COMMENTS OF CME CENTER FOR MEDIA EDUCATION CONCERNING CONSUMER ON-LINE PRIVACY-P954807
CME Center For Media Education CFA Consumer Federation of America April 15, 1997 Secretary Re: Public Workshop on Consumer Information Privacy/Request to Participate, P954807 The Center for Media Education (CME) and Consumer Federation of America (CFA) are pleased to submit the following comments for consideration in the Federal Trade Commission's (FTC) ongoing investigation into consumer privacy concerns and specifically, children's privacy on the Internet.1 Our organizations continue to urge the Commission to take steps to protect children's privacy along the lines encompassed in our detailed filing in June 1996, encouraging the promulgation of guidelines. More than a year has elapsed since the Center for Media Education released its study, Web of Deception: Threats to Children from Online Marketing. During that time the number of children using online services has increased substantially. In 1996, four million children ages 2 to 17 used online services, nearly double the number of users in 1995.2 Moreover, as the Commission well knows, the advertising and marketing trends highlighted in the report have not only continued, they have worsened. Both the collection and use of children's information are widespread. Indeed, the technological tools being employed and developed by the advertising community have grown tremendously, giving marketers even greater opportunity to prey upon children's vulnerabilities. While the Center for Media Education and the Consumer Federation of America (CME/CFA) appreciate the fact-finding process on which the Commission has embarked over the last twelve months, it is time to protect computer users, especially children, from online privacy invasions. Although we are looking forward to the upcoming workshop, the workshop should not be allowed to replace or even delay decisive action. In order to maintain public confidence, the FTC needs to take a leadership role within the Global Information Infrastructure. The Commission must create a clear set of enforceable privacy guidelines that will help ensure that children fully benefit from the wealth of resources available online. CME/CFA strongly support the policies jointly created by the Clinton Administration, Congress and the Federal Communications Commission to provide schools and libraries with access to advanced telecommunications services. We have been actively involved in both national and state efforts to see that all children, regardless of income and geography, have access to developing technologies. At the same time, we believe that effective safeguards must be created to protect children from online commercial manipulation. CME/CFA submit the attached comments in response to questions 3.1, 3.6, 3.13, 3.14, and 3.15 for the FTC's Public Workshop on Consumer Information Privacy, Session Three: Children's Online Privacy and request the opportunity to participate in the workshop. Respectfully submitted,
______________________
__________________
__________________
1These comments relate solely to the issue of children's privacy. CFA also has submitted other comments related to additional privacy issues included in the Notice Requesting Public Comment on the Public Workshop on Consumer Information Privacy. 2See "Boys/Girls: Online Paths Diverge" in Digital Kids, March 1997. INFORMATION COLLECTION AND USE 3.1 What kinds of personal information are collected by children's commercial Web sites from children who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information about children; is information being collected from children to create lists for sending unsolicited e-mail? Over the past year, CME/CFA have found that the use of marketing and advertising practices that are potentially harmful to children has increased. These practices include the invasion of children's privacy through solicitation of detailed personal information and tracking of online computer use. A growing number of children's areas are eliciting personal information from children including their names, street addresses, E-mail addresses, ages and sex.1 Some sites are even more intrusive and ask questions about how many people are in the child's household, the child's access to a computer, and the type of computer the child is using.2 Other sites demand to know which is the child's favorite television program, favorite television commercial, favorite musical group, favorite sport, etc.3 Some use incentives, promising free gifts, such as T-shirts, mousepads, and screen savers, in exchange for such personal data as E-mail address, street address, purchasing behavior and preferences, and information about other family members.4 Disclosures of personal information often are mandatory when a child wants to play a game, join a club, or enter a contest.5 Other Web sites require children to complete registration forms and questionnaires in order to proceed into the site.6 Youngsters are considerably less capable than adults of discerning the motives behind such giveaways, contests and surveys, and easily fall prey to such marketing techniques. The development of new technology has also led to an increased number of interactive Web sites. These sites solicit different information from children depending upon their answers to certain questions. By tailoring surveys to the individual user, these requests for information are potentially more persuasive and manipulative.7 Tracking Computer technologies also make it possible to track all interactions users have online. Such covert data collection is becoming an essential tool for online advertisers. Unlike TV ratings which generally use anonymous aggregate numbers to reveal the viewing behavior of key demographic groups, online usage data can track how individuals respond to advertising. A burgeoning industry has developed to provide such online tracking services. Online advertisers seek assurances that their ads will be seen by a significant number of people. To meet this need, corporations such as DoubleClick and Netscape have developed elaborate systems for collecting visitor information. These two companies have devised some of the most popular tracking methods. Netscape Communications Corp., maker of the most widely used Web browser, utilizes "cookies" to track computer users' online activities. Cookies are files stored on the hard drives of all Netscape users, keeping a log of each page within a site a user has visited. Companies using Netscape software can use the detailed user logs to create detailed profiles of individuals.8 Several other companies also provide tracking services.9 One company, Bradley Madison Co., has designed software, "Birds of a Feather," to overcome the "hurdle" of consumer concern for privacy, and still collect online marketing data.10 The software, which is distributed for free, enables individuals with similar interests to find each other. The users enroll anonymously through passwords. The software company then tracks the their online movements and sells the aggregate data to marketers.11 As one author notes, tracking tools essentially force individuals to act unwittingly as their own direct mail agents. Online advertisers can collect information about which ad was displayed each time an individual visited a specific site page and whether the user clicked on the ad. Using the information to construct a user profile, the advertiser will be able to select ads that best fit this profile.12 Recently, the Internet Engineering Task Force proposed RFC 2109, an HTTP State Management Mechanism that would allow users to decide whether or not they want their cookies to be collected. This would give individuals greater control over the creation and collection of their personal information on the Internet. CME/CFA as well as other groups interested in privacy protection, strongly support adoption of this proposal.13 However, RFC 2109 has caused quite an uproar in the online advertising industry. Several online advertisers, including CNET and ADSmart, oppose this privacy-protecting measure, favoring instead a system that does not permit user choice.14 Marketers and advertisers are developing technological tools not only to openly solicit information from computers users, but to design sophisticated tracking mechanisms that collect information without the user's knowledge. For example, TAG, developed by Digital Renaissance, Inc., takes advantage of interactive technology by enabling online marketers to track consumers' moves and offer promotional material based on the user's choices. The technology records the user's selections and the time spent on them. TAG's manufacturer boasts, "I know what they watched and how they watch it and now I know what's important to that consumer. I can tell what that person liked and disliked and whether or not that person left and never came back.15 These surreptitious tracking tools are particularly troubling when used to gather information about children. Because tracking information can be coupled with information gathered through more overt means, the FTC should require companies who track children to obtain verifiable parental consent. Microtargeting The practice of tailoring ads to individuals, known as "microtargeting," remains at the heart of current plans for a number of children's online services. In their efforts to microtarget to children, many sites have begun responding to new users with personalized messages. In these cases, a child visiting a site receives unsolicited E-mail messages urging her to return and promising exciting new activities. If left unchecked, these techniques quickly will evolve into even more sophisticated efforts to target children. Using individualized advertising based on intimate knowledge of each child's interests, behavior, and socioeconomic status will give online marketers unprecedented powers to tap each child's unique vulnerabilities. Several companies are offering new ways of combining tracking and microtargeting to make it easier for sites to provide personalized content. As noted in Advertising Age, ". . .There already are a slew of companies that mine information about a Web user's computer and Web browser to make sure the right ad message reaches the right type of Web user at the right time."'16 For example, Blau/Coyote Technologies uses invisible "tokens" to follow a user's actions on the Internet. The tokens are linked to the marketer's database and prompt different information, depending upon the user's behavior.17 Similarly, !33 Communications Corp. relies on "cupcakes" to track and microtarget. For this system, a user completes an electronic demographic form on a cupcakes-enabled site. The information on the form is stored on the user's hard drive, and when he visits a participating site, the site provides information personalized to the user's interest.18 Although presently, users must register at a site or request information for a marketer to be able to send a targeted message to a specific user,19 without proper disclosure, these techniques can easily manipulate consumers, especially children. In summary, the use of electronic surveys, such as the ones described above, may foster a new wave of direct marketing. While some sites state that the information they collect if for internal use only, and will not be made available to third parties, there are currently no regulations that prevent personal information about children from being collected or sold to third parties. Moreover, the sites do not explain how they intend to use the information that they have collected. Sophisticated data collection and microtargeting techniques could be used to prey on children, exploiting their sense of trust, and manipulating both their preferences and their behavior. 3.6 Of the children's commercial Web sites that collect, compile, sell or use children's personal information, how many provide parents choice with respect to whether and how their children's personal information is collected and subsequently used by those sites? With respect to such Web sites, describe: (1) what choices are provided to parents and how such choices are exercised; and (2) the costs and benefits, for both parents and children's commercial Web sites, of providing such choices. Most Web site information requests secure children's cooperation without their parents' intervention. In the FTC Workshop last June, CME/CFA emphasized that Web sites catering to children should adopt an "opt-in" model if they choose to seek information from children, i.e., the Web site should require that a parent affirmatively authorize his child's participation before the site can request information. CME/CFA has not discovered any Web site that adheres to this recommended practice. Although in some cases, children are told that certain information is optional and to "check with your parents first" before registering at a site, such disclaimers are likely to be ineffective because the sites have no means of verifying parental consent." Moreover, we know of no sites that provide children and their parents the opportunity to limit the use of information collected, or to correct information previously given. SELF-REGULATION 3.12 What steps have children's commercial Web site operators taken since June 1996 to address children's online privacy issues? To what extent have they adopted the principles outlined in the following documents submitted at the June 1996 Workshop: (1) the Joint Statement on Children's Marketing Issues presented by the Direct Marketing Association and Interactive Services Association; (2) Self-Regulation Proposal for the Children's Internet Industry presented by Ingenius, Yahoo and Internet Profiles Corporation; and (3) Proposed Guidelines presented by the Center for Media Education and Consumer Federation of America? Representatives of online service providers and advertisers have argued that consumer education and industry self-regulation will be sufficient to protect the privacy of online users.21 However, past experience demonstrates that effective self-regulation is highly unlikely, and will not develop at all without some government intervention. Nearly a year after the FTC's Workshop, we are not aware of any sites that have adopted CME/CFA guidelines. Indeed, we find that companies are continuing to collect personally identifiable information from children at their Web sites without disclosing how the information will be used or who will have access to it, and without requiring parental consent. CME/CFA believe that children's privacy can be effectively protected only by a combination of comprehensive, understandable disclosure and verifiable parental consent. Currently, many sites offer no disclosure regarding the collection of information, whether it is aggregate and anonymous or personally identifiable. Where sites do offer some form of disclosure, it is usually insufficient to permit meaningful informed consent. For example, some sites state that they are collecting information solely for the use of the Web site, without revealing how they intend to use it. Where sites disclose that information is being collected, they almost universally fail to ask children to obtain parental consent before providing personally identifiable information. At the handful of sites that actually request parental consent, none can actually verify whether consent has been granted. Similarly, the Direct Marketing Association (DMA) guidelines advocating notice and consent have clearly not been routinely adopted by their membership, and the DMA does not appear to have taken any steps towards requiring their adoption. Moreover, other industry associations have not taken the lead in this area. There is little evidence that industry leaders even recognize the need to set limits on the marketing onslaught aimed at vulnerable youngsters. Instead, the emphasis is on continuing to refine techniques for creating loyal, lifetime consumers.22 The failure of self-regulation highlights the need for FTC action. The Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus has been promising for several months to release a set of guidelines for proper industry practice. Unless these guidelines require that companies marketing to children have an opt-in process for parental approval prior to information collection, they will provide inadequate protection for children. In addition, to the extent that CARU adopts policies that benefit children on-line, it is unclear whether their policies will have any substantive impact. CARU has a broad mandate to review child-targeted advertisements on television, and in print as well as on the Internet.23 Limited resources will prevent them from monitoring the thousands of continually changing Web sites. Moreover, industry compliance with a CARU investigation is voluntary. If violators refuse to comply with CARU guidelines, CARU refers the cases to the FTC or FCC for resolution. The FTC cannot expect parents to fill the regulatory void. While many parents may try to monitor their children's use of online services, it is not an easy task. Unlike television, which the entire family may watch together, many children use their computers alone.24 Children also tend to have greater computer skills than their parents, which makes periodic monitoring more difficult. Moreover, because of the "halo effect," arising out of the educational uses of computers, many parents implicitly trust computers, preferring that their children go online instead of watching television .25 They are unaware that children's Web sites can be more intrusive and manipulative than the worst children's television. TECHNOLOGICAL DEVELOPMENTS 3.14 Has interactive technology evolved since June 1996 in ways that could address children's online privacy issues? To what extent is it (a) readily available; (b) currently in use; (c) easy to use; and (d) effective in preventing children from disclosing personally identifiable information? 3.15 What are the costs and benefits, to both parents and children's commercial Web sites of employing such technology? What are parents' perception, knowledge, and expectations of the risks and benefits of using such technology. Given children's limited power to protect themselves on the information superhighway, the Direct Marketing Association (DMA) and other industry representatives have argued that the best defense from exploitative practices encountered online lies with new technological solutions. DMA has asserted in prior FTC proceedings that parents can "take advantage of available software tools and parental access controls to restrict their children's access to particular sites if they so desire."26 CME/CFA support the use of technology to customize the information that is released by children to comport with their parents' judgment and preferences, and recently joined the Internet Privacy Working Group's efforts to create a Platform for Privacy Preferences (P 3).27 Unfortunately, neither the available technological screening software services -- e.g., SurfWatch, Cyber Patrol, Net Nanny, SafeSurf, CYBERsitter-- nor the Platform for Internet Content Selection (PICS) rating system are likely to address adequately the problems presented by online advertising and marketing to children. Most of the software programs, as well as the PICS ratings system, were developed to protect children from sexual materials, rather than intrusive marketing practices.28 Four types of parental controls are available to prevent children from having access to "objectionable" material: 1. Blocking access to particular sites. A number of parental control programs allow parents to block access to any specific sites they choose. Given the huge and rapidly growing number of sites online and the constantly changing nature of the Web, this is not a practical way to screen sites that are considered offensive.29 Some of the programs streamline this process by generating a list of sites a child has visited, allowing parents the opportunity to easily examine and restrict access to sites that concern them. If parents learn that their children are spending hours visiting Web sites that collect personal information, they can block access to this site. Unfortunately, this approach permits blockage only after the child has been to the site or the parent has learned of the site on his/her own. 2. Blocking access to certain types of material. Some of the screening software, e.g., CyberPatrol, can block out entire categories of content, using key words to identify objectionable sites. However, the collection of personal information is not limited to sites dealing with certain products, or topic areas. Thus, it would be virtually impossible to use a key-word mechanism to combat all inappropriate information collection. 3. Preventing children from disclosing personal information. Software also may help protect children from invasions of privacy by marketers. Developed to protect children from potential child molesters, CYBERsitter allows parents to prevent children from disclosing their addresses or phone numbers when they are online. It may be possible to develop software that will further limit the amount of personal information online advertisers request from children, whether it is requested to join a club or be eligible for a prize, but information-collection technologies, e.g. cookies and its successors, are outpacing information-blocking technologies. Moreover, although blocking software has its merits when applied to potentially objectionable material, the blocking approach is fundamentally flawed when applied to children's personal information.30 Objectionable content is discrete and can be identified by each individual according to his or her values. A person can point to certain content areas on the GII, declaring "the pictures on this Web site and the topic of that chat room are something I don't want my child to see." That same child's personal information, on the other hand, is much more malleable, changing from one context to the next. For example, a parent certainly may wish to prevent his child from giving his name and street address to an online stranger or to an online salesperson, but he may want his child to share the same information in an E-mail to a classmate. Arguably, the parent could override the blocking software in the last case and permit his child to provide the necessary information to a friend. But what about all of the other instances in which the child has legitimate and desirable reasons to share his name and street address? For example, a child may wish to sign her name to an E-mail message sent to a keypal; or telnet to the local library to research a class project for which she is asked to supply her name and library card number. By installing blocking technologies onto the family computer, a parent not only thwarts nefarious requests for his child's information, but the legitimate ones as well. If children's privacy is to be protected, it is not enough to allow all kinds of information solicitation to take place with the excuse that they can be blocked. It is unreasonable to expect that parents must block all requests for information so that they can prevent their children from being bombarded with commercial solicitations for personal data. 4. Platform for Internet Content Selection (PICS) A set of online protocols is being developed that may enable parents to select from a variety of rating systems, and use whichever combination is best suited to their children. Once implemented, the PICS is intended to be "a viewpoint-neutral technology platform that will empower organizations and individuals to categorize and selectively access information according to their own needs."31 PICS was developed by the MIT-based World Wide Web Consortium and includes Netscape, Microsoft, SafeSurf and a host of other major online and computer firms.32 DMA and others contend that PICS can be used to label Web sites according to the privacy preferences of individual users. To date, this has not occurred. There has been little implementation of the PICS system to date, and, there is uncertainty whether a ratings approach will be supplanted by a browser-based approach. Although CME/CFA acknowledge that a ratings system has the potential benefit of providing parents with a shorthand way of identifying appropriate content for their children, we are also fully cognizant of the inadequacies of the PICS system. Even if software were created that could effectively screen out inappropriate information collection, the value of PICS (or any software solution) would be limited to those parents who could afford it, learn how to use it, and to devote the time needed to install and regularly update it. In addition, while PICS will enable public interest groups to develop and distribute their own rating systems to parents, such services will require substantial resources to establish and maintain. Organizations providing rating systems will have the labor-intensive tasks of regularly evaluating new sites and continually reevaluating existing ones. Most groups will not have the resources to develop and market a workable rating system. Finally, the PICS system cannot be applied to E-mail, chat rooms, news groups nor listserves. This is a grave omission given children's proclivity for these applications within the GII. Basic communication--exchanging E-mail letters, posting messages to bulletin boards, comparing thoughts about shared interests--is among the most popular activities for children online.33 Even if the PICS system were able to overcome the implementation problems, neither this rating system nor the blocking software can be used as a substitute for a comprehensive set of privacy guidelines. Indeed, it is unlikely that a technological fix will be found to address the complex concerns raised by online advertising to children. Blocking software and PICS are not sufficient because they do not create the policies necessary to ensure that marketers fully and effectively disclose their collection and tracking policies. Only adequate explanations of collection practices will enable parents to determine when to allow their children to release personal information. 1See, e.g., Hasbro International's site, www.actionman.com, which solicits children's names, E-mail addresses and countries. (site visited 3/31/97). 2www.kidscom.com continues to be one of the more invasive sites on the web, requesting an incredible amount of personal information from children who wish to participate in their games. Kidscom asks children for their address, the number of people in their household, their birth date, favorite television program, favorite commercial, favorite musical group, favorite sport, career plans, etc. See www.kidscom.com (site visited 3/24/97). 3McDonald's asks children who want to "say hello" to Ronald McDonald to provide personal information including their names, grades, favorite McDonald's food items, favorite sports teams, and favorite books. See www.mcdonalds.com (site visited 4/6/97). 4See, e.g., www.trivialpursuit.com, which offers a $3 coupon for the latest version of the game to individuals who complete a survey (site visited 3/31/97). 5See, e.g., Hasbro International's Action Man site, www.actionman.com (site visited 3/31/97); Headbone's site, www.headbone.com (site visited 3/31/97). 6 See, e.g., www.kidscom.com (site visited 3/24/97). 7 See Oscar H. Gandy, Jr., "Legitimate Business Interest: No End in Sight?" in The Law of Cyberspace, The University of Chicago Legal Forum, Volume 1996, for a discussion of the potential for discrimination on the Internet. 8 Netscape 2.0 and 3.0 includes cookies as one of its features. J. Rigdon, "Internet Users Say They'd Rather Not Share Their 'Cookies,'" The Wall Street Journal, Feb. 14, 1996. Netscape: (http://home.netscape.com/). 9 Other tracking companies include: Intermind (www.intermind.com), and Interse (www.interse.com), Firefly Network (www.ffly.com). See Matt Carmichael, "Are Cookies Really Monsters?" in Advertising Age, Nov. 18, 1996. 10See Birds Maker: Consumer Anonymity Will Link Online Users, Marketers, Interactive Marketing News , Jan. 1 7, 1997 at 1. 12Victor Mayer-Shonberger, The Internet and Privacy Legislation, Cookies for a Treat, 1996. 13See Appendix A, CME April 4, 1997 Press Release and Letter on RFC 2109. 14See Rick E. Bruner, "'Cookie' Proposal Could Hinder Online Advertising" in Advertising 15See "Company Rolls Out Interactive Database for Tracking Consumers," in Interactive Marketing News, Jan. 17, 1997 at 1. 16Debra Aho Williamson, "Web Advertising Saunters Toward Personalization" in Advertising Age, Nov. 18, 1996 at 44. 17See Matt Carmichael, "Are Cookies Really Monsters?" In Advertising Age, Nov 18, 1996 18Id. Other companies utilizing similar strategies include Broadvision (www.theangle.com) (registered users provide personal information. Advertisers can then target these individuals, but Broadvision won't reveal individual identities.) And Cyber dialogue (www.cyberdialogue.com). (registered users are placed within pre-defined psychographic profiles based on information they provide, and advertisers can then locate these users within a site.) 19Debra Aho Williamson, "Web Advertising Saunters Toward Personalization: in Advertising Age, Nov. 18, 1996 at 44. 20 The Disney Family Fantasy Sweepstakes site "requires" children under 16 to get permission from their parent or guardian. However, Disney offers no means of verifying this consent. See www.disney.com (site visited 3/29/97). See, also, www.jazzygirls.com (site visited 3129/97); www.kidscom.com (site visited 3/24/97). 21 See generally DMA Commentary on FTC Workshop on Privacy and Cyberspace. See also CMEICFA Post Hearing Comments, June 19, 1996. (detailing the weaknesses of the proposed DMA guidelines.) 22 Charles Waltner, "Brand Loyalty at Stake Online with Kids," in Advertising Age, Feb. 10, 1997 at 25. 23 In 1994, CARU reviewed 17,000 television commercials, informally investigated 55, and formally investigated 5. See www.bbb.org.childrensmonitor.html. (site visited 10/24/96). 24 How children use computers was a topic that was discussed at the "TECHNO Kids" and "Digital Kids" conferences. Representatives from the industry presented their market research and focus group findings. "TECHNO Kids Conference," Chicago, IL, September 13, 1995. 25 D. Britt, "Defining the Digital Consumer IV Agenda: Digital Kids Pre-Conference Seminar," New York, NY, October 25, 1995. "Defining the Digital Consumer IV Agenda: Digital Kids Pre-Conference Seminar," New York, NY, October 25, 1995. 26 Comments filed by the Direct Marketing Association to the Federal Trade Commission regarding Public Workshop on Consumer Privacy on the global Information Infrastructure, June 1996. 27 One concern that will need to be addressed with regard to a browser-based approach is the potential for abuse. A browser-based privacy platform may result in companies trying to persuade consumers to adjust their settings/default on the browser to release greater amounts of personal data. Children should not be allowed to negotiate about their privacy preferences as this would put them at an unfair disadvantage 28 A recent article in The Washington Post reiterates that exploitative advertising and privacy invasions still are not the focus of selection software. Linton Weeks, "A Safety Net for Children, New Software Blocks What Kids Can Access," in The Washington Post., Feb. 27, 1997. 29 For a discussion of the limitations of the blocking software currently available, see "Shielding Your Kids: We Test Web 'Babysitters,"' in Consumer Reports, May 1997. 30 Ironically, in order to obtain a "free" copy of one of the software packages, users must provide information to the company. As the Communications Decency Act decision recently noted, parents can download a seven day demo of the full version of Cyber Patrol from the MicrosystemsInternet World Wide Web Server. At the end of the seven day trial period, users are offered the opportunity to purchase the complete version of Cyber Patrol or provide Microsystems some basic demographic information in exchange for unlimited use of the Home Edition. The demographic information is used for marketing and research purposes." (paragraph 60, CDA.) 31 According to MIT's Albert Vezza, a spokesman for the PICS working group. 32 http://www.w3.org/hypertext/www/PICS/ 33 E-mail is often referred to as the "killer ap" (application) for children. How children use computers was a topic that was discussed at the "TECHNO Kids" and "Digital Kids" conferences. Representatives from tile industry presented their market research and focus group findings. "TECHNO Kids Conference," Chicago, IL, September 13, 1995.
ELECTRONIC PRIVACY INFORMATION CENTER
PRESS RELEASE NET USERS URGE STANDARDS GROUP TO PROTECT PRIVACY Organizations Respond to Attack on Privacy Standard by Some Online Marketing Groups Debate Focuses on Use of "Cookies" WASHINGTON - Many of the nation's leading consumer, civil liberties, and children's advocacy organizations have urged, an Internet standards organization to fix a problem with web browser software that allows companies and government agencies operating web sites to track the activities of Internet users. The groups say that there is a problem with the so-called "cookies" technology. Cookies make it possible to read information on users' computers and find out where they go on the Internet. Some companies in the on-line advertising industry use cookies data to collect personal information for advertising and marketing. The Internet Engineering Task Force, a loose coalition of technical experts responsible for the development of standards for the Internet is meeting this week in Memphis to consider a wide range of technical issues concerning the Internet, including a proposal to limit the ability of companies to use cookies. The proposed safeguard has come under attack by several companies engaged in interactive advertising and marketing. According to a March 31, 1997 article in Ad Age, these groups are now drafting a "counter-proposal" to head-off the IETF recommendation. Marc Rotenberg, director of the Electronic Privacy Information Center, said "We want the IETF to know that there are a lot of people who object to the current use of cookies and would like to see the problem fixed." James Love, director of the Ralph Nader's Consumer Project on Technology said "There should never be a case where private firms and government agencies are writing and reading information on a consumer's hard disk, without explicit authorization. These transactions must be more transparent, and the users must have the practical ability to say no." Jeff Chester, director of the Center for Media Education, said "We have to keep on-line marketers out of the 'cookie jar.' Such 'Orwellian' practices to stealthily track every move made on-line, and share that information with other companies, should be prohibited. More information about cookies is available at the EPIC Cookies Page. Organizations endorsing the letter include the Center for Media Education, Computer Professionals for Social Responsibility, Consumer Federation of American Consumer Project on Technology, Electronic Frontier Foundation, Electronic Privacy Information Center, National Association of Elementary School Principals, NetAction and Privacy International. To: Internet Engineering Task Force We write to express support for RFC 2109, the proposal for an HTTP State Management Mechanism, to address privacy concerns associated with "cookies." The proposal will allow users to exercise greater control over the creation and collection of personal information resulting from transactions between web clients and web servers. The proposal was published by the IETF on February 18 and is already in use on the Web. Netscape has indicated that Navigator 4.0 will incorporate part of the specification. We believe that "transparency" -- the ability of users to see and exercise control over the disclosure of personally identifiable information -- is a critical guideline for the development of sensible privacy practices on the Internet. The alternative would be the surreptitious collection of data without the ability to exercise any control. We support adoption of RFC 2109. We believe it is important step forward in the protection of privacy on the Internet Sincerely, Center for Media Education and more than 100 Internet users cc: Mr. Bill Gates, President, Microsoft Mr. Ira Magaziner, the White House ______________________________________________________________________________ Return to the EPIC Cookies Page http://www.epic.org/privacy/internet/cookies/
Monday, April 14, 1997 CENTER FOR MEDIA EDUCATION April 4, 1997 Dear Child Advocates, Recently, major steps have been taken that could dramatically increase the privacy of children and other Internet users. The Internet Engineering Task Force (IETF) wants the online user to be in control of the "cookies." Online advertisers use "cookies" to track a user's movements across the Internet. Cookies can store personal preferences of viewers and act as markers telling advertisers which web pages a viewer has visited. By collecting this information, advertisers can tailor their marketing to the specific interests of the individual. All of this is done without the knowledge of the child or adult who is using the Internet. Most online users do not even know that the technology of "cookies" exists. If the proposed changes are approved by the IETF, users of the Internet, including parents, would be given more control. A user, such as a parent, could deny permission for the cookie to be sent, thereby protecting his or her privacy online. Online advertisers have recently started fighting against this proposed safeguard. The Center for Media Education, the Electronic Privacy Information Center and the Consumer Project on Technology urge groups that are concerned with online privacy and children to express their support for the new personal privacy standards. The IETF will be meeting to discuss the proposed standards on Monday, April 7. If you would like to support the new privacy standards, please sign on to the attached letter before close of business Monday. We will forward a list of organizations to the IETF. You may reach us via.: phone - 202-628-2620 fax - 202-628-2554 email - lauri@cme.org If emailing or faxing, please include your organization's name, telephone number and a contact name. Regards, Jeff Chester To: Internet Engineering Task Force Re: RFC 2109 We write to express support for RFC 2109, the proposal for an HTTP State Management Mechanism, to address privacy concerns associated with "cookies." The proposal will allow users to exercise greater control over the creation and collection of personal information resulting from transactions between web clients and web servers. The proposal was published by the IETF on February 18 and is already in use on the Web. Netscape has indicated that Navigator 4.0 will incorporate part of the specification. We believe that "transparency" -- the ability of users to see and exercise control over the disclosure of personally identifiable information -- is a critical guideline for the development of sensible privacy practices on the Internet. The alternative would be the surreptitious collection of data without the ability to exercise any control. We support adoption of RFC 2109. We believe it is important step forward in the protection of privacy on the Internet. Sincerely, cc: Mr. Bill Gates, President, Microsoft |