These principles support an open and free Internet. AT&T and Verizon shareholders recently brought up similar, first-time measures at their annual meetings, and the measures received enough votes to meet the threshold to have a place on next year’s ballots.

Today, wireless companies can speed up connections to preferred websites that pay for faster wireless service. This undermines the ability of consumers to access the Internet and website of their choice, and it influences how we use our smartphones and tablets.

Wireless networks like Sprint, Verizon, and AT&T should ensure that consumers have equal access to the websites of their choice. That’s why concerned shareholders are pressing them to operate under net neutrality principles, so Internet users have the freedom to choose where to get information, without any preference given to certain websites.

To learn more this shareholder effort and sign a petition to protect the future of an open Internet, visit the Shareholders for Network Neutrality web site.

WASHINGTON – Consumers Union, the policy and advocacy division of Consumer Reports, has launched a new web page on ConsumerReports.org about cell phone “bill shock,” the surprise charges that appear on your wireless bill, often for exceeding usage limits.

The new “bill shock” page is located at consumerreports.org/cro/billshock. A link to the page will be highlighted periodically on ConsumerReports.org’s home page and its electronics page.

In October 2011 Consumers Union joined the Federal Communications Commission (FCC) and the wireless trade association CTIA to announce an agreement among carriers representing more than 97 percent of the nation’s wireless customers.

The carriers agreed voluntarily provide consumers with free alerts before they go over their voice, data, or text plans. Plus, they agreed to provide free alerts about additional charges when customers use their wireless devices while traveling abroad. The carriers must provide their subscribers with at least two of the four types of alerts by October 17, 2012, and all of the alerts by April 17, 2013.

The new page on ConsumerReports.org features the latest updates from the FCC about carriers’ efforts to comply with the agreement. The FCC recently launched its own web tool devoted to bill shock at http://fcc.us/billshocks, which features a table for tracking the progress made by each of the carriers.

Consumers Union highlights the FCC chart on its new page. The CU page also offers tips for avoiding bill shock.
Contact: David Butler or Kara Kelber, 202-462-6262

WASHINGTON, D.C. – Consumers Union, the policy and advocacy division of Consumer Reports, is calling on Facebook and its users to pay more attention to privacy online.

CU has launched a petition at hearusnow.org to urge Facebook CEO Mark Zuckerberg to provide users with better privacy tools and full information about everything Facebook collects about them.

The consumer organization has a full-page print ad and online banner ads running in Politico today to highlight its concerns and the petition drive. The ad’s headline reads: “Facebook and its users could learn something about sharing.”

The CU ad notes how Facebook keeps track of practically everything users do on the site, as well as other web sites, and will only share some of that information with users. Plus, Facebook is supporting efforts to allow the government broad access to user records.

The ad also mentions findings from Consumer Reports magazine, which spotlights Facebook and privacy matters in its June 2012 issue (read the CR article here and CR press release here) The ad cites a national survey by Consumer Reports that projects nearly 13 million Facebook users have never set privacy controls.

The ad ends with: “Facebook should think twice about how it shares your private information…and so should you.”

The petition site at hearusnow.org also offers a Consumer Reports video to help Facebook users engage the site’s privacy features.

For a full copy of the letter please contact David Butler or Kara Kelber at Consumers Union.

“This is an important step in fighting the shock and anxiety that consumers feel after receiving an unexpectedly large bill,” said Parul P. Desai, policy counsel for Consumers Union, the policy and advocacy division of Consumer Reports. “Bill shock is avoidable with timely, free alerts. And now, with the FCC’s new website, consumers can know with certainty which alerts their wireless carrier is providing.”

In October, Consumers Union joined the FCC and CTIA to announce a new industry initiative to provide free alerts to help customers avoid bill shock. These alerts would be sent to consumers before they reach their limits on voice, text or data services, as well as free alerts to customers when they are about to incur international roaming charges.

The FCC’s newly launched website features a table of participating carriers and outlines the steps they have taken in providing these free alerts. The website will be updated regularly as CTIA provides new information.
By October 17, 2012 participating carriers have committed to providing customers with at least two out of the four notifications for data, voice, text and international roaming, and all of the alerts by April 17, 2013.

Desai said, “With current alert policies varying widely across the industry, we applaud the FCC and CTIA’s efforts to make it clear to consumers what tools they have available to them now. We urge wireless companies to implement these new alerts sooner rather than later.”

For more information, visit http://fcc.us/billshocks.

Why is it important to define who’s who? Because a Do Not Track standard would only minimally impact first parties, while imposing severe restrictions on third parties’ abilities to collect and use information about you on the Web.

Figuring out who is a first party and who is a third party is easy most of the time. If I’m browsing Amazon.com, looking to buy books or DVDs, then Amazon is clearly a first party. I have intentionally chosen to access its site and view its products. On the other hand, if I’m reading an article and in the background, without my knowledge, and ad network is collecting information about me to show me personalized ads, that ad network is a third party.

But what happens when one parent company owns two separate businesses, for example, a candy company and a car insurance company? If I order a box of chocolates from the candy company, should my information automatically be shared with the car insurance company, simply because both are owned by the same parent company?

During the 5th W3C meeting held last week in Washington, DC, Stanford researcher Jonathan Mayer, in conjunction with the Electronic Frontier Foundation (EFF) and the open source software project Mozilla, proposed a rule that would prevent separate businesses owned by the same company from both being considered “first parties” and thus being able to freely share information with each other.

Their proposal looks to user expectation as the primary determinant, not to company ownership. Would consumers expect that the two businesses are actually connected, and thus able to share information between them? One way to make it clear that two sites are connected is through co-branding by, for example, using prominent language like “Brand A, provided by Company B.”

Industry members tend to share the view that businesses owned by the same parent company should be able to share consumer data across company affiliates, even if a user has clicked the Do Not Track button, so as to avoid unnecessary costs and limitations. But consider the fact that some holding companies own a great number of unrelated businesses, all of which would become “first parties” for information sharing purposes if you gave your data to just one.

Our take: Reasonable consumer expectations should determine whether data can be shared or not. If there’s no way to tell that two companies are affiliated, then the average consumer would probably not expect that by giving his information to one, he is also sharing it with the other.

The FTC’s framework consists of five action items; implementing a Do Not Track tool, improving privacy disclosures on mobile applications, creating legislation to provide consumers with access to information about them held by a data broker, explore privacy concerns regarding large platform providers, and promote enforceable self-regulatory codes. The report suggests that a centralized website be created where data brokers (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.

Consumers have a right to know what data third-party websites collect about them, know how this data is used, and have the power to change inaccurate or irrelevant information. When these websites are transparent about their privacy practices, consumers can make choices about which websites they want to use, and which websites do not meet their expectations. Consumers also should be able to opt out of tracking through a Do Not Track tool.

Consumers Union commends the FTC for the goals of this report and plans to take an active role in the implementation process going forward. “This is a good report that reflects the growing concerns about online privacy, especially the fact that we need better tools and information to decide how our personal information is used,” said Ioana Rusu, regulatory counsel for Consumers Union. “When we talk about online privacy, we’re talking about trust. A company needs customers to trust that their personal information is going to be treated with respect. If you don’t trust that a company is going to use your information responsibly, you’re going to be much less likely to adopt new services, and that hurts innovation.”

Sixty-five percent of smartphone owners were “very concerned” that smartphone apps can access their contacts, photos, location, or other data on their devices without their permission.

More than half of respondents also said they were very concerned about:

• Advertisers targeting kids with personalized ads based on data they collect while kids surf the Web (58%)
• Companies holding on to your data, even when they don’t need it anymore (56%); and
• Data about your online activities and purchases being used to deny you employment or affect your ability to get a loan (53%)

When asked about the use of personalized ads and privacy policies:

• 44 percent said they were concerned about advertisers targeting them with personalized ads by collecting data about their interests and purchases online; and
• 42 percent said they were concerned about privacy policies that were too long and complicated.

Consumers Union (CU) submitted these survey results to the National Telecommunications and Information Administration (NTIA) this week in response to a request for comments on its proposal to establish a multistakeholder process. This process seeks to implement the Consumer Privacy Bill of Rights, released by the White House in February 2012, by developing codes of conduct for consumer data privacy.

In addition to its survey, CU reached out to grassroots activists to hear their opinions on which issues the multistakeholder process should take up first. We received over 3,100 responses, which we attached in our comments to the NTIA. You can view our letter here.

In conjunction with other advocacy organizations, CU also asked the NTIA to ensure that the proposed multistakeholder process is transparent and inclusive. To that end, we laid out a list of fundamental principles, developed under the leadership of the World Privacy Forum, which must be adopted in order to create a legitimate process. These can be viewed here.

We commend the NTIA for taking important steps to begin the process of developing appropriate rules of the road for online privacy. Consumers Union plans to play an active role in this process and continue to advocate for greater online privacy protections for all consumers.

¹The Consumer Reports National Research Center conducted a telephone survey using two nationally representative probability samples: landline telephone households and cell phones. 1,017 interviews were completed among adults aged 18+. Interviewing took place over March 29-April 1, 2012. The sampling error is +/- 3.1 percentage points at a 95% confidence level.

National Telecommunications and Information Administration
1401 Constitution Avenue NW.,
Room 4725,
Washington, DC 20230

Submitted via email to privacyrfc2012@ntia.doc.gov

Consumer Comments to the National Telecommunications and Information Administration on
“Multistakeholder Process To Develop Consumer Data Privacy Codes of Conduct”
Docket No. 120214135–2135–01

The National Telecommunications and Information Administration (NTIA) requested comment on the proposal to establish a multistakeholder process to develop voluntary codes of conduct for consumer data privacy.

In response, Consumers Union, the advocacy and public policy arm of Consumer Reports®, conducted a telephone survey among 1,017 random adults (767 landline telephone and 250 cell phone) comprising 509 men and 508 women 18 years of age and older. Interviewing took place over March 29-April 1, 2012. We described several common privacy concerns and asked respondents to tell us whether they are very concerned, somewhat concerned, somewhat unconcerned, or not concerned at all about them.

Our results showed that the most troubling practices related to online privacy regarded the commercial use of personal information without the consumer’s permission: 71% of respondents were “very concerned” about companies selling or sharing their information about them without their permission. In addition, 65% of smartphone owners were “very concerned” that smartphone apps can access their contacts, photos, location and other data on their devices without their permission.

More than half of respondents also reported high concern with:

• Advertisers targeting kids with personalized ads based on data they collect while kids surf the Web (58%);
• Companies holding on to your data, even when they don’t need it anymore (56%);
• Data about your online activities and purchases being used to deny you employment or affect your ability to get a loan (53%).

Around 4 in 10 consumers were concerned about the use of personalized ads and lengthy privacy policies:

• Advertisers targeting you with personalized ads by collecting data about your interests and purchases online (44%); and
• Privacy policies that are too long and complicated (42%).

In addition to our poll, we also reached out to our grassroots activists and asked them to opine on which substantive issues the multistakeholder process should take up first. We received around 3,100 responses, which we have attached to this letter. Many respondents were particularly concerned about data security and identity theft; companies sharing or selling their personal information without their permission; companies holding on to personal data for long periods of time; privacy policies that are too long and complicated; and kids being tracked online.¹

We hope that our survey results, along with consumers’ responses, will help inform future decisions on which substantive issues should be resolved through the multistakeholder process.

Should you have any further questions or concerns, please do not hesitate to contact me at (202) 462-6262, or by email at irusu@consumer.org.

Regards,

Ioana Rusu
Regulatory Counsel
Consumers Union

¹This is not a scientific poll. The results of this poll are not a statistically significant representation of a general audience, but are the opinions of our activists who chose to answer the questions.

National Telecommunications and Information Administration
1401 Constitution Avenue NW.,
Room 4725,
Washington, DC 20230

Submitted via email to privacyrfc2012@ntia.doc.gov

Comments to the National Telecommunications and Information Administration
on
“Multistakeholder Process To Develop Consumer Data Privacy Codes of Conduct”
Docket No. 120214135–2135–01

The undersigned organizations appreciate the opportunity to respond to the National Telecommunications and Information Administration (NTIA) request for comment on the proposal to establish a multistakeholder process to develop voluntary codes of conduct for consumer data privacy.

We commend the Administration for introducing its Consumer Privacy Bill of Rights, which sets out baseline principles that the Administration believes should govern the handling of personal data. We hope that these principles will lay a strong foundation for codes of conduct regarding how consumers’ personal information should be collected and used. We are also pleased that the Administration has called for comprehensive privacy legislation in its white paper, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Innovation in the Global Digital Economy.¹

As a complement to privacy legislation, an open, transparent, consensus-driven multistakeholder process could foster compliance with norms for handling consumer data in specific contexts. In this respect, it would be helpful for the Administration to clarify the scope of the Consumer Privacy Bill of Rights and the multistakeholder process. Are they intended to address the privacy of online data only, or will it also address offline data practices? In today’s interconnected data landscape, where personal information gleaned online and offline is often merged, it is sometimes difficult to draw clear distinctions.

The results of the multistakeholder process will only be legitimate if the process itself is legitimate. To that end, we and other leading consumer, civil liberties, and privacy groups, under the leadership of the World Privacy Forum, have identified a set of fundamental principles that must be implemented if the multistakeholder process is to succeed.² These include, but are not limited to:
• Consumer representation must be robust and reasonably balanced;
• The process must be open and transparent to the greatest extent possible;
• Adequate resources must be made available to facilitate civil society participation in in-person meetings. If funding is not provided, meetings should only be held electronically;
• Decisions must be based on a fair and broad consensus among stakeholders.

A full list of the Multistakeholder Principles is attached to this letter, and will also be submitted as part of a separate formal filing by the World Privacy Forum.

The first order of business should be to convene a meeting of interested stakeholders to develop the rules for how the process will work. This must be done before stakeholders begin discussing any substantive privacy issues. As our principles state, at the end of 12 months, civil society stakeholders may reevaluate the process and make recommendations for changes in rules, procedures, or process going forward. In addition, should NTIA bring on a third party to facilitate the day-to-day interactions and discussions among stakeholders, as it has suggested it may do, we urge the agency to ensure that the third party is unbiased and fair in its implementation of the multistakeholder process.

NTIA has also asked for comment on what substantive issues should be addressed through the privacy multistakeholder process. We wish to note, however, that it is the stakeholders who should ultimately decide what issues should be discussed. As mentioned in the request for comments, NTIA’s role in the privacy multistakeholder process will be to provide a forum for discussion and consensus-building among stakeholders. But as a convener, it should not make ultimate decisions about what topics should be addressed. Only the stakeholders can make that determination.

Our view is that the topics should ultimately be chosen by asking two important questions: 1) which issues are realistically achievable through the process laid out by NTIA, and 2) which issues would significantly advance consumers’ privacy protection. We do not believe that the speed with which consensus may be reached should be the overarching or determining factor.

There are several privacy topics which could be appropriate to address through a multistakeholder process. These include, but are not limited to:
• Data collection and use practices of mobile apps;
• Facial recognition and facial detection software;
• Data minimization through data collection and retention limitations;
• Collection and use of data about children and teens;
• Social media companies’ use of consumers’ personal information;
• Collection and use of data that may affect consumers’ employment, credit, or insurance rates;
• Access and use issues related to consumers’ personal information in cloud computing.

In developing codes of conduct on various privacy issues, we believe that the rights as outlined in the Consumer Bill of Rights must be applied to the fullest extent possible. These rights should serve as a roadmap to guide the multistakeholder process.

Finally, we wish to note that multistakeholder proceedings are likely to be particularly time and resource intensive, and civil society groups often face resource restraints that industry does not. This must be taken into account as the agendas are considered, to ensure that civil society groups are robustly represented in each individual proceeding.

We look forward to participating in creating the operational framework for the multistakeholder process and using the process to advance consumers’ privacy interests.

Regards,

Ioana Rusu
Consumers Union

Susan Grant
Consumer Federation of America

Evan Hendricks
Privacy Times

Amina Fazlullah
The Benton Foundation³

Principles for Multi-Stakeholder Process

February 23, 2012

Civil society groups believe that protecting the online privacy of consumers is crucial to ensuring the availability, utility, and vitality of the Internet. For any approach to privacy to be meaningful, it must reflect fair information practices, including mechanisms to assure accountability. The US Department of Commerce is proposing a multi-stakeholder process for developing better applications of privacy principles. For the multi-stakeholder process to succeed, it must be representative of all stakeholders and must operate under procedures that are fair, transparent, and credible.

We believe the following baseline principles will provide the multi-stakeholder process the legitimacy it needs to succeed.

Principles:

1. No multi-stakeholder process can succeed unless consumer representation is robust and reasonably balanced. Only consumer representatives can determine who speaks for consumers.

2. To the greatest extent practicable, the multi-stakeholder process should occur in the open with public sessions and public documents. All substantial decisions must be made in open sessions.

3. Any stakeholder may submit proposals and those proposals must be addressed and resolved within the consensus process.

4. Participants, but not necessarily observers, must specifically identify their employer and/or the group, industry, or organization whose interest they represent.

5. There must be a fair opportunity for public engagement at all levels of the stakeholder process. Stakeholders must be allowed to communicate with members of their communities about the multi-stakeholder process in any way that the stakeholders see fit, including use of electronic processes such as web sites, social media, and other methods.

6. The formal publication of any consensus document or decision must include dissenting views and statements.

7. Decisions must be based on a fair and broad consensus among stakeholders rather than a majority vote by participants. The process should seek to resolve issues through open discussion, balance, mutual respect for different interests, and consensus.

8. A multi-stakeholder process needs to be fully informed by stakeholders from civil society. As such, in person meetings may only be scheduled if adequate resources are made available to facilitate in person participation by civil society. Otherwise, meetings may only be conducted electronically to facilitate equal participation by all stakeholders. Meeting locations must be chosen with robust input from civil society stakeholders.

9. All stakeholders must receive a copy of a draft document at least ten days prior to consideration or presentation of the document at any level of the stakeholder process.

10. At the end of 12 months or at any other time, civil society participants may decide to reevaluate the multi-stakeholder process and make recommendations for changes in rules, procedures, or process.

Signatories:

World Privacy Forum
American Civil Liberties Union
Center for Digital Democracy
Consumer Action
Consumer Federation of America
Consumers Union
Consumer Watchdog
Electronic Frontier Foundation
National Consumers League
Privacy Rights Clearinghouse
U.S. PIRG

Document information:

Publication date: February 23, 2012
Authors: Signatory organizations
Permalink: http://www.worldprivacyforum.org/pdf/MultiStakeholderPrinciples2012fs.pdf

¹http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
²See http://www.consumerfed.org/pdfs/MultiStakeholderPrinciples2012fs.pdf.
³The Benton Foundation is a nonprofit organization dedicated to promoting communication in the public interest. These comments [or this press release] reflect the institutional view of the Foundation and, unless obvious from the text, are not intended to reflect the views of individual Foundation officers, directors, or advisors.