----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 23 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 23 June 7, 1996 CONTENTS: (1) Congress/FTC Focus on Online Privacy Issues - Solutions Differ (2) Text of EFF, CDT, PFAW, VTW Letter to Rep. Franks (R-NJ) on impact of "Children's Privacy" Bill (3) Join Senator Burns Live Online June 11, 10pm ET (4) How to Subscribe/Unsubscribe (5) About CDT, contacting us ** This document may be redistributed freely with this banner in tact ** Excerpts may be re-posted with permission of <editor@cdt.org> ----------------------------------------------------------------------------- ** UPDATE: DECISION IS NEAR IN FIGHT TO SAVE FREE SPEECH ONLINE ** An announcement from the Court is expected any time. Be sure to visit http://www.cdt.org/ciec/ for the latest news and information! ----------------------------------------------------------------------------- (1) CONGRESS/FTC FOCUS ON ONLINE PRIVACY - OFFER DIVERGENT SOLUTIONS The increasing use of the Internet by children, combined with the ease of collecting personal information online, raise serious privacy issues. However, while there is broad consensus on the goal of giving people more control over the collection and use of personal information online, some of the solutions being offered may have far-reaching, though perhaps inadvertent, impact on the free flow of information in interactive media. Over the past several months, concerns about the availability and use of personal information in the online world, particularly with respect to the collection and use of information about children, have prompted the Congress and the Federal Trade Commission (FTC) to seriously consider this important issue. The approaches to this issue fall broadly into two distinct categories: * Create Criminal Penalties For The Collection And Use Of Personal Information About Kids Without Parental Consent. * Encourage The Development And Use Of Technologies That Enable Users and Parents To Limit The Amount Of Personal Information They and Their Children Reveal Online. Legislation designed to restrict the collection and use of personal information about children without parental consent was recently introduced by Rep Bob Franks (R-NJ). The bill has sparked concerns from cyber-rights advocates that it may end up increasing the collection of personal information online and result in restrictions on the free flow of information (see the attached letter from EFF, People for the American Way Action Fund, VTW, and CDT below). Recent hearings before the FTC emphasized the broad consensus about the need to give individuals more control over the collection and use of personal information. The FTC hearings highlighted the availability of technologies which empower users and parents to exercise more control over the collection and use of such information, and the possibility that existing methods, including the PICS standards, can be enhanced to enable users to express preferences about how and to what extent they are willing to have personal information reused (although much work needs to be done before this is fully implemented). In addition, Rep. Ed Markey (D-MA), a long time champion of privacy issues, told the FTC panel that he would like to encourage the development of technologies that enable users to control the amount of personal information they reveal online. Markey also emphasized that Congress should consider legislation in this area if such technologies are not developed or are not effective. Markey told the FTC: "We should see if there are technological tools that can empower consumers. Where they don't exist, or where a particular industry refuses to embrace this code of electronic ethics in a way that solves this problem, then the government is obliged to step in and do something." Markey also announced that he intends to introduce legislation soon to give consumers the right to know that information is being collected about them, notice that personal information may be reused or sold, and the right to say "no" to the reuse or sale of their personal information. Markey's legislation would also commission a study of existing online privacy practices (The full text of Rep. Markey's statement is available at CDT's privacy issues web page URL below.) The FTC hearings illustrated that there is broad concern about the collection and use of personal information online. There was also great substantial support expressed for technological solutions to address this issue. As a result, the FTC has requested that the industry report back to the Commission in 6 months on progress towards developing technologies that enhance user control over the collection and use of personal information online. CDT is encouraged that Congress and the FTC have taken such strong interest in the issue of online privacy, and we look forward to working with all interested parties to ensure that solutions give users control over the collection and use of personal information and do not adversely affect the free flow of information online. More information, including CDT's testimony before the FTC panel and Rep. Markey's statement, and a demonstration illustrating the amount of personal information collected during the normal course of surfing the Web, can be found at CDT's Privacy Issues page: http://www.cdt.org/privacy/ ----------------------------------------------------------------------- (2) Letter from EFF, PFAW Action Fund, VTW & CDT to Rep. Bob Franks Regarding "Children's Privacy" (HR 3508) Bill The following letter was sent last week to Representative Bob Franks (R-NJ) regarding the "Children's Privacy Protection and Parental Empowerment Act" (HR 3508) from the Electronic Frontier Foundation, People for the American Way Action Fund, the Voters Telecommunications Watch, and the Center for Democracy and Technology. Among other things, the groups expressed concern that, as currently drafted, the bill raises some of the same privacy and free flow of information issues raised by the Exon/Coats "Communications Decency Act" to the extent that it is extremely difficult to know whether or not a person visiting a web site is or is not a child without requiring all visitors to identify themselves. While commending Rep. Franks for his efforts and expressing support for the goal of his legislation, the letter outlines several concerns about the impact of the bill on the Internet. The groups pledged to work with Rep. Franks and other interested members of Congress to explore technological solutions which empower users and parents to control the use of personal information and preserve the free flow of information. The Franks bill enjoys broad support from a number of conservative "pro-family" groups such as the Christian Coalition, Enough Is Enough!, and the National Law Center for Children and Families, as well as privacy groups such as EPIC, Privacy Times Publisher Evan Hendricks and Privacy Journal Publisher Robert Ellis Smith. The text of HR 3508 is available at: http://www.cdt.org/privacy/children/ The full text of the letter from EFF, PFAW Action Fund, VTW and CDT follows: ---------- June 4, 1996 Representative Bob Franks 429 Cannon House Office Building Washington, DC 20515 Dear Representative Franks: We are writing to commend your efforts to protect children's privacy. We are pleased that you have begun a process to put these important issues at the center of the political debate. We believe, however, that the solutions recommended in your bill, -- the "Children's Privacy Protection and Parental Empowerment Act" (HR 3508) -- particularly as they relate to the exchange of information on the Internet, will not only increase the collection of information about children in certain circumstances but will also criminalize behavior in a vast array of unintended situations, thereby compromising the free flow of information online. With the rising popularity of the Internet and commercial online services, concerns regarding the vulnerabilities of unsupervised children's activities online must be addressed. Indeed, although the Internet offers children unprecedented and important new educational and recreational opportunities, the medium also may offer access to inappropriate material, or exposure to unfair marketing or information collection practices. Solutions to these problems must be carefully analyzed and should take into account both the unique nature of the Internet, as well as the multitude of First Amendment and privacy rights at stake for all who seek to read, communicate, and associate with others in the online environment. In fact, the Federal Trade Commission (FTC), whose responsibility it is to police the existence and proliferation of unfair or deceptive advertising and information practices has scheduled hearings for June 4 and 5 to look at these very issues as they apply to the Internet. Because your bill was drafted to apply to all media we are concerned that its application in the Internet context may lead to unintended consequences. We ask that you examine, together with the FTC, the unique qualities of the Internet and the problems that result from regulating activity at the information publisher or Web site operator end. In its application to the Internet, the Children's Privacy Protection and Parental Empowerment Act is both over-inclusive, covering virtually all who participate in the Internet, and ineffective, in that it leaves substantial loopholes for those who engage in the behavior at which the bill is targeted. The term "personal information," the basic regulatory target of the bill, is defined in such as way that it may include nothing more than an electronic mail address which by its nature, gives no indication of the age or physical location of a user. Furthermore, the term "list broker," is drafted to cover any entity which exchanges personal information in the course of its operation. The vast majority of World Wide Web site operators, as well as anyone who operates a listserv, mailing list or other information distribution mechanism, all collect, store, and may well exchange, email addresses. Then, unless Web site operators obtain parental consent before collecting information, they risk criminal penalties for violation of section (a)(4). The difficulty in compliance is two-fold. First, information providers on the Internet have no way of distinguishing children from adults. In fact, compliance with the bill could well lead to an increase in the collection of information about children and adults, only compounding privacy risks. Even with the imposition of an unacceptably intrusive national ID system (a system that none of us support), it would still be essentially impossible for an information publisher or Web site operator to establish the age of the user visiting the providers site. Second, the requirement to disclose the source of personal information about children to parents creates unclear new obligations on Internet information providers. In fact, many of the information providers who would be covered by your bill do not keep track of the source of their information and thus may not have the ability to comply with the statute. Compliance with this section could well lead to an increase in the overall collection of personal information about Internet users, thereby compounding privacy risks. Imposed identification procedures applied to the World Wide Web under the threat of criminal penalties would limit all Internet users' ability to read, speak, receive information and interact online under constitutionally-protected conditions of anonymity. Further, requiring parental consent in all instances or requiring providers to disclose information to parents collected from children fails to acknowledge the distinction between young children and teenagers and their rights under the Constitution. Finally, section (a)(6) which criminalizes any distribution or receipt of personal information where the receiver has knowledge or "reason to believe that the information will be used to abuse the child or physically harm the child" is well-intentioned, but potentially so broad as to cover anyone who receives and discloses personal information about a child. The bill establishes no clear standard of care or level of knowledge necessary to meet this requirement, leaving everyone on the Internet in doubt about whether or not they may be violating this new crime. Schools and organizations who publish directories as well as newspapers who publish the identity of a child in a news story could be subject to prosecution because they had "reason to know" that the information may end up in the possession of bad actors. Given all of these difficulties in applying your bill to the Internet, and given the importance of addressing children's privacy issues, we suggest that examination of alternatives is in order. Empowering parents to protect their children's privacy with existing technological tools and fair information practices by the industry will help ensure that the Internet continues to grow and thrive for both commercial and noncommercial endeavors. For example, software already on the market such as Cyberpatrol, as well as industry-standard technologies such as the Platform for Internet Content Selection (PICS) enable people -- including parents and their children -- to restrict access to sites which practice objectionable marketing and information collection techniques. At present, PICS technology, along with other innovative products, allows parents to filter and block-out materials that contain objectionable content or block access to sites with inappropriate or abusive marketing practices. Current technology can enable parents to: * prevent their children from accessing Web sites with inappropriate information practices -- as defined by the parent or a consumer or privacy organization of the parent's choice; * prevent their children from revealing personal information such as name, address, and e-mail address to others; * install security measures such as passwords that prevent their child from changing rules about Web site access or information disclosure, collection and use that the parent has established. The Internet community is already considering extensions to the PICS specifications which will enable individual users and parents to block the transmission of their personal information to Web sites they visit and to express a preference about how and to what extent they are willing to have personal information reused. PICS, Cyberpatrol and other technologies can help eradicate the deceptive and inappropriate practices your bill seeks to address without compromising the rights of users or content providers. Several of us have had the opportunity to talk with you and your staff about this legislation. We appreciate your willingness to discuss these issues and look forward to working with you in this important area in the hopes that technological alternatives combined with better industry practices and much more narrowly crafted legislation will help protect this nation's children in the online world, consistent with First Amendment and privacy principles. Sincerely, The Center for Democracy and Technology The Electronic Frontier Foundation People For the American Way Action Fund Voters Telecommunications Watch ---------- ---------------------------------------------------------------------------- (3) Join Senator Conrad Burns Live Online to Discuss Encryption Policy The Night Before His Subcommittee Holds a Hearing On the Issue! --> Visit http://www.hotwired.com/wiredside/ for details <-- In what is becoming the newest way for Congress to read the net.community's opinion on issues, Senator Conrad Burns (R-MT) will be on HotWired on June 11th @ 10pm EST to discuss the encryption issue with all attendees. The next day, Senator Burns will chair the first of two scheduled hearings on the encryption issue with industry luminaries. Never before has the public had this much access to legislators without geographical proximity. Cheaper than teleconferencing, and more direct and unfiltered than the traditional press, online chats allow the public to directly question and hear the answers of Congress. Have a question about encryption policy that you've never been able to find out from the government? Come to the HotWired chat and ask Senator Burns to be your advocate to press the witnesses and the White House on these issues. The online chat is at 10pm EDT (7pm PDT) on Tuesday June 11, the night before the first hearing. HotWired's WiredSide chat is at: http://www.hotwired.com/wiredside/ Next Tuesday's forum is another in a series of planned events, and is part of a broader project coordinated by CDT and the Voters Telecommunications Watch (VTW) designed to bring the Internet Community into the debate and encourage members of Congress to work with the Net.community on vital Internet policy issues. The transcript from last week's discussion with Congressman Rick White is now available -- for information about the transcript, previous events with other members of Congress, and upcoming events, please check CDT's newest Issues Page, "Congress and the Net": http://www.cdt.org/net_congress/ ------------------------------------------------------------------------ (4) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request@cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (5) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.23 6/7/96 -----------------------------------------------------------------------