Blessing in Disguise? (H.R. 98, the "Consumer Internet Privacy Protection Act of 1997")
This attempted legislation (see forward, below) is a blessing in disguise. It's just more proof that book-entry commerce isn't going to work on the net in the long run. SET looks like it's having problems with Japanese commerce rules, which is another example of this problem.

Cash settlement between blinded pseudonyms fixes all of these problems.

I like to joke that if digital commerce is flight, then book entry settlement is Boyle's Law, and cryptography is Bernoulli's law, viz,

+ Sending a credit card in the clear is jumping off a cliff. The height of the cliff you jump off is related to the number of times you send an unencrypted credit card number and the amount you charge. Credit card companies aren't going to be guaranteeing all those trades much longer if they lose too much money.

+ First Virtual is a tethered balloon. You're up in the air, but you don't know what for, because all the action is happening on the ground. ;-).

+ SET, Cybercash/coin, SSL, and other encrypted-channel book entry methods, is a dirigible. You're flying, but you're using minimally strong crypto like little aerodynamic fins to push the giant gas bag of book-entry settlement around.

+ Digital bearer certificate technology, like ecash, or MicroMint, or Millicent, is an airplane. It "flies" with "wings" of strong cryptography, which gives us reputation capital and enforcement, and instantly settled microintermediated transactions. Thus, like aerodynamic flight, it will be faster, cheaper, and easier to use than book-entry "dirigible" transaction methods.

Cheers,
Bob Hettinga

--- begin forwarded text

Date: Thu, 6 Feb 1997 11:24:09 EST
Reply-To: Law & Policy of Computer Communications <CYBERIA-L@LISTSERV.AOL.COM>
Sender: Law & Policy of Computer Communications <CYBERIA-L@LISTSERV.AOL.COM>
From: "Jonathan I. Ezor" <jezor@NEWMEDIALAW.COM>
Subject: Congressional Bill worse for 'Net than CDA? (crosspost)
Comments: To: wwwac@echonyc.com, noend@laguna.taos.com, isales@mmgco.com, imarcom@internet.com
To: CYBERIA-L@LISTSERV.AOL.COM

Sorry for the crossposting, but I felt this one might be important enough to do it. The following is a shortened version of an article I've written for my firm's client newsletter about H.R. 98, the "Consumer Internet Privacy Protection Act of 1997", introduced by Rep. Bruce Vento (D. MN) on January 7, 1997. As the article describes, if the bill were enacted as drafted, Internet commerce could conceivably be stopped dead in its tracks, along with most of the reduced-fee-for-demographics online services. Privacy is quite important, and many of us have worked and are working extremely hard to protect privacy appropriately while still providing convenient services to users, but this bill is way beyond a reasonable approach.

I haven't seen much discussion about this bill, but it's now in committee, and the time to act may be upon us. Feel free to e-mail/call/fax/talk to me with any further questions. I look forward to your feedback.

{Jonathan}

Jonathan I. Ezor
New Media Attorney, Davis & Gilbert, 1740 Broadway, New York, NY 10019
Tel: 212-468-4989 Fax: 212-468-4888
E-mail: jezor@newmedialaw.com

-----------------------------Cut here-------------------------------

Congress Tackles Internet Privacy

Recently, there has been significant press coverage over real and rumored revelations of personal information such as Social Security numbers by online services, including the alleged availability (later shown to be untrue) of mothers' maiden names and Social Security numbers on LEXIS' P-Trak database, and various governmental bodies have held hearings on issues of online privacy. On January 7, 1997, Representative Bruce F. Vento (D. MN) introduced the "Consumer Internet Privacy Protection Act of 1997," (H.R. 98).

This bill provides that "an interactive computer service shall not disclose to a third party any personally identifiable information provided by a subscriber to such service without the subscriber's prior informed written consent." It requires online services to provide an express opt-out for subscribers at any time, prohibits services from knowingly distributing false information about users, and also mandates giving subscribers access to the information maintained about them for review, updates and corrections, as well as the identity of the party receiving the information, at no charge.

The bill authorizes the Federal Trade Commission "to examine and investigate an interactive computer service to determine whether such service has been or is engaged in any act or practice prohibited by this Act," and to issue a cease and desist order. Notably, it also provides that an individual may sue the violator directly without having to go through the FTC.

As a general matter, this bill enacts the practice of many online services and sites, and the position of most self-regulatory industry groups, by asking consent before revealing personally-identifiable information. But the bill goes well beyond the ordinary industry practice by requiring "prior informed written consent," which is defined in this bill as "a statement-- (A) in writing and freely signed by a subscriber; (B) consenting to the disclosures such service will make of the information provided; and (C) describing the rights of the subscriber under this Act." What this could conceivably mean is that services which have all of their registration online may be unable to fulfill this requirement.

Additionally, the bill is unclear about which online services will be subject to its provisions. It defines "interactive computer service" as "any information service that provides computer access to multiple users via modem to the Internet." This certainly covers dedicated Internet service providers (ISP's) and combination proprietary/Internet services like America Online and MSN. The bill may also cover services which depend on their ability to reveal certain information to advertisers in exchange for offering free Internet e-mail to their users. Beyond that, purely Web-based services may fall into the purview of this bill, depending on whether providing access via modem requires that the modem dial directly into the service in question or not.

Theoretically, this bill could even prevent online purchases absent a signed authorization form from each purchaser, because a service would have to reveal the name and address of the purchaser to the seller in order for the goods to be delivered. Even more troubling, the bill does not even provide an exception for information shared between a service owner and the company owning the computer hosting the service, regardless of whether there is a contractual obligation for confidentiality, since the hosting company has access to the information collected by the service about its users.

As with other bills of this type, it is important for any company intending to offer Internet-related services to individuals to follow and perhaps attempt to affect the path of the Consumer Internet Privacy Protection Act of 1997, since it could have significant impact on planned services, revenue sources and per-subscriber costs. For those interested in forestalling this type of governmental action, the best response may be to accelerate self-regulatory initiatives to deal with the valid concerns of consumers who may be providing information about themselves and their buying habits, either in the process of registration or while using the service. At the same time, the self-regulatory bodies can create rules based on the actual business practices and realities of their members, rather than drafting with a broad brush as Congress does in so many instances.

If companies are going to be able to take the greatest economic advantage of the interactivity of the Internet as opposed to traditional broadcast and print media, there needs to be some way of legally and ethically utilizing information provided by subscribers in order both to enhance the subscribers' experience and to gain revenue through appropriate business relationships with advertisers, retailers, and others who may wish access to consumers.

Copyright 1997 Jonathan I. Ezor, Davis & Gilbert. All rights reserved.

Jonathan I. Ezor is an attorney with Davis & Gilbert in New York City, practicing new media and computer law, focusing on the advertising industry. Mr. Ezor can be reached at jezor@newmedialaw.com.

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA
"Never attribute to conspiracy what can be explained by stupidity." -- Jerry Pournelle
The e$ Home Page: http://www.shipwright.com/rah/
FC97: Anguilla, anyone? http://www.ai/fc97/