[Federal Register Volume 68, Number 38 (Wednesday, February 26, 2003)]
[Notices]
[Pages 8904-8906]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-4502]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Public Workshops: Workshop 1: Technologies for Protecting 
Personal Information: The Consumer Experience; Workshop 2: Technologies 
for Protecting Personal Information: The Business Experience

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice announcing two public workshops and requesting public 
comment and participation.

-----------------------------------------------------------------------

SUMMARY: The FTC is planning to host two public workshops to explore 
the role of technology in helping consumers and businesses protect the 
privacy of their personal information, including the steps taken to 
keep their information secure. Workshop 1 will focus on technological 
tools available to consumers and whether and how consumers are using 
them. Workshop 2 will focus on how businesses use technology to manage 
their information practices and provide security.

DATES: Workshop 1, The Consumer Experience, will be held on Wednesday, 
May 14, 2003, from 8:30 a.m. to 5 p.m., in the Federal Trade 
Commission's Satellite Building now located at 601 New Jersey Avenue, 
NW., Washington, DC. Workshop 2, The Business Experience, will occur on 
Wednesday, June 4, 2003, also in the Satellite Building. The events are 
open to the public and attendance is free of charge. Pre-registration 
is not required.
    Requests to Participate as a Panelist: As discussed below, written 
requests to participate as a panelist in either or both of the 
workshops must be filed on or before Wednesday, March 26, 2003. Persons 
filing requests to participate as a panelist will be notified on or 
before Wednesday, April 9, 2003, if they have been selected to 
participate.
    Written Comments: Whether or not selected to participate, persons 
may submit written comments on the Questions to be Addressed at the 
workshop. Such comments must be filed on or before Wednesday, April 23, 
2003. For further instructions on submitting comments and requests to 
participate, please see the ``Form and Availability of Comments'' and 
``Requests to Participate as a Panelist in the Workshop'' sections 
below. To read our policy on how we handle the information you may 
submit, please visit http://www.ftc.gov/techworkshop.

ADDRESSES: Written comments and requests to participate as a panelist 
in the workshop should be submitted to: Secretary, Federal Trade 
Commission, Room 159, 600 Pennsylvania Avenue, NW., Washington, DC 
20580. Alternatively, they may be e-mailed to [email protected].

FOR FURTHER INFORMATION CONTACT: Toby Milgrom Levin, Division of 
Financial Practices, 202-326-3713, or James A. Silver, Division of 
Financial Practices, 202-326-3708. The above staff can be reached by 
mail at: Federal Trade Commission, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Background and Proposed Agenda

    Since 1995, the FTC has sought to understand the many consumer 
issues raised by the collection and use of consumers' personal 
information in our fast-changing information economy. Commission 
workshops have examined the privacy issues raised by the use of this 
information and, more recently, the important and complementary role 
that security plays in providing meaningful protections for it. The 
Commission has also undertaken a wide variety of education and 
enforcement initiatives to reduce the harms caused by the disclosure of 
personal information, such as identity theft, unwarranted intrusions, 
violations of privacy promises, and breaches of customer databases. As 
part of this ongoing examination, the Commission is announcing two 
workshops designed to explore the role of technology in protecting 
personal information.
    Technology has been widely heralded as a promising solution to 
challenges that the collection and use of information present. A number 
of

[[Page 8905]]

products promise to help consumers control their sensitive information 
and guard against internal and external threats. Similarly, there are 
an increasing number of products designed to help businesses manage the 
consumer information they maintain and ensure that it is secure. 
Despite the widespread availability of these products, however, it is 
unclear just how much consumers and businesses are using them and 
whether they are meeting consumer and business needs in this area. 
Therefore, as more and more consumers share personal information online 
and use ``always on'' Internet connections, it is useful to examine the 
current role that technology plays in protecting consumers' personal 
information.
    The workshops being announced will examine, first, the role 
technology plays for consumers seeking to protect their own information 
and, second, the role it plays for businesses seeking to protect the 
consumer information that they maintain. Both workshops will also 
examine the changes that have been made in the security area since the 
Federal Trade Commission's May 2002 workshop on consumer information 
security.
    Questions to be addressed at the workshops may include:

A. Workshop 1

Technologies for Protecting Personal Information: The Consumer 
Experience
    1. Are consumers using technology to help manage the collection and 
use of their personal information? Why or why not?
    [sbull] What types of technologies are available or under 
development to help consumers manage the collection and use of their 
personal information?
    [sbull] Which of these technologies are consumers using, which are 
not being used, and why?
    [sbull] What factors influence consumers' willingness to use these 
technologies?
    [sbull] Is there empirical data showing which technologies 
consumers are using and why?
    [sbull] Is consumer education needed to make consumers aware of 
these technologies and to help them use them?
    [sbull] What types of technologies do consumers want that do not 
yet exist?
    2. What role can automated privacy notices, such as P3P, play to 
help consumers manage the collection and use of their personal 
information?
    [sbull] What technologies are available or under development that 
automatically match consumer preferences to businesses' information 
practices? What is their current status of development and/or 
implementation?
    [sbull] What are the strengths and limitations of these 
technologies?
    [sbull] Are there obstacles to widespread adoption of these 
technologies, and if so, how could they be addressed?
    [sbull] How do automated privacy notices interface with the various 
types of privacy notices--e.g., short, layered, full accountability--
currently in use? Do automated notices raise any special liability 
concerns?
    3. Are consumers using technology to help protect their information 
security? Why or why not?
    [sbull] What types of technologies are available or under 
development to help consumers protect their information security?
    [sbull] Which information security-enhancing technologies are 
consumers using, which are not being used, and why?
    [sbull] What factors influence consumers' willingness to use 
information security-enhancing technologies?
    [sbull] Is there any empirical data showing which technologies 
consumers are using and why? For example, are consumers downloading 
patches, updating virus protection, and using firewalls?
    [sbull] What information security-enhancing technologies do 
consumers want that do not yet exist?
    [sbull] Are the available technologies adequate to address known 
vulnerabilities?
    [sbull] Is there a need for more ``built-in'' technology solutions 
and features that are easy for consumers to access and use? Should 
business make it easier for consumers with high-speed access to install 
effective firewalls?
    [sbull] What are business, government agencies, and others doing to 
raise consumer awareness of security issues and help create a ``culture 
of security''?

B. Workshop 2

Technologies for Protecting Personal Information: The Business 
Experience
    1. How are businesses using technology to manage their information 
practices?
    [sbull] What types of technologies are available or under 
development to help businesses manage their information practices and 
verify their website's privacy policy compliance?
    [sbull] Which technologies are businesses using, which are not 
being used, and why?
    [sbull] Is there any empirical data showing which technologies 
businesses are using and why?
    [sbull] How have businesses incorporated information management 
technologies into their business operations? Do such technologies 
affect businesses' efforts to engage in targeted marketing? Have they 
affected businesses' profits?
    [sbull] What are the costs and benefits, including any costs and 
benefits to competition, of implementing their technologies?
    [sbull] Are there limits to technology's ability to manage consumer 
information? What role do people, policies, and organizational 
structure play in implementing effective information management 
programs?
    2. How are businesses using technology to provide security for 
consumer information that they maintain? What progress has been made in 
this area since the FTC's May 2002 Consumer Information Security 
Workshop?
    [sbull] What types of technologies are available or under 
development to help businesses provide security for customer 
information?
    [sbull] Which of these technologies are businesses using, which are 
not being use, and why?
    [sbull] Is there any empirical data showing which technologies 
businesses are using and why?
    [sbull] What are the costs and benefits of implementing these 
technologies?
    [sbull] Do different types of information and information practices 
warrant different types of security protection?
    [sbull] Are their security tools that are low in cost and easy-to-
use, particularly for small businesses? How can we raise awareness of 
security issues among small businesses?
    [sbull] Do security tools work out-of-the-box? What can businesses 
that do not have dedicated security personnel do to protect consumer 
information?
    [sbull] Are their limits to technology's ability to protect 
consumer information? What role do people, policies, and organizational 
structure play in implementing effective safeguards programs?
    [sbull] How are U.S. agencies working with international 
organizations like OECD and APEC to provide security guidance for 
businesses?
    [sbull] What additional steps can businesses take to help create a 
``culture of security?''

Requests to Participate as a Panelist in the Workshop

    Parties seeking to participate as panelists in the workshop must 
notify the FTC in writing of their interest in participating on or 
before Wednesday, March 26, 2003, either by mail to the Security of the 
FTC or by e-mail to [email protected]. Requests to participate as a 
panelist should be captioned ``Technology Workshop--Request to 
Participate, PO34808.''

[[Page 8906]]

Parties are asked to include in their requests a statement setting 
forth their expertise in or knowledge of the issues on which the 
workshop will focus and their contact information, including a 
telephone number, facsimile number, and e-mail address (if available), 
to enable the FTC to notify them if they are selected. An original and 
two copies of each document should be submitted. Panelists will be 
notified on or before Wednesday, April 9. 2003, whether they have been 
selected.
    Using the following criteria, FTC staff will select a limited 
number of panelists to participate in the workshop. The number of 
parties selected will not be so large as to inhibit effective 
discussion among them.
    1. The party has expertise in or knowledge of the issues that are 
the focus of the workshop.
    2. The party's participation would promote a balance of interests 
being represented at the workshop.
    3. The party has been designated by one or more interested parties 
(who timely file requests to participate) as a party who shares group 
interests with the designator(s).
    In addition, there will be time during the workshop for those not 
serving as panelists to ask questions.

Form and Availability of Comments

    The FTC requests that interested parties submit written comments on 
the above questions to foster greater understanding of the issues. 
Especially useful are any studies, surveys, research, and empirical 
data. Comments should be captioned ``Technology Workshop--Comment, 
PO34808,'' and must be filed on or before Wednesday, April 23, 2003.
    Parties sending written comments should submit an original and two 
copies of each document. To enable prompt review and public access, 
paper submissions should include a version on diskette in PDF, ASCII, 
WordPerfect, or Microsoft Word format. Diskettes should be labeled with 
the name of the party, and the name and version of the word processing 
program used to create the document. Alternatively, comments may be 
emailed to [email protected].
    Written comments will be available for public inspection in 
accordance with the Freedom of Information Act, 5 U.S.C. 552, and FTC 
regulations, 16 CFR part 4.9, Monday through Friday between the hours 
of 8:30 a.m. and 5 p.m. at the Public Reference Room 130, Federal Trade 
Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580. This 
notice and, to the extent technologically possible, all comments will 
also be posted on the FTC Web site at http://www.ftc.gov/techworkshop.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 03-4502 Filed 2-25-03; 8:45 am]
BILLING CODE 6750-01-M