AGENCY:

Federal Trade Commission (FTC).

ACTION:

Notice announcing two public workshops and requesting public comment and participation.

SUMMARY:

The FTC is planning to host two public workshops to explore the role of technology in helping consumers and businesses protect the privacy of their personal information, including the steps taken to keep their information secure. Workshop 1 will focus on technological tools available to consumers and whether and how consumers are using them. Workshop 2 will focus on how businesses use technology to manage their information practices and provide security.

DATES:

Workshop 1, The Consumer Experience, will be held on Wednesday, May 14, 2003, from 8:30 a.m. to 5 p.m., in the Federal Trade Commission's Satellite Building now located at 601 New Jersey Avenue, NW., Washington, DC. Workshop 2, The Business Experience, will occur on Wednesday, June 4, 2003, also in the Satellite Building. The events are open to the public and attendance is free of charge. Pre-registration is not required.

Requests to Participate as a Panelist: As discussed below, written requests to participate as a panelist in either or both of the workshops must be filed on or before Wednesday, March 26, 2003. Persons filing requests to participate as a panelist will be notified on or before Wednesday, April 9, 2003, if they have been selected to participate.

Written Comments: Whether or not selected to participate, persons may submit written comments on the Questions to be Addressed at the workshop. Such comments must be filed on or before Wednesday, April 23, 2003. For further instructions on submitting comments and requests to participate, please see the “Form and Availability of Comments” and “Requests to Participate as a Panelist in the Workshop” sections below. To read our policy on how we handle the information you may submit, please visit http://www.ftc.gov/​techworkshop.

ADDRESSES:

Written comments and requests to participate as a panelist in the workshop should be submitted to: Secretary, Federal Trade Commission, Room 159, 600 Pennsylvania Avenue, NW., Washington, DC 20580. Alternatively, they may be e-mailed to techworkshop@ftc.gov.

FOR FURTHER INFORMATION CONTACT:

Toby Milgrom Levin, Division of Financial Practices, 202-326-3713, or James A. Silver, Division of Financial Practices, 202-326-3708. The above staff can be reached by mail at: Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Background and Proposed Agenda

Since 1995, the FTC has sought to understand the many consumer issues raised by the collection and use of consumers' personal information in our fast-changing information economy. Commission workshops have examined the privacy issues raised by the use of this information and, more recently, the important and complementary role that security plays in providing meaningful protections for it. The Commission has also undertaken a wide variety of education and enforcement initiatives to reduce the harms caused by the disclosure of personal information, such as identity theft, unwarranted intrusions, violations of privacy promises, and breaches of customer databases. As part of this ongoing examination, the Commission is announcing two workshops designed to explore the role of technology in protecting personal information.

Technology has been widely heralded as a promising solution to challenges that the collection and use of information present. A number of Start Printed Page 8905products promise to help consumers control their sensitive information and guard against internal and external threats. Similarly, there are an increasing number of products designed to help businesses manage the consumer information they maintain and ensure that it is secure. Despite the widespread availability of these products, however, it is unclear just how much consumers and businesses are using them and whether they are meeting consumer and business needs in this area. Therefore, as more and more consumers share personal information online and use “always on” Internet connections, it is useful to examine the current role that technology plays in protecting consumers' personal information.

The workshops being announced will examine, first, the role technology plays for consumers seeking to protect their own information and, second, the role it plays for businesses seeking to protect the consumer information that they maintain. Both workshops will also examine the changes that have been made in the security area since the Federal Trade Commission's May 2002 workshop on consumer information security.

Questions to be addressed at the workshops may include:

A. Workshop 1

Technologies for Protecting Personal Information: The Consumer Experience

1. Are consumers using technology to help manage the collection and use of their personal information? Why or why not?

• What types of technologies are available or under development to help consumers manage the collection and use of their personal information?
• Which of these technologies are consumers using, which are not being used, and why?
• What factors influence consumers' willingness to use these technologies?
• Is there empirical data showing which technologies consumers are using and why?
• Is consumer education needed to make consumers aware of these technologies and to help them use them?
• What types of technologies do consumers want that do not yet exist?

2. What role can automated privacy notices, such as P3P, play to help consumers manage the collection and use of their personal information?

• What technologies are available or under development that automatically match consumer preferences to businesses' information practices? What is their current status of development and/or implementation?
• What are the strengths and limitations of these technologies?
• Are there obstacles to widespread adoption of these technologies, and if so, how could they be addressed?
• How do automated privacy notices interface with the various types of privacy notices—e.g., short, layered, full accountability—currently in use? Do automated notices raise any special liability concerns?

3. Are consumers using technology to help protect their information security? Why or why not?

• What types of technologies are available or under development to help consumers protect their information security?
• Which information security-enhancing technologies are consumers using, which are not being used, and why?
• What factors influence consumers' willingness to use information security-enhancing technologies?
• Is there any empirical data showing which technologies consumers are using and why? For example, are consumers downloading patches, updating virus protection, and using firewalls?
• What information security-enhancing technologies do consumers want that do not yet exist?
• Are the available technologies adequate to address known vulnerabilities?
• Is there a need for more “built-in” technology solutions and features that are easy for consumers to access and use? Should business make it easier for consumers with high-speed access to install effective firewalls?
• What are business, government agencies, and others doing to raise consumer awareness of security issues and help create a “culture of security”?

B. Workshop 2

Technologies for Protecting Personal Information: The Business Experience

1. How are businesses using technology to manage their information practices?

• What types of technologies are available or under development to help businesses manage their information practices and verify their website's privacy policy compliance?
• Which technologies are businesses using, which are not being used, and why?
• Is there any empirical data showing which technologies businesses are using and why?
• How have businesses incorporated information management technologies into their business operations? Do such technologies affect businesses' efforts to engage in targeted marketing? Have they affected businesses' profits?
• What are the costs and benefits, including any costs and benefits to competition, of implementing their technologies?
• Are there limits to technology's ability to manage consumer information? What role do people, policies, and organizational structure play in implementing effective information management programs?

2. How are businesses using technology to provide security for consumer information that they maintain? What progress has been made in this area since the FTC's May 2002 Consumer Information Security Workshop?

• What types of technologies are available or under development to help businesses provide security for customer information?
• Which of these technologies are businesses using, which are not being use, and why?
• Is there any empirical data showing which technologies businesses are using and why?
• What are the costs and benefits of implementing these technologies?
• Do different types of information and information practices warrant different types of security protection?
• Are their security tools that are low in cost and easy-to-use, particularly for small businesses? How can we raise awareness of security issues among small businesses?
• Do security tools work out-of-the-box? What can businesses that do not have dedicated security personnel do to protect consumer information?
• Are their limits to technology's ability to protect consumer information? What role do people, policies, and organizational structure play in implementing effective safeguards programs?
• How are U.S. agencies working with international organizations like OECD and APEC to provide security guidance for businesses?
• What additional steps can businesses take to help create a “culture of security?”

Requests to Participate as a Panelist in the Workshop

Parties seeking to participate as panelists in the workshop must notify the FTC in writing of their interest in participating on or before Wednesday, March 26, 2003, either by mail to the Security of the FTC or by e-mail to techworkshop@ftc.gov. Requests to participate as a panelist should be captioned “Technology Workshop—Request to Participate, PO34808.” Start Printed Page 8906Parties are asked to include in their requests a statement setting forth their expertise in or knowledge of the issues on which the workshop will focus and their contact information, including a telephone number, facsimile number, and e-mail address (if available), to enable the FTC to notify them if they are selected. An original and two copies of each document should be submitted. Panelists will be notified on or before Wednesday, April 9. 2003, whether they have been selected.

Using the following criteria, FTC staff will select a limited number of panelists to participate in the workshop. The number of parties selected will not be so large as to inhibit effective discussion among them.

1. The party has expertise in or knowledge of the issues that are the focus of the workshop.

2. The party's participation would promote a balance of interests being represented at the workshop.

3. The party has been designated by one or more interested parties (who timely file requests to participate) as a party who shares group interests with the designator(s).

In addition, there will be time during the workshop for those not serving as panelists to ask questions.

Form and Availability of Comments

The FTC requests that interested parties submit written comments on the above questions to foster greater understanding of the issues. Especially useful are any studies, surveys, research, and empirical data. Comments should be captioned “Technology Workshop—Comment, PO34808,” and must be filed on or before Wednesday, April 23, 2003.

Parties sending written comments should submit an original and two copies of each document. To enable prompt review and public access, paper submissions should include a version on diskette in PDF, ASCII, WordPerfect, or Microsoft Word format. Diskettes should be labeled with the name of the party, and the name and version of the word processing program used to create the document. Alternatively, comments may be emailed to techworkshop@ftc.gov.

Written comments will be available for public inspection in accordance with the Freedom of Information Act, 5 U.S.C. 552, and FTC regulations, 16 CFR part 4.9, Monday through Friday between the hours of 8:30 a.m. and 5 p.m. at the Public Reference Room 130, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580. This notice and, to the extent technologically possible, all comments will also be posted on the FTC Web site at http://www.ftc.gov/​techworkshop.