COMMENTS OF JUNKBUSTERS CONCERING CONSUMER ON-LINE PRIVACY-P954807
14 April 1997
Consumer Privacy 1997 -- Request to Participate, P954807
This is our company's request to participate Session Two in the Commission's Consumer Privacy Workshop. We are not requesting participation in Session Three. Information about our company is given in our Comments (attached).
If invited I would attend personally. Here is a brief biography.
I believe I would be a productive participant because my areas of expertise coincide with the workshop's topics: privacy, databases, data analysis, Web technology, privacy-enhancing software, and procedures for preserving privacy and eliminating unwanted communications.
Email: firstname.lastname@example.org Telephone: +1 281 537 4747
14 April 1997
Consumer Privacy 1997 -- Comment, P954807
We submit the attached comments in response to the Commission's invitation to comment.
In addition to the six paper copies we enclose a diskette containing versions in both and plain text format (file name: FTC.TXT) and HTML (file name: FTC.HTM). Other pages in HTML are included on the diskette, because the submission contains links to some pages (particularly LINKS.HTM). The submission is best viewed using a web browser for this reason. The text is also available on the Web at http://www.junkbusters.com/ht/en/ftc.html
Pursuant to point 6 of the Commission's criteria we designate Ram Avrahami and Russ Smith as parties sharing group interests with us.
Consumer Privacy 1997 -- Comment, P954807
Background about Junkbusters
JUNKBUSTERS is a privately-held Delaware-registered for-profit corporation whose mission is to free consumers from junk communications of all kinds. Our web site (junkbusters.com) is visited by tens of thousands of people per month, despite the fact that we do not advertise. Since its opening in August, the site has been featured in dozens of newspapers, magazines and other media organizations. The LA Times described it as a magnet for activists on the issue of junk email. Hundreds of individuals and organizations on the Web have linked to its pages. Each day visitors send Junkbusters email telling us how happy they are to find an organization dedicated to giving them individualized services to help them preserve their privacy; one thanked us for providing "one-stop shopping" for dejunking. Many express anger and frustration that they had suffered for so long because they lacked effective means to deal with junk and threats to their privacy.
In addition to publishing extensive and detailed information on how to stop all kinds of unwanted communications and disclosures, Junkbusters provides free individualized services and configurable software to help consumers regain their privacy. All these are free of charge.
The Internet Junkbuster (TM) allows users to control commercial communications to their web browser. It provides for selective blocking of ads, sites, cookies and the disclosure of sensitive information such as the email address and hardware/software configuration of the user's computer. Several thousand copies have been downloaded from Junkbusters' site, but the number in use is probably much larger because it is also distributed through many mirror sites around the world, and everyone is permitted to give copies to others under a very liberal license.
Junkbusters' flagship service, Junkbusters Declare (SM) allows consumers to state (in as much or as little detail as they want) exactly what kind of organizations they allow or encourage to send them mail. Some consumers publish the detailed "No solicitations" sign it produces on their home pages on the Web. These notices also state that they don't want their name sold without consent. The service also drafts opt-out letters for printing and mailing to direct marketers. Thousands of these letters have been generated and presumably mailed.
Junkbusters' service to deter junk email, JUNKBUSTERS SPAMOFF, builds a personalized "No email solicitations" notice that can be published on home pages, Part of this is a strongly-worded reply that can be sent to spammers, saying that they will have to pay $10 for each further piece of spam. It has become one of the most popular ways of fighting spam and is discussed favorably in many current articles on Usenet.
Junkbusters' alerts on cookies and other Web surveillance technologies include interactive tests that consumers can perform to assess what information is being disclosed by their particular computing environment. Many are shocked to find that their ISP is making their email address available to companies every time they click on a new page.
Junkbusters' goal is to be the leading consumer privacy resource on the Internet. Its rapid success can be taken as an indication of frustrated consumer demand for privacy.
This submission has benefited from discussions with many people, including Ram Avrahami, Robert Bulmash of Private Citizen, Julian Byrne, Pat Fahey of the Direct Marketing Association, Russ Smith, and consumers who have provided feedback to Junkbusters. This is not a claim to endorsement by any of these individuals or organizations; any shortcomings of this submission are the exclusive responsibility of Junkbusters.
P974806 http://www.junkbusters.com/ftc.html GPL and Copyright 1997 Junkbusters Corp.
2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information?
The basic information such as IP addresses that are routinely logged by Web sites is well known; see for example Russ Smith's submission for details. This information has numerous legitimate uses in the maintenance and development of a site. Few individuals have "static" IP address used exclusively by them over a prolonged period. Cookies tag a user's browser, and are usually associated with an individual. If an individual's identity becomes known to a web server, all cookie-tagged transactions in the past and future can be related to that individual.
We have been alerting consumers to the possibilities that web organizations may be "synchronizing" cookies once a user's identity becomes known to a single company with a cookies set, it is technically possible for any of the others to discover identity with every visit to their sites. We know of no organization that currently admits to doing this, but many have the means and a strong economic incentive to do so, so we expect it is already happening or will be soon.
2.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate, personal information important for marketing online and for market research? What privacy concerns, if any, are raised by the collection or use of aggregate personal information in this context?
In general, the more detailed information marketers can get, the better. As pointed out in the Jan/Feb Harvard Business Review, "Companies today have every incentive to overinvest in collecting information about their customers and to underinvest in using it." The marginal cost of processing and storing additional information is so low that the breakeven point where additional information would not be useful is way beyond what most people would consider acceptable.
However, (the claim made by some Web advertisers that their economic viability depends on cookies is not persuasive) As counter-evidence one advertiser, Web-Connect, which is owned by a list broker, argues that cookies are unnecessary and often counterproductive in targeting.
Certain statistical techniques can often be used to extract individual information from apparently aggregated information. The U.S. Census uses sophisticated methods to alter aggregated information to thwart this; we are unaware of the extent to which these methods are used or even known to information vendors.
2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context?
They are qualitatively the same as in the broader context discussed in our answer to Questions 1.7 and subsequent questions. The Web is simply another medium of information distribution and gathering; (it differs quantitatively because the volumes are so high and the costs so low).
2.4 What surveys, other research, or quantitative or empirical data exist about consumers' perceptions, knowledge and expectations regarding (1) whether their personal information is being or should be collected by Web site operators and tile extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of this information; (3) appropriate uses of such information; and (4) whether certain categories of information should never be collected or disclosed to others?
The GVU's 6th WWW User Survey has considerable data on these questions. It indicates for example that some 80% of people are unaware of what cookies do, and wouldn't want them if they had a choice. They also concluded firmly: "The notion that people like to receive targeted marketing material is not supported by the data." Responses also indicated that very few consumers believe that sites ought to have the right to sell data collected. Their findings are consonant with the following conclusion from the 1996 Equifax/Harris Consumer Privacy Survey: "The majority of the public (64%) disagree that providers of on-line services should be able to track the places users go on the Internet in order to send these users targeted marketing offers. An even greater proportion of Internet users (71%) disagree with 43% of them disagreeing "strongly.""
2.5 How many commercial Web sites collect, compile, sell or use personal information? Of these, how many give consumers notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given, (2) the content of such notice, and (3) the costs and benefits, for both consumers and commercial Web sites, of providing such notice.
We have seen few privacy policies posted on web sites. Exceptions include the major Online Service Providers, newspaper sites requiring a registration agreement, Amazon (a bookstore) and Intuit, which makes software personal finance. These are perhaps areas where consumers are particularly sensitive about privacy.
Some of these statements and agreements are bewilderingly complex, and revolve around the definition of what is attributable to the individual. On close examination many companies are found to be retaining the right to sell information about the household, which is unacceptable to many people.
There are attempts by various organizations to simplify these issues with what e-Trust calls trustmarks: graphics certifying a certain level of compliance.
2.6 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by those sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised, and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices.
Very few sites offer a choice; one admirable exception is Amazon, which gives customers the option of specifying that their names should never be rented, even though Amazon does not currently do this.
The setup costs of offering choice are small; administration has some cost, and the list revenue foregone from people who opt-out is an opportunity cost.
2.7 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers access to, and an opportunity to review and correct, personal information about them that is collected and retained by those sites?
No site that provides such a service has come to our attention.
2.8 Of the commercial Web sites that collect, compile, sell or use personal information, how many have procedures to maintain the security of personal information collected from consumers online, and what are those procedures?
Computers connected to the Internet (which Web sites must be) are notoriously insecure. The web site of the CIA, which might reasonably be presumed to maintain a higher level of vigilance than most commercial organizations, was penetrated by a group of Swedish hackers on 18 September 1996, who changed its name to the Central Stupidity Agency. See also our comments on the differences between security and privacy in Question 1.22.
2.14 Has interactive technology evolved since June 1996 in ways that could address online privacy issues? To what extent is it currently available and being used by consumers and commercial Web sites?
Several software products are being sold or given away free that let consumers control the disclosure of information and cookies. The Internet Junkbuster, PGP cookie.cutter, and WebFilter are among the better known. Awareness of these products is very limited however.
2.15 What are the risks and benefits, to both consumers and commercial Web sites, of employing such technology? What are consumers' perceptions about the risks and benefits of using such technology to address online privacy issues?
Some of these products, depending how they are configured, deprive sites of tracking information and advertising impressions. As we stated in Question 2.4, consumers do not perceive targeting as beneficial to them. The overwhelming majority of user feedback from the Internet Junkbuster indicates that consumers like being able to remove advertising; some because they regard it as intrusive, others because it slows their surfing. A small number of users say that they don't mind the ads or actually want certain ads, but some block them anyway because of privacy reasons such as cookies and the fact that their search queries are being handed over to advertisers to build profiles of their behavior. This is one example of how companies that cling to practices that consumers consider inimical to their privacy may suffer in the marketplace as a result.
At the FTC's previous workshop one representative claimed "cookies technology could be used by Web sites to facilitate communication of consumers' privacy preferences." Even though our software gives consumers the power to send any message they choose in cookies, we don't consider that cookies will prove to be an appropriate vehicle for this task, because they are under the control of each separate Web server. And we believe that the word "privacy" should be followed by the words such as "rights," "requirements" or "instructions," not "preferences."
2.16 How widespread is the practice of sending unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?
Figures quantifying UCE are scarce, perhaps because almost no traditional direct marketers currently send it: almost all the solicitations appear to be from small entities, such as individuals promoting make-money-fast schemes. The GVU WWW survey found that about 80% of American Web users receive spam, about 10% read it, and 4% claim to retaliate.
Spam factories claim to be able to send out millions of items per day. There is a widespread consensus that UCE started becoming widespread in 1995 and has grown considerably since then.
One factor that is easily measured is the number of public postings mentioning UCE. An analysis conducted by JUNKBUSTERS using Deja News (an archiver of public online forums) counted the number of times in a year that certain keywords were appeared on Usenet postings indexed by that company. The count: sex: 651,186, spam: 537,311, Clinton: 373,417, drugs: 264,153, censorship: 115,384. Assuming that the processed meat product also named spam accounts for only a small percentage of these discussions, UCE appears to rank high on the list of issues for the online population.
Are privacy ... interests implicated by this practice? Certainly, even under the older definition of privacy as "the right to be let alone." People have written to JUNKBUSTERS saying they get 50 or more items of UCE per day, and express a feeling of helplessness in stopping them. Consumers also dislike the idea of their email addresses being traded on lists without their consent (an example of the more modern conception of privacy).
In 1996 a single piece of UCE made hundreds of thousands of people feel their privacy was violated, because it began with the assertion that the addressee was on a list of people interested in child pornography. In this particular case the solicitation appears to have been hoax in the sense that the sender was not genuinely offering the articles for sale, but the apprehension of the recipients is genuinely applicable in many real cases. Assuming it was a hoax victimizing the person named, his privacy was certainly violated. The FBI reported hundreds of calls due to this incident.
Are [other consumer] . . . interests implicated by this practice? The practice concerns anyone who has an interest in the well-being of the Internet and electronic mail as a medium of communication between individuals. Consider the economics of a future where UCE becomes a marketing medium analogous to direct mail (which many businesses are trying to position it as). The number of direct mail articles sent in the US each year is currently approximately 70 billion, roughly one per day for each adult. The average cost of sending those articles is perhaps a dollar for paper and postage. If that average dollar were being spent on UCE instead, the average individual could expect about 10,000 items per day. Optimistically hoping for 99% accurate email filtering software, this would mean reading 100 unwanted messages a day (and losing some small number of wanted messages in the process). Even ignoring the burden such volumes would place on an already strained Internet infrastructure, email could turn from an efficient medium to a difficult chore or an unworkable burden.
Many people go to considerable efforts to conceal or disguise their email address because they believe that it will be difficult to stop UCE once their address is compromised. These efforts have intangible costs to both those people and to others who might have a legitimate reason to want to email them. The reluctance of some consumers to use email as a means of communicating with companies means lost opportunities such as lower transaction costs.
What are the sources of e-mail addresses used for this purpose? Some on-line services provide directories of their customers' email addresses. Email addresses are often "harvested" from Web pages, Usenet groups, and other public machinereadable texts. This is an automated process performed by software packages. Only one such process we know of takes any heed of markings consumers often leave trying to indicate they don't want UCE. In a piece of UCE forwarded to Junkbusters by a consumer, the spammer claims to have software that can to extract 260,000 distinct addresses per hour. Its $100 price tag includes a bonus "e-book" titled How To Make Obscene Profits On The Internet. That asking price is high compared to competitors, which usually ask $30-$50.
2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e-mail?
Any business considering UCE faces a simple risk/reward tradeoff: alienating a large number of people against getting sales from a small number of people. Companies with some investment in their trademarks and goodwill therefore don't do it, and fly-by-night operations do. The upfront costs of spamming (address harvesting and transmission) are almost negligible.
The current primary beneficiaries are spam factories who are paid by individuals and small businesses to send it. Their customers are able to make their solicitations to consumers in numbers that they would not otherwise be able to afford to reach, but we see no evidence that consumers benefit because of this: online consumers have ample access to online purchasing opportunities. UCE is almost universally despised by consumers on the Internet: it and privacy were the top two concerns in the GVU Survey. Some larger companies are also concerned at the loss of productivity caused by their employees having to process junk email.
Some consumers incorrectly believe that certain email messages can introduce viruses into their computers.
At least one spam factory makes the specious claim that he is trying to save trees, but we are unaware of any evidence or even plausible economic mechanism to support the idea that an increase in UCE results in a decrease of direct mail. The history of advertising in suggests that new media tend to supplement rather than displace old media.
2.18 What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they?
The cost in terms of vexation and lost time are obvious but difficult to quantify. Some junk emailers argue that as more people move on to flat-rate Internet access plans, the direct costs become negligible, but time-charged services such as ISDN are actually becoming more popular. UCE is clearly "postage-due marketing," violating the basic principle that led Congress to prohibit solicitations to cellular phones, faxes, and 800 numbers in the Telephone Consumer Protection Act of 1991 (TCPA).
The fact that the addressee pays to receive UCE is the basis of JUNKBUSTERS SPAMOFF, where the addressee tells the sender that UCE is unwelcome and that the sender must pay $ 10 for each further item. Users report that such notices are relatively effective in convincing spammers to desist. Many people post such notices to the Web on their home pages, along with permissions that may assist class action suits against spammers. We believe that economic disincentives are likely to prove the only lasting way of discouraging would-be spammers. Spammers could easily circumvent legislation by routing their spam through other jurisdictions, and enforcement would face many other difficulties and deleterious sideeffects. However, we wish that the FCC or other authority would end debate on the question of whether UCE is subject to the sanctions and restrictions of the TCPA.
2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.
The most common measures fall under the heading of filters: software that examines the item and decides whether to reject it. The determination can be based on several factors according to the user's specifications, such as keywords in the body of the text (e.g. "special offer" and "check or money order"), or the apparent identity of the sender as indicated by email and IP addresses in the headers (e.g. prohibiting known spammers and allowing correspondents previously known to be legitimate).
As with any filter, there are inevitably errors of two types: items passed through that should not have, and items rejected that should have passed through. Both errors can cause grief, and there is an unavoidable tradeoff between them.
Some people reject messages without notifying the sender; others produce automated replies with one-time passwords asking the sender to resend the item quoting the password. UCE thus burdens not only recipients, but legitimate senders also.
Several mail handling packages now include filtering features (performed at the time it is delivered to the user's computer). Among them are NetManage, Eudora Mail Pro, Claris Email, and Netscape Communicator. Various software packages, such as Spam Hater attempt to track down the (often clandestine) address of the sender, and send the addressee's choice of text, such as threats of legal action. (Spammers often make their email appear to come from addresses other than their own: mostly from nonexistent addresses, occasionally from real but unrelated third parties.) Filtering can also be performed before it is delivered to the user's computer. This is the approach taken by AOL's "Preferred mail." Some ISPs have instituted communal filtering systems; filters are also offered as part of mail aliases by non-ISPs.
Angry consumers often propose "mailbombing" spammers, but no responsible organization endorses such action.
The idea of imposing an "impact fee" on spammers has been proposed, in fact according to GVU over 16% responded in favor of this, versus 5.9% in favor of government regulation. But we have seen no credible proposal for how this might be done other than by private legal action.
All these measures remind us of the old saying that an ounce of prevention is worth a pound of cure. An exaggerated analogy may help clarify this principle: suppose that the EPA were to ask environmentalists whether there are technological developments that might serve the interests of owners of beach-front property who prefer not to receive oil spills. Doubtless there are, but no offshore barrier imaginable would be preferable to the obvious solution of discouraging oil companies from polluting in the first place. It is unfair to burden the consumer with the task of filtering large numbers of unwanted messages that they have to pay to receive, especially since the means of doing so are imperfect and impose further expense.
2.20 How many commercial entities have implemented the Principles for Unsolicited Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?
We do not know; but we make the observation that even if every established marketers were to implement a complete ban on UCE, consumers would still be vexed by UCE from spam factories. The head of least one such company has declared his intention to continue spamming until legislated out of business. There is widespread consensus that most spammers will not respect opt-out lists; Cyber Promotions and Softcell have explicitly stated this.
But the DMA's principles do not condemn the practice of sending UCE; they simply recommend doing so in a certain manner, such as making it easily identifiable as a solicitation and providing an opt-out mechanism. At first glance the DMA's position might sound fairly reasonable: they are saying that each company should be able to send one piece of UCE, but no more if they are told to desist. The danger is that if UCE becomes destigmatized, even in the restrained manner advocated by the DMA, there would be no economic reason for any business not to start sending large amounts of UCE, other than the fear of alienating the consumer, which is a strong factor only for the relatively small number of large established companies.
In an argument similar to that in our answer to question 2.16, assume that say, half of the US retail businesses connected to the Internet decide to send just one piece of UCE to half of the email addresses in the US. Each consumer could expect to receive at least 10,000 solicitations. The figure may be higher than this: the DMA'S 3,700 members probably account for only a small fraction of all such organizations.
In our opinion the opt-out model is inappropriate for email; the only responsible way to market by email is through opt-in. Established companies have ample opportunity to tell consumers how they can request information on buying opportunities via email.
We consider the DMA'S failure to condemn UCE to indicate their lack of consideration for how severely the public would suffer if it became widely used.