Junkbusters

Profiling


Letter 3/28 to Congressional Privacy Caucus

To: The Congressional Privacy Caucus Co-chairs:
Representative Joe Barton (R-TX), Edward J. Markey (D-MA), Senator Richard Shelby (R-AL), and Senator Christopher Dodd (D-CT)

March 28, 2001

Dear Sirs

I write concerning four recent developments that I believe warrant your attention as they combine to form an unprecedented assault on the privacy of Americans.

  1. The major online profilers have refused to allow people access to their own profiles, or even to provide example profiles for the Federal Trade Commission's recent investigation; ( http://www.junkbusters.com/profiling.html )
  2. The profiling companies are continuing development of their Consumer Profile Exchange technology without any commitment to observe fair information practices in their use of it; ( http://www.junkbusters.com/new.html#CPEX )
  3. Microsoft has chosen default settings on its next browser that will allow the millions of web bugs already installed to continue gathering clickstreams in volumes of billions of clicks per day; ( http://www.junkbusters.com/microsoft.html )
  4. A leading online profiler, DoubleClick, has admitted long-standing security flaws in many of its computers, following demonstration of the weaknesses by a foreign computer security organization. DoubleClick has trillions of clickstream records and billions of personally identified transactions on approximately 90 million Americans. ( http://www.junkbusters.com/doubleclick.html )

In brief, we have a group of companies bent on collecting hundreds of millions of enormous electronic dossiers, keeping them secret from the people they concern, intending to exchange and sell them using advanced technologies, but unable to keep them secure from criminals. This is unfair and is moving our society into a level of surveillance that most Americans find unacceptable.

I urge you to pursue an investigation of these developments and to consider action to protect the privacy of Americans in the face of this unprecedented surveillance effort. I have attached two open letters giving further detail on each of the above points, and more information is available from our web site. I appreciate your interest in this matter and would be pleased to assist you.

Sincerely yours

Jason Catlett
President
Junkbusters Corp.

Attachments: Open letters to Microsoft and to DoubleClick


The March 2001 FTC workshop on Consumer Profiling


On March 13, 2001 the FTC ran a Public Workshop on consumer profiling titled The Information Marketplace: Merging and Exchanging Consumer Data. For more information see the FTC's web site. Below are our primary materials on the workshop.



Dialog with company leaders on profiling


Junkbusters reply March 12 to PLI, DMA and Acxiom

To: Walter J. O'Brien, Jr., PLI
Jerry Cerasale, DMA
Jennifer Barrett, Acxiom

Dear Sirs and Madam

Thank you for your letters last week replying to my letter of February 27, which are now available on our Web site. This open reply addresses all three collectively, since your replies are all refusals of my call for transparency, each giving similar reasons.

Junkbusters has received a handful of responses from individuals consenting to the disclosure of their profiles, in most cases provided they have the opportunity to see the information beforehand, and delete anything they wish. These are rights that should be guaranteed to all Americans by law. Citizens of most developed countries have long enjoyed these privacy rights. It saddens me to see organizations that claim to be supporting privacy formally opposing not just the right of access in general, but even this specific instance that would allow the public a glimpse of how they are being profiled.

The fundamental inadequacy of these responses is their refusal to open marketing databases to public scrutiny, even for people who have consented to the disclosure with the goal of informing the public about consumer profiling. The replies give poor excuses to keep this information hidden from the view of the people they concern. The only reasonable conclusion to draw from the direct marketing industry's refusal to be open about their practices is that its companies have something to hide. It is shameful that these companies want another Federal government inquiry into consumer profiling to pass by with the farcical absence of any examination of real profiles by the public.

Replies that say consumers should be satisfied with merely a description of the types of information held about them, or that consumers should be better educated about the different kinds of personal information and their ``choices'' and ``options'' are insultingly arrogant. Choice is meaningless if a person can't see the things at issue. The obvious awful truth that marketers are trying to avoid is that if consumers could see half the information kept in electronic dossiers about them, many would be horrified and demand its destruction.

The replies allude to the principle of purpose-specificity, which is an important part of privacy law. But they ignore the fact that data can and should be disclosed where the data subject consents. Also ignored is the fact that much of the data used for marketing was collected for a different purpose, and its conversion to marketing data violates that very principle of purpose-specificity.

The Privacy Leadership Initiative letter refers to a "trust deficit," which is to state in macroeconomic-sounding jargon that people distrust direct marketers. The obvious remedy would be for businesses to become open with consumers about the personal information they hold and to give them control over it. But these responses show the failure of businesses to provide the transparency that would foster trust. This is not leadership. It is trailership in the worst tradition of trade associations pandering to the lowest elements of their membership.

The PLI letter includes a trio of negatives that I would summarize with the sentence: ``The data you describe would not be available, but just in case it is, we do not want you to collect it about us, and if you do, the results will be inherently misleading.'' I have asked the companies themselves to provide profiles on prominent consenting subjects. If such data is inherently misleading, then nobody should be using it for anything.

Several assertions in these letters are incorrect, such as the claim that ``No reputable marketer ... would shock or surprise consumers by publicly posting their data.'' Many companies, from General Motors to Butterball, have accidentally left databases of personal information open for downloading from the Web. If people are not able to see what data a company has about them, they are not able to mitigate the risks of accidental exposure. Marketing data has many times been used for other purposes, for example by the Internal Revenue Service, by employees ``browsing'' customer files, by prison inmates who entered data, and in subpoenas.

The claim that looking up an individual in a marketing database is technologically impossible belongs in the 1960's. Many marketing data companies now boast of online analytical processing, and their ability to ``append'' or ``enhance'' data to a list of specific individuals, or to track individuals as they change address, telephone numbers and email.

Several paragraphs of the letters point out the benefits of consumer data to businesses and consumers. I agree with this. There is no need to inform me or anyone that ``a recent Wall Street Journal article said that significant productivity growth has been achieved because of information and information technology.'' What I object to is not the technology nor the business but the way that consumer data is handled unfairly. Technology does not require this; companies do it because it is easier and cheaper. No individual company wants to bear a cost, however slight, when its competitors are not required to do so; therefore legislators must require it uniformly.

Finally, I turn to the attempts by the two associations to ``opt-out'' their constituent executives en masse. The PLI's letter asserts its ``collective refusal'' to allow Junkbusters to gather personally-identifiable information about its executives. This is inconsistent with the qualified consent we had earlier received from several executives of DoubleClick Inc., a PLI member. I can only assume that some miscommunication occurred within the PLI's leadership, and suggest that the PLI request each executive to send his or her individual response to us directly. The DMA also attempted to opt-out all its member companies, which we did not address as a group and have never seen listed in full. We may not honor that request either, consistent with the DMA's policy of refusing ``third party'' opt-out requests made on behalf of consumers.

The refusals of these organizations to let the public see real examples of consumer profiles will stand as compelling evidence that legislation is essential to give Americans the right to control their personal information.

Sincerely

Jason Catlett
President
Junkbusters Corp.

Main body of the letter to company leaders on their disposition toward profiling

February 27, 2001

Dear Sir/Madam

To provide more accurate and specific answers to the questions posed by the Federal Trade Commission's public workshop March 13 on how businesses merge and exchange consumer information, and for subsequent public interest research, Junkbusters Corporation (possibly joined by other privacy groups) intends to seek a variety of personal information from commercial sources about a number of known individuals, particularly those who are prominent in the privacy debate and those who are likely to be present at the workshop. You could be one of these people. This letter asks you to indicate your disposition towards the collection of personal information about you and its dissemination to the public for discussion at the workshop.

We intend to focus primarily on data gathered for marketing purposes, and which companies sell or share with other marketers, possibly without the knowledge or consent of the data subject. The kind of data sought might include: demographic data; psychographic and lifestyle data; data about past residences, income, education level, and criminal records; membership in clubs, political and religious organizations; records of goods and services purchased; subscriptions to magazines; estimates of interest in or propensity to purchase particular products or categories of products; estimates of lifetime value; clustering or segmentation data; clickstream data such as URLs viewed, IP addresses, cookies, timestamps; search queries; data gathered from public records including marriages, divorces, property purchases and licenses; self-reported data including survey responses and warranty cards.

We intend to exclude patient records, credit reporting information regulated under the Fair Credit Reporting Act, and financial transactions other than matters of public record such as the purchase of real property; however marketing information relating to health and financial products may be included, particularly where their use by third parties is permitted under the new HIPAA rules or the Financial Services Modernization Act. Lists of ailments and the use of non-prescription medications may be included.

The sources of personal information for our study have not been finalized at the time of this writing, but the following list is indicative of kinds of companies whose data we intend to seek.

Acxiom, Amazon.com, AOL/Time Warner, Claritas, Citicorp, Database America, DoubleClick's Abacus Direct Division, Equifax's National Demographics & Lifestyles, Experian, Harte-Hanks, Microsoft, Martha Stewart Living Omnimedia, Naviant, Playboy Enterprises, the Polk Company, Safeway, Shoprite, Trans Union, and U.S. Bancorp.

Some of the information obtained may relate to households that you have lived in, and may reflect the behavior and attributes of cohabitants (such as a spouse or children) rather than yourself. If an individual with such a relationship to you specifically wishes to be included in this survey, he or she should reply separately.

I would be grateful if you could return your response to the questions below by email to profiling (at sign) junkbusters.com at your earliest convenience, and preferably no later than March 6th. In case you received this letter by hard copy, an electronic copy is available at http://www.junkbusters.com/profiling.html on the Web for you to cut and paste into your email.

If you require more information on the FTC workshop, it is posted in the Federal Register and is available at http://www.ftc.gov/os/2001/02/mergingfrn.htm on the Web.

The survey also asks for an indication of whether your organization is willing to provide information for this study. Depending on whether your organization profiles consumers, this may not apply to you. We also ask your opinion on some related matters such as how we should treat non-responders to this inquiry.

I welcome any comments, suggestions, or questions you might have on this research project. I thank you in advance for your attention and participation.

Sincerely

Jason Catlett
President
Junkbusters Corp.

Response sheet

Please mark with an X as indicated in the following sample:

Sample question
[ X ] Yes, this is the right way to answer a question, with an X
[   ] No, inappropriate answers should be left blank

What is your personal position on data collection?

[   ] I demand that information not be collected about me or my household, and
I assert I have, or should have, a legal right to prevent collection.
[   ] I would prefer that information not be collected about me, but I don't
claim any right to prevent its collection by legal means
[   ] I consent to the collection of my personal information for this project
[   ] I don't care about this

What is your personal position on subject access?

[   ] I demand to see any information collected about me or my household, and
I assert I have, or should have, a legal right to see it.
[   ] I would prefer to see the information held about me, but I don't
claim any right to do so
[   ] I don't care about this

What is your personal position on disclosure?

[   ] I demand that the information not be published, and
I assert I have, or should have, a legal right to prevent disclosure
of such information without my affirmative consent.
[   ] I would prefer that the information not be made public, but I don't
claim any right to prevent its disclosure
[   ] I consent unconditionally in advance to the publication of this
information about me and my household
[   ] I don't care about this

How do you advise we treat those who answered with "preferences" to the above?

[   ] Respect their preferences, restricting the free flow of information
[   ] Ignore their stated preferences in favor of the free flow of information
[   ] I don't care about this

How do you advise we treat people who fail to respond to these questions?
[   ] Neither collect nor disclose data (i.e. apply an opt-in standard)
[   ] Collect and disclose data (i.e. apply an opt-out standard)
[   ] Apply the standard advocated by their organization
[   ] No comment / don't care

What is your organization's disposition toward providing data for this project?
[   ] My organization does not maintain or does not supply to anyone personal
information about a significant number of consumers
[   ] My organization supplies personal information to other parties,
but is unwilling to supply it for this project
[   ] My organization is willing to supply information for this project
only about individuals who have consented to its collection
[   ] My organization is willing to supply information for this project
about any individuals, subject to the negotiation of commercial terms

Any comments or questions may be included below:

Addressees

The letter is addressed to the individuals named below. The list may be expanded as time and resources permit. Time and circumstances may not allow all individuals to be contacted, but they are welcome to respond before receipt. A ``+'' sign before the name indicates the letter has already been sent to the individual. The designation (+/no) indicates the individual has denied consent to collect or publish information. The designation (+/withheld) indicates the individual has replied, but has asked for the content of that reply not to be published. The designation (+/qualified) indicates the individual has granted us qualified consent to collect and disclose information. The designation (+/yes) would indicate the individual has granted us consent to collect and disclose information, but nobody has yet granted this.

Privacy Leadership Initiative (PLI) Corporate Members [More on PLI] [PLI response]

  1. AT&T: C. Michael Armstrong, CEO
  2. Compaq Computer: Michael D. Capellas, President
  3. Dell Computer: Michael Dell, Chairman
  4. DoubleClick: (+/qualified) Kevin O'Connor, Chairman; (+/qualified) Kevin Ryan, CEO; (+/qualified) Jules Polonetsky, CPO
  5. E*TRADE: Christos M. Costakos, CEO
  6. Eastman Kodak Company: Daniel A. Carp, CEO; Anthony Sanzio, Director, Technology Public Relations
  7. Engage: (+/withheld) Anthony Nuzzo, CEO; (+/withheld) Dan Jaye
  8. Experian: (+)Tom Newkirk, Chairman; (+) Chandos Quill, VP Corporate Communications
  9. Ford Motor Company: Jacques A. Nasser, President; Nicole Solomom, Director, Corporate Policy Communications
  10. Harris Interactive: Gordon S. Black, Founder; Dan Hucko
  11. IBM: (+) Louis V. Gerstner, Jr., Chairman; (+) Harriett Pearson, Chief Privacy Officer; Kendra Collins, Director of Corporate Media Relations
  12. Intel Corporation: Craig R. Barrett, CEO; Sue Richard, PR Manager, Government Relations
  13. Procter & Gamble: John Pepper, Chairman of the Board
  14. Sony: Nobuyuki Idei, CEO; Greg Dvorken
  15. Travelocity.com: Terrell B. Jones, CEO; Judy Haveson
  16. Verisign: Stratton Sclavos, CEO; Jim Rutt, head, Network Solutions Division

Privacy Leadership Initiative Participating Associations and Executives [More on PLI] [PLI response]

  1. Privacy Leadership Initiative, (+/no - reply below) Walter J. O'Brien, Jr., Executive Director
  2. American Association of Advertising Agencies: O. Burtch Drake, CEO; John Wolfe, Director of Public Relations
  3. Association of National Advertisers: John J. Sarsen, Jr., CEO; Susan Pralgever, Director of Communications
  4. Direct Marketing Association: [reply below] (+/no) H. Robert Weintzen, CEO; (+/no) Jerry Cerasale, VP Government Affairs; (+/no) Pat Faley, VP Consumer Affairs; (+/no) Stephen Altobelli, Director of Public Affairs
  5. European-American Business Council: Willard Berry, President
  6. Information Technology Industry Council: Rhett B. Dawson, President; Connie Correll, Director of Communications
  7. Internet Advertising Bureau: Rich LeFurgy, Chairman
  8. National Association of Manufacturers: Jerry Jasinowski, President; Scot Montrey, Director of Media Relations
  9. NetCoalition.com: Daniel Ebert, Executive Director; Steve Selby, PR Counsel

The Online Privacy Alliance Members (partial list) [more on OPA]

  1. Association for Competitive Technology: Jonathan Zuck, President
  2. Information Technology Association of America (ITAA): Harris Miller, President
  3. 24/7 Media, Inc: David Moore, CEO
  4. Acxiom: [reply below] (+/qualified) Charles Morgan, President; (+/qualified) Jennifer Barrett, Chief Privacy Officer
  5. America Online / Time Warner: Steve Case, CEO; George Vrandenberg, General Counsel
  6. Avenue A, Inc.: Brian McAndrews, CEO
  7. Bank of America: Hugh McColl, Jr., Chairman, CEO
  8. Bell South: F. Ackerman, CEO
  9. Cisco: John Chambers, CEO
  10. Dun & Bradstreet: Allan Loren, CEO
  11. EDS: Richard Brown, CEO
  12. EDventure Holdings, Inc.: (+/response below) Esther Dyson, Chairman
  13. Equifax: Thomas F. Chapman, CEO
  14. First Data: Ric Duques, CEO
  15. Microsoft: Steve Ballmer, CEO; Rick Belluzo, COO; Bill Gates, Chairman; (+/qualified) Richard Purcell, Director of Privacy
  16. Novell: Eric Schmidt, CEO; Mike Sheridan, VP
  17. Real Networks, Inc.: Robert Glaser
  18. Sun Microsystems: Scott McNealy, CEO
  19. Verizon Communications: (+/no) Charles Lee and (+/no) Ivan Seidenberg, co-CEOs; (+/qualified) Shelley Harms, Chief Privacy Officer
  20. Websidestory, Inc.: John Hentrich, Blaise Barrelet
  21. Yahoo: Timothy Koogle, Chairman; Jeffrey Mallett, President

A selection of relevant organizations who do not appear to be included in the above organizations

  1. Jeff Connaughton, Quinn Gillespie & Associates (represents NAI)
  2. Rick White, TechNet
  3. (+/no) Ron Plesser, Piper & Marbury (represents DMA)
  4. (+/qualified) Christine Varney, Hogan & Hartson (represents OPA)
  5. (+) Amazon.com: Jeff Bezos, CEO; (+) Paul Misener, VP
  6. American Business Information / Database America / infoUSA / Donnelly Marketing: Vinod Gupta, CEO
  7. American Express: (+/no) Harvey Golub, CEO; (+/no) Peggy Haney
  8. Be Free: Gordon Hoffstein, CEO
  9. Claritas: Bob Nascenzi, CEO
  10. Citicorp: John Reed, CEO
  11. Cogit.com: Peter Corrao, CEO
  12. Harte-Hanks: Larry Franklin, CEO
  13. I-behavior.com: Lynn Wunderman, CEO
  14. Martha Stewart Living Omnimedia: Martha Stewart, CEO
  15. Naviant: Charles Stryker, CEO
  16. Playboy Enterprises: Christie Hefner, CEO
  17. Polk Company: Stephen R. Polk, CEO
  18. Safeway: Steve Burd, CEO
  19. Shoprite: Dean Janeway, CEO
  20. Trans Union: Harry Gambill, CEO; Oscar Marquis, VP
  21. U.S. Bancorp: Jack Grundhofer, CEO

Clarification published March 2, 2001

This clarification was published to answer questions and comments sent to Junkbusters in response to the letter above.

Some people have asked if this is part of Privacy International's "outing" project. It is not; I strongly opposed that idea. I stress that if you reply with the "demand" option not to collect or distribute data about you, Junkbusters will not collect any profile about you for this project, and will not distribute any profile at the Federal Trade Commission's upcoming public workshop on March 13, nor in any other arena before or after it.

Some people have agreed to allow Junkbusters to collect information about them on the condition that they be given the opportunity to review their data prior to publication, and redact it or withhold it as they see fit. We'll be glad to honor these requests also. If you would like to participate in this way, simply say so at the top or bottom of your response.

Some people seem to have jumped to the mistaken conclusion that I might use information gathered for this project to embarrass participants at the FTC workshop by capriciously displaying their profiles on overhead projector slides. I would certainly not focus on an individual in this way without his or her prior permission. As it happens, the material I would most like to present during the FTC's workshop relates to a somewhat different topic, and since time will be short, I will not be presenting any new profiles in that forum. My view of the appropriate way to disseminate the profiles on consenting data subjects for the FTC's workshop is to publish them on the Web in advance, so that all participants can review them. Hard copies might also be available as handouts at the workshop - but again, only with the data subject's permission. I am asking companies that maintain profiles to provide samples, preferably choosing the data subjects who have granted consent for this project.

I also expect that our project will be ongoing, with profiles being added long after the FTC's workshop is over. Ongoing data collection might be done in conjunction with other groups or separately by them, possibly applying an opt-out criterion. But I repeat: (1) Junkbusters will display profiles at the FTC only with the explicit prior consent of the data subject; and (2) we will comply with demands to be excluded from all data collection, research and publication, at and after the FTC workshop.

Even if you choose not to be a data subject, you can assist this project by obtaining profiles on consenting data subjects, sending the data either directly to them or to me. Please let me know if your company is willing to do this.

It's been very gratifying to hear so many OPA members strongly advocating the importance of the principles of consent, collection limitation, individual participation including deletion, and purpose-specificity. These standards go well beyond the OPA's own principles of notice, choice, access and security. And given that this is with respect to commercially available information that the industry deems "non-sensitive," I think this bodes well for the future of privacy protection.

Sincerely

Jason Catlett
President
Junkbusters Corp.

Response by Esther Dyson

>What is your personal position on data collection?
This is a confusing question, because there are two forms of collection - collection from the individual, and "collection" as you use it below, which means collection from legal sources who already have it and are selling it. I would assert that I have the practical right to prevent collection of data from me directly by not providing it, and the legal right (but unfortunately for now few *practical means*) to prevent people from passing it along by making and enforcing such a contract. ...

>[ X ] I would prefer that information not be collected about me, but I don't
>claim any right to prevent its collection by legal means
>
>What is your personal position on subject access?
>[ X ] I would prefer to see the information held about me, but I don't
>claim any right to do so

>What is your personal position on disclosure?
I would prefer to see the info first.... (let's be real!)
>[ x ] I would prefer that the information not be made public, but I don't
>claim any right to prevent its disclosure AFTER THE FACT
>How do you advise we treat those who answered with "preferences" to the above?
>[ x  ] Respect their preferences, restricting the free flow of information
>
>How do you advise we treat people who fail to respond to these questions?
Disclose the fact that they failed to respond - and of course disclose the
answers of those who *did* respond....
>[ x ] Apply the standard advocated by their organization
>
>What is your organization's disposition toward providing data for this project?
>[ x  ] My organization does not maintain or does not supply to anyone personal
>information about a significant number of consumers

Response by Privacy Leadership Initiative, March 7, 2001

Dear Mr. Catlett:

This is a response to your February 27 letter to the Privacy Leadership Initiative member companies and their leadership.

Your letter demonstrates the critical need to educate all stakeholders, especially consumers, on the distinctions between marketing files, compilations of data used to facilitate and enhance targeted offers, personalization and customer service, and reference products, compilations of data that provide information about specific individuals for various commercial purposes such as individual verification and location. The data you seek from various sources about company leaders would, if available at all, actually constitute reference data, data that is available about specific individuals. Marketing data is not used for reference purposes.

In addition, your letter raises the issues of notice, choice and access. PLI members believe that appropriate notices should accompany information collected for marketing purposes, and individuals should have the ability to limit targeted marketing communications. Consumer access to marketing databases is typically not available because these databases are not structured to provide information on any individual. Given that individual marketing profiles do not exist as commercial products, they cannot be accessed by consumers or companies.

These issues are incredibly important, as increasingly, information drives our economy. A recent Wall Street Journal article said that significant productivity growth has been achieved because of information and information technology. The growth is real and has given most consumers more choices and better service.

Your letter also asks for comments and suggestions on your research project.

However, your results will be inherently misleading because your approach confuses reference data products and marketing profiles. Simply put, your methods do not reflect the way consumer data is collected or used by marketers. Marketing files are not available as consumer profiles; instead, marketing data makes it possible for companies to be more effective in providing the right opportunities at the right time to consumers. We believe the consumer is better served by a greater understanding of the choices they have when it comes to keeping information private as well as the value they can receive from sharing information.

We recognize there is a trust deficit between consumers and businesses, as well as between consumers and government, on the subject of sharing and use of personal data. That is why the PLI, among other efforts, is developing tools to ensure that the marketplace uses information responsibly and in ways that benefit consumers and businesses alike. We believe this is a necessary step toward building a climate of trust between businesses and consumers.

Sincerely,
Walter J. O'Brien, Jr.

This further paragraph received March 9 was in response to a request for clarification

Given that I am a member of the PLI leadership, you should consider me included in our collective refusal to have you gather personally-identifiable information. As stated in my previous letter, the data you would seek to gather about the PLI leadership would, if available at all, constitute reference data, and marketing data is not used for reference purposes.

Response by the Direct Marketing Association, March 7, 2001

Dear Jason:

Your survey has asked for permission to publicly release data about some DMA officials and member company executives for non-marketing purposes. As you know, The DMA is very concerned about appropriate uses and protections afforded to personal data. Our industry is built upon consumer trust, and your proposed actions would seriously undermine that trust.

No reputable marketer information provider such as those you list in your survey would shock or surprise consumers by publicly posting their data. And the DMA Ethical Guidelines prohibit such use of marketing information. These policies are designed to preserve consumer confidence by assuring consumers that information obtained from a transaction with them (for example, the fact that they made a certain type of purchase or the fact that they subscribe to a particular type of magazine) will be used for marketing purposes only.

Marketers share some data with other marketers, and information providers facilitate that sharing so that groups of consumers might receive offers that would be of interest to them. Promoting to individuals on a list of consumers with similar interests is very different from a public posting concerning a specific individual.

Moreover, your letter assumes that the commercial entities you approach will be able to respond with the information you are seeking. In fact this is not the case. Data used for marketing purposes does not reside in files that are accessible with only a consumer's name.

Therefore, we, DMA officials, and member company executives who have not separately responded to you, cannot give you permission to use personal data as you requested inconsistent with DMA policy.

Sincerely,
Jerry Cerasale
Senior Vice President, Government Affairs

[Feedback]  Response by Acxiom Corp., March 8, 2001

Dear Jason,

I received your e-mail of March 6th and appreciate the opportunity to clarify Acxiom's consumer information protection policies.

First, I would like to address your request that Acxiom provide personal information on specifically targeted individuals for your presentation at the Federal Trade Commission's March 13, 2001, Workshop. Even if the individuals named in your survey were to grant you permission to seek information from Acxiom, we are not in a position to honor your request. To do so would violate Acxiom's own Information Practices Use Policies, as well as the guidelines of the Direct Marketing Association and the Individual Reference Services Group, two industry-leading organizations in which Acxiom is a member and active participant. Acxiom's Information Practices Use Policies clearly define to whom and for what purposes personal information about consumers may be provided. Acxiom takes the responsibility we have for protecting personal information seriously and we strictly follow these guidelines, which have been developed with an eye toward providing consumers protection against information misuse. The type of personal information that Acxiom holds is designed for specific commercial uses. Permissible uses do not include the kind of survey inquiry you are conducting, particularly where any supplied non-public personal information would presumably be forwarded by you for inclusion in a public record. Acxiom considers such proposed use of personal information as a violation of an individual's privacy and counter to the consumer protections that Acxiom is committed to upholding and fostering. Only businesses that adhere to Acxiom's Information Use Policies and who have a demonstrated, legitimate commercial need for the information are eligible to purchase such information. Acxiom does not sell personal information to individuals or directly to the public. Businesses cannot purchase the information on single individuals. Acxiom carefully screens users of personal information and verifies that the use to which the information will be put is appropriate. To this end, we contractually bind the purchaser to our conditions.

With this background, I trust that you will understand that Acxiom cannot honor your request, since to do so would force us to violate our own ethical guidelines and those of our industry. If you would like further clarification on the guidelines of either from the Direct Marketing Association or the Individual Reference Services Group, we would be happy to provide them.

Secondly, I wish to respond to your request of Charles Morgan and me to complete your survey. You are free to collect any public information on Mr. Morgan or me. We of course do not object to your contacting other information providers and collecting whatever non-public information they may provide under their guidelines. Mr. Morgan and I are like a great many other Americans - we understand that information is compiled, we have benefited from that practice in many ways, and we appreciate companies that use such information responsibly. As a result, companies are able to make us offers, protect us against fraud, quickly process applications, and provide any number of other important services and benefits. Regrettably, your survey does not appear to be directed toward servicing any of these beneficial purposes.

Regardless of the results of your collection efforts and aside from the obvious potential to embarrass the targeted survey individuals by making a public disclosure of certain non-public information, I would suggest that your discussion at the FTC Workshop focus on the types of information you gather rather than the individual details of your collection efforts. As a matter of policy, practice, and approach, Acxiom does not endorse or support the public display of detailed non-public information on any individual consumer and any implied representation through your proposed survey to the contrary would be a misleading characterization of industry practice. In fact, your requested use of personal information goes far beyond industry-accepted practices. Responsible information use by commercial entities for marketing and reference purposes has resulted in significant economic benefits to our economy and to individual consumers. Acxiom and our customers carefully consider what data is needed for a particular purpose and treat that data with respect concerning its use. We hope you will share this core Acxiom value.

Sincerely,
Jennifer Barrett
Chief Privacy Officer
CC: Charles Morgan



1999 Comments to the Dept. of Commerce and Federal Trade Commission


This document has been submitted in response to the DoC's and FTC's 1999 Federal Register Notice Requesting Public Comment and Announcing Public Workshop on Online Profiling. We welcome comments from everyone on our submission. Comments from other parties are available from the FTC's Web site.

A few slight amendments have been made to the text below since it was submitted to the FTC on October 18, but nothing substantive.

[Feedback]  1999 Comment, P994809


  1. 1 What types of companies are engaged in online profiling or in the development of online profiling technologies? What are the relevant business models?

    By far the leaders in these technologies are ad networks and the companies that supply them with software and systems. This part of the industry has been undergoing a furious consolidation in recent months, and three "camps" have emerged as dominant:
    1. Doubleclick (DCLK), which has announced but not consummated mergers with Abacus Direct (ABDR) and Netgravity (NETG). A merger with 24/7 Media (TFSM) was rumored in October but had not been announced as of the date of this submission (18 October 1999). Privacy advocates have opposed the merger with Abacus Direct on the grounds that the companies intend to merge their massive databases of online and offline behavior.
    2. The CMGi group of companies, which includes Engage Technologies and Accipiter, and is to include, after mergers, AdForce (ADFC), Flycast (FCST), and I/Pro. Also in this stable are many others in only somewhat related businesses, such as the Altavista and Lycos portals/search engines.
    3. Excite, Matchlogic, Enliven, @Home and others (ATHM), related by ownership with AT&T (T) and TCI (TCOMP).
    As the companies listed above illustrate, there is a chain of ownership linking the profiling companies into other kinds of online and offline businesses. Furthermore, some of these companies offer profiles for sale to other businesses. So it would be naive to assume any containment of profiling activities to one particular sector or area. Rather, they are becoming pervasive throughout all business-to-consumer commerce. Under the somewhat misleading name of "one-to-one marketing", companies, even manufacturers with no previous direct consumer relationship such as Levi's jeans, are collecting and exchanging thousands of times more personal information than they were a few years ago. There is a distinction worth making between profiles initiated when a customer buys something from a merchant and those built by an organization such as an ad network, whose existence the consumer is unaware of, but even this distinction is blurred when profiles are obtained to "customize the web experience" before a consumer identifies herself, and when the information after identification is "enhanced" with demographic and psychographic data purchased from personal data vendors. Both these practices are becoming commonplace.

  2. 2.1 What types of information are currently being collected by online profiling companies from or about Web site visitors?

    Most companies do not discuss even the types of information collected. An exception is Engage Technologies, which has been open about its practice of selling ``anonymous'' profiles gathered from web browsing. In August 1998 the New York Times ran a story titled Big Web Sites to Track Steps of Their Users, which showed that hundreds of pieces of information were collected by Engage from clickstreams, but that health and religious information was deliberately not collected. There is little reason to think that all companies will exhibit this restraint. For example, Experian has for years sold an "ailments" list, identifying sufferers of conditions from hemorrhoids to depression, and Acxiom, among others, sells data including religious denomination. Particularly troubling to many consumers is whether information is recorded about their visits to ``adult'' sites, a category which exhibits considerable diversity, and which accounts for approximately one billion dollars in ecommerce revenues.

    A consumer profile is generally formatted as an "interest vector": a collection of numeric "scores" in several hundred categories. At the time of the DoubleClick/Abacus merger, Abacus Direct CEO Tony White told MSNBC "The goal is to have the most complete picture of the consumer you can." The near-term future of an unrestrained online ad industry is clear: hundreds of millions of secret electronic dossiers containing a vast range of information about every aspect of people's lives. It is an Orwellian vision about to be made real.

  3. 2.2 What technologies do online profiling companies use to collect information about consumers? Please describe how these technologies function.

    The most common technique is the use of cookies by an ad network to observe and record the visits of consumers to specific pages of sites in their network. Although cookies were intended to be site-specific, networks are using a technique sometimes called cookie synchronization to be able to effectively "share" cookies and the information associated with them on the server side across multiple sites. For details see http://www.guid.org or http://www.junkbusters.com/cookies.html for example. The insidious effect of this technology is that once a user's identity becomes known to a single company with a cookie set, it is technically possible for any of the others to discover identity with every visit to their sites. Junkbusters has been alerting consumers to this threat since 1996, and specifically described it in our submission to the FTC in the summer of 1997. The prevailing state of the art has advanced considerably.

    It is now routine practice for commercial email in HTML format to include Web-based tracking elements that allow a company to determine whether, when, and from where the email was viewed, and to synchronize the address with a cookie.

    Other Internet media are also used as a means of surveillance. Both RealNetworks' RealPlayer and the Microsoft Windows Media Player carry GUIDs, ``and those numbers are transmitted to any site where you access a streaming file,'' according to the Seattle Weekly. (1999/4/8) There is also evidence that some products report when specific tracks are played.

    The Forrester report also notes that "clever interactive tools such as Reel.com's Mood Matcher -- which helps customers find movies based on their moods -- and PlanetRx's personalized prescription filler make it possible for companies to collect "highly intrusive psychographic data that individuals would rarely provide on a standard registration form."
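
    The cookie synchronization described in this answer leaves a visible trace in a browser's own request log: an ID held in one network's cookie turns up in a URL sent to a different network. The following is an added example, not part of the original submission; the log entries, domain names and function names are constructed for illustration, and treating the last two host labels as the "site" is a simplifying assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed request log (not real traffic). Each entry is one request the
# browser made while loading a page, with the cookies it sent to that host.
REQUESTS = [
    {"url": "http://ads.net-a.example/banner?page=news",
     "cookies": {"uid": "A1f93c07de22"}},
    # net-a redirects the browser to net-b and puts its own ID in the query.
    {"url": "http://sync.net-b.example/match?partner=net-a&puid=A1f93c07de22",
     "cookies": {"id": "B77e0a4c9911"}},
    # net-b passes its ID to net-c as a path segment of an image request.
    {"url": "http://px.net-c.example/s/B77e0a4c9911/1.gif",
     "cookies": {"cid": "C0042ab8f3d1"}},
    # net-d sets a cookie but never exchanges it with anyone.
    {"url": "http://stats.net-d.example/hit?page=news",
     "cookies": {"v": "D5e1c2b3a4f6"}},
    # Short preference cookies are not identifiers and must be ignored.
    {"url": "http://shop.example/cart?lang=en", "cookies": {"lang": "en"}},
]

ID_RE = re.compile(r"^[A-Za-z0-9_-]{10,}$")  # heuristic for opaque IDs


def site(url):
    """Last two host labels (assumption; real tools use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def url_tokens(url):
    """Every place a URL can carry an ID: query values and path segments."""
    parts = urlsplit(url)
    tokens = {value for _, value in parse_qsl(parts.query)}
    tokens.update(seg for seg in parts.path.split("/") if seg)
    return tokens


def id_owners(requests):
    """Map each ID-like cookie value to the site whose cookie holds it."""
    owners = {}
    for req in requests:
        for value in req["cookies"].values():
            if ID_RE.match(value):
                owners.setdefault(value, site(req["url"]))
    return owners


def find_syncs(requests):
    """(owner, receiver, id) for each cookie ID sent in a URL to another site."""
    owners = id_owners(requests)
    events = set()
    for req in requests:
        dest = site(req["url"])
        for tok in url_tokens(req["url"]):
            if tok in owners and owners[tok] != dest:
                events.add((owners[tok], dest, tok))
    return sorted(events)


def linked_groups(requests):
    """Union-find over IDs: sites whose cookies now refer to the same browser."""
    owners = id_owners(requests)
    parent = {value: value for value in owners}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for req in requests:
        dest = site(req["url"])
        own_ids = [v for v in req["cookies"].values() if v in owners]
        for tok in url_tokens(req["url"]):
            if tok in owners and owners[tok] != dest:
                # The receiver sees a foreign ID next to its own cookie.
                for own in own_ids:
                    parent[find(tok)] = find(own)
    groups = defaultdict(set)
    for value, owner in owners.items():
        groups[find(value)].add(owner)
    return sorted(sorted(group) for group in groups.values())


def exposure(requests, identified_site):
    """Sites that can resolve the visitor once identified_site knows who it is."""
    for group in linked_groups(requests):
        if identified_site in group:
            return group
    return []


if __name__ == "__main__":
    for owner, dest, value in find_syncs(REQUESTS):
        print(f"{owner} -> {dest}: {value}")
    print(exposure(REQUESTS, "net-c.example"))
```

    In the constructed log, net-a and net-c never exchange anything directly, yet both land in the same group because each synchronized with net-b.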

  4. 2.3 Do these technologies currently enable creation of anonymous profiles?

    A profile may or may not be associated with the name of a person. We prefer the term "pseudonymous" here.

  5. 3.1 Do these technologies currently enable the creation of consumer profiles that identify individual consumers?

    A profile may be associated with an individual by several means: voluntary identification by the individual, or inference by triangulation of data (for example, a zip code, gender and date of birth identifies the individual in public records in a large percentage of cases), or through "synchronization" with other sources to whom the individual's identity is known.
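
    The triangulation mentioned above can be measured before a data set is kept or shared, by counting how many records are unique on zip code, gender and date of birth. This is an added example, not part of the original submission; the records, names, cookie labels and the generalization levels are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed records, not real people: (name, zip, sex, date of birth).
PUBLIC_RECORDS = [
    ("Alice Example", "02139", "F", "1961-07-14"),
    ("Bob Example",   "02139", "M", "1958-02-03"),
    ("Carol Example", "02139", "F", "1961-11-30"),
    ("Dan Example",   "02141", "M", "1958-09-21"),
    ("Erin Example",  "02141", "F", "1975-05-05"),
    ("Frank Example", "02141", "M", "1975-05-05"),
]

# Constructed pseudonymous profiles: no name, but the same three attributes.
PROFILES = [
    {"cookie": "p-001", "zip": "02139", "sex": "F", "dob": "1961-07-14"},
    {"cookie": "p-002", "zip": "02141", "sex": "M", "dob": "1958-09-21"},
    {"cookie": "p-003", "zip": "02141", "sex": "F", "dob": "1975-05-05"},
]


def exact(zip_code, sex, dob):
    """Attributes as collected."""
    return (zip_code, sex, dob)


def coarse(zip_code, sex, dob):
    """Three-digit zip prefix and year of birth only."""
    return (zip_code[:3], sex, dob[:4])


def coarse_no_sex(zip_code, sex, dob):
    """As coarse, with gender dropped as well."""
    return (zip_code[:3], dob[:4])


def class_sizes(records, key):
    """How many records share each combination of the keyed attributes."""
    return Counter(key(z, s, d) for _, z, s, d in records)


def k_anonymity(records, key):
    """Size of the smallest group; 1 means somebody is unique."""
    return min(class_sizes(records, key).values())


def reidentify(profiles, records, key):
    """Profiles that match exactly one named record under the given key."""
    by_key = defaultdict(list)
    for name, z, s, d in records:
        by_key[key(z, s, d)].append(name)
    hits = {}
    for prof in profiles:
        candidates = by_key.get(key(prof["zip"], prof["sex"], prof["dob"]), [])
        if len(candidates) == 1:
            hits[prof["cookie"]] = candidates[0]
    return hits


if __name__ == "__main__":
    for key in (exact, coarse, coarse_no_sex):
        print(key.__name__, k_anonymity(PUBLIC_RECORDS, key),
              reidentify(PROFILES, PUBLIC_RECORDS, key))
```

    Coarsening the attributes is not a guarantee: in the constructed data one profile stays unique on zip prefix, gender and birth year, and only dropping gender as well brings every group to two or more.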

  6. 3.2 Do the profiles include information originally collected anonymously but later linked to an individual?

    This is certainly technically possible. It is difficult to know how prevalent this practice is because companies are generally secretive about such details.

  7. 3.3 Are online profiling companies currently creating such profiles?

    Some vendors that make "collaborative filtering" software, such as Net Perceptions, market their products as a "bolt-on brain" that greatly enhances the targeting performed on existing customers.

  8. 4 Are there technologies in development that will enable the creation of consumer profiles that identify individual consumers? If so, please describe.

    New companies and technologies are constantly appearing that do this. For example, in September Vignette and Edocs announced that they would combine their consumer data from multiple Web sites (including many major media sites) and bill payment to build more extensive profiles, Reuters reported. [Vignette Release] Vignette also proposed an XML standard called ICE to exchange consumer data.

    24/7 Media has been reported as linking individuals with cookies in an arrangement with a company that provides online product registration (Boston Globe, 1999/9/9, p. C1).

  9. 5 How is the information collected by online profiling companies used?

    The main direct use is to target advertising. Another use that is more hyped than used in earnest is customization of a site from the first time that a visitor enters. See Net Perceptions for example.

  10. 6 Is the information collected by online profiling companies being merged with other databases? If so, what kinds of information are included in such databases? How is the merged information being used?

    Yes. See the "enhancement services" offered by traditional database marketing companies such as Acxiom for example. The information is used for the same purposes: targeting and customization. See also our letters concerning the DoubleClick/Abacus merger and the excerpt from the NetDeals site below.

  11. 7 What are the costs and benefits, to both industry and consumers, of online profiling?

    There is no question that online profiles can and do have substantial economic benefits to both consumers and companies; the question should be whether the current manner in which profiles are being built has unacceptable consequences in what economists call "negative externalities": undesirable effects not measured as part of the economic equation. To quickly see the danger of ignoring these and being misled by the cost-benefit analysis presumed by the question, imagine asking in 1850 "What are the costs and benefits of rice and cotton farming?" or in 1965 "What are the costs and benefits of automobiles?" while ignoring issues such as slavery, deaths in road accidents, and environmental pollution. As in the case of slavery, the missing factor in the case of online profiling is the consent of the individuals concerned. Neither rice farming nor profiling is inherently bad, but forcing them unfairly on people is wrong. As in the case of automobile safety and pollution, the public is not being told about or offered alternatives, such as safer, cleaner cars; or in the case of profiles, profiles built with the informed consent of the individual, open to their inspection and destruction if desired, limited in scope and time, and following the principles of fair information practice.

    Profilers argue that more "relevant" advertising (i.e. more targeted messages based on more detailed profiles) results in lower prices and better products, but this minor effect does not trump the fundamental human rights of privacy any more than lower rice prices and a stronger trade balance trump freedom from slavery.

    One prominent industry commentator has taken the advertisers' side of the argument to its logical conclusion. Evan Neufeld, senior analyst for Jupiter Communications in New York, was quoted making the following statement in an interview in Silicon Alley Reporter in August 1999.

    "I always thought the privacy thing should be flipped around and the government should be going after these privacy groups who actually want to hurt consumers by raising consumer prices. By keeping everything secret, where you can't learn from anything, and where you can't give people relevant advertising, you hurt the consumer."

    Most privacy and consumer groups would bristle at his allegation that their intention in seeking privacy is to hurt consumers, but the more coherent sentence here is the second one. It ignores the enormous amount of information that can be gained by aggregate data that is not personally identified. Also ignored is the possibility that "dynamic pricing" based on personalization may actually cause a net increase in prices, in favor of brand "spinners" and against the loyal stable customer who is too busy to constantly shop for a better deal. (Research by CALPIRG on shoppers' cards suggests that this form of personalization has not resulted in a net decrease in supermarket prices.) But if we accept Neufeld's thesis as valid, would we not also have to accept that any government action supporting consumers in the evasion of commercial solicitations is detrimental to society on the grounds that it results in higher prices? In 1970 the Supreme Court upheld a statute that allows consumers to stop unwanted junk mail, rejecting the appellants' contention that unimpeded communications are ``imperative to a free and sane society.''

    "We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another. If this prohibition operates to impede the flow of even valid ideas, the answer is that no one has a right to press even ``good'' ideas on an unwilling recipient."

    Similarly, we contend that marketers should not have the right to extract information from a consumer's web browsing at home to build profiles without observing fair information practices such as first obtaining the consumer's consent.

  12. 8 What are consumers' perceptions about online profiling? Please provide the results of any studies or surveys addressing this question.

    It would be difficult to obtain survey results because so few consumers are aware of what profiling is performed. At the time of the DoubleClick/Abacus merger, Forrester's Jim Nail told MSNBC "I don't think the average consumer has any idea that individual transactions are being dumped into a monster database. The fact that it's not only being released with other catalogers but with any Web marketer is crossing a boundary."

    The GVU's 6th WWW User Survey concluded ``The notion that people like to receive targeted marketing material is not supported by the data, regardless of the medium. There is high agreement on these issues across strata.'' Industry surveys also routinely show that the majority of people don't click on a banner ad even once per year.

    The marketing newspaper DM News reported (1998/10/12) that a study by Forrester Research showed that consumers are not responding favorably to Internet advertising. Their study found that only 37 percent of new Internet users have ever clicked on banner ads. The percentage increased to 62 percent after 42 months of online experience. Clearly advertising, targeted or not, is not a strongly desired part of the online experience. Since the chief benefit of these profiles is targeted advertising, it is unlikely to be appreciated even if most consumers understood the link.

  13. 9 What are the beneficial uses of the information collected by online profiling companies?

    The primary benefit inures to ad companies in the form of higher CPMs (cost per thousand ads delivered). For untargeted "eyeballs" this is typically around $10; for highly targeted deliveries it often rises to $30 or more.

    Ad companies argue that their trade supports free content on the web. This is true, but it does not justify arbitrary privacy intrusions. The web has a superabundance of content (how many weather sites do we need?) and there will always be some companies whose finances are marginal. Most companies maintain their sites as a way of lowering transaction costs and reinforcing their franchise with existing customers. The claim of some advertisers that without ever-more targeted advertising the economics of the web will collapse lacks credibility.

    In the case of a consensual relationship with a merchant, many consumers request and enjoy the convenience and personal service that is possible with online account histories. For example, Amazon.com provides a service by which customers can request email notifications of new books of interest. This kind of profiling is a considerable distance from the surreptitious profiling of ad networks, but should still become fully compliant with fair information practices, including rights of access.

    In many cases, profiling information has very beneficial effects for consumers, companies and the economy. But in many cases the information practices that companies are scrambling to assemble are simply unfair and dangerous, and there's no reason for them to be, other than a slight inconvenience and expense to the companies of doing the right thing.

  14. 10 Are consumers' privacy interests implicated by the collection, compilation, sale and use of information collected by online profiling companies? If so, please describe.

    Yes, clearly. The current received definition is that privacy ``...is the claim of individuals... to determine for themselves when, how, and to what extent information about them is communicated to others...'' Consumers currently have few effective means to determine which organizations store and communicate information about them.

  15. 11 Do online profiling companies disclose the ultimate uses of the information they collect? If so, what is the nature of such disclosures? Where possible, please provide examples of such disclosures.

    Disclosures, where present, are usually very vague, as this example from http://win.netdeals.com/getaway/ shows.

    "When you register on NetDeals you provide us with personally identifiable information such as your name, home address and e-mail. We combine that information with other information about you that is available to us. This includes other personally identifiable information and certain non-personally-identifiable information, such as the type of browser you use. We participate in the DoubleClick Information Alliance and share the information we have about you with that Alliance. You can contact DoubleClick at info@doubleclick.net if you have any questions about the Alliance.

    "Through the DoubleClick Information Alliance, we will use the information you provide to us, alone or in combination with other online and offline information, to deliver targeted advertising messages to you."

    One prominent and disgraceful example is the language used by Microsoft's Internet Explorer (a Web browser) when a user asks to be notified of cookies. The notice states that the site would like to "personalize" the visitor's experience by placing a file on their PC. No consumer would even vaguely anticipate what is happening with ad networks based on this notice.

  16. 12 Do online profiling companies provide effective mechanisms for a consumer to remove his or her information from their databases or otherwise control the use of such information?

    Some provide a farcical opt-out mechanism. For example, the following statement dates from October 1998 on DoubleClick's site.

    "While some third parties offer programs to manually delete your cookies, DoubleClick goes one step further by offering you a "blank" or "opt-out cookie" to prevent any data from being stored."

    This is one of the most laughable instances of the fake-privacy notion of opt-out. A parody makes this clearer:

    "While some hotels offer hardware to lock your door, the DoubleClick Inn goes one step further by offering you a "do not disturb" sign to prevent your door ever being opened."

    DoubleClick's "opt-out cookie" does not prevent data being stored; it is itself a piece of data being stored on the consumer's PC which DoubleClick says it will interpret to indicate that its servers should not store further profile information associated with that PC and cookie. The opt-out cookie will itself expire, and may be pushed out of the limited space allocated to cookies by the browser. Further, it is unclear whether, for example, DoubleClick still stores information about the IP address used, which in the case of static IP addresses is constantly associated with the user. Also unclear is whether information previously collected is then deleted.

    It is difficult to imagine any consumer who would go to the effort of understanding what cookies do and how ad networks work, and then choose as a remedy DoubleClick's opt-out mechanism. A far more plausible and widespread reaction is to reconfigure one's browser to restrict cookies, or to use cookie management or ad filtering software.

  17. 13 Do online profiling companies provide consumers an opportunity to choose whether and how their information will be collected and used? If so, please describe the choices that consumers are given and how consumers can exercise these choices.

    Many offer Hobson's choice: let us track you or get out of our web site. Leading examples include Healtheon, and Expedia and other Microsoft sites.

  18. 14 What is current industry practice, with respect to information already collected from individuals, when there is a later change in the company's policies?

    Current industry practice is to simply post the change in the privacy policy. There is rarely even a notice period.

  19. 15 What is the current industry practice, with respect to information already collected from individuals, when there is a material change in the corporate structure or business contracts governing such information, such as through a merger, joint venture, or sale of customer lists?

    Generally, the buyer gets the data, and a consumer who wants to stop her data being transferred has to try to stop it. Few companies are configured to destroy data on request at any time, so this is generally not available. Companies rarely inform consumers explicitly of the event. The buyer usually wants the customer data as part of the assets being bought. Junkbusters was told by a Firefly executive that when Firefly was sold to Microsoft, its members were asked to opt-in to the transfer of the profiles, but we have not seen confirmation of this.

    The following quote from DoubleClick's privacy policy addresses their merger.

    "On June 14, 1999, DoubleClick and Abacus Direct Corporation announced their plan to merge in the third quarter of 1999. Abacus currently maintains a database consisting of personally-identifiable information used primarily for off-line direct marketing. DoubleClick has no rights or plans to use Abacus' database information prior to the completion of the merger. Upon completion of the merger, should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus' database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

  20. 16 Do online profiling companies provide notice and choice with respect to how already-collected information is handled under changed circumstances?

    Some privacy policies include language along the lines of "we can change our mind anytime by changing our posted language, and you can close your account if you want." Most ignore the question.

  21. 17 What, if any, legal or other practical issues would be implicated in the creation of effective self-regulatory programs to govern the sorts of changed circumstances described in Question 16?

    Self-regulatory programs have been shown to be endemically ineffective in this environment. See for example the case of Microsoft and TRUSTe. Remember that the buyer wants the customer data as part of the assets being bought, and the seller wants to maximize his price. Expecting self-regulation to work here is expecting parties in a negotiation about money to leave money on the table. It's completely naive.

  22. 18 Do online profiling companies provide consumers the opportunity to see what information has been collected from or about them and the ability to correct errors? If so, please describe.

    We are not aware of any ad networks that do this. At least one profile-building shopping site, http://www.dash.com, provides the user with complete access to the user's profile, along with the capability to edit and destroy any part or all of the profile. (Disclosure: Junkbusters advised Dash on the design of its information practices.) The Forrester report urged companies to give consumers such capabilities.

    Acxiom offers such access on some of their data products, but it is not clear to us whether or how far this extends into Acxiom's online data.

  23. 19 What procedures have online profiling companies instituted to maintain the security of the information they collect?

    Every company has a duty and incentive to maintain a high level of data security, and doubtless many have diligently spent the time and money to achieve appropriate levels of security, but the large number of incidents reported this year suggests that the prevailing level of security is woefully inadequate. For example, in late August Microsoft's Hotmail service was left open for anyone who followed instructions posted on the Internet to read the email of any Hotmail member. We did not see any report that the profile associated with the member was also compromised, but this would clearly be equally possible, and such a breach will be increasingly dangerous as Microsoft has recently integrated with Hotmail its Passport service, which Wired News noted will be logging records of all the sales across its partner sites, building up ``a monumental database of consumer behavior.''

    In the past year dozens of companies, from General Motors to Butterball (a brand of turkey), have accidentally placed profile data on the Web, where the databases could be downloaded by anyone. In many cases the data included name, address, marital status, and whether the household has children.

    In August 1999 DoubleClick filed suit over ads run by its competitor AdForce claiming that DoubleClick has given confidential information about its customers to their competitors. "You've just been Double Clicked," say the ads. DoubleClick maintained that the accusation was false. The companies later settled with a stipulated injunction.

  24. 20 What self-regulatory efforts have online profiling companies undertaken to address concerns raised by their collection, compilation, sale, and use of consumer information? How do these efforts address the fair information practice of notice, choice, access, security, and enforcement? What are the costs and benefits, to both consumers and businesses, of such self-regulatory efforts?

    TRUSTe has initiated an "Advertising Affiliate Program" specifically for ad networks. According to a spokesperson for Imgis, an online ad company, ``to guarantee that users will respond positively to Web ads, people must be assured that no one seeing their data in the course of an online transaction will sell it to third parties, including ad serving companies.'' Sites will be audited twice a year to ensure they abide by their privacy policy. Chuck Berger, chairman and CEO of Imgis, told ZD Net "We initiated the idea for this program to promote end-to-end self regulation for the online advertising industry."

    Unfortunately nothing has been heard of this initiative since March 1998, and the industry has gone on to do exactly the things that this self-regulatory measure sought to prevent. Junkbusters has asked TRUSTe to explain what happened, and has received no explanation. In the intervening year and a half, Imgis has changed its name to AdForce and been bought by CMGI. [Postscript: CMGI shuttered AdForce in June 2001, Internet News reported.]

    Some web companies maintain that since their services are given away free, they should be able to do whatever they want with consumers' personal data. This makes as much sense as saying that toys or automobiles that are given away free should be exempt from basic safety requirements. Free services should still be required to observe fair information practices.

    The costs of observing fair information practices would be a very tiny percentage for most businesses, but the absolute figures would be substantial, which explains why businesses are spending large amounts of money lobbying to stop the government imposing them. Each business will attempt to minimize its costs by doing as little as possible, which translates into the least regulation that is politically achievable. Here lies a "tragedy of the commons": the consumer population is therefore being left unprotected, resulting in distrust and non-participation.

    It is fair to impose costs due to regulation on all companies, indeed it is more fair than expecting good actors to volunteer for expenses that will not be borne by their less altruistic or less farsighted competitors. All automobiles sold in the US must meet basic safety standards; it would be preposterous to expect manufacturers to voluntarily choose their own minimum requirements and to rely on consumers' preference for safe cars. Advocates of self-regulation are asking the Administration to believe an equally preposterous premise, that companies should choose minimum privacy standards, and (even more implausible) that they should be the ones to ensure these standards are maintained. This makes as much sense as putting the Fortune 500 companies in charge of setting taxation policy for the IRS, and for running its compliance division.

    Privacy advocates have been saying for years that self-regulation is not providing privacy protection and that nobody should expect it to. Recently an independent and respected research firm, Forrester Research, which makes its money by advising companies, issued a report that was highly critical of self-regulation. The report suggests that the FTC, rather than producing reassuring messages to the industry, should push companies to take bigger and faster strides towards complying with already established privacy principles. Forrester also suggests that companies should be required to make customer profiles available to users, including all parties with whom data is shared, and provide the ability for customers to control who the information is shared with and the option to remove themselves from lists. Finally, the report says that "because independent privacy groups like TRUSTe and BBBOnline earn their money from e-commerce organizations, they become more of a privacy advocate for the industry -- rather than for consumers. The FTC should call for a consumer-based organization to provide principles and redress."

  25. 21 Are there any efforts currently underway or planned to educate consumers and businesses about online profiling? If so, please describe.

    The industry "educates" itself as part of the processes of sales and business development; but rather than using the nasty-sounding word "profiling" they speak of "one-to-one marketing" or "personalization". For an example see the "Personalization Summit" at http://www.personalization.com on the Web.

    Early media coverage of Netcoalition suggested it would offer advice to the public in addition to lobbying against privacy laws. So far the web site consists of two pages of press release.

    Most marketers desperately want not to talk about this topic, and those who do are chastised by their colleagues. Denny Hatch, a veteran marketer, former editor-in-chief of Target Marketing and author of the book Method Marketing: how to make a fortune by getting inside the heads of your customers, wrote ``Many marketers are insensitive goons who happily love to show off how much they know about a person--reeling off information about a person to a person which was obviously obtained elsewhere.'' After recounting several horrific incidents, his book concludes ``Aren't marketers playing fast and loose with highly sensitive, intensely private data? Once fully understood by government and consumers alike, aren't marketers heading for a cataclysmic juggernaut with regulators who could legislate us all back to the Stone Age of database technology?'' Yes Denny, they are playing fast and loose with highly sensitive, intensely private data. But once they are fully understood by government and consumers, you'll still be able to use your database technology. You'll just have to ask those people first.

Cover Letter

To: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580.

Re: Online Profiling Project - Comment, P994809 / Docket No. 990811219-9219-01.

Date: 18 October 1999

Dear Sir

Junkbusters Corp. is pleased to submit the attached comments in response to the NTIA and FTC's public invitation to comment.

Our comments are best read from http://www.junkbusters.com/ht/en/profiling.html through a Web browser so that links to other pages may be seen and followed. I am emailing these comments so that they may be placed on the Commission's web site if desired.

Pursuant to point 4 of the Federal Register Notice's criteria we designate CME, EPIC, the NAMED, Privacy Times, and US PIRG as parties sharing group interests with us.

I also request the opportunity to participate as a panelist, in the first session as an expert in profiling technology and software, and in the latter two sessions as a privacy advocacy group.

Respectfully submitted

Jason Catlett, President, Junkbusters Corp.



Rebuttal comments from the workshop


Critique of the 1999 Westin/Doubleclick survey

At the NTIA/FTC hearings on online profiling a survey was presented by Privacy and American Business claiming that most consumers find ad targeting based on profiles acceptable. These conclusions are based on an untenable interpretation of the questions actually asked.

Here are excerpts from the questions; the last one is key.

  1. Would you be willing to describe your interests if the company providing tailored ads spelled out how they would use your information, and you could "opt out" of uses you did not approve?
  2. By asking you to allow information about your VISITS TO web sites on the internet to be used to tailor Internet banner ads to you?
  3. Would you be willing to allow information about your VISITS to web sites on the Internet to be used if the company providing tailored ads spelled out how they would use your information, and you could "opt out" of uses you did not approve?
  4. If a company explains to you just what they want to collect and how they will use it, and if you can "opt out" of uses you did not approve, would the creation of a profile for presenting tailored banner ads be acceptable to you?

The trick here is whether the survey respondent would consider an ad company that he or she has never heard of to have "explained" to him or her what they want to collect. No reasonable person would consider the existence of a privacy policy page somewhere on a web site he or she had never heard of to meet the condition that "if a company explains to you just what they want to collect and how they will use it." Yet in the interpretation of the results the survey mischaracterises this as "notice." It also switches the context of the term "opt out" from specific uses where the consumer was volunteering information to a completely different situation where it is being collected without the consumer's knowledge. The hypothetical world that the survey respondent was asked to imagine when the survey was taken is preposterously remote from the one that the readers of the report would assume when considering conclusions such as this one:

    "Fifty-eight percent of Internet users, or 53 million users, would agree to having their visits to web sites used to personalize banner ads to them, if notice and opt-out were provided."

The survey was sponsored by Doubleclick.

A sample question from the Westin/Doubleclick survey

As an example of the leading questions posed to respondents in the Westin/Doubleclick survey, consider the number of times the words ``positive'' and ``negative'' appear in the following question (our italics).

When banner ads are presented to you as you use the Internet, how positive would you be in having some of these ads tailored to your interests, rather than seeing only random ads that are aimed at all net users?
  1. Very positive
  2. Somewhat positive
  3. Not very positive
  4. Not positive at all

With questions like these, the conclusion is reached that people like targeted profile-based ads. Other surveys reach a different conclusion. The GVU's 6th WWW User Survey concluded ``The notion that people like to receive targeted marketing material is not supported by the data, regardless of the medium. There is high agreement on these issues across strata.'' Industry surveys also routinely show that the majority of people don't click on a banner ad even once per year.


Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/profiling.html