From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Thu, 24 Sep 1998 02:29:32 +0800
To: cypherpunks@cyberpass.net
Subject: IP: Privacy: FTC Losing Patience w/Business
Message-ID: <199809240731.AAA25674@netcom13.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain




From: believer@telepath.com
Subject: IP: Privacy: FTC Losing Patience w/Business
Date: Wed, 23 Sep 1998 07:33:09 -0500
To: believer@telepath.com

Source:  New York Times
http://www.nytimes.com/library/tech/98/09/biztech/articles/21privacy.html

September 21, 1998

F.T.C. 'Losing Patience' With Business on
Web Privacy

By JOEL BRINKLEY

WASHINGTON -- After more than a year of heated debate within the
government, the Federal Trade Commission has all but decided that it is
going to part company with the Clinton administration over the contention
that business can regulate itself when it comes to Internet privacy. 

"We are losing patience with self-regulation," David Medine, an associate
director in the commission's Bureau of Consumer Protection, said in an
interview, reflecting the larger agency opinion on this issue. "It's too
bad, but I think industry has lost the opportunity to show that they will
do it on their own." 

What was the last straw? Within the F.T.C., they called it "the Big Surf."  

>From all corners of the agency's headquarters in the spring, dozens of
lawyers trooped to special training rooms equipped with personal computers
and high-speed Internet connections. And for two weeks, they spent their
days trolling the World Wide Web, searching for privacy problems. 

Their intention was to find Web sites that collected personal information
from visitors but neglected to post any notice about how that information
would be used. The presumption was that many of the companies sold the
information -- some of it highly personal data on health, income and
personal preferences -- to Internet-list brokers, merchants and advertisers. 

The "surfers" had no idea what they would find; no one had ever dedicated
the time and manpower needed for this sort of targeted survey of the vast,
tangled, largely unfathomable network that is the World Wide Web. But the
Big Surf produced startling results published in a report this summer. More
than 90 percent of the roughly 1,400 sites examined collected personal
information from visitors, but only 14 percent of them disclosed how that
information would be used, convincing the F.T.C. that formal regulation
would probably be necessary. 

For more than a year, the Clinton White House had been saying that
businesses using the Internet should be allowed to regulate themselves.  

"If there's ever an arena that should be market driven, this is it," Ira
Magaziner, President Clinton's adviser on Internet issues, said as the
White House announced its Internet policy last year. 

But while the White House was formulating this strategy, a few blocks away
at the F.T.C. -- an independent federal agency not beholden to the
administration -- agency officials were conducting hearings and workshops
on Internet privacy, listening to complaints from members of Congress and
interest groups. They were also installing up-to-date computer equipment so
the agency could carry out the Big Surf and add the Internet to the list of
business arenas subject to F.T.C. scrutiny and enforcement. 

Now, with results from the Big Surf and the industry's reaction to it in
hand, several senior F.T.C. officials said, the agency will give industry
just a few more months to respond to the recommendations in its report by
demonstrating that it is effectively regulating itself.  

Medine said he would expect the industry to conduct a survey like the Big
Surf and hand over the results. If, as most commission officials expect,
industry does not provide such proof, the F.T.C. will draft a bill calling
for clear Internet privacy standards and ask Congress to pass it.  

As an independent agency, the commission does not have to get permission
from the Clinton administration to do this. And, given Congress' repeated
statements of concern about Internet privacy, a bill would probably get the
votes needed to pass. 

"It's not our intention to over-regulate," said Jodie Bernstein, director
of the agency's consumer protection bureau. "We don't want to chill new
technologies." But, she added, Web sites must begin "telling consumers if
they are collecting personal information, what they are going to do with it
and how the consumers can get out of it, if they want to." 

Generally, that means posting a privacy statement that answers these
questions. But since the results of the Big Surf were published in June,
commission lawyers have begun to believe that some Web sites are actually
choosing not to post privacy statements.  

"There's now a perverse, reverse incentive," said Ori Lev, an F.T.C.
official involved in Internet enforcement. "If you don't post a privacy
policy, we can't go after you." 

That became clear last month, after the commission reached a settlement
with Geocities, a popular site on the World Wide Web that the commission
had accused of lying to its 2 million subscribers. The site offered a
privacy statement that promised not to give out personal information
collected during registration without permission. But the commission found
that Geocities was selling the information anyway. That supposed deception
was the basis for the government's case.  

If Geocities had not promised to keep the information private, then it
would probably not have run afoul of the F.T.C.. As a result, Medine said,
"clearly there are a lot of corporate lawyers advising their Web clients
not to do anything now" -- not to post a privacy statement or anything else. 

Connie LaMotta, a senior vice president with the Direct Marketing
Association, calls that idea nonsense. "It's a very bureaucratic way of
thinking," she said. "It's upside down. Businesses want to post privacy
statements to establish good customer relationships and customer service.
Industry is stepping up to the plate on this." 

Ms. LaMotta said she and others in the industry agreed with the F.T.C.'s
stated Internet privacy goals. But Ms. LaMotta added that she was certain
that businesses could accomplish the task on their own. "It's our
experience that, when you tap them on the shoulder, change happens. They
say: 'Oh, gosh. OK."' 

With just a few minutes' effort, most anyone can find a Web site that
collects personal information from visitors, in registration or order
forms, without disclosing how that information will be used. But how those
sites respond when asked about this can differ markedly. 

A site called Soccer Patch (www.soccerpatch.com) is a trading post for
soccer-playing children who want to trade team patches. It lists the names,
e-mail addresses and in some cases the hometowns of children who want to
trade patches. That is a red flag for F.T.C. enforcers. They worry that
child molesters can use the information to find victims.  

As soon as a reporter asked Philip Rubin, president of Edge of Chaos, the
company that manages the site, about this, he immediately promised to
change the policy. And a few days later, he did. 

"We now require all contributors to provide us with signed permission
letters before e-mail addresses/and or names can be posted," he said.
"Contributors under the age of 18 must provide a form signed by their
parents or guardians." And the Soccer Patch site posted the form so that it
can be printed out and mailed. 

Rosenthal Honda, a Washington area car dealer, had a different approach. 

The company, like many car dealers, posts a pre-qualification form for auto
loans, requesting a variety of personal information, including income, debt
load and the amount of rent or mortgage payments. Nowhere on the site does
the company say how that information will be used. And when asked about
that, the company issued a statement saying, "We will look at the issue
with our Web developer." 

Asked two weeks later what had come of this, Rosenthal Honda did not respond. 

F.T.C. officials say they are investigating other Web sites and will almost
certainly file charges against other companies, as the agency did with
Geocities. 

 Dean Forbes, 31, an F.T.C. lawyer,  found the Geocities problem and spends
most of his time working on  Internet privacy issues. 

 "Generally we get ideas from reading the trade press," he said, as well as
from "looking at who is linking up
with list brokers; we get tips from interest groups, usenet news group
postings -- and complaints." 

Forbes, for one, disagrees with the idea that a Web site can escape trouble
if it simply decides not to post a privacy policy. "If you don't make a
visible statement," he said, "that does not mean there isn't an implied
claim." 

But while his agency and the rest of the government figure out whether to
push for new rules on Web privacy, Forbes sees a bit of improvement on the
Web. 

"I'm not saying everything's great," he said. "But there is movement." 

 Copyright 1998 The New York Times Company
-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------




**********************************************
To subscribe or unsubscribe, email:
     majordomo@majordomo.pobox.com
with the message:
     (un)subscribe ignition-point email@address
**********************************************
www.telepath.com/believer
**********************************************