CONSUMER PRIVACY 1997 -- REQUEST TO PARTICIPATE, P954807 Pretty Good Privacy, Inc. requests the opportunity to participate in Session Two of the Federal Trade Commission Public Workshop on Consumer Information Privacy. Attached to this request are comments submitted by Pretty Good Privacy, Inc. in response to questions 2.9, 2.13, and 2.14 of the FTC Request for Public Comment, dated March 1997. PGP is a leading provider of privacy solutions that prevent the risk of unauthorized access to digital property by protecting it at the source. In other words, PGP puts into the consumers' hands the tools to protect themselves against privacy breaches, rather than forcing consumers to rely on the trustworthiness of others. With PGP's technology, individuals make the decision regarding what information is released about them, and whom they trust with that information. PGP's flagship product, PGPmail, uses public key cryptography to encrypt electronic communications and transactions, eliminating the threat of exposure and compromise. PGPcookie.cutter allows individuals to safely surf the Web, without fear that information about them is being collected without their knowledge and consent. PGPdisk protects personal and corporate information on the desktop and laptop, ensuring that information about individuals and companies is not accessible to interlopers, even if a computer is insecure, lost or stolen. Pretty Good Privacy would bring to the Public Workshop on Consumer Information Privacy a unique perspective: advocating the use of technology that provides consumers the ability to protect their own privacy and to proactively control who has access to their information. For more information about this request, please contact Kelly Huebner Blough, Director of Government Relations, Pretty Good Privacy, Inc. by telephone at 415-524-6254, or by email at kblough@pgp.com. Thank you for your consideration. About Pretty Good Privacy, Inc. Pretty Good Privacy, Inc., founded in March 1996, is a leading provider of digital-privacy products for private communications and the secure storage of data for businesses and individuals. Pretty Good Privacy's acquisition of Zoomit Corporation in March 1997 enables the company to provide business-wide privacy solutions that are scaleable, transparent and interoperable with existing corporate networks. Building on Zoomit's technology foundation will allow Pretty Good Privacy to seamlessly integrate privacy into the fabric of the IT infrastructure. The original PGP encryption software for e-mail, developed as freeware in 1991 by Phil Zimmermann, Chairman and Chief Technical Officer of Pretty Good Privacy, allowed individuals, for the first time, to send information without risk of interception. Pretty Good Privacy will now offer the same trusted privacy solutions to businesses by providing open, scaleable and transparent encryption technology that integrates seamlessly into private intranets, public extranets and the global Internet. With millions of users, PGP has become the de facto standard for Internet mail encryption. In order to provide only the strongest encryption software, Pretty Good Privacy publishes all of its encryption source code and algorithms for extensive peer review and public scrutiny. The company can be reached at 415-572-0430; http://www.pgp.com/. CONSUMER PRIVACY 1997 -- COMMENT, P954807 As a provider of privacy-related technology, Pretty Good Privacy, Inc. is best-equipped to respond to questions regarding design and implementation of technologies intended to enhance online privacy, and industry and individual self-regulatory efforts to address online privacy. I. Self-Regulation A. Question 2.9: Industry Principles, Recommendations and Guidelines. The Internet Engineering Task Force (1) The Internet Engineering Task Force is a large international community of network designers, operators, vendors and researchers concerned with the evolution of the Internet. The IETF and its activities were not discussed at the 1996 workshop, although it is not a new organization. The mission of the IETF includes identifying and proposing solutions to problems in the Internet, including security and user problems and concerns. The first IETF meeting was held in 1986, with 15 attendees. Currently, there are thousands of participants and nearly 100 working groups, 13 of which are focused on security and privacy-related user services. Working groups develop and disseminate "work in progress" Internet-Drafts that serve as guidelines. All of the working groups have been very active within the last year. Topics of recent Internet-Drafts include Users Security Handbook, Netiquette Guidelines, A Set of Guidelines for Mass Unsolicited Mailings and Postings, and Considerations for Web Transaction Security. These guidelines are informational documents only, and focus on educating and advising Internet users regarding how to protect themselves. There is no formal membership in IETF. Anyone may register for and participate in meetings. The work is produced by volunteers. Although the IETF is not a traditional standards organization, many specifications are produced by the IETF that become standards. Pretty Good Privacy, Inc. is an active participant in the IETF. B. Question 2.13: Privacy concerns not addressed by existing guidelines. Consumer Control According to the report on the 1996 workshop, participants agreed that notice of information practices and choice are two key elements in advancing online privacy. Pretty Good Privacy, Inc. believes that this analysis omits the first -- and arguably the most important -- step in advancing online privacy: consumer or individual control. It is the view of Pretty Good Privacy, Inc. that online privacy would be additionally advanced through the furnishing of tools to allow the consumer to control access to personal information at its source (the first line of defense). CONFIDENTIAL INFORMATION SOURCE FIRST LINE OF DEFENSE CONSUMER CONTROL (Information Release) SECOND LINE OF DEFENSE INDUSTRY SELF-REGULATION Without the tools to protect one's own privacy, the consumer is forced to leave control over his or her confidential information in the hands of service providers.(2) This is true even where consent is sought and granted, because such consent implies that the service provider, not the consumer, already has control over the information it seeks to disseminate. Pretty Good Privacy, Inc. believes that it is essential to provide systemic protection of privacy -- protecting information at the source -- rather than allowing information to be disseminated and attempting to control its use through firewalls, etc. Firewalls and industry self-regulation is akin to the moats and walls built around cities in Medieval Europe to guard against the plague. Consumer control over information, through the use of technology such as encryption, is like inoculating the citizenry, allowing them to control their own exposure. When a consumer has the tools to protect confidential information, the consumer can then choose what service provider he or she trusts with what kind of information. Control can be achieved by providing the individual with tools and technology that allows him or her to choose whether or not to trust someone else with confidential information. This is a model used everyday in our lives as autonomous beings in the physical world. Why should the digital world be any different? These tools include the ability to filter "Cookies" which often contain information about personal behavior. Encryption -- or the ability to encode and authenticate confidential information in transmission -- is also essential to providing the consumer with direct control over the information flow. II. Technological Developments A. Question 2.14: Evolution of Interactive Technology Technology is constantly evolving to address the needs of the marketplace, including the need to restore privacy in the information age. Two technologies that are continuing to evolve to provide greater protection for consumer and individual privacy at its source are public key cryptography and Cookie filtering technology. Public Key Cryptography Public Key Cryptography allows the consumer to control access to his or her private information at its source. However, broad use of encryption technology has historically been limited to government -- and, in particular, intelligence -- agencies. Recent development of user-friendly encryption software, available for the desktop in electronic mail applications and Internet browsers, gives the consumer additional control over information dissemination, and allows the consumer to make judgements regarding who to trust with confidential information. Millions of individuals worldwide use public key encryption technology to protect their confidential information at its source, and the number of users grows daily. Further integration of Public Key Cryptography into the realm of electronic commerce will greatly expand online transactions by reducing the risks of exposure. Scalability of Encryption Technology Commerce is the intersection of individuals with businesses and businesses with each other. Therefore, consumer privacy protection also requires the use of public key cryptography at the corporate level, where information that is private to individuals and to businesses is exposed in inter- and intra-company transmissions. Open, transparent and scalable solutions are needed for safeguarding communications and electronic commerce across private intranets, public extranets, and the Global Internet. The development of infrastructures for key management will facilitate the widespread use of public key cryptography technology as a way to preserve privacy in daily interactions by individuals and businesses. One important step in the development of this infrastructure is creating directories, which integrate cryptography into existing Information Technology structures. Through the use of directory technology, Pretty Good Privacy, Inc. brings privacy to business by offering business-wide privacy solutions that are scaleable, transparent, and interoperable with existing corporate networks. Cookie Filtering Technology As discussed in the 1996 workshop, "Cookies" are used by Web servers to track the online activities of individuals who are surfing the Web. While Cookies often facilitate interaction between the user and a Web site, for example by saving a password, they also increase the risk to the user of unauthorized snooping. With Cookie technology, Web sites can track where a user has been, and thus glean private information about their interests, shopping habits, and activities, without the knowledge of the user. In short, when you surf the Web, the Web surfs back. The information that is gathered can be used to build extensive personal profiles and digital dossiers. Several companies offer Cookie control products that warn users when a Cookie is being set on their browser. Early this year, Pretty Good Privacy, Inc. released a product that greatly aids users in protecting themselves from the rogue use of Cookie technology to invade their privacy. PGPcookie.cutter, released in January 1997, provides a user-friendly interface that allows individuals to block or allow only specific Cookies on their Web browsers. Users can choose to share aspects of their identity by allowing Cookies from trusted Web sites to be placed on their browsers. Users can also block Cookies from unknown or untrusted Web sites, providing enhanced privacy -- even anonymity -- while browsing the Web. PGPcookie.cutter accomplishes this through the use of a filtering approach called "network stream interception technology" that allows selective blocking of Cookies. The technology also indicates for the user the number of Cookies that Web sites have attempted to set, alerts users when a Web server is setting a Cookie, and displays all sites that have placed Cookies on one's browser. (1) Additional information about the Internet Engineering Task Force can be found at www.ietf.org (2) [Note: use of the term service providers is intended to broadly identify the providers of all kinds of services, not just Internet service.] |