FTC: Consumer Privacy Comments Concerning The Consumer Union Publisher of Consumer Reports--P954807

 

Consumers Union
Publisher of Consumer Reports

April 15, 1997

CONSUMER PRIVACY 1997
Comments and Request to Testify
P954807

Secretary,
U.S. Federal Trade Commission
Room H159
6th Street and Pennsylvania Avenue
NW Washington, DC 20580

These are comments and a request to testify, submitted by Consumers Union of U.S., Inc. in the above-captioned matter. Resumes of the two suggested witnesses are attached.

Consumers Union (CU) addresses some of the issues that are the subject of the Commission's inquiry in two articles in the just-published May 1997 issue of Consumer Reports. Attached for the record are copies of the articles "Is Your Kid Caught Up In the Web?" and "Is Your Computer Spying On You," both of which appear in that issue.

The first of these two articles reflects CU testing and evaluation of parental control computer software. In addition to the information contained in the article, the CU editor who prepared this article will soon conduct additional tests and evaluation of these software packages to determine whether they prevent children from providing their name, telephone number and/or address over the telephone and to determine whether they perform as claimed in their advertising and/or on their packaging. The second of these articles addresses the issue of the undisclosed commercial capture of information about visitors to popular internet web sites and the lack of control that such persons may have over the capture and use of this information.

We request that the editor of these two articles, Jeffrey Fox, an Assistant Editor of Consumer Reports, be listed to testify at the scheduled June hearings to address issues related to sessions 2 and 3 of the hearings.

Further, CU is conducting a survey on children and the internet for a fall issue of our children's magazine, Zillions. This survey, its analysis and the resulting editorial material will be prepared under the direction of Charlotte Baecher, Consumers Union's Education Director. We request that she be listed to testify at the June hearings to address issues related to session 3 of the hearings.

Respectfully submitted,

Mark Silbergeld
Co-Director
Washington Office


Consumers Union
Publisher of Consumer Reports

Prepared by
Jeffrey Fox
Assistant Editor, Consumer Reports
Published by Consumers Union [1]

Blocking software and children's online privacy
June 10, 1997

Various technologies are being considered to protect the growing number of children who go online. One already in the marketplace is blocking software (also known as filtering software) designed to let parents control their children's online activities. We know of at least 11 such products.

These products' features, which vary from brand to brand, include the ability to prevent access to inappropriate Web sites, discussion groups, and chat rooms, as well as to certain software and data files; limit the time spent online; and monitor online activities by keeping a detailed log, called an audit trail, of kids' online activities.

In our recent report, Is Your Kid Caught Up in the Web? (Consumer Reports, May 1997, p. 27), we tested four well-known products' ability to block access to inappropriate Web sites. We found none of them to be totally effective in blocking such access and concluded that a determined, computer-savvy child might very well be able to circumvent them.


[1] Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health, and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union's income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on Consumers Union's own product testing, Consumer Reports, with approximately 5 million paid circulation, regularly carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's publications carry no advertising and receive no commercial support.


101 Truman Avenue Yonkers, New York, 10703-1057 (914) 378-2000 Fax (914) 378-2900


To protect privacy, some blocking products are also designed to prevent a child from disclosing his or her name, address, and other personal information online. To use this feature, a parent enters into the software any name, address, or other phrase they don't want their child sending out of the home. When a child tries to send a prohibited word, the software removes it or replaces it with meaningless characters. At the parent's option, the software may also issue a warning or shut down the application the child was running.

To see how much protection the privacy feature actually offers, we installed and tested three well-known products that have it: Cyber Patrol, Cybersitter, and Net Nanny.

Overview of the privacy feature test conditions:

  • All tests were on computers running Windows 95, with a standard dial-up connection to an Internet service provider.
  • Software versions were the latest we could obtain: Cyber Patrol version 3.3, Cybersitter version 2.12, Net Nanny version 3.1.
  • We tested only e-mail access (via a popular e-mail package) and Web access (via current versions of Netscape Navigator and Microsoft Internet Explorer). We set these limits partly because of time constraints, but mainly because we are concerned over the commercial collection of personal information on Web sites. (One third of children online frequent commercial Web sites, according to the attached ZILLIONS survey results).
  • Although we didn't test the blocking of chat rooms, our conclusions below do address the issue of protecting privacy in Internet chat rooms.

Overview of test methods:

  • For each product, we set up a prohibited name, address, and telephone number to block.
  • While each product was active, we tried various ways to transmit the exact prohibited name and address via e-mail and on the Web via a browser. We refer to these below as "undisguised name and address."
  • We tried various ways to transmit thinly disguised but still recognizable variations of the prohibited name and address. (We disguised the name and address by transposing characters, such as disguising Metropolis as "Metorpolis," or inserting a stray letter or number, as in "Metroppolis.")
  • We limited ourselves to methods available to anyone who can use a word processor or e-mail program. We didn't try anything that required sophisticated knowledge of computers or computer programming.

Overall privacy test results:

  • Only Cybersitter withstood most of our attempts to transmit an undisguised name and address.
  • Cyber Patrol and Net Nanny could readily be defeated, even using an undisguised name, because those products appear to monitor the keyboard or display rather than what's actually being transmitted to the Internet. We believe that a computer-savvy child could defeat either program.
  • All three products were quite vulnerable to a thinly disguised name and address. We were able to get a recognizable name and address past any of them into a Web site or out via e-mail. For example, when we blocked the name "Lana Lang," even Cybersitter let us come within a mouse click of actually ordering merchandise from Amazon Books (www.amazon.com) when we inserted a period into her name: "Lana.Lang"
  • None of these products guards against a child giving out personal information via check boxes or multiple choice menus on a Web site.
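
The thin disguises reported above, shown against two matching strategies. This is an added example, not part of the Consumers Union submission and not any vendor's code: `exact_filter` is an assumed model of literal phrase matching, `fuzzy_filter` is a hypothetical hardening, and the sample messages are constructed from the names quoted in the report.

```python
import re

def normalize(text):
    """Lower-case and keep only letters and digits, so 'Lana.Lang' -> 'lanalang'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "or" typed for "ro".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def exact_filter(outgoing, phrases):
    """Assumed baseline: case-insensitive match on the phrase exactly as the parent typed it."""
    low = outgoing.lower()
    return [p for p in phrases if p.lower() in low]

def fuzzy_filter(outgoing, phrases, max_edits=1, min_len=6):
    """Match on normalized text, tolerating up to max_edits edits per phrase."""
    stream = normalize(outgoing)
    hits = []
    for phrase in phrases:
        target = normalize(phrase)
        # Short phrases get no edit tolerance, to limit false positives.
        budget = max_edits if len(target) >= min_len else 0
        widths = range(max(1, len(target) - budget), len(target) + budget + 1)
        if any(osa_distance(stream[i:i + w], target) <= budget
               for w in widths
               for i in range(len(stream) - w + 1)):
            hits.append(phrase)
    return hits

# Constructed sample data; the names and disguises are the ones quoted in the report.
PROHIBITED = ["Lana Lang", "Metropolis"]
SAMPLES = [
    "Ship to Lana Lang, Metropolis",   # undisguised
    "Name: Lana.Lang",                 # period inserted
    "City: Metorpolis",                # characters transposed
    "City: Metroppolis",               # stray letter inserted
    "Meet me at the metro station",    # harmless text, should pass
]

def compare(samples=SAMPLES, phrases=PROHIBITED):
    """Return (message, exact hits, fuzzy hits) for each sample message."""
    return [(s, exact_filter(s, phrases), fuzzy_filter(s, phrases)) for s in samples]

if __name__ == "__main__":
    for text, exact, fuzzy in compare():
        print(f"{text!r}: exact={exact} fuzzy={fuzzy}")
```

Matching of this kind only helps on text the filter can actually read; the encrypted sessions and attached word-processing files discussed in this report stay outside its view.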

Conclusions on blocking software:

  • None of these three products ensures privacy when accessing the Web or sending e-mail.
  • Blocking software can be useful as a deterrent to children, but it shouldn't be relied on to protect their privacy.
  • Parents' use of these products doesn't relieve companies doing business on the Internet from the responsibility of respecting children's privacy any more than using a child safety seat eliminates the need to drive safely.
  • There is a continuing need for the FTC to scrutinize commercial treatment of children's privacy online and act, where necessary, to ensure that business lives up to its responsibility.
  • Some blocking techniques are stronger than others:
      • Monitoring what actually gets sent to the Net, as Cybersitter appears to do, is the best method, because it controls what actually goes "out the door."
      • Monitoring the computer's keyboard or video display, as Cyber Patrol and Net Nanny appear to do, is weaker. We were able to defeat Cyber Patrol with as simple a technique as cutting and pasting and Net Nanny by renaming our browser.
  • Even the best blocking technique, monitoring outgoing transmissions, is vulnerable:
      • Names and addresses sent out to the Net are sometimes encrypted. For example, when we sent an undisguised name and address to Amazon Books' Web site using Amazon's "secure server" connection (which tells the browser to encrypt the name and address before they are sent to keep the transaction private), even Cybersitter didn't block them.
      • Names and addresses may be contained in a data file that the blocking software can't decipher. For example, when we typed an undisguised name and address into a word processing document and attached it to an outgoing e-mail, Cybersitter failed to block it, apparently because it couldn't decipher the word processing file's format.
  • We doubt there is any foolproof way, short of blocking Internet chat rooms altogether, that blocking software can prevent a determined child from communicating a name and address within a chat room. There are simply too many ways to communicate, such as spelling out a name or address letter by letter.
  • The makers of these three blocking products show questionable judgment about what's suitable for children. As of late May, five weeks after our May report alerted them that they weren't blocking access to graphic and inappropriate photographs on a particular Web site, none of the three companies have acted to shield their young users from those photos.

Notes on individual products:
Cybersitter

  • Uses the best blocking technology; appears to monitor what's actually sent to the Net.
  • Has a "context sensitive" feature to monitor combinations of names, addresses, and sentences.
  • Lets parent monitor child's activities through a log or audit trail; may be useful for enforcing an "honor system."
  • Won't block encrypted data or word-processing files attached to e-mail.
  • Won't catch a number of simple disguises, such as inserting a period into a name or address.

Cyber Patrol

  • Relies on monitoring the keyboard.
  • Lets a parent block fewer than 50 phrases or variations in spelling.
  • We found four ways to enter an undisguised name.

Net Nanny

  • Appears to rely on monitoring what's displayed on the screen.
  • Lets a parent define hundreds of prohibited phrases.
  • Lets parent monitor child's activities through a log or audit trail; may be useful for enforcing an "honor system."
  • We found two ways to transmit an undisguised name.

Zillions
CONSUMER REPORTS FOR KIDS

Prepared by
Charlotte M. Baecher
Editor, Zillions Magazine
Director, Education Services,
Consumers Union

KIDS' INTERNET EXPERIENCES
A ZILLIONS* Survey of Kids 9 to 14

June 10, 1997

Overview:
This survey was not designed to gather information for the FTC Internet privacy workshop. Its purpose was to gather information for a Zillions article on its readers' online experiences (e.g., how many readers go online at home, where they go, problems they encounter). It did not ask about kids' information-giving practices or other privacy concerns. We are presenting this survey's findings at this workshop because they reflect some disturbing problems kids are encountering in cyberspace, as well as limitations of blocking software as a "solution." Survey results also indicate the need for ongoing and expanded monitoring of kids' experiences in cyberspace.

* ZILLIONS is a bi-monthly magazine for kids 9 to 14, from Consumers Union (CU), publisher of Consumer Reports. CU is a nonprofit organization. Its publications carry no outside advertising. Results of this survey will be published in the September/October 1997 issue of ZILLIONS.

Summary

This survey was designed as a "tag-along" survey to accompany the Nov./Dec. 1998 Zillions readership survey, which was mailed on Nov. 4, 1996 to a sample of 1,200 Zillions subscribers. (Parents were informed by postcard one week before the survey mailed. The children's anonymity was strictly protected: The survey did not ask for their names or addresses.) Kids were asked whether they had gone online; if so, how they had accessed the Internet, what they did, where they went, what they enjoyed. In addition to asking about phone lines and sharing computer time, it asked about blocking software, parental restrictions, and problems "with other users." If kids had problems with other users, they were asked to explain in their own words, which were later transcribed.

  • Survey response rate was 53%; roughly an equal number of boys and girls replied. The median age was 12.
  • About half of the survey respondents - a total of 320 kids - had gone online from home over the past year (47% of 9- to 11-year-olds; 58% of 12- to 14-year-olds).
  • In the seven days prior to the survey, 51% of the 320 kids who'd gone online used e-mail. The next most-frequent activity was downloading material (37%). About 1 of every 3 kids visited chat rooms, product/company Web Sites, news or educational Web sites, or played online games.
  • Respondents liked e-mail and chat rooms the most, closely followed by online games.
  • More than 3 out of 10 kids reported having problems with other users either often (7%) or occasionally (25%), and those problems ran from efforts to steal passwords to profanity (in chat rooms) and pornography.

Survey Findings:
(1) Kids are experiencing problems online.

More than 90 kids - nearly one-third of those who went online - had problems with other users often or occasionally.

While most problems had to do with stealing passwords and profanity, several were disturbing indicators of inappropriate advances to kids on the Internet. Here are descriptions of some problems, in the kids' own words:

Password stealing:

"I've had a big problem with people trying to get my password." (boy, 12)

"One user said they were AOL staff and asked for my password and I gave it to them ... and it cost us a lot of money." (boy, 14)

"A guy said he could give me a fake I.D. if I'd give him my password." (no info)

"Someone got my password somehow and charged $500 in time to our account." (girl, 14)

"About 6 months ago someone got a hold of my password and charged around $200, then changed it so we couldn't go on. Occasionally someone will try to harass me, so I just sign off." (girl, 13)

"Someone almost tricked me to telling my password, but a friend told me not to!" (girl, 11)

(Total of 18 password-stealing complaints)

Profanity (in chat rooms):

"I generally hang out in Christian chat rooms and because it's Christian, people come in with porno stuff and use bad language." (girl, 13)

"We were checking out a chat room and they were swearing and talking about drugs." (boy, 11)

"Almost every time I go online, there is always a few bad people in my chat room. They type in swears, and say bad things about people, and disgusting things that aren't true." (no info)

(Total of 29 profanity complaints)

Inappropriate advances to kids:

"Sometimes I get an Instant Message with people asking me for my password, address, and phone number." (girl, 12)

"Some people just get a bit annoying and won't bug off until you leave, and then they e-mail you." (girl, 11)

"How many times do I have to tell an 11 yr. old guy I don't want to give my phone number out???" (girl, 15)

"Guys come on and bug me.... And my parents didn't want me online because I was talking to a boy who's 'not quite a pimp yet.'" (girl, 15)

"I had my e-mail address visible in my profile. Someone sent me a lot of pictures of little kids naked, or performing sexual acts. I got over 100 pictures! I deleted them, but it was gross" (boy, 15)

"Once I got an e-mail from an agent-person, but it probably was just a joke." (no info)

"Adults in children's chat rooms." (no info)

"An older man tried to ask me on a date." (girl, 10)

"One person was asking me sexual stuff about different sexes and he was also using vulgar language." (boy, 12)

"Adults going into Kids Only chat rooms." (info not given)

"People send promiscious (sic) questions or messages." (girl, 15)

"They swear and look for dates." (girl, 11)

(Total 12 potential-predator complaints)

(2) Kids are visiting commercial sites quite frequently.

Visiting product/company Web Sites was reported by 33% of the Internet-users over the seven days before the survey. Although we did not ask about individual sites or what kids did there, we do know kids are attracted to commercial sites.

(3) Blocking software had no impact on whether a kid experienced problems with other online users.

There was no correlation in our survey between the reported presence of blocking software on respondents' computers (and/or parental restrictions on sites they could visit) and respondents who said they had problems with other users. The user-problems cited underscore the fact that people online are able to locate and target kids on the Internet.

(4) Blocking software was not widely used.

While 60% of respondents reported parental restrictions ("sites your parents won't let you visit"), only 20% said there was blocking software on their computers at home. The survey subjects were Zillions subscribers, not kids in general. As magazine subscribers, they typically come from higher-income, better educated homes than the population at large. One would expect such homes to demonstrate higher-than-average parental supervision and restrictions, and greater likelihood of being able to afford and install blocking software. The fact that only 20% reported blocking software indicates minimal implementation.

Market Research Findings

Blocking software is not widely available in stores.
In a separate study to determine blocking-software availability, we had shoppers in California, Oregon, Texas, and Illinois visit local computer shops, as well as chain stores like CompUSA, and ask if they had any Internet Filtering/Blocking software. If stores didn't know blocking-software titles, shoppers mentioned Cyber Patrol, Cybersitter, Net Nanny, and Surf Watch.

Of the 10 stores in Burbank/Glendale/Los Angeles, California, nine didn't have any of the programs available. One store carried Net Nanny. Seven of the 11 stores in Tigard/Lake Oswego/Portland, Oregon, didn't have any of the programs. The remaining four carried Microsoft Plus! for Kids. None of the 11 stores in Richland Hills/Southlake/Grapevine/Arlington, Texas, carried any of the programs (three used to, but had been out of stock for several months). The Texas shopper called an additional 10 software/computer companies listed in the Yellow Pages, but none of them had any of the programs, either. Finally, none of the 15 stores visited in Schaumburg/Arlington Heights/Rolling Meadows/Mount Prospect, Illinois, carried any of the products. Most of those stores could not suggest an alternative, nor could they special order the software.

To sum up: Of the 47 stores visited, only five carried blocking software - four of them in Oregon. The four programs we shopped for are available for downloading via the Web. Cyber Patrol is available free as a download to subscribers of AOL, Compuserve, and Prodigy; the other three are available for purchase. Judging from the fact that blocking software was not reported by 80% of the kids in our survey, it is not being widely used. Whether parents are more comfortable purchasing blocking software from a store (where they get a diskette and printed documentation), or whether they are uncomfortable purchasing online, dissemination of blocking software to date appears to be inadequate.

CONCLUSIONS AND RECOMMENDATIONS:

The disturbing problems Zillions readers reported with other online users indicate that there is still much to be done to make cyberspace safe for children. Reported attempts to steal kids' passwords and send them pornographic messages underline the need for continued vigilance and action by law enforcement agencies.

CU's research to date has focused on kids' cyberspace experiences and whether software adequately blocks online requests for personal information from kids. This research addresses only part of the issue of online privacy and kids, but it raises real concerns about problems kids are encountering online and the adequacy of blocking software as a solution.

When addressing online privacy protections for kids, a number of concerns come into play. Children can't be expected to have the experience or maturity to know when inquiries are inappropriate, what the consequences of giving out information may be, and what problems and dangers may lurk in seemingly innocent online activities. Children are open and impressionable, likely to enjoy online interactions without critical judgment - to enjoy fun animals, for instance, whether they're at a nature Web site or one sponsored by a brewery. Because this new medium can "narrowcast" rather than broadcast, and because it can exploit information kids give and make adult supervision difficult, children need special protections. Lines need to be drawn for children where they might not be for adults.

The fundamental protection needed would prevent the online collection of personal information about any child (without a parent's prior informed permission), and use of it to go back to that child with "tailored" information or solicitations of any kind. Targeting children in this way takes unfair advantage of their fascination with computers and getting mail (and probably also counts on their lack of critical judgment).

Online protection for kids needs to:

  • Be based on the conviction that Web sites (and all online destinations) for kids should meet higher standards than those aimed at adults, and should not exploit kids' inexperience and vulnerabilities.
  • Be widely available and easily implemented, applicable even in homes where adults are not "computer literate."
  • Not put an undue burden on parents. Nor should it rely solely on parental action. Otherwise, it would only protect children of more educated, vigilant parents, leaving millions of children unprotected.
  • Not rely on having kids get parental permission. Web sites need a fool-proof way to communicate directly with a parent.
  • Provide parents with full disclosure of how the information about their child will be used, including potential sale of lists. It's unrealistic to assume parents know the various uses to which their kids' personal information will be put.
  • Not penalize children who refuse to give personal information (or are prevented from doing so) by barring access to otherwise appropriate Web sites. A system that overly restricts Internet access or makes it inconvenient and frustrating will penalize the user, and not be a fair solution.

Children are a special audience. Protecting their privacy online requires all players to put children's interests ahead of marketing interests. This may make finding a "market solution" more difficult, and puts responsibility on the FTC to make sure that children are truly protected.