COMMENTS OF MICROSYSTEMS SOFTWARE CONCERNING CONSUMER ON-LINE PRIVACY-P954807

Microsystems Software

April 15, 1997

Secretary
Federal Trade Commission
Room H-159
Sixth Street and Pennsylvania Ave. NW
Washington DC 20580

RE: Consumer Privacy 1997 -- Request to Participate P954807

Please accept this letter as the official request to participate in the upcoming Consumer Privacy Workshop to be held in June. Enclosed please find six (6) copies of Microsystems Software's comments on Consumer Privacy 1997 Comment P954807.

As the developer of Cyber Patrol, the leading Internet filtering software, our comments are specifically related to technological developments in the filtering and privacy area. As a panelist, our representative would be prepared to speak about existing technology as well as future developments that might improve overall privacy efforts.

I can be reached at 508 879 9000 x113 or via fax at 508 626 8716, and look forward to hearing from you in the near future.

Sincerely,

Susan J. Getgood
Susan J. Getgood
Director of Marketing

cc: via fax, Caroline Curtin, FTC

Microsystems Software, Inc.
600 Worcester Road
Framingham , MA 01702-5342
Tel: (508) 879-9000

Sales
Cyber Patrol: (800) 828-2608
CaLANdar: (800) 489-2001
HandiWARE: (800) 828-2600

Fax
Main: (508) 626-8515
HandiWARE: (508) 879-1069
Support: (508) 879-0950

Internet
e-mail: Info@microsys.com
http://www.microsys.com
http://www.cyberpatrol.com

MICROSYSTEMS SOFTWARE INC.
Committed to Software Solutions

Microsystems Software, Inc., a privately-held company based in Framingham, Massachusetts, was founded in 1989 by the husband and wife team of Debra and Richard Gorgens to produce software that would give disabled people access to computers and the on-line world. Using their own money, the couple worked to build a line of software for persons with disabilities that now includes products ranging from screen magnification for the visually impaired to word prediction and on-screen keyboards.

In 1995, Microsystems Software Inc. saw concern growing over Internet content that was inappropriate for children. The Gorgens -- who have six children -- created and introduced Cyber Patrol to help parents and educators manage children's access to on-line information and the Internet. Cyber Patrol, which blocks sites inappropriate for children, is now the world's leading filtering software. Sites to be blocked are selected by a team of parents and teachers hired by Microsystems to surf the Web using state-of-the-art technology to find sexually explicit, violent or hateful material. This list of sites, the CyberNOTs, is provided to parents who can then add additional sites or delete sites based on an individual child's interests, needs and age. In addition to the blocked CyberNOT sites, Cyber Patrol provides a list of CyberYES sites selected for their educational and entertainment value to children. Cyber Patrol also allows parents to control how much time, and when, children are on-line.

Last summer. Microsystems Software Inc. introduced the feature-enhanced Cyber Patrol 3.0 which includes ChatGard, a way of keeping children from divulging personal information to strangers in cyberspace. Cyber Patrol's technology is offered exclusively by all of America's largest on-line service providers -- America Online, Ameritech, AT&T, Bell AtlanticNet, CompuServe, GTE, Prodigy, Scholastic Net and others.

Technological Developments

2.14 Has interactive technology evolved since June 1996 in ways that could address online privacy issues? To what extent is it currently available and being used by consumers and commercial web sites?

There are 4 main components to the privacy on Internet issue.

1 . Information gathered without user's specific knowledge or consent such as clickstream data or cookies;
2. Use of information -- specific and general (aggregate) for market research or marketing, with the necessary distinction between information gathered with consent and information gathered without consent.
3. Resale of information gathered -- specifically names, e-mail addresses etc.
4. Invasion of privacy through unwanted (junk) e-mail

Below we address recent as well as imminent developments in some of these areas as they relate to consumer privacy on the Internet. The issue of children's privacy is a subset of the larger privacy issue and contains a specific component: at what point is parental consent necessary, and how is it implemented, for the above mentioned activities.

Cookies
Currently, users of the most popular browsers can set their browser to advise them when a web site is trying to "set a cookie" and either allow or refuse the activity. The notice provided, however, doesn't really give the user sufficient information as to what the cookie will actually gather as information or provide the user as a benefit. Further, once the user grants permission for the cookie, the site will not ask again until the expiration date of the cookie as defined by the web site. In other words, it is hard to change your mind.

Cookies do provide benefits to users. If you are a frequent customer of a particular web site, you might want to have a cookie saved with your recent transactions, or your general color preferences or whatever information might help the vendor better serve your needs. However, users also want control over what information is gathered and how this information will be used. Parents may want a greater degree of control over the information gathered and used about their children.

Web sites that use cookies should clearly say so, clearly state the benefit of the cookie to the user and provide the user the option to not be "cookied." The current implementation of cookies is not sufficient in this regard.

Add-on commercial solutions are currently available and in development that improve upon the idea of "Notice" and give the consumer more flexibility in terms of permissions granted and for how long. A successful resolution to the issue of cookies and privacy requires two elements:

  • cooperation of web sites to both publicize and promote their cookies. This allows the consumer to make an informed choice about whether he wants the value provided by the cookie.
  • software solutions on both clients and servers that enable flexibility in the transactions and allow users to dynamically allow or refuse cookies. In particular, solutions are needed that will allow parents to set preferences for their children surfing unsupervised.

P3 - Platform for Privacy Preferences
An industry effort currently underway is the Internet Privacy Working Group, an industry coalition brought together by the Center for Democracy and Technology. The members of this group, along with the Worldwide Web Consortium and the PICS Developers Group are working on an extension of the PICS language called P3, or Platform for Privacy Preferences. Microsystems Software is part of this effort.

The key components are:

  • using PICS to create a label that indicates a site's privacy practices (what information is gathered and how it is used);
  • using PICS to create a label that indicates a users privacy preferences (what information may be gathered and how it may be used);
  • using PICS readers such as the Internet browser or Microsystems Software's Cyber Patrol to store the users privacy preferences and then match them with the site's privacy practices.

The P3 vocabulary is due later this spring. When it is available, some of the key steps to ensure widespread adoption include endorsement and adoption by industry, web site developers and owners and the availability of server and client software to support the privacy negotiation and integrate with other systems.

For example, on the server side, if data gathering is permitted by the user, the web site will need to interface with in-house databases in the proper fashion. For the consumer's PC, it will be necessary to develop client software that handles multiple privacy preferences per family, and specifically allows adults to make decisions on the fly for themselves as well as define privacy preferences for children surfing unattended.

ChatGard
The privacy profile could also operate in conjunction with a Cyber Patrol feature called ChatGard which was demonstrated last June at the first FTC Privacy workshop. ChatGard is an outbound filter that parents use to specify the important bits of information that children cannot give out on-line in a chat room or on a web site such as name, address or phone number. Currently, ChatGard will prevent the child from divulging the information absolutely. However, in the future, it could incorporate elements of P3. If a site matches the privacy selection for a child, certain personal information might be divulged. If not, the child would still be allowed to visit the site, but could not divulge personal information. For example, if the site has a strict privacy policy, a parent may be comfortable with the child revealing his first name so he can have a fun, personalized time on the site. On a site that isn't so private, however, this data might be blocked.

2.19 Are there technological developments that might serve the interests of consumers who prefer not to receive unsolicited commercial e-mail? If so, please describe.

Currently, most e-mail filtering solutions exist at the user end; users can organize their e-mail to improve efficiency in reading but there is little available to prevent delivery of unwanted e-mail and/or to prevent "theft" of e-mail addresses from public spaces to build spam lists.

Initiatives underway include the Direct Marketing Association's proposed e-mail preference service, which will mirror its telemarketing and mail preference lists. Microsystems has already provided comment to the DMA on this effort, and intends to respond to the RFP.

Even with such systems, however, users will still want the ability to control their own mail -- they may want to be off some lists, and not others. They may want to have different standards for their children than for themselves. For this reason, we believe that e-mail filtering software on the client side is bound to evolve over the next year and would expect this software to address both personal filtering (adults filtering their own mail) and adults filtering children's e-mail (at home or at school) to ensure that mail can be read by a child unattended only if from known senders.

Technological Developments (vis children's privacy)

3.14 Has interactive technology evolved since June 1996 in ways that could address children's on-line privacy issues? To what extent is it readily available; currently in use; easy to use; effective in preventing children from disclosing personally identifiable information.

There are 4 main components to the privacy on Internet issue.

1 . Information gathered without user's specific knowledge or consent such as clickstream data or cookies;
2. Use of information -- specific and general (aggregate) for market research or marketing, with the necessary distinction between information gathered with consent and information gathered without consent.
3. Resale of information gathered - specifically names, e-mail addresses etc.
4. Invasion of privacy through unwanted (junk) e-mail

Below we address recent as well as imminent developments in some of these areas as they relate to consumer privacy on the Internet. The issue of children's privacy is a subset of the larger privacy issue and contains a specific component: at what point is parental consent necessary, and how is it implemented, for the above mentioned activities.

Cookies
Currently, users of the most popular browsers can set their browser to advise them when a web site is trying to "set a cookie" and either allow or refuse the activity. The notice provided, however, doesn't really give the user sufficient information as to what the cookie will actually gather as information or provide the user as a benefit. Further, once the user grants permission for the cookie, the site will not ask again until the expiration date of the cookie as defined by the web site. In other words, it is hard to change your mind.

Cookies do provide benefits to users. If you are a frequent customer of a particular web site, you might want to have a cookie saved with your recent transactions, or your general color preferences or whatever information might help the vendor better serve your needs. However, users also want control over what information is gathered and how this information will be used. Parents may want a greater degree of control over the information gathered and used about their children.

Web sites that use cookies should clearly say so, clearly state the benefit of the cookie to the user and provide the user the option to not be "cookied." The current implementation of cookies is not sufficient in this regard.

Add-on commercial solutions are currently available and in development that improve upon the idea of "Notice" and give the consumer more flexibility in terms of permissions granted and for how long. A successful resolution to the issue of cookies and privacy requires two elements:

  • cooperation of web sites to both publicize and promote their cookies. This allows the consumer to make an informed choice about whether he wants the value provided by the cookie.
  • software solutions on both clients and servers that enable flexibility in the transactions and allow users to dynamically allow or refuse cookies. In particular, solutions are needed that will allow parents to set preferences for their children surfing unsupervised.

P3 - Platform for Privacy Preferences
An industry effort currently underway is the Internet Privacy Working Group, an industry coalition brought together by the Center for Democracy and Technology. The members of this group, along with the Worldwide Web Consortium and the PICS Developers Group are working on an extension of the PICS language called P3, or Platform for Privacy Preferences. The key components are:

  • using PICS to create a label that indicates a site's privacy practices (what information is gathered and how it is used);
  • using PICS to create a label that indicates a user's privacy preferences (what information may be gathered and how it may be used);
  • using PICS readers such as the Internet browser or Microsystems Software's Cyber Patrol to store the users privacy preferences and then match them with the site's privacy practices.

The P3 vocabulary is due later this spring. When it is available, some of the key steps to ensure widespread adoption include endorsement and adoption by industry, web site developers and owners and the availability of server and client software to support the privacy negotiation and integrate with other systems.

For example, on the server side, if data gathering is permitted by the user, the web site will need to interface with in-house databases in the proper fashion. For the consumer's PC, it will be necessary to develop client software that handles multiple privacy preferences per family, and specifically allows adults to make decisions on the fly for themselves as well as define privacy preferences for children surfing unattended.

ChatGard
The privacy profile could also operate in conjunction with a Cyber Patrol feature called ChatGard which was demonstrated last June at the first workshop. ChatGard is an outbound filter that parents use to specify the important bits of information that children cannot give out on-line in a chat room or on a web site such as name, address or phone number. Currently, ChatGard will prevent the child from divulging the information absolutely. However, in the future, it could incorporate elements of P3. If a site matches the privacy selection for a child, certain personal information might be divulged. If not, the child would still be allowed to visit the site, but could not divulge personal information. For example, if the site has a strict privacy policy, a parent may be comfortable with the child revealing his first name so he can have a fun, personalized time on the site. On a site that isn't so private, however, this data might be blocked.

3.19 Are there technological developments that might serve the interests of parents who prefer that their children not receive unsolicited commercial e-mail?

Currently, most e-mail filtering solutions exist at the user end; users can organize their e-mail to improve efficiency in reading but there is little available to prevent delivery of unwanted e-mail and/or to prevent "theft" of e-mail addresses from public spaces to build spam lists.

Initiatives underway include the Direct Marketing Association's proposed e-mail preference service, which will mirror its telemarketing and mail preference lists. Microsystems has already provided comment to the DMA on this effort, and intends to respond to the RFP.

Even with such systems, however, users will still want the ability to control their own mail -- they may want to be off some lists, and not others. They may want to have different standards for their children than for themselves. For this reason, we believe that e-mail filtering software on the client side is bound to evolve over the next year and would expect this software to address both personal filtering (adults filtering their own mail) and adults filtering children's e-mail (at home or at school) to ensure that mail can be read by a child unattended only if from known senders.