[Wg-p3] Fwd: draft of Question 1 response to FTC

j stollman stollman.j at gmail.com
Thu Oct 1 03:04:49 PDT 2009


We intend to discuss the note and attachment below on today's call.  Please
review in advance to expedite our discussion.

Thank you.


Hi Jeff,
I've only had time to have a quick look, and made some minor amends using
the track changes tool.

I agree that you have got the essence of the argument down, so a great
start. Thoughts occurred to me that:

- you could build out the explanation of 'granular' to include data
attribute AND data use in the assessment; I know that is implied in the
document but could be brought out more forcefull (e.g. my location being
used for direct marketing by e-mail, my last transaction shared with partner

- such an assessment is absolutely what is required, but will scare them;
perhaps we need to explain in more detail how it might be done (e.g. a
proposal from Kantara), and the meta value in doing so (i.e. the results are
not USA specific).

- you could make reference to the recent Canadian.gov grilling of Facebook
as a point of reference for other entities being prepared to go down a level
or two to protect consumers.

Here are some quick thoughts on questions 2 and 3, to be honest i've had
little time to look at this. Also, I probably won't make the call later
today - snowed under on a client project.

We can talk tomorrow or Monday if that suits?



*Question  2:*
Are there commonly understood or recognized consumer expectations about how
information concerning consumers is collected and used? Do consumers have
certain general expectations about the collection and use of their
information when they browse the Internet, participate in social networking
services, obtain products from retailers both online and offline, or use
mobile communications devices? Is there empirical data that allows us
reliably to measure any such consumer expectations?  How determinative
should consumer expectations be in developing policies about privacy?


There is some research available in this space in different geographies, but
in truth there is none that puts metrics around the issue. The Kantara
Initiative has a consumer research proposal in scoping at present which will
address this issue. It is likely that this will be taken forward as a
proposal to a consortia of interested parties and will then be completed
during 2010. We shall, with permission, including FTC in the list of
potential consortia members.

*Question  3: (i've only added some text at the end of your original)*
Do the existing legal requirements and self-regulatory regimes in the United
States today adequately protect consumer privacy interests? If not, what are
the particular privacy interests that warrant increased protection? How have
changes in technology, and in the way consumer data is collected, stored,
and shared, affected consumer privacy? What are the costs, benefits, and
feasibility of technological innovations, such as browser-based controls,
that enable consumers to exercise control over information collection? How
might increased privacy protections affect technological innovation?

Response:  FTC should promote the standardization of privacy policies.
The standardization of privacy policies would have the following benefits:

1.       Make it easier for consumers to read and understand such policies.
2.       Make it easier for consumers to make informed decisions about what
terms they are willing to accept.
3.       Facilitate the publication of educational materials (e.g., by
privacy groups like EFF) that help consumers understand the impacts of
various standard terms and might even include recommendations for
appropriate terms.
4.       Facilitate competition among service providers to provide
consumer-friendly privacy policies.

Today, privacy policies are lengthy legalese documents that intimidate most
consumers.  As a result, consumers ignore them and just click Yes.  And
because no serious work has been done to assess the risks of various
policies, they are unaware of the risks to which they expose themselves when
they blithely accept such contracts.

Privacy policies currently include similar information that lends itself to
standardization.  A standardized privacy policy could provide

1.      A first section checklist documenting what data items are collected.
2.      A second section detailing to whom the information is disclosed
(e.g., other departments of the same company, partner companies, third-party
aggregators, third-party enterprises, government, etc.).
3.      A third section detailing how the information is protected.
4.      A fourth section that includes opt-in/opt-out information for
releasing particular data or releasing it to particular third parties.

*It is also perfectly feasible (and indeed being worked on at present) to
create a serious of standard machine readable icons for a small range of
necessarily distinct standard privacy policies and the sub issues within
those contracts. Enabling these machine readable icons enables the privacy
policies to be included within web searches and in application development
to develop competition around enhanced levels of privacy.*

On 29 Sep 2009, at 01:30, j stollman wrote:


Here is my draft response to Question 1.  I welcome your feedback.  Feel
free to eviscerate this if you feel it is necessary.  I think it needs a lot
of work, but I think I got the gist of what I think needs to be said down on
the page.


Jeff Stollman
stollman.j at gmail.com
1 202.683.8699
<Recommend Risk Assessment.doc>

Iain Henderson
iain.henderson at mydex.org

This email and any attachment contains information which is private and
confidential and is intended for the addressee only. If you are not an
addressee, you are not authorised to read, copy or use the e-mail or any
attachment. If you have received this e-mail in error, please notify the
sender by return e-mail and then destroy it.

Jeff Stollman
stollman.j at gmail.com
1 202.683.8699
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-p3_kantarainitiative.org/attachments/20091001/64773f3c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Recommend Risk Assessment (ih).doc
Type: application/msword
Size: 34816 bytes
Desc: not available
URL: <http://kantarainitiative.org/pipermail/wg-p3_kantarainitiative.org/attachments/20091001/64773f3c/attachment-0001.doc>

More information about the Wg-p3 mailing list