Slashdot Mirror


Federal Trade Commission Wants More Online Privacy

orpheus writes: "According to this article, the U.S. Federal Trade Commission has completed a review of Web site privacy policies, and voted 3-2 to seek Congressional legislation to improve user privacy on the Web. According to Jason Catlett, president of Junkbusters Corp, the grading was "very easy", but most Web sites flunked anyway."

13 of 88 comments

  1. Let's try not to just react here... by Phizzy · · Score: 3

    I know everyone and their mother is going to post saying something along the lines of "oh no, congressional legislation is going to kill [anonymity/privacy/freedom/little puppies] on the web, we have to stop these uninformed lawmakers from making any laws about the internet before they destroy it"

    OK.. that's valid, but it's not going to do anything to help. Lawmakers are in office because they want to do things to (in their eyes, and supposedly the eyes of their constituents) help, and they are fairly convinced, probably by the fact that they are elected officials, that they should be the ones to make changes to try to help. I don't think we're going to be able to persuade them from that belief, so yelling and screaming about how uninformed and non-technical politicians shouldn't be making technology laws isn't going to help anything. What WILL help is either a) educating the politicians so that they believe themselves that keeping anonymity and privacy will be beneficial to the internet and to society as a whole or b) convince them that their constituents believe this.

    A is a tall order.. congressmen did not grow up in our generation, they do not understand the kinds of changes the internet is going to bring, so we should focus our efforts on B. Make yourself heard, and not just by writing your congressman (which is good as well), but also by telling people you know, your family and friends, people you meet, etc our point of view. If more people can be made to understand this the way it really is rather than having their views shaped by the equally ignorant and hype-prone media.

    Spread the word!

    //Phizzy

    --
    "Most European technology just isn't worth our stealing," -- Former CIA chief James Woolsey, referring to Echelon
    1. Re:Let's try not to just react here... by mbaker · · Score: 3

      Actually, the Government (federal and state) both enact many laws, levy many taxes, and have sued tobacco companies. They're also the people that force the tobacco companies to put those nifty little warnings on tobacco products, informing the consumer that they pose a health hazard.

      There're many reasons why the Government doesn't just abolish tobacco altogether, including the large number of farmers that make their living growing tobacco for the corporations, the millions of people that smoke and chew tobacco products, and of course the corporations that supply an economy for their states.

      A good number of politicians do, in fact, think they are doing the right thing. The pay for being a representative doesn't compare with being a doctor, lawyer, scientist, several different types of engineer, or corporate executive. The amount of power in being a representative, especially in the House, is also fairly small, given the distribution. This isn't to say that none of them are in the pockets of corporations, but to suggest that all politicians are somehow corporate whores is nonsense. We'd have nowhere near as pleasant a society, if all they did was bow down to multinational corporations.

  2. Its about time! by chompz · · Score: 4
    This is something I have pleaded for personally for quite some time at my university. Here the unix admin keeps logs of everyone's network usage, not just how much bandwidth we use, but what websites we are going to and things like that. What they did is they hired a student worker to wade through the pile of data stored on this daily and throw out 99% of the stuff. Not only is this an invasion of privacy if they did not know who owned what IP address, but they log who owns ethernet cards with what MAC address. No privacy at all, one time I was running an FTP server with all kinds of OSS on it, and they called me on the phone and accused me of distributing copyrighted material. The next time someone tried logging into my ftp server from there, I called his office within two minutes and asked what he was doing. It scared him that I noticed him right away, even though he was invading my privacy. What was also bad was he used a named account, not anonymous. I've never given him an account nor have I allowed more than a few individuals named accounts. I was pretty pissed, but I have been unable to do anything because of the overwhelming support from the administration the computing center has. The admins decided that I must have been doing something wrong, and because of that the unix admins were in the right to be searching around my computer.

    On a side note, I only use SSH now because of them, SSH for almost everything. Before I usually used SSH, but if I needed to I would use telnet. Now if a computer doesn't have SSHD running, I don't login to it.

    --
    Spring is here. Don't believe me, look outside!
    1. Re:Its about time! by sjames · · Score: 5

      Since you're using THEIR network to operate over, they have every right to monitor and log ANY traffic over that network, including MAC addresses, IP addresses,

      So your recommendation for privacy would be: 'buy the entire internet or shut up'? He is paying to use their network the same way you are (presumably) paying to use your ISP's network and your phone company's resources. Is it OK if your phone company pipes your conversations into the breakroom for the enjoyment of all?

  3. Privacy Standards by bwt · · Score: 3

    I'm worried that what will happen is that the FTC will adopt some lame standard that allows sites to say "look, we're FTC compliant" when in fact they are dealing out all sorts of privacy violations.

  4. Beware the small print in privacy policies by jsm · · Score: 4
    Just in case anyone doesn't know--

    Many privacy policies sound good, and give you that comfortable warm feeling that makes you trust them. HOWEVER, somewhere in the small print is a line like

    "Any info we collect about you will only be used by Foo Inc. or its carefully selected business partners."

    Yeah, carefully selected to give Foo Inc. the most money per demographic datum.

    Such a privacy policy can be worse than nothing, because it gives the user a false sense of security (much like bad encryption). These days, I simply don't trust any privacy policy; I figure there's always some loophole I missed.

    I'm not saying that every company means to deceive; I know for a fact that some companies truly value consumer privacy. Clauses like the one above may be needed to allow for outside contractors, etc. (but they should be more specific in that case). All I'm saying is that most privacy policies look a lot stronger than they really are, and that you could be screwed if you count on their protection.

  5. I just don't understand. by Hrunting · · Score: 5

    When I read the summary of this article and then the article itself, I thought, "Damn, it's about time," and I was pretty sure that the majority of Slashdotters would feel the same. It seems that one of the things that most people here agree on is that corporations are eroding the privacy of online participants and there's really nothing anyone can seemingly do about it. Along comes a government with the ability to effect at least some change in these corporations and Slashdotters are like, "No! Government regulation will be the death of the Internet. Down with government. Boo. Hiss." What the hell do people want here?

    I think it's naive of Slashdot to think that geeks alone are going to be able to convince corporations that they need to maintain the privacy of their customers. I think government intervention on an even more massive scale than the US government (read: international) is going to be required to safely ensure that we have access to what information is being collected, what is going to be done with that information, and who has the right to restrict that information. Corporations just won't do it on their own. I have never been to a corporate web site that would've passed the tests that the FTC used, and the tests were basic. They didn't cover anything about what was done with the information, only about how it's collected.

    But Slashdot plays this out like there is no good side. We say, "Oo, corporations are evil," but when someone (read: the government) tries to help us out against the evil corporations, we say, "Oo, governments are evil," and turn our back on one of our potentially greatest resources. How do you expect to reform the corporate world? By going around door-to-door like some geek Jehovah's Witnesses? The fact that Congress is controlled rather strongly by corporatist lobbiers means that these FTC recommendations have an uphill climb. We should be backing them if we want to see any of these suggestions come to bear (and from the slant of past Slashdot stories and posts, I'd say that most in the online community do).

    But what do I see when I finally read the posts? I see basically mistrust of the government and a refusal to take help from those who are offering it. Personally, I'll throw my support behind the FTC. I'd rather have an organization that is supposed to work for the people working towards my privacy goals than a corporation with absolutely no ties to me whatsoever.

  6. "Easy"? by Anonymous Coward · · Score: 3
    Wait a minute... they graded the sites on four items they consider essential, two of which are access to the collected data AND assurance that the data is secure. Give me a break!

    Accessibility and security are always at odds, especially on the internet. One thing that I have been saying for years, and will likely continue saying, is that if you want to secure your information, you must keep it away from the internet, period.

    There is no practical way to give J. Random Surfer internet access to his personal information as stored by an internet business without also giving it to any script kiddie who finds a way to crack the system. As long as the threat of intrusion exists, the data is at risk of unauthorized disclosure. As long as that risk exists, the only responsible thing to do with that data is to get it away from the internet as fast as it comes in. ALL DATA THAT CAN BE REACHED VIA THE INTERNET IS AT RISK OF UNAUTHORIZED DISCLOSURE.

    The referenced FTC report is so suspicious as to be, in my mind, totally discounted. Either the people who wrote it don't know how the internet works, or there's some hidden motive. I am most fearful of, and most likely to believe, the latter. FUD is a powerful weapon.

  7. Some things just don't go together. by Money__ · · Score: 4

    1) My name is ESR and I'm voting republican.
    2) My name is Hemos and I've never been in a /. poll.
    3) I'm from the government and here to help.
    ;)
    ___

  8. YOU are the protector of your own privacy by Lumpy · · Score: 4

    if you didn't turn off java and javascript, or all that other client side crap we have shoveled into our browsers now, use usenet with a fake email address, and munge every email address that your browser keeps, oh and turn off ALL cookies, then you are willingly giving this information out. you do not NEED any of these "features" to get what you want off the web. you do not NEED to have a slashdot login, you do not NEED to give any information to any website- period. Now, if you shop at a site, and you do NOT include in the notes that they cannot circulate your name/number/etc or use your info outside of that transaction, then you gave them the right to do it. They have every right to use the information they have just as we all scream "let information be free!" YOU are responsible to make your information ride with a EULA.

    Buy online? post your information EULA, stating that if they do not agree to keep your info private and not use it then to cancel your order, and destroy all information about you. that way they are legally bound (as we are legally bound by EULA's) to use your information as you requested. - and don't trust "geek" friendly sites...you set the terms of your information, and if they don't agree, they must destroy your data. Or sue their butts off.. It's time we used their tools against them!!

    EULA's for our personal Information!

    --
    Do not look at laser with remaining good eye.
  9. Before you point fingers.... by god_of_the_machine · · Score: 4

    ... look at slashdot.org. Does it pass the test?? Let's see, from the article: "offer consumers the four types of privacy protection the agency deems essential: a notice defining privacy policies, a choice as to how data collected by the site is used, access to that data and assurances that the data is secure."

    1) a notice defining privacy policies.
    YES, at http://andover.net/privacy.html (link on the left of the page)

    2) a choice as to how data collected by the site is used.
    NO, though the editors have talked about adding an option for opting-out of book publishing deals.

    3) access to that data.
    NO, correct me if I'm wrong here...

    4) assurances that the data is secure.
    NO, at least not that I can find in the FAQ or the about sections.

    My point is that the criteria were pretty strict, as #2 and #3 are not readily available on most sites. I am really surprised that ANY sites offer #3. As for #4, it's pretty useless so I don't really care about it.

    So before you get all upset about all those sites failing... remember that privacy-respecting firms like Andover.net (I hope) fail too.

    -rt-

    --

    -rt-
    ** Evil Canadians are taking over the world. Learn about the conspiracy
  10. UK DPA: the gun in _your_ hand by pjc50 · · Score: 3

    Let me tell you a story that happened to a friend of mine. She was involved in college politics, and was worried that college were reading her email.

    So she came to me for help. I informed her of her rights under the Data Protection Act - the right to copies of any data any organisation had on her - and she asked college for the lot.

    A month later, college delivered a HUGE box of documents. They listed everything college knew, all her academic record (including confidential bits), interview reports, etc. Then some college council minutes in which her activities had been discussed.

    The moral of the story? DPA law is _good_ for individuals, _bad_ for companies. And you don't need a lawyer, just write a letter.