July 2004 -- Volume 8 -- Number 7 -- newsletter@truste.org
 

 

 
TOP 5 STORIES OF THE MONTH
  1. In One Year, Do-Not-Call List Passes 62 Million (Washington Post - June 24)
  2. Study Finds Majority of Fortune 100 Companies Share Data (Canoe.ca - July 6)
  3. Hooked on Phonics Fined by FTC (MSNBC News - July 7)
  4. Anti-Spam Plan Forged by E-mail Firms (San Jose Mercury News - June 23)
  5. Unlocking the Mysteries of Your Credit Score (Washington Post - July 11)

Symposium Wrap-Up
What is the future of privacy? Just look at the evolution of the Internet, say plenary speakers at the TRUSTe-IAPP Privacy Futures symposium.

Leading Edge
Rob Gratchner of Intel asks: What are the risks and the rewards associated with RFID?

Knowledge You Need
Parry Aftab interviews kids and teenagers to identify their concerns about privacy.

New Benefit
Check out TRUSTe's new Web site.

TRUSTe News
TRUSTe welcomes several new staff members.

Stay Current!
Privacy events around the world and on the Web.

Privacy Resource
TRUSTe's new white paper helps you craft the style as well as the substance of your privacy statement.

TRUSTe Tech Tip
Back up your commitment to privacy with internal procedures that reflect your public privacy statement.

Correction
May 2004 spyware issue: Missing article found.

Welcome New Members
The newest Web sites to display the TRUSTe seal.

 
 


According to Futurists, the Internet Will Be Everywhere -- and So Will Privacy Issues

by Jonathan Kauffman

“We’ve seen less than 5 percent of the future impact of the Internet,” John Patrick, president of Attitude LLC, told attendees at the 2004 TRUSTe-IAPP Privacy Futures Symposium. “The Internet is more than the World Wide Web. It’s going to be everywhere.”

Patrick was one of a number of futurists who presented plenary sessions at the symposium, which was held in San Francisco in June. Their task? To share their predictions on the future of the Internet in order to help privacy professionals craft long-range privacy strategies.

The notion that the Internet was spreading beyond the frames of our browsers emerged as a recurring theme. Thornton May, a columnist, consultant, and member of the faculties of Carnegie Mellon University and UC Berkeley, said, “If the pace of change in technology means that every 18 months processing capacity doubles, ten years from now . . . every molecule on the planet is going to be IP addressable. Every device will be intelligent and able to communicate.”

May also raised questions about the shifting of the balance between machine and human agency. “We used to use PC technology to look into the digital world. Now we’re using the digital world to look into our world. We are being stalked by our machines.”

Bob Johansen, president and CEO of Institute of the Future, concurred: “The Internet is becoming the geographical Web. We’re moving from the Internet as people communicating with people to things communicating with things on people’s behalf.”

Other presenters and respondents mentioned the proliferation of biometric data, GPS and RFID devices, and other new technologies that will have significant privacy implications. But even when the predictions conveyed echoes of Big Brother, the futurists’ outlook was anything but Orwellian. As respondent David Hoffman of Intel said, “To the degree that you focus on legal framework and compliance, [privacy] looks like all sorts of problems. If you don’t think about privacy as a compliance issue, then you can focus on providing a level of trust.”

May concurred. “If, in four years, we’re going to be able to answer in the affirmative the question ‘Do you have more privacy today than you did four years ago?’” he said, “we’re going to have to take privacy to the streets. We have to make privacy consumable -- and desirable -- for Joe Six-Pack. Privacy can’t be gift-wrapped and given to the American public. They have to care about it.”

Jonathan Kauffman is managing editor of the TRUSTe newsletter. Email him at editor@truste.org.

 
 
 


RFID and Privacy
by Rob Gratchner

Two recent events have brought concerns over radio frequency identification (RFID) technology to the forefront: Last year, Benetton announced that it would start attaching RFID tags to its Sisley line of clothes without notifying customers, setting off an Internet boycott movement that quickly led the company to back off. Not to be daunted, Wal-Mart just issued a mandate to its top suppliers that by January 2005 all merchandise shipped to 150 of its stores must have RFID tags -- the first step in a phased process that will soon affect every supplier and every store in the nationwide chain.

Since these two issues hit the national media, the press and privacy advocates have raised various concerns about privacy. Some groups have claimed that consumers will be monitored and profiled through RFID tags in the items they purchase. Others have expressed concerns that governments will soon use RFID technology in passports and currency.

While some of these claims are at present technologically unfeasible, they indicate to government and industry that the public’s concern over RFID privacy issues must be taken seriously.

In the last few months, I have talked with numerous individuals who are involved with RFID either from an implementation or privacy perspective. They have identified numerous risks:

• Determining an individual’s future actions
• Associating personal identity with tags, or conversely, being unable to disconnect this information
• Determining a tag’s location
• Determining an individual’s personal preferences
• Identifying an individual by all the RFID tags associated with them

This list is probably not completely comprehensive, since RFID technology has so many potential uses. However, it does illustrate that companies who use RFID must create and implement RFID policies. Companies need to review how the information generated by RFID tags will be managed by asking how data will be stored, accessed, protected, and shared.

The key for the business community is to distinguish the real privacy risks associated with the technology from the perceived risks. Only by addressing the real privacy risks up front can we maximize the potential of RFID.

It is important that industry educates consumers about what RFID technology is and gives them choice on how data collected through the technology is used. EPCglobal, which is leading the effort to create industry standards for RFID, has created privacy standards for its members and has started a consumer education program.

Every company considering the use of RFID will need to understand the risks associated with the technology and make informed decisions on how it wants to use these tags. Most risks can be avoided if consumers are given adequate notice and choice.

Rob Gratchner is corporate privacy manager for Intel.

 
 
 


Kids Know -- and Care -- About Privacy Issues
by Parry Aftab

More than 70 million Internet users in the United States are under the age of 18. Preteens and teenagers spend more personal time online than most adults -- shopping, searching, communicating, playing games, and registering for online services. They do their homework and hold meetings online. They are the future of e-communities and e-commerce.

In preparation for a panel at the TRUSTe-IAPP “Privacy Futures” symposium held in San Francisco in June, I polled 30 preteens and teens who work with TeenAngels.org about privacy.

They identified several areas of privacy that concerned them, which in privacy parlance are known as the following:

• Collection and use of personally identifiable information
• Surveillance
• Intrusion on seclusion
• Private facts made public
• False light

According to the kids, personally identifiable information means any information that can be used to find you in real life, such as full names, snail-mail addresses, telephone numbers, schools, or the names of sport teams.

Surveillance concerns the kids mentioned included public surveillance, nanny cams, GPS tracking, monitoring software, and spyware. The kids I polled were particularly concerned about adware and whether marketers could target them for pop-ups and spam.

Intrusion on seclusion -- or as they called it, protecting their “personal space” -- included concerns over access to their rooms, their diaries, and their phone calls, as well as intrusion by spammers, pop-ups, and anything else that gathers information about them and what they do online.

The kids were also concerned about private facts made public -- personal facts about their family, themselves, or their close friends that are shared with the public through the media or with others through rumors or unauthorized disclosures. Some of the children had even experienced cyber-bullying, where private information was shared with kids at another school and quickly spread online.

Concerns over false light, or when the facts disclosed to the user are false or intended to create a false impression, included another form of cyber-bullying: “notify wars” or “warning wars.” Sometimes one kid targets another by provoking her into doing or saying something online that violates her ISP’s terms of service. The provoking child then reports the victim, often using AOL’s online-abuse “notify” feature.

Kids understand privacy. They also understand trust. If you violate that trust, you will not be given a second chance. Overwhelmingly, the kids I spoke to indicated that they see government agencies and big corporations with lots of brand recognition as being more trustworthy. Interestingly, they ranked Microsoft as the most trustworthy, each for different reasons.

Kids and teens also want to be kept informed but not bothered. And they want the ability to control their personal information and prevent intrusions. They recognize that the right method of getting their buy-in isn’t there yet. They acknowledge that they will work with you -- but only if you are giving them some tangible value in return.

It’s all about sharing and not always taking. It’s about earning their trust and not abusing it. Bottom line: With kids, preteens, and teens (and perhaps even more so than with their parents), it’s all about showing respect.

Parry Aftab is a TRUSTe board member, privacy lawyer, consultant, and founder of WiredSafety.org. Keep in touch with recent developments in privacy law by visiting her weblog at http://theprivacylawyer.blogspot.com.

 
 
 
Visit TRUSTe’s New Web Site

The next time you visit the TRUSTe Web site you’ll be in for a treat. We have redesigned the site for improved navigation, added material on email and wireless initiatives, and brought our online brand into the 21st century. The new Web site will feature graphics of our member Web sites with great seal implementations. We’ve also added topical articles and news that will be updated on a regular basis. (Back issues of newsletters, however, are still available.) If this increases the value of your company’s certification and association with TRUSTe, please let us know -- send your feedback to kputman@truste.org.

 
 
 


TRUSTe is pleased to announce the following new hires and promotions:

David Currie has joined our staff as vice president of business development. David came to TRUSTe from ScanAlert, where he was chairman. Over the last 15 years, he has held senior positions in growth-oriented companies like MeetWorldTrade, Neopost, ADP, and Oracle; he also cofounded Etera Systems, the first business application service provider in the United States. Contact him at david@truste.org.

In March, Heidi Berger joined us as an account manager for TRUSTe’s Web seal program, and will help members through the certification process. Heidi’s background is in account management, client relations, and business development at such firms as Aquent and Enterprise Rent-a-Car. Contact her at hberger@truste.org.

Michelle Denovan has joined the TRUSTe team as a senior account manager in charge of the Bonded Sender Program. She has more than 15 years of management experience, most recently as operations and accounts payable manager for Bluelight.com. Prior to Bluelight.com, she held various management positions for Gap Inc. and American Express Travel Related Services. Contact Michelle at mdenovan@truste.org.

We also welcome Krystal Putman, marketing associate; Chris Egli, sales manager; and Chris Lee, renewal sales associate.

In other news, Michelle Hines has been promoted to director of sales and Colin O’Malley has been promoted to director of product management.

 
 
 


Save the Date!

The IAPP Entertainment & Privacy Forum

Date: October 7, 2004
Location: Los Angeles
Sponsored by Deloitte and Hewlett-Packard

2004 IAPP Privacy and Data Security Academy and Expo

Dates: October 27-29, 2004
Location: New Orleans

Keep an eye on the International Association of Privacy Professionals Web site for more information.

More Knowledge Net Luncheons Coming to a City Near You

IAPP and TRUSTe have scheduled a second round of the Knowledge Net Luncheons! Watch your inbox for an email invitation to join us for these free networking luncheons, brought to you by the IAPP, TRUSTe, and Ernst & Young. Dates:

July 27: Chicago
September 22: Boston
September 30: Washington, D.C.
October 6: San Francisco
November 10: Chicago
November 18: Atlanta

Photo (left to right): Ngoc Rodriguez, Cisco; Rebecca Mathias, VeriSign; Gina Peng, California Office of Privacy Protection; Francoise Gilbert, IT Law Group, at the Bay Area KnowledgeNet.

Other October events will take place in New York and Philadelphia; Minneapolis, Dallas/Fort Worth, and Charlotte, N.C. will all host events in early November; and Toronto’s first Knowledge Net will be scheduled sometime late in the year. For more information on these events, contact Krystal Putman, marketing associate, at kputman@truste.org or (415) 520-3421.

 
 
 


White Paper: "Your Online Privacy Policy"

TRUSTe's new white paper, downloadable as a PDF file, provides in-depth, common-sense instructions to novices and experts alike on how to create an online privacy statement. It discusses why businesses should add a privacy statement to their Web sites, as well as who should be involved in drafting the document. Most importantly, the new white paper tackles style as well as substance -- how to make your privacy statement consumer friendly and how best to convey your commitment to privacy. Check TRUSTe's Web site for additional guidance on privacy.

 
 
 
Tip: When establishing your company’s privacy program, build internal documents with an eye to your public privacy statement.

The privacy statement that you post on your Web site is the document that defines your entire privacy program for industry regulators such as TRUSTe and the Federal Trade Commission. Consequently, your internal documentation regarding processes and procedures for enforcing privacy within your organization should be in lockstep with the public privacy statement. These internal privacy policies are typically not made public, but each should convey the meaning and importance of the public privacy statement.

An example: If your privacy statement declares that you train your employees on privacy issues, then you should have an internal privacy policy that reflects this declaration. At minimum, adopt a policy that requires all employees to read the privacy statement, and develop documentation for them to fill out acknowledging that they have read it.

If your statement indicates that you take measures to secure your data, you may want to implement an internal privacy policy covering termination procedures: Once an employee leaves the company, whether voluntarily or as a result of termination, require human resources to direct IT staff to revoke that person's access to all systems, particularly those holding sensitive or personally identifiable information.

Developing internal documents and policies with an eye to your outward-facing privacy statement is one more step toward mitigating your privacy risk.

-- Robert Behrens, JD, senior account manager and Internet privacy specialist

 
 
 


The May 2004 issue of the TRUSTe Advocate inadvertently dropped one of its articles. Click here to read Michael Greene’s piece about Webroot’s anti-spyware practices, including the surprising findings of Webroot’s recent survey on the prevalence of spyware among Earthlink users.


 
 
 


TRUSTe would like to congratulate the following new members on successfully completing our certification process:

AFI Software, ASPGulf.com, AWS Convergence Technologies, Citizens Health Corp., Directmatches.com, ePocrates, E2open LLC, Express Group, Friendly Web Design, InStorecard Inc. dba Retail Presents LLC, Interactive Advertising Bureau, McMillion Research LLC, Onstation Corporation, PartySpace.com, The Monticello Corp., weclicked.

 
 
 


Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org