30 January 1998
Source:
http://www.ntia.doc.gov./reports/privacydraft/198dftprin.htm
"Government to Unveil Plan to Overhaul Internet Domain Names"
Posted 27 January 1998
WASHINGTON, D.C.
As set forth in A Framework for Global Electronic
Commerce, the Clinton Administration supports private sector efforts
to implement meaningful, consumer-friendly, self-regulatory regimes to protect
privacy. To be meaningful, self-regulation must do more than articulate broad
policies or guidelines. Effective self-regulation involves substantive rules,
as well as the means to ensure that consumers know the rules, that companies
comply with them, and that consumers have appropriate recourse when injuries
result from noncompliance. This paper discusses the elements of effective
self-regulatory regimes -- elements that incorporate principles of fair
information practices with enforcement mechanisms that assure compliance
with those practices.
A. Principles of Fair Information Practices
Fair information practices were originally
identified by an advisory committee of the U.S. Department of Health, Education,
and Welfare in 1973 and form the basis for the Privacy Act of 1974, the
legislation that protects personal information collected and maintained by
the United States government. These principles were later adopted by the
international community in the Organization for Economic Cooperation and
Development's Guidelines for the Protection of Personal Data and Transborder
Data Flows. Principles of fair information practices include consumer awareness,
choice, appropriate levels of security, and consumer access to their personally
identifiable data. While the discussion that follows suggests ways in which
these principles can be implemented, the private sector is encouraged to
develop its own ways of accomplishing this goal.
1. Awareness. At a minimum, consumers
need to know the identity of the collector of their personal information,
the intended uses of the information, and the means by which they may limit
its disclosure. Companies collecting and using data are responsible for raising
consumer awareness and can do so through the following avenues:
Privacy policies. Privacy policies articulate the manner in which a company collects, uses, and protects data, and the choices it offers consumers to exercise rights in how their personal information is used. On the basis of this policy, consumers can determine whether and to what extent they wish to make information available to companies.
Notification. A company's privacy policy should be made known to consumers. Notification should be written in language that is clear and easily understood, should be displayed prominently, and should be made available before consumers are asked to relinquish information to the company.
Consumer education. Companies should teach consumers to ask for relevant knowledge about why information is being collected, what the information will be used for, how it will be protected, the consequences of providing or withholding information, and any recourse they may have. Consumer education enables consumers to make informed decisions about how they allow their personal data to be used as they participate in the information economy. Consumer education may be carried out by individual companies, trade associations, or industry public service campaigns.
2. Choice. Consumers should be given
the opportunity to exercise choice with respect to whether and how their
personal information is used, either by businesses with whom they have direct
contact or by third parties. Consumers should be provided with simple, readily
visible, available, and affordable mechanisms -- whether through technological
means or otherwise -- to exercise this option. For certain kinds of information,
e.g., medical information or information related to children, affirmative
choice by consumers may be appropriate. In these cases, companies should
not use personal information unless its use is explicitly consented to by
the individual or, in the case of children, his or her parent or
guardian.
3. Data Security. Companies creating,
maintaining, using or disseminating records of identifiable personal information
should take reasonable measures to assure its reliability for its intended
use and should take reasonable precautions to protect it from loss, misuse,
alteration or destruction. Companies should also strive to assure that the
level of protection extended by third parties to whom they transfer personal
information is at a level comparable to its own.
4. Consumer Access. Consumers should
have the opportunity for reasonable, appropriate access to information about
them that a company holds, and be able to correct or amend that information
when necessary. The extent of access may vary from industry to industry.
Providing access to consumer information can be costly to companies, and
thus decisions about the level of appropriate access should take into account
the nature of the information collected, the number of locations in which
it is stored, the nature of the enterprise, and the ways in which the information
is to be used.
B. Enforcement.
To be effective, a self-regulatory privacy regime
should include mechanisms to assure compliance with the rules and appropriate
recourse to an injured party when rules are not followed. Such mechanisms
are essential tools to enable consumers to exercise their privacy rights,
and should, therefore, be readily available and affordable to consumers.
They may take several forms, as proposed below, and businesses may need to
use more than one depending upon the nature of the enterprise and the kind
of information the company collects and uses. The discussion of enforcement
tools below is in no way intended to be limiting. The private sector may
design the means to provide enforcement that best suit its needs and the
needs of consumers.
1. Consumer recourse. Companies that
collect and use personally identifiable information should offer consumers
mechanisms by which their complaints can be resolved. Such mechanisms should
be readily available and affordable.
2. Verification. Verification provides
attestation that the assertions businesses make about their privacy practices
are true and that privacy practices have been implemented as represented.
The nature and the extent of verification depend upon the kind of information
with which a company deals -- companies using highly sensitive information
may be held to a higher standard of verification. Because verification may
be costly for business, work needs to be done to arrive at appropriate,
cost-effective ways to provide companies with the means to provide
verification.
3. Consequences. For self-regulation to be effective, failure to comply with fair information practices should have consequences. Among these may be cancellation of the right to use a certifying seal or logo, posting the name of the non-complier on a publicly available "bad-actor" list, or disqualification from membership in an industry trade association. Non-compliers could be required to pay the costs of determining their non-compliance. Ultimately, sanctions should be stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion. When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for fraud and subject to action by the Federal Trade Commission.
____________________________________________
For further information, please contact Paula Bruening,
pbruening@ntia.doc.gov
Date: Fri, 30 Jan 1998 09:32:15 -0800
From: Robert Cannon <cannon@DC.NET>
Subject: White House Releases Domain Name Report
To: CYBERIA-L@LISTSERV.AOL.COM
The White House's Green Paper on the Domain Name System has been released. It can be accessed at
http://www.ntia.doc.gov/ntiahome/domainname/domainname130.htm
[Mirrored at: http://jya.com/ntia-dnsdrft.htm]
-Robert Cannon
Internet Telecommunications Project
http://www.cais.net/cannon
GOVERNMENT TO UNVEIL PLAN TO OVERHAUL INTERNET DOMAIN NAMES
January 29, 1998
Web posted at: 6:53 p.m. EDT (1853 GMT)
WASHINGTON (Reuters) - The Clinton administration's eagerly awaited proposal for overhauling the Internet's naming system and phasing out U.S. government involvement will be released Friday, the Commerce Department said Thursday.
The department's National Telecommunications and Information Administration unit said it will post the plan on the World Wide Web at http://www.ntia.doc.gov.
The plan, originally expected in November, seeks to resolve the controversy over management of some of the Internet's most basic functions, including the assignment and registration of names for Web sites.