[ISN] FTC Losing Patience with Business on Web Privacy

From: mea culpa (jerichoat_private)
Date: Mon Sep 21 1998 - 16:29:26 PDT

  • Next message: mea culpa: "[ISN] Computer hackers led police to child pornography suspect"

    Forwarded From: phreak moi <hackereliteat_private>
    
    
    September 21, 1998
    http://www.nytimes.com/library/tech/98/09/biztech/articles/21privacy.html
    
    F.T.C. 'Losing Patience' With Business on Web Privacy
    By JOEL BRINKLEY
    
    WASHINGTON -- After more than a year of heated debate within the
    government, the Federal Trade Commission has all but decided that it is
    going to part company with the Clinton administration over the contention
    that business can regulate itself when it comes to Internet privacy. 
    
    "We are losing patience with self-regulation," David Medine, an associate
    director in the commission's Bureau of Consumer Protection, said in an
    interview, reflecting the larger agency opinion on this issue.  "It's too
    bad, but I think industry has lost the opportunity to show that they will
    do it on their own." 
    
    What was the last straw? Within the F.T.C., they called it "the Big Surf." 
    >From all corners of the agency's headquarters in the spring, dozens of
    lawyers trooped to special training rooms equipped with personal computers
    and high-speed Internet connections. And for two weeks, they spent their
    days trolling the World Wide Web, searching for privacy problems. 
    
    Their intention was to find Web sites that collected personal information
    from visitors but neglected to post any notice about how that information
    would be used. The presumption was that many of the companies sold the
    information -- some of it highly personal data on health, income and
    personal preferences -- to Internet-list brokers, merchants and
    advertisers. 
    
    The "surfers" had no idea what they would find; no one had ever dedicated
    the time and manpower needed for this sort of targeted survey of the vast,
    tangled, largely unfathomable network that is the World Wide Web. But the
    Big Surf produced startling results published in a report this summer.
    More than 90 percent of the roughly 1,400 sites examined collected
    personal information from visitors, but only 14 percent of them disclosed
    how that information would be used, convincing the F.T.C.  that formal
    regulation would probably be necessary. 
    
    For more than a year, the Clinton White House had been saying that
    businesses using the Internet should be allowed to regulate themselves. 
    
    "If there's ever an arena that should be market driven, this is it," Ira
    Magaziner, President Clinton's adviser on Internet issues, said as the
    White House announced its Internet policy last year. 
    
    But while the White House was formulating this strategy, a few blocks away
    at the F.T.C. -- an independent federal agency not beholden to the
    administration -- agency officials were conducting hearings and workshops
    on Internet privacy, listening to complaints from members of Congress and
    interest groups. They were also installing up-to-date computer equipment
    so the agency could carry out the Big Surf and add the Internet to the
    list of business arenas subject to F.T.C. scrutiny and enforcement. 
    
    Now, with results from the Big Surf and the industry's reaction to it in
    hand, several senior F.T.C. officials said, the agency will give industry
    just a few more months to respond to the recommendations in its report by
    demonstrating that it is effectively regulating itself. 
    
    Medine said he would expect the industry to conduct a survey like the Big
    Surf and hand over the results. If, as most commission officials expect,
    industry does not provide such proof, the F.T.C. will draft a bill calling
    for clear Internet privacy standards and ask Congress to pass it. 
    
    As an independent agency, the commission does not have to get permission
    from the Clinton administration to do this. And, given Congress' repeated
    statements of concern about Internet privacy, a bill would probably get
    the votes needed to pass. 
    
    "It's not our intention to over-regulate," said Jodie Bernstein, director
    of the agency's consumer protection bureau. "We don't want to chill new
    technologies." But, she added, Web sites must begin "telling consumers if
    they are collecting personal information, what they are going to do with
    it and how the consumers can get out of it, if they want to." 
    
    Generally, that means posting a privacy statement that answers these
    questions. But since the results of the Big Surf were published in June,
    commission lawyers have begun to believe that some Web sites are actually
    choosing not to post privacy statements. 
    
    "There's now a perverse, reverse incentive," said Ori Lev, an F.T.C. 
    official involved in Internet enforcement. "If you don't post a privacy
    policy, we can't go after you." 
    
    That became clear last month, after the commission reached a settlement
    with Geocities, a popular site on the World Wide Web that the commission
    had accused of lying to its 2 million subscribers. The site offered a
    privacy statement that promised not to give out personal information
    collected during registration without permission. But the commission found
    that Geocities was selling the information anyway.  That supposed
    deception was the basis for the government's case. 
    
    If Geocities had not promised to keep the information private, then it
    would probably not have run afoul of the F.T.C.. As a result, Medine said,
    "clearly there are a lot of corporate lawyers advising their Web clients
    not to do anything now" -- not to post a privacy statement or anything
    else. 
    
    Connie LaMotta, a senior vice president with the Direct Marketing
    Association, calls that idea nonsense. "It's a very bureaucratic way of
    thinking," she said. "It's upside down.  Businesses want to post privacy
    statements to establish good customer relationships and customer service.
    Industry is stepping up to the plate on this." 
    
    Ms. LaMotta said she and others in the industry agreed with the F.T.C.'s
    stated Internet privacy goals. But Ms. LaMotta added that she was certain
    that businesses could accomplish the task on their own. "It's our
    experience that, when you tap them on the shoulder, change happens. They
    say: 'Oh, gosh. OK."'
    
    With just a few minutes' effort, most anyone can find a Web site that
    collects personal information from visitors, in registration or order
    forms, without disclosing how that information will be used. But how those
    sites respond when asked about this can differ markedly. 
    
    A site called Soccer Patch (www.soccerpatch.com) is a trading post for
    soccer-playing children who want to trade team patches. It lists the
    names, e-mail addresses and in some cases the hometowns of children who
    want to trade patches. That is a red flag for F.T.C. enforcers. They worry
    that child molesters can use the information to find victims. 
    
    As soon as a reporter asked Philip Rubin, president of Edge of Chaos, the
    company that manages the site, about this, he immediately promised to
    change the policy. And a few days later, he did. 
    
    "We now require all contributors to provide us with signed permission
    letters before e-mail addresses/and or names can be posted," he said.
    "Contributors under the age of 18 must provide a form signed by their
    parents or guardians." And the Soccer Patch site posted the form so that
    it can be printed out and mailed. 
    
    Rosenthal Honda, a Washington area car dealer, had a different approach. 
    
    The company, like many car dealers, posts a pre-qualification form for
    auto loans, requesting a variety of personal information, including
    income, debt load and the amount of rent or mortgage payments. Nowhere on
    the site does the company say how that information will be used. And when
    asked about that, the company issued a statement saying, "We will look at
    the issue with our Web developer." 
    
    Asked two weeks later what had come of this, Rosenthal Honda did not
    respond. 
    
    F.T.C. officials say they are investigating other Web sites and will
    almost certainly file charges against other companies, as the agency did
    with Geocities. 
    
    Dean Forbes, 31, an F.T.C. lawyer, found the Geocities problem and spends
    most of his time working on Internet privacy issues. 
    
    "Generally we get ideas from reading the trade press," he said, as well as
    from "looking at who is linking up with list brokers; we get tips from
    interest groups, usenet news group postings -- and complaints." 
    
    Forbes, for one, disagrees with the idea that a Web site can escape
    trouble if it simply decides not to post a privacy policy. "If you don't
    make a visible statement," he said, "that does not mean there isn't an
    implied claim." 
    
    But while his agency and the rest of the government figure out whether to
    push for new rules on Web privacy, Forbes sees a bit of improvement on the
    Web. 
    
    "I'm not saying everything's great," he said. "But there is movement." 
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:06 PDT