Dec 2, 1999
 
To: Commerce Department

Copies to offices of:
Senator Richard Lugar, Indiana
Senator Evan Bayh, Indiana
Representative John Hostettler, Indiana

Comments on materials presented soliciting comment at:

http://www.ita.doc.gov/ecom/menu.htm

titled:  "The documents listed below are part of the Commerce Department's work to develop a "safe harbor" that would help U.S. organizations comply with the European Union's Directive on Data Protection."

My comments follow:

It is imperative, not only for future cooperation and commerce with the European Community, but for protection of the legitimate privacy interests of American citizens, that strong governmental regulations be put in place to protect consumers and citizens using the Internet for both business and personal purposes.

The heart of the issue lies in this paragraph in the draft at your web site:  "For sensitive information, (i.e. personal information specifying(3) medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual) they must be given affirmative or explicit (opt in) choice if the information is to be used for a purpose other than those for which it was originally collected or disclosed to any type of third party other than those already notified to the individual, or used or disclosed in a manner other than as subsequently authorized by the individual through the exercise of opt in choice. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice."

The principle of prior-opt in to use of personal data should be applied across the board, both in rules governing 1) use by entity collecting the data, 2) transmission / sharing of that data with third parties, and 3) use of that data for contact purposes, specifically subsequent e-mail contact.

I want to register my particular criticism of and disdain for the statement on your web site from the Direct Marketing Association. This group is currently in the midst of lobbying Congress to legitimize opt-out unsolicited bulk e-mail. They are proposing that opt-out be established as a standard, and that they operate the opt-out database. Yet they are refusing to allow their plan to give Internet Service Providers the right to opt their entire domain, including all e-mail addresses at the domain, out. This is not only unacceptable, it has already been clearly demonstrated as a failed approach to maintaining the integrity of e-mail. Rodney Jaffe, a member of the DMA, created an opt-out system a year ago, and its total failure, even though he permitted opt-out by total domains, clearly makes the case for why opt-out is unacceptable. The DMA is far too concerned with the rights of business over the rights of consumers and citizens, and has demonstrated repeatedly its lack of respect for the latter.

I am particularly galled by the DMA's callous and hypocritical references to 'balancing the legitimate interests of citizens against the legitimate interests of business.' What I see happening on the Internet right now is abuse by commercial entities and marketing interests that has created an environment so negative and untrustworthy that the potential for the advance of legitimate commerce is severely and negatively impacted. Trust is being rapidly destroyed.

The intrusive and selfish practices supported by the DMA are and will have the paradoxical effect of throttling and strangling legitimate commerce on the Internet.

The opportunities for abuse are all too easy, given the power of contemporary technology. Let me provide an example:

Real Audio was recently caught secretly transmitting data on the music played with their Real Jukebox product on people's computers connected to the Internet. Besides getting some well deserved bad press, they are now being sued for several 10's of millions of dollars over the incident. And they appear to have a permanent spot in the MAPS RBL realtime blacklist of spamming IP numbers, due to their adamant refusal to practice opt-in email. You could check this out at http://email-abuse.org/rbl/, the home page of the project, founded by Paul Vixie, an Internet founder and creator of the cron daemon on UNIX, among other piffling accomplishments and contributions to computing.

The New York Times reports today that Double Click is purchasing a massive database of personal preference consumer information, planning 'targeted' e-mails. Yet NONE of these people had any intention when visiting web sites, or when providing information in order to purchase products, that their personal preferences and data would be misused and abused in this fashion:

http://www.nytimes.com/99/12/01/news/financial/01click.html

Comet Systems offered software which was recently discovered to be designed so that it was surreptitiously tracking and reporting back to Comet Systems the web activity of those who downloaded and used the software. A report on this can be read at:

http://news.cnet.com/news/0-1005-200-1474252.html?tag=st.ne.1002.

In all of these cases, it is galling to read the disingenuous disclaimers of the corporations involved, which usually boil down to 'gosh, we did not think anyone would mind, and we are not really doing anything bad with the data.'

The bottom line is, industry self-regulation is and will remain a total failure. The only thing that will protect consumers and citizens is law and regulation and standards set by the government AND ENFORCED by some meaningful mechanism, that should include the right of private action by affected citizens.

The power of emerging technologies is simply too great and offers too many easy avenues of abuse. American citizens don't deserve to be second class, and suffer less protections of their privacy and the integrity of their personal data, than citizens in Europe, or anywhere else in the world. We should be leading and setting standards, not scrambling to catch up, as is, sadly, the case currently.

Thanks for the opportunity to register these comments.

NOTE: These remarks have been presented as a private citizen, not in my professional capacity and position at Indiana University.

Ronald D. Edge