Barbara A. Dooley
Stuart P. Ingis
Ronald L. Plesser
Submitted June 11, 1999
I. Introduction and Summary
The Commercial Internet eXchange Association ("CIX") and PSINet Inc. ("PSINet"), by their attorneys, together submit these comments in response to the Federal Trade Commissions ("FTC") request for comment on its notice of proposed rulemaking for the Childrens Online Privacy Protection Act.
CIX is a trade association that represents more than 100 Internet service providers ("ISPs") who handle more than 90% of the United States Internet traffic. CIX members include large ISPs and many smaller local providers. CIX works to facilitate a climate for growth of the Internet as well as global connectivity among commercial ISPs in the United States and throughout the world.
PSINet, a founding member of CIX, was the first commercial ISP in the United States. Located in Herndon, Virginia, PSINet is a leading independent ISP in the United States and is also the second largest ISP in Japan and the Far East. PSINets network today includes more than 230 points of presence ("PoPs") in the United States, and more than 500 PoPs worldwide, each designed and built specifically to handle Internet traffic from customers that employ a range of access methods. PSINet offers a full line of services to business, government, and educational customers, including 37 of the Fortune 100 companies as well as the Federal Trade Commission.
PSINet and other CIX members continue to be at the forefront of efficient, innovative, and market-based Internet services to the public, providing consumers with access to the
Internet, web site hosting, e-mail account management, and numerous other services. PSINet engineers and executives have developed many of the most significant technical and product innovations in the Internets history. As the "gateway" to the Internet, CIX members and PSINet have a significant interest in ensuring an appropriate legal framework for the Internet.
The development of the Internet has occurred at a pace unprecedented in the history of communications, offering consumers tremendously diverse service offerings. The United States ISP market consists of more than 6,000 ISPs serving more than 60 million Internet users. We expect this market to continue to grow explosively, barring actions that would disrupt the growth of users and interfere with the development of the Internet.
One of the remarkable features of the Internet that has fostered its growth is the numerous layers of services that collectively compose the Internet. Included in these layers are facilities providers, information service providers, Web page developers, Web merchants, Web site hosts, content providers, and software developers. Although some providers of Internet services offer several or all of these services, many specialize in certain services, bringing innovation within their area of expertise.
CIX and PSINet support technological innovations as an effective means for protecting the privacy of children online. We are particularly concerned that the Commissions childrens privacy regulations not burden ISPs unnecessarily. The final rules must allow for flexibility in compliance to ensure the continued development and growth of the Internet. Any legal framework governing childrens privacy and the Internet should not unduly burden ISPs in providing communications functionsincluding Internet access, Internet backbone, and web hosting and related services such as cachingfor third-party users of their networks.
In addition, such a legal framework should adhere to the principles of Section 230 of the Telecommunications Act of 1996. Section 230 has played an important role in facilitating the tremendous growth of the Internet by avoiding imposing liability on ISPs for the content of third parties. To this end, any regulation of the Internet should distinguish between those services that own or control content and those that own or provide the underlying communications facilities and services for third parties. CIX and PSINet are particularly concerned about any proposal that would impose liability on Internet service providers for the content of others that is stored on or carried over their networks. Rules developed to apply to the Internet that extend unnecessarily across various services could inappropriately burden such services and chill diversified and innovative Internet offerings.
II. The Final Rules Should Make Clear That Absent Control of the Site and Use of Information Collected By the Site, Web Site Hosting Does Not Make An Internet Service Provider an "Operator" for Purposes of the Commissions Rules
One of the important services that CIX members and PSINet offer is that of web site hosting. This service offers individuals and organizations, including those directed at children, the ability to maintain web sites without having to own the expensive underlying facilities, such as Internet servers, and the bandwidth required to maintain access to a web site via the Internet. When ISPs provide web site hosting, the costs to maintain reliable and efficient connections are spread across many web site operators, including those with sites directed at children, allowing the costs of owning sites for all operators to be minimal. Through such offerings, web site owners are able to update their sites by connecting remotely to the Internet server that the ISP maintains.
Holding the hosting ISP responsible for collection of childrens personal information at sites that it hosts, but does not operate or control, could significantly increase the costs for all web site operators, with the effect of increasing the low barrier to entry that is so critical to the Internet. Such a result would adversely affect the experience for all users, not just for children. Moreover, holding the hosting ISP responsible for the collection practices of site operators provides no added benefit to children or their parents: the operators are already responsible for the collection practices at their sites.
Another important functionality provided by ISPs that should be excluded from the rules sweeping definition of "collection" is that of caching. The provision of caching services should not impose on ISPs the responsibilities of "operators" under the COPPA rules.
ISPs use caching to improve the efficiency of their networks and the Internet as a whole. Caching is a technique of distributing and temporarily storing Internet content, such as a web page, on multiple servers across the Internet. The servers are periodically refreshed as the content of the web page is updated. Caching allows an end user to retrieve a web page from the cache rather than the host computer. This dramatically decreases response time because the retrieve time from the cache is faster, and eliminates the burden of additional Internet traffic because requests are fulfilled by the more convenient cache server. An ISP may cache web pages at various points along the network that receive many requests for the same page.
Cached sites will automatically copy pages from web sites, which could include childrens sites. The purpose of such automatic copying at the cached site is to decrease transmission times and bandwidth requirements. The information that is copied is forwarded as though the data were being transmitted at the host computer of the web site. An ISP that is caching a site is in no different position with respect to the content of the web page than the hosting ISP¾ it simply copies and forwards information from the originating site and does not otherwise own or edit the web pages. Thus, liability should not be imposed on networks for their caching capabilities, even if they collect information as a result of the cache.
The NPRMs Commentary appears to accept these concepts, but the final rules should adopt them explicitly. The key factor is whether the ISP actually controls or owns the content of the site and discloses or makes use of information collected on the site other than for providing the underlying communications facilities or services for the controller of the content of the site.
The principle of not imposing liability on ISPs for content of others that is stored on or carried over their networks is a central feature of Section 230 of the Telecommunications Act of 1996. In adopting 47 U.S.C. § 230(c), Congress recognized the need to promote the continued development of the Internet and to preserve the competitive free market of the Internet, unfettered by federal or state regulation. In addition, Congress wanted to encourage the development of technologies that maximize user control and encourage the development of parental empowerment technologies. 47 U.S.C. § 230(b).
To that end, Congress expressly provided that Internet service providers should not be held liable for content that others supply. Thus, subsection 230(c) explicitly prohibits treating ISPs as the publisher or speaker of information provided by another information content provider. In addition, Section 230 shields ISPs from all civil liability under federal and state laws for restricting access to "objectionable" material and explicitly preempts inconsistent state law. 47 U.S.C. § 230(c)(2), (d)(3). Congress decided to apply this core principle horizontally across all areas of civil liability under federal and state law with the sole exception of liability for intellectual property violations. See § 230(d)(2). The principles embodied in Section 230 are equally applicable and important in the context of COPPA, and the rules should clarify that Internet service providers performing communications functions fall outside the scope of the term "operator."
Congresss judgment is well-founded in light of the realities of the Internet, realities that make ISPs incapable of serving as the "Internet police." ISPs that host web sites for others typically host tens of thousands of sites without knowing what content has been or will be placed on the sites. Moreover, the unique flexibility of the Internet allows web site owners to alter the sites content daily, hourly, or more frequently, without editorial input from the ISP. Furthermore, other fora on the Internet¾ including chatrooms, bulletin boards and newsgroups¾ allow millions of users to post material of their choice without ISPs having any editorial control. Any regulation that requires an ISP to police the content of any web site or other forum that it hosts is not practical. Responsibility for content and data collection should rest with the individual web site owner who is collecting the data. Self-policing by ISPs would be ineffective, intrusive, and highly burdensome given the massive scale on which ISPs would
have to effectuate such efforts. Moreover, holding ISPs liable, absent explicit knowledge, is impractical: ISP functions are too automated for an ISP to reasonably be aware of all information stored on or transmitted across its system.
Therefore, the principle of Section 230¾ placing responsibility for content on the content owner¾ must be preserved as it is essential to the growth of the Internet as a means of global communication and commerce. If Internet service providers may become liable for content on their servers that others supply, ISPs will have a powerful incentive to close the Internets "vast democratic fora," see ACLU v. Reno, 117 S. Ct. 2329, 2343 (1997), and to deny placement on their servers to businesses that cannot or will not indemnify them for potential illegal activities. The result would be higher costs, limiting entry of competitors and greatly reducing choices available to consumers.
For these reasons, the Commission should avoid imposing liability on ISPs for the acts of third-party end users and web site operators that affect childrens privacy.
The mere provision of Internet access or backbone service is not covered by the statute and should be specifically exempted from the Commissions rules. The proposed rule places restrictions and requirements, including notice requirements, on operators that collect or disclose personal information from a child. As currently drafted the definitions in the proposed rule fail adequately to tie the requirements to those operators that have activities directed toward children. The definitions outlined in the proposed rule suggest that all operators, not just those dealing with children, would be subject to the regulations, a result that we believe is broader than the Commission intended. This language should be clarified in the final rule.
A. The definition of "collection " is broader than necessary under COPPA.
"Collection" is defined as the "direct or passive gathering of any personal information from a child by any means, including . . . [a]ny online request for personal information by the operator regardless of how that personal information is transmitted." Section 312.2 (emphasis added).
We believe that this definition is broader than the Commission intended and broader than is necessary to protect childrens privacy. Such a definition could be interpreted to imply that merely subscribing for Internet access and being assigned an e-mail address or requesting customer service fall under the definition. For example, if an ISP advertises for subscribers on its site and then a potential subscriber submits information, including a request for an e-mail address for a child, then this submission would fall under the definition of collection.
If a child who already has an established account requires technical support and contacts the ISP, the ISP would likely require that the child provide a user name or e-mail address to examine the ISPs internal system and determine the nature of the difficulty. The ISP would in turn preserve a record of the contact in its customer service records. The giving of the e-mail address or user name under these circumstances could also be considered a collection and, therefore, subject to the rules. Arguably, an ISP that already holds information on a child, such as an e-mail address, is not "collecting" information when a child provides that same information to the ISP, which it already has, for technical support. However, this point is not entirely clear in the proposed rule. It should be the subject of an explicit exception or clarification that response to such requests is covered by the parental consent exceptions of 15 USC §6502(b)(2)(A) and (c)(ii) and does not require notice and opt-out.
A contrary result that considered such activities as collection would be troublesome for ISPs: merely signing up for Internet access through a local ISP or requesting technical assistance could implicate the rules. This result is far broader than anything contemplated by COPPA and is inconsistent with the plain language of the statute.
B. The definition of "disclosure" also is broader than the statute requires.
The breadth of the definition of the term "collection" is aggravated by similarly broad language in the definition of the term "disclosure." The definition of "disclosure" includes making publicly available "personal information collected from a child by an operator . . . by any means . . . that would enable a child to reveal personal information to others online." Section 312.2 (emphasis added). Offering Internet access "enable[s] a child to reveal personal information to others online." However, the service provider may collect the information unknowingly and entirely passively through a posting to a newsgroup for example¾ and may not see the information or have any rights to the information. If merely offering Internet access implicates the ruleseither under the collection or the disclosure definitionsthen all ISPs, not just those that are directed at children, could be obligated to comply with the rules. Imposing liability on the ISP under these circumstances reaches beyond the intent of COPPA and does not appear to protect the childs privacy. The provision of Internet access has never been regulated, and to do so would raise major policy issues.
C. The rules should not become a barrier to connecting classrooms and libraries to the Internet.
At a minimum, the Commission should relax requirements with respect to provision of Internet access and e-mail service to children through schools. Given the current definitions of "collection," "disclosure," and "notice," ISPs that provide access to students in elementary and junior high schools appear to be subject to the rules. However, to the extent that ISPs provide blocks of e-mail addresses or user names for the school to distribute to students, or to the extent that ISPs otherwise provide access without being able to identify individual students, the ISPs should be exempt from the rules.
Moreover, to the extent that these ISPs are subject to the rules and require parental consent, schools should be able to obtain parental consent on behalf of the ISP. In addition, this consent should be similar in nature and form to other consents that schools obtain from parents. Indeed, the discussion of the verifiable consent standard in the legislative history to COPPA is based on the understanding that the Commission will conduct a particular examination of consent in the context of Internet access offered through schools and librariesa topic completely missing from the NPRM. See Statement of Senator Bryan, 144 Cong. Rec. S11657.
To provide Internet service to school classrooms, for example, consents must be obtained through the school. Schools typically secure parental consent before a child receives access to the Internet through the school. The Commission should expressly provide that such consent meets the requirements of its rules for purposes of provision of Internet services to children in schools. Schools that simply provide Internet access and e-mail service to children through a for-profit ISP under the "E-rate" or other program should be not saddled with onerous regulation such as the voluminous notice requirements set forth in Section 312.4. Otherwise, the Commissions rules will simply create a duplicative burden on schools and a barrier to fulfillment of the goal of connecting classrooms and libraries to the Internet.
D. The rules should not apply to operators whose services are not directed to children.
As currently drafted, most of the operative requirements of the proposed rule appear to apply to the conduct of all operators, not just those covered by the statute. For example, Section 312.4(b) states that an "operator must post a link to a notice of its information practices with regard to children on the home page of its website . . .." Because the definition of an operator set forth in Section 312.2 is not limited to operators whose activities are directed at children or who know that they are dealing with children, this notice requirement imposes an obligation on every web site and every ISP, regardless of their contact with children, a result that is beyond the scope of the statute. Sections 312.5 through 312.9 contain the same drafting problem, and appear to reach far beyond the scope of the statute to impose strict liability on all operators.
The problem lies in the proposed rules limiting the scope of these requirements only by implication and only in the first sentence of the "general requirements" provision of Section 312.3, which in turn is contradicted by broader language in the second sentence of that Section, as well as in each of the sections setting forth specific obligations on operators. To resolve this drafting problem, a new sentence should be added to Section 312.3 or to the definition of an "Operator" specifically stating that the requirements of the rule do not apply in situations in which an operator does not have actual knowledge that it is collecting information online from a child through a web site or online service that is directed to children.
For these reasons, we recommend that the definitions of "collection," "disclosure," the parental consent requirement of Section 312.5, and the general requirements provision of Section 312.3 be modified to avoid imposing unnecessarily broad liability for the performance of Internet communications functions on behalf of third parties.
CIX and PSINet applaud the Commissions attempt through this proposed rulemaking to protect childrens privacy online. At the same time, we encourage the Commission to revise and clarify the proposed rules so that they do not chill technological innovation, the growth of the Internet, and the highly beneficial services that ISPs offer consumers.