Hi Toby, Jill, Abbe and David:

Thanks again for the opportunity to participate on the panels last week during the Workshop on Children's Privacy.  Following are a few suggestions not captured in my original feedback that were covered during the workshop:

* Privacy protection can be graded according to the level of intimate information shared.  In other words, free content sites are not required to register visitors.  For sites that want registered users to customize content, and will use that valuable information, there is an acceptable cost to verifying consent.   And for transaction-enabled sites, where personal information is needed, the value created in the transaction can support a process that causes an acceptable verification cost.  In general, most Internet sites today are content and community (not transactions), but do gain a value from the personal information collected, and should be willing to accept a reasonable cost to protect the precious resource of privacy.

* The Commission should strongly consider the approach of verifying the results of privacy protection, and encourage auditable accountability by businesses.  This means that the processes, methods and technologies can vary over time -- but the end result is the same:  protected private information.  One approach that may be useful is Performance Standards and Criteria.

* One implementable approach that can be used is to set up a scorecard system (possibly like http://www.gomez.com) that Commission staff can use to grade performance of sites.   The criteria that are used - both quantitative and qualitative - can be documented in a standards document.  A great example of this in Government is the Malcolm Baldrige Quality Award (http://www.quality.nist.gov/).   This Quality process outlines several Performance Standards and Criteria (http://www.quality.nist.gov/docs/99_crit/ovrvu99.htm) so that individual businesses can improve their ability to deliver results.   The Commission can use this type of approach to improve privacy, while suggesting metrics and approaches that are helpful.  There can also be an Award recognition, as a positive incentive, to those organizations that lead the way to better privacy and achievement of the Performance Standards and Criteria.

* Sample Performance Standards and Criteria can be categorized into categories, like Overall Safety of Site, Privacy Protection, Privacy Disclosure, Verification Frequency, and Verification Accuracy.

1. Overall Safety of Site:  The site has never allowed, enabled or permitted an act that has threatened or caused harm to a child.  The site has successfully deflected/rejected attempts to threaten or harm a child.  Potential Metric:  Zero incidents of harm.

2. Privacy Protection:  The site takes measures to categorize levels of consent, according to the activities on the site. The site sets up procedures and processes that affirm reasonable consent with regard to privacy. Potential metric:  A diagramed process flowchart of actions/procedures taken to verify consent.

3. Privacy Disclosure: The site has clearly stated disclosure of its privacy policies. These policies are written in plain English and can be clearly understood by the average user. Potential metric:  Privacy policy meets 5-10 criteria that must be disclosed. (This approach is already in use today)

4. Verification Frequency: The site regularly verifies the user base to confirm that children have parental approval and consent.  The site samples an appropriate number of users to make sure that an automated procedure is representative of a more labor-intensive process. Potential metric:  5% of all users are surveyed during the year and confirmed that verification/consent is given appropriately.

5. Verification Accuracy: The site has a high degree of confidence that users' privacy consent is valid.  The site regularly samples its users to re-confirm that information and privacy consent is given appropriately.   Potential metric:  Less than 1% of inappropriate verifications are found.

These are initial thoughts, and if appealing to the Commission, I am happy to discuss further.

Thank you very much, Paul

R. Paul Herman
CEO, iCanBuy.com
(415) 575 3520 Phone
(415) 575 3525 Fax
PaulH@iCanBuy.com