FTC: Consumer Privacy Comments Concerning The Netscape Communications Corporation--P954807
Sent Via Federal Express
6 June 1997
Re: DOC #67 Project 954807
Please find enclosed the following materials:
1. Background information describing the persons
Should you have any questions please contact me at 415.937.3719. Thank you.
Peter F. Harter
Netscape Communications Corporation
501 East Middlefield Road
1. BIOGRAPHICAL BACKGROUND INFORMATION
Peter F. Harter, Session 2, Panel 2
Peter Harter is the Global Public Policy Counsel for Netscape Communications Corporation. He has been with Netscape since November of 1995 and is based in Mountain View, California. Peter is responsible for issues such as export controls on encryption, copyright, standards, securities litigation, competition, Internet governance and privacy. Prior to Netscape, Peter was Executive Director & General Counsel for the National Public Telecomputing Network.
Sean Gaddis, Session 2, Panel 4
Sean Gaddis is the Manager of Database Marketing for Netscape Communications Corporation. Sean has been with Netscape since March of 1996 and is based in Mountain View, California. Sean is the project manager for the Open Profiling Standard (OPS). Prior to Netscape, Sean was Director of Database Marketing at Creative Computers and Manager of Database Marketing at the Territory Ahead, a division of Land's End.
2. SUPPLEMENTAL COMMENTS
a. Session 2, Panel 2
Self-Regulatory Approaches to Online Privacy Issues, Peter Harter
1. Technology creates de facto public policy. Computer code creates a new code of conduct. How does traditional legal infrastructure interoperate with the functional rules of Internet computer communication protocols?
2. Cookies are an example of technology creating de facto public policy. In order to enable a consumer to communicate with a website, some information has to be exchanged. However, the hypertext transfer protocol (HTTP), the communications protocol for the World Wide Web, creates a stateless or connectionless medium where a consumer connects to a website, receives a single web page from that site and the connection ends. In order for user preferences and purchasing information to be transmitted effectively, some information about the consumer and its transactions with the website needs to persist beyond the end of the connection. Hence, storage of stateful or transaction-related information on the client side is necessary to overcome the inherently connectionless nature of HTTP if a consumer is going to be able to conveniently submit information to websites as they go from page to page, connection to connection. Such information may be product or service purchasing information that is aggregated during the visit and paid for at the end of the visit on a secure payments page (i.e., this example is commonly referred to as the shopping cart). Another example is that of a subscriber to a website newspaper or magazine. Instead of having to rekey user name and password information as well as language and font type and topical preferences each time one logs into a website, a cookie file can contain and maintain this information for the user and make it available to the website the next time the user visits. (More detailed information about cookies is included below in a "Frequently Asked Questions" document.)
The de facto public policy resulting from cookies changes as cookies change in software implementations and new versions of products. The policy also changes as it moves through standards bodies. However, the de facto public policy of cookies today is that websites can place information on consumers' computers without prior notice or consent. Due to the implications of such a policy, software vendors have moved to modify their implementations of cookies in order to provide greater user control. However, there is only so much that a software vendor can do. Website operators will have to provide more information to consumers regarding cookie practices. This point is discussed in greater detail below.
3. While technology does create de facto public policy, public policy and customer demand cause the technology to change. These changes create new de facto public policy. For example, Netscape's implementation of cookies has changed from Navigator 2.0 to Navigator 3.0 to Communicator 4.0. In Navigator 1.0x through 2.0x, the cookie preferences could not be set by the user. These versions of Navigator default to accept all cookies. In Navigator 3.0x, the user can choose to be warned before a cookie is set. As a result, when a cookie is set, the user sees a dialog that gives him/her the option of accepting or rejecting that particular cookie request. This preference is found in the Options Menu | Network Preferences | Protocols. Navigator 3.0x defaults to accept all cookies without a warning. In Communicator 4.0x, the user sees the following cookie choices: Accept all cookies; Accept only cookies that get sent back to the originating server; Disable all cookies; and, Warn me before accepting a cookie. These choices are in the Edit Menu | Preferences | Advanced. Communicator 4.0 defaults to accept all cookies.
Changing an existing protocol or computer tool, like cookies, may not modify the de facto public policy sufficiently. Nor will existing technologies satisfy the needs of the marketplace. Hence, the cycle of innovation and new technology continues to produce new protocols with their own set of new de facto public policies.
4. The Open Profiling Standard (OPS) is one such new technology. OPS uses existing open standard technologies to improve the status quo of ad hoc personal information gathering practices employed by websites. Websites are going to gather personal information and create profiles on consumers one way or another. It is a necessity of business and already part of the marketplace in real space. At present it is an inefficient and unstructured practice. Consumers are not in any position to exert any control over how personal information is gathered nor what is done with it as each site has its own practices and technologies deployed for gathering activity. OPS benefits both website operators and consumers by bringing efficiency to the profile building process and control to the consumer. A study jointly run by eTRUST and the Boston Consulting Group estimated that widespread privacy assurance would increase electronic commerce on the Internet by as much as $6 billion. Yes, OPS facilitates profile gathering; but this would go on anyway. If making the process more efficient empowers consumers and engenders electronic commerce then it is a win-win without any onerous, top-down, technology-chilling regulation. Consumer fraud laws may be necessary to make sure that website operators who choose to use OPS implement it accurately and follow the specifications. Other than that the de facto public policy of OPS should be viewed as protecting privacy and empowering consumers by requiring websites to gather personal information according to a procedure that supports convenience, efficiency, accuracy, notice, consent and control.
5. Role of technical standards bodies: Innovators and business persons can propose their ideas to a standards body such as the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) and let go of the idea so that others can contribute, change it and shape it into a final form that all can benefit from and implement evenly so products can interoperate. Technical standards bodies, however, do not enforce or police the implementation of their standards in any formal sense. While vendors do receive criticism for not implementing a technical standard according to specification or in a timely fashion, beyond negative press and a loss of respect in the technical standards community, the force and effect of technical standards is one of consensus and not formal law backed by punitive force. Should the de facto public policy created by technical standards fail to change enough to satisfy consumer demand or if the market driven environment created by the freedom from regulation somehow fails, government regulation may be necessary. It may also be necessary in order to support and bolster the incentive to support technical standards. Safe harbors from liability and more formal recognition of the industry-led technical standards making process by governments would be welcome developments.
COOKIES AND PRIVACY FAQ
(FREQUENTLY ASKED QUESTIONS)
1. What are cookies?
2. How do cookies work?
3. Why are cookies useful?
4. How has Netscape's implementation of cookies changed from Navigator 2.0 to Navigator 3.0 to Communicator 4.0?
5. What kind of client-side information can web servers store?
6. Can cookies read information from a user's hard drive?
7. Can cookies be used to gather sensitive information, such as a user's email address?
8. Where are cookies stored?
9. Can programmers save client state information without cookies?
10. How long do cookies last?
11. Can malicious sites read cookie information used by another site?
12. Can cookies be encrypted?
13. What products support cookies?
14. Does every browser implement cookies in the same way?
15. Are cookies being presented for standardization to a standards body?
What are cookies?
Cookies help websites maintain user state. What this means is that websites can "remember" information about users to facilitate user preferences for a particular site, transparent user passwords, etc. More specifically, cookies allow websites (servers) to deliver simple data to a client (end user); request that the client store the information; and, in certain circumstances, return the information to the website.
How do cookies work?
Cookies are small data structures delivered by a website to a web client. The website may deliver one or more cookies to the client. The client stores cookie data in one or more flat files on its local hard drive. In certain cases (determined by the data in the cookie itself), the client returns the cookie to the server that originally delivered it.
Why are cookies useful?
Cookies allow websites to maintain information on a particular user across HTTP connections. The current HTTP protocol is stateless, meaning that the server does not store any information about a particular HTTP transaction; each connection is "fresh" and has no knowledge of any other HTTP transaction. "State" information is information about a communication between a user and a server, similar in many ways to frequent flyer profiles or option settings in desktop software. (For example, a preference for aisle or window seats is cookie-like information that a frequent-flyer program might store about one of its customers.) In some cases it is useful to maintain state information about the user across HTTP transactions.
How has Netscape's implementation of cookies changed from Navigator 2.0 to Navigator 3.0 to Communicator 4.0?
In Navigator 1.0x through 2.0x, the cookie preferences could not be set by the user. These versions of Navigator default to accept all cookies. In Navigator 3.0x, the user can choose to be warned before a cookie is set. As a result, when a cookie is set, the user sees a dialog that gives him/her the option of accepting or rejecting that particular cookie request. This preference is found in the Options Menu | Network Preferences | Protocols. Navigator 3.0x defaults to accept all cookies without a warning. In Communicator 4.0x, the user sees the following cookie choices: Accept all cookies; Accept only cookies that get sent back to the originating server; Disable all cookies; Warn me before accepting a cookie. These choices are in the Edit Menu | Preferences | Advanced. Communicator 4.0 defaults to accept all cookies.
What kind of client-side information can web servers store?
User information may be stored in the cookie or in a database on the website. This information may be provided by either the user or the website. Some scenarios include the following:
Alice is shopping at a particular website that uses a shopping cart metaphor. She puts items into a shopping cart by clicking a link or an "Add to Shopping Cart" button. Cookies can be used to store or reference information on the contents of Alice's shopping cart so that she can conveniently purchase a cart full of items rather than one item at a time.
Bob clicks around a website that allows users to view articles for a small charge. Cookies can be used to store or reference information about which articles he has viewed (that is, a list of URLs) so that he can pay for them all at once rather than each time he downloads an article.
Carl fills out a web form with his name, address, and other information. Cookies can be used to store or reference this information so that the next time Carl visits the site, the information is automatically uploaded and he doesn't have to provide it again. If the form contains sensitive information such as a credit card number or a mailing address, the cookies can be delivered over a Secure Sockets Layer, which encrypts the information as it travels between the client and server.
Don logs in to a website that requires a user name and password. When Don's user name and password pair is successfully verified, the server passes down a cookie that functions as a "guest pass" allowing him access to certain areas of the website. After a set time period, perhaps half an hour or a day, the guest pass expires and Don must log in again.
In each of these examples, there are only two ways the information can be supplied: either the server provides it (as in the last example) or the user provides it by taking some action (such as clicking a link or button or filling out a form).
Can cookies read information from a user's hard drive?
No. Cookies can only store data that is provided by the server or generated by an explicit user action.
Can cookies be used to gather sensitive information, such as a user's email address?
Cookies can be used to store any information that the user volunteers. They cannot be used to gather sensitive information such as the fields in a Netscape preference file. In this case, however, the same information can just as easily (and with potentially more objectionable privacy concerns) be stored on the server by using a simple server-side application that stores user information in a database. Cookies are passive files that are delivered to the client, stored on the client's hard drive, and returned in certain situations to the same server that provided the information in the first place.
Where does Netscape store cookie data?
Cookie data is stored unencrypted on the user's hard drive (although during actual communication it is stored in memory). The filename is different for each platform. For example, on Windows machines, cookie data is stored in a file called COOKIE.TXT.
Can programmers save client state information without cookies?
Yes. Client state information can be stored in several ways. For example, server administrators and programmers can create a database application that tracks and stores data they would otherwise have managed with cookies. Cookies are simply a programming convenience.
How long do cookies last?
A website may set an expiration date for a cookie it delivers. If no expiration date is specified, the cookie is deleted when the user quits Netscape Navigator.
Can malicious sites read cookie information used by another site?
Cookies are designed to be read only by the site that provides them, not by other sites.
Can cookies be encrypted?
While the cookie file itself is unencrypted on the user's computer, it can be encrypted between the user's computer and a website. Programmers can require that cookies be delivered and received only in the context of a Secure Sockets Layer (SSL) session. The SSL session handles the actual encryption of cookie data.
What products support cookies?
Netscape Navigator has supported cookies since version 1.0. Internet client products from companies such as Microsoft also support cookies.
Does every browser implement cookies in the same way?
Are cookies being presented for standardization to a standards body?
Yes. The State Management subworking group of the Internet Engineering Task Force's HTTP Working Group is currently working on creating a formal Internet draft for a cookie specification. In Communicator 4.0, Netscape has added the portion of the IETF specification that provides users with the ability to reject cookies that are not sent to the originating server. This enables users concerned with privacy to reject the placement of cookies by advertisers that track users on a variety of sites and send the information back to their corporate server.
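The rules the FAQ answers above describe (a cookie is returned only to the site that set it, a cookie with no expiration date ends when the browser quits, a cookie can be restricted to SSL, and the Communicator 4.0 choice to accept only cookies sent back to the originating server) are modelled below in Python. This is an added example, not Netscape's code: the class and function names, the simplified domain matching, the constructed hosts and timestamp, and the reading of "originating server" as "the site of the page being viewed" are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Preference choices named in the FAQ ("Warn me" is interactive and not modelled).
ACCEPT_ALL = "accept all cookies"
ORIGINATING_ONLY = "accept only cookies sent back to the originating server"
DISABLE_ALL = "disable all cookies"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                      # exact host, or ".example.test" for a whole domain
    path: str = "/"
    secure: bool = False             # if set, returned only over SSL (https)
    expires: Optional[float] = None  # epoch seconds; None = gone when the browser quits


def domain_matches(host: str, domain: str) -> bool:
    """Tail-match a host against a cookie domain (simplified; no public-suffix rules)."""
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


class CookieJar:
    def __init__(self, policy: str = ACCEPT_ALL):
        self.policy = policy
        self.cookies = {}            # (domain, path, name) -> Cookie

    def store(self, response_url: str, cookie: Cookie, page_host: str, now: float) -> bool:
        """Keep or reject a cookie set by response_url while the user views page_host."""
        if self.policy == DISABLE_ALL:
            return False
        # A server may scope a cookie only to itself or to its own domain.
        if not domain_matches(urlsplit(response_url).hostname or "", cookie.domain):
            return False
        # Assumed reading of the 4.0 choice: the cookie must belong to the page's site.
        if self.policy == ORIGINATING_ONLY and not domain_matches(page_host, cookie.domain):
            return False
        key = (cookie.domain.lower(), cookie.path, cookie.name)
        if cookie.expires is not None and cookie.expires <= now:
            self.cookies.pop(key, None)   # an expiry in the past removes the cookie
            return False
        self.cookies[key] = cookie
        return True

    def cookie_header(self, request_url: str, now: float) -> str:
        """Value of the Cookie request header for request_url ('' if none apply)."""
        parts = urlsplit(request_url)
        host, path = parts.hostname or "", parts.path or "/"
        pairs = []
        for c in self.cookies.values():
            expired = c.expires is not None and c.expires <= now
            if expired or (c.secure and parts.scheme != "https"):
                continue
            if domain_matches(host, c.domain) and path.startswith(c.path):
                pairs.append(f"{c.name}={c.value}")
        return "; ".join(pairs)

    def quit_browser(self) -> None:
        """Cookies without an expiration date are deleted when the browser exits."""
        self.cookies = {k: c for k, c in self.cookies.items() if c.expires is not None}


def demo(policy: str) -> str:
    """Constructed visit: a shop page embeds a banner served by a separate ad host."""
    now = 865_555_200.0              # constructed timestamp
    jar = CookieJar(policy)
    jar.store("http://shop.example.test/cart",
              Cookie("cart", "42", "shop.example.test"), "shop.example.test", now)
    jar.store("http://ads.tracker.test/banner.gif",
              Cookie("uid", "abc", ".tracker.test", expires=now + 86400),
              "shop.example.test", now)
    # What the ad host receives when another site later embeds the same banner.
    return jar.cookie_header("http://ads.tracker.test/banner.gif", now + 60)
```

Calling demo() with each preference shows the difference the FAQ describes: under "accept all" the ad host gets its identifier back on every site that embeds it, while under the originating-server choice it never receives one.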
2. SUPPLEMENTAL COMMENTS
a. Session 2, Panel 4
Technology As A Tool For Addressing Online Privacy, Sean Gaddis
FTC: Personalization with Privacy
I) What's at Stake?
The number of host sites coming onto the Internet grew over 70% last year:
Next year, expect more than 55m interested U.S. users:
II) What's slowing things down?
III) What's slowing things down?
IV) The market requires an open standard
V) The Open Profiling Standard (OPS)
OPS is designed to enable personalized electronic commerce, content and communication while providing a framework for the individual's privacy. Over 60 leading companies have already supported the proposed standard, including IBM, American Express, New York Times Interactive Media and the Electronic Frontier Foundation.
VI) What OPS offers the Internet user
VII) What OPS offers Internet sites
VIII) What OPS offers Internet developers
IX) 60+ organizations currently support OPS
DEMO OPS Technology:
1) Individuals will have a Personal Profile that contains their personal information.
2) This profile will be stored on their personal computer (and can, at the user's option, be securely stored in a corporate-wide or global directory).
3) The first time that an individual visits a website that supports OPS, the website will request information from the Personal Profile.
4) The individual has the choice of releasing all, some or none of the requested information to the website.
5) In addition, if the website collects additional information about the individual's preferences, it can (with the individual's permission) store that information in the Personal Profile for future use.
6) On subsequent visits, the individual can authorize the website to retrieve the same personal information without asking permission each time.
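The six steps above, modelled as a client-side profile store in Python. This is an added example, not code from the OPS proposal or from Netscape: the class, the method names, the prompt callback, the per-site namespace for site-written data and the sample field values are all assumptions, and no OPS wire format is implied.

```python
from typing import Callable, Dict, Iterable, List, Set, Tuple

# ask(site, fields) -> (fields the user agrees to release, remember this choice?)
Prompt = Callable[[str, List[str]], Tuple[Iterable[str], bool]]


class PersonalProfile:
    """Hypothetical model of a Personal Profile kept on the user's computer."""

    def __init__(self, fields: Dict[str, str]):
        self.fields = dict(fields)                      # steps 1-2: the user's own data
        self.grants: Dict[str, Set[str]] = {}           # site -> fields released without a prompt
        self.site_data: Dict[str, Dict[str, str]] = {}  # step 5: data added by each site

    def request(self, site: str, wanted: Iterable[str], ask: Prompt) -> Dict[str, str]:
        """Steps 3, 4 and 6: return only the fields the user releases to this site."""
        wanted = [f for f in wanted if f in self.fields]
        standing = self.grants.get(site, set())
        unapproved = [f for f in wanted if f not in standing]
        chosen: Set[str] = set()
        if unapproved:
            # A standing authorization covers only fields already released to this
            # site; anything new is put to the user again.
            picked, remember = ask(site, unapproved)
            # Ignore anything the prompt returns that the site did not ask for.
            chosen = set(picked) & set(unapproved)
            if remember:
                self.grants[site] = standing | chosen
        allowed = standing | chosen
        return {f: self.fields[f] for f in wanted if f in allowed}

    def store(self, site: str, key: str, value: str, permitted: bool) -> bool:
        """Step 5: a site may add data only with permission, in its own namespace."""
        if not permitted:
            return False
        self.site_data.setdefault(site, {})[key] = value
        return True


def demo() -> Tuple[Dict[str, str], Dict[str, str], int]:
    """Constructed session: the user withholds the e-mail address and remembers the choice."""
    profile = PersonalProfile({"country": "US", "zip": "94043", "email": "alice@example.test"})
    prompts = []

    def ask(site: str, fields: List[str]) -> Tuple[List[str], bool]:
        prompts.append((site, fields))
        return [f for f in fields if f != "email"], True

    first = profile.request("news.example.test", ["country", "zip", "email"], ask)
    second = profile.request("news.example.test", ["country", "zip"], ask)  # no prompt
    return first, second, len(prompts)
```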
Proposed Q&A for the FTC:
A. OPS helps to further commerce and services on the Internet while enhancing personal privacy. Details: Users want personalized information, entertainment and services. Companies and service organizations worldwide want to take advantage of the 1-to-1 nature of communications on the Internet to provide their customers and visitors with this personalized information, entertainment and services. Advertisers want to target their messages to the needs and wants of specific audiences. To gather the information that makes this personalization and targeting possible, websites ask their visitors for information -- who they are, where they live, what they do, etc. A single individual might provide much of the same information to dozens (or even hundreds) of websites over time, which can be complex, time-consuming, and inconvenient. With OPS, an individual only has to provide the most frequently requested information once, so it saves time and helps to eliminate frustration. Also, it enhances personal privacy by allowing individuals to control what and when information about them is released.
A. Yes. According to the 6th annual World Wide Web survey run by the Graphics, Visualization and Usability Center of the Georgia Institute of Technology (commonly called the Annual GVU Survey), 70% of consumers surveyed cited privacy concerns as their primary reason for not registering demographic information with websites on the Internet, and 86% of consumers surveyed expressed a desire to control use of their demographic information. With its privacy safeguards and controls over release of data, OPS should significantly increase the number of consumers willing to provide personal information to websites.
A second study commissioned by eTrust confirms these findings. In its study, eTrust learned that 78% of individuals surveyed would feel more comfortable providing information over the Internet when visiting sites that provide privacy assurance.
A. Yes. A study jointly run by eTrust and the Boston Consulting Group estimates that widespread privacy assurance such as that offered by OPS could increase annual electronic commerce on the Internet by as much as $6 billion.
A. OPS allows for the trusted exchange of information of any sort and is fully extensible. For ease of use, there are a small number of "well-known sections" contained in Personal Profiles. The first is a Unique Identifier that is assigned to the Personal Profile when it is first created. The second is a Unique Identifier that is unique to each service visited, and only available to that service. The third is basic demographic information (Country, Zip Code, Age and Gender) that is of use to a broad range of websites. The fourth is contact information (based on the vCard standard), such as name, address, zip or postal code, country of residence, telephone number, fax number, electronic mail address, etc. There will also be the possibility of creating sections for commerce information (such as credit card numbers, eCash, etc.) and site-specific information, such as detailed personal preferences (favorite books, magazines and music) that are of value to users in the context of one or a small group of websites. OPS places individuals in full control of their personal information and they can choose to release all, some or none of their information to websites that request it.
A. Yes, the Electronic Frontier Foundation (EFF), eTRUST (a joint venture of CommerceNet and the EFF), CommerceNet, California Internet Industry Alliance (CIIA), Information Technology Association of America (ITAA), and the Silicon Valley Software Industry Coalition (SVSIC).
A. Once an individual releases his or her Personal Profile to a website, there is no technical way to prevent that website from retaining the information for reuse, or sharing it with others. Therefore, websites that adopt OPS are strongly encouraged to adopt a recognized privacy assurance program that includes third-party auditing, and to clearly and widely post their privacy policies on their website where visitors can see them. In addition, consumers are cautioned not to release their Personal Profile to any site that does not post its privacy policies and submit to third-party auditing.
A. Netscape, Firefly and VeriSign are the sponsors of OPS. In addition, 60+ other organizations have endorsed OPS, including American Express, Digital Equipment Corporation, Hewlett-Packard, IBM, Oracle, and Sun Microsystems. Media companies and content providers endorsing OPS include Hearst HomeArts Network, Knight-Ridder New Media, The New York Times Electronic Media Company, PBS ONLINE and SportsLine USA. Industry associations endorsing OPS include the Electronic Frontier Foundation, eTRUST, and the ITAA.
A. OPS is based on three current or proposed industry standards: vCard, Digital Certificates and HTTP. vCard is a specification managed by the Internet Mail Consortium (IMC) for "electronic business cards" that can be used to exchange personal information across multiple networks and applications. Personal Profiles are vCards that are backward-compatible with the IMC's vCard Specification, Version 2.1. vCard has been submitted to the Internet Engineering Task Force (IETF) standards body as a proposed Internet standard.
Digital Certificates are a form of verified personal and organizational identification using Public Key Cryptography. They have been adopted as a standard by the PKIX working group within the IETF and are expected to become an essential part of electronic commerce on the Internet.
Finally, HTTP is the standard communications protocol of the World Wide Web, used by tens of millions of individuals and organizations around the world.
A. The Open Profiling Standard includes safeguards to help keep Personal Profiles away from unauthorized parties. Personal Profiles may be sent between individuals and websites through the Secure Sockets Layer (SSL Version 3.0) as encrypted messages, and we recommend that Personal Profiles be encrypted on the individual's hard disk.
A. No. Cookies are text messages containing information relevant for a specific website that are stored on an individual's hard disk. Cookies are used for storing information about transactions, user preferences and personal information, but there is no standard specifying how the contents of cookies are structured. Individuals have limited control over cookies -- Netscape Navigator 3.0 can warn individuals when a website tries to store a cookie on their computer, and Netscape Communicator, in compliance with the proposed IETF RFC 2109 - HTTP State Management Mechanism, allows individuals to turn off all cookies or selectively reject individual cookies.
In contrast, OPS specifies the structure of Personal Profiles, so that the same information (and information structure) can be used by many different websites. Individuals have the ability to selectively release or withhold information in their Personal Profiles, rather than the "all or nothing" process of accepting or rejecting cookies that the individual cannot examine, and whose structure the end user may not understand. In short, OPS gives individuals both more flexibility and more control over personal information than cookies can.
However, in applications where websites want to permanently or semi-permanently maintain information about individuals, such as a publisher that creates custom "electronic newspapers" based on consumers' preferences, OPS and Personal Profiles will become the preferred means of creating, transferring and maintaining this information.
A. Yes. Netscape has no plans to discontinue support for cookies in its products.