators and Governor Davis. ``Citibank and its executives recently have given Davis nearly $100,000,'' the Chronicle reported. Our opt-out letter to Citibank and Wells Fargo asks the companies to stop spending money opposing privacy rights and to lower fees instead. For more ways to stop financial institutions selling your personal information, see our opt out page. If you're a Californian who wants more privacy, send our sample letter to Governor Davis.

In 2001 California Governor Gray Davis tried ``to weaken a consumer measure that would prevent financial information from being sold to telemarketers or traded among corporations,'' the San Francisco Chronicle reported. (2001/8/29, p. 1) [Earlier SFC story] [SJ Merc Editorial 9/6] The changes proposed by the banking lobby would allow "contact information" such as addresses and telephone numbers to be sold to outside organizations. (Banks nationwide can do this now unless you tell them not to.) Also according to the Chronicle, "banking and insurance interests have spent $7.04 million in the first six months of the year to defeat various consumer and privacy bills" and have given more than half a million dollars to Davis.

Two major Californian banks are continuing their fight against a local government law that would require banks to obtain customers' consent before disclosing information about them, the San Francisco Chronicle reported. (2003/5/30) [Earlier SFC] (2002/9/13, p. A23) If you're a customer of Bank of America or Wells Fargo and think your bank should be lowering its fees instead of spending millions lobbying against your privacy, click on the name of your bank above for an opt-out and protest letter.

Separately, financial services firm CapitalOne Corp is marketing a credit card with the promise that cardholders will not receive telemarketing calls as a result of their relationship with the company, DM News reported. (2001/11/2) The company telemarkets to its other customers, the trade magazine said.

Separately, a lawsuit alleges that Citibank unlawfully disclosed to telemarketers and vendors private financial information about customer accounts. [Information Week] (2001/10)

A federal rule requiring financial institutions to provide notice to customers about what they do with their customers' personal information took effect on July 1st. [Washington Post] Consumer groups and congressional leaders have accused the banks of making the notices difficult to understand. The groups launched a site called http://www.PrivacyRightsNow.com to help people understand the notices. (2001/6/20) [Washington Post] The federal rule implements a 1999 law with some weak privacy requirements. Many banks have already sent notices, some of which contain instructions on how customers can ``opt out'' of certain disclosures, such as having their personal details sold to telemarketers. The law has been criticized by privacy advocates, who called for an ``opt in'' approach requiring affirmative consent, particularly because it allows banks to share data between members of the same corporate family, even in unrelated businesses. Junkbusters publishes a generic opt-out letter that can be sent to any financial institution, as well as letters for specific banks and credit card companies. The Privacy Rights Clearinghouse publishes a Fact Sheet.

The American Banking Association announced a survey claiming that ``nearly two out of three consumers read their banks' privacy notices.'' The survey figures show that about 36% read their notice, and the remainder either didn't get it or didn't read it. ``Let's hope their accountants can add better than their PR people,'' commented Junkbusters founder Jason Catlett. (2001/5/6)

A law that would significantly improve the privacy of consumer financial data and medical data was introduced by Sen. Paul Sarbanes, the ranking Democrat on the Senate Banking Committee. (2001/1/23) Titled the Financial Information Privacy Protection Act of 2001, it is co-sponsored by several Democrats and opposed by Senate Banking Chairman Phil Gramm (R-TX). [Congressional Record transcript] Junkbusters and many consumer groups have broadly supported the bill.

The Financial Services Modernization Act of 1999, HR 10 (also known as Gramm-Leach-Bliley, or GLB, after its sponsors), was a stunning victory for industry lobbyists who wanted businesses to be able to sell consumers' personal data with minimal impediment. The law provides for closer integration of banks, securities firms, credit unions, savings and loans, and insurance companies. (The Privacy Rights Clearinghouse publishes a Fact Sheet for consumers on GLB.) Privacy advocates sought an ``opt-in'' system where conglomerates would have to obtain consumers' permission before ``sharing'' data between affiliates; for example an insurance division getting details on the balances of a banking customer. Instead, the law allows through loopholes the selling of data without customers' permission to other businesses, and doesn't give consumers a way to stop having their data sold, even if they try hard. A bipartisan coalition led by Rep. Edward Markey (D., Mass.) and Sens. Richard Shelby (R., Ala.) and Richard Bryan (D., Nev.) said that the committee and the White House had caved in to special interests. The Wall Street Journal quoted Bryan as saying ``The complete lack of adequate protections is simply unacceptable.'' Their earlier attempts at amendments merely requiring effective opt-out were rejected. ``Congress has again shown its callous disregard for the privacy of Americans in its latest deal on bank legislation,'' said Junkbusters President Jason Catlett. The AP reported that Ralph Nader called on President Clinton to veto the package, calling it ``a threat to the safety and soundness of the nation's financial system and a reckless assault on basic protections for consumers and communities.'' [AP] [WSJ on Privacy] However the Wall Street Journal reported that the President ``has signaled that he will sign it into law, pending a review of final language.'' Privacy advocates say they will pursue a separate financial privacy law.
[NY Times] [CBS] [DM News] [Chicago Trib]

The law requires financial institutions to create privacy policies but as we have seen on the Web, these needn't protect privacy. House testimony by the US PIRG showed that most major banks already have privacy policies, but they do not protect privacy. U.S. Bank's privacy policy, printed in their Customer Agreement, stated ``We share your concerns about the privacy of your personal information and strive to maintain its confidentiality.'' Clearly they didn't strive very hard against the flood of millions of dollars from the telemarketers they sold it to.

The law seems to require that customers be allowed to opt out of having their data sold to unaffiliated third parties, but this provision is rendered ineffective by loopholes for business partners: a polite way of describing anyone who will give them enough money.

So what can you do? Tell your representative you want your privacy better protected by law. If you don't know your elected official in Washington, look up your representative online. [US PIRG guide] And you can try hard to get as much privacy as your bank deigns to give you by writing them a letter like this one. (Please tell us the address for your bank.) [Washington Post column]

Several recent incidents illustrated the need for comprehensive privacy protection in law. In June 1999 Minnesota Attorney General Mike Hatch sued U.S. Bank (USB), objecting on various legal bases to the bank's provision to Member Works Inc. the following information for its customers: ``name, address, telephone numbers of the primary and secondary customer, gender, marital status, homeownership status, occupation, checking account number, credit card number, Social Security number, birth date, account open date, average account balance, account frequency information, credit limit, credit insurance status, year to date finance charges, automated transactions authorized, credit card type and brand, number of credit cards, cash advance amount, behavior score, bankruptcy score, date of last payment, amount of last payment, date of last statement, and statement balance.'' In a statement U.S. Bancorp's CEO Jack Grundhofer characterized this kind of transaction as an ``industry-wide practice.'' The bank settled without admitting the charges, but a class action suit is in progress, with an interesting FAQ:

Q: ``Can you tell me with whom [U.S. Bank] shared my information?
A: Unfortunately, the lists of customers whose information was provided to the third party partners for marketing are not retained after the program is completed. Therefore, we cannot pinpoint which partners may have received your information.''

``I wonder whether the bank's memory is better about the details of the amount of money they received from their partners for handing over customer data,'' said Junkbusters founder Jason Catlett. In September U.S. Bancorp reached a preliminary settlement of $3.5 million in a class-action suit in Minneapolis U.S. District Court, the Wall Street Journal reported. (2000/9/25) [InfoWeek] The bank agreed to pay $2 million to about three dozen states to settle charges that it had illegally sold information about thousands of customers to a telemarketing company, the Journal said. The Journal later reported that the amount of the settlement was $3 million, whereas the bank received nearly $4 million in commissions from selling personal information on 900,000 customers to a telemarketing firm. (2001/2/26) In December 2000 Hatch also sued Fleet Mortgage Corp., alleging the company sold information about its customers to telemarketers, the Boston Globe reported. (2001/6/22, p. C6)

Another conspicuous incident was at Charter Pacific Bank of Agoura Hills, which sold 3.7 million credit card numbers to a convicted felon. In 1999 the Federal Trade Commission filed suit against Kenneth H. Taves, accusing him and related companies of illegal billing practices; in September 2000 the FTC announced it had won a $37.5M verdict against the scam. After reporting on a scam allegedly bilking 900,000 credit card holders, the LA Times ran an editorial opening: ``Banks have been selling detailed financial information about their customers to just about anybody.'' Under current US law the bank has done nothing wrong, the editorial says. ``That provides the strongest argument yet for a federal privacy law to protect consumers from their own banks.'' (1999/9/14) Bank Rate Monitor reported that many of the credit cards were not issued by the bank, but merely processed by the bank. Junkbusters President Jason Catlett commented that ``This illustrates how the "opt-out" system is unworkable: you don't know who will process your data so you can't tell them not to disclose it. Consumers can't keep their details out of the Internet pornographers' databases merely by avoiding the Internet and not buying pornography, because the banks that sell the information to them process transactions for all kinds of businesses.'' Charter Pacific Bank processes approximately $11.5 million a month for the ``adult industry'' -- accounting for 46 percent of the bank's credit card business, Business 2.0 reported in 1999. The bank was later acquired by First Banks America (FBA). (2001/9/17) Privacy Times pointed out that whereas the majority of a bank's revenue typically comes from lending, most of Charter Pacific's came from credit card processing.

Adult Web sites use two types of lists of credit card holders, according to the California Department of Financial Institutions: lists of consumers who dispute charges, and lists of those who use adult sites but don't cause these ``chargebacks.'' The latter is obviously valuable as a ``sucker list'' for criminals. In an overview of fraud methods, a University of Minnesota academic points to the low incidence of these frauds in Germany, where banks have very rigorous security for transactions and strong privacy laws. ``By allowing banks practically free trade in personal financial information, Congress is enabling these undesirable and dangerous practices to become widespread,'' said Catlett.

[Feedback]  Microsoft gives up pushing Passport

EBay said it will drop support for Microsoft's Passport. Microsoft said it will stop marketing Passport to other sites. [Info Week] (2004/12/30)

Yet another security lapse by Microsoft left Passport users open to intruders, the AP reported. [Microsoft statement] (2003/5/8) Junkbusters founder Jason Catlett commented: ``Microsoft has demonstrated again and again that their ambition to be the world's gatekeepers is not matched by the technological competence.''

European privacy commissioners announced a settlement with Microsoft involving changes to Passport, according to Reuters and the Wall Street Journal. [Globe Mail] [Reuters] (2003/1/31)

Security analysts at research firm Gartner urged companies to stop using Passport, Internet News reported. ``Microsoft failed to thoroughly test Passport's security architecture, and this flaw -- uncovered more than six months after Microsoft added the vulnerable feature to the system -- raises serious doubts about the reliability of every Passport identity issued to date,'' Gartner said. The report said that financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose should immediately break all Passport connections "until Microsoft can prove that its security is adequate." (2003/5/18)

The FTC earlier investigated Microsoft's Passport and reached a settlement with the company. [Reuters] [FTC announcement] [Microsoft Press Release] [WSJ] [Bloomberg] [AP - Bridis] [AP - Hopper] [Infoworld] [Seattle PI] [CNET] [Geeknews] [Washington Post] [CBS Marketwatch] [MSNBC] [SF Chronicle] [Guardian] [Search Google News] (2002/8/8) Over a dozen privacy and consumer groups had petitioned the FTC to investigate more than a year prior. Junkbusters founder Jason Catlett commended the FTC for its investigation and Order, calling it ``a landmark case for online privacy and security.'' However, he did express disappointment that many areas of the groups' petition were not addressed, such as the allegations of coercion, which FTC Chairman Muris said were better handled as part of the antitrust suit by the non-settling States. ``Although finding that Microsoft has bad security may seem like concluding the obvious, it's very significant that a government agency conducted an on-site investigation, found inadequate security and surreptitious data collection, then put long-term conduct remedies in place. This is the FTC's second such action. This function should become routine.'' The FTC found that Microsoft collected and retained for months a personally identifiable sign-in history for individual users with records of the date, time, and sites visited. The FTC did not require Microsoft to disgorge the registrations it had wrongfully collected, as privacy groups had asked, though it is not clear whether Microsoft deleted this history as a result of the investigation. Catlett said that ``Microsoft has a shameful history of lying and surreptitiously collecting personal information, so it is proper for it to be watched and penalized for this behavior.''

The EU had also investigated Microsoft on the same topic. In August 2001 the groups expanded their complaint, and Microsoft made some minor changes to Passport. In October consumer and privacy groups criticized the FTC for its apparent inaction. In January privacy groups sent an open letter to all State Attorneys General asking them to stop Microsoft's Passport system from violating privacy and state laws. [EPIC Sign out of Passport page]

Separately, a large Microsoft customer database was for a time accidentally available to the public to download, Wired News reported. (2002/11/20)

[Feedback]  Congress pulls plug on totalitarian database

Congress cut off funding for the DoD's TIA project. (2002/10) [EPIC on TIA] The Pentagon had changed the name of its planned surveillance system from "Total Information Awareness" to "Terrorism Information Awareness". Other details remained the same; few were greatly comforted by this move. (2003/5/20) [AP] At the time Junkbusters founder Jason Catlett said that the Pentagon's claim that it would only analyse data about terrorists is preposterous, especially given that the planned data storage capacity greatly exceeds the Library of Congress. ``Suppose that the TSA said "We're only going to look inside luggage owned by terrorists" and then ordered 100,000 X-ray machines, nobody would believe them. But when the Pentagon is planning a massive software search machine, somehow they think they can get away with putting a nice-sounding label on it and saying "nothing up my sleeves."''

A non-partisan coalition of groups wrote to the Senate leadership urging them not to enable the privacy-invasive government project. (2002/11/19) The Defense Advanced Research Projects Agency (DARPA) is developing a surveillance system called "Total Information Awareness" (TIA), aimed at detecting terrorists by collecting and analyzing enormous amounts of information about everybody. The development of the system is directed by John Poindexter and would give law enforcement access to private data without suspicion of wrongdoing or a warrant. (2002/11/14) [NY Times Editorial] [Washington Post Editorial] [Washington Times] [Wendy Grossman on TIA] [DoD press conference transcript] [AP]

Conservative NY Times columnist William Safire denounced the plan in harsh and blunt terms, beginning:

If the Homeland Security Act is not amended before passage, here is what will happen to you: Every purchase you make with a credit card, every magazine subscription you buy and medical prescription you fill, every Web site you visit and e-mail you send or receive, every academic grade you receive, every bank deposit you make, every trip you book and every event you attend - all these transactions and communications will go into what the Defense Department describes as "a virtual, centralized grand database." [NYT Column]

Junkbusters founder Jason Catlett called the project ``a colossal folly that would not achieve its stated aim, but would establish a degree of government surveillance far beyond what is unacceptable to a democratic society. This Strangelovian "Doomsday Database" should more accurately be called the "Totalitarian Information Archive." Its blueprints should be sent to the scrapheap without ever being built.''

A Pentagon spokesperson defended the project in a press conference saying that the system was a prototype being developed with fake data. [AP]

[the] experiment will be demonstrated using test data fabricated to resemble real-life events... In order to preserve the sanctity of individual privacy, we're designing this system to ensure complete anonymity of uninvolved citizens, thus focusing the efforts of law enforcement officials on terrorist investigations. The information gathered would then be subject to the same legal projections (sic) currently in place for the other law enforcement activities... There's some real data that we use, but it's normal data that's available legally. The privacy issues, those will be fabricated stuff.

The spokesman also defended Poindexter's suitability to lead the project given his history of lying. Nobody asked the question of why millions were being spent to develop a system that could not legally be deployed.

[Feedback]  Junkbusters asks FTC to investigate eBay (again)

Junkbusters founder Jason Catlett wrote an open letter asking the FTC to investigate eBay again, over recent changes to the representations on its web site about its privacy practices. (2003/4/22) [Letter and background] [Washingtonpost.com] [Computerworld] [Ad Age] [Out-Law.com] [Search Google News] He commented: ``There's a tragi-comic contrast between the "good news" summary version of their privacy policy and the long fine print. The average visitor, who glances only at the cheerful headlines, will be lulled into a false sense of privacy and security. With this year's changes, the duplicity gap has become even wider. It's a shameful product of marketers trying to reassure customers that everything's dandy and lawyers trying to cover the company so it can do what it feels like.''

Separately, EPIC, Junkbusters and about ten privacy and consumer groups sent a complaint to the FTC about Amazon.com for violations of COPPA. (2003/4/22) [CNN] [SJ Merc] [Washington Post] Junkbusters also maintains a page about its objections to Amazon's practices.

In March 2002 eBay changed a clause in its newly released privacy policy that would repudiate all other privacy representations. (2002/3/19) [News.com] [AP/USAToday] Junkbusters founder Jason Catlett said ``eBay should never have attempted to impose on its users such a profoundly anti-consumer contract clause. Imagine the scorn that would be heaped on an electronics merchant who claimed that in the event of any price discrepancy between their newspaper ad and their catalog, the catalog price would have to be paid. But that is the equivalent of what eBay was trying to do with privacy.'' Catlett added that the amended policy is still far from satisfactory, noting that eBay did not state it was changing its new policy of letting itself disclose any information about any eBay user at its ``sole discretion.''

eBay spokesman Kevin Pursglove told News.com the changes would ``simply clarify it, simply make it easier to understand. We're going to say the same thing, only a little bit differently.'' Junkbusters founder Jason Catlett retorted that the change was not a matter of clarity but of substance. ``The backdown removes a nasty piece of lawyering aimed at severely reducing consumer rights and replaces it with bland PR speak that is probably harmless. If this two-steps-back, one-step-forward pattern continues to be the way large companies change their policies, privacy is going to be trammelled. It illustrates the folly of leaving privacy up to the convenience of corporate America. Consumers need strong statutory rights for privacy.'' Pursglove told the AP ``The message we heard was that the paragraph dealing with the conflict of terms could be clearer and more to the point.'' Catlett retorted saying: ``My letter to the FTC didn't mention clarity or complain about prolixity or discursiveness. I used words such as "deceptive," "outrageous," and "grossly unfair."''

Three weeks earlier, Junkbusters founder Jason Catlett asked the Federal Trade Commission's Director of Consumer Protection Howard Beales in a harshly-worded open letter to investigate online auction site eBay (EBAY) over changes to its privacy policy. (2002/2/27) [News.com] [Internet News] [DM News] Catlett called ``outrageous'' a new clause of the policy repudiating privacy representations made elsewhere.

In a statement quoted in USA Today, Beales said ``Fine-print disclosures are not necessarily adequate to correct deceptive headlines in advertising. Privacy promises are no different.'' (2002/2/28)

In rebuttal, eBay spokesman Kevin Pursglove told Internet News: ``Mr. Catlett's comments notwithstanding, eBay does not provide, sell, rent, share or in any other way disclose personally identifiable information to third parties.'' Catlett pointed to an appendix to eBay's privacy policy titled How third parties may have access to your information you disclose to eBay which indicates dozens of cases where such information is disclosed to various kinds of parties. He expressed surprise that a company spokesman would make such a representation so directly contradictory to its overriding privacy policy, and speculated that ``eBay's PR department may have been spending too much time reading its own marketing materials and not enough on the details of its privacy policy.''

Mr Pursglove told Newsbytes: "We had a very frank conversation with Mr. Catlett, and he gave us several suggestions. We have taken his recommendations under advisement." (2002/2/28)

In January 2001 eBay angered users by resetting their preferences on receiving solicitations. [News.com] [USAToday/AP] [Wired News]

When eBay acquired European competitor iBazar, the Dutch Data Protection Authority objected to eBay's plan to transfer account information from Europe to the US on an opt-out basis. For French citizens it used an opt-in basis, and eventually agreed to an opt-in for the Dutch. (2001/6)

In August 2000 the LA Times reported that ``A "freak technical" glitch at EBay Inc.'s online payment unit, Billpoint Inc., allowed some users to temporarily access personal information--including credit card numbers--about other Billpoint customers...'' (2000/10/10)

In January 2000 the FTC announced that ReverseAuction.com Inc. had agreed to settle charges of deceptive practices in email marketing made against it by eBay. (2000/1) [OS Opinion]

Many eBay users have complained that soon after they bid on eBay, they receive spam from other parties. (A preventive measure is to sign up with a separate disposable email address.) eBay has lobbied Congress to include in a weak spam law a section prohibiting the harvesting of email addresses, but it has not supported a prohibition against spamming, making their proposal appear more aimed at protecting their own commercial interests than the broader privacy of Internet users. (2001/6/15) [Ecommerce Times] When questioned in a Senate hearing, Junkbusters founder Jason Catlett said that stopping harvesting would not solve the spamming problem.

[Feedback]  Verizon sues to use customer information without consent

Verizon (VZ) filed a lawsuit against a Washington state regulation that requires them to obtain customer consent before using phone call records for their marketing purposes. (2002/11/22) [Seattle PI] [Reuters] Junkbusters founder Jason Catlett criticized the move as ``yet another example of phone companies attempting to plunder their customers' privacy for profit.'' EPIC earlier wrote to Verizon asking them to abandon a plan that they called ``unfair and needlessly jeopardizes the privacy of telephone subscribers.'' (2002/2/7)

People who want to tell Verizon that records of their calls shouldn't be used for marketing purposes can send a letter like this one.

Qwest (Q) announced it would suspend its similar plans to share information based on its customers' calling patterns among its various divisions. (2002/1/28) [Qwest Release] [AP] [Reuters] [ZDNet] Reuters reported that the Arizona Corporation Commission had been considering legal action against the company.

However, Qwest continues to sell other information about its customers through its subsidiary Qwestdex. For example, it gets 40 cents each time it sells numbers to telemarketers on the first day a customer begins service. Its web site boasts: ``Our New Telephone Hookups list provides detailed information about new residents within 24 hours of their arrival so you can reach them first.'' The number to be removed from QwestDex marketing lists is (800) 244-1111. ``New customers had better call fast,'' said Junkbusters founder Jason Catlett. Qwest later announced its intention to sell Qwestdex. (2002/8/20)

Privacy groups have long opposed Qwest's campaign to use people's calling patterns to profile them. A group led by EPIC filed reply comments before the Federal Communications Commission urging the adoption of an opt-in standard for use of phone call records for other purposes. (2001/11/16) [AGs comments on CPNI]

In June 2000 the U.S. Supreme Court declined a request to hear an appeal to protect the privacy of phone subscribers. [AP] [Reuters] (2000/6/5) Junkbusters founder Jason Catlett said that while he was disappointed that the Court decided not to hear the case, the Court's choice doesn't reflect its views on the merits of the case. ``The lower court's anti-privacy decision is simply wrong,'' he added.

In a friend-of-the-court brief more than a dozen consumer and privacy organizations including Junkbusters and twenty legal scholars urged a federal appeals court to reconsider a decision that would allow telephone companies to use private telephone calling records for marketing purposes. (1999/10/22) [EPIC litigation page]

In August 1999 an appeals court ruled unconstitutional privacy protections that require phone companies to obtain the consent of a subscriber before using their phone records for marketing purposes. (1999/8/19) [Details] The anti-privacy decision is inconsistent with previous constitutional tests of privacy laws such as the Fair Credit Reporting Act. The suit was brought by US West, which like many telcos wants to be able to make money from consumer data without getting permission from the people concerned. In a dazzlingly self-serving piece of corporate doublespeak, the company called the decision "definitely consumer friendly" because it allows the company to offer new services more efficiently. Junkbusters President Jason Catlett retorted that under this logic "a burglar might call his thieving ``homeowner-friendly'' because it makes consumers' homes feel more spacious and is more efficient than removalist services." [NY Times] [MoneyCentral]

People who want to tell US West not to use records of their calls for marketing purposes can send a letter like this one to PO Box 3766, Omaha NE 68102 by physical mail, or to privacy@uswest.com by email. (Please tell us whether you get a response within a month.)

Qwest is not the only telecommunications company to want to market based on profiles of their customers' phone usage. In comments to the FCC, AT&T stated: "As for those customers who decline to opt out, there is no reason to believe that they place a high value on keeping their CPNI private, and thus no basis for concluding that an opt in requirement materially furthers any interest in protecting privacy." Sprint Corporation also asserted that an opt-out regime meets the requirements of the law. (In the Matter of Implementation of the Telecommunications Act of 1996, Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, CC Docket No. 96-115, CC Docket No. 96-149, Nov. 01, 2001, citing to U.S. v. Playboy, 529 U.S. 803 (2000).)

Qwest's plan to charge people $1 a month to keep customer addresses private was put on hold by the Colorado Public Utilities Commission, Newsbytes reported. (2001/10/18)

Verizon (formerly Bell Atlantic) settled with the state of Pennsylvania after the telecom giant allegedly sent 10,000 postcards to lawmakers on behalf of users who never consented to the mailings, Wired News reported. (2000/8/10) Verizon was formed by the merger of Bell Atlantic and GTE, which in April 1998 improperly revealed about 50,000 unlisted numbers and addresses in the lists that they routinely sell to telemarketers. Cases of phone companies fabricating consent from consumers are endemic in the industry; the term slamming describes changing carrier without consent, and cramming describes adding additional services that were not ordered. In one incident Qwest produced the alleged "signature" of a consumer named Boris, who turned out to be a deceased dog. (1999/10/19) [ZD]

[Feedback]  Privacy groups accuse Amazon of violating children's privacy

EPIC, Junkbusters and about ten privacy and consumer groups asked the FTC to investigate Amazon.com for violations of COPPA. Details are available at EPIC's site. (2003/4/22)

Junkbusters and EPIC wrote an open letter to the State attorneys general who investigated Amazon.com, arguing that further action is required to protect its customers' privacy. (2002/10/8) [News.com] [News.com 2] [PC World] [IT World] [AtNewYork] [DM News] [Seattle PI] [Law.com] [Wired News] The Massachusetts AG's office replied, saying among other things that it wanted Amazon to respond to the letter, and that Amazon would have to obtain the permission of people who emailed never@amazon.com before selling their personal information in the event of a business transfer. They said that the ability to delete records would be helpful to privacy, but is not required under current law. Amazon spokeswoman Patty Smith told Wired News that Amazon does not currently allow users to delete records ``because the company believes the data can be useful for future customer service programs or for making purchase recommendations.'' This contrasts with her earlier excuse about taxation.

Amazon.com (AMZN) had said it would change its privacy policy again, following meetings with consumer protection officials from a dozen states led by Massachusetts. (2002/9/25) [CNET News.com] [Internet News] [Seattle PI] [CRM Daily] [AP/WSJ] [Infoworld] [Search Google News] In a letter to the officials, Amazon VP and Associate General Counsel David A. Zapolsky said ``we are not making any material changes in our policies and practices regarding customer information this time...'' and that the company would merely ``expand some of the examples provided in the Notice, as well as clarify some of the provisions that may have been misunderstood in the past.'' Amazon will disclose more information about how it uses external data sources such as credit bureaus to ``enhance'' data it holds about its customers, but it will not give its customers the right to see all the data it accumulates about them. It will disclose more about the ``partners'' with which it shares data, but it will not give people the right to delete their personal data. Amazon says it may still sell its data about its customers along with a division, even if they asked Amazon never to sell their personal information. Amazon spokeswoman Patty Smith told the Seattle PI ``Customers can't delete records, for tax and business reasons.'' Junkbusters founder Jason Catlett mocked this excuse as patently false. ``Does the IRS require a record of the fact that Monica Lewinsky purchased Leaves of Grass?'' In 2000 Catlett criticized this excuse in an open letter to Jeff Bezos.

Massachusetts Attorney General Tom Reilly said in a statement that the company had agreed to "wide-reaching changes" in its privacy policy, and that "Amazon will not sell its customer database to marketers." However, Amazon can sell its database wholesale to a marketer, as part of a division, as explained in the following new language to be placed in the privacy policy a few weeks later, according to a footnote in the letter.

As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise). Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.

The last sentence logically contradicts the second-last sentence because Amazon made a promise in a pre-existing Privacy Notice (namely its policy before 2000) never to sell personal information about customers who requested this. Junkbusters founder Jason Catlett agreed with Amazon that the changes the company described are not very substantial, and reiterated his long-standing demands, which Amazon has repeatedly rejected, for a commitment never to disclose personal information without consent, to delete personal information on request, and provide individuals with full access to their personal data including ``enhancement data'' Amazon obtained about them. He also repeated his call from a year earlier for Amazon's information practices to be audited, on the grounds that following the Alexa investigation the company's own statements about its practices could not be trusted.

Separately, Amazon has again been lobbying against new federal privacy rights, and in favor of a bill that would weaken privacy rights in the states. For more on Amazon's history on privacy, see our earlier news or the source materials of our campaign.

[Feedback]  House holds hearings on anti-privacy law

The House held hearings on H.R. 4678, which is called the Consumer Privacy Protection Act of 2002. (2002/9/25) Junkbusters founder Jason Catlett said the bill should be renamed ``The Consumer Privacy Prevention and Preemption Act of 2002.'' Marc Rotenberg of EPIC testified: ``In many respects it seems crafted to protect privacy violators from legal accountability. On almost every key provision it favors industry over the consumer, the invasion of privacy over the protection of privacy... The bill appears to ignore the testimony of every public interest advocate appearing before the Subcommittee.'' [DM News] [Eweek] [Computerworld] Reuters reported that ``U.S. consumers are unlikely to see new federal privacy protections this year.'' The bill is sponsored by Rep. Cliff Stearns, R-FL, and is widely supported by corporate lobbyists. Amazon.com, criticized for its violations of privacy, even claimed to be supporting it on behalf of its customers. Amazon.com opposes the competing Senate bill, which privacy advocates say would provide some real protection of privacy. For ways you can tell Washington you want better privacy law, see our action page.

In 2001 the American Electronics Association proposed principles for new Internet privacy laws. [Wall Street Journal] (2001/1/18, p. B6) [TechWeb] [CNET] [Reuters] [Bloomberg] [Industry Standard] [ComputerWorld] Although a few businesses have already made such calls, this is the first major trade association to abandon the line that self-regulation will protect privacy. The AeA's principles were described by the Journal as "minimal." A sample: "Legislation should not create any new private rights of action." (Translation: consumers should not be able to sue companies who misuse their personal information.) Together with a provision preempting any stronger state law, such legislation would actually reduce privacy, said Junkbusters founder Jason Catlett. ``The industry's current proposals amount to a Privacy Rights Prohibition Act.'' Congress failed to pass any Internet privacy bill in 2000, let alone the strong bill supported by Junkbusters and other privacy organizations.

Industry lobbyists have long sought, and privacy organizations have long opposed, preemption of state law. (One conspicuous case is the industry-funded CDT.) In 2000 Catlett testified before Senator John McCain on this issue, and addressed the annual conference of the National Governors Association, urging them not to tolerate preemption. The banking lobby sought preemption of state law in the weak privacy provisions of the Financial Services Modernization Act of 1999, but failed to obtain it.

Separately, the venture capital magazine Red Herring wrote an open letter to President-elect Bush calling for Internet privacy legislation. (2001/1/16) The letter concluded that ``in the end, companies, as a group or individually, simply cannot be trusted to act in the best interests of consumer privacy.'' They should know.

Separately, the National Association of Attorneys General was expected to urge federal lawmakers not to pre-empt state laws, and to include in any new federal law provisions allowing for state-based enforcement, the Industry Standard reported. (2001/1/23) But they stopped short of this, the Standard later reported. (2001/3/16)

Separately, Junkbusters, EPIC and several consumer groups sent a letter to President-elect Bush and several political leaders "to take action early this year in support of privacy protection for Americans." (2001/1/16)

[Feedback]  Email lists stolen

Email marketing outsourcer Lyris Technologies said that e-mail addresses that its SparkList division housed for other companies were stolen, and people on this list are being spammed. (2002/9/19) [CNET] [DM News] [WSJ] (2002/9/12) [CNET] [Computerworld] [NY Times] [DM News]

[Feedback]  DoubleClick settles with AGs

Doubleclick settled with the Attorneys General of ten states after an investigation of its privacy practices. (2002/8/26) [AGs Release] [Full Text of Agreement] [DCLK Release] [WSJ] [Reuters] [AP] [Seattle PI] [Infoweek] [Direct Mag] [DM News] [Washington Post] [LA Times] [Guardian] Junkbusters founder Jason Catlett commented:

The states obtained some real concessions, in contrast to previous litigation, but Doubleclick will continue to track billions of web pages viewed daily. The settlement makes this massive surveillance more transparent, but it doesn't make it fair. The majority of Internet users will still have their privacy unknowingly violated. Doubleclick's stockpile of surfing logs continues to grow.

The AG's case was the last major attempt to protect privacy from Doubleclick under laws that were written before cookies were invented. Americans urgently need specific online privacy legislation.

The web sites in Doubleclick's surveillance network have to disclose the fact in their privacy policies, but there's no requirement that consumers be asked to consent to Doubleclick's profiling. The vast majority of people online would want to be asked before profiles are built about them, and this should be required by law. The European Union is starting to require this, and for years Doubleclick's European operations have been far less intrusive than its US ones.

Doubleclick says it is working on a "cookie viewer" to allow surfers to see the targeting profiles associated with their computers. This is like opening the door on a small closet in Doubleclick's enormous data warehouse. The principle of access should be extended to the tens of thousands of pieces of data held about the average person online, to all the personal information on catalog buyers in Doubleclick's Abacus division.

In separate litigation, a federal court earlier approved a settlement despite objections by privacy groups. (2002/5/22) [Internet News] Junkbusters and the Electronic Privacy Information Center (EPIC) formally objected to the proposed settlement of various suits in state court against DoubleClick, on the grounds that it does not give consumers adequate protection. [Newsbytes]

Doubleclick reached the proposed settlement of some of its class action suits. (2002/3/29) [Reuters] [DCLK release] [SJ Mercury] [Computerworld] [Register] Junkbusters founder Jason Catlett commented: ``This settlement is far too mild considering DoubleClick's continuing invasive surveillance. The FTC should have acted, and Congress should have given Americans statutory rights against such online snoops. Doubleclick continues to snap surfers billions of times a day as they move around the web, without consent and without the necessary protection of privacy.''

DoubleClick said it has suspended its online profiling service, CNET reported. (2002/1) Junkbusters founder Jason Catlett said ``Spying on people doesn't always pay. DoubleClick's claims that the online economy would collapse if they weren't permitted to profile people have been shown false.''

Earlier, a federal judge dismissed claims under federal law, but various state suits have passed through that phase. The law firm Bernstein Litowitz Berger & Grossmann LLP said it is appealing that dismissal. (2001/6/13)

Announcing a new privacy policy, Doubleclick's Chief Privacy Officer claimed that "DoubleClick is committed to executing its business in the most open manner possible." Junkbusters founder Jason Catlett wrote an open letter to DoubleClick President Kevin Ryan rebutting this claim and calling for several actions that would make DoubleClick more open. (2001/6/1) [DCLK Press Release] [CNET News.com] [Internet News] [Newsbytes]

Doubleclick's computers were hacked several times in March 2000. (2001/3/29) [Internet News] Doubleclick earlier admitted its computers had been infiltrated by hackers. (2001/3/23) [Internet News] [WSJ] [CNET] [Transfert (French)] [Kiketoa 1] [Kiketoa 2] Doubleclick had said after the first break-in that it had patched the holes, but a vulnerable computer was demonstrated to MSNBC three days later. (2001/3/26) DoubleClick declined to answer the Journal's question of whether any data had been stolen by the hackers. Junkbusters founder Jason Catlett commented: ``Doubleclick has more than a trillion clickstream records and billions of personally identified records on about 90 million Americans. DoubleClick chooses to keep this information secret from the people it concerns, but apparently can't keep it out of reach of foreign hackers. This is scandalous.'' Catlett wrote to Doubleclick demanding a published audit. (2001/3/28) The Wall Street Journal reported the following day that DoubleClick had commissioned ``PricewaterhouseCoopers LLC to conduct a security audit of its computer systems,'' but did not say whether the audit report would be made public.

Separately, Judge Naomi Reice Buchwald dismissed class action suits under federal law against DoubleClick. (2001/3/28) [WSJ] [DoubleClick Press Release] [Law.com] [Court Opinion] [NY Times] (Suits in California and Texas under consumer protection law continue, having already survived similar motions to dismiss.) Junkbusters founder Jason Catlett said he disagreed with the judge's finding that DoubleClick's policies of using cookies were well-known to Web surfers, adding that most people have not even heard of the company, let alone being aware of its surveillance practices. He also disagreed with the judge's statement that "DoubleClick will not collect information from any user who takes simple steps to prevent DoubleClick's tracking," commenting that DoubleClick's cookie-based opt-out method is flawed from both the policy and technology perspectives. Legal commentators have questioned the argument that the consent to cookies of the web site publisher suffices, rather than the surfer on whose computer the cookie is placed. Catlett commented that ``the decision shows the need for specific laws to restrain data collection on the Web, as well as general technology-independent laws governing the use and disclosure of personal information.''

For more history on DoubleClick, see below.

More and more people annoyed by intrusive banner ads are turning to ad filtering software, the New York Times reported. (2001/6/13)

[Feedback]  Suit against drug site tracker dismissed

A federal court ruled that a company that used cookies and web bugs to track users across the sites of drug manufacturers did not violate federal wiretap, computer hacking or privacy statutes, Reuters reported. (2002/8/22) [Court's opinion]

In 2000 the Washington Post reported that a company called Pharmatrak (2000/8/14, p. E1) is using Web bugs, ``surreptitiously tracking computer users across the Internet on behalf of pharmaceutical companies, a practice that demonstrates the limits of a recent agreement to protect the privacy of Web surfers.'' [Infoworld]

[Feedback]  Class action suit against junk faxer

Californian privacy activists filed a $2.2 trillion lawsuit against facsimile marketer Fax.com, Reuters reported. (2002/8/23) [FCC Enforcement page] [Infoworld/Reuters] [CNN/AP] [Wired News on Fax.com evasion]

The Federal Communications Commission earlier proposed a fine of $5.38 million against Fax.com for sending junk faxes, the largest fine by the agency for such a violation. (2002/8/7) Junk faxes are prohibited by federal law. The FCC previously fined junk pusher 21st Century Fax more than a million dollars. [Newsbytes] [FCC release] [junkfaxes.org on 21C] [junkfaxes.org on 21C] [Law News Network on junk faxes]

[Feedback]  Eckerd Drug changes junk consent

Following an investigation by the Florida Attorney General's Office, Eckerd Corp. will pay $1 million and revise its information practices. (2002/7/22) [DM News] [ABC News] Eckerd had its customers sign a form acknowledging the receipt of a prescription that included giving the company permission to use the information for marketing purposes. A separate lawsuit was filed by a man who claimed he received solicitations about a new HIV drug. ``Junk consent is creeping into the fine print of transactions everywhere, and it's damaging our privacy,'' said Junkbusters founder Jason Catlett.

[Feedback]  Alternative to Microsoft Passport specified

The Liberty Alliance announced a specification for a single sign-on system that is an alternative to Microsoft's Passport. (2002/7/15) [Press Release] [AP] [SJ Merc] [VNUnet] [The Register] [Economist] [EPIC on Project Liberty] Since 2001, Microsoft's competitors have been promoting plans for identity services of their own. AOL's "Magic Carpet" was the first. [Washington Post] Sun Microsystems led a consortium called the Liberty Alliance Project. (2001/9/26) [CNET] [WSJ] [Wired/Reuters] [Sun Release] [CNET on AXP]

Microsoft and Arcot Systems are planning a service to allow Passport usernames and passwords to be used for MasterCard and Visa credit transactions. (2002/7/9) [CNET] Microsoft Passport already had an option for users to store their credit card information, but only 14 percent of Passport users did, according to a study by the Gartner Group. Junkbusters founder Jason Catlett commented:

Consumers are right not to hand Microsoft their credit card numbers, because of Microsoft's awful record on privacy, security and business practices. Having credit card numbers on file also supports Microsoft's long-term goal of collecting an annual tax for Windows.

Separately, Microsoft has changed its media player to tell users explicitly about some of the ways it reports their activity, CNET reported.

[Feedback]  Microsoft licence terms accused of violating banking laws

A credit union chief information officer says that a Microsoft End User Licence Agreement (EULA) may put financial institutions in violation of federal privacy laws. (2002/10/22) [Internet.com] [Mac Observer]

Microsoft has started requiring users of Windows Media player to allow Microsoft to turn off apparently any part of their computer that Microsoft might choose. The Register quoted the End User Licence Agreement "You agree that [... Microsoft ... ] may disable your ability to copy and/or play Secure Content and use other software on your computer." Junkbusters founder Jason Catlett called the Agreement unconscionable.

Microsoft has disclosed a new project that would use encryption to seal off certain data and code within Windows, out of control of the user of the PC. (2002/6/25) [AP] [Newsweek] [ExtremeTech] [CNET] [InfoWorld] [InternetWeek interview with Juarez] [Washington Post] [The Register] [ExtremeTech] [EPIC Sign out of Passport page] [Ross Anderson on TCPA] [EPIC on Palladium] [Infowarrior] [Internet News] Junkbusters founder Jason Catlett commented: ``I'm weary of the steady stream of code names from Redmond that try to repackage the unpalatable idea that everyone should put more of their data under Microsoft's control. Their PR department seems to hope that if they keep making up new names and overstated benefits that everyone will just let Microsoft do whatever they want.'' (Palladium was later renamed Next-Generation Secure Computing Base (NGSCB).) (2003/5) [CNET]

The project manager for Palladium, Mario Juarez, cites three areas Palladium seeks to improve: system integrity, personal privacy, and enhanced security. None of these sound convincing to us. On system integrity, the system would have a kind of micro-OS within the OS, which they call a TOR (Trusted Operating Root). ``It's true that it's easier to reduce the number of flaws in a smaller piece of software than a larger one, but given their history we have no reason to assume that Microsoft will be able to keep even the micro-OS defect-free and invulnerable,'' said Catlett. (This point has been made by the eminent security specialist Bruce Schneier). ``Palladium will not fix the defects in Microsoft's other software and services: it would not have prevented Microsoft's numerous security breaches in Hotmail, for example.''

On personal privacy, Microsoft's proposed idea of a blind agent (which they call `My Man') handling encrypted data doesn't make sense as a solution to the problems of Internet privacy. Most violations of consumer privacy are not caused by hackers exploiting bugs but by the deliberate policies of the companies holding consumer information. Palladium would not change this. The Newsweek article also quotes ``the geeks implementing Palladium'' as claiming the system could stop junk email. This is obviously snake oil: ``Eventually, commercial pitches for recycled printer cartridges and barnyard porn can be stopped before they hit your inbox-while unsolicited mail that you might want to see can arrive if it has credentials that meet your standards.'' There are few cases where recipients would have in advance cryptographic credentials for everyone they are willing to receive email from, and people in such situations can already implement that policy without Palladium. (This illustrates a more general point: much of the functionality talked about for Palladium is available already; another example is the encryption of data, which is routine in some environments.) But if Microsoft is proposing to maintain and enforce a list of acceptable senders of email, that is even more unacceptable than an elected government attempting to do so. It would be like Ford or GM trying to take over the functions of the DMV. Only worse: Microsoft is a court-certified lawbreaker.

The third benefit Juarez cites, enhanced security, is more a benefit to companies than consumers. A patent issued to Microsoft describes how an operating system would ``[limit] the functions the user can perform on the rights-managed data...'' The ability to "seal data" on a user's computer and restrict what can be done with it is just what companies such as record labels have been clamoring for, but it is of little use to the average user. On the contrary, as Matt Loney commented, ``...it appears that limitations built into Palladium could redefine "fair use" of digital media from a legal right, to a technological grant from a company.'' Further, the company's history does not inspire confidence. ``The words 'Microsoft' and 'trust' only really seem to fit together with the help of an 'anti' somewhere in the middle,'' he wrote. ``Lawbreakers are not suitable as gatekeepers,'' Catlett said.

Palladium is supported by Intel and AMD. The Register drew comparisons to the Intel Processor Serial Number incident.

``If Microsoft really wanted to improve privacy and security, there are dozens of repairs they could perform on their existing software,'' Catlett said, pointing to Richard M. Smith's laundry list, and citing particularly Microsoft's defaults for cookies.

[Feedback]  EU may investigate Microsoft Passport

The European Union is investigating privacy issues in Microsoft's Passport system. (2002/7/2) [WSJ] [ZD] http://www.infoworld.com/articles/hn/xml/02/07/02/020702hneupassport.xml [Infoworld/Reuters] The move had been anticipated. (2002/6/11) [Reuters] [IT World] [Bloomberg] [USAToday] Reuters also revealed that Microsoft had supplied information to the Federal Trade Commission in Washington, which has also been asked by U.S. privacy groups to investigate Microsoft. The EU may also investigate the legality of IDs in media players, Reuters reported. [Dow Jones] (2002/6/14)

Separately, Microsoft has been accused of resetting the privacy preferences of Hotmail users. (2002/5/14) [Newsbytes] [Eastside Journal] [Slashdot]

Computer sleuth Richard M. Smith has discovered privacy-abusive features in Microsoft's Windows Media Player (WMP) for Windows XP. (2002/2/20) [AP] [CNET 1] The DVD movies people watch on their Windows PC are secretly reported to Microsoft, together with a cookie that uniquely identifies the WMP player. Junkbusters founder Jason Catlett slammed the reporting function, saying that it should be done only with the user's explicit consent. ``The true meaning of XP's seems to be eXterminate Privacy,'' Catlett said. Microsoft's response has been to add a description of the reporting to its privacy statement. [CNET 2] David Caulton, Microsoft's lead program manager for Windows Media, told the AP ``If you're watching DVDs you don't want your wife to know about, you might not want to give her your password." Junkbusters founder Jason Catlett asked ``what if you trust your wife but not Microsoft? What right does Microsoft have to know what you listen to and watch? They spy because they have the technological and market power to force their surveillance devices on people.''

Smith earlier reported a design flaw in the WMP that allows a Web site to grab the unique ID number of the Windows Media Player belonging to a Web site visitor, using it to track a user's travels around the Web. (2002/1/16)

A feature in MSN and Windows Messenger which allows Microsoft to quietly identify IE users on Microsoft Web sites can also be exploited by any web site, according to a report to the BugTraq mailing list. (2002/2/5) [The Register] [Demonstration Site] Junkbusters founder Jason Catlett commented: ``Microsoft should never have dog-tagged visitors to its web sites. It should not have given itself a peephole on its users' contact lists. And to yell the screamingly obvious, it should not continue to use its defective technology to collect personal data when it can't keep that private information safe.''

Separately, Johannes Westerink reported to BugTraq a cross-site scripting (CSS) problem in Microsoft's .NET that will affect Web sites using Microsoft's IIS 5 Web server. CSS errors typically allow hackers to break into people's Web site accounts. (2002/2/5)

Privacy groups sent an open letter to all State Attorneys General asking them to stop Microsoft's Passport system from violating privacy and state laws. (2002/1/29) [Reuters] The groups had twice asked the Federal Trade Commission to act urgently in 2000. Junkbusters founder Jason Catlett said ``Microsoft is breaking state and federal fair trade laws, deceiving consumers with its coercive tactics and endangering people through its sloppy security. Because they have not been hindered by the Federal agency charged with protecting consumers from this kind of abuse, we are asking the states to use their authority to stop this lawbreaking.''

Microsoft admitted that a flaw in its Passport technology could have allowed hackers to steal credit card numbers and personal information. (2001/11/1) [AP] [Mark Slemko's Technical Writeup] [WSJ] [Computerworld] [Newsbytes] Junkbusters founder Jason Catlett said that this was ``yet another illustration of how Microsoft is incapable of keeping personal information secure. It should be stopped from telling people that it can; that is deceptive and illegal.''

In October consumer and privacy groups wrote to Federal Trade Commission (FTC) Chairman Timothy Muris, criticizing his agency for failing to act on complaints filed in July and October concerning the collection of personal information by Microsoft using Windows XP. (2001/10/23) [Press Release] [Text of Letter] [Reuters] [Computerworld] [Newsbytes] [USAToday.com/Law.com] [SJ Merc] [Newsfactor] [Slashdot] [BBC]

In addition to repeating several remedies from their earlier complaints, the groups further asked the FTC to force Microsoft to "disgorge any personal information collected fraudulently and deceptively through XP and Passport." The groups advised consumers who are considering buying a PC with Windows XP to be warned that it will attempt repeatedly to extract personal information from them, and to ask themselves if they really want to be tracked by the Passport system, whether under their real identity or a fictional name. ``Microsoft is using Windows XP as a software cattle prod to herd consumers into its marketing databases,'' said Junkbusters founder Jason Catlett. ``The FTC's failure to enforce the law it is charged with upholding is a wholesale abandonment of its duty to consumers and confidence in online commerce.''

Bill Gates defended Passport, telling the AP that Passport is ``a savior, not a threat, to Internet commerce.'' ``We're trying to make the Internet more effective and allow not just large companies to get to critical mass with these user names and passwords but let any company who wants to participate in Passport just do it,'' Gates was quoted as saying.

Catlett also criticized the coercive tactics used by Microsoft to extract personal data. ``XP could stand for "eXtremely Pushy." It will bug you not one, not two, not three, not four, but five times. Microsoft won't take no for an answer. You're paying them to program their software so you have to tell them "No, No, No, No, No."'' Catlett said that saying no five times and staying out of Passport's databases at all is better than signing up using a fake name and being tracked. ``Yogi Bear and Mickey Mouse probably already have upwards of ten thousand Hotmail and Passport accounts each, and here are plenty more fictional characters to choose from. If Microsoft continues to treat consumers like dumb animals to be electronically dog tagged before feeding they should expect some people to play dumb.''

Microsoft announced that it plans to make the technical standards for Passport, its online identification system, open to other companies. (2001/9/20) [NY Times] [WSJ] [CNET News.com] [MSFT Press Release] The company claimed this as a privacy benefit, but Junkbusters founder Jason Catlett said that ``the move is mainly a concession to AOL and other competitors on anti-trust grounds, but it does not address the major privacy objections that consumer groups made in their complaint to the FTC.'' ``It's good to see Microsoft giving up on this attempt to use their operating system monopoly to reinforce their monopoly on identity services, but they currently have over 100 million people in their Passport database. Even if AOL and other competitors were to sign up half of their customers, Microsoft would still dominate. Instead of one enormous database, there'll be one enormous database and a few big ones. That's slightly better, but only slightly. Microsoft must be restrained from continuing to collect and retain personal information unfairly.''

Indeed, Walter Mossberg's column on the same day blasted Passport and Windows XP for many of the same reasons as the privacy groups.

The company has also turned Windows XP into a sort of Trojan horse. It has built in a bunch of "features," such as instant messaging, online photo printing and a "passport" to the Web, that are just blatant efforts to lure consumers into using a set of new Web-based services Microsoft is launching, while ignoring alternative services that may be better. The goal seems to be to trap users in a sort of Microsoft company store.

It's as if you finally had a chance to buy a sleek, reliable new car after owning a series of lemons, only to find that the new car was rigged so that the manufacturer could track which garage you kept the car in, blare its ads at will through the radio, and steer you toward toll roads it owned.

Not only that, but you can't use the messaging feature without signing up with Passport, Microsoft's service that aims to collect names and passwords for everyone on the Internet. Windows XP nags you to do this...

The Journal carried a graphic of XP telling you: ``You've just connected to the Internet. You need a Passport to use Windows XP communication features (such as instant messaging, voice chat, and video) and to access .NET-enabled services on the Internet. Click here to set up your Passport now.''

The Gartner Group issued a report titled Privacy and Security Still Challenge Microsoft Passport concluding that ``consumer apathy and distrust of the Internet, not underlying technology, pose the biggest hurdles'' for Passport. (2001/9/26)

In August 2001 privacy groups expanded their complaint against Microsoft. They filed "Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief." [PDF] (2001/8/15) [Reuters] [Industry Standard] [SJ Merc 1] [Newsbytes] [SJ Merc 2] [Newsbytes] [CNET] [Newsfactor] [Wired News] (2001/08/14)

Separately, Securitywatch.com reported that Microsoft ``has withdrawn its earlier assurances over its software by finally admitting that confidential information from the accounts of Hotmail users could have been compromised by a mutation of the Code Red worm.'' (2001/8/13) There have been many other reports of security failures in Hotmail and Passport. [Salon on Hotmail] [Newsbytes on breach] [USAToday.com on one-line Hotmail breach] [Newsbytes on another Hotmail breach]

For about a month, anyone with the right Web address could ``look up the billing, shipping and purchasing data for any customer who had bought Microsoft products online,'' Newsbytes reported. (2001/10/10) [Seattle PI] [ZD (related issue)] [Diffie/Landau on .Net]

The Wall Street Journal reported that Microsoft is making some changes to its Passport system to address privacy. (2001/8/10) Junkbusters founder Jason Catlett said that the changes were ``completely non-responsive to the consumer groups' complaint about Microsoft's unfair, deceptive and illegal behavior.'' Microsoft told the WSJ ``it will encourage improved privacy by requiring merchants that use Passport to support a new technology known as P3P.'' Catlett said that P3P is unlikely to improve privacy, and in any case the complaint focused on the collection of personal information by Microsoft, not merchants. The Journal also said that ``Microsoft is reducing the amount of information gathered when users sign up for a Passport account,'' but Catlett pointed out that it still requires an email address, which is personally identifying information. Microsoft also said it is ``shifting responsibility for payment authorization and a database of user's profiles to other parts of Microsoft.'' Catlett said that if this move was intended to provide solace to privacy advocates, it doesn't: ``This is about as consoling to consumer interests as Microsoft's settlement offers of behavioral remedies for its anti-trust violations have provided to the Department of Justice.'' Catlett rebutted statements by Brian Arbogast, the Microsoft vice president in charge of Passport, that the complaint springs from ``a misunderstanding of the technology underlying Passport.'' Arbogast told the Journal that ``Microsoft never receives information about consumer activities from sites that use Passport for authentication or to receive consumers' billing information,'' and ``doesn't use the Passport databases to send any marketing pitches.'' Catlett said that Microsoft does receive information about which sites consumers visit using Passport, about their activities at Microsoft-operated properties, and credit card information if the consumer uses Microsoft's Wallet product. Microsoft also sends marketing pitches to email addresses it obtains from Hotmail accounts, for example, for which a Passport is mandatory.

The FTC wrote to EPIC saying ``We will evaluate your complaint to determine what action, if any, would be appropriate in this case. Please be advised that any Commission investigation is non-public until the Commission decides to issue a formal complaint. As a result, we will not be able to advise EPIC or the other complainants of our decision as to whether to investigate the matter.'' (2001/8/7)

More than a dozen privacy groups filed a complaint [PDF] with the FTC about the privacy issues in Microsoft's Passport services. (2001/7/25) [NY Times] [InternetNews] [Industry Standard] [CBS Marketwatch] [Washington Post] [Newsfactor] [Reuters] [Reuters 2] [BBC] [The Street] [Grok] [Slashdot discussion] [Times (London)]

The Senate Judiciary Committee plans to hold hearings on Microsoft's Windows XP software and its effect on Internet competition, the Wall Street Journal reported. [Reuters on Schumer] [SJ Merc - Gillmor] (2001/7/23) [CBS MarketWatch] Junkbusters founder Jason Catlett praised the move, saying that it should closely examine the effect of XP and Hailstorm on consumer privacy. [SJ Merc]

Separately, Microsoft has confirmed servers running its MSN Hotmail service were affected by the Code Red worm, CNET reported. (2001/8/9) Various attacks on Passport have been discussed.

Microsoft has been criticized over the privacy and security risks of its ``Hailstorm'' Internet services. (2001/3/19) [NY Times] [Wired News] [ZDNN] [Microsoft Press Release] [Microsoft White Paper] [Salon] [WSJ] [WSJ/MSNBC] [WSJ 2] Junkbusters founder Jason Catlett said that ``Microsoft is sounding disturbingly like a government: issuing passports, controlling identity and imposing tolls on transactions. Given their awful record on privacy, it's the last organization that we would want to control such a vast amount of personal information.'' Two years earlier Catlett authored a report on the implications of Microsoft controlling the electronic wallets of consumers.

In March Microsoft announced a P3P implementation for its next browser. [WSJ public] (2001/3/21, p. B1) [Washington Post] [Microsoft Press Release] [Microsoft Fact Sheet] [Microsoft White Paper] [WSJ 1] [WSJ 2] Privacy advocates including Junkbusters say P3P will not improve privacy. [Washington Post] [Newsbytes] [Cnet on Compact headers] [Gartner on P3P] [CNET on Gartner on P3P] [CRM News Report: Consumers Nix Microsoft Passport] [Intelligent Enterprise on P3P] Roger Clarke, an influential privacy scholar who previously supported P3P, expressed his disappointment with what P3P had become. Junkbusters founder Jason Catlett, who has long criticized P3P, commented: ``Microsoft's "thermostat setting" where surfers are required to tell their PCs how much they will tolerate being surveilled gives a misleading and dangerous view of privacy. People shouldn't be forced to trade privacy for participation. People need legally guaranteed privacy rights to control the data collected about them. Microsoft's new default setting for cookies will not protect the privacy of people who don't know what cookies are. Microsoft should have stopped ``third-party'' cookies, which are a security hole, and the means of an enormous amount of surveillance by banner ad companies. The excuse that people can opt out of tracking by companies such as ad networks ignores the fact that most people are unaware of it and don't know what to opt out of. The default should have been to alert people and ask their permission. Microsoft's settings seem to focus on whether an opt-out is provided, rather than important questions such as whether a site gives individuals access to the data collected about them, the opportunity to delete it, and whether the user's consent will be obtained before information is used for other purposes. All recent experience with privacy policies, from Amazon to Toysmart indicates that they are not going to guarantee an adequate level of privacy. P3P is merely sweeping the failure under a software carpet.'' Catlett wrote to Microsoft expressing his disappointment with the defaults. (2001/3/28) [Newsbytes] [TheStreet.com on NAI/Microsoft fight]

Separately, a posting on Slashdot objected to the Passport Terms of Use which say Microsoft can do almost anything with Passport data. (2001/4/3)

By "inputting data ... or engaging in any other form of communication with or through the Passport Web Site" -- or any of its "associated services" -- you grant Microsoft the rights to "use, modify, copy, distribute, transmit, publicly display, publicly perform, reproduce, publish, sublicense, create derivative works from, transfer, or sell any such communication" and -- just when you were thinking it couldn't get any worse -- "exploit any proprietary rights in such communication, including but not limited to rights under copyright, trademark, service mark or patent laws."

A Microsoft spokesman told InternetNews that this was an oversight. [Wired News] [Salon] [Infoworld] [Slashdot] Under considerable public scrutiny, Microsoft revised its privacy policy and terms of use. [Wired News] (2001/4/9) [Passport Terms of Use] [Passport Privacy Policy]

In May Microsoft announced it would sign the EU-U.S. ``safe harbor'' agreement. The commitments under the safe harbor agreement will be applied globally by Microsoft, not just in the EU and U.S., according to the Dow Jones and the Wall Street Journal. [Reuters] [ComputerWorld] [Wired News] (2001/5/15) Junkbusters founder Jason Catlett commended Microsoft on the announcement, saying that ``although the standard of privacy protection required by safe harbor falls short of ideal, it is far higher than what is typical in the U.S.'' However, he noted that the implementation of Microsoft's past announcements has sometimes severely disappointed privacy specialists.

Separately, MSNBC reported that Microsoft's digital certificate has been compromised. (2001/3/23) [Internet News on patch] In December 1999 Microsoft famously forgot to pay the domain registration fee on the Passport.com domain name. [Slashdot]

Separately, TechWeb reported that Microsoft in Spain paid out $60,000 to settle a case of data misuse. (2001/4/4)

The AP reported that Hotmail supplied subscribers' e-mail addresses, cities and states to a public Internet directory site that combines the information with phone numbers and home addresses. (2001/3/5) The discovery was made by internet activist Bennett Haselton. Hotmail and Microsoft have a long history of deliberate and accidental privacy violations. The most recent security problem was limited because it was very difficult to exploit. [MSNBC] [PC World] (2001/8/20)

And why does the United Kingdom's e-government gateway site exclude almost all browsers except Microsoft's Internet Explorer? (WSJ (2001/6/6)) According to Linux Today, it's related to the fact that Microsoft built it.

[Feedback]  North Dakotans vote in favor of banking privacy

More than three out of four voters in North Dakota voted in favor of stronger banking privacy, repealing a law that allowed banks to sell customer information without written permission. (2002/6/11) [Direct Mag] [AP] [Reuters] [Bismarck Tribune] [Unofficial results page] [Full Text of SB 2191] [AG's Opinion on 2191] [Timeline] [Official Ballot Language of Referral of SB 2191] [Analysis] Junkbusters founder Jason Catlett commented ``This first privacy plebiscite in the history of the US shows that Americans overwhelmingly want their information kept under their explicit control. It shows that the weak federal privacy law they have been given by Congress represents a triumph of lobbying over democracy.''

[Feedback]  Experian involved in another wrongful disclosure of consumer files

Ford Motor Credit Co. said that identity thieves ``gained access to a database used by Experian, a credit reporting agency, to download the personal information of 13,000 consumers,'' the AP reported. (2002/5/16)

Consumer data juggernaut Experian may have accidentally placed on the Internet confidential information on more than 1.5 million South African consumers, according to a story in South African newspaper Business Day. (1999/7/12) [Followup] An Experian official declined comment to Newsweek.

Experian was formerly a division of TRW, and is now owned by Great Universal of Nottingham, UK. In 1998 it merged with junk mail databaser Metromail, uniting two companies with among the worst records on privacy. In 1997 Experian rolled out a system for selling credit reports over the Internet, but it started by delivering the reports to the wrong people. Metromail's invasive practices have come out in a series of horrifying media reports, including the case of Beverly Dennis.

Consumers who want to reduce the amount of their personal data handled by this company can send letters to Metromail [sample] and Experian [sample]. ``But the question remains whether this company really deletes the data it says it will, and whether it should be trusted with any personal information at all,'' commented Junkbusters President Jason Catlett. ``Americans have so few privacy rights guaranteed by law that it is not clear there is anything that they can do to stop this company or others from crushing the privacy of millions of Americans, carelessly and repeatedly.''

Data spills are a frequent occurrence; the list of reported incidents includes a Wisconsin medical clinic, GM, Amazon.com, Travelocity, Butterball and Ikea. The WSJ reported that a hacker downloaded files this past summer from computer systems at the University of Washington Medical Center in Seattle containing medical data on more than 5,000 patients. (2000/12/11)

Experian suspended a new system that sells consumers access to their credit reports over the Web, after an undetermined number of people received the wrong credit report. (1997/8/15) ``It's like a fast-food restaurant with 20 lines,'' the LA Times quoted an Experian spokesman explaining what the company has been calling ``missequencing'' and a ``glitch.''

A Washington Post reporter whose credit report was faxed to the paper by a concerned user of this service reports the sudden onset of symptoms of paranoia about privacy. The story has also been covered by CNET, CNNfn, the Washington Post, ZD Net, USA Today, and AP. A follow-up article in Interactive Week indicates that the two other major credit reporting agencies planned to offer Internet delivery.

The company says they plan to fix the problem and then put the system back on line. People who are still uncomfortable with the possibility of 18 pages of detailed financial information about them being scattered into cyberspace like cold hamburgers can send Experian a letter like this one telling the company never to distribute their credit report on the Internet. JUNKBUSTERS DECLARE will insert your name for you. People who have already registered with our free service simply go to their bookmark and in three mouseclicks have a tailored letter ready to print.

Of all the names sold for pre-approved credit offers in the US, nearly half were produced by Experian. Let's hope they went to the right people. Experian only recently started Internet delivery, but Qspace claims to have been doing this for some time (and appears to be continuing to do so). [CNET]

Separately, the September '97 issue of Privacy Journal reported that in one of its court cases against Experian, the Federal Trade Commission ``accused the company of "indifference to the privacy protections that Congress intended to provide," and "a disregard for consumers' privacy expectations" and a "cavalier" attitude towards credit reporting law.''

In mid-1997 Experian acquired Direct Tech, ``largest provider of computer services to the catalog industry,'' known for its consumer database management. Years ago Experian's competitor Equifax ``pulled out of the direct marketing business because of consumer concern about uses of credit related data for this purpose.''

[Feedback]  Big Brother Awards go to Oracle's Ellison and other invaders of privacy

London-based watchdog group Privacy International held the Orwell Big Brother Awards 2002 in San Francisco at the 2002 Computers, Freedom and Privacy Conference. (2002/4/18) [Reuters] [SF Chronicle] [SFC 2] [GeekNews] [AP] Junkbusters founder Jason Catlett was one of the judges, as he was in past years.

In a related event on the same day, Catlett spoke on a panel about identity services such as Microsoft's Passport. [News.com] [IDG] Catlett accused Microsoft of deception and coercion, citing a Gartner report that found the majority of people signing up for Passport are doing so because of product requirements rather than new features. Separately, the New York Times and CNET earlier reported that Microsoft is unsure what its Hailstorm/.Net/My Services service actually should be doing, and is planning changes.

Separately, the U.S. government is reportedly considering using Passport as an authentication mechanism for Federal web sites. [Seattle Times] [CNET] Junkbusters founder Jason Catlett said that ``Microsoft's record as a lawbreaker and violator of privacy should disqualify it as a suitable party for this role.'' He said that ``no company should receive a windfall database of personal information about citizens because of its outsourcing functions to any government agency.''

Separately, a privacy bill was blocked by Senate Minority Leader Trent Lott in an unusual procedure, Reuters reported. (2002/5/16) The bill since seems to have stalled. (2002/9) [Internet News] The Online Personal Privacy Act. [USAToday] [Full Bill in PDF] [Section-by-section Analysis] [Statement of Senator Hollings] Hollings introduced a similar bill in 2000, which Junkbusters supported. (2002/4/25) The committee held hearings at which Amazon, HP and other companies opposed enforceable privacy rights for online visitors. [AP] [Reuters] [IDG] [Salon]

[Feedback]  Yahoo weakens privacy policy

Yahoo weakened its privacy policy. (2002/3/28) [CNET News.com] [CNET 2] [SJ Mercury] [Wired News] [Slashdot] [Reuters] The company reset users' "marketing preferences," allowing itself to spam them. The move is similar to those of AOL in 1999 and eBay in 2001. Junkbusters founder Jason Catlett commented: ``Why won't these companies just take no for an answer? They treat people like their chattels. Consumers need statutory rights to prevent salesmen pushing their feet into the online door.'' Yahoo also made it easier for itself to disclose information where it suspects illegal activity. ``Too many companies are feeling an urgent need to reduce costs and increase revenues from personal information. They naturally try to reduce liability and operational inconveniences, and to exploit what they have more widely,'' Catlett said.

Yahoo (YHOO) faces a variety of allegations relating to privacy, in addition to security failures. Yahoo established http://privacy.yahoo.com/ as a central site for information on Yahoo's privacy policies and practices. (2000/7/19)

A lawsuit has been filed by Aquacool_2000, a pseudonymous Yahoo! user, alleging that personal information was improperly disclosed to AnswerThink Consulting Group, Inc. The Wall Street Journal said that in April Yahoo began notifying individuals if their accounts had become the subject of a subpoena. (2000/5/11) [ACLU/EPIC release] [ZD] [Legal statement from Kleiman Associates]

Separately, Yahoo said in its March SEC filings that the Federal Trade Commission was conducting an inquiry into some of its information practices. (2000/3/30) [Reuters] [WSJ] [SJ Merc] [Bloomberg] [AP] As usual, the SEC filing (available from http://www.freeedgar.com) is vague:

In addition to intellectual property claims, the Company has also been advised that the FTC is conducting an inquiry into certain of the Company's consumer information practices to determine whether the Company has complied with applicable FTC consumer protection regulations. In connection with this inquiry, the FTC has requested that the Company provide information about its practices and submit various documents and other materials to the FTC.

The Company is not currently aware of any legal proceedings or claims that the Company believes are likely to have a material adverse effect on the Company's financial position or results of operations. However, the Company may incur substantial expenses in defending against third party claims or any action by the FTC. In the event of a determination adverse to the Company, the Company may incur substantial monetary liability, and be required to change its business practices. Either of these could have a material adverse effect on the Company's financial position and results of operations.

It may be that Yahoo is just one of many companies the FTC is believed to have written to following a report by the California Health Care Foundation on web site privacy. The report criticized many sites including Yahoo for a lack of disclosure of when services are actually provided by other sites; this seems to have been conspicuously addressed by Yahoo on the relevant page. In March Junkbusters founder Jason Catlett commented that Yahoo's record on privacy ``is fairly good for an internet media company of its size, and far better than AOL or Microsoft for example.'' Catlett contrasted the company with DoubleClick, saying ``Yahoo doesn't depend on knowing the identity or the wider movements of its users on the Web beyond their site. If Yahoo does have a privacy problem, it shouldn't be difficult to fix.'' (2000/3/30)

Separately, Universal Image, which operates http://www.chalkboardtalk.com, has been suing Yahoo for allegedly stopping reporting information about registered users of broadcast.com after Yahoo acquired it, Bloomberg and the Dallas Morning News reported. (1999/12/24) [Bloomberg] The Texas law firm later asked a court to declare cookies illegal under anti-stalking laws, ZDNet reported. [Law News Network] [NY Times]

[Feedback]  J.C. Penney begins sharing its customers' data

The huge cataloger J.C. Penney Co. Inc. will soon start swapping the names of its catalog customers, DM News reported. (2002/2/22) People who don't want their names shared can email privacy@jcpenneyeservices.com or call 1-800-204-3334 or send them a letter like this one.

[Feedback]  FTC investigates Eli Lilly over privacy breach

Drug manufacturer Eli Lilly (LLY) has been investigated by the Federal Trade Commission following an investigation of a breach of privacy of subscribers to an email list about Prozac, Reuters reported. (2002/1/11) [FTC announcement] (2002/1/18) Contrary to its assurances about security and privacy, the company revealed email addresses of all subscribers, in July 2001. [AP] [Forbes] Privacy advocates raised it in meetings with the FTC as an example of the failure of the market to protect privacy. In testimony before the Senate Commerce Committee, Junkbusters founder Jason Catlett asked ``What sufferer of depression is going to tell his doctor not to write him a prescription for Prozac because of the manufacturer's record on privacy?'' The ACLU wrote to the FTC calling for an investigation.

Commenting on the news of the investigation, Junkbusters founder Jason Catlett said: ``This action shows that FTC Chairman Muris is serious and genuine about his promise to use existing law to protect privacy. It's been a relatively fast investigation for the FTC, and it's also pleasing to see an action against a major company rather than just the usual fly-by-night scammers. But it remains to be seen whether this is merely a public slap on the wrist, or an example to deter others. In order for large companies to have a sufficient incentive to take privacy and security seriously, there must be a substantial penalty for failures. Government watchdogs should be imposing fines that are noticeable to these companies. Imagine how happy polluters would be if the only incentive used by environmental regulators was public embarrassment. Individuals too should have a private right of action to sue companies themselves, rather than having to hope the FTC does.''

[Feedback]  New FTC chairman announces position on privacy

The new Chairman of the Federal Trade Commission, Tim Muris, announced his position on privacy in a speech Thursday. (2001/10/4) [Text of Speech] [FTC Press Release] [Internet News] [SF Chronicle] [DM News] [Reuters] [Computerworld] [LA Times] [AP] [NY Times] [Newsbytes] [FTC announcement] Junkbusters founder Jason Catlett commented:

By the standards of the FTC's two decades of timid consumer protection, Chairman Muris's agenda represents a substantial improvement. I commend Mr Muris for his commitments on several long-overdue and under-resourced areas. One example is pretexting, on which his fellow commissioner Orson Swindle had voted against enforcement action. In proposing a national Do-not Call list, Muris is bringing the FTC up to par with Congress's plainly stated intent in the Telephone Consumer Protection Act of 1991. His promised increases of actions against deceptive spammers should have been made at the FTC five years ago, but they are still very welcome. Muris did not address any of the many more recent privacy issues, such as opt-in for email marketing, profiling by banner ad companies, or Microsoft's Passport and other identity services. His opinion that new privacy rights are not currently needed is disappointing, and is another example of how he is still lagging behind the prevailing sentiments of lawmakers and the majority of Americans. The FTC had previously determined based on surveys and years of experience that additional authority was needed, and Mr. Muris hasn't provided any evidence to reverse this.

Forrester Research was critical of Muris's position, saying ``a company that thinks that the FTC's backing off of legislation means that the issue will go away is sadly mistaken. Instead, addressing privacy one technology or business practice at a time only adds to the confusion.'' (2001/10/16) [CRM News] Separately, Forrester estimated that privacy concerns are costing online retailers $15 billion dollars annually in lost sales.

[Feedback]  September 11: Freedom and Fear

Following the September 11 attacks, more than 150 organizations, 300 law professors, and 40 computer scientists expressed support for a declaration in defense of freedom. For details see: http://www.indefenseoffreedom.org/

Separately, householders are increasingly reluctant to open junk mail for fear of anthrax contamination. (2001/11/1) [CNN Money]

[Feedback]  Junkbusters President testifies before House and Senate Committees

Junkbusters founder Jason Catlett testified before two Congressional committees in July 2001: before the Senate Commerce Committee on Information Privacy [Internet News] [Reuters] [DM News] [AP] [Industry Standard] and before the House Judiciary Committee on the Whois database. (2001/7/13) [Catlett's Statement] [Wired News] [Statements of other Witnesses] [ZD] [Newsfactor] [Slashdot] [BNA] Related documents: Letter from EPIC to the Committee; The International Working Group on Data Protection in Telecommunications (IWGDPT)'s Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet.

[Feedback]  Company launches CD tracking service

Gracenote announced tracking features in their CDDB2, an Internet-based service used in computer audio CD players to identify album titles, artist names, and song titles of audio CDs. (2001/6/5) [Newsbytes] Email addresses are collected and a Global Unique ID is assigned. Real Networks caused a scandal in 1999 when they secretly introduced a GUID tracking system. Gracenote's privacy policy discloses the practice and undertakes to keep the personal information confidential, but says ``it is possible that we might be required to make disclosure, for example in response to court orders...'' Junkbusters founder Jason Catlett commented that recording companies are highly litigious and have shown their disregard for personal privacy in their proposed SDMI system. In an interview with Wired, Junkbusters founder Jason Catlett discussed the risk of compelled identification of Napster users in order to extract payments, market, and deter infringement. EMusic.com has told Napster users it would deploy new technology to contact song-swapping offenders, the AP reported. (2000/11/22)

[Feedback]  Privacy groups urge FTC reform following Amazon/Alexa inaction

Junkbusters President Jason Catlett wrote a letter to FTC Chairman designate Tim Muris asking among other things for Amazon's information practices to be audited, on the grounds that its own statements about its practices could not be trusted. (2001/5/30) [CBS Marketwatch] [Reuters] [USAToday/AP] [TechWeb] [Washington Post Interview with Muris] [Wired on Muris] Junkbusters and several other consumer and privacy groups later wrote to Muris asking for fundamental changes in the FTC's enforcement system. [CNET] [Newsfactor] In a meeting with Muris, Bureau of Consumer Protection Director Howard Beales and other FTC staff, privacy groups presented several recommendations to the FTC in an open letter. (2001/7/17)

In their second decision on Amazon in a week, staff of the Federal Trade Commission found that Amazon and its Alexa division had likely deceived customers, but had decided "not to recommend any enforcement action at this time." (2001/5/29) [Letter from FTC Staff to Amazon's Litigators] [WSJ] [AP] [Bloomberg] [Ecommerce Times 1] [Ecommerce Times 2] [Internet News] [Wired] [Industry Standard Grok] [The Street] [Seattle Times] Among the reasons given by FTC staff were the fact that Alexa's privacy policy had since been changed, and that a settlement had already been reached in a class action suit on the same matter. Junkbusters founder Jason Catlett said ``This is a lamentable non-action for a consumer protection agency that is supposed to keep companies honest. Imagine if the SEC found that a company had misled investors with fake figures in a prospectus, then let them off because they had issued new figures and moved into a new business.'' The head of Alexa told the AP "We're jazzed that they closed the investigation without doing anything."

Amazon.com's Alexa division had earlier settled a privacy class action suit including potential payments of up to $40 to those whose personal data was stored in Alexa's database contrary to the company's earlier privacy statement. (2001/4/27) [Alexa Notice of Proposed Settlement] [CNET] [Reuters] [Dow Jones] [WSJ] [Bloomberg] The settlement was disclosed in Amazon's Quarterly SEC filings. (2001/4/26)

During the first quarter of 2000, Supnick v. Amazon.com and Alexa Internet and four similar class action complaints were filed against the Company and its wholly owned subsidiary, Alexa Internet. The complaints, which were consolidated in the United States District Court for the Western District of Washington, allege that Alexa Internet's tracking and storage of Internet Web usage paths violates federal and state statutes prohibiting computer fraud, unfair competition, and unauthorized interception of private electronic communications, as well as common law proscriptions against trespass and invasion of privacy. On or about April 20, 2001, the Court preliminarily approved a settlement of the consolidated class action. The settlement is subject to final approval by the Court.
Junkbusters founder Jason Catlett commented on the significance of the case:
The key issues are whether Amazon can be trusted to handle personal information responsibly, and whether its customers have any effective recourse against violations. When Amazon says it won't inhale personal data, as they have also claimed with their so-called Honor System, who will hold them to account? Amazon has repeatedly refused to show its customers all the information it holds about them, and refused to let them delete it. What does it have to hide? The fact that the class action suits brought the violation to light before the Federal Trade Commission reached a conclusion is an illustration of the need for privacy rights to be enforceable by individuals, not just government agencies.

A suit filed against Alexa in January 2000 claimed the company sent the plaintiff's confidential information to Amazon without his consent. (2000/1/7) Bloomberg reported that plaintiff Joel D. Newby claims that he and others weren't told their personal information would be collected when they used Alexa's software. [CNET followup] Amazon revealed in its SEC filings that the FTC had started an "informal inquiry," of the review of its Alexa Internet division, Bloomberg reported. (2000/2/7) In later SEC filings the company says the FTC has "opened a formal investigative file in connection with its inquiry." Although the FTC never reveals even the existence of investigations in progress, the subject of the investigation sometimes does, as Geocities did.

Security expert Richard M. Smith earlier criticized the extent of data collected by Amazon.com's Alexa service in a letter to Amazon's CEO. [New York Times] (1999/12/30) One of the key points is the way personal information is often embedded into URLs sent to search engines and other sites (and also to Alexa if it's installed). For example, a search on Altavista for "Richard M. Smith" might generate a URL (known in HTML as a "GET request") like this:
http://www.altavista.com/cgi-bin/query?pg=q&what=web&fmt=.&q=Richard+M+Smith
Junkbusters founder Jason Catlett said at the time the suit was filed that ``If Alexa really wants to protect its users from identification its software should throw away and not transmit the part of the URLs that contain text that the user types in.'' (More technically, everything after the first question mark.) ``This information isn't really necessary to provide "What's Related" features,'' he continued. ``In general companies should learn to follow the principle of limiting data collection to what is needed to perform the function the user is expecting. If data isn't collected or transmitted, there's no need for further questions about whether the company will handle it properly.'' The deletion of this information became one of the provisions of the settlement proposed in April 2001.
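The rule Catlett describes, written out as an added example (it is not Alexa's or Junkbusters' code, and the function name is hypothetical): reduce a URL to scheme, host and path before it is reported anywhere. It goes slightly beyond "everything after the first question mark" by also withholding the fragment and any embedded username or password, and by refusing to report non-web URLs at all.

```javascript
// Added example: client-side URL minimization before a visited URL is
// reported to a third-party service. minimizeUrl is a hypothetical name.

// Returns { sent, dropped }: the string that may be transmitted (or null)
// and a list of the parts that were withheld, so the step can be audited.
function minimizeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    // Not an absolute URL: fall back to cutting at the first '?' or '#'.
    const cut = raw.search(/[?#]/);
    return {
      sent: cut === -1 ? raw : raw.slice(0, cut),
      dropped: cut === -1 ? [] : ["unparsed-suffix"],
    };
  }

  // Only web URLs are candidates for reporting; file:, mailto: and similar
  // schemes are never transmitted.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { sent: null, dropped: ["whole-url"] };
  }

  const dropped = [];
  if (u.search !== "") dropped.push("query");       // text the user typed in
  if (u.hash !== "") dropped.push("fragment");
  if (u.username !== "" || u.password !== "") dropped.push("userinfo");

  u.search = "";
  u.hash = "";
  u.password = "";
  u.username = "";
  return { sent: u.href, dropped };
}

// The search URL quoted above, plus two constructed inputs.
const SAMPLE_URLS = [
  "http://www.altavista.com/cgi-bin/query?pg=q&what=web&fmt=.&q=Richard+M+Smith",
  "https://alice:s3cret@shop.example/orders/view?id=1234#receipt", // constructed
  "file:///home/alice/taxes-2000.html",                            // constructed
];

for (const url of SAMPLE_URLS) {
  const { sent, dropped } = minimizeUrl(url);
  console.log(`${sent}  (withheld: ${dropped.join(", ") || "nothing"})`);
}
```
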

In an earlier decision on a separate matter, the FTC responded by letter to a complaint by Junkbusters and EPIC about Amazon's change of privacy policy, finding that Amazon has not changed its information practices in a way that was unfair or deceptive in the sense of Section 5 of the FTC Act. (2001/5/25) [Reuters] [WSJ] [AP] [Internet News] [Seattle Times] [Ecommerce Times] [SF Chronicle] [Washington Post] [International Herald Tribune] [Newsfactor] [DM News] [Seattle PI]

The FTC focused on a description given to it by Amazon's lawyers of its current "information disclosure practices," rather than considering how Amazon was making preparations for possible future disclosure and sale of purchase information. Junkbusters founder Jason Catlett said he was ``disappointed that the FTC did not proactively prohibit Amazon from using personal information in the new ways it has allowed itself.'' Catlett said that the outcome was similar to the FTC's review of Doubleclick's change of privacy policy, where the company had clearly announced its intention to treat personal information in a new way that would be damaging to privacy, but was let off by the FTC because it said it had not yet performed at the time it was investigated. The FTC's letter also focused more on whether personal information was being sold, rather than whether it has been disclosed. The privacy groups said that they were considering their next step in the campaign.

In the letter sent to the Federal Trade Commission in December 2000, the Electronic Privacy Information Center and Junkbusters Corp. asked the FTC to determine whether Amazon deceived customers in the United States by changing its privacy policy to permit disclosure of personal customer information. EPIC and Junkbusters alleged that the changes are inconsistent with Amazon's previous statements that it would "never" disclose customer information to third parties and are therefore deceptive and illegal under the US FTC Act. The groups asked the FTC (1) to prohibit Amazon from disclosing information about its customers without their prior affirmative consent, (2) to require Amazon to offer its customers the option to delete all information about their identity and purchases, and (3) to require Amazon to tell each customer on request exactly what information it has disclosed or exchanged about the customer with other companies and to provide complete access to the customer profile.

In several months of negotiations with Junkbusters, Amazon had refused these three demands. Both EPIC and Junkbusters severed their ties with Amazon on September 13 over Amazon's revised privacy policy. Junkbusters President Jason Catlett published an open letter to Amazon CEO Jeff Bezos summarizing the deficiencies in Amazon's position.

Amazon announced a movie information service titled ``In Theaters,'' including paid advertising, funded by movie studios. (2001/4/15) [Reuters] [Amazon Press release] [Wired] [WSJ] Junkbusters founder Jason Catlett commented: ``Most people haven't noticed yet, but Amazon is no longer really an online bookseller. It's becoming a database marketing and media company. Unfortunately their chief asset is you and your personal information. That's unfortunate because they are treating it unfairly.''

In February 2000 Amazon.com introduced a system similar to PayPal to allow consumers to make payments to Web sites, which it calls the Amazon Honor System. (2001/2/6) [Cnet] [TechWeb] [Amazon Press Release] [Wired] [Baltimore Sun] [Amazon FAQ] Junkbusters criticized the implementation of the program, which it said provides Amazon with tracking data about surfers' movements on participating Web sites, even if they don't use or notice the feature, and even though Amazon claims they don't currently store the information. [Internet News] [Wired] [Slashdot] [SJ Merc - Gillmor] [Baltimore Sun] [Gillmor 2] Amazon deliberately chose to require participating sites to have the click-on graphic served from Amazon's web site rather than the participating site, so Amazon gets a cookie identifying the surfer. The surfer may not be aware that the information is being reported to Amazon. This contrasts with Amazon's years-old affiliate program, where Amazon's servers don't find out about the visitor until she clicks on a link to Amazon.com. To see the details of the technology, go to any participating site, such as http://www.modernhumorist.com/mh/0102/tipjar/ and view the "Page Info" or similarly named feature on your browser to find the graphic which ends in a long tracking number such as http://s1.amazon.com/exec/varzea/tipbox/A2R5FXLPVXDKS7/TNSTXZRNSPRXT or similar. (If you or someone using your computer ever purchased from Amazon, the name that was given for the purchase may be displayed in the graphic.) The tracking number, your Amazon cookie and other information are reported to Amazon as soon as you load the page on the participating site. The technology is similar to that used for web bugs and banner advertising.

Amazon claims on its web site that it does not currently store the tracking information. Junkbusters founder Jason Catlett said that Amazon's claim that their technology ``was designed not to inhale'' tracking data has several flaws, including the possibility of technical failure. ``Amazon's policy may change significantly, as it has in the past. Amazon didn't use the word "never" in this statement, and even if they did, why should we trust them? They've betrayed that trust before,'' Catlett said. ``If this technology becomes widespread on the Internet, Amazon would be receiving tracking information on the browsing habits of a large percentage of Internet users, and even on people who are not their customers. And more than twenty-five million of them are personally identified. Many people now deeply distrust Amazon after their withdrawal of their promise never to sell their personal information. Web sites considering the Amazon Honor system probably don't realize that by installing it they may ultimately be dishonoring their visitors' privacy. Amazon should change its implementation so that participating sites serve their own graphics, and Amazon does not get any cookie until the user clicks on an Amazon link.'' Catlett added that he has told Amazon that he believes the basic function of enabling payments is a good goal, and Amazon should not attempt to sneak in an invasive marketing feature that is not needed to implement the core function.

Amazon's SEC filings previously disclosed an investigation relating to its Alexa division.

Privacy International has published its correspondence with Amazon's UK company. In it Amazon replied to charges of unlawful behavior. (2000/12/4)

The pro-business Competitive Enterprise Institute sent a letter to the FTC warning them ``not to let current high-profile privacy complaints against Amazon.com push them into expanding federal privacy regulations,'' and urging them ``to refuse requests to investigate this matter.'' (2000/12/6) [Press Release] Junkbusters founder Jason Catlett commented:

``Our complaint wasn't about whether Amazon was upfront about their changes, it was the fact that their new policy states in a very clear manner that it behaves in a manner inconsistent with their previous representations using the word "never". That's illegal in the same way as it would be for a company to sign up a customer for a 12 month lease and then double the monthly payments half way through.''

Privacy groups on both sides of the Atlantic urged government agencies to investigate the US and UK operations of Amazon, charging violations of trade practices and data protection laws. (2000/12/4) [AP] [CNET] [ZD] [TechWeb] [SF Chronicle] [AP - related story] [US News+WR] [Industry Standard] [Industry Standard - Grok] [WSJ]

In another letter, Privacy International, a London-based human rights group, asked the UK Data Protection Commissioner to halt Amazon's UK affiliate from processing customer data until it complies with UK data protection law. (2000/12/4) [ZD UK] [Press Release] Privacy International director Simon Davies charged that the company is "in wilful violation of several requirements of the Act," including the obligation to show its UK customers all information held about them, and to delete it on request. Davies had also objected to Amazon's transfer of customer data from the UK to the US in a letter September 14. Davies received a reply the next day claiming that the Commissioner's office was "comfortable" with the transfers. Davies requested comment from the Commissioner. He also sought clarification on statements by Amazon that deletion is "impractical." The capability to delete is mandated by UK law.

Marc Rotenberg, Executive Director of EPIC, said, "The United States and the United Kingdom have established laws to safeguard the rights of consumers. We are asking the FTC and the Data Protection Commissioner to ensure that the right of privacy will be respected in the online world."

In September, Privacy International joined other privacy groups in objecting to Amazon's information practices, in particular to Amazon.co.uk's transmission of personal data to jurisdictions without adequate privacy law, such as the United States. (2000/8/14) PI Director Simon Davies's letter is reproduced on our site. PI also asked the UK Data Protection Registrar to block further international transfers from the UK company. [Industry Standard] [Industry Standard 2]

In an earlier open letter 9/13 to Amazon.com Junkbusters founder Jason Catlett pointed out several inadequacies in its privacy policy and practices, and asked for changes. Junkbusters terminated its participation in Amazon's affiliate program. (2000/9/13) [USAToday] [AP] [Geek.com] [CNET] [TechWeb] [Newsbytes] [Wired] [Internet Retailer] [Ecommerce Times] [IDG 1] [ZD] [NY Times Op/Ed] [IDG 2] [CIO] [eCommerce Times] [Computerworld]

Amazon spokesman Bill Curry told IDG that Junkbusters was only one of 500,000 affiliates. He also said that ``the talk circulating that Amazon in the past had issued "some guarantee of never selling [customer data] wasn't the case."'' (2000/9/13) The next morning Junkbusters checked the URL http://www.amazon.com/exec/obidos/subst/help/sec-priv-newuser.html and found the following statement:

We respect your personal privacy
We do not now sell or rent our list of customers to anyone. In fact, the Electronic Privacy Information Center cites the quality of our concern with customer privacy as one of the reasons they became an Amazon.com Associate. If you would like to make sure we never sell or rent information about you to third parties, just send an e-mail message to never@amazon.com.
This page appears to be old, with no current links from Amazon's home page. The email address bounces. But similar language appears in the main privacy policy at Amazon's UK site:
We do not sell, trade or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.co.uk. If you never want to receive any announcements or special offers from us, please send a blank e-mail message to never@amazon.co.uk to change your preferences.
Junkbusters founder Jason Catlett asked: ``What part of the word "never" doesn't Amazon understand? Like most companies, Amazon seems to think of the data it holds about its customers as its own property to do whatever it wishes with, regardless of the interests of the people that the data is about. That's why Americans urgently need legal rights to control their own data.'' (2000/9/14) The proposed Consumer Privacy Protection Act includes a section prohibiting the disclosure of book titles, along the lines of the Video Privacy Protection Act of 1988.

The Associated Press quoted Amazon spokeswoman Patty Smith as claiming that the new policy is ``actually stricter than the previous one because it spells out the conditions under which personal information can be transferred.'' (2000/9/13) Junkbusters founder Jason Catlett said this logic was faulty: ``Under the old policy, customers at least had the option of never having their information sold, under the new policy, they don't have that option, and the policy might be changed to sell their information without their affirmative consent. Being more upfront and explicit about a bad and changeable policy is not improvement.''

In an independent but related move, the Electronic Privacy Information Center also terminated its relationship with Amazon. In a letter to EPIC subscribers, Executive Director Marc Rotenberg cited the recent change in Amazon's privacy policy as the reason for the organization's decision. "Because Amazon announced that it could no longer guarantee that it would not disclose customer information to third parties, and in the absence of legal or technical means to assure privacy for Amazon customers, we have decided that we can no longer continue our relationship with Amazon," Rotenberg wrote. [EPIC Press Release]

Amazon.com weakened its privacy policy August 31. (2000/8/11) [Infoworld] [TechWeb] [The Register] [Internet Stock Report] Its previous version said that although it did not currently sell or share information about its customers with others, it might in the future, and that you could ask them never to do this by sending email to never@amazon.com. This option has been removed; Junkbusters founder Jason Catlett called it ``a big step backwards.'' (The option remains on the amazon.co.uk site.) Amazon also revealed that it buys information about its customers from other sources and adds this information to its profile, but doesn't let people see the information it keeps about them. Amazon also said that if it goes bankrupt or sells part or all of its company it will sell all that personal information with it. This was clearly prompted by the Toysmart case. Weakening privacy policy is a common trend; a survey by Enonymous indicated that a large percentage of companies change their privacy policies frequently, and that they are generally getting worse.

Separately, Amazon has been experimenting with differential pricing (a.k.a. dynamic pricing, price differentiation, price discrimination), Wired News reported. (2000/9/6) Amazon claimed that it had been assigning different prices to visitors randomly, not based on the information held in its databases about the customers. CNET subsequently reported that Amazon claimed to have abandoned the practice of charging different customers different prices, but the Washington Post questioned some of Amazon's claims. (2000/9/27, p. A1) [AP] In a later survey of dynamic pricing, Jared Blank, an analyst at Jupiter Media Matrix Inc. in New York, told the Wall Street Journal "Amazon.com's biggest mistake was getting caught." (2001/6/21) Few companies will admit to dynamic pricing, but an article in Harvard Business Review titled Price Smarter on the Web described an unnamed online electronics company that regularly charges some customers as much as 20% more than others. (2001/2, p. 125)

Separately, the state of Texas sued the failed Web furniture store Living.com to prevent it from selling customer information, CNET reported. (2000/9/25) In a proposed settlement, Living.com will be allowed to sell names and email addresses, but only after notifying customers and giving them the opportunity to opt out. Junkbusters founder Jason Catlett commented that opt-in should be required; if the email address is no longer valid for example, the customers may have their information sold contrary to their wishes. The Amazon.com-backed Living.com would also destroy all of its customers' financial records such as credit card, bank account and social security numbers. By December the company's web site listed a set of assets to be disposed of by the liquidators, including:

Customer list - Registered purchasers $100 / 1,000 names
``Your personal data is worth about a dime,'' said Junkbusters founder Jason Catlett. According to the New York Times, two companies have bought the list so far: Martha Stewart Living Omnimedia and the Maxwell Sroge Company, a direct marketer.

[Feedback]  Junkbusters criticizes banner ad companies' offer of multi-tracker opt-out

A handful of banner ad companies announced a site for simultaneously opting out of their tracking. (2001/5/25) [AP] Junkbusters founder Jason Catlett said the opt-out model is inappropriate from both technology and policy points of view. The system proposed by online advertisers is to place "opt-out" cookies on the computers of people who indicate they do not wish to be tracked. ``People generally believe that destroying all their cookies will improve their privacy, and do not realize that this step in fact removes the record of their request to be anonymous,'' Junkbusters founder Jason Catlett said. ``Under the NAI's contemptible excuse for their massive surveillance, people will be repeatedly faced with the burden of opting out, and if they fail even once, they are then tracked indefinitely. Furthermore, deleting your cookies won't delete the information that online profilers have already linked and possibly sold along with your name.'' Rather than using the online profilers' opt-out procedure, people can get rid of both the profiling and ads by using ad-blocking software. ``Most people don't want to be watched as they surf. And they don't want to be burdened with stopping it and shouldn't have to opt-out of surveillance from a company they have never heard of.'' Catlett said he was unimpressed by the NAI compliance program to be run by Arthur Andersen, because the standards that the NAI set itself to comply with are at privacy-damaging levels. Catlett said that strong privacy rights are needed for Americans, and that Congress and the states should move to require companies to obtain consent before profiling, as well as giving individuals ongoing control over their profiles.

When the NAI principles were announced in July 2000, EPIC and Junkbusters released a report titled Network Advertising Initiative: Principles not Privacy, in response to the FTC's report sanctioning online profiling. The organizations also sent a letter along with a copy of the report, to the Senate Commerce Committee urging them to examine the proposal. (2000/7/28) [ZDNN/eWeek] [Internet.com] [Internet.com] [ZD] [Reuters] [ZD Interactive Week] [CNET] [Reuters Finance] [American Medical News] [Forbes] [The Street] [Bloomberg] [Industry Standard on the States] In their letter to the Senate, the privacy groups said that the self-regulatory principles proposed by a consortium of online advertisers will not stop unwanted surveillance by Web advertisers, and that legally guaranteed privacy rights are urgently needed. Under the proposal online advertisers can associate names and addresses with extensive online profiles and sell them unless consumers notice a disclosure every time that they enter personal information on a Web form and take steps to "opt-out" of being tracked by multiple online profiling companies. [WSJ] [Washington Post] [NY Times] [Reuters] [PC World] [AP] [Wired] [Industry Standard] [BBC - 1] [BBC - 2] [FTC Announcement] [FTC report]

The Washington Post reported that the online profiling companies were ``gleeful'' at the government approval of their data-gathering plans. Bloomberg quoted DoubleClick's Washington lobbyist, Josh Isay (who has since left the company's permanent employ) as saying the company is ``thrilled with this agreement.'' Junkbusters founder Jason Catlett said that ``It's shameful that the government has sanctioned practically everything that the companies wanted to do.'' Business Week editorialized ``For more reasons than you can count on your fingers, the FTC guidelines represent hardly a squeak in the name of meaningful consumer privacy protection. A roar is required -- and the sooner the better.'' The Industry Standard's lead was ``The Federal Trade Commission has agreed to let the foxes run the henhouse, yet some in the press covered the story as if it were a victory for the hens.'' The Industry Standard cited a sentence from the AP as summing up the whole fiasco: ``The plan takes effect immediately but still contains vague language with few details.''

The NAI principles give the OK for online profiles and browsing data to be sold quite freely and widely. Under Section IV.A.4 (p. 3) the only restriction on sale is that buyers of online profiles follow the Online Privacy Alliance guidelines, which effectively means that the buyer has to post a privacy policy somewhere and offer some kind of choice to opt out of use or further resale by the buyer. Section IV.A.1 requires that profilers not use ``personally identifiable sensitive medical or financial data, sexual behavior or sexual orientation, nor social security numbers...'' The document does not define the distinction between sensitive medical data and non-sensitive medical data, nor between sensitive financial data and non-sensitive financial data, nor what constitutes sexual behavior. Presumably these decisions will be left to the online profilers. Junkbusters founder Jason Catlett commented ``In this deal the government is allowing the sale of names, addresses and email addresses along with online profiles and extensive histories of browsing data without consent of the person being monitored and commercially exploited. Surfers should be outraged.''

The last paragraph of the agreement is the clearest illustration that the companies got the government to agree to whatever they wanted: it says that the companies can change unilaterally the rules within a month, whenever they want, and the government can't say no.

VIII. Amendments to Principles These principles may be amended by a four-fifths vote of the signatories to this document after thirty days prior written notice has been provided to the third-party enforcement program, the Federal Trade Commission and the Commerce Department.
It is unclear whether the FTC or the Department of Commerce were signatories, but even if they were, they would be outvoted by the companies. Junkbusters founder Jason Catlett commented ``This is government of the people, by the corporations, for the corporations.'' ``What part of the word "consent" don't online profilers understand?'' asked Junkbusters founder Jason Catlett. ``Notice is not enough. The presumption that people should be tracked online unless they consistently object is offensive and goes against what the overwhelming majority of people want. What is needed is a law requiring consent before these long electronic dossiers are built about anyone or sold to third parties. The FTC/NAI self-regulatory plan and proposed law both fail to require consent before online profiles are assembled or sold. The government was wrong to give this green light to the surveillance and commercial gossip of online profilers such as DoubleClick. The FTC should have insisted on stronger legal protections including a requirement that the informed affirmative consent of the person being profiled be obtained before a real-world identity is attached to the profile and before it is sold.''

The Network Advertising Initiative had been working on a deal with federal regulators on a self-regulatory framework for online profiling for much of 2000. [Wall Street Journal] [Reuters] [CNET] [Industry Standard] [Industry Standard 2] Stories immediately prior to the FTC announcement: [CNET 2] [Industry Standard 2] In May 2000 privacy advocates repeated their call made to the Federal Trade Commission (FTC) last year to halt online profiling by Internet advertisers pending the development of a proper legislative framework. (2000/5/13) As the FTC testified on the issue before the Senate Commerce Committee, advocates said that legal protections for online consumers are well overdue, and that the lack of robust privacy protection is widely agreed to be stunting the growth of ecommerce. [Press Release] Privacy advocates said that the self-regulatory schemes such as the NAI were unsatisfactory, citing the failure of a similar scheme called the Individual Reference Service Group, to stop the harmful trade in Social Security numbers. Business Week wrote that the stock values of such companies have been slashed as Wall Street waits for the uncertainty over privacy regulations to end.

In June 2000 the Senate Commerce Committee reviewed the practices of Internet network advertisers. [AP] [Newsbytes] [AP 2] [TechWeb] [Heise - German] [Schedule] [Boston Globe] [USAToday on Chairman John McCain] (2000/5/13) A history of this issue is given below. See also Junkbusters founder Jason Catlett's remarks in an earlier debate at the Technology Forum in the U.S. Capitol.

An online privacy bill proposed by two influential senators will be reintroduced this year, Computerworld reported. (2000/5/22) It would require posting privacy policies, keeping information secure, and offering consumers a chance to opt-out of having their information sold to others. [CNN] [IDG] Such a bill was introduced in 2000 by Senator John McCain, (R-Ariz.) and co-sponsored by John Kerry, (D-Mass.) and Sen. Spencer Abraham, (R-Mich.). Junkbusters founder Jason Catlett said ``It's encouraging to see bipartisan support for some privacy measures, and the will to pass a law this session. But Congress should also ask itself whether the American people deserve the right to see the information that companies hold about them, and whether companies should be required to obtain people's permission before selling their personal information.'' The Consumer Privacy Protection Act, introduced earlier, includes these provisions. ``Notice and opt-out isn't helpful when you don't even know the names of the dozens of companies that follow you around online,'' Catlett said.

Separately, Michigan State Attorney General Jennifer Granholm sent legal notices to four commercial Web site companies that use Web bugs. (2000/6/13) [Michigan's Notice] [Michigan on Cookies] [Detroit News] [Wired] [USAToday] State Attorneys General have become increasingly active on privacy, Reuters reported.

In a previous hearing the Committee discussed the Consumer Privacy Protection Act, S. 2606, sponsored by Senator Hollings (D-SC) and others. (2000/5/23) [Industry Standard's tabular comparison] [ComputerWorld] [ZD] It was considered at a meeting of the Senate Commerce Committee. (2000/5/25) The proceedings were broadcast on C-SPAN Extra and C-SPAN radio, and are available from the Senate's Web site in Real Video format. Junkbusters founder Jason Catlett's testimony begins after approximately 2 hours 40 minutes. [SIIA summary] [Arent Fox summary] In his written testimony Catlett praised the bill as ``a landmark work. It makes giant strides towards the wide application of fair information practices across technologies and across market sectors, within a legal framework that will really protect privacy in this country.'' All five Federal Trade Commissioners also testified on their recommendations to Congress. [AP] [PC World] [TheStreet] [TechWeb] [TechWeb 2] [ZD] [Infoworld] [Interactive Week] [Slashdot] [ComputerWorld] [NPR - RealAudio] [Real Video]

Web bugs are near-invisible graphics on web pages used as a surveillance technology by banner ad companies. (Some PR spokesdroids have been trying to push the nicer-sounding phrases such as "Web beacons" or "pixeling".) [Washington Post on Web bugs] [Privacy Foundation Definitions] [USAToday on Web bugs] [Yahoo on Web "Beacons" ] [BBC on Web Bugs] [Intelytics claims 15MM Web Bugs] [Security Space Web Bug report] [WebBug Mailing List] [Industry Standard on Web Bugs] [CNET on Web Bugs] [CNET on Web Bug detectors] [The Register on hostile Web Bugs] [Guidescope on community filtering of Web bugs] A detailed description of the technique and how to detect it has been published by Richard M. Smith and the Privacy Foundation. See also the interaction with HTML mail. Smith has also demonstrated that Microsoft Word documents can be bugged.
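The manual "Page Info" check described for the Honor System graphic, and the web bug technique described here, can both be checked mechanically. The following is an added example, not code from Junkbusters, Richard M. Smith or the Privacy Foundation: it lists images a page loads from a different site and notes which are near-invisible or carry an identifier. Function names, the two-label "site" heuristic, the identifier pattern and the sample HTML (apart from the Amazon tip-box URL quoted earlier on this page) are assumptions.

```javascript
// Added example: flag images that a page pulls from another site, since the
// browser sends that site its cookie as soon as the page loads.

// Approximate the "site" as the last two host labels. A production tool
// would use the Public Suffix List (this heuristic is wrong for co.uk etc.).
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Extract attributes from one tag; handles double, single and no quotes.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per <img> whose source is on a different site.
function findThirdPartyImages(pageUrl, html) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const findings = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!a.src) continue;
    let u;
    try {
      u = new URL(a.src, pageUrl); // resolves relative src against the page
    } catch (e) {
      continue;
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    if (siteOf(u.hostname) === pageSite) continue; // first-party image

    // Heuristic (assumption): a query string, or a long all-caps/digit path
    // segment, suggests a per-page or per-visitor tracking number.
    const longSegment = u.pathname
      .split("/")
      .some((seg) => /^[A-Z0-9]{12,}$/.test(seg));
    findings.push({
      host: u.hostname,
      src: u.href,
      tiny: Number(a.width) <= 1 && Number(a.height) <= 1, // classic web bug
      carriesId: u.search !== "" || longSegment,
    });
  }
  return findings;
}

// Constructed sample page. Only the s1.amazon.com URL comes from the text
// above; the logo and the tracker.example pixel are made up.
const SAMPLE_PAGE = "http://www.modernhumorist.com/mh/0102/tipjar/";
const SAMPLE_HTML = `
<html><body>
<img src="/images/logo.gif" width="200" height="60">
<img src="http://s1.amazon.com/exec/varzea/tipbox/A2R5FXLPVXDKS7/TNSTXZRNSPRXT">
<img src='http://ads.tracker.example/pixel.gif?site=mh' width=1 height=1>
</body></html>`;

for (const f of findThirdPartyImages(SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log(`${f.host}  tiny=${f.tiny}  carriesId=${f.carriesId}  ${f.src}`);
}
```
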

[Feedback]  Proposed law to protect the privacy of schoolkids

The U.S. Senate unanimously approved the Student Privacy Protection Act [PDF] sponsored by Senators Richard Shelby (R-AL) and Christopher Dodd (D-CT), which would require parental consent before a company could extract market research from a child in school. The measure is pending in a House-Senate conference committee. (2001/6/14) [Commercial Alert] [Wired News] Commercial Alert warned parents about NetworkNext, which it says ``uses high schools to gather market research from teenagers, and pitch products to them, without parental consent.'' (2001/7/11)

The Department of Defense announced it will drop its online monitoring of schoolchildren, the AP reported. (2001/1/22) The company selling the data will also stop producing reports for Roper Starch Worldwide, the Wall Street Journal reported. (2001/2/26) The DoD had purchased web surfing data from N2H2 (NTWO), a company that aggregates data on schoolchildren who use its Internet content filters called Bess, the Wall Street Journal reported. (2001/1/26) [MSNBC/WSJ] [WSJ] [Roper Statement] [Commercial Alert on N2H2]

EPIC submitted a series of Freedom of Information Act requests to the Department of Defense to discover what information the agency is collecting on the Internet browsing habits of schoolchildren. (2001/1/26) [Wired]

Ralph Nader's Commercial Alert objected in a letter to Secretary of Defense Donald H. Rumsfeld: "During the Clinton Administration, the Defense Department must have grown confused about its mission. It should spy on national security threats, not our own schoolchildren." (2001/1/29) Commercial Alert, Junkbusters and a broad coalition of other groups successfully opposed ZapMe, a company that gathered marketing information about children.

[Feedback]  Data vendors lose appeal against privacy law

A federal judge has upheld new limits on sales of certain personal credit data, the Wall Street Journal reported. (2001/5/8) [Court's opinion] Judge Ellen Segal Huvelle upheld the government's interpretation of "personally identifiable financial information" in the 1999 GLB financial privacy law, which places some restrictions on sales of such information.

In a similar earlier decision, a federal appeals court rejected credit bureau Trans Union's argument against a law requiring it to obtain permission from consumers before selling lists based on loan information. (2001/4/13) [Court's opinion] [Washington Post] Credit bureaus have a long history of breaking this law, the Fair Credit Reporting Act of 1974. [FTC vs Trans Union, 1998] In June 1999 a different federal judge upheld a $4.52 million award against the company, calling it "reprehensible" for acting "with such callous indifference toward a consumer."

Trans Union claims to have the ``most comprehensive database available for adult Americans.'' Credit bureaus sell a variety of consumer information for various purposes. Junkbusters has a self-help guide for people who want to reduce the amount of data these companies sell about them. Personal data trader Acxiom sells a ``comprehensive marketing data bundle'' called ``(IB)Consumer InfoBase(TM)'s PowerPak(SM),'' that includes information on ``home market value, home equity, age, financial stability information, marital status, estimated income, length of residence, dwelling size, affluence code, credit card holders,'' together with financial information from Trans Union and psychographic information from Claritas. A similar ``data enhancement product'' called INSOURCE is offered by Metromail and Experian. People who don't want its 300 ``data elements'' such as psychographics and car and home ownership sold can write Metromail an opt-out letter.

[Feedback]  Children's online privacy

The FTC announced a settlement with Mrs. Fields Cookies and Hershey Foods for violating the Children's Online Privacy Protection Act (COPPA). [EPIC on COPPA] (2003/2/27) The FTC earlier settled with Lisa Frank, Inc., which operates a children's web site the FTC also accused of violations. [FTC announcement] (2001/10/2)

One year after the Federal Trade Commission rule implementing the COPPA took effect, the Center for Media Education released a report surveying 153 commercial Web sites directed at children under age 13. The CME found broadly positive changes, but some violations. [CME Press Release] (2001/4/19) Separately, the FTC announced three enforcement actions with civil penalties totaling $100,000. [Reuters] [ZD] [Industry Standard]

A different study by the Annenberg Public Policy Center of the University of Pennsylvania found most children's websites are not following all of the FTC requirements. [Press Release] The FTC has held a COPPA compliance workshop to help web sites comply. Various companies have offered consulting, such as Aftab & Savitt and MTN. The Federal Trade Commission approved participation in the Council of Better Business Bureaus' Children's Advertising Review Unit (CARU) as the first "safe harbor" for companies under the Children's Online Privacy Protection Act (COPPA). (2001/2/1) [Newsbytes] [NewsFactor] Privacy and children's groups had opposed CARU's first proposal as too vague and weak, but supported an amended proposal.

Rules implementing the Children's Online Privacy Protection Act (COPPA) took effect April 21, 2000. [AP] [USA Today] [Reuters] [Computerworld] [Computerworld Followup] [Internet News] [Wired] [Wash Times] [Network World Fusion] [NY Times review] [WrestlingTalks.com] [WSJ] [WSJ Followup] The FTC has issued a press release and published a guide to compliance. The Center for Media Education launched a site called http://www.kidsprivacy.org with information on the law. AOL will be deleting the profiles of pre-teens, USA Today reported. [ZD] [CNET] [DM News] Junkbusters founder Jason Catlett said that legal protection of the privacy of adults is also urgently needed. ``This first federal internet privacy law is landmark legislation. Historians of the 21st century may compare it to the abolition of child labor in the 19th Century. The question now is why Americans lose all their privacy rights online when they turn 13.''

The Federal Trade Commission issued its final rules implementing the Children's Online Privacy Protection Act (COPPA) in 1999. (1999/10/20) [FTC Press Release] [Text of Rules] [MSNBC curtain-raiser] [AP] [Wired] [Reuters/Internet News] [TechWeb] [Ecommerce Times] [DM News] [Direct] [ABC News] [Washington Post] [ZDNN] [Boston Globe] [Industry Standard] [Industry Standard - Media Grok] [Computerworld] [Computerworld 2] [LA Times] [SJ Merc] [CNET] [NY Times]

Junkbusters President Jason Catlett commented: ``The FTC did a very diligent job and produced a good set of rules covering a complex range of technology and business issues. They largely resisted industry's attempts to insert huge loopholes into the rules. They should have left out the sunset clause allowing all-email authorization in some circumstances. But overall, it's a blueprint for effective and workable privacy protection. This is the significant American milestone to date in the progress of privacy rights online. From April 2000, web sites collecting personal information about children under 13 are legally required to observe some basic principles of fairness in handling personal information. These principles should be extended to adults. Americans should not lose all privacy rights online the day they turn 13.'' [MediaCentral Quote of the Day]

"Overall, we are pleased with the Commission's actions," said Kathryn Montgomery, Ph.D., president of the Center for Media Education in a joint statement. ``These rules should help guide the development of this powerful new commercial medium.'' Montgomery expressed some caution about a few provisions in the new guidelines that could make it possible for some marketers to circumvent the rules. However, she vowed to work closely with the FTC to ensure that the rules are effectively enforced. ``We will continue to monitor online practices and report potential violations to the Commission.''

Mary Ellen Fise, general counsel for the Consumer Federation of America (CFA), called the new rules ``a privacy vaccination for kids on the Web. They will greatly assist parents in protecting their families' privacy in a medium where commerce is fighting tooth and nail for their online time and information.''

One key point that privacy advocates have been watching for is whether email alone is considered adequate for parental consent (advocates contend it is too easily faked by children). Although the rule generally considers email alone inadequate, it allows this in some circumstances. The FTC says ``For internal uses of information, such as an operator's marketing back to a child based on the child's personal information, operators will be permitted to use e-mail, as long as additional steps are taken to ensure that the parent is providing consent. Such steps could include sending a confirmatory e-mail to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call.'' Privacy advocates consider an all-email system too open to abuse.

A survey of children's attitudes has been published by SmartGirl.com.

The FTC Commissioners' vote on the rules was 4-0. Even Commissioner Swindle, who has a record of opposing privacy protections, voted in favor of the rules. [SJ Merc interview with Swindle] [Wired News interview with Swindle] [Interactive Week on Swindle]

On July 20 the Federal Trade Commission held a workshop on children's privacy. A transcript is available on the FTC's web site. Junkbusters President Jason Catlett participated. [ZDNN] [CNET] [Newsbytes] [Wired] [PC World] [USA Today] [NY Times] [Washington Post]

In April the FTC released draft rules. [FTC Press Release] [Full Document (PDF)] [Washington Post] [NY Times] [ZD Net] [Bloomberg] [LA Times] [Wired] [USA Today]

Junkbusters President Jason Catlett called for the FTC to require companies to keep records for random auditing. [Press Release] Catlett urged parents and pro-family groups who want to protect children from exploitation by marketers to tell the FTC that they want the strictest standards and frequent random audits of companies that collect data about kids. He applauded the Center for Media Education's stand against email being considered adequate for consent. [Cartoon Network Comments] [DMA]

The Direct Marketing Association's VP of Consumer Affairs told Interactive Week "I think it's a bit odd to consider verification done in any medium other than the Internet." (1999/4/21) Junkbusters President Jason Catlett asked how this attitude on the medium was consistent with the DMA's requirement that requests to be added to the DMA's Telephone Preference Service be made in writing by US Mail. Marc Rotenberg, director of EPIC, commented "Consent always comes down to burden-shifting, whether the issue is express/implied, opt-in/opt-out, default, or medium of expression. The marketers will always try to make it as easy as possible to obtain consent."

The bill requiring websites that target children to implement basic privacy protections was signed into law on October 28, 1998. [Expert Analysis from DM News] [TechWeb] [Followup] [USA Today] S2326, the Children's Online Privacy Protection Act of 1998, was introduced by Senators McCain (R-AZ) and Bryan (D-NV). The bill implements the FTC's recommendations for online safeguards for children. Junkbusters supports the bill. We wish adults had such protection too. For more information see the Center for Media Education. [Wired] [TechWeb] [Interactive Week] [CNET]

Robert Ellis Smith, publisher of Privacy Journal wrote in InternetWeek: (1998/9/21)

Imagine if a stranger approached a child in a school playground and started asking for name, address, telephone number and family demographics! We would find that intolerable, and it's also intolerable on the World Wide Web-no ifs, ands or buts.

[Feedback]  Bush makes health privacy rules take effect

President Bush has decided against any further delays in implementing sweeping medical-records privacy rules. (2001/4/12) [HHS Statement] [HHS Rule] [AP] [Reuters] [Industry Standard] [Wired News] The Wall Street Journal reported that administration insiders said Mr. Bush has a strong personal interest in the privacy issue, and that he was adamant that the rules go into effect. Junkbusters founder Jason Catlett praised the move, saying that although the rules still need strengthening, particularly in the use of health information for marketing, the Administration should be commended for not giving in to the HMOs' lobbyists.

Health and Human Services Secretary Tommy Thompson had earlier said he expected to change but not abandon the Clinton administration medical-privacy rules, the Wall Street Journal reported. [AP] (2001/2/28) [Washington Post] Companies have been lobbying hard to try to get the rules weakened or abandoned, the Boston Globe reported. Privacy advocates wrote to President Bush urging that the regulations be implemented as soon as possible. (2001/3/7) [Consumer reports on medical privacy] [AMA]

President Clinton had announced the first federal rules protecting the privacy of medical information. (2000/12/22) [AP] [Reuters] [Gellman in DM News] The rules stem from the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Junkbusters founder Jason Catlett said that the rules ``for the most part follow the structure of legal system of privacy protection that is urgently needed for all personal data, not just health information.'' Catlett praised several provisions of the rules:

  1. Written consent is generally required before using a person's health information (but see marketing uses below).
  2. There are provisions to prohibit the coercion of consent by unfairly conditioning benefits on it.
  3. The rule applies equally to electronic, paper, and oral information.
  4. People will have the right to access their own medical files and to request amendments or corrections.
  5. Employers who administer their own health care plan must not use medical information for anything other than health care. (Known as purpose specificity in privacy law.)
  6. States may pass stricter laws if they want.
  7. People have the right to a ``disclosure history,'' detailing the entities that received their personal data.
The rule has been criticized for allowing medical information to be disclosed to law enforcement too easily. Another area where the rule is not strong enough is the right of individuals to sue companies (particularly subcontractors) that misuse personal data. And widely criticized is the use of health data for marketing. The Bergen Record reported that regulations allow health care organizations not only to market their own services and products, but also to do so on behalf of "a third party." US News and World Report pointed out that ``the regulations go beyond current practice to explicitly permit a patient's medical records to be disclosed to pharmaceutical makers and others doing business with healthcare providers.'' Medical privacy expert Robert Gellman pointed the finger at Section 164.514(e) in DM News: ``Just about all health information can be used for marketing by healthcare providers and by health plans. Further, if a provider or plan can do something with patient information, the provider or plan also can allow others to do it.''

Many businesses have opposed various provisions due to increased costs. The Clinton White House estimated the costs at only a fraction of the savings gained by converting medical records to electronic form, and still a minuscule percentage of the total cost of health care.

[Feedback]  Dick Armey reaffirms his opposition to privacy rights

Republican House Majority Leader Dick Armey (R-TX) wrote another letter to congressional colleagues opposing privacy rights for Americans whose personal information is misused by corporations. (2001/4/9) [CNET] [Reuters] Junkbusters founder Jason Catlett said that ``if Mr. Armey has a sincere desire to stop government abuses of privacy, he should support a permanent federal privacy commission. Privacy advocates have asked for such a commission for years. Unfortunately the Bush administration has gone the other way, eliminating even the weak and limited position of Counselor on privacy created within the Office of Management and Budget under Clinton. Mr. Armey's excuse for staving off privacy rights of Americans is logically flawed,'' said Catlett. ``His argument is that the federal government is a prime violator of privacy, therefore the federal government shouldn't legislate on privacy. Under that reasoning, there would be no copyright law, because state universities are hotbeds of infringement.'' Catlett supported the agenda outlined in a letter responding to Armey by EPIC. (2001/4/9) For people who want to tell Armey to start supporting privacy and stop opposing it, here is a sample letter.

A 2000 congressional report claimed that most federal Web sites fail to measure up to the Federal Trade Commission's standards for Internet privacy. (2000/9/12) [Fox] [Industry Standard] [Reuters] [AP] House Majority Leader Dick Armey issued a statement claiming this was a reason not to require commercial web sites to protect privacy. Junkbusters founder Jason Catlett called the argument fallacious, and said that ``all organizations, online or offline, government or corporate should be legally required to treat personal information fairly: keeping it secure, asking consent before disclosing it, giving each person access to her own information.'' The report correctly points out that this has been required for decades:

While the FTC's [principles] address Internet privacy issues in the commercial sector, federal web sites are governed by specific laws designed to protect individuals' privacy when agencies collect personal information. The Privacy Act of 1974 is the primary law regulating the federal collection and maintenance of personal information maintained in a federal agency's system of records. The act provides, for example, that (1) agencies cannot disclose such records without the consent of the individual except as authorized by law, (2) under certain conditions, individuals can gain access to their own records, and (3) agencies must protect records against disclosure and loss.
The GAO ``concluded that a site provided security if it made any disclosure regarding security,'' which obviously has little to do with it.

[Feedback]  Metromail settles class action suit

The Privacy Times reported that Metromail has settled a suit by an Ohio grandmother who received an obscene and threatening letter from a convicted rapist who keyed data for the company while incarcerated in a Texas prison. (2001/2/19) Under the settlement:

  1. Metromail must notify 2.2 million people that prisoners processed their personal data.
  2. A class administration process will be set up to compensate people who can show they were hurt.
  3. Metromail will screen contractors to ensure they don't use prisoners.
  4. Metromail will disclose in its surveys how it intends to use the information, and honor opt-out requests.
  5. A fund will be set up to promote consumer privacy.
The New York Times had earlier reported on the extent of Metromail's data about consumers. (1997/5/12, p. 1)
But when Metromail executives wanted to know more about the woman suing the company, their task was simple: They turned to the company's own massive consumer data base, and retrieved more than 900 tidbits of Ms Dennis's life going back to 1987. Laid out on 25 closely printed pages of spreadsheets were not only her income, marital status, hobbies and ailments, but whether she had dentures, the brands of antacid tablets she had taken, how often she used room deodorizers, sleeping aids and hemorrhoid remedies.
People who want to reduce the amount of their personal data handled by this company can send letters to Metromail [sample] and other companies.

[Feedback]  Junkbusters calls on lawmakers to investigate profiling companies

Junkbusters founder Jason Catlett wrote to the co-chairs of the bipartisan Congressional Privacy Caucus asking them to investigate online profiling companies, following recent developments including DoubleClick's security breaches and Microsoft's surveillance-friendly browser. [Text of Letter] [Internet News] (2001/3/29) Catlett also released an open letter to DoubleClick calling for publication of security audits following its multiple break-ins, and an open letter to Microsoft criticizing the cookie defaults on its new browser.

[Feedback]  Privacy research laboratory criticizes TiVo

The Privacy Foundation issued a critical report on the information practices of personal video recorder manufacturer TiVo (TIVO). (2001/3/26) [AP] [Slashdot]

[Feedback]  Junkbusters slams profilers' refusal to show profiles

In a letter replying to the refusal of two trade associations and one of the biggest personal data vendors, Junkbusters founder Jason Catlett harshly criticized their refusal to show the public what its profiles look like. (2001/3/12) The FTC ran a Public Workshop on consumer profiling titled The Information Marketplace: Merging and Exchanging Consumer Data. (2001/3/13) [FTC Info Page] [Industry Standard] The workshop will examine consumer profiles online and offline. Junkbusters had earlier sent a letter to the heads of leading profiling companies asking them about the publication of their profiles at the workshop. [Wired News] [E-Commerce Times] [Newsbytes] [Heise - German] (2001/2/27) Junkbusters founder Jason Catlett explained the reason for this: ``At the previous workshop on profiling, not a single profile was displayed by the many companies presenting. It would be very odd for a conference on say, crustaceans or porcelain, not to have a single specimen or photograph of the subject matter, but in Washington policy can somehow get discussed without a real picture of the topic. We want to get companies to be open and honest about what profiles they have on people. They have refused, and the only conclusion is that they have something to hide.''

The workshop appears to be partially in response to a request by a highly influential U.S. Senator for the FTC to review a proposed standard for exchanging consumer profiles. (2000/12/5) [Shelby Letter] [Newsbytes] Senator Richard Shelby said in a letter he was ``troubled that insufficient attention has been given to the negative ramifications that the use of this exchange will have on the privacy of American consumers.'' Shelby, who has had multiple citations in Junkbusters Awards for Privacy in Commerce, is perhaps most admired for the Drivers' Privacy Protection Act, which requires DMVs to obtain the consent of individuals before selling data about them for marketing purposes. In 2000 Shelby introduced the Freedom from Behavioral Profile Act, which did not pass. The profiling project came to Shelby's attention in a story by Washington Post reporter Robert O'Harrow Jr., whose stories have many times moved lawmakers to action. (2000/12/4, p. E01) [More on CPEX from CNET] The proposed standard is now called CPExchange (Customer Profile Exchange, previously CPEX). It was begun more than a year ago. [Reuters] [Internet News] [Forbes.com] [NPR Audio] [Computerworld 2000/6] An earlier proposed standard called ICE aimed to facilitate the exchange and sale of personal information between companies, Wired News reported. More Internet history: the now moribund Open Profiling Standard.

The Federal Trade Commission and the Department of Commerce previously held hearings on online profiling. (1999/11/8) Comments submitted by Junkbusters are available here. [Agenda] [Transcript] As is customary at these hearings, an industry-sponsored survey by Privacy and American Business was produced to show that people don't really mind, with the implication that legislation is not needed. [USAToday.com] [AdWeek] Junkbusters founder Jason Catlett released an analysis of the report showing how ``the conclusions were based on an untenable interpretation of the questions actually asked and should be dismissed.''

[Feedback]  Banner ads get bigger, creep onto government sites

The Internet Advertising Bureau, which among other things sets de facto standards for banner ad sizes, announced new bigger sizes for ads. (2001/2/26) [CNET] [Reuters] [FT] Junkbusters founder Jason Catlett commented: ``As banner ads become ever larger and more intrusive, more people are turning to banner ad filtering software to reduce browser junk and regain some peace, quiet and privacy online.'' SatireWire ran a story headlined ``Net advertising opponents say online ads too intrusive - save 10% on your first purchase right now at egghead.'' The New York Times quoted Scott Kurnit of Primedia as saying "Too many people involved with the Internet have been too shy about advertising. The ads are too small and not intrusive enough." (2001/3/17)

Separately, more government web sites are accepting banner ads, Reuters reported. (2001/3/2)

Separately, AOL admitted its intention to place third-party banner ads on its ICQ instant messaging software, CNET reported. (2001/2/26) Predictably, someone has built an ICQ Bannerkiller.

[Feedback]  Domain name registrar criticized over sale of personal information

Network Solutions has been criticized for selling marketing information about the registrants of domain names, many of whom are individuals. (2001/2/14) [Vortex] [WSJ Public] [WSJI] The company may be in violation of European law, Interactive Week reported. (2001/2/22) EPIC wrote a letter to several members of Congress urging them to ``examine whether this sale is currently permissible and if so, whether it is therefore necessary to adopt new legislation to safeguard the information that is provided by Internet users and companies as a condition of registering a domain name.'' (2001/2/16) A study by ICANN of privacy issues in the Whois database has been launched. [Newsbytes/USAToday] (2001/6/12)

[Feedback]  Privacy Coalition presents Privacy Pledge to Congress

The Privacy Coalition, a coalition of consumer, civil liberties, educational, library, labor, and family-based groups, presented its Privacy Pledge to Congress as the standard for future protection of privacy. [News Release] (2001/2/12) [AP] [Reuters] [TechWeb] [Industry Standard] [MSNBC] [LA Times] [Newsbytes] [TechLaw] The Privacy Pledge includes commitments to Fair Information Practices, independent enforcement and oversight, promotion of genuine Privacy Enhancing Technologies, and strong federal law without preemption of further state protections. The broad nonpartisan Coalition ranges from the United Automobile Workers of America (UAW) to the conservative Eagle Forum. Junkbusters is also a member. Junkbusters founder Jason Catlett commented: ``It's common wisdom that Congress will pass some kind of privacy law this year. The important question is whether it will be a weak bill that doesn't really protect privacy or a strong one that does. Members who take the pledge are committing to a strong bill. The pledge is a way of distinguishing those who give lip service to privacy, but cave in when a counterpoint appears, and those who really want to stand up for it.''

Senator Bill Nelson (D-FL) was the first senator to endorse the pledge. (2001/2/20) In his recent election campaign, the Senator emphasized his intent to take affirmative steps to protect the privacy of Americans.

Rep. James Moran (D-VA) dismissed the Coalition's call for consent before using personal information, saying it would "arrest private-sector development," CNET reported. [Contact Moran] Separately, Moran and Asa Hutchinson (R-AR) are expected to reintroduce their bill to create a privacy study commission to think about the issue for 18 months. Privacy advocates opposed and defeated the bill last year as a waste of time. Junkbusters founder Jason Catlett called it a ``Privacy Procrastination Bill.''

An industry lobbying group confusingly called the National Consumer Coalition's (NCC) Privacy Group issued a response saying that companies should not be required to follow Fair Information Practices because it would cost them money. Even a requirement to state "how information is collected and used is, at best, unnecessary," the lobbying group said. Consumers concerned about their privacy can pay for additional services, according to the NCC. The NCC includes the Competitive Enterprise Institute, which opposed the investigation of Amazon.com on charges of deception. Junkbusters founder Jason Catlett commented: ``The NCC's message is plain: businesses shouldn't have to incur costs for privacy, but it's OK for consumers to. They want businesses to be able to continue to use personal information unfairly, to be able to damage the privacy of individuals without any burden or legal consequences. Furthermore the NCC mischaracterized the Privacy Coalition's standard, which is far stronger than the FTC's weak version of Fair Information Practices.''

Separately, watchdog group Privacy International held the Orwell Big Brother Awards 2001 on March 7, 2001 in Cambridge, Mass. at the 2001 Computers, Freedom and Privacy Conference. [NewsFactor] Winners included the FBI for Carnivore, the City of Tampa for video surveillance at the Super Bowl, and personal data vendor ChoicePoint (CPS). [Privacy Foundation on ChoicePoint] [ChoicePoint on access] [Wired News on ChoicePoint's Data Spill]

[Feedback]  Microsoft flaw enables email wiretapping

The Privacy Foundation has publicized a security hole in Microsoft Outlook ``that enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add,'' the New York Times reported. (2001/2/5) As is almost always the case, the cure is to disable active scripting. The flaw was reported to Microsoft in 1998, but the company apparently didn't bother to fix it. A Microsoft spokesperson was quoted as giving the implausible excuse that the company is only trying to provide the user with more options. Separately, Microsoft announced its new versions of Office would be called Office XP. Xtremely Porous? During the preview of XP, Microsoft delivered the wrong passwords to some people, and accidentally allowed others to download the preview for free. (2001/7/13) [CNET] [PC World]

Separately, SatireWire.com reported that ``foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.''

[Feedback]  Personalization Consortium proposes privacy principles

The Personalization Consortium, a ``group of companies formed to promote the responsible and beneficial use of technology for personalizing consumer and business relationships,'' issued a set of privacy principles and guidelines for third-party privacy audits. (2001/1/31) [Personalization Consortium Press release] [Computerworld] Junkbusters founder Jason Catlett said that while the principles fall short of the OECD's principles of fair information practice in points such as purpose specificity, the proposals are an improvement over those of the anti-privacy-rights Online Privacy Alliance. Catlett praised the audit requirement and the option to delete personal information, which companies such as Amazon have refused to do. Catlett criticized the redefinition of the word "consent" to include "notice and an opportunity to opt-out," saying that affirmative, deliberate and informed consent should be required for most data collection, processing and disclosure. He also questioned the qualification of people's access to their information by the word "reasonable" and the phrase "subject to legal, technological or security constraints."

[Feedback]  Nortel Networks admits Web surveillance and targeting product can damage privacy

Nortel Networks Corp. (NT), a Canadian supplier of networking products and services, announced new technology that will allow communications carriers and Internet-service providers to better track Internet users' interests. (2001/1/30) [WSJ] [AP] [CNET] [TechWeb] [Interactive Week] [Nortel News] Reuters reported that ``The new products will assess an individual's preferences and decide what information is needed.'' The Journal reported Nortel as saying that it ``would help phone carriers and service providers to sell customized content to subscribers,'' quoting Nortel executive Dominic Orr as saying that it would allow ``an Internet ad to appear on the screens of Web surfers just in a particular geographic area, or to those who have displayed an interest in, say, fishing.'' Junkbusters founder Jason Catlett commented:

ISPs and telcos should not be monitoring where their customers go online to build up a profile of them for targeted advertising. They are carriers, like the post office, and they have no right to spy on their customers, just as phone companies have no right to look at the kind of businesses people call in order to decide which telemarketers to sell their numbers to. Most people loathe this kind of surveillance, as DoubleClick learned the hard way. The law protects phone calls from this kind of intrusion, but hasn't caught up with the Internet.

Nortel's position on this seems to be inconsistent. A spokesperson told Newsbytes/Washington Post that privacy groups ``had misrepresented the company's technology, which Nortel says simply allows an ISP to determine the connection speed of a given user's device so that, for instance, a Web site does not attempt to send a streaming video to a user's handheld device.'' The same day another spokesperson conceded to Reuters that ``its new technology for Internet service providers would enable them to secretly track customers' online movements.'' (2001/1/31) Spokesman David Chamberlin added that ``they would be unwise to do so.'' However, Nortel's own press release seems to suggest, in vague jargon, that ISPs can make money from this kind of thing: ``Nortel Networks Shasta Personal Content Portal empowers service providers at the subscriber edge to participate in the lucrative content delivery market by offering personalized content services, introducing new service models and revenue opportunities.'' Newsfactor reported that ``The technology can also target advertisements to that same user based on past credit card history or previous Web surfing habits.'' Nortel's own description of its Personal Internet reads: ``Imagine a network that knows who you are, where you are, and can reach you whether you're on your mobile phone or at your desktop. Even better, imagine instead of finding your Web content, it finds you. Sounds personal.'' Catlett retorted: ``Sounds awful. Sounds like spam. Sounds like surveillance. Sounds intrusive. Sounds like Nortel needs to start thinking about privacy.''

In response to a question by Catlett during their conference call, Nortel executives stated that some people are happy to have targeting if they get a benefit, and that their technology is flexible enough to be configured to monitor some but not others. (It is true that some free ISPs such as NetZero monitor where their users surf in order to target ads at them, but this is not something that most people want.) Nortel Executive Anil Khatod told the Associated Press that ``you can negotiate with your service provider as to how much privacy you want.'' (2001/1/31) Catlett commented that consumers should not have to negotiate with their ISPs in order to stop them recording where they surf. The Electronic Communications Privacy Act (ECPA, 1986) prohibits disclosure by ISPs of data to government entities, but not non-governmental entities, a loophole that privacy advocates have long lobbied to have fixed. Consumers can use software such as ZKS Freedom to prevent ISPs from monitoring their movements, but they should not have to do so, Catlett said. ``Nortel's technical babble about technology for preferences is just a long-winded way of saying that there'll be a switch to turn off the surveillance. Well we don't want a switch for this feature, because the feature shouldn't be there in the first place.''

The day after Nortel unveiled its surveillance service, it announced a "joint technology and marketing alliance" with AOL Time Warner, the world's largest ISP, which itself has a checkered history on privacy. (2001/1/31)

Separately in the same week, several members of Congress addressed the issue. Sen. John Edwards (D-NC) reintroduced a bill, S.197, that would require Web sites to get permission from visitors before tracking their movements online, Reuters reported. [Edwards Press Release] [Newsbytes] And in a news conference the bipartisan Congressional Privacy Caucus said that federal privacy laws were needed to address growing public concerns about electronic surveillance, Reuters reported. (2001/2/2)

[Feedback]  Sequencing snafus spill data from IRS, AmEx

The IRS sent tax documents including sensitive information such as Social Security Numbers to the wrong people, the San Jose Mercury News reported. (2001/1/26)

In a separate but similar mistake, some 401(k) financial statements issued by a subsidiary of American Express were sent to the wrong employees, the Washington Post reported. (2001/1/24, p. E1) A similar ``sequencing snafu'' was made in 1997 by credit reference company Experian when they introduced online access to credit reports.

[Feedback]  FTC drops investigation of DoubleClick

The Federal Trade Commission closed its investigation of the information practices of DoubleClick, saying in a letter that the company does not appear to have violated its privacy policy. (2001/1/22) [WSJ - Public] [WSJ - Subscribers] [CNET news.com] [DCLK Statement] [Industry Standard] [NY Times] [AP] [IDG/Infoworld] [The Street] [Internet News] [Reuters/CNN] [Internet News] [NY Times Followup on "anonymous" profiles]
Junkbusters founder Jason Catlett commented:

DoubleClick seems to have convinced the FTC that it did not actually associate names and addresses with its previously anonymous cookies, despite the fact that this was their stated intention prior to their backdown in March. Even assuming that DoubleClick did not actually get around to matching up any of its massive stockpiles of online and offline data, they are still technically able to do so, and they continue to collect huge amounts of identified and identifiable information in ways that are unfair and unacceptable violations of privacy. And the practices of DoubleClick and other ad companies could go from bad to worse at any time, particularly in the case of competitors who have been quieter about what they do and subject to less scrutiny. The FTC's action did not respond to the relief requested in EPIC's complaint, that DoubleClick be permanently enjoined from linking cookies to names without consent. It's deplorable that there is still no law restraining these enormous databases of clickstreams and transactions. The FTC's investigation resembles a hypothetical case where the police cleared a company called the Molotov Cocktail Lounge after finding warehouses full of empty bottles and stolen gasoline -- in a country where theft and arson aren't illegal unless the perpetrator promised not to steal or incinerate particular goods.

Here is a forward chronology of the key events in the history of DoubleClick on privacy:

  1. 1999/6/14: DoubleClick and Abacus Direct announce merger plan. Privacy groups oppose the merger and call on the companies to abandon it or face a campaign.
  2. 1999/11/23: Merger completes.
  3. 1999/12: DoubleClick changes its privacy policy.
  4. 2000/1/25: USAToday.com reports that DoubleClick has signed up some web sites to provide names and addresses to be "synchronized" with cookies.
  5. 2000/2/10: EPIC files a complaint with the FTC against DoubleClick.
  6. 2000/2/14: Investigations by the FTC and others are revealed. DoubleClick holds a press conference to announce a weak package of changes, without mentioning the investigations.
  7. 2000/3/2: After a "firestorm" of criticism, DoubleClick announces a moratorium on tracking by name.
  8. 2000/7: The FTC approves a set of industry-proposed principles on online advertising; privacy groups denounce them.

The following reverse chronology gives more details and references.

CNET News.com reviewed the state of Doubleclick and privacy. (2000/12/12) [Also: Red Herring]

Mark Boal reported in Brill's Content about how Doubleclick tracks visits to porn sites. (2000/7)

The Economist reported of Kevin O'Connor: ``in July, he paid a price for this -- ceding the job of chief executive, although he remains chairman.'' (2000/11/11, p. 80)

DoubleClick appointed a privacy advisory board. (2000/5) [Wired] [Slashdot] Junkbusters founder Jason Catlett said that ``few or none of the board's members have a record of privacy advocacy.'' DoubleClick previously appointed Jules Polonetsky, formerly consumer affairs commissioner to New York City Mayor Rudolph Giuliani, as its Chief Privacy Officer. (Polonetsky left the position in April 2002.) [CNN] [CNET]

DoubleClick CEO Kevin O'Connor announced a moratorium on tracking by name. (2000/3/2) [DoubleClick Statement] ``We commit today, that until there is agreement between government and industry on privacy standards, we will not link personally identifiable information to anonymous user activity across Web sites.'' [USAToday.com] [USAToday column] [Internet News] [CNET] [Reuters] [AP] [SJ Merc - Gillmor] [Reuters - Satran] [NY Times] [Upside] [MSNBC] [WSJ] Junkbusters founder Jason Catlett welcomed the move. ``DoubleClick's moratorium on personal identification of profiles should not be seen as the end of a company-specific issue but rather as a milestone in a long-overdue process of developing a suitable legal framework for online profiling.'' [Wired review]

Public opinion converged on a consensus that DoubleClick's current and intended operations were unacceptable. (2000/2) [WSJ analysis] [Newsweek] [NY Times Editorial]

DoubleClick is the subject of inquiries by state and federal agencies, as well as two previously unreported civil suits. (2000/2/15) The Washington Post quoted Michigan's Attorney General as saying that she will file suit against DoubleClick under that state's consumer laws, calling DoubleClick's consumer monitoring "a secret cyber-wiretap." "Forget Big Brother. Truly, 'Big Browser' appears to have arrived in the form of an Internet corporate giant." [Reuters 2] [Reuters] [Ecommerce Times] The legal notice given by the Michigan AG called DoubleClick's opt-out system "an inadequate and unacceptable substitute for a consumer's knowing consent to allow DoubleClick to collect, compile, analyze, and use confidential, personal information. DoubleClick's opt-out alternative violates the Michigan Consumer Protection Act," Internet World reported. [USAToday] [CNET] [WSJ/DJ] [NY Times] [ZDII] [CNNfn] [CNET] [Internet News] [Internet News 2] [TheStreet] [TheStreet 2] [Newsbytes] [CNNfn] DoubleClick's initial disclosure was found amid the details of a lengthy amended registration statement to sell 7.5 million shares of stock that was filed with the SEC on Feb 14, Reuters reported. The FTC also said in a statement that the agency was conducting ``a routine inquiry of DoubleClick, Inc., to determine whether it has engaged in unfair or deceptive practices in violation of Section 5 of the Federal Trade Commission Act.'' The AP reported that New York State Attorney General's office had also launched an inquiry.

``It's good to see that the FTC is scrutinizing DoubleClick under its authority against unfairness and deception,'' said Junkbusters founder Jason Catlett. ``But we also urgently need a better law to stop ad networks from slapping electronic name-and-address labels on the majority of Americans online. Informed consent should be required, and full access to the profiles should be available.''

DoubleClick announced a site called http://www.privacychoices.org ``to increase consumer's awareness of their choices on the Internet.'' (2000/2/14) Privacy groups dismissed the program as window-dressing. [Reuters] [NY Times] [USAToday] [WSJ] [Wired News] [AP] [Bloomberg] [SJ Merc - Gillmor] [The Street] [SF Chronicle] [Industry Standard] [Newsbytes] [Internet World] [LA Times] [CNET] [MSNBC] [PC Week] Junkbusters founder Jason Catlett said that ``DoubleClick's excuse that people can "opt-out" of their surveillance is grossly inadequate. Most people aren't aware they are being tracked. DoubleClick's line that consumers should request an "opt-out cookie" is like telling homeowners who don't want salesmen entering their homes unannounced to hang out a "please do not disturb" sign instead of locking their doors. A more reliable way for surfers to protect themselves is by using software that completely blocks profile-based advertising networks from reaching their Web browsers.''

Electronic sleuth Richard M. Smith unveiled a new report titled What are banner ads saying about us?

George Mannes of TheStreet.com commented of DoubleClick's banner ads for its http://www.privacychoices.org site that ``rather than something like, "Click here to find out how online advertisers are using information about you," or some other throat-grabbing call to action, an initial banner in the campaign, launched Monday, was the bland and mysterious, "PrivacyChoices/Your resource for online privacy information/click here."''

The Electronic Privacy Information Center has filed a complaint with the Federal Trade Commission against DoubleClick. (2000/2/10) [Reuters] The complaint asked the FTC to order DoubleClick to ``obtain the express consent of any Internet user about whom DoubleClick intends to create a personally-identifiable record, and to develop such means as are necessary to ensure that the user has access to the complete contents of the record.''

A survey of a panel of ecommerce executives judged that DoubleClick's decision to start associating names and addresses with cookies will have a negative effect on ecommerce.

DoubleClick routinely claims, based on a survey it sponsored, that consumers approve of individually targeted ads. The survey contains leading questions and other interpretative flaws that allow it to conclude that people are happy to be tracked.

Several suits have been filed against DoubleClick over privacy, Internet News and Bloomberg reported. (2000/1/27) [CNET] [InfoWorld] [PC World] [ZD] [LA Times] [NY Times]

DoubleClick has been widely criticized since a story in USAToday.com. Prominent newspaper columnists commenting include Hiawatha Bray of the Boston Globe and Dan Gillmor of the San Jose Mercury News, who said ``[t]his latest outrage raises a question: Is anyone awake at the Federal Trade Commission? Apparently not.'' He also heaps scorn on DoubleClick's opt-out procedure. [USAToday editorial] Slashdot says DoubleClick asked it not to link to the USAToday.com story and said that the information in it was false. Slashdot said it refused, but offered DoubleClick the opportunity to state its rebuttal. The Industry Standard commented that DoubleClick's ``refusal to reveal the participating companies has raised eyebrows. Many suspect that DoubleClick knows people would be upset and take action if they knew the parties involved.'' Other commentary: [Red Herring] [PC World] [SJ Merc] [SJ Merc 2]

Doubleclick has signed up some web sites (whom they refuse to name) to provide names and addresses to be "synchronized" with DoubleClick cookies, USAToday.com reported. [CNET] [SlashDot] [Boston Globe] [MSNBC/ZD] [Seattle Post-Intelligencer] [Heise - German] (2000/1/25) ``If the DoubleClick model prevails, the anonymity that most people now enjoy as they move around the Web will largely be destroyed,'' said Junkbusters founder Jason Catlett. ``If you've given your name to a single site in an ad network, you'll run the risk that you'll automatically be identified by the network at any of their other tens of thousands of sites that you visit in the future. Almost everyone wants to be anonymous until they wish to identify themselves. Doubleclick shouldn't be allowed to get away with this massive seizure of personal data and identity.''

What can individuals do?

  1. Use banner-blocking software such as the Internet Junkbuster or other products
  2. Tell your State or federal representatives that you want strong privacy rights to stop your personal data being used without your consent.
  3. Send Abacus/DoubleClick a letter like this one telling them not to identify you. (DoubleClick's ``opt-out cookie'' applies only to a particular computer, and cookies have a limited lifetime.)

``For years DoubleClick told the public that cookies do not identify them personally,'' Catlett said, pointing to part of DoubleClick's former privacy policy.

DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous. Since we do not have any information concerning names or addresses, we do not sell or rent any such information to third parties. Because of our efforts to keep users anonymous, the information DoubleClick has is useful only across the DoubleClick Network, and only in the context of ad selection.

``DoubleClick quietly changed their privacy policy,'' Catlett continued. ``They previously said that identification would be performed only with permission. But now they are saying they will identify people on an ``opt-out'' basis, which isn't permission. Privacy groups will petition the FTC to stop this deceptive practice, as we previously warned DoubleClick that we would if they attempted this.''

In November 1999 privacy advocates sent an open letter to managers of six leading socially responsible mutual funds, asking them not to invest in online advertising network Doubleclick and junk mail database company Abacus Direct. (1999/11/19) Smith Barney's fund's prospectus for example includes the ``responsibility and fairness of advertising and marketing practices'' as a social factor they consider. The two companies voted to complete their merger November 23. [Press Release] [Reuters] The advocacy groups also held meetings Monday November 22 with Federal Trade Commissioners discussing the merger and the need to restrain the online advertising industry. [CNET]

``This merger is the most dangerous assault against anonymity on the Internet since the Intel Processor Serial Number,'' said Junkbusters President Jason Catlett separately. ``By synchronizing cookies with name and address from email, registrations and ecommerce transactions, the merged company would have a surveillance database of Orwellian proportions.''

Soon after the merger was announced, privacy advocates sent an open letter June 21 to the CEOs of Doubleclick and Abacus, calling on them to abandon the proposed merger. Copies of the letter were also sent to select members of Congress and to staff of the Federal Trade Commission. [Reuters] [CNET] [Internet World] [IW 2] [New Media] [NY Times] [Wired] [DM News] [Heise (German)] [France.Internet.com (French)] [Industry Standard] [Search Yahoo] [The Opinion] [TechWeb] [Seattle Post-Intelligencer] [SF Chronicle] [Search Newsindex]

Privacy advocates sent an open letter 6/29 to the stockholders of Abacus Direct urging them to disapprove the merger and to demand disclosures from the companies on the privacy-related risks of the merger. [Wired] [CNET] [Intelligent Enterprise Mag]

Previous coverage: [MSNBC] [Wired] [CNET] [CNET2] [Industry Standard] [IS 2] [Direct Newsline] [USA Today] [Bergen Record]

Related links:

  1. A sample letter requesting deletion from Abacus's databases.
  2. Junkbusters' 1998 comments on Abacus before the Department of Commerce
  3. DoubleClick's Press Release on the merger.
  4. DoubleClick's S-3 filed with the SEC 1999/5/20 (See under headings "Government Regulation and Legal Uncertainties" and "Privacy Concerns")
  5. On 6/23 Analysts at Janney Montgomery lowered their rating on the company from 'buy' to 'accumulate'. [Reuters] [Yahoo upgrade/downgrade history]
  6. Doubleclick vice president David Rosenblatt told CNET news.com that the company has the "physical ability to generate those [central] reports," but noted that "we absolutely do not and never will." He also claimed the company does not attach a person's name or other identifying information to cookies it issues, but failed to say that this would never be done. (1999/8/20)

In September 1999 DoubleClick filed suit over ads run by its competitor AdForce claiming that DoubleClick has given confidential information about its customers to their competitors. "You've just been Double Clicked," say the ads. [Interactive Week] [CNET] AdForce subsequently continued with modified ads, CBS Marketwatch reported. The companies later settled with a stipulated injunction.

DoubleClick was rumored in October to be negotiating to buy rival 24/7 Media. Privacy advocates have opposed DoubleClick's earlier merger plans with Abacus Direct due to the potential for linking online and offline data through names and addresses of consumers. This is something that 24/7 appears to already be doing. 24/7 Media's SEC filings state that the company is ``developing our Profilz database to collect data derived from user activity on our networks and from other sources.'' Junkbusters President Jason Catlett said that ``DoubleClick's feeding frenzy must not continue to eat away Internet privacy.'' [Internet News on Naviant] [Interactive Week on CMGi consolidation to AudienceNet]

At the FTC's hearings on online profiling in November 1999 privacy groups called for an immediate halt to the practice. Andrew Shen, Policy Analyst at the Electronic Privacy Information Center (EPIC) said that ``The lack of government action continues to place the average user -- unaware of the tracking and surveillance technologies at work -- at the mercy of companies that often abuse their privacy.''

Separately, Dr Koop's web site has required pharmaceutical companies that buy advertising on drkoop.com to agree not to attach cookies to those ads, AP reported. The move seems to follow a report on privacy on medical sites. [Industry Standard] [Wired] [NY Times] [Washington Post]

[Feedback]  Bankruptcy judge approves subsidized destruction of Toysmart customer database

Federal bankruptcy judge Carol J. Kenner approved an agreement under which Toysmart.com will destroy all customer data, Internet News reported. (2001/1/30) A subsidiary of Walt Disney Co. offered to pay $50,000 for Toysmart.com to destroy its customer list, and the company agreed to accept this in bankruptcy court. (2001/1/9)

The judge earlier rejected Toysmart's agreement with the Federal Trade Commission on restrictions on suitable buyers for its Web site customer list. (2000/8/17) [AP] [AP/CNN] [Reuters] [WSJ] [Industry Standard] [Infoworld] [DM News] ``I concur with the creditors' committee opinion that to restrict the sale to a particular type of buyer is counterproductive to the interests of the estate,'' Judge Kenner said, noting that there was no buyer. She said that the restriction that the buyer be a "family-friendly" company is too vague. [Bankruptcy court filing] Junkbusters founder Jason Catlett said that the case demonstrates that current US law does not adequately protect privacy. ``Lobbyists against privacy laws have for years been telling Congress that consumers should be careful only to give their personal data to companies that promise to keep it confidential,'' Catlett said. ``This case shows that those promises can evaporate with the company's solvency, and that people have little legal recourse once they hand over their data. The US urgently needs a comprehensive privacy law to cover this and many other inadequacies. Everyone should have the right to tell a company or the company's receiver to destroy their data, and there should be a legal requirement to comply.''

Separately, The Dept of Justice, Dept of the Treasury and the Office of Management & Budget (White House) have sought public comment for a study on Privacy and Bankruptcy. [Call for comment] [ZD Interactive Week] (2000/7) Catlett said that rather than changing the bankruptcy code, encoding some simple privacy principles into law would cover this and many other problems. ``Information collected for one purpose should not be used for a different purpose without the affirmative consent of the person concerned. It's perfectly appropriate for a toy retailer, bankrupt or not, to sell its business and database to another toy retailer, but it shouldn't be allowed to sell its customers' phone numbers to telemarketers unless they consent to this.''

The Federal Trade Commission had approved a settlement that would allow Toysmart.com Inc. to sell its customer list in bankruptcy proceedings provided the buyer agrees to abide by the Internet retailer's previous privacy promises. (2000/7/21) The FTC had earlier sued to stop the sale. Massachusetts and 38 other states had also asked a federal court to stop the sale. The FTC also claimed Toysmart had violated COPPA. [FTC Announcement] [CNET] (2000/7/10) [Reuters] [Atlanta J-C] [CNN] [Industry Standard] [WSJ/MSNBC] [USAToday on TRUSTe] [PC World] [Boston Globe] [PC World 2] The Waltham, Mass-based Toysmart had told customers that their personal data would "never be shared with a third party." The data was reported to include 250,000 names, addresses, billing information, credit card numbers, shopping behavioral information and family profiles with the names, age, gender and birth dates of children, and their toy preferences.

The FTC's move follows press reports of other troubled online merchants such as Value America Inc., Boo.com and Craftshop.com, and questions about what has happened to their consumer data. Bankruptcy court documents filed by APB Online, which is under Chapter 11, include a "registered user" list of 65,000 names, e-mail addresses and corresponding zip codes, Dow Jones reported. (2000/8/24) Toysmart was a licensee of TRUSTe, which objected to the sale. [CNET] [Industry Standard]

Dow Jones reported that Walt Disney Co. owns 60% of Toysmart stock and controls three of five board seats. Disney has offered to buy the list, according to the AP. ``If the bankruptcy court ... allows us to purchase the list, we will do so, and retire the list,'' Disney said. ``If we are not allowed to purchase the list, we will urge the court, as the Federal Trade Commission has, to permit a sale only to a purchaser of all the assets of Toysmart who will maintain the confidentiality of the information contained in the list.'' (2000/7/11) Junkbusters founder Jason Catlett said that the case illustrates the inadequacy of the attempts to protect privacy using laws against fraud. ``There was no fraud here: Toysmart intended to maintain their customers' privacy, just as they intended to pay their creditors. When a bankrupt company is handed over to the receivers, all contracts are abrogated, most likely including its commitments of privacy.''

The Consumer Privacy Protection Act includes an amendment to the bankruptcy code to restrict the use of consumer data. Reps William Delahunt (D-Mass) and Spencer Bachus (R-La) have introduced legislation on this topic, as have Senators Patrick Leahy (D-Vt) and Robert Torricelli (D-NJ). [Newsbytes] [AP] (2000/7/12)

[Feedback]  Year 2000 in Review

The Privacy Foundation listed its top ten privacy stories of 2000. Included are workplace privacy, health privacy rules, DoubleClick, Amazon, Financial privacy, and Microsoft's cookie patch.

[Feedback]  Legal action over Toysrus.com and Coremetrics

Records from Toys R Us's Internet division have been subpoenaed by New Jersey's Division of Consumer Affairs, the AP reported. [CNET AP] (2000/12/12) The company has been under scrutiny over personal data collected by data-analysis firm Coremetrics at the Toysrus.com site.

A dozen lawsuits seeking class-action status have been filed, according to the AP. Soon after the first, the site announced it was discontinuing its ``trial arrangement.'' [Bloomberg] The suit follows the publication of a report by InterHack. [Wired] [Industry Standard] [CNET - 1] [CNET - 2] Junkbusters founder Jason Catlett wrote the following analysis. (2000/8/8)

Toysrus.com says that it was simply outsourcing an information processing function to Coremetrics, and that Coremetrics can't disclose the personal information or use it for any other purpose. Such outsourcing arrangements are common, especially with dot coms that quickly assemble a largely virtual company from a variety of suppliers.

The class action lawyers in this case might say that the privacy policy promised the information would be "completely confidential" and didn't disclose the fact that it would be processed by others. And most people probably aren't aware that outsourcing is widespread. As a practical matter, data processing by an outsourcing company can be performed in a way just as respectful of privacy as a large company that processes the data in house. The problem is that this question hinges on the company's contract with the outsourcer, which the consumer can't see, and which gives the consumer no right of action against the outsourcer in case of a breach. Most countries legally require all companies to specify a purpose for information at the time it's collected and only use it for the purpose. If the company breaches this limitation without first asking the consent of the person concerned, then that person has a direct cause of legal action. Outsourcing is handled comfortably without any special provisions. Recent US laws have taken the wrong approach by specifically carving out excessively broad exceptions for outsourcing. In the Financial Services Modernization Act of 1999, the exemption designed to cover outsourcing actually opened up a loophole large enough to drive twenty divisions of telemarketers through. Unfortunately the courts are now having to decide on privacy rights that lawmakers should already have ensured. Instead of having clear basic human rights and simple workable standards for companies, the lawsuits are flying and Congress is heading off on vacation. It reminds me of a famous quote by Ashleigh Brilliant: "The time for action is past! Now is the time for senseless bickering!"

[Feedback]  Bulk emailer sues anti-spam group

In a case similar to Yesmail's, email marketer Exactis has sued anti-spam group MAPS. [Denver Post] [Direct] (2000/11/16) Exactis previously attracted the attention of privacy advocates when it was called Infobeat. [RMS on Infobeat] Exactis was bought by 24/7 Media (TFSM) [24/7 Press Release] and then sold to Experian. (2001/5/18) [Internet News] The U.S. District Court in Denver ruled in favor of a temporary restraining order against MAPS, requiring that Exactis be removed from the blacklist, DM News reported. It also issued a gag order preventing both parties from speaking about the case. (2000/11/27)

Trying to establish their own comfortable alternative to MAPS, a group of bulk emailing companies called the Responsible Electronic Communication Alliance (RECA) issued in September a set of self-regulatory principles for themselves. (2000/9/25) [Press Release] [CNET] Despite their attempt to portray these as ``best practices,'' the standards fall short of those advocated for years by anti-spammers, said Junkbusters founder Jason Catlett. For example, Section 2(c)(a) allows companies to obtain the email address of a customer and send unsolicited commercial email, a practice Catlett called unacceptable. ``Just because you buy something from a company doesn't mean you want to hear from them by email,'' he said. Junkbusters has criticized American Express and Amazon for this practice. Another shortcoming is the general approval of a ``single opt-in,'' which unlike ``verified opt-in'' (or ``double opt-in'') does not require that the email address being signed up respond to a request for confirmation (a practice pioneered by Netcreations to guard against mistyped email addresses and prank signups). MAPS, an anti-spam group, has long insisted on verified opt-in, and has been sued by companies including Yesmail that want to avoid this step because it reduces the size of their lists. [Wired] Catlett also criticized the way the principles permitted companies to ``share'' lists and send email from companies that the consumer had not given permission to email her. ``Permission to email is not transferable,'' he said.

MAPS has long published its best current practices, the Basic Mailing List Management Principles for Preventing Abuse; they are derived from two well-recognized standards-setting organizations (IETF and RIPE). Junkbusters also has published a discussion paper on standards.

Separately, the AP reported that a spammer, Jason Garon, has pleaded guilty to second-degree forgery in one of the first criminal spamming cases.

[Feedback]  Privacy-threatening CueCat fails to captivate

The CueCat seems to have lived out its nine lives due to lack of being useful. [D Magazine] [CNET] "You have to wonder about a business plan based on the notion that people want to interact with a soda can," wrote Joe Salkowski of the Tribune Media Services. Digital Convergence reduced its staff from 300 to 20, the Wall Street Journal earlier reported. (2001/6/27) In its SEC filings in November 2000, the company said it was scaling back its rollout plans. [WSJ] [S-1 Filing] (The company withdrew its IPO in March 2001.) Its CueCat product was named Most Questionable Innovation of the Year by Slate, and mocked by James A. Martin in PC World. The Providence Phoenix gives a long account of the resistance to the product.

In September the Privacy Foundation issued an advisory asking Digital Convergence to disable a personal tracking feature on its bar code scanners. [Press Release] [SJ Merc] [TechWeb] (2000/9/22)

Several privacy groups had earlier warned of the privacy impact of the tracking feature. [CNET] [ZD] [FBM Criticism] Users of the device are required to register, giving their email address. Salon ran an unflattering review of the user experience with CueCat. CNET reported that hackers breached security at the company and were able to obtain information about approximately half of registered CueCat users: name, email address, age range, gender and Zip code. The company's IPO filing with the SEC stated that ``Computer break-ins could jeopardize the security of information stored in and transmitted through our computer systems and network, which could adversely affect our ability to retain or attract customers and users, damage our reputation and subject us to litigation.'' It also states ``We intend to use our :C.R.Q. and :Cue:C.A.T. technology to develop and maintain a substantial database of consumer demographic information... Privacy concerns may cause users to resist providing the personal data necessary to support this profiling capability.''

Junkbusters recommends that people not use or register CueCat unless the company removes the unique ID. Junkbusters founder Jason Catlett recalled the objections of privacy advocates to the Intel Processor Serial Number and the Microsoft GUID. Catlett said ``People may not realize that this scanning device has an invisible barcode number inside. Serial numbers in Internet-enabled devices always carry the risk that personal identifiers such as email addresses may be associated with the serial number, making the device leave a trail of electronic calling cards that can be assembled into a large stack of behavioral profiles. Companies may say they will not disclose such information, but security flaws, changes of policy, and bankruptcies show that such undertakings cannot be relied on. It's better for privacy simply not to collect the information in the first place.'' (2000/9/22)

[Feedback]  The fight against junk lessons in schools

Eighteen British educational institutions are to make money by displaying advertisements on the computer screen savers of students and employees, the San Francisco Chronicle reported. (2001/9/26)

Maryland Senator Paul Pinsky introduced state legislation to get corporate advertising and marketing out of Maryland public schools. (2001/2/2) Commercial Alert called Senator Pinsky's bill ``a model for action in other states.''

A coalition of child advocates and academics asked lawmakers to ensure that federally mandated Internet filters in schools and libraries be prohibited from carrying advertising. (2000/11/3) [Commercial Alert Press Release]

Two Ohio children were held in a juvenile detention center for refusing to watch Channel One and TV in-school marketing programs. (2000/10/6) [The American Prospect on Channel One] [Nader's essay on GDP and Childhood] Commercial Alert and Obligation Inc. sent a letter to Ohio Governor Bob Taft asking him not to allow local school systems to punish children who won't watch Primedia's Channel One in the public schools. [TV or Jail] [Toledo Blade 1] [Toledo Blade 2] A coalition of groups is campaigning against Channel One. (2001/6/11)

Separately, ZapMe appears to be discontinuing its controversial program in schools. (2000/10/3) In a statement it said it would ``transition to a vertical business market focus'' and explore ``the divestiture of its educational network.'' Soon after, the company laid off 42 staff, InternetNews reported. (2000/10/18) [Internet World] The New York Times wrote ``To its founders, ZapMe had a noble vision defeated by a handful of naysaying activists opposed to any commercialism in schools and ready to jump to conclusions about the company's use of data about the students' computer use... When the company announced a program called ZapPoints, which would have given students points toward prizes while gathering personally identifiable information about them, the outcry was so swift and loud that ZapMe quickly discontinued the idea.'' (2000/11/2)

A broad coalition of groups including Junkbusters long opposed the practices of ZapMe! Inc., a corporation that is installing computers and Internet connections in schools so they can target ads at kids and collect information about them. (2000/1/21) [Review from Internet World] (In April, Sen. Richard Shelby (R-AL) weighed in.) [Newsbytes] [CNET] [USNWR]

In open letters the coalition of progressive, conservative and privacy organizations and scholars urged all 50 governors and chairs of education committees in all 50 state legislatures to protect children from ZapMe!, and asked corporations to break their partnerships with ZapMe!. (2000/1/19) "In essence, it plants computers in the schools as advertising delivery, market research and surveillance machines," the letter said. ZapMe! disputed this characterization in a public response. Chris Nerney, Senior Analyst at the Internet Stock Report, concurred with the groups on this point, saying ``This perfectly describes ZapMe!'s business model.''

In its response to the letter, ZapMe! portrayed itself as ``champion of students' privacy rights'' and claimed to reaffirm ``its strict, long-standing privacy policy.'' (2000/1/21) CEO Rick Inatome said ``ZapMe! takes the privacy of its student users so seriously that we, unlike most websites on the Internet, explicitly do not collect personal information like names, addresses or phone numbers of our users.'' ZapMe's SEC filing says ``we currently collect only non-personally identifying information during user registration, including age, gender, and location by zip code... We may in the future collect names and other personal information for users over 13 in connection with contests and other promotions...''

Mr Inatome also said ``We don't track the usage of particular students and would never sell such information to anyone...'' The SEC filing says ``ZapMe! may monitor the Network and compile statistics and demographics with regard to the habits, viewing preferences, and other non-identifying information, such as age and gender, about the Network's users.''

ZapMe's home page has a TRUSTe privacy seal, which seems to relate only to its web site, not the information practices of its ``Network.''

ZapMe made an initial public offering (IPO) on October 20, 1999, closing at $9.50, below its offering price of $11. [Company Press Release] [Profile] [Boston Globe]

ZapMe has been harshly criticized by consumer and privacy groups since its launch. [Wired News] ``This is borderline child abuse,'' said Ralph Nader in a press release for Commercial Alert. [earlier press release] [Commercial Alert summary page] [NY Times] [SJ Merc] In its filings with the SEC, the company warns potential investors:

``OPPOSITION TO OUR NETWORK, ADVERTISING IN SCHOOLS AND UNRESTRICTED INTERNET ACCESS MAY LEAD TO NEGATIVE PUBLICITY, REGULATORY CONTROL, LEGAL ACTION, BOYCOTTS OR OTHER ACTION THAT COULD HARM OUR BUSINESS...''

The practices of such companies relate to the FTC's new rules only for children under 13. For them, the FTC's press release says ``The Federal Register notice accompanying the rule makes clear that schools can act as parents' agents or as intermediaries between Web sites and parents in the notice and consent process.'' Catlett warned parents that vigilance is needed because ``Schools aren't always on the side of privacy.'' [Related news]

Ralph Nader supported a bill (HR 2915) introduced in 1999 by Rep. George Miller to protect schoolchildren from corporations such as ZapMe that intrude into the schools to gather marketing information from kids.

Nader has also asked Congress to repeal a 1980 law that prevents the FTC from protecting children from exploitative advertising. [Nader letter] (1999/9/22)

Related book: No Contest: Corporate Lawyers and the Perversion of Justice in America by Ralph Nader and Wesley J. Smith.

The Center for Advanced Technology at the University of Oregon has published a report titled Capturing the Eyeballs and E-Wallets of Captive Kids in School: Dot.com Invades Dot.edu. It examines companies such as ZapMe that offer "free" Internet access to schools in exchange for the collection of marketing information from their students. (2000/8/1)

A poster reading ``Our School: Ad free zone'' is published by Subvertise.org. Related: Exeter's Web Logs.

In 1998 a high school student in Georgia was suspended for wearing a Pepsi shirt on ``Coke in Education Day,'' CNN reported. [Adbusters] (1998/3/25) Counterpoint: Commercial Alert on Coke and Pepsi.

Separately, directory service WhoWhere? Inc. started paying schools to give free email accounts to their students, so they can be sent advertising by email, Interactive Week reported.

Separately, The Walt Disney Company launched a free email service for kids, CNET reported.

Separately, a Canadian school board began selling ad space on classroom computers earlier this year, according to a report in Wired News.

Separately, the Canadian non-profit Adbusters reported in their Spring 1997 magazine (p.39) that schools are receiving fees based on the number of students who volunteer ``to receive stylized and updated tattoos of common and famous corporate logos.'' It was intended as satire. Adbusters also reported on a student who was disqualified from a school band contest for wearing a T-shirt opposing in-school TV.

Writing on genetic engineering in Wired 6.01 (p. 44), Oliver Moreton predicts: ``Then pets with engaging predetermined characters and advertising logos growing in their fur.'' This brings a new meaning to the term ``junk DNA.''

In 1995 Consumer Reports published a report titled ``Captive Kids,'' with a follow-up on the safety risks of ads placed on school buses (97/10, p.6). Its 98/2 Editorial Stop! I'm drowning in commercials criticized high schools for making kids `watch Channel One, a TV ``news'' product with commercials.' Wired News reviewed Homework Heaven's ad-laden site.

[Feedback]  DoubleClick will not buy Netcreations

NetCreations announced it was calling off its merger with DoubleClick, and would instead sell to an Italian firm, SEAT Pagine Gialle. (2000/12/22) [CNET] [Internet News] [WSJ] DoubleClick earlier agreed to buy NetCreations (NTCR), and its database of 22 million email addresses. (2000/10/4) [Press Release] [ZD] [Internet News] [2] [DM News] Junkbusters founder Jason Catlett commented that this merger would have married a company with one of the worst records on privacy with one of the best. He said that it also illustrates the fact that ``even if a company looks like you can trust it with your email address, it may be bought the next day by a company that you would never dream of giving your personal information to.'' This has also been illustrated by Amazon's recent change of policy, and Toysmart's bankruptcy. ``It's better for privacy simply not to collect personally identifiable information in the first place.'' Guidescope, which Junkbusters recommends, uses Netcreations for its opt-in email offers, but Guidescope doesn't even collect an email address of its users, so privacy is automatically preserved.

In December 1999 DoubleClick bought a company called Opt-In Email, which it renamed DARTmail. [CNET] In a conference call October 3 DoubleClick said that it would preserve NetCreations' ``double opt-in'' system and maintain the single opt-in DARTmail. Catlett said that ``DoubleClick made the easy choice of a bet each way, one on good standards and one on sloppy standards.''

[Feedback]  Civil liberties group honors Junkbusters for defense of privacy

The New York Civil Liberties Union has honored Junkbusters and its President, Jason Catlett, with its Joseph Callaway Award for protection of the right to privacy, particularly for campaigns against privacy-threatening practices of Intel and DoubleClick. Separately, EPIC's Marc Rotenberg has been chosen to receive the 2000 Norbert Wiener Award for his tireless efforts to protect the online privacy of America's public.

[Feedback]  New services for privacy and security in credit card transactions

iPrivacy, a startup, announced a service that allows anonymous payment and shipment for products purchased online. (2000/9/11) [Press Release] Junkbusters founder Jason Catlett serves on iPrivacy's Technical Advisory Board.

Discover Card announced a digital wallet that generates credit card numbers that are unique for each merchant. [InfoWorld] (2000/11/19)

Separately, American Express announced a product called Private Payments, essentially a system of generating one-time use credit card numbers. (2000/9/7) [CNET] [AP] [IDG] Junkbusters founder Jason Catlett praised the move saying that it would reduce fraud and increase security of consumers' credit card numbers, but pointed out that it does not protect personally identifying information such as names and addresses that consumers give to web sites when they make a purchase. AmEx also announced that it would introduce in 2001 a service for anonymizing browsing and deliberately sharing personal information. (In mid-2001 they dropped plans for both of these.) The New York Times said that Private Payments ``has so many complications that Amazon.com, by far the largest online store, explicitly recommends that its customers not use it.'' (2001/8/12)

Separately, the FTC announced a verdict against a company that bought and bilked millions of credit card numbers. (2000/9/7)

In May 1998 American Express and KnowledgeBase Marketing had planned to sell to merchants information about the kind of purchases made by 175 million Americans, USA Today reported. The company quickly denied it would sell the specific details of individual transactions. On July 15 the AP reported that AmEx canceled the deal ``because it would not be sufficiently lucrative and not because of privacy questions.'' Direct reported that KnowledgeBase Marketing would still provide merchants with data from other sources. (1998/7/17) The companies were reported to have reduced the scope of the project after protests from cardholders and privacy advocates. People who don't want the companies to sell their names and behavioral information can ask them not to, but they won't be notified it's happening, the paper said. KnowledgeBase Marketing (KBM) was part of a merger including ``I Rent America'' (IRA). Americans who don't want to be rented can write IRA an ``opt-out'' letter such as JUNKBUSTERS DECLARE prepares, which should also be honored by KBM.

AmEx's privacy policy states that ``If you provide us with your E-mail address, or have done so in the past, or if we obtain your E-mail address from another source, we may send you E-mail offers.'' It also describes how consumers can opt-out of receiving further emails. ``Sending email on an opt-out basis is spamming, and it is deplorable for AmEx to have as their policy that if they can find out your email address, they'll keep on using it unless you scream,'' said Junkbusters founder Jason Catlett.

Separately, CGMIi launched ExchangePath, to offer a ``service for consumers to make and keep track of online transactions without disclosing personal information to outside merchants or vendors.''

[Feedback]  Privacy advocates call for investigation of Cookiegate

In July 2000 privacy advocates wrote to congressional leaders urging them to investigate the use of cookies at the web site of the Office of National Drug Control Policy placed by DoubleClick. (2000/6/22) The advocates charged that this activity violates White House privacy policy and may be illegal under the Privacy Act of 1974. [Press Release] [NY Times] [Salon - Garfinkel] [ZDNN/Interactive Week] [Scripps] [Salon] [Slashdot] [Lost in Cyberspace] [Boston Globe Editorial] [Chicago Tribune] [Wired] [Wired 2] [Wired 3] They also called on Doubleclick to provide a guarantee to the public that it has destroyed all the information it held that could in future link any individual with visits to the Drug site or search queries such as "grow pot" that led to the site. The groups pointed out that law enforcement agencies or civil litigants might obtain a subpoena demanding such information. The groups further asked for Doubleclick's privacy auditing firm to publish an opinion attesting to this assertion within thirty days.

The White House earlier confirmed that one of its own Web sites may have violated federal privacy law. Reuters reported that it was by using cookies on a drug-related site. House Majority Leader Dick Armey issued a critical statement and referred to the GAO's study. [Interactive Week] (2000/6/21) [Reuters] [AP] [APBnews] [NY Times] [Forbes] [Washington Post] [WSJ] [Richard M. Smith's Drug Page] [Scripps] The Washington Post and AP reported that the Office of Management and Budget issued a memo stating cookies should generally not be used on Federal web sites. [Text of Memorandum] (2000/6/23) Junkbusters founder Jason Catlett praised the move as a prompt declaration of the correct policy, provided that the affirmative consent of visitors was obtained prior to the setting of a cookie, and that the cookie was retained only as long as necessary for the purpose specified when consent was obtained.

White House drug czar Barry McCaffrey said later that he wants to be able to turn cookies back on, Scripps reported. (2000/7/11)

[Feedback]  Microsoft to test Web bug alerting feature

Microsoft released to the public a browser add-on to provide better cookie management, Wired News reported. (2000/9/1)

Two leading privacy and security experts commended Microsoft on its earlier announcement that it would test a change to its Web browser that alerts surfers when they visit Web pages that are being monitored by third parties. (2000/7/22) [WSJ] [MSNBC] [ZD/WSJ] [Reuters] [AP] [NY Times] [Washington Post] [Wired] [Wired 2] [Slashdot] [CNET] [Microsoft release] [Microsoft interview]

Despite his harsh criticism of Microsoft's record on privacy, Junkbusters founder Jason Catlett praised Microsoft's move as highly significant. ``It's comparable to adoption of tamper-evident drug packaging: people will at last be able to detect that someone else has been inside the product they're getting,'' said Catlett in a statement. What Microsoft subsequently delivered six months later fell so far short of what should have been done that Catlett wrote a harsh letter criticizing Microsoft.

In May 1997 Netscape quietly told the advertising community that they were going to ignore the prohibition in proposed standard RFC 2109 against third-party cookies. Their refusal to abide by the standard will allow advertisers to continue to build up comprehensive profiles of the pages people look at that contain their ads. Many privacy groups tried to thwart advertisers' attempts to change the standard.

[Feedback]  Privacy advocates criticize P3P as a bogus privacy technology

Junkbusters and EPIC published a report on Web browser privacy and P3P. [Press Release] [Text of report] The publication coincided with a demonstration of P3P, a technology supposed to improve Internet privacy. Junkbusters founder Jason Catlett and other privacy advocates have criticized P3P as unlikely to improve privacy. (2000/6/21) For further details see Catlett's open letter and panel on P3P. [NY Times] [WSJ] [Slashdot] [TechWeb] [TechWeb 2] [Fox News] [Wired] [LA Times Editorial 7/2] [Business 2.0] [SF Examiner Editorial 7/3] [ZD] [ZD - 2] [Computerworld] [NPR - audio] [Industry Standard] [USAToday.com] [AP] [NJ Online] [MSNBC] [IDG] [Reuters] [CNET on Microsoft] [ZD] [ZD on Microsoft] [PC World]

The White House endorsed the technology in a statement. (2000/6/21) Privacy advocates said that the cookiegate incident illustrates the report's conclusion because P3P would not have prevented it.

[Feedback]  Another industry group on privacy formed

In June 2000 a coalition of Internet companies announced a privacy program. The Privacy Leadership Initiative (PLI) used to state on its Web site, http://www.understandprivacy.com/, that its mission is to ``empower individuals to protect their privacy.'' (It disbanded in July 2002). [DM News: RIP PLI] [NY Times] [Industry Standard] [Direct Mag] [AdAge] (2000/6/19) Member companies include the privacy-challenged Doubleclick, and marketing list vendor Experian, U.S. Bancorp, plus the longtime lobbyist against privacy, the DMA. Junkbusters founder Jason Catlett said that most industry-funded programs for ``consumer education'' are transparent attempts to try to persuade legislators that the problem lies with stupid consumers being careless rather than companies acting to minimize their costs and maximize their revenues. ``Detroit tried the same trick in the 1960's, pushing "driver education" to avoid the expense of having to install seat belts. If these companies were serious about the privacy principles they espouse, they would be calling for legislation giving people the right to see the information held about them and to prohibit companies from selling it if they don't want them to. Instead most of the member companies continue to lobby against such legally guaranteed privacy rights.''

In an unrelated move, the Recording Industry Association of America is beginning a public education campaign of its own, to dissuade consumers from downloading free music from the Web, the Wall Street Journal reported. [Wired] (2000/6/20) Modern Humorist parodied this with a poster titled "When You Pirate MP3s, You're Downloading Communism". (Counterpoint: Tapster [PC World]) Junkbusters founder Jason Catlett discussed the comparison between copyright and privacy rights in his Senate testimony.

[Feedback]  Presidential candidates talk privacy

Privacy (and technology generally) was not a major issue in the 2000 presidential campaign. [CNET]

A survey by Netelection.org found that ``while 70% of campaign sites collect personal information through the use of online volunteer and donation forms, only 15% have any sort of privacy policy describing how this information will be used.''

Ralph Nader has fought for consumer privacy and other consumer rights for decades. [Nader site on privacy]

At the Democratic National Convention, delegates claimed their party was the party of privacy, ZD reported. (2000/8/16) Al Gore's speech accepting the presidential nomination contained the following statement: ``I'll fight to toughen penalties on those who misuse the Internet to prey on our children and violate our privacy.''

Republican Presidential candidate George Bush told Business Week he supports privacy protections. (2000/5/11) ``I'm a privacy-rights person,'' Bush said. ``The marketplace can function without sacrificing the privacy of individuals.'' In practice, that means ``customers should be allowed to opt in [to sharing information]. The company has got to ask permission.'' Bush also told the Wall Street Journal that he favors consent. (2000/5/30, p. 1) ``Companies, before they use your or my information, must give you a buy-in, must seek your information in a positive way,'' and ``need to be held accountable for its safeguard,'' the Journal reported. [ZD Interview] [Wired on Lieberman] [Wired on Bush] [IDG on Lieberman] [transcript of Markey/Goldsmith debate] Republican lawmakers have often but not always opposed legal privacy protections.

In December 1999 Republican presidential candidate Steve Forbes called for strong protection of privacy against government intrusion, particularly in healthcare. [AP/CNN] [Wired] (1999/12/16) Junkbusters founder Jason Catlett called Forbes's goal of limiting data collection laudable, but said that it needed to be extended to marketers, who now collect more information than government. Forbes withdrew from the race in early 2000.

In July 1998 Vice-President Al Gore announced a package of measures to promote privacy, some new and many pre-existing. Privacy advocates were pleased he is addressing the issue, but point to the gap between the rights he says Americans should have and the specific steps he has taken towards securing them. [AP] [Wired 2] [CNET] [CNET 2 - report delayed] [Wired] [Interactive Week] [InfoWorld] [Industry Standard] [Interactive Week] [WSJ] In May Gore espoused several basic principles of fair information practice at a university address. ``Americans should have the right to choose whether their personal information is disclosed. They should have the right to know how, when, and how much of that information is being used, and they should have the right to see it themselves, to know if it's accurate.'' Gore also announced a White House initiative on Internet privacy. [CNET] [Wired] It includes a Web site called http://www.consumer.gov and a program to designate a person at government departments to check if existing laws are being followed. Welcome steps, but more is needed if his "shoulds" are to become "musts." Gore said 24 June that ``People will not put their faith, their trust or their cash into electronic commerce if they feel that in order to buy a product, they must first sell their privacy.''

[Feedback]  HP, Dell, Intel's Grove call for privacy legislation

In an article about the high-tech sector's attitude towards the federal government, the Wall Street Journal reported that ``some online firms have reversed course and decided they actually want regulations from Washington protecting personal privacy on the Internet. They know that consumer fears about privacy invasions are a significant roadblock to electronic commerce that the government can help knock down.'' (2000/6/21)

Earlier, Michael Dell supported the FTC's recommendation for a federal online privacy law, PC World reported. (2000/6/8) He joins Hewlett-Packard's CEO, Carly Fiorina and the ranks of several industry leaders in calling for privacy legislation. (2000/6/7) [ZD on HP] Intel Chairman Andy Grove told the Congress's Joint Economic Committee that it should pass Federal privacy law. [Newsbytes] [WSJ] [Industry Standard] (2000/6/6) Here is the relevant statement from Grove's oral testimony.

A person's individual data, whether it's financial data or health data or whatever, is the currency of the Internet. People trade it; people covet it; it is a valuable good, as valuable a good as the money in my pocket. History shows that property rights have not been left to voluntary action, and voluntary treatment. Governments at all levels have regulated dealing with properties. I think individual rights are properties and it is inevitably my opinion that various levels of governments are going to get into the act and regulate dealing with individuals' data. I would prefer to recognize this trend and get ahead of the possibility that localities and states will take matters in their own hands and we're going to be dealing with fifty different approaches in the United States alone and hundreds of different approaches worldwide. I would strive before the problem is acute, to establish government-sanctioned rules, property rights extended again using the atoms-to-bits neutrality to electronic data that is so much devalued that people fuel the Internet with.

A few privacy advocates favor the property view of privacy, but not most. Junkbusters founder Jason Catlett said ``The right to privacy, like the right to vote, is not something that you should be able to sell to others. You should be able to grant consent for others to make commercial use of your information, but you should always retain the right to revoke that consent. That should be an inalienable right, not something that is traded away.'' But Catlett praised Grove's leadership and intellectual honesty, saying ``Grove has obviously thought about privacy with a long-term societal and strategic view.'' Newsbytes reported that Grove said any federal moves to legislate on either Internet taxes or consumer privacy should be done in a ``technology neutral'' fashion. On this point privacy advocates are in perfect agreement with him.

Privacy groups had boycotted Intel over the Processor Serial Number in its Pentium III chip, but called off the boycott after Intel removed the feature from the chip's successor.

At the same hearings, Dr Mark Leavitt, CEO of MedicaLogic, said ``We actually support well-reasoned Federal legislation and regulation to protect medical privacy. We believe it should extend to all medical information, not just electronic medical information.''

Bill Gates said ``There are some clear principles that apply everywhere. Any information that's collected about you, you have right to see and you have the right to say `No, I want you to delete that from your files.' And you have the right to understand whether that's being shared with any companies other than the one you're interacting with.'' (2000/6/6) Separately, Gates told university students in Tokyo that the thing he wanted most in life was privacy, Reuters reported. (2000/6/19) For other statements by Gates on privacy, see below.

Separately, Forrester Research issued a report titled The Internet's Privacy Migraine predicting that federal Internet privacy legislation will pass by summer 2001. (2000/5/22) [Release] Forrester has a distinguished history of thought leadership on privacy.

The recent outpouring of support for privacy from unexpected quarters bodes well for real privacy protection in this country, said Junkbusters founder Jason Catlett. For more detail see below.

[Feedback]  Online companies propose rules for consumers

A group of multinational companies want to set international rules governing consumer rights in international online transactions, Reuters reported. (2000/6/6) Junkbusters founder Jason Catlett criticized the privacy component of the proposal as falling far short of international privacy standards formulated more than twenty years ago by the Organization for Economic Cooperation and Development, and even short of the safe harbor principles proposed by the U.S. Department of Commerce. Here are the companies' guidelines with Catlett's comments in parentheses.

Merchants should adopt privacy policies that are consistent with existing industry standards and existing legal requirements. (``So the companies are saying: don't break the law in any country where you operate. This is prudent advice, but not enough to protect privacy in a country like the US where peoples' privacy rights are inadequate.'') At a minimum, such policies would provide for notice to a consumer as to what type of information is to be collected and how it will be disseminated. Merchants also should provide Consumers with choices as to the dissemination of information to third parties for marketing purposes. (``Choice is a euphemism for some kind of opt-out from the sale of lists, no matter how weak, burdensome or ineffective the measures are. The standard should be affirmative consent.'') Merchants should provide Consumers with reasonable access to the records of the individual Consumer's Transactions with the Merchant upon request. (``People should have the right to see not only the history of their transactions, but also the psychographic profiles of them that are inferred and bought from other companies.'')

Multinational companies have been increasingly pushing against national laws and international treaties, under the name of "global self-regulation." One group of companies goes under the umbrella of the Global Business Dialog, which in September 1999 announced a comprehensive agenda. [Press Release] [Dept. of Commerce Press Release] [Reuters 2] [Internet News] [PWC for GBDe] [Computerworld] [Le Monde Informatique] [Wired - P3P]

Catlett slammed the GBDe's summary press release, saying it ``shows big businesses' hypocrisy on the questions of government involvement, legislation and regulation. (1999/9/13) It wants strong laws to protect businesses (copyrights and patents), but no laws to protect consumers.'' Verbatim quotes: ``The GBDe proposes the acceptance of effective self-regulatory and market driven mechanisms (i.e. codes of conduct) for the protection of personal data.'' Thus they want no laws to protect privacy. ``It also votes for a strong protection of intellectual property rights for works available over digital networks while promoting the lawful use of such works by consumers.'' Thus they want strong laws protecting copyright. ``This double standard is driven by pure self-interest,'' Catlett said. ``To claim they are doing this in consumers' interest is shameful.'' Counterpoint: the Public Voice [Newsbytes] (1999/10/12)

Subsequently in September 1999, Michael Dell, chairman of Dell Computer Corp., criticized the lack of a strong enforcement mechanism. ``When you have a situation where there's no rules like on the Internet, you will have one bad actor and then the rule is the lowest common denominator,'' Dell told Reuters. MIT Economist Lester Thurow also expressed his disbelief that self-regulation could be effective. ``I don't think there is any example (of self-regulation) that has ever worked, unless government is standing behind it with a club.'' (1999/8/15) Separately, Reuters reported that Eric Fossum, the chairman and chief scientist of Photobit, a manufacturer of video technology, said privacy laws are necessary.

[Feedback]  FTC recommends privacy legislation, finally

The FTC issued a report concluding that self-regulation alone has not adequately protected consumer online privacy, and that legislation is now needed to protect privacy online. (2000/5/22) [FTC Press Release] [USAToday] [USAToday Editorial] [WSJ] [Reuters] [Internet News] [Industry Standard] [Forbes.com] [Smartmoney] [ABP News] [AP] [Heise (German)] [ZD] Junkbusters founder Jason Catlett commented ``The Federal government has finally started to abandon the unsupportable fiction that companies will voluntarily protect consumer privacy to the level consumers want. The next step is for Congress to guarantee people the rights they need to protect their privacy.''

Industry lobbyists responded to the report with their own survey and by saying that the FTC's survey shows laws are not needed to create consumer privacy protections online. Junkbusters founder Jason Catlett countered saying that ``if lobbyists think that businesses are quickly moving to abide by the FTC's standards, why don't they want them to be legally enforceable?'' Industry spokesperson Christine Varney said in a press release ``There is no agreed-upon standard for access, so how can the FTC measure it? They can't.'' The answer was on page 23 of the FTC's report:

With respect to Access, a site received credit if it offers the ability to review, correct, or delete at least one item of personal information it has collected - oftentimes simply an opportunity to update an email address - without regard to what other information a site may have actually collected or compiled.

Catlett commented ``They can't measure access? They can and they did. The FTC were very easy graders, and most sites still flunked on giving access. Even the industry's own surveys show that the vast majority of online users want access to the information held about them. And they're not getting anything near it. It's time for a law that gives people the right to see the information about them.''

The FTC's recommendation had been anticipated the previous week. [New York Times] [Washington Post] [NY Times 2] [AP]

Republican lawmakers oppose the plan, the Washington Post reported Sunday. (2000/5/21) Junkbusters founder Jason Catlett pointed out that several Republicans, most prominently Senator Richard Shelby, have fought hard in this Congress in favor of privacy rights. ``Privacy is not an issue that divides along party lines,'' Catlett said. The White House favors some privacy legislation. [IDG] [Reuters]

Many businesses including eBay want federal privacy legislation that preempts individual states' efforts. The NY Times quoted some industry leaders as favoring uniform standards. [WSJ] [E-commerce Times]

The Wall Street Journal earlier reported that ``a survey of major e-commerce Web sites by the FTC found that only about 20% met FTC standards for protecting consumer privacy.'' (2000/5/11)

The 2000 annual Business Week/Harris privacy poll found a clear and increasing majority of people favoring legal protections for privacy. (Our action page has suggestions for people on what to do.) The poll also concluded that ``online buyers dread junk mail'' and found near-unanimous opposition to web sites sharing users' identity and information, a result in stark contrast to an earlier survey sponsored by DoubleClick. The New York Times reported April 17 on a survey by market research firm Odyssey in which 82 percent of online households agree strongly or at least somewhat with the statement, "The government needs to step in and regulate how companies can use personal information."

A survey in October 1999 by industry research group Forrester found that privacy fears are holding back Web shopping. [Forrester release] ``Nearly 90% of online consumers want the right to control how their personal information is used after it is collected,'' said Forrester's Christopher Kelley. ``This desire for online anonymity cuts across consumers from a broad range of demographic backgrounds, including gender, income, and age. Surprisingly, these concerns change very little as consumers spend more time online.'' A previous report by slammed the industry's record and typical privacy policies. "The vast majority of such policies... use vague terms and legalese that serve to protect companies and not individuals."

Privacy concerns are significantly slowing growth in e-commerce, according to Boston Consulting Group's director, Martin Naville. The Wall Street Journal reported he estimated that E-commerce growth could be as much as one-third more substantial if consumers and companies had more trust in the protection of their privacy when using the Web, and that although well over 80% of Web sites make privacy claims in their marketing, many fail to give adequate protection. (2000/6/7)

The FTC's recommendation represents a dramatic departure from its previous acquiescence to the Clinton administration's policy of self-regulation for Internet businesses, including two recommendations to Congress against legislation (in a 1998 letter based on its first survey and a 1999 report based on a survey conducted by Georgetown University professor Mary Culnan and sponsored by the DMA and other trade organizations). Here is a reverse chronology of major events in that long history, including the rise of public demand for privacy legislation, and the lobbying against it by businesses.

  1. The chairman of the FTC told USA Today that the commission may broaden focus on privacy to offline businesses also. Earlier the chairman warned that the e-commerce industry's battle against federal privacy standards could backfire, the WSJ reported. (2000/2/11)
  2. On November 8, 1999 the Federal Trade Commission and the Department of Commerce held hearings on online profiling. [More] Comments submitted by Junkbusters are available here.
  3. The Electronic Privacy Information Center released a report titled Surfer Beware III concluding that the privacy policies of major shopping sites don't offer much privacy. (1999/12/17) [Washington Post] [USAToday Editorial] [Reuters] [Computerworld] [ZD] [CNET] ``American consumers looking for privacy online currently have about as much choice as a Soviet-era shopper looking for fresh fruit in Stalingrad,'' said Junkbusters founder Jason Catlett. ``The Web is being turned into an electronic strip mall where cash isn't accepted and your credit card constantly transmits your account numbers as you walk around.''

    In a weekly radio address in November 1999, President Clinton said ``If we want Internet commerce to continue to grow, we all must work together to make sure that shopping online is just as safe as shopping in a mall,'' [AP] ``If you want privacy, go to the mall instead,'' said Junkbusters President Jason Catlett. He slammed the failure of Washington to provide real privacy protection, and urged Americans to demand privacy rights from their government. To act now, see Junkbusters' action page.

  4. The Electronic Privacy Information Center (EPIC) said in November 1999 that it ``has filed a lawsuit against the Federal Trade Commission seeking the disclosure of privacy complaints received by the agency. EPIC contends that the FTC has failed to take action on complaints that the agency has received from consumers.'' (1999/10/11) [CNET News.com] [TechWeb] [NY Times] [Wired] [Computerworld]
  5. In July 1999 EPIC Director Marc Rotenberg told a Senate committee that developments such as the DoubleClick-Abacus merger make clear the need for privacy legislation. [EPIC Press Release] (1999/7/27) [AP] [TechWeb] [Computerworld] Rotenberg also harshly criticized the FTC's 1999 report and its record on privacy protection. Several FTC commissioners also testified. The Subcommittee on Communications of the Senate Commerce Committee is chaired by Senator Conrad Burns (R-MT). Senator Burns and Senator Ron Wyden (D-OR) are co-sponsors of S. 809, the Online Privacy Protection Act.
  6. At a panel at Fall Internet World October 7 on Internet privacy law, Federal Trade Commission official David Medine announced that the FTC intends to fast track complaints from privacy seal organizations such as TRUSTe and BBBOnline. [ZD NN] [SJ Merc] Junkbusters President Jason Catlett later said that this was ``unlikely to have any practical effect because no such complaint had ever been lodged,'' despite incidents that strongly warranted it. He called the move ``an unconvincing gesture directed towards Brussels'' trying to persuade the EU that the US has an enforcement mechanism that is adequate to protect consumer privacy.
  7. The FTC told Congress in July 1999 that it thought no new Web privacy laws were needed at the time. (1999/7/12) [FTC Press Release] [AP] [Reuters] [ZD] [NY Times] [SJ Merc] [CNET] [Heise (German)] [Wired] "Self-regulation is the least intrusive and most efficient means to ensure fair information practices, given the rapidly evolving nature of the Internet and computer technology," said the FTC's report. Junkbusters President Jason Catlett countered that self-regulation has not even reached fair information practices, let alone ensured them. He told PC World News that the FTC is more concerned about intruding on companies than the intrusion of companies into people's private lives. "The FTC's abandonment of consumer's privacy is like the EPA saying that chemical factories should be allowed to choose their own pollution levels."

    Privacy advocates urged Congress to stop opposing privacy protections for the American people, and to pass legislation that would protect fundamental privacy rights. [Press Release] The groups issuing the call include Center for Media Education, EPIC, Junkbusters, Privacy Times, Privacy International, Privacy Rights Clearinghouse, and the US PIRG.

    The FTC's position is even stranger given its earlier sentiment that it has ``all but decided that it is going to part company with the Clinton administration over the contention that business can regulate itself when it comes to Internet privacy,'' reported less than a year before in the New York Times. (1998/9/21)

  8. A report released 99/8 from Jupiter Communications claims that 64 percent of online consumers are unlikely to trust a Web site, even if the site prominently featured a privacy policy. [Bergen Record]
  9. AT&T Labs released a study titled Beyond Concern: Understanding Net Users' Attitudes About Online Privacy. (1999/4/14) [Press Release] [Wired News] Like many studies it focuses on what industry might do ``to make people feel secure about the privacy'' rather than actually protecting privacy. Respondents were self-selected from readers of Family PC magazine, so the results cannot be extrapolated to the population as a whole. ``Our respondents placed relatively little value in the presence of Web site privacy proposals or privacy seals,'' the report said. Junkbusters President Jason Catlett commented that the fact that the respondents were more reluctant to give their phone number than their email address suggests that most people aren't aware that look-up services allow companies to get phone numbers and other personal details from email addresses. He also questioned the report's conclusion that ``the ability to access data was rated less importantly by our respondents than several of the other factors,'' pointing to the answers to Questions 20 and 21.

    When asked about ``importance of whether the site will allow me to find out what info about me they keep in their databases'' 57% replied very important, 27% somewhat important, 4.2% not important, with the rest not responding. ``People should be able to see data kept about them, but companies are still opposing this basic privacy right,'' Catlett said.

  10. In July 1998 the Federal Trade Commission released its first report on the privacy practices of Web sites. The FTC found that only 14 percent of sites provide any notice about what they do with personal data they collect, and only 2 percent provide a comprehensive privacy policy. Junkbusters President Jason Catlett commented that even those few policies typically offer very little self-restraint. [Junkbusters Press Release] [FTC News Release] [FTC Report] [CNET] [2] [TechWeb] [Interactive Week] [USA Today on AOL] [MSNBC] [Boston Globe] [USA Today] [Bloomberg] [InfoWorld] [Search Yahoo News] [Search Newsindex]

    Catlett stressed that the current privacy debate should not be limited to just the web and just privacy policies. He pointed to recent testimony of Marc Rotenberg, Director of the Electronic Privacy Information Center (EPIC), before a House committee:

    ``Where once there was an understanding that individuals should have the right to get access to their own data, to inspect it, and to correct it, now those who favor self-regulation believe it is necessary only to provide access to a privacy policy. Where once individual consent was central to the disclosure of personal information, now the focus is on individual choice in a range of disclosures.''

    The Washington Post [2] earlier quoted Ira Magaziner, the White House's point man on the Internet, as saying that the status quo is not acceptable. It also quotes a DMA representative who points to the increase in the number of sites posting a policy. Although this is true (it has changed from a rarity to a majority), it bypasses two important points. Most of the policies are vacuous, in the sense that they offer no self-restraint on the part of the companies (they simply tell you they can do whatever they want). Also, merely offering access to a policy is pitifully little compared to what the laws of most countries in the developed world provide: providing the individual complete access to all information kept about him or her. More information and links are available from our privacy policy section.

  11. The Online Privacy Alliance announced its Enforcement proposal, which was delayed from the Department of Commerce Forum on Internet Privacy. Privacy advocates called it toothless. [Wired] [CNET] [Internet News] [InfoWorld] [TechWeb] [AP] [CNN] [DM News] [CNNfn]

    Separately, the Chairman of the FTC told a House Subcommittee that new laws may be needed, and sketched model legislation. [PC Week]

    Subsequently, Ira Magaziner told Wired he still thinks legislation is unnecessary.

  12. Former Federal Trade Commissioner Christine Varney made statements at a 1998 privacy conference suggesting that she was tiring of the prevailing doctrine of ``self-regulation'' in Washington. ``We have this view in the Clinton administration we're not going to regulate electronic commerce. I'm not sure it's going to work with privacy.'' She later wrote similar comments in Wired. [CNET] [Interactive Week] During her time at the FTC Varney starred in the Commission's privacy hearings. However, Varney later became a spokesperson and advisor to the Online Privacy Alliance and Network Advertising Initiative, two groups that lobby against privacy laws, and changed her position accordingly.
  13. The Clinton Administration held a two-day public meeting on Internet Privacy 23-24 June, 1998. Junkbusters President Jason Catlett spoke on privacy risks in email [CNET real audio] and privacy-enhancing technologies. [Text of Catlett's addresses] [Joint statement from privacy advocates] [ZDNet News - First Panel] [ZDNet News] [ZDNet - Review Panel] [DM News] [Washington Post Editorial] [AdAge] [Chicago Trib] [USA Today] [TechWeb] [KR] [AP] [NY Times] [Star Tribune] [Search Newsindex] [Search Yahoo News]
  14. A new trade group espousing self-regulation called the Online Privacy Alliance was announced in July 1998. http://www.privacyalliance.org/ The Council of Better Business Bureaus announced their BBB Online program. [Microsoft Press Release] [Alliance News Release] [BBB Online News Release] [CNET - Alliance] [ZDNet News - Alliance] [Washington Post] [LA Times] [Washington Post]
  15. The U.S. Department of Commerce has since mid-'97 been advocating industry ``self-governance'' with reports such as A Framework for Global Electronic Commerce - Privacy and Elements of Effective Self-Regulation for Protection of Privacy. Privacy advocates have often stated this approach has failed. [Legal Times on US Cyberlaw] [Text of Junkbusters' submission] [Wired] Another factor was the European Union's Directive on Data Protection which takes effect on 23 October, raising the possibility of a transatlantic ``privacy trade war.'' Because the US does not have laws up to the standard of the OECD guidelines, European member states could in principle prohibit transfers of personal data across the Atlantic. [IDG Standard on EU Report] [CNET on EU Report] In a report Wired News headlined Caveat Surfer, Ira Magaziner, the White House's point man on the Internet, said: ``I think the paradigm here that we're going with is one which empowers people and gives them the tools to protect themselves if they want to.''
  16. Following its privacy week in June 1997 the FTC issued a report 17 December 1997, saying that the ``information industry voluntarily agrees to stronger protections for consumers.'' Several of the major companies will no longer make certain information available to the ``general public.'' We haven't seen them defined, but assume it would exclude one-person companies for example. Privacy Journal (98/1) called the deal ``the government's most serious miscalculation on consumer privacy in two decades.''
  17. In a letter July 31, 1997 to Senate and House Commerce Committee members, the FTC indicated that it will rely mainly on industry self-regulation. [CNET] In a response commenting on it, privacy advocates criticized the FTC's position as understating the public's desire for privacy legislation. [Interactive Week] [NY Times] [Wired News] ``Consumer survey research presented at the Workshop indicates they are looking for greater protections, preferably from voluntary efforts by industry, but if necessary from government.'' The FTC had already outlined several principles that it believes should generally apply to the collection of personally identifiable information from children online. (These were passed into law in 1998 as the Children's Online Privacy Protection Act.) It designated certain practices as deceptive, and concludes that a Web site that has collected identifiable information about children must obtain parental consent prior to releasing that identifiable information to third parties. It has since reminded sites that it is monitoring them.

    The FTC released transcripts of its 1997 workshop on consumer privacy, which run more than a thousand pages, in PDF and Word Perfect formats. It is also available in plain HTML format on the Web from the Consumer Information Organization.

    Separately, Reuters and Computerworld reported that a study of Federal government Web sites reveals widespread insecurity and lack of privacy protection.

  18. The Federal Trade Commission's first workshop on Consumer Information Privacy was held June 10-13, 1997. President and CEO Jason Catlett represented Junkbusters in several sessions.
    1. The morning devoted to junk email started with a presentation on spammers' methods by Junkbusters, after which Commissioner Varney grilled Sanford Wallace, President of Cyber Promotions.
    2. In a session on Web privacy, Junkbusters presented its anonymizing software, the Internet Junkbuster. Tim Berners-Lee, inventor of the Web, presented the W3C's P3 platform. Netscape and Firefly presented their Open Profiling Standard (OPS).
    3. In a session concerning commercial databases about consumers, Junkbusters criticized ``self-regulation'' as inadequate to protect Americans, but stressed Americans' need for basic privacy rights rather than Internet-specific legislation.

    The FTC published more than fifty submissions responding to their Notice requesting information on Consumer Information Privacy. Junkbusters's 9,000 word submission answered dozens of questions on the collection and sale of information about consumers, the privacy of Web users, and junk email. It criticized the Direct Marketing Association's recently announced guidelines, which permit companies to send ``Unsolicited Commercial Email.''

  19. A paper titled Options for Promoting Privacy by the Information Infrastructure Task Force (IITF) created by Vice President Al Gore set out arguments for and against the creation of a governmental privacy authority, pointing out that ``no federal agency currently has privacy as its primary, much less its only, mission.'' (1997/3) In most other developed countries such entities have been active for years. [Wired News] [CNET]

[Feedback]  Report by FTC Committee on Online Access and Security

An Advisory Committee on Online Access and Security submitted a report to the Federal Trade Commission. (2000/5/15) [Computerworld] [CNET] [ZD] The group of 41 people, mostly representing companies, with a few academics and privacy advocates, attempted to define ``adequate security'' and ``reasonable access.'' These two areas are key principles of fair information practices. The group met four times between February 4 and April 28. [TechWeb] [Wired] [Industry Standard] [Industry Standard 2] [Ecommerce Times]

``The right to see all the information held about you by a company is a fundamental right that should be legally guaranteed,'' said Junkbusters founder Jason Catlett. ``Since the early seventies this right has been guaranteed only for credit reporting agencies, by the Fair Credit Reporting Act. Lobbyists have been trying to resist and restrain the extension of this right. The privacy policies of most big companies don't offer you access to your data, but they do usually include disclaimers saying that they might accidentally disclose it or give it to others, including government agencies if they think it appropriate. This is an outrageous double standard. If a company has information about you, you should be able to see it and have it destroyed on request. It's for each individual to determine whether information about him or her is important or unimportant, desirable or harmful.''

Separately, Peacefire discovered that all cookies on Microsoft Internet Explorer (a web browser) can be read by a hostile web site. (Sites should only be able to read their own cookies.) [WSJ] [Computerworld] Microsoft claims that the bug can only be exploited if the user visits a rogue web site, but latest reports indicate that HTML mail can be used to get around this. (In December privacy advocates asked the FTC to order browser manufacturers to stop cookies being set in HTML mail, but the FTC did not act.) The respected BugTraq newsletter wrote:

A disappointing part of this security bulletin is where Microsoft describes the problem: "The vulnerability could allow a malicious web site operator to take inappropriate action on the computer of a user who visited his web site."

They neglect to mention the very serious problem of receiving malicious HTML files via a web enabled mail client such as Outlook. Malicious web pages are a minor problem. Email viruses and worms are a very serious problem. They spread exponentially and are harder to track. As long as IE, Outlook and Windows are so tightly coupled every "malicious web site" vulnerability is a potential Outlook vulnerability that could be much, much worse.

Serious vulnerabilities from the bug include compromising web-based email accounts. (In March 1999 Hotmail made cookies mandatory, claiming this was necessary for security.) The temporary fix is to disable active scripting. Netscape products are not affected.

Separately, a new book on Internet Security and privacy titled The Hundredth Window has been published. Junkbusters founder Jason Catlett wrote an unfavorable review.

[Feedback]  Ad targeting is sloppy and ineffective, say reports

An extensive article in the New York Times Magazine suggests that ad targeting isn't effective. (2000/5/7) Others including the venture capital magazine Upside have questioned the viability of the online advertising model.

For several weeks DoubleClick was accidentally placing banner ads for Jack Daniels on a kid's cartoon site called snoopy.com, the Wall Street Journal reported. (2000/5/8)

[Feedback]  Clinton proposes legislation for financial privacy protection

President Clinton proposed legislation to let bank customers ``opt-out'' of use of some financial information by their banks, Reuters reported. (2000/5/1) [White House Proposal] Current law doesn't even require banks to provide this option, let alone requiring them to obtain prior consent. For background on the sorry state of privacy protection in the financial industry, see our section on banking.

Separately, federal regulators are expected to delay enforcement of the new financial-privacy rules until July 2001, the Wall Street Journal reported. A coalition of privacy and consumer groups formally protested the delay. [AP] [Computerworld] [SJ Merc - Gillmore] The Industry Standard reported that the FTC published the rule, which includes some Web sites, due to the law's broad definition of a financial entity. (2000/5/12)

Separately, Senator Shelby has introduced a bill, the Freedom From Behavioral Profiling Act of 2000, requiring affirmative consent for certain uses of financial information. [Shelby Press Release]

Separately, Federal legislators have set up two groups to study privacy law, AP reported. (2000/2/9)

Separately, Senator Torricelli (D-NJ) introduced legislation intended to protect privacy from cookies. (2000/2/10) [USAToday.com] [ZDNet] [CNET]

[Feedback]  Employees' PCs searched

Northwest Airlines performed court-authorized searches of the home computers of about a dozen employees, searching for private e-mail and other evidence that they helped to organize a sickout, the Star Tribune and the WSJ reported. (2000/2/8) [Business Week]

Separately, Continental Airlines has lost several large corporate accounts by insisting they ``disclose how much they are spending, ticket by ticket, with rival airlines.'' (2001/2/6)

[Feedback]  Credit bureau Equifax buys huge psychographics database

Credit bureau Equifax (EFX) announced it is buying the Consumer Demographics and Lifestyles data and other assets of Polk, one of the largest and most detailed psychographic databases in the world. [Reuters] [DM News] (2000/2/10) The Wall Street Journal quoted the head of Polk as saying his company decided to sell its consumer-information division after concluding that Polk lacked the financial muscle to "do it all." Junkbusters founder Jason Catlett commented that ``most people don't want to have it all done to them. The tendency of personal data to be merged into ever larger and more comprehensive electronic dossiers is dangerous and should be limited by law.'' Some years ago Equifax said it ``pulled out of the direct marketing business'' because of consumer concern about uses of credit related data for this purpose, but the company seems to have set aside this objection. People who want to ask the companies to stop selling data about them can write opt-out letters to Equifax and Polk.

In January 2000 the Federal Trade Commission sued Equifax and the two other major credit reporting agencies under the Fair Credit Reporting Act (FCRA) for failing to maintain a toll-free telephone number at which personnel are accessible to consumers during normal business hours. [FTC Press Release]

In April 1999 the Better Business Bureau awarded its privacy seal to Equifax, one of the three big credit reference companies, CNET reported. [Equifax Press Release] Privacy advocates criticized the move in an open letter to BBB because of Equifax's bad record on privacy. [CNET] [internet.com] [Business Week] Junkbusters President Jason Catlett said that along with the Microsoft/TRUSTe case this demonstrated the constitutional failure of seal programs to protect privacy.

[Feedback]  Time Warner/AOL/Netscape and privacy

Two Californians who run the site http://www.NoMoreAOLCDs.com/ say they are almost a tenth of the way to their targe