Children's Online Privacy Protection Rule Amendment -- Comment P994504
AOL Time Warner
November 30, 2000
AOL Time Warner, Sony Pictures Entertainment Inc., The Walt Disney Company, Twentieth Century Fox Film Corporation, Vivendi Universal, and Viacom (the "Companies"), hereby state their support for the Federal Trade Commission's proposal to extend the period during which web sites directed to children can use the sliding scale approach to obtain verifiable parental consent for the collection of personal information about children.(1) In their view, the Commission should retain the current sliding scale regime unless and until cost-effective digital signature technology is widely available. Therefore, whereas the Commission proposes to extend the sliding scale regime for an additional two years, they urge an indefinite extension "until the development of secure electronic mechanisms and/or infomediary services become widely available at a reasonable cost."(2)
The Companies maintain Web sites directed to children. Therefore, they not only have a direct interest in the Commission's action in this proceeding, but also offer a first-hand understanding of the capabilities and costs of the presently available technologies for securing verifiable parental consent.
The Companies agree with the Commission that "expected progress in available technology has not occurred."(3) In the meantime, firms have invested heavily in necessary technology to assure compliance with the sliding scale system. Moreover, the sliding scale system now appears quite adequate in protecting the interests of children. Therefore, the Companies support not only the two-year extension proposed by the Commission, but also an indefinite extension pending development, deployment, and widespread consumer acceptance of cost-effective digital signature technologies.
The Commission has determined correctly that the development, deployment, and consumer acceptance of digital signature technologies has lagged expectations.
The basic premise of the Notice is correct. Two years ago when the Commission adopted the sliding scale mechanism as a "short term" measure, it believed that "more reliable methods of obtaining verifiable parental consent would soon be widely available and supportable."(4) The Commission then recognized that, "[W]ith advances in technology, companies will soon be able to use more reliable, verifiable electronic methods in all of their transactions."(5) In particular, the Commission envisioned use of technologies permitting e-mail accompanied by a valid digital signature.(6) As many commenting parties then concurred, digital signature systems might provide a parental consent mechanism "in the future."(7) Now, however, the Commission has realized that "the expected progress in available technology has not occurred."(8)
The Commission is right. The promise of new digital signature technologies remains largely that - a promise. Progress has been slower than expected. Businesses are experimenting. Consumers are uneducated.(9) Costs are unpredictable. Widespread deployment and consumer acceptance of digital signature technology remains at best a very fuzzy speck on a very distant horizon.
The same may be said irrespective of the specific technology at issue.(10) Biometric verification systems like Cyber-SIGN are relatively costly, especially from a consumer perspective. Encryption key systems, like Verisign PKI, are less costly, but still enjoy no widespread deployment.(11) Few parents have been willing to invest the time and money to obtain an encryption key. As is apparent from the comments of Verisign Corporation regarding the ESIGN Study, wide-scale deployment of their Verisign PKI software has not occurred and "may be slow in developing."(12)
Furthermore, no evidence suggests that consumers have or will become comfortable with the newer digital signature technologies or find them sufficiently useful and valuable to justify the expense in the foreseeable future.(13) As noted by Thomas Greco of the Digital Signature Trust Company at the ESIGN Public Workshop, "There are going to be a number of applications that we're going to be attacking with this electronic technology. Some will merit the use of certain technology, some will not merit the use of certain technology."(14) At this point, no one may say with certainty that parents would invest in digital signature capability just to allow their children to provide information to a Web site.
Similarly unknown is what types of applications will induce consumers (including parents) to make that investment for other purposes. Even businesses have moved slowly in embracing digital signature technologies.(15) As observed by Ben Dayanim at the ESIGN Public Workshop, "[B]usinesses are trying to figure out the best way they want to approach e-commerce generally."(16) Thus, when all is said and done, much more is unknown than is known about the pace of deployment and acceptance of digital signature technologies at the consumer level. As Mr. Greco emphasized, "[We're at the very beginning stages of being able to answer some of the questions, what do businesses need, what do consumers need to make this kind of thing happen."(17)
Therefore, as the Commission now acknowledges, "more reliable methods" of securing verifiable parental consent remain unavailable.(18) Furthermore, consumer acceptance of such technologies remains unpredictable. Consequently, the Commission's decision to extend the sliding scale regime is sound and supported by the current state of technological development and deployment.
The present investment in the technology necessary to comply with the sliding scale regime is substantial.
Discarding the sliding scale mechanism at this time in favor of nonexistent new methods of securing verifiable parental consent not only is facially unreasonable, it also would impose a substantial financial penalty on operators of Web sites directed to children. Several of the Companies, undoubtedly like a large number of children's Web site operators, have spent thousands of dollars in site design, hardware and technology costs alone to implement the sliding scale mechanism. And this says nothing about the up front and ongoing personnel costs to put the requisite systems in place and maintain them. Furthermore, many Web based businesses are very much infant industries that are in no position to absorb unnecessary costs. Jettisoning the sliding scale mechanism and requiring immediate use of more advanced mechanisms of securing verifiable parental consent - assuming arguendo that they were available - would relegate these systems to the scrap heap and trivialize the investment many Web site operators have incurred to implement the sliding scale mechanism.
No sound reason exists to extract such a financial penalty from Web site operators. They have complied in good faith with the new rules and hardly deserve to be penalized by a premature embrace of more sophisticated technologies. The Companies submit, therefore, that the Commission must take into account the present sunk investment in sliding scale mechanisms in assessing the ultimate cost effectiveness of newer parental consent technologies.
No basis exists for concluding that the sliding scale regime is inadequate to protect the interests of children.
Utilization of the sliding scale mechanism has proven to be an effective means of protecting children's privacy. The Commission has alluded to no rash of complaints from parents alleging breaches in their children's privacy by the operators of children's Web sites. The Companies, too, have fielded virtually no such complaints from parents concerning infringements of their children's privacy. In the absence of complaints or other record evidence that the sliding scale mechanism is inadequate, no sound reason exists to plunge headlong into the realms of still budding technology in search of a solution to a problem that does not exist.(19)
An indefinite extension of the sliding scale regime would promote innovative Web-based services for children.
If the sliding scale regime is extended and thereby stabilized, many more positive applications for children may emerge. A permanent extension of the sliding scale would provide a predictable framework around which children's Web site operators can create children's content.
Experience with only temporary short-term reliance on the sliding scale mechanism demonstrates that regulatory uncertainty has been counterproductive in some instances. The impending expiration of the sliding scale has chilled the development of new online content for children. While some companies have invested heavily in implementing the sliding scale technology, others have been skittish. They have refrained from employing the sliding scale at all because they are unwilling to invest in a regulatory scheme that will soon expire and render the investments obsolete. The reason is simple: it is difficult and risky to build a business model on a regulatory framework that may change in two years. How might a company justify making substantial investments in compliance methods that may not be legally permissible within a two-year period? The temporary nature of the sliding scale has inhibited many children's Web sites from making investments in costly infrastructure, fearing that a once appropriate means of obtaining consent no longer would be acceptable.
Consequently, the limited short-term reliance on the sliding scale mechanism for compliance likely has inhibited the development of many features that would have been beneficial to children. For example, some child-directed Web sites have structured content and interactive functions around the collection of non-personally identifiable information. This chilling effect has reduced the content and interactivity that would have been available to children if the sliding scale had been made permanent in the original COPPA rule.
On the other hand, providing Web sites with meaningful guidance on how to structure their activities around a preferred consent mechanism would encourage the types of investments in children's content that some to date have been hesitant to make. Therefore, the Companies submit that an indefinite extension of the sliding scale system would create a considerably better climate for investment in and implementation of creative Web-based services for children.
The Companies applaud the Commission's willingness to base regulatory decisions on a sound and realistic appreciation of the facts. Expected developments in digital signature technology have failed to materialize. Widespread consumer acceptance is beyond reliable prediction. Therefore, rather than demand the impossible, the Commission has made a demonstrably wise and amply supported decision to maintain the sliding scale mechanism.
The Companies also urge the Commission to stay this course. It should insist that interested parties present substantial evidence that new, more reliable and cost-effective digital signature technologies are developed and deployed - with widespread consumer acceptance. Only then should the Commission even begin to consider supplanting the sliding scale regime.
November 30, 2001
1. The Companies submit these comments in response to the Commission's Notice of Proposed Rule Making, (http://www.ftc.gov/os/2001/10/coppafrn.htm), 66 Fed. Reg. 54963 (October 31, 2001) [hereinafter cited as Notice].
2. Notice at 3.
3. Notice at 2.
4. Notice at 2.
5. Final Rule, RIN 3084-AA84, 64 Fed. Reg. 59888, 59902 (November 3, 1999).
6. Notice of Proposed Rule Making, 64 Fed. Reg. 22750, 22756 (April 27, 1999)
8. Notice at 2.
9. See ESIGN Public Workshop, Proceedings (April 3, 2001) at 14 (Jeff Wood)("[C]ustomers are a little leery of e-commerce at the beginning stage of the relationship.").
10. Furthermore, the Commission should appreciate that P3P technology in its present form, while deployed, is irrelevant to the matter of verifiable digital signatures.
11. Identity verification also is only a secondary use of encryption key systems, which were designed to protect document security during transmission. Indeed, encryption key technology is not a fully secure means of parental verification. The key works well only to verify that a transmission has come from a particular computer on which the key is stored. It is nonspecific as to the particular user of the computer (e.g., parent or child) because anyone with access to the area of the computer in which the key is stored can use the key.
12. Comments of Verisign Corporation, ESIGN Study, Comment P004102, http://www.ftc.gov/bcp/workshops/esign/comments/Verisign2.htm (March 16, 2001).
13. Id. at 2, n.6, citing 146 Cong. Rec. S5216 (daily ed. June 15, 2001) (statement of Senator Wyden)("At the heart of these provisions is the concern - shared by many in the industry as well - that electronic communication, e-mail, is not as reliable or as ubiquitous as traditional first-class mail. Until advances in electronic mail technology eliminate such concerns and until the vast majority of Americans are comfortable using the technology of the New Economy, consent to use electronic records requires special care and attention.); see also Comments of the Cartoon Network et al., http://www.ftc.gov/privacy/comments/pauley.htm (June 11, 1999) at 7 ("[D]igital signatures impose a potential financial and technological burden on consumers…. For example, Cyber-SIGN's biometric verification system costs $850 for 10 users, and 435 for each additional user. Users must purchase a special digitizing pad and pressure sensitive pen."). At the same time, technologies based on encryption key technology may be more affordable, but raise even more critical issues in terms of effectiveness and availability.
14. ESIGN Public Workshop, Proceedings (April 3, 2001) at 31.
15. See, e.g., Letter of March 27, 2001, to the Commission from Thomas J. Greco, Digital Signature Trust Co., http://www.ftc.gov/bcp/workshops/esign/comments/dstc.htm ("At the present time, it is premature to say how this requirement of ESIGN ultimately affects electronic commerce since the level of such commerce is relatively low and businesses are just beginning to deploy applications that address these issues. Systems are currently being designed to meet the consent requirement, but we believe it is far too early to say that any particular approach is being taken.").
16. ESIGN Public Workshop, Proceedings (April 3, 2001) at 6.
17. Id. at 32.
18. Notice at 2.
19. Home Box Office v. Federal Communications Commission, 567 F. 2d 9, 36 (D.C. Cir. 1977) ("[A] regulation perfectly reasonable and appropriate in the face of a given problem may be highly capricious if that problem does not exist. ").