Forwarded From: phreak moi <hackereliteat_private> September 21, 1998 http://www.nytimes.com/library/tech/98/09/biztech/articles/21privacy.html F.T.C. 'Losing Patience' With Business on Web Privacy By JOEL BRINKLEY WASHINGTON -- After more than a year of heated debate within the government, the Federal Trade Commission has all but decided that it is going to part company with the Clinton administration over the contention that business can regulate itself when it comes to Internet privacy. "We are losing patience with self-regulation," David Medine, an associate director in the commission's Bureau of Consumer Protection, said in an interview, reflecting the larger agency opinion on this issue. "It's too bad, but I think industry has lost the opportunity to show that they will do it on their own." What was the last straw? Within the F.T.C., they called it "the Big Surf." >From all corners of the agency's headquarters in the spring, dozens of lawyers trooped to special training rooms equipped with personal computers and high-speed Internet connections. And for two weeks, they spent their days trolling the World Wide Web, searching for privacy problems. Their intention was to find Web sites that collected personal information from visitors but neglected to post any notice about how that information would be used. The presumption was that many of the companies sold the information -- some of it highly personal data on health, income and personal preferences -- to Internet-list brokers, merchants and advertisers. The "surfers" had no idea what they would find; no one had ever dedicated the time and manpower needed for this sort of targeted survey of the vast, tangled, largely unfathomable network that is the World Wide Web. But the Big Surf produced startling results published in a report this summer. More than 90 percent of the roughly 1,400 sites examined collected personal information from visitors, but only 14 percent of them disclosed how that information would be used, convincing the F.T.C. that formal regulation would probably be necessary. For more than a year, the Clinton White House had been saying that businesses using the Internet should be allowed to regulate themselves. "If there's ever an arena that should be market driven, this is it," Ira Magaziner, President Clinton's adviser on Internet issues, said as the White House announced its Internet policy last year. But while the White House was formulating this strategy, a few blocks away at the F.T.C. -- an independent federal agency not beholden to the administration -- agency officials were conducting hearings and workshops on Internet privacy, listening to complaints from members of Congress and interest groups. They were also installing up-to-date computer equipment so the agency could carry out the Big Surf and add the Internet to the list of business arenas subject to F.T.C. scrutiny and enforcement. Now, with results from the Big Surf and the industry's reaction to it in hand, several senior F.T.C. officials said, the agency will give industry just a few more months to respond to the recommendations in its report by demonstrating that it is effectively regulating itself. Medine said he would expect the industry to conduct a survey like the Big Surf and hand over the results. If, as most commission officials expect, industry does not provide such proof, the F.T.C. will draft a bill calling for clear Internet privacy standards and ask Congress to pass it. As an independent agency, the commission does not have to get permission from the Clinton administration to do this. And, given Congress' repeated statements of concern about Internet privacy, a bill would probably get the votes needed to pass. "It's not our intention to over-regulate," said Jodie Bernstein, director of the agency's consumer protection bureau. "We don't want to chill new technologies." But, she added, Web sites must begin "telling consumers if they are collecting personal information, what they are going to do with it and how the consumers can get out of it, if they want to." Generally, that means posting a privacy statement that answers these questions. But since the results of the Big Surf were published in June, commission lawyers have begun to believe that some Web sites are actually choosing not to post privacy statements. "There's now a perverse, reverse incentive," said Ori Lev, an F.T.C. official involved in Internet enforcement. "If you don't post a privacy policy, we can't go after you." That became clear last month, after the commission reached a settlement with Geocities, a popular site on the World Wide Web that the commission had accused of lying to its 2 million subscribers. The site offered a privacy statement that promised not to give out personal information collected during registration without permission. But the commission found that Geocities was selling the information anyway. That supposed deception was the basis for the government's case. If Geocities had not promised to keep the information private, then it would probably not have run afoul of the F.T.C.. As a result, Medine said, "clearly there are a lot of corporate lawyers advising their Web clients not to do anything now" -- not to post a privacy statement or anything else. Connie LaMotta, a senior vice president with the Direct Marketing Association, calls that idea nonsense. "It's a very bureaucratic way of thinking," she said. "It's upside down. Businesses want to post privacy statements to establish good customer relationships and customer service. Industry is stepping up to the plate on this." Ms. LaMotta said she and others in the industry agreed with the F.T.C.'s stated Internet privacy goals. But Ms. LaMotta added that she was certain that businesses could accomplish the task on their own. "It's our experience that, when you tap them on the shoulder, change happens. They say: 'Oh, gosh. OK."' With just a few minutes' effort, most anyone can find a Web site that collects personal information from visitors, in registration or order forms, without disclosing how that information will be used. But how those sites respond when asked about this can differ markedly. A site called Soccer Patch (www.soccerpatch.com) is a trading post for soccer-playing children who want to trade team patches. It lists the names, e-mail addresses and in some cases the hometowns of children who want to trade patches. That is a red flag for F.T.C. enforcers. They worry that child molesters can use the information to find victims. As soon as a reporter asked Philip Rubin, president of Edge of Chaos, the company that manages the site, about this, he immediately promised to change the policy. And a few days later, he did. "We now require all contributors to provide us with signed permission letters before e-mail addresses/and or names can be posted," he said. "Contributors under the age of 18 must provide a form signed by their parents or guardians." And the Soccer Patch site posted the form so that it can be printed out and mailed. Rosenthal Honda, a Washington area car dealer, had a different approach. The company, like many car dealers, posts a pre-qualification form for auto loans, requesting a variety of personal information, including income, debt load and the amount of rent or mortgage payments. Nowhere on the site does the company say how that information will be used. And when asked about that, the company issued a statement saying, "We will look at the issue with our Web developer." Asked two weeks later what had come of this, Rosenthal Honda did not respond. F.T.C. officials say they are investigating other Web sites and will almost certainly file charges against other companies, as the agency did with Geocities. Dean Forbes, 31, an F.T.C. lawyer, found the Geocities problem and spends most of his time working on Internet privacy issues. "Generally we get ideas from reading the trade press," he said, as well as from "looking at who is linking up with list brokers; we get tips from interest groups, usenet news group postings -- and complaints." Forbes, for one, disagrees with the idea that a Web site can escape trouble if it simply decides not to post a privacy policy. "If you don't make a visible statement," he said, "that does not mean there isn't an implied claim." But while his agency and the rest of the government figure out whether to push for new rules on Web privacy, Forbes sees a bit of improvement on the Web. "I'm not saying everything's great," he said. "But there is movement." -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:06 PDT