Comments of Firefly Network, Inc. Concerning Consumer Privacy - P954807

Firefly Network, Inc.
One Broadway, Sixth Floor
Cambridge, MA 02142

Contact:
Andrea Dumont
Cunningham Communication, Inc.
One Memorial Drive
Cambridge, MA 02142
(617) 494-8202 ext. 4254

Information collection and use

Question 2.1 What kinds of personal information are collected by commercial Web sites from users who visit those sites and how is such information subsequently used? Among other things, is clickstream data being collected and tied to personally identifying information?

In general, Web sites tend to collect two types of information: demographic (address, city, state, country and zip code) and personal (name, age, gender and occupation).

Upon registering for firefly.com, for example, an end-user is asked to provide the following information: age, birth date, gender and zip code, and to choose an alias. Using an alias, the end-user can travel to all Web sites that use Firefly technology without ever revealing his/her true identity. Individuals have control over whether they maintain their anonymity or share their identity with the Firefly community. The remaining information -- age, birth date, gender, zip code -- is used to create a personal profile.

Firefly personal profiles are controlled by the end-user. In addition to the demographic and personal information in a profile, end-users can add additional information such as their favorite Web, music and/or movie sites. End-users can, at any time, delete, revise or update their profile. This information is used to provide valuable services such as personalized advertising, content and services on Web sites using Firefly technology.

Firefly technology does not use clickstream data to tie personally identifying information to an end-user. In fact, Firefly believes that an end-user should be able to retain their anonymity when traveling throughout the Web.

Question 2.2 To what extent is the collection, compilation, sale or use of personally identifying, as opposed to aggregate, personal information important for marketing online and for market research? What privacy concerns, if any, are raised by the collection or use of aggregate personal information in this context?

The privacy concerns regarding the use and collection of aggregate information for market research are mainly based on end-users' lack of knowledge of how the information will be used. A common concern among end-users is that the collection of personal data increases a Web site's ability to trace their movement on the Web. With the complex debates surrounding cookies and clickstream technology, end-users are concerned that somehow their privacy is being violated and their personal information is being mishandled.

End-users need to be educated about the positive results and services provided by collecting aggregate data. The collection of aggregate data provides marketers with insightful information about how particular demographic groups spend their time on the Web. For example, aggregate information can reveal where people in the Northeast spend most of their time on the Web; where most 25-30 year old females look for information on financial issues; or if 30 year-old males in the Northwest spend more time researching car statistics than men in the Southeast.

Firefly provides its partners with information on members' likes and dislikes in aggregate form only. As a result, no unique identifying material is provided to Web sites.

Aggregate information can also be useful for market research and targeted advertising to a specific demographic group. End-users are more willing to provide complete and accurate information if they know the information will only be used in an aggregate form.

Question 2.4 What surveys, other research or quantitative or empirical data exists about consumers' perceptions, knowledge and expectations regarding: (1) whether their personal information is being or should be collected by Web site operators and the extent of such collection; (2) the benefits and risks associated with the collection and subsequent use of the information; (3) appropriate uses of such information; and (4) whether certain categories of information should never be collected or disclosed to others?

In the April 10 issue of USA Today, Peter Eisler wrote an article entitled "Social security temporarily unplugs Web site" which highlights end-users' concerns regarding taxpayer privacy being at risk. In response to the controversy, John Callahan, acting Social Security commissioner, said that "many citizens have expressed their concerns regarding the security of the valuable, but obviously very sensitive, data being available online." In outrage over the violation of their privacy, over 10,000 taxpayers protested the use of the site.

A consumer study completed in March 1997 by the Boston Consulting Group and eTRUST reveals that privacy of personal information on the Internet is a consistent, significant concern for consumers -- greatly limiting their commercial Internet activity and impeding growth of electronic commerce. According to the eTRUST Internet Privacy Study:

Over 70% of the 9,300 consumers who responded to an online survey are more concerned about privacy on the Internet than they are about information transmitted by traditional media such as phone and mail.

Consumers' mistrust often leads them to either refuse to provide information on the Internet or to give inaccurate information.

Over 41% of respondents report leaving Web sites when asked to provide registration information on the Internet.

27% of respondents provide false personal information on Web site registration forms.

Consumers are about two times more willing to divulge sensitive personal and financial information to companies that disclose their information gathering and dissemination policies than to companies with no posted privacy policy.

Based on the survey results, the Boston Consulting Group estimates that as much as $6 billion in additional electronic commerce could be gained by the year 2000 if consumer privacy issues were addressed (this projection is based on increases in the proportion of Internet users who are willing to make retail purchases online).

Question 2.5 How many commercial Web sites collect, compile and sell or use personal information? Of these how many give consumers notice of their practices regarding the collection and subsequent use of personal information? With respect to these Web sites, describe (1) how and when such notice is given, (2) the content of such notice and (3) the costs and benefits, for both consumers and commercial Web sites, of providing such notice.

Firefly is not aware of any study that has tabulated a figure regarding the number of sites that collect, compile, sell and/or use personal information.

Firefly provides end-users with notice of how information is collected and used in the Network Privacy Policy and Terms of Service (see attached material). The Network Privacy Policy outlines how Firefly will use the information collected during registration. The Terms of Service are the agreed-upon terms by which consumers use the Firefly service. Both the Network Privacy Policy and Terms of Service are available, via hyperlink, from every page on firefly.com. As a result, consumers can review the policies, at any time, while on firefly.com or any other site using Firefly software tools.

The benefit of these policies to end-users is that Firefly is inviting a free and open dialogue on the issue of privacy and information exchange. Firefly, in no way, attempts to hide, cover up or discourage questions regarding their policies. On the contrary, by making the policies available from every page, Firefly encourages questions, comments and insights as to how the policies are perceived and implemented.

The benefit for businesses with aggressive privacy policies is the development of a brand associated with consumer trust. For example, the Firefly logo has come to be associated with trust, personal choice and control. As a result, consumers know their privacy will be respected and honored at firefly.com. Commercial Web sites that create an open dialog with the end-user will create an atmosphere of trust and respect and, ultimately, will benefit from customer willingness to share more information about product and service preferences.

Firefly Network Privacy Policy

We at Firefly Network, Inc. have one primary obsession: to enable the building of thriving personalized communities based on trust, privacy and freedom of expression.

We want you to feel free to express yourself, but just as important we want you to feel secure within an environment which puts you in complete control of what you share with the rest of the community.

The Firefly Network Policy attests to our commitment to be on the cutting-edge of protecting and campaigning for your rights on-line. Our work with Coopers & Lybrand represents the first time that any Internet company has taken such formal steps. In fact, many of the organizations, including the EFF, EPIC, eTrust and the ISA, who we have been working with to develop the Firefly Network Policy see it as a model for protecting trust and privacy on-line.

But we believe in actions as well as words, so to make sure we are continually staying ahead of the game, below is the policy which Coopers & Lybrand has reviewed:

Firefly Network Privacy Policy

1. Your e-mail address will not be shared outside of the Firefly Network for marketing purposes without your consent

2. Profile information will be used to create personalized content, services and advertising on sites in the Firefly Network. In addition, Firefly and third-party licensees may use your profile to generate aggregate reports and market research

3. You may inform Firefly Network, Inc. at cancel@firefly.net at any time if you would like to cancel your account and have your contact information deleted from Firefly's records

In addition to the Firefly Network Policy, we also take the following steps to ensure your privacy on sites operated by Firefly Network Inc.:

1. Firefly Network Inc. does not require an end-user to provide a name and address to use the service

2. All profile data stored by Firefly Network Inc. has been entered solely by the respective end-user

3. End-users can modify registration data associated with their account, and can control the amount of this information that is disclosed on their member page

4. Firefly Network Inc. does not provide functionality to perform "reverse searches" which find individual names from address, e-mail or phone number information

5. Conversational transcripts of on-line chat are not retained except for moderated chat sessions

6. Firefly Mail communications are only accessible by the designated recipients, except that Firefly Network Inc. personnel involved in maintenance of the system may have access to e-mail communications

7. Recommendations are generated solely based on an end-user's rating preferences and the preferences of other end-users and are not generated by Firefly Network Inc. or its advertisers

No community is perfect but every thriving community should be full of voices: so please contribute, debate, express yourself, and if there is anything that we can do to make your experience better - don't hesitate to speak up about that too!

Use of this site is subject to the Firefly Terms of Service. Read the Firefly Network Privacy Policy. (c) 1996 Firefly Network, Inc. Firefly, Firefly Online, and bignote are trademarks of Firefly Network, Inc. All rights reserved.

Firefly Terms of Service

The following terms of service apply to Firefly Online (www.firefly.com), including the area called "Venues" (located at venues.firefly.com), and the Internet sites "Bignote" and "Filmfinder" (located at www.bignote.com and www.filmfinder.com) -- all of which areas may be referred to collectively throughout this document as the "Service."

1. Member Contributions to the Service

One of the primary goals of Firefly Online is to provide its members with tools to facilitate and foster communication and community. Members should feel free to express themselves. However, comments and contributions from members should be consistent with community values on the Service and must comply with applicable laws. Members may not post messages or content that is abusive, defamatory, obscene, fraudulent, in violation of applicable laws, or which would otherwise be offensive to other users of the Service. Neither Firefly Network, Inc. ("FNI") nor any Venue host can prevent members from placing prohibited content on the Service. In addition, FNI and Venue hosts cannot and do not monitor every communication posted to the Service. Upon notification of inappropriate material, both FNI and Venue hosts reserve the right to remove the content. FNI further reserves the right to block a member's access to the Service upon receipt of complaints about the member's contributions and communications on the Service.

By contributing to the Service, members represent that they have all of the necessary rights to the use of the materials, communications, or other information that they have provided or displayed on the Service. Because FNI is committed to promoting member content and sharing the works of the Firefly community outside the Service, members automatically grant FNI (and any relevant Venue host), or acknowledge that the owner of these items grants FNI and such Venue host, the royalty-free, irrevocable right to copy, sublicense and re-use the items in any form, media, or technology now known or thereafter developed, in any manner FNI and/or the Venue host sees fit. A member may print and download portions of material from the different areas of FNI solely for their own non-commercial use. Any other copying or any redistribution or publication of any downloaded material is strictly prohibited without the express written consent of the copyright owner.

The Service is protected by copyright as a collective work, pursuant to United States copyright laws. You may not modify, copy, publish, transmit, sell, create derivative works from, perform, display, or in any way exploit any of the content contained in the Service.

The information, advice, facts, opinions or other content appearing on the Service posted by members or third parties are those of the respective authors and do not reflect the views of FNI or any Venue host. FNI and its Venue hosts assume no responsibility or liability for these materials.

2. Electronic Communications.

FNI does not retain on-line conversational transcripts (e.g. chat) conducted between members on the Service, other than chat sessions that have been scheduled and publicized as special events. FNI will not review or disclose electronic mail messages exchanged between members on the Service.

3. Links to Other Web Sites

The Service contains links to third-party World Wide Web sites and other resources. Neither FNI nor any Venue host assumes responsibility for the availability or content of these outside sites and resources. Therefore, any concerns a member may have regarding any other site should be directed to the relevant site administrator or webmaster.

4. Changes to the Service

FNI may change, suspend or discontinue the Service, any Venue, or any other aspect of the Service, at any time without prior notice to members. FNI may also impose limits on certain features or services contained in the Service without prior notice.

5. Security

Please notify FNI at 1-888-HELPFLY promptly in the event of any known or suspected loss, theft, or unauthorized disclosure of a member's password. Members are responsible for maintaining the confidentiality of their Service password.

6. Disclaimer of Warranty

Neither FNI nor any Venue host makes any express or implied warranties, representations or endorsements whatsoever (including, without limitation, warranties of title or noninfringement or the implied warranties of merchantability or fitness for a particular purpose) with respect to the Service, any products, merchandise, information or services provided through or advertised on the Service, or the accuracy or results obtained from the use of any products, merchandise, or information or services provided through or advertised on the Service. Neither FNI nor any Venue host guarantees or warrants that any files available for downloading through the Service will be free of infection by viruses or other code that may contain contaminating or destructive properties.

7. Limitation of Liability

In no event shall FNI or any Venue host have any liability for any incidental, consequential, or indirect damages (including, but not limited to, damages relating to loss of business, profits, goodwill, data, programs or information, and the like) arising out of the use of or inability to use the Service or any information, advice, or services provided on or downloaded from the Service or accessed on the Internet from the Service, even if advised of the possibility of such damages and regardless of the cause of action under which such damages are sought, including, without limitation, breach of contract, negligence or other tort. Because some states do not allow the exclusion of implied warranties or the limitation of liability for consequential or incidental damages, the above exclusions and limitations may not apply to you. In such states, FNI's and any relevant Venue host's liability is limited to the greatest extent permitted by law.

8. Payment

Members agree to pay all charges incurred for purchases made through the Service. Members authorize FNI to charge any amounts payable in connection with the use of the Service to the credit card identified by a member in the course of purchasing any item through the Service, subject to the terms and conditions of the service agreement between a member and their credit card issuer.

9. Third-Party Rights

The provisions of this Agreement are for the benefit of FNI, Venue hosts and their respective licensees, employees, and agents. Each of these individuals or entities shall have the right to assert and enforce those provisions against a member on its own behalf.

10. Indemnification

Members agree to indemnify and defend FNI, its affiliated companies, licensors, employees, agents, and Venue hosts from and against all claims, losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from (a) any violation of this Agreement or the Service privacy policy, and (b) any activity (including negligent or wrongful conduct) by you or any other person accessing the Service on your behalf. FNI reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification hereunder.

11. Changes to these Terms of Service and Privacy Policy

FNI reserves the right to change these Terms of Service or the Privacy Policy at any time. Users will be notified within a reasonable period of time following changes to these Terms of Service or the Privacy Policy. A member's continued use of the service following notice of such modification shall be deemed to be acceptance of any such modification. If a member does not agree to any modification of these Terms of Service or the Privacy Policy, they must immediately stop using the Service.

12. Miscellaneous

FNI's failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. This Agreement, the relationship between a member and FNI resulting from this Agreement, and the resolution of any dispute arising out of that relationship shall all be governed and construed in accordance with the laws of the Commonwealth of Massachusetts, without reference to its conflicts of laws. Members agree that any legal action or proceeding between a member and FNI, for any purpose concerning this Agreement or any obligations hereunder, shall be brought exclusively in a federal or state court of competent jurisdiction sitting in Massachusetts.

13. Termination

FNI reserves the right to terminate a member's access for any violation of this Agreement. A member may terminate this Agreement and their membership to the Service at any time. The provisions of Paragraphs 2, 3 and 7 through 12 shall survive any termination of this Agreement.

Use of this site is subject to the Firefly Network Terms of Service. Read the Firefly Network Privacy Policy (c) 1996 Firefly Network, Inc. Firefly and Firefly Online are trademarks of Firefly Network, Inc. All rights reserved.

Information collection and use (cont.)

Question 2.6 Of the commercial Web sites that collect, compile, sell or use information, how many provide consumers choice with respect to whether and how their personal information is to be collected and subsequently used by other sites? With respect to such Web sites, describe (1) what choices are provided to consumers and how such choices are exercised; and (2) the costs and benefits, for both consumers and commercial Web sites, of providing such choices.

Firefly is not aware of any study that researched the number of Web sites that offer consumers a choice with respect to whether and how their personal information is collected. The findings of the Boston Consulting Group/eTRUST study indicate, however, that consumers are less willing to disclose personal information to unfamiliar companies or companies without a privacy policy. The recent controversy surrounding Social Security information being available online indicates a high level of public unrest regarding the use of personal data without proper authorization.

Firefly makes several assurances in their Network Privacy Policy about how end-users' personal information will be used. Firefly considers the principles of "informed consent" -- a clear understanding by the end-user of how their information will and will not be used -- and "value exchange" -- a company should provide clear value to consumers in return for all information shared -- to be at the core of its policy. The assurances in the Network Privacy Policy include:

Your e-mail address will not be shared outside of the Firefly Network for marketing purposes without your consent.

Profile information will be used to create personalized content, services and advertising on sites in the Firefly Network. In addition, Firefly and third-party licensees may use your profile to generate aggregate reports and market research.

You may inform Firefly Network, Inc. at cancel@firefly.net at any time if you would like to cancel your account and have your contact information deleted from Firefly's records.

Every end-user that registers for a Firefly Passport on firefly.com is issued a personal page. On their personal page, end-users can choose what type of information is shared with the Firefly community. An end-user can choose to share his/her age, e-mail address, gender, real name and favorite music and movie Web sites. As a result, the end-user is in complete control over what information is shared with the rest of the community. An end-user can, at any time, access their personal page and remove any information regarding their identity or preference information. The maintenance and revisions associated with a personal page are completely in the hands of the individual user.

Question 2.8 Of the commercial Web sites that collect, compile, sell or use personal information, how many have procedures to maintain the security and privacy of personal information collected from consumers online and what are the procedures?

Firefly is not aware of a study that has tabulated the number of Web sites that have procedures to maintain the security and privacy of information. A 1995 Georgia Tech Survey, however, revealed that 70% of consumers cite privacy concerns as the main reason for not registering demographic information.

Firefly developed a very aggressive privacy policy that details how information will be collected, used and distributed to partner sites. The Policy states that:

Your e-mail address will not be shared outside of the Firefly Network for marketing purposes without the end-user's explicit consent.

Profile information will be used to create personalized content, services and advertising on sites in the Firefly Network. In addition, Firefly and third party licensees may use your profile information to generate aggregate reports and market research.

You may inform Firefly, at any time, if you would like to cancel your account and have your contact information deleted from Firefly's records.

In addition to the Network Privacy Policy, Firefly has also taken these additional steps to ensure an end-user's privacy on sites operated by Firefly Network, Inc.:

Firefly Network Inc. does not require an end-user to provide a name and address to use the service.

All profile data stored by Firefly Network Inc. has been entered solely by the respective end-user.

End-users can modify registration data associated with their account and can control the amount of this information that is disclosed on their member page.

Firefly Network Inc. does not provide functionality to perform "reverse searches" which find individual names from address, e-mail or phone number information.

Conversational transcripts of on-line chat are not retained except for moderated chat sessions.

Firefly Mail communications are only accessible by the designated recipients, except that Firefly Network Inc. personnel involved in maintenance of the system may have access to e-mail communications.

Recommendations are generated solely based on an end-user's rating preferences and the preferences of other end-users and are not generated by Firefly Network Inc. or its advertisers.

Self-regulation

Question 2.9 What industry principles, recommendations or guidelines have emerged since the June 1996 Workshop? Please discuss whether they are permissive or mandatory, whether they include sanctions for non-compliance, and the extent to which they have been implemented within the industry.

Industry principles and standards for evaluating consumer privacy online are just beginning to emerge. Firefly recognizes the urgency of protecting personal privacy rights online and in building consumer trust and confidence in electronic commerce, while still addressing merchants' needs. Firefly was one of the first Internet-based companies to create an open dialogue with end-users on how their information will and will not be used online and is seen as a model for self-regulation. Firefly developed an aggressive Network Privacy Policy that emphasized the principles of "informed consent" -- a clear understanding by the end-user of how their information will and will not be used -- and "value exchange" -- a company should provide clear value in return for all information shared. These principles and the Network Privacy Policy were formally evaluated by Coopers & Lybrand L.L.P. which has developed the first formal guidelines for evaluating privacy policies.

As a result of its ground-breaking work with Coopers & Lybrand, Firefly was asked to become a member of the eTRUST steering committee and was the model used to develop the "trustmark" and auditing guidelines program. Russell Sapienza, partner in the Internet Assurance Services at Coopers & Lybrand, said that "the procedures we developed with Firefly have broken new ground for evaluating privacy policies. In fact, we have used our work with Firefly as a model for the initiatives currently underway with eTRUST and the implementation of a universal trustmark."

The eTRUST program includes:

A branded system of "trustmarks" or logos that represent the Web site's information privacy policy for consumers' personal information and alert consumers as to how the information they reveal online will be used.

The "trustmarks" are backed by an accreditation procedure with privacy guidelines and standards for businesses that license them. The trustmarks are not intended to be a rating mechanism but rather a standardized method for assuring consumer privacy through informed consent.

A scalable assurance and monitoring process involving self-assessment, community monitoring and professional third-party auditing to ensure compliance with guidelines.

A widespread awareness and education program for consumers and merchants including: extensive targeted marketing, media communications and PR campaigns.

The full "trustmark" program will be unveiled and implemented in June 1997.

Question 2.10 What steps have individual commercial Web sites taken since June 1996 to address online privacy? How many have employed the procedures for notice and choice set forth in the Joint Statement on Online Notice and Opt-Out presented at the June 1996 Workshop by the Direct Marketing Association and the Interactive Service Association?

Firefly and Coopers & Lybrand L.L.P. formed a partnership in August 1996 that would result in the development of new guidelines and procedures for evaluating privacy policies. Firefly and Coopers & Lybrand have become pioneers in developing auditing standards and procedures for evaluating a company's privacy policies.

As a result of the company's foresight, Firefly Network, Inc. became the first Internet company to receive an Unqualified Opinion from Coopers & Lybrand L.L.P. for control over privacy procedures in February, 1997. The Coopers & Lybrand opinion results were the first formal evaluation of any Internet-based company's design of an internal control system as it relates to the company's privacy procedures and policies. Firefly believes that privacy policy and procedure audits in the 1990s are in an analogous position to the fiduciary audit process initiated in the 1960s. Both audit processes offer customers assurances of integrity and honesty in core business practices.

In developing Firefly's Network Privacy Policy, the company looked toward the direct marketing industry and European privacy policies as examples of strong consumer-based policies. The company considers the principles of "informed consent" -- a clear understanding by the end-user of how their information will and will not be used -- and "value exchange" -- a company should provide clear value in return for all information shared (e.g. a company should only require your home address in order to fulfill a purchase order) -- to be at the core of its policies and procedures.

These principles are highlighted in the Joint Statement on Online Notice and Opt-Out. The Firefly Network Privacy Policy clearly outlines how information is collected and used and provides end-users with the ability to control what information is shared with other Web sites.

1.33/1.34 What efforts are underway to educate consumers about data bases containing sensitive consumer identifying information? What are or should be the principal message of such efforts?

Please refer back to question 2.10.