June 11, 1999
Secretary, Federal Trade Commission
Re: Children's Online Privacy Protection Rule Comment P994504
Dear Mr. Secretary:
PrivaSeek, Inc. ("PrivaSeek") appreciates the opportunity to submit comments in response to the Notice of Proposed Rulemaking ("the NPR") implementing the Children's Online Privacy Protection Act of 1998 ("COPPA" or "the Act"). We commend the Commission and its staff for expeditiously crafting a proposed rule that reflects clearly the general goals, as well as the specific mandates, of the Act.
Founded in 1998, PrivaSeek is the first "consumer infomediary" dedicated to establishing a new global consumer-centric marketplace. As its first major initiative, PrivaSeek developed and, in March of this year launched, "Persona," the first information control tool that lets individual consumers, rather than corporations, control how, what, where and when personal information is shared. Free to consumers, Persona acts as a consumer-driven information broker, or "infomediary," between the consumer and the marketer's Web site. The technology not only enables consumers to automatically safeguard their personal information and identity on the Web, but to actually gain value from it. It also saves consumers precious time and effort by keeping track of passwords and purchases and by automatically entering a consumer's personal information on online forms. The Persona technology provides a secure method of storing data that can easily be audited by a third party. It also allows consumers to access their data and privacy preferences from any device that is connected to the Web. In the final stages of beta testing, Persona will be available within approximately three months. For more information on PrivaSeek and Persona, visit www.privaseek.com.
Children on the Internet
Figures released this week by Jupiter Communications reveal that in 1998, approximately 8.6 million children (5 to 12 years old) and 8.4 million teens (13 to 18) were online. Jupiter predicts that by 2002, 21.9 million children and 16.6 million teens will be online, accounting for a 155 percent increase in online children and a 97 percent increase in online teens. Clearly, both children and teens comprise an increasingly significant segment of the universe of Internet users.
As active shoppers and purchasers, children and teens are also pivotal players in the online marketplace. According to a recent Jupiter/NFO Consumer Survey, 37% of online children and 67% of online teens state that they have researched or bought products online. Jupiter predicts that, in the year 2002, children will account for $100 million of the electronic commerce dollars and teens will account for $1.2 billion. In light of these impressive statistics, it is not surprising that target advertising and marketing to these segments has become increasingly sophisticated and prevalent, and that the value of personal information collected from these age groups carries a very hefty price tag.
PrivaSeek's comments focus on Section 312.5(b) of the Proposed Rule, which addresses the mechanisms for "verifiable parental consent." Webster's Dictionary defines the term "verifiable" as "capable of being verified." According to Webster's, "to verify" means "to establish the truth, accuracy, or reality of." It is necessary, then, that the "truth" of parental consent be established in order for it to meet the standard for "verifiable" consent mandated by COPPA.
Section 312.5(b) provides that
While the NPR notes that the Commission has not committed to any particular method or methods, it identifies the following potential mechanisms for obtaining parental consent:
PrivaSeek supports the premise that personal information from or about children should not be collected, used, or released to a third party without parental consent. We applaud industry leaders who, as a general rule, have employed any number of methods for obtaining parental consent prior to gathering information from children. It is PrivaSeek's view, however, that although the standard methods for obtaining consent (delineated above in examples one through three) clearly have merit, none provides the optimal solution for ensuring verifiable parental consent. For example, the method by which a parent signs a consent form and returns it to the operator by fax or surface mail has several potential flaws. First, such a procedure is costly in terms of the time involved in securing consent, as well as in terms of the interference it causes to the child's immediate online experience. More importantly, the consent form is susceptible to forgery by a child or other individual who is not the child's parent who may have intercepted the form, signed it, and returned it to the operator without the parent's consent or even knowledge. In the absence of an adequate means of authenticating the parent's signature, this consent mechanism is not suitable for securing consent for collection, use, and disclosure practices involving children's information.
The second method -- requiring a parent to use a credit card in connection with a transaction -- may enable children to make electronic purchases over the Internet; however, it does not completely solve the dilemma of how best to obtain parental consent. First, in an environment in which we are ostensibly attempting to limit and control the collection and flow of personal data in accordance with an individual's preferences, requiring the release of sensitive financial information from parents as a means of conveying consent for the release of children's information seems counterintuitive at best. Nor can an operator be entirely certain that a child who is using a parent's credit card without authorization is not conducting the transaction. Furthermore, this solution does not adequately address situations involving children whose parents do not use credit cards or do not wish to transfer credit card information over the Web, nor situations where a child is interested in merely interacting with a site rather than actually conducting a transaction.
Finally, it is PrivaSeek's view that the provision of consent via a toll-free number would not constitute "verifiable" parental consent. Although this mechanism may be fairly easy to implement, the risk of false impersonation by a child or another individual that is not the parent outweighs any associated benefits. Again, PrivaSeek believes that, in the absence of the consummate formula for authenticating a parent's telephone voice, this option falls short of the strict verification standard mandated by COPPA.
It is PrivaSeek's position that any workable model for establishing verifiable parental consent must meet three essential criteria. First, it must provide for authentication of the identity of the consent-granting parent. Second, it must not be vulnerable to attempts at repudiation. Finally, it must be ubiquitous. Clearly, neither a hand-signed consent form, a call to an 800 number, nor submission of credit card information is sufficiently capable of authenticating a user's identity, let alone universally accepted or applied. Moreover, none of these options can sufficiently protect operators against efforts to repudiate parental consent on the basis of claims of forgery or false impersonation.
PrivaSeek supports a technology-based solution that encompasses the criteria set forth above. Only technology will provide a foolproof means of ensuring that children are protected both from sites that do not adhere to fair information practices, as well as those that may fall outside the FTC's Section 5 jurisdiction. Under Section 5 of the FTC Act, an operator who in the future violates Section 312.5(b) of the Rule -- regardless of whether the violation is actually detected and the perpetrator enjoined -- would have already collected, used, and/or disclosed personal identifying information of children, thus causing the very harm the law and rule were designed to eliminate. To be sure, penalties will be suffered by the offending operator and redress paid to the injured consumer; however, the actual damage -- abuse of a child's personal information and deprivation of future control over it -- would have already occurred. A ubiquitous, technologically-sound solution that is capable of ensuring authentication and non-repudiation ideally will prevent potential Rule violators from obtaining unauthorized information from children in the first place, which theoretically would translate into a need to bring fewer enforcement actions in this area.
It is our view that, of the examples included in the Notice of Proposed Rulemaking, only option four -- an email from the parent accompanied by a valid digital signature -- meets the appropriate standard for verifiable parental control. Because a digitally encrypted signature is impervious to forgery, the recipient of the email or electronic document can readily verify that the person whose signature is attached is the originator of the message. In the context of securing parental consent then, an operator is assured of the authenticity of the digital message and, therefore, can be assured of the truth of the parent sender's identity. Likewise, the fact that it is not forgeable means that the sender cannot later repudiate the digital signature. Thus, in the context of information practices relating to children, operators who receive digitally encrypted consent are protected from later attempts to repudiate the consent conveyed in the digitally signed message.
Of course, the key to the success of digital signatures in solving the parental consent quandary hinges largely on the viability and ubiquity of this technology. There is little question that digital authentication technology will play an important role in determining the future of online commerce. The acceptance and use of electronic signatures in routine consumer and business transactions will enable parties to more readily execute contracts and other agreements, ensure that electronic records are not altered after a signature is affixed, and, most germane to the proposed rule, verify the identity of the individual using the signature.
In the NPR, the Commission poses several questions related to the status of digital signature technology. Specifically, the Commission asks the extent to which digital signatures are now in use. Currently, more than 40 states have laws that provide recognition of electronic signatures. The use of digital signatures occurs primarily in the context of business-to-business transactions. With increased attention from Congress, regulators, and the public at large, however, digital signature technology likely will become increasingly accepted and utilized in routine consumer transactions. On June 9, 1999, the House Commerce Committee held hearings on H.R. 1714, the Electronic Signatures in the Global and National Commerce Act (E-SIGN). If passed, this bill likely will pave the way for national recognition of digital signatures as a legally binding means of consummating commercial and consumer transactions, as well as securing and authenticating the identity of online consumers. At a minimum, the issue of digital signatures is gaining momentum as a major public policy issue and driving force behind the ultimate success of electronic commerce.
PrivaSeek's Role in Protecting Children's Information
PrivaSeek does not collect information directly from children under the age of 18, as it is our belief that information about a child belongs to the child's parents. In the very near future, PrivaSeek will launch a technology that will allow parents to set the parameters for the collection, use, and release of their children's information to third parties. PrivaSeek's "Child Persona" solution combines a parental involvement component with secure digital authentication technology. The Child Persona is based on the idea that there is "sensitive information," i.e. information that can identify the child or otherwise put the child in potential harm. Furthermore, whether information is sensitive or not often depends on the context in which it is examined. For example, providing a first name and last name is not necessarily a problem, but combining it with an email address may be. Because it is difficult or impossible to really know the implications of certain combinations of data, it must be possible to employ an extremely conservative model of information delivery.
The fundamental requirements of Child Persona protection become the following:
Given the above requirements, a Child Persona is being incorporated into the existing Persona infrastructure. Essentially, a Child Persona follows this model:
Finally, like Persona, the Child Persona will require that any PrivaSeek-approved third party be bound contractually to abide by a child's privacy preferences and information controls as set by the child's parent. Thus, parents will be in control of the amount of information sites can collect from and about children, as well as permissible uses for such information.
We are extremely excited about this consumer enhancement tool and believe that it is a solution that will meet not only the parental consent component, but also all of the general requirements of COPPA and the proposed rule.
PrivaSeek respectfully requests the opportunity to participate in the July 20, 1999 workshop on the proposed rule. We would be pleased to make a presentation on the Child Persona technology at that time.
Again, thank you for the opportunity to comment.
Dr. Steven Lucas, Esq.
Elizabeth M. Palmquist, Esq.