IBM Institute for Advanced Commerce Privacy Symposium, Joel Reidenberg

BACK TO MENU

STUART FELDMAN, IBM

Welcome back. We now have the opportunity to hear from a panel chaired by John Patrick of IBM, people representing the four most important activities for private sector responses on privacy. In some sense, this is the industry's current answer to Ira Magaziner's challenge. I'm looking forward very much to hearing from all their comments, and hand it over to John.

JOHN PATRICK

Okay, thank you, Stu. Good afternoon. Welcome to our final session of the program for today. It's only this panel standing between you and the reception.

But if you don't ask good questions, we're going to make you stay in here. We're going to lock the doors until we have lots of good questions. This is going to be your panel. We're going to ask each participant to speak for just five minutes to give you a perspective on this subject, from their especially and their point of view. We're fortunate to have some wonderfully experienced people here with us on this panel to offer some insight, plant some seeds with you that I'm sure you'll find quite valuable.

Now, Bob Wientzen who is the CEO and President at DMA is always last, because his name starts with W. So we're going to ask him to go first. In some respects, Bob has been around this perhaps longer than any of us, so I think he'll have some very good insight for us. So, Bob, let's start out with your comments.

BOB WIENTZEN

Okay, thank you very much, John. I guess as the representative of the Direct Marketing Industry, for which really data is the very lifeblood of our entire industry and, you heard from Barry, and others, because the people on the previous panel were all members of the DMA. We particularly appreciate the opportunity to participate here, because in fact this is a core issue for our entire industry.

And there is certainly a lot to say on it, and we have a lot of involvement in it. And, as John Patrick has said, we have been involved as an association in this area for about 40 years in an organized way, and in fact have a whole department of people and a lot of ongoing activities that deal with it. And we know that there are concerns out there by consumers, so that needs to be said first. We do know that.

And the message came through from the vice president's comments last week, certainly that government has some concerns where yet he did call for self regulation, and the continuation of self regulation with, I guess, the exception of the medical area, which has been the hallmark of what the Direct Marketing Association and the Direct Marketing Industry has attempted to do for certainly the last 25 or 30 years. We do know that there is a lot of concerns in the newspaper.

We heard from Dr. Weston that explains in fact that there are concerns, factual concerns, that are measurable on the part of people. However, it's our point of view, and I think our experience, that people assign different levels of concern for various types of information, and how personal information is used. And we sometimes lose sight of that as we reach sort of a panic state when this issue becomes hot, as it has in the last few months, and certainly over the last year or two.

We believe that people are less concerned about marketer's use of transaction information than they are about how their credit or medical information is used. So we do have a concern, and some of the things that I'm going to talk about in a second are focused on trying to deal with marketing information. While we recognize that those applications that work there may not work for everything, we think it's important for you and others to make distinctions about the nature of the information, and to not, in effect, lump everything together when we talk about the various issues that are being talked about.

Because there are federal laws, certainly fair credit reporting act, that we've heard about. There are laws pertaining to the issue of telemarketing. And there, I think, are sufficient laws in the area of credit and that area, that have been in place for some time, and we expect there will be those that deal with the medical area. So, bottom line, I want to make a point, it's dangerous to generalize, and I would hope we keep that in mind. A second point, is that any business today that's going to succeed in the information era is going to have to deal with a customer focus service point of view, obviously. Enough said.

However, and I guess IBM would be a great example of that. In fact, they're putting on this conference for you, in many instances, their customers. That observation is important when you realize that the direct marketing industry, which is built on trust, and built on the use of information, has grown to be about a $1.2 trillion industry, growing at twice the rate of retail. Based on trust, which we recognize is a key component, but I think what I want to get across is that this has always been a concern of the purveyors of material and information, et cetera, at distance. And if it would not have been the case, our success wouldn't have happened had we not had the build up of consumer trust.

Third, I think that in order for e-commerce to succeed, we have to get out of the business of blaming people for the problems as they come up in the area of privacy. And we have to get out of the business of trying to work in isolated camps. We have to work together, and there are numerous parts of the world, I think, of information processing, that really need to be drawn into this discussion in a positive and proactive way.

One of the things that I feel is important is that technology has been the driver of a lot of these debates and discussion recently, because of the Internet. And, in fact, one of the themes of my comments would be that I think we need to get the word out to marketers, those who come into contact with the consumers in your companies, those who have the communication responsibilities, that they are the ones who have to get actively engaged now. The time is now, and that the technologists can't carry the ball. Because the solution is only partially in the technology area. I think the rest is going to be in the consumer communications area.

Now we've been doing things for a long time. I don't want to take any time to go into detail about them, but we do have this clear point of view that we have to educate the consumer. You'll see it in some of our materials out there, including a book called "Get Cyber Savvy." We have to give consumers the ability to opt out. You've heard people talk about that. Most importantly, we have to give consumers notice about what we do. Very simple principles. If we do those things, we believe that this problem can in effect be dealt with. And we can go on and expand e-commerce in a way that I think most of us would like to see it happen.

I think the final comment I would make is about e-mail for a second, because I think it's so important. And it tends to get lumped in again with the issue of privacy. We think e-mail should be preserved as a marketing tool, we think it can be. We think the e-mail of the future is going to be a lot more exciting, and worth preserving. And we don't want to see it trashed, if you would, because of the behavior of a few. We do have some systems that we're working on that we think will make that better. But we would hope that you would be supportive of the preservation of marketing e-mail as a marketing tool of the future, which we think has great promise. So I didn't want to let the opportunity to make that statement get past, and I know we haven't talked about it very much earlier today. So thank you very much.

JOHN PATRICK

Okay, thank you, Bob. Well, that was an excellent perspective. It ties quite nicely with some of the comments that Esther made about the five percent impacting the 95 percent. So a lot of good questions were imbedded in what Bob had to say there. Not just about e-mail, other things as well.

Christine Varney, I think can add a great deal to planting of seeds for questions as well. Christine is with the distinguished firm of Hogan and Hartson, and she's just recently returned there after spending five years in government service, working at the Federal Trade Commission as commissioner, prior to that as an advisor at the White House. She has a breadth of experience in Internet technology and with all aspects of the associated business issues. So let me ask Christine to make some comments for us.

CHRISTINE VARNEY

Thank you very much, John. It's interesting to be here. I think many of you I know from my previous role as a Federal Trade Commissioner and your dinner speaker tonight, David Medine and I, about three years ago, along with other FTC staff people convened a meeting. And I'd like to say it was some of the smartest people all of us knew from different disciplines to say, what should the Federal Trade Commission be doing in the next century? Both on the competition side, and the consumer protection side.

And it became obvious to us very, very quickly that on the consumer protection side, privacy was probably going to be the number one issue of the information age. And as we began to work on it, it became clear to us that market based solutions that gave individual controls were probably going to be the most effective mechanisms to protect consumer choice when it comes to their own data. As a former government official, I had always believed that the market could be more responsive and more flexible.

After all, I'm from the administration that brought you both clipper chip and CDA. So I'm not too confident in my own colleagues' ability to bring you legislative coverage, legislative protection for privacy. However, we've been talking about this, at least I've been talking about it, we at the FTC have been talking about it, for three years. And last February in San Antonio at the Computers, Freedom and Privacy Conference I finally sort of stood up and said, look. You know, I am the original promoter of market-based solutions here. But as much as Esther doesn't like the word self regulation for that, the ideas that we've talked about that are encompassed by that term of self regulation, in order for self regulation to work, it has to exist.

And we don't see it across the board. DMA has done some great work. IRSG has done some great work. Some companies have done some really good privacy policy work. But it's not comprehensive, it's not broad based. It in no way creates sort of a viable structure for self regulation on privacy. So I said that in February at CFP, I said it again in March at the CIL Conference and created quite a ripple.

And shortly after that, a number of companies, many of whom are here today, came to me and said, well, wait a minute. You know, we think we can do this. We have been thinking about how to create a private sector-based, responsive privacy marketplace. And, you know, we may be a little late, but better late than never. So what is in the process of being put together is something called the On-line Privacy Alliance. It's not official yet, it's not announced.

It's a very broad based group of companies and trade associations across different sectors that are trying to think about how we could in this country honor our traditions of sectoral decentralized privacy while promoting and protecting individual choice in the information age. And what we've come up with so far is that this privacy alliance needs to do a few things. It needs to develop principles of fair information practices. Not to reinvent the wheel, you know, the commerce department has put them out, OMB has put them out, OECD has put them out. And in very short hand, they're essentially knowledge, notice, and no.

Tell your customers what data you're collecting. Tell them what you're going to do with it. Give them the opportunity to say whether or not they can -- they give you their consent to have their data, and use it in the ways which you've disclosed. So these companies are articulating those principles on a very high level. They will commit themselves to adopting those principles in their own companies by the end of the year. And encouraging their business partners to also adopt privacy principles, data collection and data protection principles, appropriate to the industry or company they're in.

They're also thinking about, and again, with apologies to Esther, what does self regulation look like? Self regulation enforcement. We think it probably has two components. Authentication, and consumer dispute resolution. Authentication. How do you know that a company does what it says it does? Now we've got all these companies, they all have their privacy policies. They put them up. There has to be a variety of ways that different companies can authenticate that they are following their practices, ranging from self validation. Somebody in the company saying, yes, I've reviewed the practices, and they are what they seem to be.

Outside sources. Whether it's law firms or CPAs validating what the practices are. Or government review on occasion as appropriate. The other thing that I think you have to have for a self regulatory enforcement system is a variety of ways to solve consumer disputes. And I think both TRUSTe and BBB will talk a bit about that. The Alliance is struggling to come up with a clear statement of policy on the collection of data from children. So far we are looking at that as children 13 and under, and I think we'll get there.

There is obviously a lot of discussion when you have a very diverse group of companies at the table. What's the appropriate policy for the collection of kids' data? Then the final thing this group of companies and trade associations hopes to do, after they've agreed to the principles, pledged themselves to adopt the principles, committed to some self regulation enforcement. Is business and consumer outreach. I mentioned the idea that these companies will encourage their business partners. Some very big companies are investigating whether or not it makes sense for them to require as a condition of doing business that their partners have privacy policies.

And we'll also be looking at the right ways to do consumer outreach, to educate consumers that they have privacy interests that they can choose to protect on the Internet. So, we'll hear more I think from our other panelists on the self enforcement piece, and I'll save the rest for questions.

JOHN PATRICK

Okay, thank you Christine. We have a very interesting thread developing here, a very broad one. Our prior panel talked about how specific companies are dealing with this issue, and I think we would agree that having every company devise their own approach is not a very good answer, certainly from a consumer point of view, a user point of view. On the other hand, it seems unlikely, and actually undesirable, to have a single global approach that all industries would take. So what we're hearing here is something in between.

We're hearing about some fairly broad approaches to this, but as you listen to the presenters, listen for the differences between some of the ideas they're talking about, and that'll be a good source for our questions. Well, next we're going to move on to Susan Scott, who is the executive director of TRUSTe. I can tell you through our long association with TRUSTe that the thing has made it, come this far, and it's made terrific progress, has been the personal energy, and the passion for the subject that Susan has given to this. And so I think you'll enjoy hearing her outline of how this is going. Susan?

SUSAN SCOTT

Thanks, John. Just to give you a little overview on TRUSTe. We are a non-profit organization. We were formed about 18 months ago, and we launched at the FTC privacy workshops last year in June. It's been almost one year since the program has been in effect, and I would venture to say that the program has really started to catch wind, actually about two months ago. Strangely coincidental to about the time when the government started really putting down their heavy hand, or exerting a lot more pressure.

We were founded by two organizations, one which as Esther mentioned, was the Electronic Frontier Foundation. The other was Commerce Net, which is an industry consortium of about 500 electronic commerce companies. The significance of that, I think, is key because what we feel with this program is that we can effectively bridge -- and there can be a win, win solution between business and the consumer. That one doesn't have to lose in order for the other to win. And those are the types of principles that TRUSTe was founded around.

We have two primary goals. One is to accelerate the growth of electronic commerce, and the other is to forestall any type of government regulation. Now, to get into the program a little bit, what Christine had articulated as far as fair information practices are concerned, is something that we support. What we ran into in the 18 months that we were implementing the program is, a lot of people don't know where to start. What should be included, et cetera, so when the Department of Commerce came out with their elements of effective self regulation, it was a great starting point for these companies to start looking at what was required.

Notice, consent, adequate security. Having a verification processes, as well as consequences for non-compliance. Those are the elements that we follow in TRUSTe. We help organizations put together comprehensive and accurate privacy statements. We look at the web sites, we look at the privacy statements. Make sure that they are consistent. If they are, and they're meeting the principles that we have outlined, we award a seal, a TRUSTe seal. Now, based on that seal, what the sites are agreeing to, is to accommodate TRUSTe in our review process.

Not only does a review happen initially, it also happens quarterly. The reason for that is because what we've found, is because this is such a new practice, people fill out their privacy statement, kind of put it on the shelf, and forget about it. And their sites have changed dramatically in a quarter, but no one's remembered to update the privacy statement. So we're trying to help web sites remember that what you post is a promise to your consumer, or your customer, and you need to abide by it. Trying to keep sites out of trouble, if you will, while we try to embrace fair information practices.

So we're doing that. We also have a consumer recourse, or dispute, mechanism. Where in the privacy statement itself, it's saying that TRUSTe is reviewing the site's privacy statements, and the site itself. And if they have any questions, or any type of inquiry, they can either forward that directly to the web site, because that is one of our principles, that needs to be disclosed. Or they can decide to come through TRUSTe. We have built in various mechanisms into our program that allow us to track what an individual site's privacy policy was on a particular day.

Otherwise what we find, it comes down to he said, she said, and no one really knows what the actual privacy statement was on a particular day. That is one of the things that we try to do in order to make sure that the sites are staying honest, and we can quickly resolve any types of inquiries that have come up. We've handled about a couple of dozen of them so far, and all of them have been handled, and resolved to the customer's satisfaction. So we're very happy with the way that that's been working.

We've had tremendous success, as far as from the industry so far. With AOL, Disney, Yahoo, Netscape, Excite, Web Crawler, the Wired publications having all signed up. We have about 125 sites up now. It may not seem like a great number, but our focus has always been on the quality and the visibility of sites, and not so much on the quantity. We think that will follow in due time, when the industry leaders step up to a self regulation program.

JOHN PATRICK

Thank you, Susan. Very profound some of the points that Susan made. If you're a large company, and most of you are, the very process of putting a trust mark on your web site brings out the best and the worst in your organization. In the sense that when Susan talks about your web site, I'm sure that many of you have maybe hundreds, if not thousands, of web sites within the domain of your overall company. So when you decide to have a trust mark for XYZ Company, how do you get everybody in the company lined up together -- agreeing to even the same goals with regard to this broad topic?

It's a very interesting exercise in and of itself. Well, last but not least is Russ Bodoff. I first met Russ here in New York City a little over three years ago, when we talked about the Better business bureau On-line, and it was just an idea at that time. And I must admit, it was pretty far out there on the edge, Russ, at that time. And you've come a long way, and are still pushing very hard to stay out on the leading edge. So we'd appreciate your perspective now. Russ is the VP of marketing, by the way, for the Better Business Bureaus.

RUSS BODOFF

Thanks, John. Well, you heard earlier from Alan Westin some statistics that pointed to the awareness and recognition the Better business bureau system has. I won't get into that, but let me give you just a quick introduction to the organization. Better Business Bureaus have been around for over 80 years. There are 135 better business bureaus, an infrastructure with about 2,000 staff. We do about 14 million consumer transactions a year, and about a quarter million businesses that are members of Better Business Bureaus.

In 1971, the council of Better Business Bureaus was formed as the parent to the Better business bureau system. But even more importantly, it brought about the establishment of the national advertising division, and our children's advertising review unit, which are major self regulation programs in the advertising industry. And, in fact, the chairman of the Federal Trade Commission, Bob Pitofsky, has described our advertising self-regulation program as the most effective self regulation in the country today. So we do have a good history of some very effective self regulation.

Just last year, in 1997, our children's unit revised its Carew guidelines to account for what's happening on the Internet, and marketing to children, and we define children 12 and under. And I know our Carew guidelines are part of the discussions that are taking place in the alliance efforts that Christine was talking about. We also launched BBB On-line, which for us was about two years in discussion, and a lot of effort. But within the year's time that we've launched it, we now have 1,300 companies carrying a BBB On-line seal.

The seal signifies a company that's committed to a series of standards of good business practice. It's to help consumers quickly identify reliable businesses. We also, off our regular BBB web site, have probably taken thousands of complaints about businesses. So while I don't think a lot of people identify the Better business bureau system as a technology with-it kind of organization, we have really been involved in a lot of Internet activities, and I am going to bet with the 1,300 companies carrying our seal, and the others that we have looked at, and some that we have turned down, that we maybe have looked comprehensively at more web sites than almost anybody.

But we've not been involved in privacy, and my confession is, I probably have the least experience in privacy than almost anybody in this room. But I think we have a great deal of expertise in self regulation activities. But we were approached about three months ago, right at the time when the privacy topic in the administration was really heating up. We were approached by a number of major leadership corporations, IBM, Hewlett Packard, AT&T, and some others, as well as some major trade associations, urging us to take a look at developing within the BBB On-line brand, the Better business bureau organization, a privacy initiative.

And we were urged to do something, because it was felt that with the public name recognition, that the Better business bureau system has the business relationships that we have, and the trust that exists within regulatory organizations for the Better business bureau system, that we had a real opportunity to do something that could potentially head off regulation in this area. So let me just say, we've heard self regulation described here today. Over and over, the term is mentioned.

But the important thing to keep in mind when we talk about self regulation is that self regulation is about business. It's about business looking at itself, and regulating itself. And it only works when you have the commitment of the business community. And I think it's important when you have a self regulation provider that has the recognition and the trust of that business community, to accept the programs that are coming forward. And the other thing I see -- because we've talked a lot, and the companies represented here are major corporations.

But certainly our experience on the Internet to date in our BBB on-line program, has been everything from the largest advertiser in the world, Proctor & Gamble carrying our seal, down to the smallest one person business. And with hundreds of thousands of businesses on the Internet, I just urge us to consider that whatever comes across in a self regulation program, it's something that's applicable to small, medium and large companies. Because that's the excitement of the Internet.

When we talk about what we see happening in the privacy area, and what we would like to do by way of the BBB on-line privacy program, and where it may differ a little bit from some other programs out there, is number one, is we want to develop a new initiative within BBB on-line, actually a new seal program, a co-branded seal program. We say co-branded. It is something that would be co-branded with major trade associations. So they could become the major force in carrying the message to their own company members, and become very influential in being the prime contact with those companies.

But operating under a series of core criteria, and what that would allow is the ability for industries to customize the program to the needs of their industry. As long as they met a series of core criteria. So if you're in specific industries that may be in the financial area, or in the insurance areas, or medical areas, where you need something more specific, we feel this program would give you that opportunity to have that. But one of the real differences that we see in the program, and it is different than things that are being discussed here at the panel, is we don't think self certification works.

We don't think the regulatory organizations will buy into that, and we don't think auditing is the way to go also. Because it is too expensive, outside auditing, for the majority of businesses operating on the Internet. So we put together a concept called self assessment. Which would be a comprehensive series of protocols that a company would have to evaluate itself against, and their application to seek a BBB on-line seal would be to submit all that self assessment process. And then each year when they renew it, they'd have to go through that self assessment process again.

And one of the keys there, by forcing the company to go through a good self assessment model, it would force them to take a look at themselves, and what their processes are internally. And we think it would help strengthen the whole process. But it would enable us to deliver a seal at a low cost, and enable us to deliver a seal, we think, with a high confidence level. And I think the other aspect of our program that I would mention, is putting together a core steering committee.

Although a lot of the things that we think a steering committee could do, which was really driving the policy and programs of where our program would be going, is we'd probably get a lot of direction from the effort that Christine is heading up and that alliance. But we believe in self regulation as consensus. And we're not the privacy experts so we're going to look for the right people to come together and help drive such a program.

JOHN PATRICK

Thank you very much, Russ. Well, a lot of common goals in what you've heard from the four speakers, but clearly some considerable differences also. So let's open it up to the questions that are on your mind. While you're thinking, I have one. Get those questions ready now. The question that I've been wondering about, and I'd like just a brief comment from each of the panelists about, has to do with the global nature of this subject.

We all know, of course, that the Internet works exactly the same in Boston as Beijing, as Basingstoke, as Brisbane. A really good idea from Slovenia. Finding a need for that idea in Anchorage, Alaska. Can get together and do a transaction. So it's just like one global local area network. Yet when I look at all of these programs, frankly they have a very American sound to them. Most of the announcements seem to come from the White House, or from American companies. Most of the trust marks, and seal programs are American in nature.

What are we doing to make this a global issue? And have global solutions for it?

BOB WIENTZEN

Well, we're doing quite a bit actually. We formed the International Federation of Direct Marketing Associations. We've got 27 signatories to a set of 10 principles, which encompass on-line behavior. We are working to expand that, we expect we'll add another four or five countries. But the countries that have signed up are pretty much the developed companies that have a reasonable amount of Internet activity. We have a set of standards that have been operational here in the US. We have now on-line guidelines, there's a copy out there on the desk in the black covered folder.

And we are moving to get countries to at least the associations that are operative in those countries that have direct marketers who are on-line, to adopt those principles. And so far, they seem to be gaining some degree of acceptance. I was in South America last week, and in Europe the week before, basically preaching that message of trying to get companies to understand that those guidelines exist, and to get them to sign on with their associations that they belong to.

And they do seem to recognize, in quite a few countries that this is an issue that sort of comes with the adoption of on-line transactions. It's kind of interesting, my sense is that many of them are going to buy into it, as just the way you do it when you get into this kind of industry.

JOHN PATRICK

Thanks. Christine?

CHRISTINE VARNEY

John, it's an incredibly interesting question, one that we spend endless hours debating in Washington, and in other places. How do you translate local norms and customs into a global medium? And beyond privacy, it's clearly what's happening all over the world. You know, what's prohibited as hate speech in Germany is first amendment protected speech in the United States. So how do you balance, if you're a government enforcement agency, the norms that you're trying to create jurisdictionally in your geographic area, as they move out over the net?

I think at this juncture, what we need to look to in the privacy arena, is developing the principles that will guide our companies as they move into this global medium. They may not be acceptable principles in other companies in other countries. Then you get into, well, is it up to our government to negotiate with other governments the need for acceptance? Or do companies go and do they negotiate individually with countries? Or do countries place clear and conspicuous warnings to their citizens, and let the citizens make decisions that, you know, this company may or may not comply with our law.

For example, in many of the Scandinavian countries, advertising of tobacco or alcohol is completely illegal. So, you know, you go to the Seagram's site, and you tell me whether or not that's advertising. Yet if you're in Scandinavia, who do you want to prosecute? Do you want to prosecute Seagram's? Do you want to prosecute EU-Net that maybe, you know, the pipe that it's coming through? Or do you want to prosecute the citizens for looking at it? I mean, these are questions that are being struggled with today. But I don't think that that can inhibit our ability to help develop the norms that ought to guide our own companies.

SUSAN SCOTT

I think from a strategy perspective, I agree with what Christine's saying. As far as our global roll-out plan is concerned, I think this is where our partnership with Commerce Net comes in. They are, as I said, a global consortium. They have offices around the world, and what we have talked to them about, and have an agreement, is that when we are ready to roll the program out internationally, that we would use their organizations as licensors of the TRUSTe program.

What we're trying to do at this point is, you know, fine tune it in the United States, since that's where most of the electronic commerce business consumers [sic] happening right now. And really trying to refine that model before we begin to roll it out to other countries. And having said that, I think we're also waiting to see what transpires, or what the resolution is between the EU as well as the United States.

RUSS BODOFF

Somehow I think, John, you asked me that question three years ago when we met. Actually my answer is probably similar to what Susan and Christine said. BBB on-line was set up as a separate corporation with the better business bureau system, and one of the reasons was so we could deal with issues such as what's happening in the global arena. And the 11 initial companies who are our founding companies, and the ones who financially helped get us going are all multi-nationals. And that's been an active discussion at our board meetings.

But the feeling in you know, it's almost what Susan said, 70 to 75 percent of commerce is in North America right now on the Internet. Self-regulation works, let's put models together that work here in the United States. Then we can figure out how to do this outside the United States. Who we have to partner (Inaudible) this, how do we share programs. I don't think anyone knows truly what the answer is. But one of the things we've done in the Better business bureau system for the privacy initiative, and I think it's really important to make it successful in the global scene, is we've separated from our local better business bureau programs.

So we have a commitment that what we're going to do private in the privacy arena is not going to be a local bureau effort. It's going to be done as a centralized coordinated effort the way we do our national advertising programs. And it gives us the ability to eventually negotiate, or enter into arrangements with organizations in other areas of the world. And Ira Magaziner addressed our board a few weeks back, in urging us to take this major initiative in the privacy area. And he mentioned the fact that there were probably, and I think he mentioned it this morning, that there are a number of organizations around the world who are probably very eager to start looking at working with us towards a more global approach.

JOHN PATRICK

Okay, thanks very much. I believe there was a question over here.

QUESTION

Yes. Two questions, actually. I guess the first for Christine and Russ. With the desire to have self regulation for privacy and to do it in four to six months, looking at other industries, is there a best practice for deregulated -- or nearly self regulated -- industries that could be brought in as a framework? Which seems to me you would need if you were going to try to stave off 100 bills that are pending, and then the political pressure.

And then the second question, I guess, goes to Russ for the self assessment. How do you have independent verification and validation of self assessment? Or how do you assess whose self assessment practice or process is better than someone else's?

CHRISTINE VARNEY

Go ahead, Russ.

RUSS BODOFF

Okay. Well, let me deal with the self assessment question first. We feel a good self assessment program -- and we are bringing in outside expertise to develop that and to build that model, if you have the right program, with the right understanding of the way corporation data flows, and the right pieces that you need in place, by forcing the companies to respond to the questionnaires that you have, you would have a testimony in a sense that a company has the processes in place.

It really will depend -- and I liken it to -- those who are familiar with the ISO-9000 -- a quality program. ISO-9000 never assures that you have a quality product. It looks at the processes that are in place. There's an assumption there that if you have good quality processes in place, the end result will be a quality product pops off the production line, for example. And I think that was our thought process in looking at the self assessment model. Is that if we can be assured that the processes are in place, and we have the companies looking at those processes and signing off to those processes, then hopefully the assurance is that there's a good a privacy program at the other end of that.

CHRISTINE VARNEY

I know you didn't direct it to me. But I would just add that, I think whether or not BBB On-line, if they get into this, offers a range of, whether you call it authentication, validation, verification, or there's other programs. It seems to me because of the diversity of businesses on the net, you need to have a diversity of mechanisms to check. For example, you know, very small mom and pop web sites. I always like to think of hot, hot, hot, the site that sells hot sauce. You know, they say right on there, we don't do anything with your data other than send you the hot sauce. Period.

So, you know, I would hate to see them be dissuaded from going through a process of filling out -- you know, pages and pages of forms, or expensive audits. I think they ought to be able to say we collect data to fulfill transactions, period. Some of the big companies that I've talked to, some of the Fortune 100 companies, clearly are willing to make privacy part of what their auditors audit, and put it out in their 10-K. I think that ought to be an acceptable mechanism as well. So I think we just have to provide for variety.

On the other paradigms, or frameworks that you can easily move into privacy. I'd have to say they probably don't exist, although the DMA has done some very good work in developing one. To me the essential difference between what the broadcasting division does, and what we're talking about here, is in large part -- and I don't know if Russ will agree with this, a lot of the reason the national advertising bureau worked in the beginning is that it was it's very centralized. All the ads used to go through the broadcasters, and they got vetted at the broadcast level.

So when you're talking about the Internet, and on-line, it is so diffuse, and so diverse, it's very hard to kind of keep that centralized model. Although some aspects of it we need to take forward. Like Russ mentioned, that if BBB gets into this, they'll be doing it at a national level, as opposed to a local level. I think we have learning that we can take from different efforts, but I don't think there is one that's easily transferable.

BOB WIENTZEN

Let me add a point. You might keep in mind that these self assessment, and other kinds of self declaration programs, do have in the context of the FTC and other fraud laws that are on the books, the ability to say, wait a minute. If somebody represents that they are doing something, and in fact it turns out that they are not, and that's a relevant, false representation, et cetera, than we do have some ways to back -- some of it up.

So that, whether it be TRUSTe or the BBB program, or ours, or anyplace else where someone says, I do -- I make this statement publicly, and it turns out that that's not true, and you've engaged in commerce. Because of it, there may well be FTC sanctions that could be brought against that company.

CHRISTINE VARNEY

John, that's a really important point. I don't know if it's been brought out today, that, you know, self regulation only works, if it works at all, if it's backed up with very strong government enforcement of existing laws.

RUSS BODOFF

I think one of the reasons our advertising process has been so effective, that if companies don't comply with a final decision, we refer it over to Federal Trade Commission. And I think we would see the same thing happening in any self regulation program developed to deal with privacy on the Internet. You'd have to have that ability, that if the self regulatory piece didn't work, that you turn it over to the appropriate regulatory organization for action.

SUSAN SCOTT

Right, and that is part of ours.

JOHN PATRICK

Great question, thank you very much. Esther Dyson has a question.

ESTHER DYSON

Yes, I wanted to get back to the international issue. But just, on TRUSTe and other things, the presence of the government is absolutely guaranteed. Because what you have is a binding contract between the licensee, or the member or whatever, and the organization. If you break that contract, you can be sued. Just as you can for breaking other contracts, whether it's in a French court, or a US court, or whatever. One the international question, it's tough for Ira Magaziner to go waltzing in and tell the French government what to do.

That gets their backs up right away. And at the same time, I've spent a lot of time in Europe. I can't talk as much about other regions. Companies there, number one, are not as willing to stand up and be counted in whatever way. They prefer to negotiate behind the scenes, and this is a rampant generalization, but it's true. And second, they like controlled marketplaces. There's a much they feel much more comfortable with the notion of government regulation of almost everything. And so if you believe in the kind of freer markets that I do, your real ally is in fact the consumers.

And those of you who are doing business on-line will probably find you're doing a higher percentage of overseas business on-line than of regular business, whatever business you are in. The ability to get on the web and order a book from Amazon.com is not terribly exciting in the United States, where you can go down the street to Barnes & Noble, or you can call an 800 number. But in Russia, it's a miracle. And so you're finding lots of consumers outside the United States, much more enthusiastic about the opportunities that they get here.

And they're going to get more and more used to American styles of disclosure, and privacy, and so forth. So I'm pretty optimistic about this. The thing vendors need to do is to acknowledge their overseas customers more than they do. Take a look at who's coming to your web site and consider adding some other languages, and being a little more international minded.

JOHN PATRICK

Good point, Esther.

CHRISTINE VARNEY

Although I'd have to say, Esther, if one of the languages you add is French, the French data protection registrar will assert that you are under his jurisdiction.

(LAUGHTER)

ESTHER DYSON

Thanks.

JOHN PATRICK

Esther, are your Russian friends able to get a credit card?

ESTHER DYSON

A lot of them are. I just have to tell a funny story. I was in Russia two weeks ago, and I needed to buy some underwear. So --

(LAUGHTER)

ESTHER DYSON

I asked this Russian woman friend of mine, well, where would you go? And she said, oh, if you want to know the truth, I wait until I'm going to the US, and I go to J.C.Penney.

(LAUGHTER)

BOB WIENTZEN

She could get it from a catalog, Esther, tell her please.

JOHN PATRICK

Okay, who has the next question? Yes, up front here? Oh, I'm sorry, Irving is next.

IRVING

Should I go ahead?

JOHN PATRICK

Please.

IRVING

Yes, again on this international question. Last month I gave a talk in Washington to Met '98 which was all about Internet too, and essentially the title of the talk I gave was around the Internet as the empowerment of the individual. And I was talking about power to the people, and things like that.

(LAUGHTER)

IRVING

And, you know, here I am, an IBM executive talking about power to the people. Which reminds us culturally this is such a US-centric initiative, and power to the people -- a lot of governments don't like that very much.

(LAUGHTER)

IRVING

And even as we were discussing, as Esther pointed out, the European government and people -- you just don't think that way. So we just have to work ourselves through these kinds of issues, but the culture that's around this, that's making it successful, is just such a supremely American culture. I don't know how else to say it. And I'm also wondering what the role -- this is such a distributed initiative, as we've all been discussing. And I'm wondering what the role of -- the equivalent of reviews. The equivalent of the Zagat guide, to web sites, which when they rate web sites, part of the rating will be respect for privacy. What do they do with the data? And whether the notion of reviews is not an incredible market pressure on highly decentralized businesses. I'd like to hear all of your comments on any of the things I've said.

BOB WIENTZEN

Irving, I make one comment. I think the issue of reviews is important. From my travels overseas on the international question, I see a number of companies using their concern, and their respect for the individual in a lot of ways, as a marketing tool. Identifying themselves with a higher standard of, if you would, a US standard on this issue, I think, can be seen as a marketing tool. The other point I want to make is there's self regulation. I like to think of something else called peer regulation. And that is a bit different.

We try to do it in our industry, where we say, you know, it's often times helpful for a company to hear from a supplier, or to hear from a customer, that their particular practices may or may not be appropriate in regard to this kind of an issue. And we're trying to talk up in our industry, saying it's not bad. It's not inappropriate for you to speak out. If you see suppliers or customers doing things that you think are probably not consistent with their best principles.

And to encourage an environment where there can be free discussion of that by peers, I think can make a big difference. In addition to this issue of being, quote, self regulatory.

CHRISTINE VARNEY

I think there's a huge market opportunity for something like a consumers union, to come along without necessarily making an overall judgment on sites involved in e-commerce. But to go through, and to look at a variety of practices that sites are engaged in. From security, to privacy, to reliability. You know, all of the things that you would care about as a customer, and just to give them, you know, a rating based on an impartial, but informed review of the practices. I don't know when we'll see it, but I have no doubt that we will.

I've long thought that privacy is only a piece. You know, when you go on-line, remember the old joke, it's great, you don't know whether you're dealing with a lawyer or a dog. It allows anybody to be selling on-line, and I would really like to know that these sites that aren't the L.L. Beans of the world, I want to know whether or not they're reliable before I put my credit card over, whether or not it's encrypted. So, yes, I think there's a huge market opportunity and I hope somebody steps up to it soon.

SUSAN SCOTT

I think as far as TRUSTe is concerned, reviews are a big part of our program, it's the backbone of the program if you will. To your point on what is a good practice, or are we ranking sites by what they do with information, that's not something that we're looking at. What we say is disclose what you're doing, because as we have seen, you know, people do fantastic things for Eric Clapton tickets. Myself, maybe Linda Ronstadt. But, you know, having said that, I think everyone is different as far as what information they're willing to give up.

And our principle has always been, we are not going to make that distinction. If what you're doing is lawful and legal, as long as you are adequately and prominently notifying the user of what you intend to do with that information, based on that information, the user can then make that decision whether to disclose the information or not.

JOHN PATRICK

Russ, did you have any comment?

RUSS BODOFF

Yes, I'd certainly you know, when Christine mentions reliability of the business, and the references we had to the Eric Clapton tickets. Are you going to give out your personal information to get two tickets? But the reality is, how do you know that company's a real company that has the two tickets? One of the interesting things that we have found in doing our evaluations on reliability of businesses, that there's a tremendous problem in contest and promotions on-line. And these are issues that the whole Internet community are going to have to face.

Because, you know, contests are dictated often by state laws. Now we have an Internet product that's not only, you have to deal with 50 states, but you're looking at international criteria also. Contests have to have rules. Once you get away from major company web sites, and you start seeing these contests and promotions, suddenly you don't see rules, and you don't see anything else. So the reliability tied to privacy starts becoming important. It starts becoming this whole effort of confidence.

And we're hoping. we put up a search engine for people, if they want to come and find businesses who are in our reliability program, and we're hoping if we get into the privacy area we would expand that. So people would have a place to come, and we'd make that search engine available at other locations as well. And if you want to search for a business that's met reliability standards, or if it's important for you to search for a business that meets privacy standards, you can do that up front.

JOHN PATRICK

Very good, thank you. The gentleman here has a question. Identify yourself please.

RALPH JOY

It's Ralph Joy from Visa. Everything that I've ever seen says from an opportunity perspective, that business to business E-com completely dwarfs consumer to business. So with that in mind, what do I need to be doing differently if I'm an offerer of a commercial site, or if I'm somebody that wants to buy, going on-line? And I'm doing commercial to commercial transactions? And it's an open question for the whole panel.

JOHN PATRICK

Yes, in other words does this issue apply business to business? Very good question.

SUSAN SCOTT

I can give one perspective on it. We talked to a company who is selling electronic components, if you will. And a lot of high technical companies are buying various components from this company. And privacy was a big thing for them, even though everything was business to business, because if, for example, you were buying components to work on your next generation product, let's say, and I was your competitor and somehow I accessed that, they felt very confident that they would know what it is you're working on, and what direction your company was headed in.

So I think there it depends a lot on that type of relationship that you have with your customer. Whether it's a individual consumer or a business, and I think they're still debating, Christine, you might be able to speak more on that, but from a EU perspective that there's still talk that that might be considered a personally identifiable information, if you're dealing with one employee, from a particular organization, and you have that person's name, for example.

BOB WIENTZEN

Yes, I think that's really the powerful point here, is that business to business implies that its two inanimate non living things doing business together. When in reality, it's Bill Smith the purchasing agent in company A, dealing with Sally Brown in another company. And they're people, and people have feelings and attitudes, and trust perceptions of other companies. So I think it's very applicable, equally applicable actually.

CHRISTINE VARNEY

Let me try if I might to take that from both a micro and a macro perspective. On the micro level, look, if you're a global company, you've got employees all around the world. And the European directive clearly applies to the information that you've got about your employees. And as you move data around your global networks about employees, if you're going out to search for a new executive, the kinds of material that you can solicit on the potential new employee, the kind of material you can transmit, there are all kinds of laws around the globe.

So if you're a global company, I think it really very much does apply to you. As Susan pointed out, if you're dealing with an authorized agent from another company, you know the identity of the agent. So there's a lot of implication for you on a micro level. On a macro level, for me, and a lot of you have heard me say this before, what growing the medium of e-commerce is about is in part trust. And that is as much in business to business setting as in a retail consumer setting. And trust, I think, has four elements. Security. You know, how do you know that the data that you're transmitting digitally is secure.

Not just, is it encrypted, but the security of the underlying networks. Authenticity. Is the, you know, agent that you're dealing with in the other business authorized to make the purchase that they're executing? Privacy. And recourse. What legal regime is going to apply to the transaction? So I would say, if you're a business engaged in business to business e-commerce, trust is very important, and privacy is an integral part of trust.

BOB WIENTZEN

I'd just add one comment, and that is that the B to B area is the fastest growing e-commerce area. The potential is fantastic. More important, as someone told me recently, the highest order time for their company was early Monday morning. Which they finally figured out was that people who did not have computers at home read about some products and so forth, came into the office and then ordered them first thing Monday morning as a result of their research.

The reason I comment on that, is because some of the practices which we will see put in place regarding B to B are going to influence people in this early stage, and therefore I don't think we want to forget about privacy or security. And it's more a function of security, I think, in a lot of cases. It's just good business. But it's also going to influence the consumer of tomorrow. So we can't afford not to worry about it both from an ethical point of view, and then from a strategic point of view as well.

JOHN PATRICK

Excellent point. Question in the back? Esther?

ESTHER

Yes, this is a short question for the gentleman who's from Visa. (Inaudible)

CHRISTINE VARNEY

A short question for the gentleman from Visa. Would you ever consider having some kind of a privacy policy a condition of getting a Visa merchant account?

BOB WIENTZEN

Great question.

CHRISTINE VARNEY Esther's doing our business to business education here.

(LAUGHTER)

RALPH JOY

The best way to probably answer that at this point in time, is to say that Visa has wholeheartedly endorsed the concept of SET for protection of Internet transactions. And there are various different policies and requirements that go along with SET. But I know that the policies are also under review, and are developing as the time goes along. So I guess the best answer I can give you at this point in time.

JOHN PATRICK

SET does make sure that you know who the merchant really is, and that they know who you really are. But it doesn't really address what each other does with the information that they exchange. So it's sort of a necessary, but not sufficient in terms of Esther's question.

RALPH JOY

And I think the other thing to remember is that Visa as a company, indirectly regulates what our banks do in terms of signing up customers. Both card holders, as well as merchants. So, you know, you can police it to a certain extent. But the thing I would say, is we're developing policies as we're going along, the same way that everybody else is. So stay tuned.

JOHN PATRICK

Yes, that seems to be the one clear thing here, is that we can tell we're certainly at the very beginning of all of this.

BOB WIENTZEN

Could I make one comment about that. And that is I think this is one of the developing issues that is really going to become a bigger and bigger one here in perhaps the next few months. And that is who's data is it anyway kind of question. And technology has advanced to the point of -- just taking a credit card transaction. When I take my credit card, and hand it to somebody over here to pay for a meal, where does that information go?

How many people touch it, or how many corporation entities touch it that I may or may not be aware of? And we think one of the criteria that we've got to start to think about, is what does the customer, the consumer, expect? What do they believe? Because in fact that may be important. So if I hand my card to somebody at a Marriott, maybe I hold the Marriott responsible for that data. If it's a Visa card, maybe I can expect that Visa has some responsibility.

But it may pass to two additional companies, as many of us know it does, before it gets to and from Visa and so forth. So I would stress that if your company is involved in these transactions, many of you are, that you really need to be asking yourself, what does the consumer expect is going to happen to the information about them? And be guided in a lot of ways by your answer to that question. I think this is really an important issue that we're going to have to face, whether we like it or not, in a much more public forum in the coming months, if not the coming year.

JOHN PATRICK

Question in the back?

HARRIET PEARSON

I'd like to ask the panel a hypothetical --

JOHN PATRICK

Could you identify yourself please?

HARRIET PEARSON

I'm Harriet Pearson with IBM. And all of you have been involved on the panel in privacy issues for a while. I'd like to ask a hypothetical that is designed to clarify the differences among your initiatives. And maybe draw out a little bit more of the details. I heard Ira Magaziner talk this morning about the urgency of business doing something. I've heard that individual companies doing -- individual activities is a good thing, but not sufficient. Guide me, if you would, in what my next steps ought to be other than adopting my own privacy policy. Tell me how the alliance that Christine is working on, that a number of companies are working on, would meet the need here. And tell me what TRUSTe or BBB would, you know, how should I inter-relate with the other private sector responses that we're hearing about now?

SUSAN SCOTT

I can talk about that. My phone number is 650 --

(LAUGHTER)

SUSAN SCOTT

No, we have a program that is available right now. You know, my advice to the executive would be to call TRUSTe and find out what the next steps are. As Esther mentioned, there is a licensing agreement that needs to be filled out. There is a fee that starts out $249 and goes up to $5,000, depending on what your company's revenues are. It's a sliding scale based on ability to pay. And when we get those two documents, the check and the agreement in, then we begin review of the privacy policy.

What we've found, though, in many instances, is that the privacy statement hasn't even been created yet. And that's where it can take an excruciatingly long period of time, depending on how big your company is, and how much information you're collecting, and how many people have access to that information. Because to a large extent, it is a strategic decision that is being made at the top, whether -- for one thing, I think people are learning, you know, for the first time, what exactly is happening with the data that's being collected.

And then, is that a good idea? Is that a good idea to articulate that anybody can have access to this at any time? Or is it a better strategy to say, we are going to be making this data available to XYZ, or to no one at all? It'll just be kept internally. So there is some internal decision making that needs to happen. You know, we love it when people come to us and the privacy statement is already there. It makes it a lot easier. We can't help with articulating what your privacy statement is, and what you do with the information. We can help review it. But coming up with the statement itself is that responsibility obviously lies with the site and the company.

RUSS BODOFF

Well, it's a little more difficult for me to answer that question. If you're interested in reliability, as Susan said, give me a call and we have a program for you. If you're interested in privacy, we have made a (Inaudible) decision. We're still looking to see whether the major corporations who have approached us are serious enough to help fund the jump start for us to do this. And we're hoping to learn that over the next few weeks.

So we're in a process right now of talking to a lot of different companies, and going through a learning curve right now, whether this is something that we should engage in. Our BBB On-line board, which is made of 11 leading technology companies, and our Council of Better Business Bureau board, has made it very clear that we are only going to engage in this initiative if the funding is up front to get this started. We're not going to be in a position as an organization -- we're just not in a position financially to go into a hole to jump start this.

I think there's a key here, because there's a message being delivered by the administration. That, you know, that the clock is ticking, and self regulation, if it's going to happen, has to happen fairly soon. And there's a lot of talk, so now's the time to see whether companies are willing to follow up with a check, to the talk. And, again, if you're interested in that scale, I'll give you my phone number as well. But we're talking about some larger dollars that are needed to really get us jump started in this area.

CHRISTINE VARNEY

I guess I would tell you as a senior corporate executive to do two things. You started the hypothetical by saying, you know, what do we need to do besides we already have the privacy policy out? Well, I would go and do sort of a corporation wide audit. What kind of data, very quickly, what kind of data is it that you do collect that's individually identifiable? What do you do with it? And if you're not in the information gathering industry, do you really need it? And to really do some corporation soul searching about the kind of data that you have, what you do with it, what your needs are for it, what's the cost efficiencies.

This in conjunction with that, rather than having a privacy policy up, I would try and foster a corporation culture that respects data collection, data processing principles. So that you really look at who's gathering the data, who's got the access to it, and you make a concerted effort as a corporation to adhere to what I'm sure you've adopted, as the highest level of your information practices. Now if you're concerned about the political message that you're getting, I think as a company, you've got to look at your bottom line.

How much are you going to be driven by whether or not there's legislation, or whether or not there is effective self regulation? If it's irrelevant to your bottom line, great. Check into your trade association, see what they're doing, and you know, be supportive of them. If it's something that is important to you as a company, that you want to show some leadership on, if it does have an impact on your bottom line, get active. Get active, whether it's with BBB, TRUSTe, DMA, the privacy alliance. Wherever it is, make your voice heard, and make it heard now.

Because I do believe on July 1st, the president will be ready to say whether or not he believes comprehensive legislation is needed to protect individual privacy in the United States. And if more corporations don't speak up now, I believe the answer to that will be, yes, we do more comprehensive government action.

BOB WIENTZEN

I would say two things, very quickly. One, if you don't have a privacy statement on your web site, and I would be willing to bet a whole lot of money that some of your companies don't, based on what I know about having looked at that in great detail. Cancel your plans to be here tomorrow, go home tonight, and get it done.

(LAUGHTER)

BOB WIENTZEN

It's ridiculous that there are still some very legitimate companies that don't have a statement of privacy on what their practices are. Nobody's dictating what your practices have to be, just get a statement up so the public knows. Number two, if you are in the direct marketing business in any way, shape or form, get a hold of our guidelines, and our recently announced standards, because we are putting in effect a program that will say, if you do not follow the standards, and we have an enforcement procedure in place, that we will be excluding you from membership in our association.

So please take that seriously, because that is a program that is well underway.

CHRISTINE VARNEY

Bob, it's interesting, you and I have talked before about, you know, when you try and talk to companies, and say, just figure out what you're doing, and disclose it. And they get sort of horrified. Oh my god, we can't tell people what we're doing.

(LAUGHTER)

CHRISTINE VARNEY

What sort of maybe that dictates a revision of the practice. Not to disclose it.

BOB WIENTZEN

Or we don't know what we're doing right.

(LAUGHTER)

RUSS BODOFF

I'll just add one, because I just have to be a little different than what Bob said, when he said, "just get your privacy policy up there," is get a privacy policy up there if you have the commitment within your company. Because one of the things that we've learned as we talk to companies, and the government affairs people start talking to the marketing people, who talk to the web site people, and everybody's going in a different direction. And some sites have thrown up a privacy policy, because it looks good, and the web manager said, this is a great thing to do.

But there's no commitment in the company to stand behind some of the things that are out there. So there are legal concerns, so make sure, and it is important. Get the buy-in from the key people, and get them together to talk about it in the company.

JOHN PATRICK

Lots of good advice here. I have a question. Christine?

CHRISTINE VARNEY

Yes?

JOHN PATRICK

How many approaches should we have? We have three and if you count yourself with the Online Privacy Alliance is four and Web Trust is and AICPA. That's five. Should there be just one?

CHRISTINE VARNEY

No.

JOHN PATRICK

Should we set up a schmooz area --

CHRISTINE VARNEY

No. I don't --

JOHN PATRICK

-- at the reception and force a merger here?

CHRISTINE VARNEY

No. (Laugh). No, but if you want to merge call me. I'm an antitrust lawyer in my spare time. (Laugh). No, I think, first of all you have to acknowledge that privacy issues in the United States have historically been treated sectorially. And I think that's a tradition that we're committed to continuing in this country. So I don't think you'll see a one size fits all approach. I think, in addition, different consumers and different businesses have different needs. So although you run the risk of confusion on the front end of the market place, I believe there will be market winners and that they will provide solutions for the various types of individuals and organizations who need them.

JOHN PATRICK

Okay good. I agree. Question right here.

CHRISTINE VARNEY

STUART?

JOHN PATRICK

Stu Feldman. Stu, hold a second here comes some mike.

STU FELDMAN

In the interim before everything settles out wonderfully assuming there are these four activities plus ICPA, plus several others.

CHRISTINE VARNEY

Four right.

STUART FELDMAN

And here I am just a happy consumer.

CHRISTINE VARNEY

Right.

STUART FELDMAN

Which of these do I believe, as opposed to you know the Jolly Roger pirate.

CHRISTINE VARNEY

Uh-huh.

STUART FELDMAN

shield --

CHRISTINE VARNEY

Right.

STUART FELDMAN

-- which someone else puts up --

CHRISTINE VARNEY

Uh-huh.

STUART FELDMAN

-- which may or may not be indicative. What are going to be the mechanisms that will convince a consumer to be interested?

JOHN PATRICK

Yes.

STUART FELDMAN With due respect, you know I have heard of the Better Business Bureau. DMA I know of only for you know --

CHRISTINE VARNEY

Right.

STUART FELDMAN

-- professional reasons as it were. TRUSTe is an insider's operation in some sense. How is that consumer supposed to work his or her way through this thicket over the next three years?

CHRISTINE VARNEY

Well it's very tough and I think, Stu, as much as anything that's a brand equity question. You know the people that are having great success in retail sales on the net are people that have brand recognition going on. It's much harder to get the brand recognition and build it.

I think it's very tough for a consumer right now to figure out if it's not a company they know of, and if it's not a company that there's a lot of buzz about, whether or not it's legitimate. And I have to say with all due respect for my dear friend Susan and everybody who has worked on TRUSTe including myself, the vast majority of consumers TRUSTe doesn't mean anything to them.

SUSAN SCOTT

Okay my turn.

CHRISTINE VARNEY

Yes. But you got to start somewhere.

SUSAN SCOTT

Exactly right. And granted, branding is something that we're very conscious about. On the other side of the coin, I think the other thing that we're looking at also is, some of the websites that I haven't mentioned, they are some of the largest website that they are out there. If we get consumers who are frequenting these website to continually see our mark there, it's going to mean something.

And I think the credibility that comes with being with an AOL, a Disney, a Yahoo, an Excite, is going to go a long way in branding us and in raising the credibility of the mark. But I would agree, branding is huge and I'm sure a lot of you have had some experience in that. Hundreds of millions of dollars to brand worldwide.

CHRISTINE VARNEY

Yes.

SUSAN SCOTT

So, as I said what our strategy is really to start with the most frequented sites and grow from there and also to get the credibility that comes with being part of one of these very successful sites or a great number of these successful sites.

STUART FELDMAN

So Susan over the next 90 days what percentage of web users do you think will encounter a TRUSTe mark?

SUSAN SCOTT

And that's a good question and that's something that we're trying to figure out, because we think it's going to be substantial. Right now, we have ten of the top twenty websites and you know I think we'll be very close to getting all of the Top 20 in the next 90 days to sign up for the program. So, you know I think it's a very, very high percentage, but that's a number that I'd like to know also.

JOHN PATRICK

Uh-huh. Another question. Yes in the back.

DIANE BARON

Yes this is Diane Baron from IBM. And I have a question for Christine. There's been a lot of activity in terms of self-regulation or discussion of self-regulation and you encourage people to continue that. Can you give us a better idea of what criteria President Clinton will use on July 1st, to make a decision as to whether or not we are ready for self-regulation or the government will have to step in?

CHRISTINE VARNEY

Yes, I think the President will reference the Federal Trade Commission report to the Congress that's due out. I think the two metrics will be the Federal Trade Commission report that's due to the Congress in June and the Commerce Department is due to report to the President in early July. As a matter of fact, last year, the President issued directives to many, many government agencies involved in e-commerce or the promotion of American business doing e-commerce to report back to him on a number of issues.

So he'll have a lot of input. I think fundamentally what the White House is going to look to is whether or not there is, at this point -- I think it's fair to say there won't be a robust and booming market for consumer control of their own data.

So I think it's fair to say that at least they will be looking at whether or not the beginnings of such consumer control of data and business disclosure of data collection and processing is disclosed, is prominent. The FTC and I think you can ask David over dinner, conducted a survey, a research undertaking which I assume David was scientific in every regard. And to look at not even the quality of privacy, as I understand it, privacy policies that were posted on the web but merely the quantity.

And I think it's probably safe to say -- it's sort of an open secret in Washington, that the results of that survey were just dismal, just awful and that's going to influence I think greatly where the President comes out.

Now, on the other hand the Commerce Department is meeting regularly with a number of businesses in this room and the Alliance and a number of others and there are you know a number of companies and trade associations that are really committed to trying to get the robust underpinnings in place and in place quickly and making measurable commitments for this year to roll out a variety of different practices. So, we'll see. I mean it's very tough.

JOHN PATRICK

I'd add one thing, having had a conversation with Secretary Daley on Friday morning about this. I think the issue of information about children and the collection of information about children and how creative we are in trying to deal with the special problems there will be one of sort of a specific additional criteria that's going to be looked at. Yes, Mark Green.

MARK GREEN

Also on the point of what consumer's understanding of this is and the perception they'll when they see these various logos showing up. If I am understanding correctly there's a mixture of purposes for these logos. In some cases, a logo means the site is conforming to a specific --

CHRISTINE VARNEY Right.

MARK GREEN

-- and consistent policy. In other cases, it simply means you have one.

CHRISTINE VARNEY

Uh-huh.

MARK GREEN

And working in other areas where for instance the VISA logo, where the MasterCard logo appears and sort of always means the same thing.

CHRISTINE VARNEY

Uh-huh.

MARK GREEN

I'm worried whether consumers get confused when they see logos that have different meanings.

CHRISTINE VARNEY

I think there is a fair opportunity for consumer confusion. Unfortunately, the alternative is for the government to lay down the standard and administer it. I mean I don't know you know other than letting the market evolve and competition between standards and letting consumers find a standard that suits their needs. Yes, the cost of that is the risk of confusion. The alternative to have a single standard, in my view is not the best alternative for the web.

JOHN PATRICK

But isn't it likely as these various marks become more prevalent that that will raise the awareness that there are marks which will raise the opportunity for the various trade press and public advocacy groups to review those sites and to call out the differences.

CHRISTINE VARNEY

Yes.

JOHN PATRICK

And that will cause competition and that will perhaps cause people to come together and merge or perhaps to separately enhance their individual abilities.

CHRISTINE VARNEY

No that's right and although you know we spend a lot of time and Ira in particular spends a lot of time calling for a seal, you need to keep in mind that, you know my other hat, my antitrust hat, seals have a very nasty history in this country. I mean seals have been used more often to foreclose competition and keep competitors out of a market, than anything else.

JOHN PATRICK

Hmm.

CHRISTINE VARNEY

Troubled by a variety of seals.

JOHN PATRICK

After all you know if you think about the way marketing has grown up in this country, if you think about the early days of home remedies and tonics and what have you and even, even if you look in developing markets it's the issue of brands and brand names and companies building brand awareness for their stable of brands and brand equity that really makes for consumer trust. And in a long term I don't know why we would expect this to be any different.

The companies that today are marketing medications and so forth that we trust are those that have built, over time, some degree of trust and it was the same thing that you know they faced a hundred years ago. So, we're going to see that happen.

That's why I think we need to encourage the legitimate companies that have held back so far. My old employer, Procter and Gamble, perhaps at General Motors and so on have to get in and to market their products with their brand name, so the consumers begin to recognize that there can be trust associated with the products, with the offering et cetera. It'll take a little time, but I think that's what's going to happen. Yes in the back. Esther?

ESTER DYSON

Yes, again somehow consumers have managed to figure out the difference between different annual percentage rates on their credit cards. And one of the most exciting things that I read about in the Wall Street Journal this year was how the home equity, the home mortgage business has turned into a really rotten business, because a number of upstart companies are coming into the market place and offering to refinance people's mortgages at lower rates and the guys who gave mortgages ten years ago thinking consumers were really stupid, and would never refinance are discovering that consumers are smarter than they think they are canny marketers who come into this market with an interesting proposition and I would encourage Visa or MasterCard or American Express to take this to heart. And they could really give their merchants a real edge in the market place by fostering some kind of privacy policy.

JOHN PATRICK

Great point. Well we're just about at an end. We could perhaps handle one more question if there is one a lingering one. All right I guess not.

CHRISTINE VARNEY

I think they're ready for drinks.

JOHN PATRICK

Yes. Well I'd like to thank our panelists. They've been just great.

(APPLAUSE)

JOHN PATRICK

And thank you for your good questions. See you at the reception.

BACK TO MENU