TO:
Secretary
Federal Trade Commission
Room H-159
Sixth Street & Pennsylvania Ave., N.W.
Washington, D.C., 20580
Consumer Privacy 1997 -- Request to Participate, P954807
Comments Submitted by Russ Smith
(This Document is also available at http://www.consumer-info.org/FTCprivacy97.htm)
BACKGROUND
I publish an Internet site http://www.consumer-info.org/ (also accessible via www.consumerinfo.org, www.consumer-information.org, www.consumerinformation.org, and www.russ-smith.com) in my spare time. The site is a consumer information web site. It started as a project to post information concerning the Telephone Consumer Protection Act (TCPA) of 1991 and the implementing FCC rules. This law allows consumers to collect damages directly from telemarketers for violations of the rules. The site is fully financed by damages collected under this law and is visited by more than 100 different users on average per day as of April ‘97. Other consumer and privacy information will be added to the site as time permits.
In addition to the Internet site I publish I am also a heavy Internet user. This includes e-mail, chat, video-conferencing, Usenet newsgroups, etc. I had a high speed Integrated Services Digital Network (ISDN) line into my residence providing 128kb/second service to my residence (many Internet users have 28.8 kb/second service, ISDN is approximately 4 times faster) and I recently installed a cable modem which is several times faster than ISDN. My educational background is an MS in Physics and BS degrees in Physics and Computer Science all from Rutgers University.
I do not believe substantial new rulemaking proceedings should occur but rather a ‘tweaking’ of the exiting rules to specifically include the Internet where applicable. Many rules and regulation already exist that cover, at least in principle, many of issues of concern. The focus needs to on enforcement. Even if there were a huge new set of rules, who is going to enforce them? The FTC? There is simply no hope of enforcing rules about fraud, telemarketing, collection, etc. now. In this era of government downsizing it is simply not possible for government agencies to enforce all these rules. Industry self-compliance, as I will discuss below, does not exist; companies responsible for many of the complaints fund many consumer organizations; and other regulatory agencies do not have the resources to handle many of the complaints. Companies use this fact to simply defy many of these rules when they know the odds of the consumer complaint resulting in an enforcement action are small or nonexistent. There is simply nowhere for a consumer to turn unless a private right of action is permitted. Even then it is extremely difficult.
My comments will consist of admittedly anecdotal examples. However, I try to supply examples that may be easily reproduced at home. Often, this type of example provides a better picture of reality than quantitative data with unknown biases. Internet related survey results, even if unbiased, are often obsolete in a very short period of time. Furthermore, a complete discussion of possible biases is not practicable in this forum. I will also use examples from conventional telemarketing as many of the same players in this industry are moving into Internet marketing and I see many parallels in the two industries. Telemarketers essentially hold consumers’ phones ‘hostage’ by forcing them to use answering machines rather than use their telephones as intended. The same problem of overloading the consumer with unwanted information is also occurring in the Internet. Many have stopped using newsgroups due to the capturing of e-mail addresses and the subsequent barrage of junk e-mail. This reduces the overall usefulness of the Internet to consumers and results in a shifting of costs from the advertiser to the consumer. Passive techniques, such as requiring a consumer to view advertising when they visit a site, use a service, or download an image are not included in my objections. An exception to this is when a site collects personal information during a registration or other process or captures such information surreptitiously and does not allow consumers to control their personal information.
I vehemently oppose the positions of the Direct Marketing Association (DMA), Cyber Promotions, and the Interactive Service Association (ISA)’s opt-out principles and support the opt-in or ‘reverse target marketing’ principle. Let the consumer decide…not the marketers.
QUESTIONS AND RESPONSES
2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information?
Information collected in a log filed of a server supplying Internet pages contains the following:
Internet Protocol (IP) addresses that identifies the computer used to connect to the Internet. This information varies as to how much identifiable the information is contained in the address. For an organization that has a direct connection to the Internet it is usually possible to determine the company and possibly even an e-mail address. If the address is to a registered domain, additional information on who owns the domain is available via the Internet registration known as ‘Internic’ in the US. Dial-up accounts via an Internet Service Provider (ISP) are more difficult to trace. For a national provider, the area of the country may be determined by doing a ‘trace route’ command that shows each computer a message passes through as it proceeds through the Internet. These procedures can also be used to trace e-mail messages to their origin. Often, dial-up users have a dynamic IP address that changes each time a user logs on. I have fixed address when I log on in order to facilitate the use of videoconference software as the IP address is used as my ‘telephone number.’ I have heard that hackers have developed software to send a false IP address when visiting a site.
Referrer, or how you linked to the visited site. This includes any link followed to the site, the search criteria entered into a search engine (this is not always available via the referrer but usually is), link from a newsgroup posting, etc. This is blank if you simply type in address. If the site was ‘bookmarked’ or is the default page for the browser, this information is also available. It is also usually possible to see what criteria were used in an Internet search engine and it is possible to recreate the search and find out what position link appeared. For example:
http://www.infoseek.com/Titles?qt=%22telephone+consumers
+protection+act%22&col=WW&sv=IS&lk=noframes&nh=10,
http://av.yahoo.com/bin/query?p=www.+virtua+girl
%2F+anna+nicole+smith.com&hc=0&hs=0
are two referrers I captured in my log file. I can check the link and see exactly what terms were searched and find out what position my site fell within that search. I expect the second person was somewhat disappointed upon finding russ-smith.com. The search criteria information can be associated with the user’s IP address and, potentially, their identity.
A security flaw in this system was recently brought out about the use of the referrer. If a consumer registered at a web site, and the registration confirmation page has an external link, the registration information could be passed along to this external site. Even if the registration submission were encrypted, the referrer information would not be. One way to solve this problem is by not providing any external links on the confirmation page.
The referrer privacy concerns have not been addressed as extensively as cookies.
Donloaded Files. Times and dates of every downloaded file, graphic, information entered, etc.
Cookies. Cookies are information sent from the web site to the users computers. This can be used to identify a user even if their IP address changes. Lately, software has been developed to allow users to erase cookies from their computer, prevent cookies from being accepted in the first place, and/or send back a cookie prepared by the user (‘wafer’) which contains a complaint instead of the original information. Netscape and Microsoft browser automatically accept cookies and if the setting is changed the user is asked each and every time if they want a specific cookie. The new version of Netscape Communicator is reported to allow rejection of all cookies but that is not necessarily a good solution either. The latest version of Microsoft’s browser, Internet Explorer 4.0, does not permit automatic cookie rejection. One use of cookies is to save user logon information when visiting a password or user restricted site or simply to identify the person and provide custom content. Hackers have attempted to change cookies on their computer in order to log on as a different user and gain information about that user.
Often, sites run a log file analysis program that creates aggregate information graphs and tables from the log file. A program commonly used is webtrends (http://www.webtrends.com. My web site hosting service runs this program for my site each day. In addition to the information described above, such things as the operating system, browser type and version, screen resolution being used, links clicked leaving the site, etc. can be captured and associated with a user.
The use of banner ads is how users are tracked across different site. The ads are not usually on the computer initially accessed, but on the banner ad companies’ computer. This central computer system tracks users across all sites that have their banners. Cookies are then used to identify a specific user. Potentially, if a user inputs personal information at any one of these many sites, all this information can be tied to the person. DoubleClick explains how this is done at their web site. Here is an excerpt from http://www.doubleclick.net/nf/adinfo/bandeset.htm (Copyright © 1996 DoubleClick. All Rights Reserved):
Here, in more detail, is how…
A user enters the name (URL) of a DoubleClick Network web site they wish to visit, usually by clicking on an icon or link;
The selected Web page is delivered from that Web site to the User, and the User’s browser loads the requested page. Embedded in the page are Image Tags that link the browser to the DoubleClick server in New York. The User’s browser initiates the HTTP Get request from the DoubleClick server, establishing a connection between the two, and a graphic file is requested from DoubleClick to fill the ad banner space on the Web page being loaded on the User’s screen. (In most cases near the top of the loading page.)
DoubleClick then performs the following …:
The User’s Internet Protocol (IP address) is referenced, and the series of numbers that make up a User’s network address (ex. 199.25.206.5), is noted. These network addresses are referenced against the DoubleClick database of more that 400,000 mapped networks.
Each mapped network reveals the User’s Domain (at&t.net, microsoft.com, etc.), and the following information about that Domain:
•Country •State •Postal Code •Area Code •SIC*
(*SIC codes identify an organization type. This information is gathered from independent third party sources, is matched with identified domains, and becomes part of the DoubleClick database.)
DoubleClick assembles and reviews all the information it has collected to this point, including referencing the content (News, Sports, Weather, Financial…) of the DoubleClick Network site the User is visiting, and even pages within a site that contain words that an advertiser wishes to place a banner near, (example: "auto", "highways", "tires" for a car maker’s ad). DoubleClick also notes the time of day, and day of week relative to the User.
The DoubleClick server reads the HTTP header from the User and notes the User’s Browser Type (Netscape, Microsoft, etc.) and Version (2.0 3.1, etc), Operating System (Unix, Mac, etc.) and Version, and Service Provider (AOL, Netcom, Pipeline, etc.). This information is sometimes used in targeting ad banners. As the User’s browser permits, a cookie identification number is assigned to the User. DoubleClick assigns each individual User its own unique user ID number, primarily to track the number of times a User has seen each banner in order to control frequency, or deliver sequential banners to the same User.
Then DoubleClick scans the more than 1,000 ad banners waiting for delivery at any time, matching the ad and its targeting criteria with the User, and the information gathered. The appropriate ad banner is selected and delivered to the User.
All of this, every bit, takes place in the blink of an eye, the snap of a finger,…less than 20 milliseconds.
Then What…? When the User sees a highly targeted ad banner, they are more likely to be interested and respond. When they do, when they ‘click-through’, DoubleClick receives a Get request and redirects the User’s browser to the URL of the site that placed the ad banner. The advertiser’s server delivers the page content, and DoubleClick records another successful targeted click-through.
If the user is a from a network not previously identified, it is tagged as ‘new’ and DoubleClick performs an automatic search looking for this new network by sending a query to Internic, the central repository for network identities on the Internet. Internic provides the Domain (and the associated information submitted at time of registration) and the data is incorporated into DoubleClick’s database.
All the information collected to this point is part of a running process that continually updates itself 24 hours a day, 365 days a year.
And, that, in a nut shell, is how it is done.
…
Copyright © 1996 DoubleClick. All Rights Reserved
Many privacy oriented web sites have these banner ads on their sites. I do not believe the public at-large is aware this technology is being implemented
2.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate, personal information important for marketing online and for market research? What privacy concerns, if any, are raised by the collection or use of aggregate personal information in this context?
As a consumer I have no idea how the information collected about me is used, compiled, or otherwise distributed. Due to my fixed IP address, and my use of an ISP, my e-mail address is also captured when I visit a site. However, I do not believe this information has been collected or used to any great extent to send junk e-mail since capturing the IP address in this fashion will usually not result in an e-mail address.
In footnote 10 of the Staff Report of the Public workshop on Consumer Privacy on the Global Information Infrastructure, December 1996 it states in part: "…tracking site activity for individuals generates large complex data files that cannot be use for profiling with current technology." This is clearly not the case. The log files, while large, are in a standard format and can easily be searched for an exact ‘cookie’ and/or IP address match.. There is no need for a ‘fuzzy’ search necessary with names and/or addresses that could contain abbreviations, nicknames, etc. It is certainly easier than searching the entire non-standard Internet web for a specific string. If an e-mail address or other personal information were captured and associated with this cookie, Internet use over a long period across a large of sites could be correlated and tracked to an individual for good or bad purposes. If the DMA’s proposed e-mail preference service would go into effect, and require home address as proposed, this would help marketers correlate this information.
The privacy concerns are great as my every move on the Internet could potentially be tracked. For instance, I recently did a search of newsgroups via the DejaNews service [http://www.dejanews.com]. In my search I was searching on my username ‘russ-smith.’ The search turned up an entry in some type of an adult newsgroup. When I clicked on the message it turns out it had nothing to do with me. However, the banner ad I received was for an adult site from a widely used banner network called The Link Exchange. Does my profile now include this information? Is my search criterion (‘russ-smith’) also associated with this information? Do they have my name and address since I have purchased products (and entered personal information) at other sites with these banner ads? Is it being sold? How can I find out? Can I expunge it?
2.3 What are the risks, costs, and benefits of collection, compilation, sale, and use of personal consumer information in this context?
The risks and benefits are immense. The risks could include the gathering of all types of personal information including financial, medical, interests, hobbies, etc. all available strewn across databases all over the world. The benefits include a highly customized Internet with exactly the kind of information consumers want available conveniently at their fingertips. This can save time shopping and finding information fast that relates to that consumer. The benefits are worth it if the consumer has the knowledge and authority to control their information.
2.4 What surveys, other research, or quantitative or empirical data exist about consumers' perceptions, knowledge and expectations regarding (1) whether their personal information is being or should be collected by Web site operators and the extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of this information; (3) appropriate uses of such information; and (4) whether certain categories of information should never be collected or disclosed to others?
2.5 How many commercial Web sites collect, compile, sell or use personal information? Of these, how many give consumers notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given, (2) the content of such notice, and (3) the costs and benefits, for both consumers and commercial Web sites, of providing such notice.
I do not know any numbers concerning how many web sites compile personal information. It is almost impossible for a consumer to get this information. Based on my experience with obtaining a do-not-call policies for telemarketing [47 CFR § 64.1200(e)(2)(i)], even if a company does provide a policy, it is often not enforced. Usually, these policies are developed only after a request is made. The legal department usually drafts a policy that provides the least amount of information possible to the consumer. The policy often stays within the legal department and workers in the marketing departments never see the policy.
Two examples below:
Excerpt from Report Card On Compliance With The Telephone Consumer Protection Act Of 1991 By Top Companies In The Telemarketing Industry, A Majority Staff Report, Prepared For The Use Of The Subcommittee On Telecommunications And Finance Of The Committee On Energy And Commerce, U.S. House of Representatives, July 1994 [ http://www.consumer-info.org/rptcard1a.htm ]:
As a professional corporation in the telemarketing industry, x (company name) must abide by rules, guidelines, procedures and policies set forth by the local, state and federal governments for payroll, outbound telemarketing activities and overall business activities. We are in full compliance with all Federal Communication (sic) Commission standards and, in specific, the rules and regulations from the Telephone Consumer Protection Act of 1991, CC:Docket No. 92-90 (released October 16, 1992).
The document Bell Atlantic submitted after I requested the do-not-call policies that covered all of the Bell Atlantic companies:
Bell Atlantic - [State] Inc. has established a do-not-call list which contains names of residential customers who wish not to be called by Bell Atlantic - [State] to be solicited to purchase or lease our products or services. Residential customers who wish to be included on the do-not-call list should call the number listed on their telephone bill.
I have a pending lawsuit against Bell Atlantic for continuing to call my home, as well as other family members, after do-not-call requests were made as indicated in their ‘policy.’
2.6 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by those sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised; and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices.
(1) Many sites that have a registration process have little or no information about what happens to personal information. Those that do provide a policy rarely have any way for a consumer to verify what really happens to the information. I believe many sites are conscientious in this regard but there is no way to know who is and who isn’t.
(2) The costs to businesses, whatever they may be, results in privacy concerns of consumers are often given a low priority.
2.7 Of the commercial Web sites that collect, compile, sell or use personal information, how many provide consumers access to, and an opportunity to review and correct, personal information about them that is collected and retained by those sites?
Virtually none. In most cases it is impossible to get any response from a company that collects personal information. Answering consumer inquiries about such information is very low on the priority list of businesses.
I recently found my home address on a database at www.infospace.com. I contacted the company numerous times over several weeks via e-mail and they simply would not respond. I then sent a certified letter and followed up with a phone call. They claimed they did not get the letter and I was told it was impossible to remove the information from their database. I asked for their legal department and they finally put the president of the company on the phone and the information was finally removed. This was an easy one since I could actually see the information via the Internet. I have no way of knowing what information is on the databases of other companies where the database is not readily available to me even if I could find out who had information.
2.8 Of the commercial Web sites that collect, compile, sell or use personal information, how many have procedures to maintain the security of personal information collected from consumers online, and what are those procedures?
Again, to use the example of the TCPA written do-not-call policy, security of the list is rarely mentioned. The TCPA requires consumer’s consent if the do-not call request be forwarded to a third party [47 CFR § 64.1200(e)(2)]. Also, personal information cannot be recorded when consumer requests only their number is to be placed on the list. Some policies I have seen, such as MBNA, actually indicate the list is forwarded to a third party. Many policies, such as JC Penney, require the consumer to submit name and address. JC Penny has refused to acknowledge complaints concerning this issue. The DMA’s TPS list and the proposed Email Preference Service also require the consumer to provide home address. This list is then distributed to marketers.
Another example: Bell Atlantic will not responded to my request not to forward my personal information. A consumer in NJ reported that a telemarketer, Inter-Media Marketing, called on behalf of Bell Atlantic after that consumer was supposed to be placed on the Bell Atlantic do-not-call list. The consumer also reported the telemarketer said they also had his social security number and that Bell Atlantic had provided it.
Another example is the Signature Group. They launched a service for telemarketers to gather the do-not-call requests and consolidate the requests into a single list. When I contacted them concerning the TCPA requirement of obtaining consumers permission before a telemarketer could provide the information to the Signature Group, they would not respond. Also, since the Signature Group also engages in telemarketing, I requested their do-not-call policy. My request made in February of 1995 was not answered.
If these large companies will not provide a policy required by law how can anyone reasonably expect other, much smaller, companies to provide a voluntary policy?
Self-regulation
2.9 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.
The long-standing Internet guidelines concerning the inappropriateness of sending unsolicited junk e-mail has not changed, regardless of the Interactive Service Association and Direct Marketing Association’s contradictory guidelines.
PostMaster Direct [ http://www.postmasterdirect.com/welcome.mhtml ] and others have developed an ‘opt in’ mailing service covering numerous subjects. Others claim to have ‘opt-in’ lists but are actually sending unsolicited junk e-mail.
Cyber Promotions has developed the following policy for people that ‘flame’ (complain) about sending junk e-mail. This was a message attached to a message selling an expensive baldness "cure" from a Cyber Promotions’ client:
If you wish to continue to receive updated product info, press releases, and business and investment opportunities in your email box, stay tuned.
ADDITIONAL INFO ON FABAO????-- (AOL MEMBERS... go to keyword: preferredmail and turn off preferred mail or AOL will block the answer to your question and it will not go through) SEND QUESTIONS TO noci@cyberpromo.com put "PDG" in subject header, and ask away in the message body. Your message will be forwarded to Cybergen Health, but will be filtered for questionable content and size(max. 5K), and if it does not comply with our acceptable usage, our software will IMMEDIATELY and AUTOMATICALLY proceed to implement the remedies described above.
Another example is voluntary ‘flagging’ of the message as a solicitation such as putting UCE (for Unsolicited Commercial E-Mail) in the subject. The junk e-mailer’s trick here is to place the notation at the end of a long subject so the ‘UCE’ is usually truncated on most systems. Telysis, a major junk mailer, tried this with me. It was a solicitation to resell a junk e-mail service and claimed to honor all ‘remove’ requests. However, I had sent them a remove request a few months earlier. There is not much hope of implementing voluntary markings as the mailer’s job is to get the messages read, not deleted.
2.10 What steps have individual commercial Web sites taken since June 1996 to address online privacy issues? How many have employed the procedures for notice and choice set forth in the Joint Statement on Online Notice and Opt-Out presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?
The policies are at http://www.isa.net/pubpol/dma/spamming.html and http://www.isa.net/pubpol/dma/onlinesolicit.html.
The Interactive Service Association (ISA) and the Direct Marketing Association refuse to provide any information to consumers concerning these issues.
On incident with an ISA member, Individual Inc., illustrates how the procedures work. I registered at one of Individual Inc.’s sites, http://www.newspage.com. The registration required the inclusion personal information including e-mail. There was no notice that junk mail would be sent nor was there an opportunity to opt-out of any mailing. There was notice that the personal information was not to be forwarded outside their company. I received a junk mailing shortly after this. I asked them to stop sending the mail on four occasions, including a request that they update their registration procedures conform to the ISA guidelines. I then received another junk mailing that asked me to forward the message to others.
Over about a 9 month period I have contacted both Individual, Inc. and the ISA concerning the issue. The only response from Individual was their claim that they follow the ISA guidelines. When I presented them with the facts of the matter they will not respond. Can I now trust them to follow the other privacy guidelines? When I contacted ISA they indicated they did not accept or process consumer complaints. However, comments to the FTC in March of 1995 by the ISA give the impression that ISA is monitoring consumer complaints:
…
In the absence of a pattern of documented consumer complaints -- and the ISA is not aware that there has been any pattern of complaints -- it would be premature for the Commission even to initiate an investigation of marketing activities conducted via computer modems and online services. Although fraudulent practices can be conducted in any medium, there is no indication that any fraudulent practices are unique to online services or are so widespread that special regulations should be designed for online services…
This indicates that ISA is not providing accurate information to the Commission. Either they do not have online experience or they are providing misleading information to the Commission. Even though this was a 1995 comment, an industry group of online activities should have been aware of emerging online activities. It was only after a huge number of complaints and several high publicity junk e-mail lawsuits did ISA even admit to a problem.
An ISA attorney recently contacted me concerning my complaint. He indicated that an industry organization could not require their members to follow any guidelines in order to be a member. He referenced a situation in the 1960’s where television broadcasters were required to follow an industry guideline and this was determined to be illegal. I do not know the details of the matter but it does not appear to relate to this matter. There is not a monopoly of broadcasters on the Internet as there was in TV broadcasting. Many organizations require their members to comply with standards, etc. In any case, I would not object to the ISA having such a policy as long as this policy is clear to both consumers and the Commission. Currently, the ISA position is not clear on ‘self-regulation.’
The DMA’s (lack of) procedures for handling consumer complaints are discussed in 2.13.
2.11 How many online services have implemented the procedures set forth in the Interactive Services Association's Guidelines for Online Services: The Renting of Subscriber Mailing Lists submitted for inclusion in the June 1996 Workshop record?
The guidelines are available at http://www.isa.net/pubpol/maillist.html.
Unless consumers have the authority to control their information, it is not possible to get clear answer to this question. Interactive Service Association (ISA) does not provide any information to consumers. Furthermore, I do not trust organizations such as the ISA or the Direct Marketing Association (DMA) to implement privacy policies. For instance, companies like AT&T, the company that has more telemarketing complaints by far in the United States, are often involved in the development of these policies and then go on to ignore the policies in practice. Many of these same companies fund many consumer groups and initiatives. The consumer is powerless when trying to find out what information is being sold so there is no hope of determining what policies are being followed. Based on prior comments submitted by the Commission from the DMA and ISA, I would not believe any unverified data provided by these organizations.
2.12 How many marketers have implemented the provisions of the Coalition for Advertising Supported Information and Entertainment's (CASIE) Goals for Privacy in Marketing on Interactive Media presented at the June 1996 Workshop?
I am certain this figure is very low. The guidelines are available at http://www.commercepark.com/AAAA/bc/casie/privacy.html. Any discussion of marketers, such as DMA members, implementing these guidelines is simply not realistic.
2.13 What privacy concerns, if any, are not adequately addressed by existing guidelines?
Answer 2.13, Part A DMA and ISA guidelines for unsolicited junk e-mail
The policies promulgated by the DMA and ISA at http://www.isa.net/pubpol/dma/spamming.html and http://www.isa.net/pubpol/dma/onlinesolicit.html violate the TCPA. The TCPA regulates. This law prohibits the sending of unsolicited advertisements from a facsimile machine, which is broadly defined by Congress as:
(A) to transcribe text or images, or both, from paper into an electronic signal and to transmit that signal over a regular telephone line, or
(B) to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.
Another aspect of the TCPA regulation requires a telephone number, identity of the sender, date and time. In the case of the Internet the e-mail address, which is actually a number resolved to a text string by the InterNic [ http://www.internic.net ], is the number. This law, if enforced, would require the sender to include the proper header information. Programs, such as Sneaky Mail [ http://mason.gmu.edu/~rmcclana/ ] use the openness of the Internet e-mail system to send anonymous e-mail and make it appear as if it came from somewhere else. Cyber Promotions recently forged headers with an ad and a proclamation about spamming:
X-POP3-Rcpt: russ-smith@ids2
Return-Path: AD-1011@ISPam.net
Received: from mail.russ-smith.com (ns2.idsonline.com [204.157.204.5]) by ids2.idsonline.com (8.8.4/8.6.12) with SMTP id BAA20174 for <russ-smith@ids2.idsonline.com>; Sat, 29 Mar 1997 01:26:34 -0500
From: AD-1011@ISPam.net
Received: from [198.81.11.83] by mail.russ-smith.com
(SMTPD32-3.03) id A7641D480266; Sat, 29 Mar 1997 01:32:04 -0500
Received: from bandwidth.partner.4.of.52 ([206.27.86.210]) by emin47.mail.aol.com (8.6.12/8.6.12) with ESMTP id BAA23646; Sat, 29 Mar 1997 01:22:38 -0500
Received: from bw.partner.8.of.52 by bandwidth.partner.4.of.52; Thu, 28 Mar 1996 00:11:16 -0500 (EST)
Received: from (origin suppressed) ** Cyberpromo's new "ISPam Dial-Up Network" by (origin suppressed) ** Cyberpromo's new "ISPam Dial-Up Network" (8.8.5/8.6.5) with SMTP id GAA03103 for <You@Home-or-Work>; Fri, 28 Mar 1997 19:52:29 -0600 (EST)
To: You@Home-or-Work
Message-ID: 199703290053.TAA11793@GAA01211@sol.co.uk
Date: Fri, 28 Mar 97 19:52:29 EST
Subject: DIGNIFIED, HONEST, HOME COMPUTER WORK
Reply-To: Ad-1011@ISPam.net
X-UIDL: 119115154511510104704009584077011
Comments: Authenticated sender is <Ad-1011@ISPam.net>
The DMA, ISA simply will not respond in any way to the TCPA issue. Cyber Promotions claims the use of the word ‘facsimile’ as evidence that the law does not apply to junk e-mail. An article in NetGuide by Mark Eckenwiler also claims the law does not apply [see http://www.panix.com/~eck/junkmail.html]. I have had discussions with both the Congressional Staff that wrote the law and the FCC employees involved in drafting the rules. I do not believe e-mail was ever considered during the period the law was drafted in 1990 - 91 time frame. Congress could have made the definition more precise but they did not. My computer has the capacity to do everything in the definition. The FCC has never ruled on the applicability of the law but they did include the use of fax modem boards in their 1995 updates to the rules [In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CC Docket No. 92-90, MEMORANDUM OPINION AND ORDER, Adopted: July 26, 1995, Released: August 7, 1995, http://www.consumer-info.org/moando.htm#fxbd]. In such a case it is my understanding that the actual wording in the definition would take precedence.
This situation has resulted in liabilities for both the DMA and ISA as they are supporting violating these regulations that allow consumers to collect up to $1,500 for each violation.
Answer 2.13, Part B Industry Telemarketing Self-Regulation: An Example
Industry self-regulation is clearly not possible when the Direct Marketing Association (DMA) is involved. I have tried to file complaints with the DMA about: companies that claimed to honor the Telephone Preference Service (TPS) but did not (such as First USA and MBNA Banks), Bell Atlantic misrepresenting the character of the TPS in all their telephone books (Bell Atlantic claims the list is for companies that use national lists only when the DMA sells a local list at a reduced rate. Bell Atlantic then tries to use this as an excuse not to honor the TPS), and several members that are in violation of both the TCPA and the FTC’s telemarketing Sales Rule. When I called the NY DMA office they told me to call the Washington office. When I called the Washington office they told me to contact the NY office. When I told them the NY office referred me I was told the DMA does not accept consumer complaints. I continued to pursue the matter and I was referred to their attorney, Robert Sherman. I sent Mr. Sherman documentation of my claims. Mr. Sherman’s response to me dated December 15, 1995 included the following:
Mr. Sherman went on to discuss the paucity of my submissions rather than ask me for more information. Since this time, the DMA has continually referred the matters to different people who always fail to respond. Mary Alice H. Hurst, a member of their so-called ethics committee also indicated:
I incorrectly assumed the year would be 1996 as I have not received any such response. I have also requested a list of the DMA members. At one point, they took my credit card number and told me it would cost about $50 for the list. I was then told they were sold out and they did not know when they would publish the list again. I asked them to e-mail the list and now they will not respond. I certainly do not trust an association to do any self-regulating when they will not even disclose their members. Based on review of DMA comments to the FTC and FCC, their position is reminiscent of tobacco executive that claim smoking does not affect health. I feel the Commission should give their comments similar weight.
The American Telemarketing Association (ATA) has reacted in a similar manner. Jon Kaplan, their president, indicated the ATA would not take any action against a member for violating telemarketing laws, even when found guilty in court, unless the FTC or FCC took action first. The ATA did indicate they would send me a list of their members…if I sent them $150. The ATA also claims to be developing an industry self-regulation program called TeleWatch. However, they refuse to send me the information they have been distributing and will not disclose the founding members, will not say who will review complaints and decide on sanctions, and will not indicate what those sanctions will be. A former ATA president, Joan Mullen of Ron Weber and Associates, claimed not to know if her company calls consumers after I asked for the do-not-call policies. However, Ron Weber an Associates advertises that they conduct telemarketing to consumers and list Joan Mullen as the contact. Are consumers now supposed to submit complaints to the ATA? What action can be expected be taken against their former president for deceptive practices and TCPA violations?
As another example, the state of Kansas collected $225,000 from AT&T and has filed a suit against MCI. According to Attorney General Stovall telemarketers calling Kansas "are required to ask permission to make their sales pitch and to hang up if and when [Kansas consumers] tell them we’re not interested." She goes on to say "Despite my office’s efforts to work with the company in complying with our law, MCI has refused to cooperate and thus the reason for the lawsuit."
Why should Kansas have to go after AT&T? AT&T has been violating telemarketing rules enacted by both the FTC and the FCC for some time with no action. AT&T has more complaints than any other company by far at the FCC under the Telephone Consumer Protection Act database. The database has more that 3,100 total written complaints and the only enforcement action so far has been a notification letter to the company asking them to come into compliance. AT&T clearly disregards such letters and continues on. Adding additional rules enforced by the FCC or FTC would clearly not change the situation. Of course, consumers could move to Kansas. However, they should not have to wait for some government agency to intervene and/or spend time trying to convince an agency to intervene. The same problem exists with consumer groups. AT&T is involved with funding the National Consumer League. Bell Atlantic, the ATA, and the DMA is also members of the group. I complained about Bell Atlantic to the Alliance to Fight Telephone Fraud (a group headed up by Bell Atlantic and has several members who are also members of the National Consumers League’s Alliance Against Fraud in Telemarketing). Members either would not respond or explained that they didn’t deal with the type of fraud I brought to their attention. The National Consumer League’s President, Linda Golodner, provided a similar response when I discussed AT&T’s telemarketing practices. There is simply nowhere to take these complaints other than allowing consumers to do it themselves.
Many companies are very upset over the authority provided to consumers under the Telephone Consumer Protection Act (TCPA). A good example is my interactions with Household International and several of their companies including the GM Card credit card. Household insisted consumers were not permitted to see their do-not-call policies, only the FCC and Attorneys General as they have enforcement authority. A complaint was filed with the Illinois Attorney General, which was forwarded to the FCC. They ruled Household must provide consumers a policy even if they were not called. Presumably because the consumers have the burden of getting on each and every do-not-call list. Household withheld the policies from me for more than three months and finally sent me a few documents. Most of the documents contained a vague 7-line statement stating they follow the law. Most of the documents were in such poor condition that they were almost unreadable. A document from Household Bank was more lengthy and clearly indicated social security number was recorded with the do-not-call request. I explained to the Household legal staff that these policies did not provide instructions to consumers on how to get on the company-specific do-not-call lists. The attorney told me consumers can call the 800 number listed on their ‘statement’ and make the request. I tried this with the GM card and the supervisor indicated I had to have an account before they could accept a do-not-call request. After I filed suit an attorney representing Household accused me of being an extortionist and confirmed the accusation in court papers. Of course a Household lobbyist wrote to the California Senate in a letter to oppose SB 1512 for a mandatory do-not-call list for California, that the FTC and FCC rules already "heavily regulates" telemarketing and "consumers may receive up to $500 (sic) per violation for the do-not-call requirements."
In another case I received calls from Warrantech (an extended warranty company) after I purchased computers at CompUSA. The telemarketers first called and said they were Warrantech and in a later call they said they were from CompUSA. CompUSA legal department told me the calls were on behalf of Warrantech. They changed their story after I said Warrantech sent me a letter saying the calls were on behalf of CompUSA. At this point I still have not received a CompUSA do-not-call policy. They claim only Warrantech needs a policy but it does not explain how to get on the CompUSA company-specific do-not-call list. They have hired a law firm and have asked the court to impose ‘sanctions’ against me ‘for filing pleadings for improper purposes’ and are seeking damages from me for filing the suit.
Technological Developments
2.14 Has interactive technology evolved since June 1996 in ways that could address online privacy issues? To what extent is it currently available and being used by consumers and commercial Web sites?
Some tools are now available to prevent banner ads from being downloaded [see http://internet.junkbuster.com] but the user cannot implement this software. The Internet Service Provider level and needs frequent updates. The average user would not be able to implement the software.
Software tools to prevent cookies from being downloaded have been developed. Software that erases the information recorded by browsers, such as what links were visited, newsgroup messages read, cookies downloaded, etc. [see http://www.wizvax.net/kevinmca/]. Pretty Good Privacy is developing software for the user to control cookies and block specific categories of cookies [see http://www.pgp.com/products/PGPcookie-info.cgi ]. New versions of Netscape and Internet Explorer promise to allow cookie rejection without asking each and every time. The new version of Netscape is reported to do that but loading this version resets the settings to accept all cookies so a user would need to understand and change the setting in order to reject all cookies.
Cyber Promotions has developed filtering software to filter their junk and is selling the package for $49.95 to individual users [see http://www.cyberpromo.com ]. There are several software packages to filter or respond to junk mail. [Links to such packages are listed at http://www.consumer-info.org/links.htm ]. A casual user would not implement most of these programs.
2.15 What are the risks and benefits, to both consumers and commercial Web sites, of employing such technology? What are consumers' perceptions about the risks and benefits of using such technology to address online privacy issues?
The junk e-mail filtering programs, cookie programs, etc. are often complicated and difficult to implement for the average user. I believe many Internet users are not aware of the tracking capabilities being implemented by cookies and referrers. Those that are aware often do not have the time to purchase and test the various programs available as many programs have a learning curve associated with their use. Many depend on users filtering out an entire domain rather than specific users. This situation has resulted in advertisers shifting the burden and expense to consumers to protect their privacy.
Unsolicited Commercial E-mail
2.16 How widespread is the practice of sending unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?
The practice of sending junk e-mail is increasing rapidly. The current is that many low quality marketers are sending large numbers of messages. Many are for pyramid schemes, multi-level marketing, personals and x-rated information, vitamins and ‘cures’, etc. Other companies feel they are somehow not covered under a mass mailing. An excerpt from a recent message is:
Addresses are often captured from the Usenet newsgroups. I usually receive 5 to 20 times as many junk e-mail responses to a newsgroup posting as compared to legitimate responses. The junk e-mail can last for months while legitimate responses to a posting will usually only be for a few days. Many messages claim I requested multi-level marketing or long distance information when my posting was about do-not-call/mail information. I often set up specific e-mail boxes so I can trace how my address is distributed, much in the same way when people put a fake middle initial. I can also see if a company collected my e-mail address from my web site. So far, three entities, http://www.infospace.com, http://www.wabureau.com, and a company that makes postcards have done so in order to send me junk e-mail.
Many major companies, and most of the members of the Interactive Service Association, are not yet participating in these mass junk mailings. However, as the Internet enters main stream I believe many of the companies now causing problems with their telemarketing practices will enter this arena as telemarketing and telephone communications become obsolete.
Many junk mailers have learned to exploit the openness of the Internet mail system to send their messages via someone else’s server to avoid the subsequent complaints. This has resulted in additional expense to web sites as additional security software for e-mail servers is now necessary to prevent the junk e-hackers from hijacking their systems.
A major source of e-mail addresses is the Usenet newsgroups and other discussion groups and bulletin boards. Many have now either stopped using these groups or put a removable portion in their address such as russ@REMOVEruss-smith.com so automated e-mail collection programs will be foiled. This results in making it more difficult to respond legitimately as simply clicking on the address will not send mail to the proper address. The user that wants to reply must now edit the e-mail address properly to get it to work.
2.17 What are the risks and benefits, to both consumers and commercial entities, of unsolicited commercial e-mail? What are consumers' perceptions, knowledge, and expectations regarding the risks and benefits of unsolicited commercial e-mail?
Contrary to what marketers claim, the problem with the Internet is too much information. Most users are not sitting around waiting for junk e-mail. The usefulness of the Internet is being able to manage the information and find what is needed. Many heavy Internet users receive more junk mail than normal messages. A substantial amount of time is spent sorting through these messages.
Consumers do not expect to get a large amount of junk e-mail based on collection of their address as a result of newsgroup postings or other public sources even if the sender claims the message was targeted in some fashion. It is very easy to find and register for subscription services or to simply find the information at a web site.
Marketing by e-mail will be a source of tremendous benefit to both consumers and businesses alike. This is why it is imperative that the medium be protected by enforcement of the prohibition of unsolicited junk e-mail.
2.18 What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they?
The direct cost to consumers and Internet users is difficult to quantify. There is certainly loss to productivity as a result of the plethora of junk e-mail. Additional costs occur from software necessary to filter out the unwanted messages. ISP’s must also concern themselves with the numerous complaints about the junk mailers that invade their system. Many ISP’s have lost customers because angry recipients of the junk mail ‘mail bomb’ the sender resulting in disruptions of the ISP’s computers and therefore all their customers.
2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.
Various filter programs are available [http://www.consumer-info.org/links.htm]. However, as discussed above, they are difficult to implement by the average user and have other problems associated with use. Any such system usually requires a buy-in from the junk mailer, which is simply not going to happen. The junk mailer’s job is to see the messages get through, not deleted before it reaches its destination. The junk mailers have advanced in developing stealthy sending methods faster than the filtering software in recent months.
2.20 How many commercial entities have implemented the Principles for Unsolicited Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?
Not nearly enough to satisfy the public’s expectation. The ISA and DMA will not enforce any such principles. Furthermore, I believe they will work to cover up any violations rather than correct them.
Respectfully Submitted,
_______________________
Russell Smith
April 13, 1997