Speakers:
- CB: Charles Bell, Program Director, Consumers Union
- MA: Marty Abrams, Executive Director of the Center for Information Policy Leadership, Hunton & Williams
- AF: Anna Fielder, Director, Office for Developed and Transition Economies, Consumers International
- BS: Bob Sullivan, Senior Writer, Technology, MSNBC.com
- DT: Don Tellock, Assistant Attorney General, Internet Bureau, Office of the New York State Attorney General
- MT: Mozelle Thompson, Commissioner, Federal Trade Commission
- NS: New Speaker
Note: This is an edited transcript of the proceedings.
CB: We have a terrific panel for you today. We span the different sectors. We’ve got the public, the private, the non-profit, consumer sectors and journalism sectors represented on this panel. And our topic today is Scams and Schemes: Why don’t consumers trust the Web?
I’m Charles Bell, the programs director for Consumers Union, based in Yonkers, New York, and I’ve been involved with the Consumer Reports WebWatch project as an advisor and problem solver.
The questions we’re trying to address here today include the following: Are consumers worried about the right things on the Web? We know that there’s a lot of suspicion, I think, about doing business with certain sites. Is it justified? Are they [consumers] paying attention to the right things? Should they be more vigilant in defense of their own interests? Are security and privacy concerns over-hyped? Should consumers be more concerned about information bias and deceptive information practices than they are today? What areas of the Web are people finding to be the most problematic? And what roles can, or should, Congress and the regulatory agencies play in any effort to improve public perception of the Web as a safe and secure place for information and transactions?
By extension, also, what is the role for voluntary initiatives? We talked at lunch about the importance of voluntary disclosures and voluntary guidelines; obviously, we think that is tremendously important and there is a lot that could be done in all of these areas. So we want to talk about the pathways to sustainable, long-term solutions that build a foundation for credible and trustworthy information on the Web.
To open, I have a couple of points that I collected. One was: I wanted to draw on some of the lessons from the media world, insofar as these might be relevant for e-commerce sites in this new medium.
In the media world, you have pretty strong conventions for separation of information or editorial content and advertising. So, for example, the American Society of Newspaper Editors has said “the primary purpose of gathering and distributing news and opinion is to serve the general welfare by informing the people and enabling them to make judgements on issues of the time.” And the Society of American Business Writers has said “a clear-cut delineation between advertising and editorial matter should be maintained at all times.”
Now, where this comes into the e-commerce area is there are many places you go on the Web where there are so-called advertorials or informational content about products and services that may be slanted in a certain way to induce you to make a purchase. One of the concerns we have is that type of content should be labeled or graphically separated or clearly called out so that consumers can make those judgements.
Jeff Chester, Executive Director of the Center for Media Education, has said, “In a world where marketing, advertising and editorial are all being rolled up into one, the already frayed distinctions and safeguards are already being obliterated.” And people can agree or disagree, but we think this is one of the challenges that is before us.
When we were working on the original proposal for Consumer Reports WebWatch, there was an article in the Times where an anonymous CEO of an Internet company said, “There’s an ideal confusion in the mind of the consumer today. It’s good if the consumer doesn’t know if he’s buying the watch from Casio’s site or from us.”
Many people are familiar with the problems that came out with the Dr. Koop site – these were problems relating to hidden sponsors of informational content. So, for example, there was a list of hospitals shown to be the most innovative and advanced healthcare institutions across the country. Well, it later turned out, The New York Timesreported those hospitals paid $40,000 to be listed. So this is the type of problem that we have experienced and has led to the creation of our product.
Another example, and this is something that we suspect continues on the Web today, is hidden sponsorships or transaction fees. In 1999, it was reported that recommended books in the columns on Amazon that said What’s Worth Reading and Destined for Greatness were actually there because their publishers had paid $10,000 placement fees. So these weren’t necessarily the best books as found to be by librarians or readers of great literature. They were there one suspects because of sponsorship.
Similarly, we have the problem of search engine bias, or potential bias, we covered this morning. There was an example in 1999 of how InsuranceWeb had paid Yahoo $9 million to receive referrals from the site, without disclosing that to consumers. And this was also true for other shopping tools and shopping bots that may be taking fees to direct consumers to certain merchants and so perhaps a greater level of disclosure is needed there.
I think one problem that we would just like to highlight from Consumer Reports WebWatch’s perspective is that media sites may be earning more and more revenue from transaction fees. This is actually a hidden problem, that consumers won’t even necessarily know the scope and scale of this problem since by definition, there’s little disclosure. In 1999, Business Week reported that they believed that media companies would actually, on the Internet, be earning more in transaction fees for driving traffic to other sites or for other types of economic transactions than they would actually be earning from the ad revenue by the year 2003. I sort of suspect that, because of the collapse of the dot.com boom, that trend did not go as far. But we really don’t know. We really don’t have that much information on how transaction fees may be affecting the content that consumers see on the Web, and this is potentially also a concern.
There’s a range of tools that we can use for consumer protection against deceptive practices and scams. One tool we have, which has been discussed, is Consumer Reports WebWatch guidelines, which are intended to apply to all types of sites. There are also many other good guidelines out there, such as those done by the American Society of Magazine Editors, the OECD [Organization for Economic Cooperation and Development] and many other agencies. Also in terms of voluntary standards, the IEEE [Institute of Electrical and Electronics Engineers] has just created a standard for site pages that many Web producers may choose to use.
So that’s a whole genre of activity we can use to improve protection for consumers. We can also disseminate best practices, perhaps call out exemplary practices and share that information with other types of sites. We could encourage sites to adopt better and clearer disclosures, with easy-to-find, easy-to-understand business or editorial policies, perhaps layered notices for privacy, as one of our speakers this morning addressed.
There’s the issue of visual conventions. We could have better separation of content, better labeling of content. Perhaps color coding or labels for sponsor hyperlinks and other types of technological solutions, such as spam-killing software would be another protection tool. There’s the whole idea of using consumer feedback as has been used on the auction sites to some good effect and on some consumer complaint sites.
Then there are voluntary standards – I think I’ve covered and enforcement of existing laws. We have many good general business laws and consumer protection laws that are applicable in the Internet context and those laws can be enforced as a major tool and many of the agencies we’ll hear from today are really involved in that business. And then there’s the prospect of other types of regulation and legislation that can protect consumers.
So, let me just briefly introduce our panelists. I know that their full bios are on the Web – I would recommend those to you. We have, to lead off, Marty Abrams, who is the Executive Director of the Center for Information Policy & Leadership at the law firm of Hunt & Williams. Marty’s been involved in a lot of consulting and work on privacy notices, or so-called nutrition label for privacy notice, and he’ll be leading off for us. Let me just go briefly through our other panelists.
We have Anna Fielder, who is the Director of the Office for Developed and Transitioned Economies at Consumers International, based in London. This is a global organization that Consumers Union, where I work, we joined to help start in 1960. Currently, they have over 250 consumer organizations in 115 countries around the world. We’re very glad that you could come from London to join us.
We have Bob Sullivan, senior writer on technology for MSNBC.com, who’s done a lot of reporting on Internet scams and frauds, and we’re looking forward to hearing your perspective.
Don Tellock, the Assistant General with the Internet Bureau at the Office of the New York Attorney General Elliot Spitzer, who has been quite involved in anti-fraud efforts.
And, finally, we have Commissioner Mozelle Thompson from the Federal Trade Commission. He is one of the pro-consumer commissioners who you would most want to have on your side if you have experienced abuse or a scam or fraud of any type. And we’re so happy that you’re with us, as well.
MT: Depends on whether you’re on the business side or –
CB: Yeah, I’m saying that from the consumer side. So, Marty Abrams, we’d like to have you go next and thank you very much for joining us.
MA: It’s my pleasure. I’ve had a real good time today. It’s been a while since I’ve been to a consumer conference. I usually spend my time when I go to conferences at very dry business conferences where we’re discussing information policy, privacy, global interests and all of that. And I actually have gone through three presentations today and I finally came to the presentation that Chuck actually wanted me to do, which is the one on how do short notices work? How do they work with long notices? Why are they important in both the Internet and the offline world? And so I will skip all the other things I really wanted to talk about and I will talk about notices.
About seven or eight years ago, the nature of privacy notices changed. It changed for a couple of reasons. The first was the growth of the Web and the desire for folks to have a sense of what organizations were doing on the Internet. And when that began to take place, we had decisions by the Federal Trade Commission which said that if you’re going to say something, if you’re going to say you’re going to do something, then you actually have to do that. So it increasingly drew notices from being written by communicators or marketers or others to notices that were being written by the general counsel’s office, because if they’re contracts, they have to be specific, they have to be clear. Then we had recommendations that they be complete, so they got incredibly long. So the notices went from short – the type of aspirational notices that we all remember from 15 years ago – to incredibly long.
Then we had the passage of the HIPAA [Health Insurance Portability and Accountability Act] and the Gramm-Leach-Bliley Act (GLB), Section 5, which covers privacy, but which was not really a privacy bill; it was a notice and somewhat semi-choice piece of legislation. And what that said is that your notices have to be complete, but they also have to be easy to understand and in plain English. The regulators, in their infinite wisdom, began to give safe harbor language with words that are common words we use across the fence like non-public, private financial information, something that I always talk with my neighbor about.
So we suddenly had notices that were not very effective. And we were approached, the Center of Information Policy Leadership, after those GLB notices began to come out and said, Is there a way to think about fixing this quagmire? And I said,yes, the concept is layered notices. The concept that you’re not going to get rid of this incredibly important legal document, which is contract-like and is going to be written by the general counsel, but that most consumers, though, do not want to read that document. They cannot compare that document to a document prepared by others.
So we went back to the research from the 1980s that led to food labels and we began to find that there are three things you have to think about when you build a notice that is actually for people to read.
–The first is it has to have language that doesn’t require the consumer to translate that language, so it’s got to be language that consumers use on a regular basis.
–The second convention is that long-term memory and short-term memory need to work together. In simple terms, the notice that you see today, you need to understand that based on the notice you saw yesterday and that will help you understand the notice you see tomorrow. So the format around notices has to be similar, to allow you to learn from today’s notice and use it to filter tomorrow’s notice. And that actually leads to the whole question of being able to look at notices and compare notices.
–The third thing is that they have to be short. The research says that you cannot have more than seven elements in a notice and have the notice something that the public can really deal with on a regular basis.
So we worked with a bunch of companies – nine, to be exact – when we began the project to develop a common template based on the elements that were most important to communicate with consumers. And we then took that template and did open-ended focus group research in Cincinnati, Ohio, to see whether indeed the elements that we thought were important were the elements that consumers thought were important.
There was a lot of consistency. They [consumers] did tell us some of our language was terrible. That they don’t like the word “policy”; they prefer “notice.””Policy” means that we’re dictating to them, they don’t want to be dictated to. If we’re going to tell them what actions they can take, we have to tell them at that spot how they exercise those actions. So if you’re saying to people you can opt out, you have to tell them right there how they go about exercising that opt out. They told us they hate the word “data” and like the word “information” much better. “Data” is what the kids graph in school. And so we’ve gone back and we’ve revised those basic templates.
If anyone wants to see what those templates look like, you can go to Chase.com or the U.S. Postal Service’s Web site or Fidelity’s Web site or Procter & Gamble, because all of those four companies are currently testing their highlights notice and allowing people to fill out surveys. So you can go there and you can look at those policies and I would really suggest you go to Procter & Gamble and Chase, because those are the two companies that stuck most closely to the norms that we were looking, but go and look at all four.
Again, this is a layered highlights notice. The notice needs to work with the longer, complete notice. There are many people who want to know the granular, the detailed information. That’s not most consumers, but there are consumers who will want to do that. You also need that longer notice for legal compliance reasons, for when the bank examiner comes to visit.
In an online setting, you can link them together, but with a click-through process. In the offline world, John Hawke, the U.S. Comptroller of Currency has suggested that the longer notice should be easy to get on request and that’s the suggestion he has made.
In the HIPAA world, the final regulations heavily encourage the use of highlights notices. Or the use of layered notices, they don’t specify a highlights notice. In that case, the two notices have to go together. An example of a company who’s actually used – we did a project to create a HIPAA highlights notice, and the company that’s actually used that is Kodak. They had to give a HIPAA notice to their employees and they’ve given them the complete, long notice. But on top is the basic template as developed for HIPAA highlights. And I think that as people begin to see the long eight-and-a-half page HIPAA notices, they’ll find the desire for the common template that allows for comparison. They’ll find that much more attractive.
The reason this is important to me is that the first step to good privacy policy is transparency. And, to be honest, we’ve never developed a good, solid system of transparency. We’re a society that has too many disclosures. You can say we don’t have enough, but people are over-disclosed, too. So we need – and the one system of disclosures that I think that has worked probably the best is the food label approach. And we need to go back in this because it’s a common template that allows for comparison. So that’s why we believe in the layered notice, that’s why we we’re encouraging it and that’s why we think it’s the first step for companies that really care about compliance to create a privacy culture that works for customers.
To be honest, for those organizations that will go offshore, for those organizations that want to run frauds, this is totally irrelevant. But for the companies that truly want to be good citizens and maintain their brand, we think that a noticing system that works is important. Thank you.
CB: Tremendous. And Marty, HIPAA stands for–? It’s related to healthcare—
MA: It’s the Health Information Portability and —
CB: –Accountability Act of 1996.
MA: Yeah. It doesn’t stand for privacy.
CB: So notices relating to healthcare issues.
MA: Yes, that’s right. And if you’ve not been in to the doctor since Monday of this week, you will soon see this notice. If you take your child to the emergency room bleeding profusely, they will not care for you until you read the notice and acknowledge that you’ve read the notice.
CB: Okay, thank you very much, Marty. I want to observe that what you’ve just talked about is about an easy-to-use disclosure that’s easy for consumers to understand. From the project’s [Consumer Reports WebWatch] perspective, we think this kind of a thing is a very important tool. We would agree with the concept – you know, we haven’t gone into the specifics of how this system works, the specific systems that you propose. There’s a retailer in the New York area who advertises, “An educated consumer is our best customer.” And it’s really a strategy that businesses could adopt to give consumers easy-to-understand information, but in an accessible way. So we think potentially this is a very promising approach.
MA: There is one issue that needs to be resolved and that is the question of liability and it’s a question that we’ve discussed with FTC staff and the New York Attorney General’s office. It’s a subject that we’re going to explore in-depth this year and that is: What is the relationship between the long notice, the short notice and the actual behavior? We’ve said all along that the long notice and the short notice need to be consistent with each other. And that, in some ways, consistency is a fact-based issue, not a standards-based issue. But if what you’re doing is significant, and it’s mentioned in the long notice and you leave it out of the short notice, we would say that’s not being consistent and that’s a deceptive trade practice. But we’re going to be developing some white papers that go into that question.
CB: Anna, I have to beg your indulgence, but we have Bob’s computer hooked up, so we’re going to go slightly out of order and have Bob Sullivan from MSNBC.com.
BS: Chuck and I were on the phone the other day, talking about what it was that I would talk about and he asked me, So, do you have any opinion on policy [unintelligible]? What can be done to stop all this? And like any good journalist, I said, “No.”
I don’t know what the solution is and, fortunately for me, finding it is not my job. The best thing I can contribute is I’ll spend a couple of moments convincing you that there really are problems out there. The people who I hear from – I’m sort of the consumer affairs reporter of the Internet, if you will – I hear from victims. People who have been scammed out of thousands of dollars, in a frantic search for someone who will listen.
Along with going to the local police and complaining with their relatives, they do a search and find that I’ve written stories about a lot of these scams, so they e-mail me with just terribly sad stories. So I’m going to share a couple of them with you, just to convince you that there really is a problem here.
I’ll just bang through them real quickly. You might recognize the picture at the top of the story as a chat room log. This is from Internetrelaychat. You probably can’t read it, but I will tell you what’s not blurred out there says, “Name, address, Social Security number, driver’s license number, employer, position, work phone.” This was a file that was passed to me, It was about 40 megabytes of just complete digital dossiers on thousands of people.
I’ve never been able to actually learn where this file came from, although I did go visit the chat room myself and see it going on as it happened for about three days non-stop. They were all credit applications – all the data was in the form of credit applications and everyone who I called had applied for a cell phone recently. So, reasonable enough to assume that somebody managed to intercept data somewhere between the person who’s asking for a cell phone and then getting that cell phone.
I suppose we could talk about this a little bit later, but the amount of information that is passed when you try to obtain credit for anything is everything that’s needed to steal who you are. And if we’re wondering about whether or not people trust the Internet – now, this incident we can’t really blame the Internet for the leak of the data. But here’s what we can blame the Internet on. I don’t think we could ever before even conceive of some teenager who has a lot of free time in his hands in Kiev, Romania or somewhere in former Soviet bloc countries stealing money from a poor old woman in Peoria, Illinois.
We were talking at dinner last night about indiscriminate harm and the real fear that’s – I don’t mean to compare financial crime to terrorism so much, but the real fear from terrorism is that there’s no way to insulate yourself from it. It can happen to anyone, anywhere at any time. And it’s the same thing with Internet crime. In fact, you don’t even have to be on the Internet to have it happen to you.
Before I do, this is a very wealthy person’s bank account. Actually, it’s not. This is a checking account that supposedly has $45 million to it. How many people in the room have ever gotten an e-mail from someone who’s just desperately looking for help getting money out of Nigeria?
[talkover-all]
BS: Every day. Okay. Well, they progressed.
NS: I send them to Mozelle, though.
BS: Oh, is that right? So you have a personal–
MT: I didn’t know that many people actually lived in Nigeria.
BS: People seem to be catching on that there really isn’t an easy way to get their hands on $23 million. So the scam is evolving. Although I will tell you that last night I got an e-mail from some poor woman who lost $12,000 to some version of the Nigerian scam.
In this one, what they do is – there’s a lot of people who sort of go halfway through it and they get nervous at the point where someone asks, “You need to wire $9,000 to a Western Union in Africa.” So people bail on the process. Well, they revisit these consumers who maybe about halfway, they know they got a nibble, a couple of months later. And they actually set up a fake online bank. What was the name of this one? It was the same name as a bank in Great Britain. And the site looks completely authentic. It was a copy of another online banking site that looked quite real. You had to go register; it was a thorough registration process. The promise was, you know, “We understand your reticence to wire $9,000 sight unseen to us. So what we’ll do is we’ll give you the money first. We’ll just wire it to the bank account and you can do whatever you want with it and we’ll prove to you the money’s there and that’s why you’ll wire us the $9,000.” Here is Joseph Cipriani – in this case, fortunately, Joseph is a fake name, a source of mine had some fun with the Nigerians and played along with the scam to at least this point.
But I bring this up only because it looks legitimate enough. And what are the odds that one in a hundred people might be convinced by this? You know, what’s a couple of thousand dollars? Heck, that’s a big number down there in the balance – what’s the risk? Lots of people are still falling for that, otherwise you wouldn’t be getting all those e-mails.
There are a lot of news-based scams, too. A lot of people get impulsive around, especially around September 11th. There were all sorts of e-mails promising herbal supplements – a silver supplement was the most popular one, [colloidal] silver, supposedly. That’s actually a scam that’s been around a long time, but thanks to the Internet, it got a new life.
This is one of the ways that I would like to try to prove to you – well, there are two – that you don’t even have to be on the Internet to lose money, thanks to the Internet. The first one – which is not the focus of this story – you probably remember the Long Island help desk worker who managed to tap into the credit system and steal some 33,000 credit reports. While that was still going on, he posed as a corporation asking for a credit report on someone. And at one point, he posed as Ford Motor Credit Company and asked for 15,000 of these things before some bell went off and somebody said this isn’t a good idea. The credit reports were random – well, they weren’t randomly selected, but they weren’t selected based on anyone who had tried to buy a car or anyone who had been online. Apparently, he just went around looking for high-rent neighborhoods. So he went looking for people who had credit to give. And many of the victims had never heard of Teledata Systems in Long Island. They’d never heard of Teledata. They hadn’t bought a car in years, some of them didn’t even have cars. And yet they were victims of the system.
This story here is about – this is very clever – and I have to tell you, I have a bit of a love-hate relationship with some of these fellows, because I do appreciate the elegance of a good financial crime. Fortunately, I only have to write about them. This is called the credit-back scheme. If you go into a store and buy something on a Visa card, you can return it and some stores will let you return it on an American Express card instead. That’s a convenience to customers. But if you have stolen both cards, that’s a real easy way for you to walk out with about a thousand dollars.
Now, most stores will sort of smell that if you do it in person. But thanks to the Internet, it’s an automated process. And these guys did it $5 at a time, with thousands and thousands of cards. In one night, they managed to run about $300,000 worth of charges. A lot of that money never got to the bad guys. Usually, it’s stopped, eventually somebody notices a batch process that’s running and it’s overwhelming the system. But I can tell you, the merchants in this case, they all got charged a buck twenty apiece for all those transactions. So the merchants were out thousands of dollars for the fact that all these credits had been granted.
Some of you have never seen anything like this before. This is a chat room devoted to swapping credit cards. And it it looks kind of like an old-fashioned stock ticker, it goes by at such great speed. Actually, there is horse trading that is constantly going on: “I’ve got a set of 20 brand-new American Express cards,”; “I’ll trade you one PayPal account for that,”; “I’ve got dossiers of Social Security numbers, I need one hundred American Express cards in exchange for that.”
It’s interesting that you can actually see data here. That means two things. Because, of course, the data’s useless to the possessor once it’s published. It either means it’s just a – it’s sort of like drugs, it’s a taste. Here’s real data, if you want more, come to me. The other one is they do this to what’s known as burying the data. If you want to confuse the credit card company, is there anyone who might be on your tail for using a stolen credit card, the best thing to do, at least these guys think, is to publish it and this is now a shark-feeding frenzy. The moment a credit card number is published in there, it’s used at dozens of sites around the Internet while someone tries to make money off of it. So that’s the best way to cover your tracks to obscure the transaction trail. There’s another example.
Gene Nelson here spent two years evading the Postal Inspector’s office. He scammed about three hundred people on eBay. And it’s the scam you all heard of: You pay for something and it just never shows up. But because he was able to create a series of aliases and fake eBay names – and you mentioned in your talk, actually, that there’s been some success with the –
MT: Yeah, the user feedback.
BS: Yeah, with the user feedback system. There are pluses and minuses to that. Lots of people hijack eBay accounts or create their own feedback and create false identities for themselves and that’s how he accomplished what he accomplished.
Just in terms of whether or not they should trust us, it happens to be Yahoo, they were the unlucky ones in this case. There’s a teenage hacker who likes to go around to Kinko’s and play around with computer systems. And in this case, what he did to prove that he was smart was he took a Reuters story, a wire story on Yahoo, and altered it. He put in fake quotes from President Bush. Essentially – this was a story about a Russian hacker who had been arrested, and he actually had a sensitivity about it. He didn’t pick a story of great prominence, so it wasn’t seen by many people. He then e-mailed a bunch of reporters to say, “Look what I did.” Which was good, because he could have done something else, which was he could have altered a very prominent story, and we’ve seen a couple of essences of this with press releases with companies [unintelligible] market sensitive information that sent markets [unintelligible] companies.
But, anyway, the reliability of news information – I mean, this cuts right to the very core of what we’re talking about here, so I’ll share that with you, in a moment. I think rather than take up the rest of all your time, I’m going to stop here and talk about it a little bit more later. Thank you.
CB: Anna Fielder. We’ll bring you up—
AF: I can start, because the PowerPoint is not what I’m going to say. It tells you a little bit about Consumers International, because I sort of gathered that many of you present in this room wouldn’t know that there is such a thing in the world.
We are a global organization. We basically have as members all the consumer organizations that have any credibility in the world, as Chuck said, in 115 countries. Because of that, being the only foreigner here, I thought I’d introduce an international, global dimension to this talk, which is very, very important when we talk about the Internet. I think the colleague that spoke at lunchtime from the FBI [Louis Freeh] was one of the first that mentioned the global dimension. I didn’t hear it very much in the morning.
A lot of the research shows that it’s not just that the Internet doesn’t have borders, but actually the interests of the companies operating on the Internet are worldwide, they are not limited within their own borders.
Of course they encompass not just language boundaries, but if you think about it, English is a very widely spoken language. Asia, most of Africa and so on. So I think the international dimension is very, very important.
I’m not going to speak a lot about evidence of schemes and scams, because I think a lot of the colleagues here have done it very effectively. Chuck has given some brilliant examples; you’ve given some even more.
I just want to attract your attention to two things in relation to that. As Beau [Brendler] mentioned this morning, we’ve done together an international study called Credibility on the Web that has 13 participating countries looking at credibility issues on Web sites addressing health, financial and price comparison sites. In fact, Professor [Murke], who is here in this room, he’s our principal research advisor on this, so we couldn’t have done without him. You can access this report, and what this report shows is that the main problem in terms of credibility on the Web is not so much fraud and schemes and scams, but basic professional disclosure issues, such as ownership of Web site, the identity partners, quality of the information given in terms of how up-to-date it is, authority of the people who give it.
So it’s what you would expect in the real world to be a normal professional attitude is not as frequent as you might expect on the Web. And this doesn’t happen with fly-by-night operators; in fact, very reputable companies regularly do it. I think you can deal with fraud; it’s an illegal operation. But these basic professional [unintelligible] it’s a real problem. Because, also as it was remarked this morning, it is not easy to legislate in a global environment. But legislation does exist in large parts of the world. There are many guidelines that already exist. Many of you would know that the European Union has no less than five directives that have the force of legislation that address issues of commerce and credibility on the Web – for example, the Commerce Directive, the Data Protection Directive, the Distance Selling Directive. Then we’ve got, of course, we see guidelines for consumer protection in e-commerce, and Mozelle will probably tell you quite a bit about that. I see he’s the chairman of the Consumer Policy Committee of the OCED, who developed them and we contributed to them. We are now gently lobbying the OECD to extend them to cover credibility issues.
But what we find – whether it’s legislation of whether there are voluntary guidelines – we found two full problems that relates to all of them. First of all, if it’s legislation, it’s not being enforced. So if there are guidelines or standards and they’re not being followed or they are not detailed enough go to be followed, we have a big gap in-between all these good schemes and principles. Of course Consumer Reports WebWatch offer an additional set of guidelines that are very important.
So globally, there are many, many initiatives and many good guidelines that are being promoted. But the biggest, biggest gap is verification, monitoring and oversight. And this is what I want to emphasize in my short address, because we can continue this discussion. There is a lot of money and effort involved in developing principles and guidelines and they are very, very good and it’s necessary. But, when it comes to oversight, to monitoring, to research, people say, oh, consumer organizations can do that.
Well, of course they can and they do it very well. The problem is that worldwide, very few neutral bodies or consumer organizations or any other independent, neutral body has the necessary resources to do such things. So maybe this is a subject for an important discussion of how we go into the next step, not from the knowledge of all the existing tools, existing trust marks, guidelines and now the International Standards Organization is beginning to develop standards for Internet services.
But how do we bridge that gap between grand words and actual, effective implementation of all these legislation and guidelines? And, particularly, how do we bring about the kind of oversight necessary to ensure it?
CB: Terrific, thank you very much, Anna. One point worth underscoring is that this report that your office produced was produced as a collaboration between Consumer Reports WebWatch and CI, Consumers International. And it involved collaborative research among developed country consumer organizations in, what? Eight to 10 countries? So it’s interesting, the Internet now gave us the ability to do transnational consumer research.
AF: In fact, it was terrific, because the methodology and the discussions on the methodology all happened between these 13 countries on a listserv. I mean, we met a couple of times and [unintelligible] generally throwing the cat amongst the pigeon and say, What about this? All this big discussion. I think we developed a really, really very credible methodology and criteria for measuring this issue. And of course, we want to continue this way.
CB: Yeah, and I think also at Consumer Reports WebWatch, we were very pleased to be able to participate with CI because it gave us the mechanism to communicate with consumer groups in other countries about our guidelines. And we were interested to learn, in terms of some of this research, that when people shop across borders – sometimes European consumers come to shop at U.S. Web sites – they can’t always tell if that site’s willing to do business with them until they click down to the final page of the shopping cart and it says, “Put in your zip code. So, sorry, we don’t serve non-U.S. consumers.”
So it’s just an interesting example of Web site usability and design. If you want to do business with consumers in other countries, it’s something worth paying attention to.
Next, we’ll hear from Assistant Attorney General Don Tellock.
DT: Our job in the Attorney General’s office is a pretty exciting thing right now at this time in the Internet Bureau. We use existing consumer protection laws of the State of New York to enforce, to regulate companies that do business with New York State consumers online. As you can imagine, that includes probably every large corporation – whether it’s a technology company or it’s a traditional company, say a Sears & Roebuck. If the company sells products online, they’ve probably sold something to a resident of the State of New York.
Fortunately for us, New York’s consumer protection laws and the authority given to the New York Attorney General’s office is very broad. We find our authority under Executive Law 6312, which allows the Attorney General of this state to initiate an investigation in terms of any illegality or fraud that goes on. We do not need a complaint from an actual consumer. We don’t have to prove intent, there doesn’t have to be an intent to defraud. It can be a one-time event. And we generally, in the Internet Bureau, use GBL 349 and 350, False Advertising and Deceptive Practices. That’s usually the hook that we use when we go after a company.
To go back a little bit to what Marty was talking about, we look at a company’s posted privacy policy. And we then examine a company’s privacy practices and we view the privacy policy as a contract between the company and the consumer. And then we examine the privacy practices to see if they live up to the promises in the policy.
If we find that a company is falling short – for instance, a typical case that I would deal with involves a data spill or a vulnerability on a Web site. Mr. Sullivan over there, Bob Sullivan, I must say puts out some really good stories sometimes, along with some other news organizations.
We are allowed to subpoena documents as well as subpoena, take depositions – for those of you who aren’t lawyers in the audience, I’m sure with the proliferation of lawyer shows today, everyone’s seen a deposition at least on television, on “The Practice” or “L.A. Law,” if you go way back.
NS: I object.
DT: There you go. And it’s a very interesting thing, because in the absence of – and I’m not talking HIPAA covers health information, Gramm-Leach-Bliley covers financial institutions. And there’s COPPA [Children’s Online Privacy Protection Act] and all this other stuff. But there is information out there that is, as of right now, if we did not use it – and we’re not the only AG’s office, by the way, there are other AG’s offices around the country. Notably, to rattle off a few and if I don’t mention one that you know of, don’t think that I have something against them, but: California, Washington, Vermont, Michigan, Florida – all are very active in privacy issues.
I’ll give you an actual scenario from an organization that actually prides itself as being a protector of privacy, the ACLU. Back in March of last year, it came to our attention that a reporter for the Corporate Legal Times who had been trying to reach the ACLU – this is all public information, the case is settled now – had gone to their Web site and was trying to figure out who he should give a call to because he was doing a story about, ironically enough, the ACLU’s push to have the FTC as well as other government agencies go after Eli Lilly for a privacy mistake that Eli Lilly had – and I can talk about that a little bit later.
So this reporter from the Corporate Legal Times goes onto the Web site of the ACLU. He doesn’t know who he has to contact to get the information that he needs or who to talk to about this issue. He goes into the search mechanism, the page that has the search mechanism for the ACLU Web site. ACLU, by the way, runs an online store. And in that store they sell literature, bumper stickers, t-shirts, hats, that sort of thing. But it’s the sort of thing that if you go on the Web site, you may not want everyone in the world to know what literature you’re purchasing from the ACLU.
Anyway, he plugs in “name,” because he doesn’t know whose name to enter. He presses Enter, and up comes all of the information on 91 consumers who purchased items from the ACLU’s Web site for a period of about eight months in the preceding year – their names, addresses, telephone numbers, as well as the items that they purchased.
We heard about the story. We scan the Internet as well as various publications and it came across my desk. This is a problem. I mean, the ACLU, their privacy policy stated, in essence – it was a very short policy, you’d be happy. The policy –
MA: I believe in layered notices.
DT: The policy basically stated, “We take your privacy very seriously. We would never share your information with anyone and we keep your data encrypted on secure web servers if you do business with us.” Something to that effect.
Well, that’s an easy case. You look at what the practices were. If someone who’s not Web savvy goes on, not a technical person, someone just plugged in “name” and they’re automatically viewing other people’s personal information, that’s very problematic.
Now, around the office, I like to – and when I talk to companies that we go after – I like to tell them it was Gen. Douglas MacArthur who said, “On this Earth, there is no security. There is only opportunity.” And that is so true in the Internet age, that with Web security – let’s face it, no Web site is going to be 100 percet secure. It’s only an opportunity for a malicious hacker to go in and extract the data and there you have the problem of identity theft and posting stuff in chat rooms. However, there are steps that a company or an organization that is serious about protecting consumer’s personal information can do.
To wrap up the ACLU story, I must say that, once the ACLU was informed about what was going on – the reporter informed them once he discovered it – they were very prompt in their response. Within two hours, I believe, they shut everything down. When contacted by our office, they cooperated voluntarily and we were able to reach a settlement with them whereby they offered refunds, complete refunds to all 91 of the consumers who had purchased items on their Web site. They notified all of the consumers that their personal information had been exposed. And they were definitely a good citizen in terms of owning up to what happened. That case settled at the beginning of this year.
Now, knowing that no Web site can be 100 percent secure, there are some things that a good corporate citizen can do. Preventative measures. One, they can develop and implement a security policy to protect information. Two, they can train their staff – staff members that have access to consumer information – to respond adequately to Web vulnerabilities, to report it to the tech people and also take it very seriously. Also, companies can have an annual, independent audit conducted by an outside company that can be hired as “white hat hackers” to try and hack into their database.
Remedial actions, or even preventative – if there’s a known vulnerability, companies should take action promptly to correct the vulnerability. Or, if it’s a known vulnerability, but you haven’t fallen victim yet, close the hole. And when we come calling or if something does happen, the AG’s office or the FTC – there’s a lot of overlap – we can know that you tried to do something.
Cooperate with law enforcement voluntarily. Don’t think of it as a visit to the dentist.
Also, take responsibility for your mistakes. I would say that to all companies. Just take responsibility for what went wrong and try to work with us to make sure that it doesnt happen again.
I got the one minute sign about a minute and a half ago and, given the fact that I don’t want to infringe upon Mozelle Thompson’s time, and since there’s a lot of overlap between what the FTC does and what our office does, I’m going to turn it over.
CB: Thank you very much, Don. You know, we started about 15 minutes late, so I’m hoping that we can keep going until they come and turn off the microphone. But I think this idea of a reality TV show, you know, “Government Internet Regulator” or “Internet Bureau Lawyer,” “Attorney General” could be great. Especially since a lot of this fraud, you just couldn’t make this stuff up. I mean, it’s really incredible.
So, batting in the clean-up position here, we have Commissioner Mozelle Thompson from the Federal Trade Commission.
MT: Thank you. First, I want to thank you very much for having this whole day where we can share ideas. I think it’s really important. It also gets me back home to New York, which I like.
I’m always skeptical nowadays about embedded cookies. But they were good today.
I’m a commissioner of the Federal Trade Commission, and I’m here to help you. The first thing that my general counsel requires me to say is that my words are my own, not necessarily those of the other commissioners. They’re usually my own. Peter, my staff person, is here. Sometimes they’re his.
In thinking about everything we’ve heard, especially on this panel, I’m trying to figure out where I could add some value. Maybe the first place to start – first, I want to know something about you. How many people here are with consumer organizations? Okay. How many of you are with government? How many of you with companies who have some consumer presence on the Web? Okay, good, that’s an interesting mix. How many of you are with the press? [laughs] Okay. Maybe I shouldn’t say anything.
I thought the first place to start is to give some perspective, because you’ve heard a lot of conversation about things like privacy and security, and I think we all too often speak in shorthand and we get compartmentalized into those little niches too early. I think it’s important to look at where we are right now with regard to the economy and the relationship between buyers and sellers. Right now, more than any other time in our history, we are a demand-driven economy. What we have around the world is the most developed economies and economic downturn, where consumer confidence becomes really important, because consumer spending represents a large part of what makes the economic engine turn. In the United States, people say consumer spending represents about 80 percent of our economic engine. In France, 55 percent, in the U.K. 60 percent. And so a small change one way or the other in what consumers think about the marketplace could have a significant impact on what happens to economic growth.
At the same time, we have a confluence of events, with improvements in technology that consumers out there are in a different position than what they used to be. When the Internet came into play, not only do sellers know a lot more about consumers, consumers know a lot more about them, too. And it’s not just affected by the fact that you can click on one Web site and buy there or an alternative is a click away. It’s information that’s available, some of it very good. Mrs. Smith now can go down to Circuit City and say, “Well, XYZ on the Web site told me they can give me this refrigerator for $20 less and have a warranty. What are you going to do about it?”
That changes the dynamic, but it also changes our responsibilities as well. So instead of thinking of privacy, security in a traditional way, I like to first take a step back and look at this umbrella that we call consumer confidence. And then figure out what are the elements that have to fit under that umbrella in order for consumers to feel comfortable. For example, in e-commerce and participating on the Internet.
So that means privacy. Consumers have to have some sense that you’re dealing with them fairly with regard to their data. Because in many instances, the data is the only connection that’s between the buyer and the seller.
Second: Security. That information that you give to a given Web site actually goes to the place it’s supposed to go and not go someplace else.
Third: Anti-fraud deception. That you’re being dealt with fairly, so that the information that you’re getting and the terms under which you’re doing business with this Web site are true and accurate, that you’re actually going to get the goods that you said you were going to get for the price that you said, and in a reasonable time for delivery.
So those are all part of the umbrella. Now, shall I take a few seconds and talk a little about the FTC? We’re a small agency, but there are those who love us. We’re about, I guess, 1,100 people, lawyers and economists. Which means that we have people who will assume a perfect world and people who will also tell you why it doesn’t exist.
And we are in the position of looking at competition and consumer protection. Meaning, on one side, that we think with full competition that you could have a marketplace that’s good for consumers, because they get the widest range of goods and services at the best prices. But on the consumer protection side, you have to have strong consumer protection so that consumers can feel confident in investing in the marketplace. They both go hand in hand. It’s a consumer welfare model.
Now, what you see out there is, then, we’re being looked upon as a law enforcer. On the competition side, to enforce the antitrust laws; on the consumer side, to look at not only some of the basic, broad laws that we have, some of which we are a mirror image with states, which is against fraud and deception. Meaning that when a Web site tells you they’re going to do X, they have to have to actually do it, they have to do it in a reasonable way. If they tell you they’re going to protect the security of your information, they have to take reasonable steps to make sure that that actually happens. And there are many examples of where it doesn’t happen, like Eli Lilly. Or Microsoft Passport.
Then we also enforce particular laws that specifically relate to elements under that umbrella. Like the Fair Credit Reporting Act, which limits how information on your credit, where it goes and the circumstances under which it can go to other people. The Gramm-Leach-Bliley Act takes a look at what kind of privacy notices did you get, what businesses in the financial industry are doing with your information. The Children’s Online Privacy Protection Act, which limits the amount of information that can be collected about children 13 and under. So there are any number of different ways.
So, our goal is to sit down – we’ve been called by The Wall Street Journal – we’ve been called a lot of things by The Wall Street Journal, actually – but one of the things we’ve been called is the Internet agency. Because we not only have an Internet lab where we have, I think we have a few people, it’s a secret as to how many – more than 10, bigger than a breadbox – but people who are out there that we pay who actually surf the Web to tell us what’s going on, to be the source of cases that we can bring. And we have translated that into some very significant cases, not only dealing with privacy and security, but also in areas where people have real concern.
Some of you saw last week, we took a series of actions against fraudsters who were preying on people in the Internet auctions. And we’re the first ones to really do that. So there are a number of areas where I think of us as bringing demonstration cases. But also we have areas where we’re trying to – it’s two parts to the process. Not only is it taking visible and strong law enforcement action. But, second, how do we take what we know and translate that so that people can find it useful? That’s not only a learning experience for us, but how we [unintelligible] the information.
So that includes the workshops that we have. In this area, probably, if you look at our Web site, FTC.gov, we’ve had a series of workshops and we’re going to have some more in the next several months, that are going to be very important for us to learn about what’s going on out there, but also to scope out what might be inappropriate practices. So, for example, we just had one on cross-border fraud that had an international perspective that talks about one thing that we can all agree on internationally, that fraud and deception is bad. And so how the countries and their law enforcement agencies can bring down the barriers that prevent us – not the fraudsters – but the law enforcers from going after people across borders.
We’re having a workshop on spam. Even though Spam is very popular in Hawaii, this is the other spam. And part of it is because we don’t know what the right answer is for unsolicited e-mail. But it’s time for us to sit down and talk to a variety of people of what are the various types of problems. Because it’s not just one problem, it’s not just fictitious header information or spoofing. It’s a whole bunch of different problems and it’s clear to me, at least from my standpoint looking at this, is there’s not one answer. It’s not necessarily a legislative answer, it’s also the business community has to be involved in trying to be self-regulatory. And we have to get out to consumers about steps that they can take on their own to begin to ask the right kinds of questions when they do business on the Internet.
So those are very important steps. We’re also going to have a workshop on the economics of privacy. To talk about what are some of the costs on technological responses. But also, perhaps, what are the costs of not doing anything? We’re also going to look at technological responses on the privacy side, to see if some of the tools that are so heavily touted actually do work. That, in other words, whether the choices that we are providing, that we are incentivizing industry to help the people to manage their own data actually have a benefit.
So those are places where public input is really important. But I’m going to throw out a couple of challenges for you right now before we get to the questions that I know you have. It’s this:
One of the big challenges that I see is that we’ve all done a fairly good job of beginning to highlight where the problems are. We all have gotten a lot more sophisticated in knowing that it’s not necessarily a one-size-fits-all approach to solving those problems. But still, the largest gap remains, we don’t talk to consumers enough about what’s reasonable for them to expect and what’s not reasonable for them to expect in doing business on the Internet. We’re getting better at that by telling them what the horror stories are and trying to give them some guidance – we, in the government, with our own Web site and materials and the consumer groups, too. But business has to also be involved in an ongoing process of talking to consumers about the right questions to ask. Because in many instances, a lot of those decisions about fair dealing have to come at the consumer making certain kinds of choices. So to get them involved in making those choices and understanding the importance of them is really important.
That’s a challenge for all of us and not individually the government or consumer groups or, not only the business community, but all of us together on an ongoing basis. I’m not going to say that there’s not room for distinct steps to be taken by government in terms of legislation or rule-making, or by businesses in terms of self-regulatory actions, or consumers about real advocacy and talking to government about what we need. But I’m saying we still have this education gap that continues to exist. And, until we solve that problem, a lot of e-commerce is still going to be catered toward the tails of the bell curve.
Those who are the most technologically savvy are the people who are willing to accept more risk. And the people who need to use the Internet – and that not only includes people who are [unintelligible], but people who also look like me, who are underserved, that middle of the bell curve – that’s not going to be popular until we actually become better educators and better listeners to what it is they need in the middle. That’s a real challenge for us all.
CB: Thank you.
MA: Chuck, I need to depart for a plane, but I would like to, before I leave, since I’m going to miss the questions, I would really like to second Mozelle’s last point. When I was at the Federal Reserve System in the 1980s and when I first left the Federal Reserve System to go to TRW, the level of consumer education that we did in this economy was significantly greater than it is today. During the 1990s, that dwindled off significantly. The interest behind pushing it dwindled off and the market is more complex. And I think there needs to be a high quality discussion of what fair play is in the digital age, and there needs to be educational materials around how you teach people fair play, and how you teach them exactly what the benefits are, and how do you make sure that your expectations are real.
CB: Thank you, thank you, Marty. Anna, did you want to make a quick point?
AF: I just want to make a quick comment on that. I’m going to [unintelligible] consumer education, just to –
DT: I’m from New York, we invented cynicism.
AF: Okay, just to maybe provoke some discussion. Consumer education is a very, very much abused term and I think it’s been used as a solution for all of the evils. You can have two kinds of consumer education. You can have it as information: for example, Top Five Tips for Using the Web. Now, this kind of information is in profusion everywhere. I can show you thousands of sites and books and manuals. In fact, there is an overload, so people don’t read it.
Then there is education which is part of a school curriculum or college or university, where awareness of such things is introduced into the children’s every day. And there is a very, very big difference between the two. Personally, I would very much endorse the kind of education that is actually an integrated approach in schools, although that is quite a challenge as well. But I think that this kind of information serves its purpose, but it’s not going to change the world.