Comments of the Electronic Privacy Information Center Concerning Children's Privacy - 954807

 

EPIC
666 Pennsylvania Ave., SE
Suite 301
Washington, DC 20003
(202) 544-9240

INTRODUCTION

1. EPIC commends the FTC for conducting the Public Workshop on Consumer Information Privacy. Privacy is clearly an issue of great concern to American consumers. The FTC has the authority and the responsibility to investigate privacy issues, particularly where unfair or deceptive trade practices arise.

REQUEST FOR PARTICIPATION

2. Pursuant to the notice published by the FTC, the Electronic Privacy Information Center (EPIC) formally requests participation in all three sessions scheduled by the FTC for the upcoming workshop. EPIC has satisfied all of the criteria outlined in the agency notice. EPIC has submitted written comments for all three session areas. EPIC's participation would promote a balance of interests at the conference as there are few organizations that represent the public interest and do not receive funding from affected parties with regard to privacy issues. EPIC's participation would promote the consideration and discussion of a variety of issues raised by the FTC study as we have followed closely the work of the FTC and other federal agencies on privacy matters. EPIC has expertise and knowledge of the issues that are the focus of the study and has participated in a number of related privacy investigations, most recently as a member of the panel of experts of the Organization for Economic Cooperation and Development (OECD) that recently put forward international cryptography policy guidelines. EPIC reflects the public interest particularly well in this proceeding as it receives no financial support from any organization that would be directly affected by a decision of the FTC, and in particular has received no support from the Direct Marketing Association, credit reporting agencies, or database marketing firms. EPIC has been designated by the US Privacy Council as a party that shares common interests with the Council. Finally, it is for the agency to determine the appropriate number of parties to participate in the public workshop. It is our view that the public concern about privacy matters must be given top priority in this determination.

REVIEW OF PREVIOUS STATEMENTS TO FTC

3. On December 14, 1995 EPIC wrote to the FTC and urged the Commission to "investigate the misuse of personal information by the direct marketing industry and to begin a serious and substantive inquiry into the development of appropriate privacy safeguards for consumers in the information age." We noted the growing privacy concerns among the American public as well as increased consumer resistance to certain new services. We specifically asked the FTC to investigate the following issues:

1. How is personal information collected and sold within the industry? What is the extent of data aggregation on particular individuals? Do current collection and trade practices violate federal or state law?

2. Has the Mail Preference Service actually protected the privacy interests of consumers? Are there better and simpler methods for consumers to control personal data?

3. What are the implications of the sale of direct marketing lists to federal and state investigative agencies? Does this practice violate privacy rights of American citizens? Should it be regulated or prohibited?

4. Could new technologies for anonymous and pseudo-anonymous payment schemes coupled with enforceable legal rights ensure the development of on-line commerce that promotes business opportunity and protects personal privacy? What steps should be taken to pursue these new opportunities?

http://epic.org/privacy/internet/ftc/ftc_letter.html

REVIEW OF JUNE COMMENTS TO FTC

4. At the June 4, 1996 FTC Public Workshop on Consumer Privacy on the Global Information Infrastructure, we made five general points regarding the protection of consumer privacy in the information age. As these points were not adequately reflected in the staff report, we restate them here and ask that they be considered as part of our submission for the upcoming public workshop.

The voluntary approach has failed. Public opinion polls demonstrate that the level of public concern about the absence of effective privacy protection in the United States continues to rise. According to Lou Harris Associates, at no time has public concern about the loss of privacy been greater than it is today. There are a number of explanations for the growing public concern. One explanation may be a general distrust of institutions, both public and private. The better explanation is simply that the law has failed to keep pace with the rapid changes in technology and the commonly accepted expectations of privacy are routinely threatened by new business services. In such an environment, enforceable legal rights are necessary to restore public confidence.

Consumers will demand legal control over personal information. The difference between effective privacy policies and ineffective privacy policies can be seen in the difference between enforceable privacy rights and non-enforceable privacy rights. Where privacy rights are established in law, industry develops appropriate practices to protect identified privacy interests. This is apparent in the operation of the Fair Credit Reporting Act which ensures that consumers have a legal right to copies of their credit reports. Where there is no right, there is no remedy. For example, consumers who attempt to make use of the Direct Marketing Association's Mail Preference Service routinely report that they continue to receive junk mail and that the service is not effective.

Current industry practices are not viable. It has become increasingly obvious that an approach which places burdens on consumers to learn about information practices, object to misuses and monitor compliance has failed to adequately resolve public concerns about privacy. Over time, the gap between privacy problems and privacy solutions has grown. We believe it is now time for a new approach to privacy that is based on (1) the promotion of anonymous payment services and (2) enforceable codes of fair information practices.

Technologies of privacy limit or eliminate the collection of personal information. We have indicated on several occasions that there are many technical approaches to privacy protection. But we noted at the June hearing that the key feature of technologies that enhance privacy is that they limit or eliminate the collection of personally identifiable information. For this reason, we generally favor techniques that promote anonymous or pseudo-anonymous transactions. We do not support techniques that force consumers to disclose privacy preferences as a condition of a commercial transaction. Such techniques will undermine privacy rights and are discriminatory. These are not "Privacy Enhancing Technologies," but rather "Privacy Extraction Technologies", i.e. they require the disclosure of consumer privacy preferences as a condition of engaging in commercial transactions.

Mechanisms which promote anonymity and reduce the collection and use of personal information are discussed in "The Path to Anonymity," published jointly by the Information and Privacy Commissioner, Ontario, Canada and the President Registratiekamer, The Netherlands. The report assesses the types of privacy technologies commercially available "for keeping anonymous the identity of individuals during the rendering of services." The report notes that security (that is, keeping data secure from third party intervention), is only one component of privacy. "The areas covered by privacy are much broader, extending from limitations on the initial collection of personal data ... to restriction of its use to the purpose specified, to prohibitions on any secondary uses." Mechanisms to promote anonymity and thus privacy include: digital signatures, blind signatures, digital pseudonyms, and trusted third parties. The mechanism for digital cash is an extension of the mechanism for pre-paid cards, such as the familiar anonymous telephone card.

Smart companies (and countries) know this. Outside of the United States, companies and countries continue to move forward with plans to provide strong privacy safeguards for consumers, recognizing, as the European Commission noted in 1992, that "privacy protection is a necessary precondition to consumer acceptance of new network services." The European Union will enforce the Data Directive beginning in 1998, Canada is committed to comprehensive private sector safeguards by the year 2000, and MITI has just announced far-reaching privacy safeguards for Japanese consumers. Anonymous cash payments are now being deployed in the EU, Germany, Austria, Norway, and Finland. Direct marketing firms from Canada to Australia are recommending the adoption of private sector privacy legislation to address public concerns about privacy.

NEED FOR ENFORCEABLE PRIVACY CODES

In general, we believe the best approach for Internet privacy would be to develop a Code of Fair Information Practices that would provide clear guidelines for users and service providers. This is the approach that the United States had historically taken in areas where there was public recognition of the need to protect privacy interests. It is also the approach that many countries are taking today to protect privacy interests in the online world.

One possible code, based roughly on the OECD Guidelines of 1980, which the United States has already endorsed, is the following:

The confidentiality of electronic communications should be protected.

Privacy considerations should be recognized explicitly in the provision, use and regulation of Internet services.

The collection of personal data for Internet services should be limited to the extent necessary to provide the service.

Service providers should not disclose information without the explicit consent of service users. Internet service providers should be required to make known their data collection practices to service users.

Users should not be required to pay for routine privacy protection. Additional charges should only be imposed for extraordinary protection.

Service providers should be encouraged to explore technical means to protect privacy.

Appropriate security policies should be developed to protect network communications.

A mechanism should be established to ensure the observance of these principles.

COMMENTS ON FTC NOTICE REQUESTING PUBLIC COMMENT AND ANNOUNCING PUBLIC WORKSHOP

EPIC has attempted to comply with the request of the FTC and to provide responsive answers to all of the questions posed in the agency notice. However, many of the questions request survey data which is not available to us. Nonetheless, we recognize the importance of survey data in the assessment of industry practice, e.g. Reidenberg & Schwartz, Data Protection Law (Michie 1996) (failure of US marketing companies to comply with opt-out procedures), and urge the FTC to pursue these questions. It will become crucial for the FTC to determine the adoption and enforcement of codes of fair information practices.

Information Collection and Use

3.1 What kinds of personal information are collected by children's commercial Web sites from children who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information about children; is information being collected from children to create lists for sending unsolicited e-mail?

EPIC did not attempt to survey the kinds of personal information collected by children's commercial Web sites. The Center for Media Education has prepared an extensive survey of the "Threats to Children from Online Marketing." Their investigation uncovered both the solicitation of personal information from children and the click-by-click tracking of online computer use by children. Children are asked for information about themselves, personal and preference information, and for information about their families. This is personally identifiable information--not demographic information, not aggregate data.

3.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate, children's personal information important for marketing online or for marketing research? What privacy concerns, if any, are raised by the collection or use of aggregate children's personal information in this context?

Privacy concerns are heightened when personally identifying information is collected from children for whatever purpose. While adults may be regarded as sufficiently mature to exercise discretion in the sharing of personal information, children deserve an assured safety-net of protection. From a privacy perspective the collection of aggregate non-user identified data is not a problem.

3.3 What are the risks, costs and benefits of the collection, compilation, sale, and use of children's information in this context?

The commercial exploitation of children never serves society's interest.

3.4 What surveys, other research, or quantitative or empirical data exist about parents' perceptions, knowledge and expectations regarding (1) whether their children's personal information is being or should be collected by Web site operators and the extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of such information; (3) appropriate uses of such information; and (4) whether certain categories of children's information should never be collected or disclosed to others?

EPIC did not attempt to survey parents' knowledge and expectations regarding children's personal information collected by Web site operators. However, in their excellent report, the Center for Media Education reports: "While many parents may try to monitor their children's use of online services, it is not an easy task. Unlike television, which the entire family may watch together, many children use their computers alone. Children also tend to have greater computer skills than their parents, which makes periodic monitoring more difficult. And because of the "halo effect," arising out of the educational uses of computers, many parents implicitly trust computers, preferring that their children go online instead of watching television. They are unaware that children's Web sites can be more intrusive and manipulative than the worst children's television."

3.5 How many children's commercial Web sites collect, compile, sell or use children's personal information? Of these, how many give parents notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given; (2) the content of such notice; and (3) the costs and benefits, for both parents and children's commercial Web sites, of providing such notice.

EPIC did not attempt to survey how many Web sites collect, compile, sell or use children's personal information. The Center for Media Education has prepared an extensive survey of the "Threats to Children from Online Marketing."

3.6 Of the children's commercial Web sites that collect, compile, sell or use children's personal information, how many provide parents choice with respect to whether and how their children's personal information is collected and subsequently used by those sites? With respect to such Web sites, describe: (1) what choices are provided to parents and how such choices are exercised; and (2) the costs and benefits, for both parents and children's commercial Web sites, of providing such choices.

While EPIC did not survey the marketplace, if this mechanism is available it is so poorly advertised as to be non-existent.

3.7 Of the children's commercial Web sites that collect, compile, sell or use children's personal information, how many provide parents access to, and an opportunity to review and correct, personal information about their children that is collected and retained by those sites?

While EPIC did not survey the marketplace, if this mechanism is available it is so poorly advertised as to be non-existent.

3.8 Of the children's commercial Web sites that collect, compile, sell or use children's personal information, how many have procedures to maintain the security of personal information collected from children online, and what are those procedures?

Existing security procedures are in place primarily to keep data secure from third party intervention, rather than to preserve the privacy of consumers' sensitive identifying information.

Security is only one component of privacy and does not equate to limitations on the initial collection of personal data or to restrictions on its use or sale.

There is clear precedent in the Family Educational Right to Privacy Act of 1974 for extensive protection of children's information. In this legislation Congress has already recognized that there is a need to establish privacy rights enforceable in law for personal information about young people. These privacy rights include both limitations on the improper disclosure of information and the right to inspect information. It is appropriate and necessary to allow parents to exercise these rights on behalf of their children; and strong penalties are appropriate to ensure that these rights are upheld.

3.9 Do children's information practices in the online context differ from those implemented in other contexts? If so, describe the differences. Do the risks, costs, and benefits of these practices differ depending on the context? If so, describe the differences.

The Center for Media Education reports: "The World Wide Web and the major online services have become powerful forces in many children's lives. Almost one million children are now using the Web, and 3.8 million have access to it. A rapidly growing number of children are engaged by the interactivity of online environments that allow them to explore what they want and when they want. Children, like adults, find the interactive nature of online networks extremely compelling. They can also easily communicate with others online, wherever they are located. They can make new friends, and exchange E-mail with old ones. They can post messages on bulletin boards, and chat in real-time. Unlike TV, which is a prepackaged, one-way medium, online media are dynamic and two-way. They give children the power to converse one-to-one, and to display their creations for anyone online to see. Significantly, many children are choosing to spend time online rather than watching television. They are logging on rather than tuning in."

3.10 Do schools, libraries, and other settings in which children may have access to the Web, have a role to play in protecting children's privacy? What role do they currently play, and what role could they play in the future?

All venues in which children may have access to the Web have a role to play in their supervision. However, they alone cannot prevent the collection of personal information and cannot serve as watchdogs for each keystroke.

Self-regulation

3.11 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

The Direct Marketing Association believes that its self-policing practices have adequately protected children's privacy. They say that the opt-out procedure, which requires individuals to send a letter to the Mail Preference Service and ask to be removed from mailing lists, is sufficient to protect personal privacy. This may reduce some junk mail, though it is unlikely that children will send letters to the Mail Preference Service. But it does nothing to prevent the extensive profiling that companies pursue when data is gathered. These practices are permissive and they do not include sanctions for non-compliance.

Cyber Promotions, the self-proclaimed largest bulk advertising e-mailer in this country, is not even a member of the Direct Marketing Association. ("Detours don't seem to deter junk e-mail," USA Today, Feb 11, 1997)

3.12 What steps have children's commercial Web site operators taken since June 1996 to address children's online privacy issues? To what extent have they adopted the principles outlined in the following documents submitted at the June 1996 Workshop: (1) the Joint Statement on Children's Marketing Issues presented by the Direct Marketing Association and Interactive Services Association; (2) Self-Regulation Proposal for the Children's Internet Industry presented by Ingenius, Yahoo and Internet Profiles Corporation; and (3) Proposed Guidelines presented by the Center for Media Education and Consumer Federation of America?

Self-regulatory guidelines are not adequate and they are not working. There is no mechanism for enforcement and no mechanism for determining whether the guidelines are even followed.

A better approach may be found in the Children's Privacy Protection and Parental Empowerment Act of 1996. The bill would:

Prohibit the sale or purchase of personal information about children without consent.

Require list brokers and solicitors to disclose to parents, upon request, the source content of personal information on file about their children.

Require list brokers to disclose to parents, upon request, the names of persons or entities to whom they have distributed personal information on that parent's child.

Prohibit prisoners and convicted sex criminals from processing the personal information of children.

Prohibit any exchange of children's personal information that one has a reason to believe will be used to harm or abuse a child.

Preserve all common law privileges, and statutory and Constitutional privacy rights.

Establish civil remedies and criminal penalties for violations of the Act.

While some modifications to the CPPPEA may be necessary, the essential goal of ensuring basic privacy rights where personal information about children is collected is a good one and is more likely to result in policies and practices that actually result in privacy protection than unenforceable industry guidelines.

3.13 What privacy concerns, if any, are not adequately addressed by existing guidelines?

The guidelines do not address privacy. This is public relations, not privacy policy. These guidelines do not address the collection, use and sale of personal information. The guidelines permit the continued surreptitious collection of personally identifiable information.

Technological Developments

3.14 Has interactive technology evolved since June 1996 in ways that could address children's online privacy issues? To what extent is it (a) readily available; (b) currently in use; (c) easy to use; and (d) effective in preventing children from disclosing personally identifiable information?

Mechanisms which promote anonymity and reduce the collection and use of personal information are discussed in "The Path to Anonymity," published jointly by the Information and Privacy Commissioner, Ontario, Canada and the President Registratiekamer, The Netherlands. The report assesses the types of privacy technologies commercially available "for keeping anonymous the identity of individuals during the rendering of services." The report notes that security (that is, keeping data secure from third party intervention), is only one component of privacy. "The areas covered by privacy are much broader, extending from limitations on the initial collection of personal data ... to restriction of its use to the purpose specified, to prohibitions on any secondary uses." Mechanisms to promote anonymity and thus privacy include: digital signatures, blind signatures, digital pseudonyms, and trusted third parties. The mechanism for digital cash is an extension of the mechanism for pre-paid cards, such as the familiar anonymous telephone cards.

Moreover, anonymous payment systems are now being pursued by the European Union and several European countries. Anonymous payment techniques were also noted favorably in the recent recommendations of the OECD concerning Cryptography Policy Guidelines.

We noted above that we do not consider techniques that require individuals to disclose privacy preferences as a condition for conducting business on the Internet to be privacy enhancing technologies. We said that such techniques will reduce privacy safeguards and lead to discrimination against those seeking to exercise privacy rights. The problem with this approach is particularly apparent in circumstances involving the collection of personal information directly from children, where even traditional contract approaches are disfavored.

3.15 What are the costs and benefits, to both parents and children's commercial Web sites, of employing such technology? What are parent perceptions, knowledge and expectations of the risks and benefits of using such technology?

As a general matter, parents are unable to assess the risks and benefits in any particular collection, compilation, sale, or use of personal information concerning their children. Once the parent or child has provided personal information, he or she no longer participates in subsequent transactions regarding the information and is therefore unable to assess the benefits or costs that might result from subsequent use. However, the organization in possession of the information decides at each point in time what the benefits and costs will be in a prospective information transaction.

This is one of the reasons that enforceable privacy standards are critical to ensure an adequate level of consumer confidence in new on-line services.

Unsolicited Commercial E-mail

3.16 How widespread is the practice of sending children unsolicited commercial e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?

EPIC is unaware of the scope of this practice in the private sector. We refer the FTC to the reports of the Center for Media Education.

3.17 What are the risks and benefits, to children, parents and commercial entities, of unsolicited E-mail directed to children? What are parents' perceptions, knowledge and expectations of the risks and benefits?

As a general matter, parents are unable to assess the risks and benefits in any particular collection, compilation, sale, or use of personal information concerning their children. Once the parent or child has provided personal information, he or she no longer participates in subsequent transactions regarding the information and is therefore unable to assess the benefits or costs that might result from subsequent use. However, the organization in possession of the information decides at each point in time what the benefits and costs will be in a prospective information transaction.

3.18 What costs does unsolicited commercial e-mail directed to children impose on children, parents, or others? Are there available means of avoiding or limiting such costs? If so, what are they?

We defer to the Center for Media Education on this point.

3.19 Are there technological developments that might serve the interests of parents who prefer that their children not receive unsolicited commercial e-mail?

Techniques that promote the anonymous receipt of information would reduce the risk of target marketing. In the broadcast environment, an advertiser may have a general idea about the audience for a children's show but there would be no opportunity for direct marketing to an individual based on the actual identity of the child.

3.20 How many children's commercial Web sites have implemented the Principles for Unsolicited Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association?

EPIC did not review the implementation of the Principles for Unsolicited Marketing E-mail presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Services Association. To evaluate the impact of the proposed Guidelines we believe it is necessary to ask:

To what extent do the guidelines curtail current misuse of personal information?

To what extent do the guidelines minimize any burdens that might otherwise be placed on consumers to protect their personal privacy?

How will the guidelines be enforced?

What procedures exist to monitor and ensure industry compliance with such guidelines? For example, will there be a formal notice and complaint process when the guidelines are violated?