AOL Consumer Privacy 1997 Comments to the FTC

America Online, Inc. (“AOL”) appreciates the opportunity to participate
in the Public Workshop on Consumer Privacy at the Federal Trade
Commission. We submit this paper as a Notification of Interest in
participating in Sessions Two and Three of the Workshop on June 11,
12 and 13, 1997.

With over 8 million members, AOL is the largest Internet online
service provider in the world. AOL is keenly aware of the tremendous
benefits and potential of the Global online environment. AOL also
understands the risks that arise from interactive networks. Interactive
services offer consumers and businesses unprecedented
opportunities for communications, commerce and education..
Consumers in the online environment can exercise unique control over
content available online and they can avoid content or services in
which they have no interest. At the same time, however, the online
environment presents unique issues in the area of consumer privacy,
as personal information about consumers is easily collected and
transferred online. AOL believes that it is critical for companies
operating in the online world to address consumer privacy concerns
as a prerequisite to meeting consumers’ interests and growing
interactive networks into a global and socially-beneficial mass
medium.

In particular, AOL has a unique relationship with its members that
enables the company to modify its services to make each member’s
online experience as personally relevant, enjoyable and affordable as
possible. In doing so, AOL has spent considerable time balancing
consumer privacy with the careful and appropriate use of consumer
information to improve each member’s online experience.

These comments discuss those efforts and address questions posed
by the Commission about steps taken by online marketers and web
site operators by focusing those questions on the unique privacy
issues faced by Internet online service providers.

In general, because of a growing amount of concern expressed about
personal privacy protection by AOL members and the general public,
in April 1996, AOL revised and expanded its policies protecting the
personal privacy of its members ("Privacy Policy") and has continually
updated that Policy since then. (Please see the AOL Privacy Policy
attached as Exhibit A.) Prior to that time, AOL’s member agreement
(Terms of Service) contained a number of privacy related provisions,
including provisions protecting the confidentiality of private electronic
communications, or e-mail, and governing the disclosure of
information relating to AOL’s member identities. AOL’s current
Privacy Policy not only clarifies and consolidates these various
provisions into a comprehensive body of privacy rules, but also
expands its privacy protections to cover "navigational" and
"transactional" information (i.e., data about what members do and buy
on or through AOL). It also presents a clear segregated explanation
of the Privacy Policy for easy reference by members whenever they
use the service).

AOL believes that among the most challenging and important
questions that the Commission will address in its workshop sessions
are those that relate to children. AOL has spent considerable effort
over the last year revising its policies with respect to information
collection and use as it relates to children in the Internet online
environment. In particular, the company is in the process of finalizing
new policies which govern the area on AOL dedicated to children that
place clear restrictions on the ability of AOL’s content providers both
to collect information from children and to advertise to children. We
look forward to addressing these issues with the Commission in
June.

Despite AOL’s efforts in the area of consumer privacy there remains
one area over which AOL does not maintain control and which
continues to have a significant negative impact on the company and
its members’ online experience -- unsolicited bulk marketing e-mail.
Since the FTC last looked at the issue of consumer privacy in the
online environment in June 1996, AOL has encountered many
problems with unsolicited bulk e-mail being sent to its members
causing consumer dissatisfaction and placing significant burdens on
AOL’s computer servers. In fact, a large part of AOL’s ongoing server
expansion project is the result of the large volume of e-mail traffic that
AOL must handle on a daily basis, much of which comes to our
members from outside sources in the form of unsolicited marketing
announcements. While AOL has implemented several technological
and legal measures to curtail and cope with the volume of unsolicited
e-mail, it remains a significant problem and one that we hope the
Commission will place a particular focus on in the upcoming
workshop.

SESSION TWO: CONSUMER ONLINE PRIVACY

INFORMATION COLLECTION AND USE

Questions 2.1 through 2.8 address issues related to the collection
and use of personal information by commercial web sites or online
marketers. AOL believes that these questions are equally relevant to
Internet online service providers as personal information is both
collected and used by such providers who maintain a unique
relationship with their members. In other words, while consumers are
not required to have independent relationships with the web sites they
visit, (with the exception perhaps of those that require users to
pre-register prior to entry) those who subscribe to services like AOL
do. For instance, to become a member of AOL each member agrees
to read and must accept AOL’s Terms of Service as a condition of
membership. The AOL Terms of Service clearly specifies AOL’s
privacy and data protection policies and practices. AOL’s relationship
with its members allows for easier and more complete notification of
information collection and use policies giving consumers a better
understanding of the protection and potential vulnerabilities of their
personal information in the online environment.

AOL is therefore submitting responses to a selected few of the
questions posed in this section.

2.1 What kinds of personal information are collected by commercial
Web sites from users who visit those sites and how is such
information subsequently used? Among other things, is clickstream
data being collected and tied to personally identifying information?

AOL’s Privacy Policy refers to the collection and use of individual
information which is defined as any information, data or records that
relate to an AOL member’s use of AOL and identify an individual
member or a member’s account. AOL does not believe that the
collection, use or distribution of aggregate information that does not
reveal personal identity, such as member demographics, falls within
its Privacy Policy or raises concerns about threats to personal
privacy.

AOL’s Privacy Policy distinguishes among different types of
individual information since AOL’s practices with respect to such
information varies by category. These categories are: (1) "member
identity and billing information," such as a member’s name, street
address, telephone number and billing information, and any screen
names associated with a member’s account; (2) "navigational and
transactional information," such as information about where a member
goes on the service or what a member buys through AOL; and (3)
"private communications content," meaning the contents of e-mail, or
private chat room or instant message communications.

Under normal information practices, AOL collects and maintains
member identity and billing information to administer its business
generally. AOL also uses such information on a selective basis to
offer its members marketing information on goods and service that
may be of interest. These offerings are customarily made through the
use of “pop-up” screens that appear on individual member screens at
the time of sign-on. However, due in large part to concerns about
personal privacy, in October 1996 AOL granted its members the
option of opting out of all marketing pop-ups through an easy online
process.

On a sample basis, AOL also collects and stores navigational and
transactional information, such as data on the choices that members
make among the range of available services or merchandise and the
times and ways members use AOL. This information is used
internally by AOL for programming and editorial research. The
company also provides aggregate navigational and transactional
information to its third-party content providers to aid them in their
programming decisions about their respective online area. While the
company has made no firm plans about the future use of Navigational
and Transactional Information, may use such information in individual
form on an increasing basis to ensure that each member’s online
experience is maximized by including personalized interfaces and
content offerings.

The most controversial area of personal information online is the
contents of private communications which AOL believes deserve the
strongest privacy protection. The company, therefore, treats private
communications on or through AOL’s service as strictly confidential
and does not access, use, or disclose the content of private
communications. In addition, while claims have been made to the
contrary, the AOL e-mail system retains the contents of private e-mail
communications for a limited period only. However, the AOL
computer system does not record or retain any communications that
members have in chat rooms or through instant messages. (Instant
messages on AOL work like e-mail but take place in real-time
between members who are simultaneously connected to the service.)
In the case of regular e-mail, either coming or going to the Internet or
other AOL members, such communications are permanently deleted
from the system after they have been read by the intended recipient(s)
after about two days. In cases where e-mail has been sent but
remains unread, such communications are permanently deleted from
the AOL system after about thirty days.

The only exception to AOL’s strict confidentiality rule for private
communications, which is clearly delineated in AOL’s Privacy Policy,
is that the company may access and/or disclose such information
only if it in good faith believes that such action is necessary (a) to
comply with applicable law or valid legal process (e.g., search warrant
or court order), (b) to protect the rights or property of AOL Inc., or (c)
in emergencies when AOL Inc. believes that physical safety is at
risk. These exceptions are minor modifications of the default
provisions of the Electronic Privacy Communications Act and provide
AOL with the flexibility it needs to deal with emergency situations.

2.2 To what extent is the collection, compilation, sale or use of
personally identifying, as opposed to aggregate, personal information
important for marketing online and for market research? What privacy
concerns, if any, are raised by the collection or use of aggregate
personal information in this context?

As the online marketplace has shifted towards a forum for online
commerce and commercial advertising, so has the importance of
consumer information risen. While much of AOL’s marketing
research is performed through the use of aggregate data, an
increasing amount of online marketing is made more precise by the
ability to market to individual consumers who have interests in
particular online content, information, services or products. As stated
above, AOL makes its policies with respect to the use of personal
information for marketing purposes clear to members in its Privacy
Policy and gives its members the opportunity not to receive
customized marketing pop-ups from AOL.

Increasingly, AOL is also using individual user information to
customize its services for members. Such customization is not,
however, related solely, or even primarily, to online marketing but to
making the AOL service more useful and enjoyable to our members.

2.3 What are the risks, costs, and benefits of collection, compilation,
sale, and use of personal consumer information in this context?

AOL believes that as long as consumers are made fully aware of the
information practices of their Internet online service provider, as well
as those of the Web sites they visit on the Internet, they are able to
make informed choices about the ramifications of their activities
online, and that the risks of personal information collection are quite
low. This is, of course, dependent upon a guarantee by those entities
operating in the online environment that they will, in fact, abide by
those information practices once they have been established.

On the benefit side, AOL believes that targeted marketing that is
fairly communicated on the Internet presents a huge potential benefit
to consumers who would no longer have to wade through reams of
junk material in which they have no interest. Rather, consumers can
make their individual preferences known to online marketers or online
service providers and receive information about services and products
that meet those interests. We believe such individualized
experiences lie at the heart of the Internet online medium and
distinguish cyberspace from traditional print and broadcast media
which can only provide consumers with generalized content, service
and product offerings.

2.4 What surveys, other research, or quantitative or empirical data
exist about consumers’ perceptions, knowledge and expectations
regarding (1) whether their personal information is being or should be
collected by Web site operators and the extent of such collection; (2)
the benefits and risks associated with the collection and subsequent
use of this information; (3) appropriate uses of such information; and
(4) whether certain categories of information should never be collected
or disclosed to others?

AOL has not independently performed any research about consumer
attitudes towards information collection. The company has responded
to concerns expressed by consumers about certain information
practices and has implemented the procedures discussed above and
those discussed in the following section about unsolicited commercial
e-mail. In addition, because AOL believes that the issues related to
consumer attitudes towards privacy are critical to the establishment of
appropriate internal company information policies and sound public
policy it suggested at the FTC’s last privacy workshop and is
co-sponsor of a survey currently being conducted by Dr. Alan Westin
of Privacy & American Business, the specifics of which are being
submitted to the Commission under separate cover.

UNSOLICITED COMMERCIAL E-MAIL

2.16 How wide spread is the practice of sending unsolicited
commercial mail? Are privacy or other consumer interests implicated
by this practice? What are the sources of e-mail addresses used for
this purpose?

Unsolicited commercial e-mail (“UCE”) is very widespread on
interactive networks. UCE has been a significant problem for AOL
and its members for over a year. From AOL’s participation in industry
associations, it has become clear UCE is also a significant problem
for other interactive service providers and users . During the past
year, AOL members have complained regularly and vociferously about
the volume of UCE they receive from firms with which who they have
had no previous contact or relationship. And, before AOL
implemented its mail filter tools (see below), it received thousands of
complaints about UCE from members each week. Still, many AOL
members continue to receive dozens of UCE messages daily,
requiring regular time-consuming and sometimes costly sorting and
making it difficult to identify messages from friends, family, and
business associates. AOL members who sign on to their accounts
infrequently (e.g., on a bi-weekly basis) face an even more daunting
task as their mail boxes may be clogged with dozens of unwanted
UCE messages.

Historically, AOL members have been angered by the fact that firms
who specialize in sending UCE (“Bulk E-mailers”) have been able to
shift the cost of sending UCE messages to consumers who were
paying for their online time by the hour. Although the move to flat rate
pricing has reduced the number of members that still must pay for
usage by the hour, a significant number of AOL members still do.
Even members who have shifted to flat rate pricing continue to be
angered by the volume of UCE they receive citing that UCE usurps
their valuable time, and slows down and disrupts the performance of
the e-mail network, and diminishes enjoyment of the online
experience.

Bulk e-mailers use a variety of means and sources to harvest e-mail
addresses and create mailing lists. Several UCE firms have copied
addresses from member directories, bulletin boards, and chat rooms
in violation of AOL’s Terms of Service. They have also harvested
addresses from public postings on Internet newsgroups and message
boards. The effect of this is that many members are increasingly
weary of participating in online public debates or communities. Many
AOL members now refrain from posting any information in the AOL
Member Directory or participating in AOL’s message boards or chat
rooms for fear that doing so will invite large volumes of unwanted
commercial e-mail solicitations. This has chilled communication on
the service and undermined the sense of community on AOL.

Although most complaints from AOL members are based on the
volume -- not content -- of UCE messages, the abundance of UCE
messages featuring adult products and services, get-rich-quick
schemes, and miracle diets has further upset members about this
practice. Unlike offers from authorized merchants that operate on
AOL’s proprietary service, AOL has no way to ensure the quality or
reputability of these UCE offers and to protect its members from
unscrupulous practices. Since AOL’s members often times rely on
AOL’s judgment on content, and because many of the bulk E-mailers
use mechanisms to make it appear that AOL has either endorsed, or
worse, sent their messages, the company’s relationship with its
members has been adversely affected.

2.17 What are the risks and benefits, to both consumers and
commercial entities, of unsolicited commercial e-mail? What are
consumers perceptions, knowledge, and expectations regarding the
risks and benefits of unsolicited commercial e-mail?

See response to question 2.16 above which is incorporated herein.
The risks to consumers of unsolicited commercial e-mail (UCE)
include an increase in the cost of using interactive services, a
slowdown in the performance of e-mail services, and a general
diminishment of their enjoyment of interactive services. Although
many consumers have recently switched to flat rate pricing, a
significant number of consumers still pay for hourly usage charges.
Consumers who still pay for online time have to pay for the cost of
loading, sorting, reading, storing, and disposing of their e-mail. But
for all consumers, the indirect but real costs of UCE are significant.
Senders of UCE can succeed financially because they are able to
transfer the cost of sending electronic advertisements to recipients
and their network providers. Accordingly, the cost of sending UCE is
significantly less than sending physical mail solicitations which are
paid for by the sender -- not the recipient or mail carrier. And the
marginal costs of sending UCE are practically zero. This cost shifting
ability distorts market constraints and results in huge volumes of UCE
to unwilling recipients. The UCE firm is not constrained by normal
economic principles such as delivery costs and customer
accountability.

A tiny percentage of AOL members apparently do wish to receive
UCE messages. Presumably these individuals find UCE messages
to be of interest or value. For this reason, AOL has attempted to
impose mail filters (see below) in a manner that gives its members a
choice if they wish to receive UCE messages. As explained below,
many UCE firms have not respected the choice of AOL members by
systematically attempting to circumvent AOL’s mail filtering tools.
While AOL’s mail filtering tool remains imperfect, AOL does not
recommend mandatory limitations of commercial speech or
commerce on interactive networks. In fact, AOL believes that allowing
commercial entities the opportunity to make consumers aware of
products and services that may be of interest is valuable for
consumers and the growth of the interactive medium. However,
interactive marketing and commerce must be performed in a fair and
responsible manner which respects consumer privacy, choice and the
enjoyment of interactive services.

2.18 What costs does unsolicited commercial e-mail impose on
consumers or others? Are there available means of avoiding or
limiting such costs? If so, what are they?

Please see responses to questions 2.16 and 2.17 above which are
incorporated herein.

2.19 Are there technological developments that might serve the
interests of consumers who prefer not to receive unsolicited
commercial e-mail? If so, please describe.

Yes. AOL has been recognized as the industry leader in using
technological tools to empower consumers who do not wish to receive
UCE. In response to its members’ complaints and the increasingly
damaging load placed on its e-mail services by bulk E-mailers, AOL
introduced two user empowerment mail tools: Mail Control and
Preferred Mail™. The Mail Control tool enables members to chose
from whom they wish or do not wish to receive e-mail. This tool helps
members protect themselves from unsolicited commercial mailers and
it allows members to expand their privacy preferences to block e-mail
from any address.

Because the Mail Control tool requires the user affirmatively to list
the specific addresses from which they wish to block or receive e-mail
and because the tool can be circumvented by bulk e-mailers who
constantly change their domain addresses, AOL introduced the
Preferred Mail tool. Preferred Mail automatically shields AOL
members from e-mail sent from certain sites which have been
responsible for sending UCE messages to AOL members, thereby
generating numerous complaints. The list of such sites is updated
regularly through a specific process that ensures that those entities
on the list are indeed senders of bulk UCE. Members who wish to
receive mail from these sites, can easily do so by deselecting the tool
with one click. The Mail Control and Preferred Mail tools have
reduced, but not eliminated, the bulk e-mail problem on AOL. The
tools are not completely effective in part because UCE firms have
attempted to circumvent the tools and undermine members’ choices
not to receive UCE. This is done through a number of methods,
including sending UCE through fictitious and unregistered domain
addresses, and constantly changing their domain addresses (or ISPs)
from which they send UCE. Although AOL is confident that
technological improvements will address these holes and prevent Bulk
E-mailers from circumventing mail filters, there will likely remain a
cat-and-mouse dimension to this conflict, similar to the one which
service providers are engaged in with computer hackers. Recently, a
federal district court declared that a Bulk E-mailers continued
unauthorized sending of UCE amounted to a trespass to chattels
under Ohio state common law since the UCE misappropriated
Compuserve’s computer servers. The Compuserve v. Cyber
Promotions decision, (1997 U.S. Dist. Lexis (S.D. Ohio)), provides a
basis for service providers more aggressively to combat Bulk
E-mailers’ tactics in court. AOL remains optimistic that a combination
of tough self-regulatory standards, technology filters and blocks, and
as a last resort litigation under several broad computer trespass
theories will minimize the UCE problem. If not, both online
consumers and marketers will be damaged and the promise of the
interactive medium will fall short of reality.

SESSION THREE: CHILDREN’S ONLINE PRIVACY

Information Collection and Use

As with the questions related to information collection and use in the
area of consumer privacy to be addressed by the Commission in
Session Two, AOL believes that several of the questions posed
regarding the collection and use of information about children on the
Web are equally relevant to such practices on proprietary online
services like AOL. Therefore, AOL submits the following responses to
several of the Commission’s questions.

3.1 What kinds of personal information are collected by children’s
commercial Web sites from children who visit those sites and how is
such information subsequently used? Among other things, is
clickstream data being collected and tied to personally identifying
information about children; is information being collected from children
to create lists for sending unsolicited e-mail?

AOL’s general Privacy Policy is described in response to the
questions posed by the Commission regarding Session Two. Those
policies apply to all areas of AOL and to all members of AOL and as
stated above, and reflect the company’s commitment to the protection
of the privacy interests of AOL’s members. At the same time,
however, AOL does recommend children ages 6 to 12 partake in
content that is geared directly to them. Such content appears in an
area known as “Kids Only” that contains content that AOL believes
will be of interest to children. This area offers children the opportunity,
albeit in a more protecting manner, to engage in some of the activities
that take place in other AOL areas, such as online chat, with their
peers.

Because AOL invites children into the Kids Only area, the company
now takes extra precautions to ensure that children are not the target
of improper online marketing and information collection practices.
Any information collected from children in the Kids Only area is done
only in cases where there is informed parental consent prior to such
collection. While AOL has not always maintained such strong
policies that, for example prohibit contests targeted to children in
which information is collected, the company’s sensitivity on these
issues has been raised both by the Commission’s examination of
these issues over the last year and concerns raised by our members.
For example, one area in the AOL Kids Only area whose practices
have had to change with AOL’s changing policies is an area operated
by Warner Bros. called “Kids’ WB” As part of its offering, Warner
Bros. has long offered kids on AOL’s system an opportunity to receive
their online newsletter and asked for the child’s full name, address
and phone number in exchange for such privilege. Recently, however,
AOL required Warner Brothers to change the newsletter request
procedure so that kids need only send an e-mail request with no
accompanying identifying information.

In general, AOL’s new policies for the Kids Only area prohibit the
collection of any personal information from children by AOL’s
information providers either in connection with a content offering or an
advertisement. The new policies also prevent any online advertising to
children which invites them to engage in an online transaction or call
on 800 number off-line. Instead, any online advertising designed for
children must be clearly identified as such and provided only in
designated formats.

While AOL does not require parents to limit their children’s access
on AOL to the Kids Only area, the company believes that it should
provide a safe haven where kids can take advantage of the online
experience while not risking invasions into their personal privacy. In
order to help parents ensure safe experiences, the company also
developed its Parental Controls which were described to the
Commission in its June 1996 hearing on consumer privacy. Through
the use of these controls, parents can ensure that kids do not have
access to areas on AOL other than the Kids Only area.

3.3 What are the risks, costs and benefits of the collection,
compilation, sale and use of children’s information in this context?

AOL believes that while the collection of information about children
can clearly help make content developed for kids more useful and
entertaining for its intended audience, it can also present many risks
to children in the online environment. As stated above, it is for this
reason that AOL has expanded its policies in its proprietary areas
devoted to children to prohibit the collection by its content providers of
personal information from children. There have been some examples
where AOL’s information partners have specifically requested that
they be permitted to collected personal information from children in a
controlled environment. AOL has refused to allow any collection of
information from children unless and until the content provider
implements a reliable processes acceptable to AOL that obtains
parental approval prior to any child’s participation. These policies
include, for example, both online and off-line communication with each
child’s parent and an opportunity for the child or the parent to opt out
of the process at any time. AOL hopes to provide the Commission
with a supplemental submission that outlines these procedure’s in
greater detail in advance of the June workshop.

3.10 Do schools, libraries and other settings in which children may
have access to the Web have a role to play in protecting children’s
privacy ? What role do they currently play, and what role could they
play in the future?

As stated above, AOL believes that it is important for services like
AOL that act as gateways to the online world to offer children and
their parents a place in the online environment that permits them to
take part in the online experience while not exposing them to
information collection practices more appropriate for adults. As a
result, while AOL currently does not require parents to use the
parental control mechanisms that AOL offers, it does try to guarantee
that when children go into an area designed for children on the AOL
service, they are safe both from inappropriate content and
inappropriate information collection practices. For example, in the
Kid’s Only Chat area, AOL specifically tells children before the enter
chat the following:

1) Don’t give your password out to anyone, even your best friend;

2) Never tell anyone your home address, telephone number or
school
name without asking a parent;

3) Never say that you’ll meet someone in person without asking a
parent;

4) Always tell a parent about any threatening or bad language you
see online;

5) If someone says something that makes you feel unsafe or funny,
don’t
just sit there -- take charge! Call a guide (keyword: KO Help), leave
the chat room, or just sign off.

This is not say that AOL’s policies can protect children who are
permitted to venture out to the Web or that it is the company’s
responsibility to do so. Instead, these policies help parents choose
whether their children are old enough and experienced enough to
make informed decisions about what information to disclose about
themselves to others. If parents decide that their children are not
ready for such activities, the AOL Kids Only area should provide a
safe place.