Subject: Children’s Online Privacy Protection Rule – Comment, P994504

Dear Secretary:

As a former early childhood educator, field market research specialist, current small business owner, mother of two and concerned citizen, I feel that this regulation will accomplish a lot toward making children under 13 years of age safer. Thank you for recognizing the importance and addressing this issue. When we began "doing our homework" to write a response to this proposal we already knew of its importance. However it wasn’t until my colleague responded to an email inviting her to send her children to a kid-safe, kid-friendly place, that we were force-fed a true dose of reality. She traveled to the site out of professional curiosity but made discoveries there that caused us to see the magnitude and the ramifications of what is happening daily in millions of homes across our nation and throughout the world without the knowledge of computer owners. The gross violation of privacy that was discovered would have escaped most people but she was sensitive to it because of our on-going research for this paper. It was certainly a timely discovery. We sincerely thank you for the opportunity to comment on the Federal Trade Commission’s Notice of Proposed Rulemaking to Implement the Children’s Online Privacy Protection Act of 1998. Our response to the Commission’s request for comments on various aspects of the proposed Rule is grouped by assigned number and topic.

Definitions:

Question 2 – INTERNET definition – acceptable

Question 3 a/ 3b– Is this definition clear and what is the impact of defining the term in this way?

We perceive this area to be particularly ambiguous because the term "OPERATOR" is all encompassing, including entities that perform vastly different roles in the process. For clarification purposes, we suggest that term "OPERATOR" be divided into descriptive categories. To better illustrate, we have outlined below an example of how the individual entities now termed "OPERATOR" might be classified. There should be differentiation based on responsibility that is assigned to each of them because of the level of control of information, its content and the "OPERATORS" advantage of "inducement".

1. Web Site Designer(s) – Designs the original site for the Web site owner, whom responsible to the Web site owner and may or may not be involved in the maintenance of the site.

Site Maintenance Provider(s) – A service, contractor or internal staff member who performs updates and makes modifications to the URL.

Web Site URL–IT (Information-Tech) – The custodian of the site who is involved in data retrieval, review, storage, and in some cases the selling of the information.

Web Server Host-Technician -The service that maintains the server equipment, which houses the web sites and databases.

5. Web Site Co-located hosts – A group that shares a site as either:

(A). Silent parent-child- A relationship, in which an undisclosed "parent" owns

The site, is privy to all information gathered but is not identified in the privacy

Statement. (Could even be an international partner)

(B). Identified Business Alliance "Alliance -partners" are separate, but by the

Web site design may have access to each other’s information.

(C). Referring Site -A site with a hyper-link for the purpose of expanded or

Similar material.

(D). Reflector site (troller) – A site which complies with the letter of the

regulation but offers links to sites that collect information in return for

"providing something". This second site may not comply with privacy

regulations.

(E). Mis-direction - A person becomes comfortable and less guarded and is

referred to another site for a seemingly innocent purpose. [Ex. A child can not

display a picture on the site and is referred to another site to gain the needed

software to properly view it. The new site, in addition to providing the

required software driver or applet with undocumented additional features,

which collect information, and at a pre-determined time returns home without

the family knowing that it has been monitored.]

Question 4 – PERSISTENT PERSONAL INFORMATION - We suggest the following additions:

Identifier/revealer (a).

When we log on to a web site, the computer browser offers the server hosting the site, information about your machine it’s hardware, software, your URL and even us! According to advanced technical manuals, the original intent of this feature was to assist the web designer to account for differences in the hardware and software available in order to ensure a correctly displayed page.

Identifier /revealer (b)

This type of identifier is embedded in software or drivers. The identifier records selected information and at predetermined intervals, without the knowledge or indication to the user, it returns the collected personal data to its point of origin.

AN ANALOGY: would be LIKE: A child brings home a cuddly teddy bear with a hidden recording device inside such as a video or audio tape recorder. The next day the child goes back to school with the toy and returns it to the owner. The owner then plays the tape, which contains very personal & private data.

In conclusion, our research indicates that these feature are not well known to the average user, but that they are well-documented in advanced technical manuals used by Web designers for Reference. However, we have discovered that the most recent browsers, several applets, and programs have deliberately embedded these "little jewels". One company is so bold that they boast that they ‘…won’t inconvenience the client, by requiring an action on their part…’ and will wait until the next Internet sign-on to automatically glean the information. Our major concern is that this same information, if not required to be protected by law, could reveal and perhaps even sell sensitive material about us, without our knowledge or permission.

In addition we suggest that his section should be expanded to include these additional "elint-types" of collection. (reflector, mis-direction, informer/revealer)

Notice Placement:

Question 5a & 5b – OPERATOR’s obligations for notice placement – the following reservations

This sub-section of the rule is well designed and clearly specifies to Web designers how to place the notice. The challenge is to find a way to find a way to get and hold the attention of an age group that spans a decade. The little ones may not recognize or understand the nature of the warning and the older ones may not care. As an educator, my experience is that young children can be taught to recognize and relate to a universal symbol, or icon and the older children think icons are "awesome" especially when they are animated. We have explored the idea of using a small cat icon, named cyber. We are willing to provide the FTC commission artwork and sample text from our beta site. (Without restrictions).

If this cat symbol was mandated to be on any site that could potentially reach the eyes of children under 13 a campaign to introduce this concept could be included as part of an awareness unit on computer- safety. "Cyber the cat" would show where you can play on the Web.

The icon would hyperlink to a standardized notice written at child’s level. This icon would be in addition to the normal icon for adults.

Question 6 – Multiple OPERATORS Identify information – We agree and hope that this provision will be included in the final draft.

Question 7 – Third party agreements: To maintain confidentiality-It is impossible to make an informed opinion about sites potential for harm with out all the facts. We hope you require that third parties must be listed and bound by the privacy statement of the primary site.

Question 8 – OPERATOR stated parental right to review information –Put it in both places. It is not harmful to a parent to receive the notice twice. What is harmful is to not be informed at all.

Question 9 – OPERATOR provided direct notice to parent -If the site uses any on-line form registration collection methods, they should be required to use that same method for requests and parental denials of use for the information. Please consider adding that the web site should immediately e-mail a copy of the current privacy statement and revision number, with the date of posting.

Question 10 – Content of parental notice of contact from their child -The proposed rule does not currently require that web sites assign version number to their privacy statement forms or to print an explanation of the revision changes. As a legal maneuver around binding privacy contracts, some sites are now issuing a "user site license" requiring silent agreement with the current terms of the site’s privacy statement, which is subject to change without further notice.

Question 11, 12,13,14,15,16,17,18 – No comment

Question 19 – Protect safety of child -the following reservations -Please be more specific as to your definition of "protection" of the child and the procedure. Did you mean intervention for the safety of the child (i.e. suicide, child abuse,)?

Question 20 – Limited purpose data usage - the following reservations

There are are automatic functions available to the web operator to protect the site. As explained earlier in this letter. The data-object named "navigator" provides the URL from which the user came. Further more, the statistical packages used to monitor URL performance will generate a history of visitors.

Question 21 – Special exceptions - Why open the door to the political process?

Right of the parent to view personal information provided by the child:

Question 22 -No comment

Prohibition against conditioning a child’s participation of personal information:

Question 23 – Conditional participation for child –My colleague recent visit to a self proclaimed and shielded site asked for the following information as participation in site activities over a 15-min period of time. Each individual tid-bit of information requested was harmless but the cumulative effect created a total breach of privacy:

1. To better view a picture in full color it told her that she needed to load a plug-in. The plug-in provided Frequently Asked Questions describing the current version as fixing the previous security leak. The security leaks was that when any cookie was picked up, their cookie information went too. Their cookie was to collect all the names and URL visited from the entire family. After download and installing she discovered that the "free" download was the old security-leaking version not the new advertised to be secure version.

2. It asked for her initials because she had achieved one of the top 20 highest scores. But, when she reviewed the top 20 scores she discovered that she was not even close. She went to another area of the site and returned later. The second time when she played the game, she was told again that she had a top 20 score, only this time her score was significantly less that the previous one.

3. In order to determine FREE offers, It asked her to identify her state from a predetermined set of states.

4. It asked which city to narrow the listed offers. Experimentation with the options showed that the list was the same no matter what city was chosen. It was clearly a gimmick to acquire her city and state.

5. It asked her to send an e-mail post card to 5 friends. There was no screening for age and the post card had an active link back to the site.

6. It asked her to call an 800 number to register for a free voice mail. This diversion to a phone can take place in minutes at any time of the day or night without any parental supervision. The combination of the security leaking applet and the voice mail and resulting caller ID information provided the website IT Admin with a name, physical address and other information from the computers URL.

7. It offered her a screen saver through download that could be upgraded for certain behaviors. The offered link was to site only identified by xxx.xxx.xxx.xxx.

Upon linking to the home page of that nameless/numbered site, she discovered that the site was a prominent US computer company using an overseas site to provide the freebee.

8. She registered for a contest by a providing name, address, e-mail, b-day, & gender with a site not listed on the primary privacy statement, but was listed as "Part of xxxxxxx.com network" on the contest form. The contest was embedded in the primary site with a current kid theme. Upon completion of the entry form, she found out that another site was running the contest. She opened the other site to check it out. The contest sponsor site could be classified as having "material appropriate for adults who want sexual information".

The conduct speaks for itself but we feel obligated to make one further comment. Our observation is that the combination of planting the recording applet and directing a child to an 800 number is probably the most offensive act of privacy on an entire household through the use of an innocent child. There is no parental defense for such an act. We recommend that the commission consider all plug-ins offered to children under 13 to do either or both of the following:

Recommendation #1 That any applet offered as part of a page used by a child under 13 be required to add itself to the end of a list of downloads that a parent could review.

Recommendation #2 Any applet offered as part of a page for a child under 13 is only temporary and ceases to exist when the computer is turned off. This feature would allow the child to access the computer but the parent will be able to erase any potential privacy invasion.

Question 24a b c – Operators to establish and maintain reasonable procedures - The industry uses a secure server to transmit sensitive information for adults because the Internet has leaks. It is widely accepted that a person with a technical level of expertise can monitor other sites information transfer. The web site should be required to use a secure server to transmit children’s information to them. This will prevent the site from convenient leaks of information without the repercussions of improper disclosure.

Safe Harbor:

The concept of Safe harbor is clearly the best incentive for the Internet industry to monitor its privacy activities. As proposed currently, there are problems, which will render this act totally ineffective in the prosecution of violators. We believe that the system can be slightly modified and close up the problem.

We suggest that:

The regulation require the registration of all companies offering a shield program that would qualify participates for safe harbor status at no charge.

FTC Issue its own shield verifying that the Service Company is a registered to provide safe harbors.

Publish on web a list of violators of either privacy act for a period of three years.

Require shield /safe harbor providers to monitor clients, quarterly.

Require shield / harbor companies to actively seek feedback with a response form on the verification page.

Require shield companies to maintain customer complaints for three years, reporting through a standardized database format.

Update and cross-reference databases every 6 months to FTC & carry cross-ref database for companies who change name

Forward every investigation to FTC, who would make the decision to list or sanction.

There is a perfect example of the current system failure. A shield company cited a fortune 500 company. The company made statements on the privacy statement that was contrary to the actual privacy conduct. A citizen complained to the shield for improper handling and collection policies. The fortune 500 company admitted the improper procedure publicly only after disclosure by a third party. The shield company investigation concluded that they had indeed violated the policy, yet took no action. Publicly published statements confirmed this by the Shield Company.

Question 25,26,27,28 - These are ideal topics for the upcoming workshop where brainstorming will perfect the product.