Blessing in Disguise? (H.R. 98, the "Consumer Internet Privacy Protection Act of 1997")

Robert Hettinga rah at shipwright.com
Thu Feb 6 11:22:38 PST 1997



This attempted legislation (see forward, below) is a blessing in disguise.

It's just more proof that book-entry commerce isn't going to work on the
net in the long run.

SET looks like it's having problems with Japanese commerce rules, which is
another example of this problem.

Cash settlement between blinded pseudonyms fixes all of these problems.

I like to joke that if digital commerce is flight, then book entry
settlement is Boyle's Law, and cryptography is Bernoulli's law, viz,

+  Sending a credit card in the clear is jumping off a cliff. The height of
the cliff you jump off is related to the number of times you send an
unencrypted credit card number and the amount you charge.  Credit card
companies aren't going to be guaranteeing all those trades much longer if
they lose too much money.

+  First Virtual is a tethered balloon. You're up in the air, but you don't
know what for, because all the action is happening on the ground. ;-).

+  SET, Cybercash/coin, SSL, and other encrypted-channel book entry
methods, are a dirigible. You're flying, but you're using minimally strong
crypto like little aerodynamic fins to push the giant gas bag of book-entry
settlement around.

+  Digital bearer certificate technology, like ecash, or MicroMint, or
Millicent, is an airplane. It "flies" with "wings" of strong cryptography,
which gives us reputation capital and enforcement, and instantly settled
microintermediated transactions. Thus, like aerodynamic flight, it will be
faster, cheaper, and easier to use than book-entry "dirigible" transaction
methods.


Cheers,
Bob Hettinga



--- begin forwarded text


Date:         Thu, 6 Feb 1997 11:24:09 EST
Reply-To:     Law & Policy of Computer Communications
              <CYBERIA-L at LISTSERV.AOL.COM>
Sender:       Law & Policy of Computer Communications
              <CYBERIA-L at LISTSERV.AOL.COM>
From:         "Jonathan I. Ezor" <jezor at NEWMEDIALAW.COM>
Subject:      Congressional Bill worse for 'Net than CDA? (crosspost)
Comments: To: wwwac at echonyc.com, noend at laguna.taos.com, isales at mmgco.com,
          imarcom at internet.com
To:           CYBERIA-L at LISTSERV.AOL.COM

Sorry for the crossposting, but I felt this one might be important enough
to do it.  The following is a shortened version of an article I've written
for my firm's client newsletter about H.R. 98, the "Consumer Internet
Privacy Protection Act of 1997", introduced by Rep. Bruce Vento (D. MN) on
January 7, 1997.  As the article describes, if the bill were enacted as
drafted, Internet commerce could conceivably be stopped dead in its tracks,
along with most of the reduced-fee-for-demographics online services.
Privacy is quite important, and many of us have worked and are working
extremely hard to protect privacy appropriately while still providing
convenient services to users, but this bill is way beyond a reasonable
approach.  I haven't seen much discussion about this bill, but it's now in
committee, and the time to act may be upon us.  Feel free to
e-mail/call/fax/talk to me with any further questions.  I look forward to
your feedback.  {Jonathan}

Jonathan I. Ezor
New Media Attorney, Davis & Gilbert, 1740 Broadway, New York, NY 10019
Tel: 212-468-4989   Fax: 212-468-4888   E-mail: jezor at newmedialaw.com


-----------------------------Cut here-------------------------------

Congress Tackles Internet Privacy


        Recently, there has been significant press coverage over real and
rumored revelations of personal information such as Social Security numbers by
online services, including the alleged availability (later shown to be untrue)
of mothers' maiden names and Social Security numbers on LEXIS' P-Trak database,
and various governmental bodies have held hearings on issues of online privacy.
On January 7, 1997, Representative Bruce F. Vento (D. MN) introduced the
"Consumer Internet Privacy Protection Act of 1997" (H.R. 98).  This bill
provides that "an interactive computer service shall not disclose to a third
party any personally identifiable information provided by a subscriber to such
service without the subscriber's prior informed written consent."  It requires
online services to provide an express opt-out for subscribers at any time,
prohibits services from knowingly distributing false information about users,
and also mandates giving subscribers access to the information maintained about
them for review, updates and corrections, as well as the identity of the party
receiving the information, at no charge.  The bill authorizes the Federal Trade
Commission "to examine and investigate an interactive computer service to
determine whether such service has been or is engaged in any act or practice
prohibited by this Act," and to issue a cease and desist order.  Notably, it
also provides that an individual may sue the violator directly without having
to go through the FTC.

        As a general matter, this bill enacts the practice of many online
services and sites, and the position of most self-regulatory industry groups,
by asking consent before revealing personally-identifiable information.  But the
bill goes well beyond the ordinary industry practice by requiring "prior
informed written consent," which is defined in this bill as "a statement--

                (A) in writing and freely signed by a subscriber;

                (B) consenting to the disclosures such service will make of the
information provided; and

                (C) describing the rights of the subscriber under this Act."

What this could conceivably mean is that services which have all of their
registration online may be unable to fulfill this requirement.

        Additionally, the bill is unclear about which online services will be
subject to its provisions.  It defines "interactive computer service" as "any
information service that provides computer access to multiple users via modem
to the Internet."  This certainly covers dedicated Internet service providers
(ISP's) and combination proprietary/Internet services like America Online and
MSN.  The bill may also cover services which depend on their ability to reveal
certain information to advertisers in exchange for offering free Internet e-mail
to their users.  Beyond that, purely Web-based services may fall into the
purview of this bill, depending on whether providing access via modem requires
that the modem dial directly into the service in question or not.

        Theoretically, this bill could even prevent online purchases absent a
signed authorization form from each purchaser, because a service would have to
reveal the name and address of the purchaser to the seller in order for the
goods to be delivered.  Even more troubling, the bill does not even provide an
exception for information shared between a service owner and the company owning
the computer hosting the service, regardless of whether there is a contractual
obligation for confidentiality, since the hosting company has access to the
information collected by the service about its users.

        As with other bills of this type, it is important for any company
intending to offer Internet-related services to individuals to follow and
perhaps attempt to affect the path of the Consumer Internet Privacy Protection
Act of 1997, since it could have significant impact on planned services, revenue
sources and per-subscriber costs.  For those interested in forestalling this
type of governmental action, the best response may be to accelerate
self-regulatory initiatives to deal with the valid concerns of consumers who may
be providing information about themselves and their buying habits, either in the
process of registration or while using the service.  At the same time, the
self-regulatory bodies can create rules based on the actual business practices
and realities of their members, rather than drafting with a broad brush as
Congress does in so many instances.  If companies are going to be able to take
the greatest economic advantage of the interactivity of the Internet as opposed
to traditional broadcast and print media, there needs to be some way of legally
and ethically utilizing information provided by subscribers in order both to
enhance the subscribers' experience and to gain revenue through appropriate
business relationships with advertisers, retailers, and others who may wish
access to consumers.

Copyright 1997 Jonathan I. Ezor, Davis & Gilbert.  All rights reserved.

Jonathan I. Ezor is an attorney with Davis & Gilbert in New York City,
practicing new media and computer law, focusing on the advertising
industry.  Mr. Ezor can be reached at jezor at newmedialaw.com.

--- end forwarded text



-----------------
Robert Hettinga (rah at shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Never attribute to conspiracy what can be
explained by stupidity." -- Jerry Pournelle
The e$ Home Page: http://www.shipwright.com/rah/
FC97: Anguilla, anyone? http://www.ai/fc97/








