There is an old saying that "your right to swing your fist stops
at my nose" and consequently we refuse to passively sit back and grumble
about spam without making any constructive effort to improve the situation.
- Todd Michel McComb
Noting that "the first war on the Internet has been for our attention," Walker (1999) asserts, "The next war will be more personal, more profound. It will be for our data souls - those ever-expanding electronic dossiers about our likes and dislikes ..." And the stakes are high, not only for individuals but also for those whose livelihood depends upon the use of such information.
Singletary (1999) recounts one estimate that puts the annual revenue for the direct-marketing industry - "the guys who get paid to peddle our data" - at $1.5 billion.(1) And that is just for direct forms of marketing. Farhi (1999) reports that market research is a $6 billion-a-year business in support of direct and other forms of marketing. Wells Branscomb (1994, p. 11) notes that:
A somewhat more balanced view was voiced by someone who has a great deal of experience with the tradeoffs involved. In directing agency heads to review agency practices regarding collection or disclosure of personal information in systems of records, the President (Clinton, 1998) framed the issue as follows:
Increased computerization of Federal records permits this information to be used and analyzed in ways that could diminish individual privacy in the absence of additional safeguards. As development and implementation of new information technologies create new possibilities for the management of personal information, it is appropriate to reexamine the Federal Government's role in promoting the interests of a democratic society in personal privacy and the free flow of information.(4)
In the United States there has been growing realization in setting policy that market imperfections must be compared with the imperfections of government or other solutions. Sometimes the cure is worse than the disease. (pp. 8 & 9)
... self-regulation may be drafted with little concern for those outside a given industry, those who are not part of the "self." Privacy advocates fear that self-regulation will not be strict enough and may in practice end up resembling an unregulated market. American proponents of self-regulation respond that firms that agree to self-regulation but do not follow through on their commitments open themselves to private suits for misrepresentation and fraud as well as actions by the Federal Trade Commission and the states to redress unfair trade practices. These remedies, proponents argue, may be even more effective enforcement tools than those deployed by any European-style privacy bureau. Skeptics respond that privacy self-regulation in the United States has not been nearly as strict as European laws. (p. 12)
In the European view, companies should not be able to ship data to places where the information will be used in ways contrary to European law and the expectations of European citizens... common sense suggests that ... organizations should have a way to share information between their European and other operations when good privacy protections are in place. (p. 17)
... transfers are permitted wherever there is "unambiguous consent" in advance by an individual. Unambiguous consent, however, can be interpreted in many ways, depending upon the setting. (p. 18) [In the view of European officials] consent to the proposed transfer requires consent to the particular uses to which the data will be put. (p. 34)
The inclusion of [the word] "identifiable" means that the Directive applies even when a person's name is not listed, but when the person can be identified by reference to an identification number or by other means. (p. 26)
On the other hand, there is nothing inherent in the characteristics of the technology itself requiring that the interests of mass assemblages, hucksters, and snake oil salesmen or even those with the best of intentions be favored over the rights of the enlightened individual him/herself. With technology appropriately applied, the reverse will be true. The golden ages of personal liberty and economic efficiency can and should emerge and prevail simultaneously.
Hagel and Singer (1999) have outlined a vision of how third party vendors can add value to the Net by helping customers make the rules and thus shape the markets. They highlight the impetus for the new value proposition, as follows:
Behind the continuing invasion of consumer privacy and the constant expansion of product choices lurks an unrecognized truth about consumers and marketers: their wants and needs are misaligned... the customer's demand for selection and comparison is sharply at odds with a deep or exclusive relationship with any one vendor. (p. 12)
While this author does not tremble in fear at the prospect of Big Brother watching, neither does he accept cookies, except on rare and discrete occasions when the value of doing so is apparent. Moreover, he recognizes that his lack of fear stems from having grown up in an environment where Big Brother was not watching and conspiring against him. (Nor has he given others any justifiable need to do so.) On the other hand many people have not been so fortunate (or discreet). Thus, as close as Hagel and Singer may have come to outlining a new and better regime, it seems that they have missed the mark in assuming that consumers will feel comfortable trading a passel of nettlesome "little brothers" for one big one, who like all of us are still motivated in the final analysis by self-interest, however enlightened it may be. Nevertheless, setting aside for the moment that basic and potentially fatal flaw in their logic, the following aspects of Hagel and Singer's business case are also worthy of note:
The second big advantage loyalty leaders enjoy in coping with change is their ability to align the objectives of different members of the business system... The secret to alignment is partnership, and the secret to partnership is compensating each partner with a shared interest in the value he or she helps to create... Loyalty leaders have found that they can most effectively manage every one of a business's constituencies - customers, employees, and investors - through partnership. (p. 287)
However, partnership implies a deeper and broader understanding among the partners than exists in a common, arm's-length transaction between buyers and sellers. Implicit in such understanding is the notion that one partner may profit disproportionately in any particular transaction but that, overall, both will gain more by taking advantage of the partnership than if the opportunity were to be forgone. On the other hand, practically speaking, in the real world, the ability of individuals and organizations to sustain such "understandings" is limited.
The farther any business relationship strays from accounting for the exchange of equal value in distinct, clearly defined, and/or relatively small transactions, the greater the chance for failure. Moreover, the risk is greatly compounded as the number of "partners" grows. Indeed, at a very low number, perhaps no more than two or three, the quality of the relationship may render it a "partnership" in name only. Of course, extenuating factors such as blood or social relationships also affect business relationships, positively or negatively. However, even where large non-monetary values are present, the degree of imbalance that can be tolerated is finite. In the global village of the cyber world, to twist a phrase, the following cautionary note might be applied in recognition of the natural limitations on true partnership: "Beware of 'partners' bearing gifts."
In his discussion of "what it will take to inhabit the twenty-first-century of winning companies," Ostroff (1999) says certain characteristics elicit virtually unanimous agreement. Foremost among them is an "almost single-minded dedication to the customer." In themes similar to Reichheld, Ostroff notes:
However, most organizations are going to end up with a mixed structure, retaining a functional organizational structure in those areas where detailed technical expertise is critical.
Likewise, current management trends call for single-minded focus on the organization's core competencies and capabilities, in which it may have a competitive advantage in adding value to a supply chain leading to customers. Extension of these principles to their logical extreme would mean that all that would be left of any organization would be only those elements for which it has particular functional expertise. All other necessary transactions would be outsourced and managed by virtual organizations. Indeed, Ostroff highlights:
Be that as it may, in point of fact, Ostroff still has not reduced the problem to its primitive in terms of information technology. Doing so involves not only redefining the "organization" but also, more importantly, the "individual".(12) When a truly customer-focused orientation is applied, organizations become properties of individuals, rather than the reverse. (See Ambur, 1997, May.)
More specifically, in the context of information technology and systems, organizational data becomes part of a worldwide set of distributed databases owned, operated, and controlled by individuals. That is, organizations become attributes of the people who are their stakeholders.(13) By contrast, in the traditional paradigm, people - that is, their data surrogates - are considered to be property of the organizations. By turning the paradigm on its head, instead of worrying about "acquiring" customers, organizations can be freed to focus on the purposes - which is to say the functions - for which they were formed.
In the short run, the role of intermediaries will be to assist individuals in acquiring the organizations that best meet their needs and desires. However, in the long run, the infomediaries themselves will be disintermediated as the distributed worldwide directory - managed by all of us - assumes their role in establishing the "connections" desired by individuals. Each and every one of us will own and control access to our own personal data, and we will also "acquire" our own business and social organizational relationships. Such are the shades not only of truly free enterprise but also of truly participatory democracy.
In the future, standing between individuals and the products and services they value is a job for which no one need apply. As the saying goes, positioned in front of a TV, a person becomes "a better door than a window." However, in the digital world that constitutes the market square of the global village, neither a door nor a window nor even a "portal" is required for entry to the concourse of values to be shared and exchanged. Wells Branscomb notes:
It is unfortunate that the author of such a well-named book as "Creating Customer Focused Organizations" misses such a fundamental point as the fact that the customer rightfully owns his or her own data. Any organization with the interests of "the customer" truly foremost in mind will structure itself around its customers' data, and by failing to note as much, Dickinson is perpetuating the very problem he purports to want to solve. His myopia is doubly distressing because each of the five business problems that he identifies so clearly supports the need for a true customer focus.
To understand what customer focus truly means and how such a new and improved vision will come to be, let's consider three related initiatives that are beginning to show the way - P3P, digital personas, and the international directory standard, X.500.
The purpose of the Platform for Personal Privacy Preferences (P3P) is summarized "in a nutshell" as follows:
P3P gives users the ability to make informed decisions regarding their Web experience and their ability to control the use of their information. Sites can use P3P to increase the level of confidence users place in their services, as well as improve the quality of the services offered, the customization of content, and simplify site access. (Marchiori et al.)
In summarizing the requirements for a P3P query language, Faith Cranor (1998, November) noted:
Lumeria cites as its foundation the principle that "the most valuable part of computing is your personal information. And that your information needs to be safe, well-guarded, and yet easy for you to access." They say their software can increase the effectiveness of the Net in connecting users to the information they need as well as to other people - in order "to enable collaboration, negotiation, commerce, interpersonal relations, learning, entertainment, and community." They note that companies routinely capture personal information and consider it to be their "commercial property". Lumeria says its "SuperProfile profiling technology will allow people to take control of their own personal information on the Net - even to make money from that information, if that's what they want." Their SuperOptOut feature is a free service designed to cut down on junk mail and intrusive telemarketing by helping consumers to remove their names from mailing and telemarketing lists.
Yet another vendor of infomediary services is PrivacyBank, which aims to serve those who are "tired of filling out forms, ... want a central point to manage [their] data, or ... are concerned with how [their] private data is used, shared and collected by Web sites ..." Features touted by PrivacyBank include:
In service to that purpose, it is necessary for the vendors to differentiate themselves from each other and maximize the switching costs so as to "lock in" their customers. Therein lies the rub. As Hagel and Singer have noted, there is an inherent misalignment between the interests of the purveyors and their prospective customers. And it plays itself out in proprietary product offerings, divergent database schemas, and general dis-interoperability among the many systems with which individuals are expected to contend.
It has often been noted that one of the beauties of the Web is its lack of rules, structure, and bureaucracy. Moreover, it has been said that the wonderful thing about standards is that there are so many of them from which to choose, and only half in jest, the word "standard" has been defined as "something from which to digress." However, in truth, the real beauty of the Web is that it has been a driving force for implementation and use of standards, which are essential for any community to operate as such. Without TCP/IP, HTTP, and HTML, the Web just ain't happenin'. The quintessential beauty of the Web is that its standards free people from having to deal with lower-level issues of communication and representation, thereby empowering individuals to bring the force of their own creativity to bear on higher-level knowledge (what the Webheads call "content") within their own spheres of expertise.
In politics, the principle of one-person/one-vote is well established. Why can and should it not also be so with respect to digital personas? What valid interest of the individual is served by forcing the use of multiple digital representations of him or herself that are proprietary to their hosts? Some will raise the specter of misuse of a universal personal ID, but how is personal security for individuals enhanced by the maintenance of sensitive personal information in multiple locations out of range of their control and even their knowledge? From the perspective of decency and universal human rights, the problem is not that a unique element of data can be used to identify any person. The problem is that there are too many "unique" identifiers that are not "personal" at all. That is, too many different "hosts" are being allowed to generate and maintain too many different identifiers for people - completely out of the control and often even without the knowledge of the person involved. Indeed, even when a unique identifier is already available in a repository under the individual's control, others are permitted routinely to commandeer copies of those elements and treat them as their own. Wells Branscomb (1994) notes, for example: "It seems to have gone unnoticed that the telephone number is becoming a more universal identifier, at least for commercial purposes, than the social security number."(17) (p. 48)
From the perspective of customers as individuals, how many different standards are needed to protect the privacy of personal data? How is it that various commercial "transaction sets" are important enough to warrant their own standards (X.12 & EDIFACT) but human beings are not?(18) If personal data were maintained in a standards-compliant directory through which each individual could efficiently restrict and grant access to their own data ... on their own terms ... to anyone else ... worldwide, what basis could there be for continuing to allow other individuals and commercial enterprises to capture and treat it as their own, to be used for purposes not authorized by the individual in question?
Inefficiency of access and uncoordinated distribution of management control among myriad "hosts" are no substitutes for effective control of personal data by the person him or herself, at least not in terms of privacy. If we're truly interested in paying more than lip service to customer focus, what could be more important than establishing a standard means for basic representation of the individual person to any and all applications worldwide? At the very least, we ought to tell it like it is. If we're not really serious about focusing on the customer, then let's stop lying about it. Customer focus means focusing first and directly on the customer, and nothing else. Anything else is in fact something else. Period!
Although many Web-based services may appear anonymous, Macavinta (1999) notes that data repositories can come back to haunt those who use certain portal services. Catlett (in Macavinta) says, "There is an enormous danger here because in the name of personalization, the portals are collecting huge profiles of users which are available under subpoena to any lawyer or investigator." In a series of lawsuits claiming that users slandered their firms, companies have sought to uncover the identity of people who posted messages on Yahoo. Those cases highlight the fact that anonymity and the Net no longer go hand in hand. Portals such as Yahoo are in the same position as ISPs, required to secure the data they escrow and then comply with legal authorities when someone is accused of wrongdoing over their services.
Under the circumstances, Web portal services have little choice but to authenticate users. While some argue that portals should carefully balance their business interests with visitors' privacy protections, there is a basic contradiction in terms with the concept of making "private" thoughts publicly available to anyone in the world via the Net. It's a little bit like crying "fire" in a crowded theater but doing so remotely by wireless microphone linked into the theater's sound system, with one's voice disguised. Fun for the perpetrator perhaps, but quite another matter for anyone else. It's a bit like having a giant, remotely controlled fist with which to smack anyone in the nose without suffering the consequences of having that fist associated with one's arm, much less one's own nose. Who are we kidding here? The thought turns completely on its head the exhortation to "think globally; act locally." It virtually begs for pushing to escalate into shoving.
In fact, it already has. One recent example involves the "anonymous" posting of derogatory and possibly defamatory remarks about a used car dealership on eBay, an online auction market. Segal (1999) reports that eBay does not conduct background checks on any of its participants or edit any of the feedback they provide on its site. Rather, it invites buyers and sellers to publicly review each other after every transaction, hoping the market will police itself by shunning unscrupulous participants. However, as Segal notes, such a hands-off approach offers the potential for competitors to denigrate each other by posing as customers.
The notion of having portals act as institutional agents for those who may wish to "reach out and touch someone" with an anonymous whack is of highly dubious value. To the degree that it has any value at all, those who choose to use the medium in such a fashion should be required to pay the cost of the liability insurance required to indemnify those who are unjustly harmed. Moreover, the system itself should provide means that are as quick and easy for claimants to use to obtain just recompense as for those who might use it anonymously to take actions that generate such claims.(19) Such even-handedness is a matter of simple equity but should also be reflected in law.
The answer is not to have "service providers" act as covers for those who would choose to commit wrongdoing, or even to act as seconds for those who would choose to do good. A far better course is a technical standard for individuals to represent themselves not only to other people but also to all automated applications, worldwide. By definition, such a standard must focus on providing directory services expressly designed to meet the needs of "the customer" - which is to say the people who will be using the system.
In a March 8, 1999, press release announcing open-beta testing of Novell Directory Services version 8, Novell calls it the "next-generation scalable Internet directory" and proclaims that it:
Database designers and administrators know very well that the way to reconcile many-to-many relationships is to construct intersecting entities that embody the elements necessary to identify the relationship - including those characterized by true partnership and/or the inverted pyramid, master/slave relationship implicit in a truly customer-focused orientation. Aside from the issue of whether the "customer is always right" or not, as Cook (1996) points out, responsible database design principles dictate that "the basic information about the person ... is only stored once ..." (p. 91) And "... the information about the roles the person plays [is] stored in the role entities." Further elucidating the point, she notes (p. 115):
It turns out that we will need to identify a more generic enterprise business function that creates these cross-functional entities, although the roles that these entities can play can be isolated to a single business function. For example, we have identified that marketing creates the role of prospect, and it is likely that the procurement function creates the role of vendor. However, both functions would need the ability to create a new person or organization if it did not already exist. Therefore, classification theory tells us to pull it out as a separate function. (emphases added)
We can consider the global data classes that do not belong to a specific business function to be cross-functional reference data or master data for the enterprise. In the architecture, the master data and processes that create master data form their own information systems. (emphases added)
X.500 offers a standardized means of providing integrated directory services to a variety of different users and applications. The basic unit of information in an X.500 directory is an entry. Entries are classified by the different types of object they represent. For example, the entry for an employee who has access to e-mail might be classified as an organizational person entry as well as an e-mail user entry. This type of classification determines the information elements or attributes which are to be held in the entries.
Additional classifications and associated attributes may be added to the entry as required. For instance, should an organization assign public key certificates to its employees to be used for encryption, the entries for the employees would also be classified as "strong authentication users", and the appropriate public key certificate attribute would be added to the entries.
The X.500 administrative models enable management of various attributes to be distributed to the appropriate authorities.
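The classification rule described above can be made concrete with a small schema check. This is an added example, not code from the quoted source: it models a subset of the standard `person`, `organizationalPerson` and `strongAuthenticationUser` object classes, uses a hypothetical `emailUser` class as a stand-in for the "e-mail user" classification, and runs against a constructed sample entry.

```python
"""Toy model of X.500 entry classification: an entry's object classes
decide which attributes it must hold and which it may hold."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset = frozenset()    # mandatory attributes
    may: frozenset = frozenset()     # optional attributes
    superior: Optional[str] = None   # class this one inherits from
    auxiliary: bool = False          # auxiliary classes are add-ons to an entry


# Subset of the standard person classes plus one hypothetical mail class.
SCHEMA = {c.name: c for c in [
    ObjectClass("person", must=frozenset({"cn", "sn"}),
                may=frozenset({"telephoneNumber", "description"})),
    ObjectClass("organizationalPerson", may=frozenset({"title", "ou"}),
                superior="person"),
    # Hypothetical stand-in for the "e-mail user" classification in the text.
    ObjectClass("emailUser", must=frozenset({"mail"}), auxiliary=True),
    ObjectClass("strongAuthenticationUser",
                must=frozenset({"userCertificate"}), auxiliary=True),
]}


def attribute_rules(class_names):
    """Return (must, permitted) attribute sets for the given classes,
    following each class's chain of superiors."""
    must, may = set(), set()
    for name in class_names:
        cls = SCHEMA.get(name)
        while cls is not None:
            must |= cls.must
            may |= cls.may
            cls = SCHEMA.get(cls.superior) if cls.superior else None
    return must, may | must


def validate_entry(entry):
    """Check an entry (dict of attribute -> list of values) against SCHEMA.
    Returns a sorted list of problems; an empty list means the entry is valid."""
    classes = entry.get("objectClass", [])
    problems = [f"unknown object class: {c}" for c in classes if c not in SCHEMA]
    known = [c for c in classes if c in SCHEMA]
    if not any(not SCHEMA[c].auxiliary for c in known):
        problems.append("no structural object class")
    must, permitted = attribute_rules(known)
    present = {a for a, v in entry.items() if a != "objectClass" and v}
    problems += [f"missing required attribute: {a}" for a in must - present]
    problems += [f"attribute not permitted: {a}" for a in present - permitted]
    return sorted(problems)


def classify(entry, class_name, **attrs):
    """Return a copy of entry with one more classification and its attributes."""
    new = {k: list(v) for k, v in entry.items()}
    new["objectClass"].append(class_name)
    for attr, value in attrs.items():
        new.setdefault(attr, []).append(value)
    return new


# Constructed sample entry for an employee with e-mail access.
EMPLOYEE = {
    "objectClass": ["organizationalPerson", "emailUser"],
    "cn": ["Pat Example"],
    "sn": ["Example"],
    "title": ["Analyst"],
    "mail": ["pat@example.org"],
}

if __name__ == "__main__":
    cert = "<constructed certificate placeholder>"
    print(validate_entry(EMPLOYEE))
    # Certificate without the classification: the attribute is rejected.
    print(validate_entry(dict(EMPLOYEE, userCertificate=[cert])))
    # Classification without the certificate: a required attribute is missing.
    print(validate_entry(classify(EMPLOYEE, "strongAuthenticationUser")))
    # Classification and certificate together: the entry is valid again.
    print(validate_entry(classify(EMPLOYEE, "strongAuthenticationUser",
                                  userCertificate=cert)))
```

The check makes the quoted point visible: a public key certificate is only a legal part of the entry once the entry carries the strong-authentication classification, and that classification in turn makes the certificate mandatory.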
That sounds good. However, it is easier said than done, not only technically but also as far as market acceptance is concerned. (See also EMA, 1997.) Johnson (undated) offers the following explanation of the factors that have limited the acceptance and deployment of X.500(21):
Products that might use a directory service are not yet X.500-aware. Implementing an X.500 Directory User Agent (DUA), the Directory Access Protocol (DAP) and ASN.1 encoding is quite a task, and is probably outside the capabilities of many vendors of desktop utilities and e-mail products.
As of yet, there is no real global X.500 Directory Information Tree. Companies which have implemented X.500 can only connect to each other on a peer-to-peer basis. Service providers are not yet offering public X.500 directory services. It can be argued that there can be little current requirement for a global directory if no products yet exist that can use it.
However, three recent technological advances are likely to bootstrap the requirements for a global directory:
X.500-enabled World Wide Web servers allow users to traverse the X.500 directory using any Web client - many of which are free.
The Lightweight Directory Access Protocol (LDAP) was originally created to simplify access to X.500 directories. It is evolving to become a general-purpose directory access protocol that de-couples the user agent from the technical complexities of the actual directory service being used. LDAP could be used to access a MAPI Address Book or Banyan StreetTalk directory as easily as X.500. Developers can directory-enable their applications by using LDAP. The application is unaware of the directory protocol being used, allowing a single user agent to be successfully used with several different directory services.
Public Key Cryptography is becoming recognized as the best way to provide security services such as digital signatures, content integrity, and encryption. In order to use this technology, a global directory is needed to provide easy access to the public keys.
Some intranet directories will be provided using X.500, and others using proprietary mechanisms. X.500 will only be a small factor in determining the most successful products.
To build a global (Internet) directory, industry consensus must be reached on two key problems:
How to interconnect intranet directories. X.500 is a possible solution for this.
LDAP will have a key role to play as the preferred directory access mechanism, although it will not become the Internet directory. X.500 will have a role, and possibly a very significant role in the provision of directory services.
Concerning the role of X.500 in supporting Public Key Infrastructures (PKI), Boyen (undated) draws the following summary conclusions:
X.500 directory systems are extremely well suited to the role of the information repository for large scale and interoperable Public Key Infrastructures. The value of the service will be further increased if the same X.500 directory service is used to support the corresponding applications such as electronic commerce, messaging, etc. In addition, the ease of use will be greatly enhanced as the application systems evolve to support standard Application Programming Interfaces (APIs) to access security functions, and as the applications and security functions share a common interface to a single directory service.
Although it is possible for "service providers" to beg, borrow, or steal the digital personas of individuals and thus gain some measure of control over them in their networked relations with others, biometric personas may be another matter. At least, proprietors can be expected to pay a higher price to acquire body parts and functions from individuals than they've been paying for the myriad digital representations of people. Under current law, it is illegal for anyone to acquire an entire, living human body for the purposes of enslavement. Moreover, the number of fingerprints, irises, voices, etc. that may legitimately be associated with any individual is limited.
In a survey of international electronic and digital signature initiatives, the Internet Law and Policy Forum (ILPF) noted the following:
It seems likely, however, that even biometric techniques will require some sort of trust infrastructure - as with cryptographic keys, some trusted third party must confirm the relationship between a particular biometric feature and a particular person or attribute of a person. Thus, it may very well turn out to be the case that the legal issues raised by the operation of a trust infrastructure are fairly generic to all authentication technologies. (footnote 5)
If legislation permits CAs to limit their liability ... it would seem that the market would quickly determine the appropriate range of certificate values and their corresponding costs to users. If there is demand for high value certificates with correspondingly high liability limitations, a CA would presumably charge the holder of the certificate an amount that includes an appropriate risk premium and thereby internalize its costs. Similarly, if there is demand for low value or even "no value" certificates (which many believe will be the most widespread use of digital signatures) the CA would limit its liability to an appropriately small amount (and perhaps forego liability altogether), and the cost to the user would be reduced. The only real hazard of this market driven approach is that third parties will have to be diligent in confirming the validity of a certificate, and the acceptability of any liability limitation it contains, in light of the nature of the transaction. As the value of a transaction increases, however, it seems presumptively more reasonable to impose those duties on third parties. Moreover, if it turns out that the risks for third parties remain too great, they will not accept high value certificates and no market for these certificates will emerge. (footnote 19)
One of the most aggravating instances of the misuse of personal data involves unsolicited phone calls. Whereas E-mail and regular junk mail are asynchronous means of communications, telephone conversations are synchronous - at least on the part of the recipient. One way or another, the recipient is forced to attend to them on a schedule largely dictated by the "host" (i.e., the originator). Quite literally, the telephone system provides a direct link into the heads of anyone who is not deaf and is within earshot of customer "premise" equipment. (pun intended)(24) While Congress has actually enacted a law, the Telephone Consumer Protection Act (TCPA), purported to protect consumers from junk calls, Private Citizen (undated) points out that it is so riddled with loopholes that "telemarketers can drive a boiler-room through it."(25)
Indeed, President Clinton has appealed to Congress to pass new legislation to stop telemarketers from preying on the elderly, declaring that fraudulent business deals offered by telephone pose "the greatest threat that many older Americans face." He noted that Americans lose an estimated $40 billion per year to telephone schemes and that more than half of the victims are older than 50. The proposed legislation would give the Justice Department the authority to terminate telephone service in light of evidence indicating that it has been or will be used for illegal telemarketing. (McAllister) However, so long as telemarketers can freely access and use personal data as if they "own" it, it is difficult to imagine that the government will be able to close down illegal operations nearly as rapidly as they can proliferate. Moreover, why on the basis of age discrimination should only half of the problem be addressed?
Leibovich (1999) highlights an aspect of telemarketing that tilts the balance even more ridiculously in favor of its "hosts" - the use of automatic dialers and messages pre-recorded by celebrities. Thus, the purveyors of such unsolicited calls are freed from having to spend any of their own personal time even as they claim the time and attention of their targets, potential customers or not. The TPCA supposedly restricts the use of the telephone to complete unsolicited sales and the Federal Communications Commission believes that it may apply in this instance. However, at best, it is inefficient to place the burden on consumers and the government to stop practices that should automatically be precluded by the technology itself.
O'Harrow (1999, April 23) reports on yet another facet of the problem - the growing "grey market" for personal information gleaned from "pretext calling," whereby information brokers using lies and deception pose as individuals on the phone so as to persuade banks and other institutions to release such information to them. The Federal Trade Commission has charged one broker with using illegal, unfair and deceptive practices. The Comptroller of the Currency, which oversees the operation of national banks, has cautioned them to use better passwords to protect against unauthorized releases of financial information. However, again, it is unlikely that government enforcement actions will ever be equal to the task of stopping such practices when they are so readily facilitated by the technology and accepted business practices.
Moreover, the information brokers have a valid point: Court-sanctioned means of gathering personal data are time-consuming and costly, even when justified to proceed against deadbeat dads and those who fail to pay their bills. On the other hand, two wrongs do not make a right, regardless of who commits the first instance of wrongdoing. A far better solution would be to give individuals control over their own personal data in an internationally standards-compliant directory, supported by statutorily mandated record-keeping requirements, whereby individuals can manage and audit usage of their own data while at the same time others who have valid rights to it can be granted appropriate access as well.(26)
Through the application of an international standard like X.500, people should be empowered to indicate not only their own personal interests but also the parameters within which they choose to receive information from others related to those interests. Aside from the issue of who owns the rights to use personal data, customers should have the right to control what comes at them through their telcos and ISPs, since they pay the tariff for those services. The issue is somewhat more complex as far as postal and broadcast services are concerned, but it might be in the interest of both the U.S. Postal Service as well as the broadcast media service providers to consider the business opportunity for narrowcasting ... before it runs them over.
Privacy is a large and growing issue and obviously so too is electronic commerce. Information technology and proprietary directories are generally viewed as threats to privacy. However, the value proposition that begs realization is to capitalize on the distributed, open-systems nature of X.500 to turn that assumption on its head. Theoretically, each person might have their own, personal X.500 directory built into their own phones and PCs, but telcos, banks, ISPs, and other organizations should consider offering such services based upon an open-systems standard that guarantees interoperability. Thus far, the focus seems to have been on the vendors rather than the consumers, but over the longer term, those who do the best job of meeting the actual needs and desires of the customer will prevail in an unfettered market-based economy.
In a very real sense, personal privacy is the flip side of the notion of "advertising" not only one's wares but also one's life history, expertise, and experiences. Theoretically, people could provide notice of their expertise in an X.500 compliant directory, thereby facilitating query, discovery, connection, establishment, synthesis, and continuous symbiotic expansion of knowledge and knowledge-enhancing relationships worldwide. The potential for the X.500 to connect people should be contemplated within the continuum for the management and discovery of knowledge in general. As Norman (1988) pointed out, knowledge may exist in one of two places - in the world or in people's heads.(27) The X.500 White Pages can serve the role of the "intersecting entity" to connect the knowledge and expertise embodied in people and as yet "uncaptured" in the world. In that sense, it might be called ISO-X-ISO, or ISO-squared (ISO²) - meaning the "In Search Of" standard endorsed for worldwide application by the International Standards Organization.
For governmental services, the X.500 Blue Pages constitute an expertise directory, with a couple levels of indirection between the person submitting the query and the actual information they want. (See Ambur, 1997, December.) The numbers listed in the directory are aliases for the people who answer the phones, and the people who answer the phones are intermediaries - oftentimes needlessly - for the information and/or action desired by the callers. Personal anonymity is a matter of administrative efficiency rather than privacy in this instance, but the effect is the same.(28) Moreover, in most instances the underlying requirement and the desired outcome for the Blue Pages are the same as for DASL, Z39.50, and the DMA - to provide ready access to knowledge, not to engage in conversation, browsing, or "surfing". (For information on DASL, Z39.50, and the Document Management Alliance, see Ambur, 1999, April.)
Consumers pay for their telephone and Internet access services. If they don't like what they see on TV or hear on the radio, they can turn it off or switch channels. Bill Gates et al. are working on Internet "channels" and Vice President Gore et al. feel strongly that parents should be able to control what their children see and hear on TV and the Internet. Theoretically, the X.500 directory could be exploited to give consumers a single point of control over what comes at them via "push" technologies, especially via their telephone and E-mail services.(29) Ultimately, the service might be used to target cable TV and Web page advertisements as well.
As always, the market or absence thereof will determine whether such a service is economically viable. Direct marketers and the vendors of products and services can be expected to fight anything that may shift power to consumers and thereby diminish "proprietary" control and, thus, profitability ... that is, the share of profitability that is based upon controlling consumer behavior rather than serving the unfettered needs and desires of people. Early advocates of the Internet were naive to think that it could be maintained as a commercial-free zone. In the near-term, the services that can be maintained on the Internet without relying upon advertising revenue remain to be seen. However, even the most ardent defenders of the First Amendment would have a difficult time arguing that individuals have no right to control what hits their eyes and ears - especially when they themselves are paying for the channels over which the blows are delivered. Why should one body part - the nose - be given preferential treatment over other sensory organs?
Telcos and ISPs might initially offer customer-focused, consumer-control directory capabilities as a "premium" service. Once the technical capabilities have been established and proven, it will be interesting to see whether a paradigm shift might occur with respect to who "owns" the time and attention of consumers, who should be expected to pay for it, and how. For example, shouldn't those who can be reached by "narrowcasting" pay less for products and services than those who can only be reached via less efficient, more costly broadcasting? And those who are loyal to a brand, for example, might expect to be rewarded more directly for it, especially if they are willing to enter into a contractual or other more or less formal expression of their loyalty.
It would be especially interesting to see what might happen if the X.500 directory, including consumer preference data and access control parameters, were populated in cascading chain-letter fashion using electronic forms (E-forms) distributed via Internet-based E-mail and workflow automation, as well as by voice and key response on the telephone and perhaps even by regular mail.(30) That is, anyone who currently enjoys a personal or professional relationship with anyone else might be empowered to supply a limited amount of metadata (as little as an E-mail or postal address or a phone number) about that person and thereby "nominate" him or her for inclusion in the directory. The "sponsor" would also specify his/her relationship to the nominee.
The nominee would in turn be automatically contacted, by the means specified by his/her sponsor. The nominee would be notified who sponsored the nomination as well as the relationship specified, and would be empowered to confirm or reject the relationship as well as to accept or reject the nomination. In the event the nominee chooses to accept, s/he would be given the opportunity to include as little or much information as s/he chooses and, equally importantly, to specify usage parameters for each element of data supplied. Finally, each nominee who agrees to participate in the directory would be given the opportunity to nominate other friends, family members, and business associates.
Logically, the first participants must be those who propose to supply and support the necessary technical infrastructure. The parameters defining their qualifications, products, and services should be among the initial elements incorporated into the directory, and their appearance in the directory would constitute their offer to potential consumers. To the degree they already have relationships with existing customers, they could then use the system - with tact and care - to "push" their offers to those customers by "nominating" them for an additional business relationship(s) within the directory. No doubt, it will be smart for vendors to offer to host basic X.500 directory services for their existing customers for very low and preferably no additional charge whatsoever. However, once an individual has accepted a nomination and taken control of his or her own persona in the directory, the service provider should be contractually and legally bound to enforce the person's preferences, as specified in the directory.(31)
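The nomination procedure described above, together with the requirement that the service provider enforce each person's usage parameters, can be sketched as a small consent workflow. The Python below is an illustration added here, not part of the original paper or of any X.500 product; the class names, the (requester, purpose) form of the usage parameters, and the example.test addresses are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"    # nominee has been notified, no decision yet
    ACCEPTED = "accepted"  # nominee has taken control of the entry


@dataclass
class Entry:
    contact: str           # the only metadata the sponsor supplies
    sponsor: str
    relationship: str      # as claimed by the sponsor
    state: State = State.PENDING
    relationship_confirmed: bool = False
    attributes: dict = field(default_factory=dict)  # element -> value
    usage: dict = field(default_factory=dict)       # element -> {(requester, purpose)}
    audit: list = field(default_factory=list)       # every read attempt, granted or not


class Directory:
    def __init__(self, founders):
        # The infrastructure providers are the first participants.
        self.members = set(founders)
        self.entries = {}

    def nominate(self, sponsor, contact, relationship):
        """Record a nomination and return the notice sent to the nominee."""
        if sponsor not in self.members:
            raise PermissionError("only participants may nominate others")
        if contact in self.entries:
            raise ValueError("a nomination for this contact already exists")
        self.entries[contact] = Entry(contact, sponsor, relationship)
        # The nominee is told who sponsored the nomination and on what basis.
        return {"to": contact, "sponsor": sponsor, "relationship": relationship}

    def respond(self, contact, accept, confirm_relationship=False, elements=None):
        """Nominee's decision. elements maps name -> (value, allowed uses)."""
        entry = self.entries[contact]
        if entry.state is not State.PENDING:
            raise ValueError("nomination already decided")
        if not accept:
            # Rejection leaves nothing behind, including the sponsor's metadata.
            del self.entries[contact]
            return False
        entry.state = State.ACCEPTED
        entry.relationship_confirmed = confirm_relationship
        for name, (value, allowed) in (elements or {}).items():
            entry.attributes[name] = value
            entry.usage[name] = set(allowed)
        self.members.add(contact)  # participants may nominate in turn
        return True

    def read(self, requester, contact, element, purpose):
        """Return the value only if the owner allowed this requester and purpose."""
        entry = self.entries.get(contact)
        if entry is None:
            return None
        # Default deny: pending entries and unlisted uses release nothing.
        granted = (
            entry.state is State.ACCEPTED
            and (requester, purpose) in entry.usage.get(element, set())
        )
        entry.audit.append((requester, element, purpose, granted))
        return entry.attributes[element] if granted else None

    def audit_for(self, contact):
        """The owner's view of who asked for what, and whether it was granted."""
        return list(self.entries[contact].audit)


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    d = Directory({"telco"})
    print(d.nominate("telco", "alice@example.test", "customer"))
    d.respond("alice@example.test", True, True,
              {"phone": ("555-0100", {("telco", "billing")})})
    print(d.read("telco", "alice@example.test", "phone", "billing"))
    print(d.read("telco", "alice@example.test", "phone", "telemarketing"))
    print(d.audit_for("alice@example.test"))
```

Two properties carry the privacy argument: a nomination that is pending or rejected releases nothing, and every request, granted or denied, lands in a log the owner can read.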
An editorial in NetworkMagazine (1998, September) lamented the growing intrusion of ads embedded in electronic products. In an E-mail message commending the editorial, the author expressed the following line of reasoning:
Granted, these are radical notions and, to most people, the devil you know is often preferable to the devil you don't. However, if the answers continue to be exclusively slanted in favor of vendors rather than consumers, at least truth-in-advertising should be recognized for what it is - a myth best supplanted by the admonition "buyer beware!" Indeed, when wooed by vendors plying platitudes of customer-focus and service, consumers should respond with a large guffaw. Yet a far better alternative in the interest of all concerned - vendors and customers alike - is to establish a regime in which each individual is indeed and truly the focus, in which each person controls his or her own personal data, and in which both commerce and trust can thrive on the strength of a more perfect union of interests among equal partners to equal-value exchanges.(32)
As the directory grows, legislation should be enacted to require businesses to get the individual's permission to use any of his or her data. Of course, businesses would be free to maintain data on their transactions with any person. However, they might be required to maintain it in a "blind" or even a "double-blind" fashion, so that they could not tie it to any individual without the individual's permission or, in the event of a valid need that conflicts with the interest or ability of the individual to grant permission, with the approval of a duly authorized third party. Use of a person's telephone number for telemarketing or an E-mail or postal address for junk mail without the person's approval, for example, could be taken as prima facie evidence of wrongdoing, subject to reasonable penalties automatically enforced in each instance and which would become prohibitively expensive to any enterprise en masse.(33)
In light of the EU privacy directive and its potential application worldwide, there ought to be tremendous market potential for an open-systems standard enabling people worldwide not only to control access to their own personal data, but also to reveal as much about themselves and their interests as they desire, to whomever else they desire, based upon the attributes their potential contacts choose to reveal about themselves (e.g., their technical expertise to solve a problem). In effect, the directory would become the international personal and professional classifieds. With the connection to the X.509 standard and to Certificate Authorities, it could become the basis for all electronic transactions worldwide.
The combination of Novell's DigitalMe and NDS has been called a "portal buster" and that is exactly what the X.500 directory can and should become. (See Foley, Satran, Surkan, Berinato, and Foley and Sperling.) For what is a "portal" but a Web site that endeavors to hold people hostage long enough to expose them to force-fed propaganda as a precondition to discovering whether the vendor actually offers anything the individual really wants or needs? Portals are based upon the outmoded paradigm of hierarchical management, in which the "clients" are placed in a subservient relationship to the "servers". Indeed, notwithstanding any platitudes about customer-focus and service, by definition, the portal places itself at the pinnacle of the hierarchy.
Potentially, the participants in a standards-based, open-systems worldwide directory could capture and more productively redirect much of the revenue currently going into the advertising and marketing sector of the economy. They could do so by eliminating the needless cost and inefficiency of the current paradigm by bringing people directly together based upon their mutual interests, as reflected in the parameters (person metadata) "embodied" in the directory.
Reportedly, NDS Version 8 will handle up to 1 billion users and devices. Rumor also has it that Novell plans to port NDS and DigitalMe to Linux, and the prospect of a "free" open-systems operating system to support the directory is highly appealing. If Novell can get third-party vendors (e.g., the telcos, banks, etc.) to use DigitalMe to market X.509 certificates to consumers, it may not matter that NDS is not exactly an open-systems X.500-compliant directory.(34) However, as appealing as Novell's strategy may be, people should be no more enamored of the thought that any vendor might "own" their personal data - by virtue of holding it in Novell's proprietary repository - than of continuing to be forced to pay alms to Bill Gates for membership rights to enter Cyberspace.
When push comes to shove:
In the closing chapter of her book, "The Power of Logical Thinking," Marilyn Vos Savant notes: "One of the biggest weaknesses of majority rule is that the majority may be wrong." (p. 166) That may be acceptable as far as politics are concerned since, as oft observed, "democracy is the worst form of government ... except for all the others." However, it is not acceptable to impose the mistakes of the majority upon the individual with respect to privacy, personal choice, and customer-focus. It is widely recognized that, whenever possible, effective self-regulation is clearly preferred over externally imposed control. And so it is that - for the purposes not only of privacy but also optimization of profitable relationships in the cyber marketplace - an open-systems directory standard like X.500 is the quintessential key. Grasping that key firmly in hand and wielding it with enlightened self-interest, individuals working together can build nothing less than a monument to the human spirit - a dynamic worldwide web of affinity, integrity, security, productivity, knowledge, and value-based relationships.
Finally, Ms. Vos Savant references Herbert Simon's concept of "satisficing" - in which people settle for a satisfactory level of winning rather than search for an optimal solution. Consistent with human nature, it is perfectly understandable for those who know no better to continue, like sheep, lending their personas to whatever purposes others may choose for them.
The question is ... why would anyone who knows better do so?
Abram, J. (undated) Who Owns the Customer? - Not You - That's for Sure. Available at: http://www.abramhawkes.plc.uk/artwhoow.htm
Agre, P.E., and Rotenberg, M., Editors. (1997). Technology and Privacy : The New Landscape. Cambridge, MA: MIT Press.
Air Force. The A-76 Independent Review Home Page: Federal, DoD, and Air Force Policy and Guidance on the Performance of Commercial Activities. Available at: http://www.saffm.hq.af.mil/SAFFM/FMC/a76.html
Ambur, O. (1997, December) 1-800 Say-The-Word: The X.500 Blue Pages Key to Stockholder/Customer-Accessible Government. Available at: http://www.erols.com/ambur/BluePage.html
Ambur, O. (1997, May) Automated Forms: Putting the Customer First Through Intelligent Object-Oriented Chunking of Information and Technology. May 1997. Available at: http://www.erols.com/ambur/Eforms.html
Ambur, O. (1999, April) Freedom's Just Another Word ... for Metadata: Knowledge Management and Discovery via DASL, Z39.50, X.500, and the DMA. Available at: http://www.erols.com/ambur/freedom.html
Apple, C., and Rossen, K. (1997, April) RFC 2116: X.500 Implementations Catalog-96. Available at: http://ucnet.canberra.edu.au/RFC/rfc/rfc2116.html
Ashkenas, R., Ulrich, D., Jick, T., and Kerr, S. (1995) The Boundaryless Organization: Breaking the Chains of Organizational Structure. San Francisco, CA: Jossey-Bass. p. 337.
Berinato, S. (1999, March 23) Novell exec highlights work to be done on NDS. PC Week Online. Available at: http://www.zdnet.com/pcweek/stories/news/0,4153,1014204,00.html
Blundon, W. (1997) "When 'push' comes to shove: Push technology is all the rage -- What does this mean for Java?" Available at: http://www.javaworld.com/jw-04-1997/jw-04-blundon.html
Booz-Allen & Hamilton. (1996, June 30) Detailed Design for a Government Electronic Directory. Compiled under contract to the Center for Electronic Messaging Technologies, General Services Administration. Available at: ftp://ftp.fed.gov/pub/emailpmo/X500/design/
Booz, Allen & Hamilton. (1996, July 30) X.500 guidance. Center for Electronic Messaging, General Services Administration. Available at: ftp://ftp.fed.gov/pub/emailpmo/X500/guidance/
Booz-Allen & Hamilton. (1996, November 11) Feasibility Study: Interoperability of On-Line Government Locator Services and the Governmentwide X.500 Electronic Directory. Compiled under contract to the Center for Electronic Messaging Technologies, General Services Administration.
Boeyen, S. The Role of X.500 in Support of Public Key Infrastructures (PKI). Messaging Magazine. Available at: http://www.ema.org/html/pubs/mmv2n5/rolex500.htm
Boeyen, S. X.500 Services for Integrated Applications. Messaging Magazine. Available at: http://www.ema.org/html/pubs/mmv1n2/x5serv.htm
Cavoukian, A., and Tapscott, D. (1997) Who Knows: Safeguarding Your Privacy in a Networked World. Washington, DC: McGraw Hill.
Chadwick, D.W. (1994) Understanding X.500 - The Directory. Available at: http://www.salford.ac.uk/its024/Version.Web/Contents.htm
Chromatix. Technical Writeups/Background Information. Available at: http://www.chromatix.com/html/papers.html See especially Directory Frequently Asked Questions (FAQ) at: http://www.chromatix.com/html/faq.html
Clinton, W.J., President of the United States (POTUS) (1998, May 14) Privacy and Personal Information in Federal Records, Memorandum for the Heads of Executive Departments and Agencies. Available at: http://cio.gov/privord.htm
Cook, M.A. (1996) Building Enterprise Information Architectures: Reengineering Information Systems. Upper Saddle River, NJ: Prentice Hall.
Curran, J., and Marine, A. (1992, August) RFC 1355: Privacy and Accuracy Issues in Network Information Center Databases. Available at: http://www.mit.edu:8001/afs/athena/reference/rfc/fyi15.txt and http://web.urz.uni-heidelberg.de/Netzdienste/internet/fyi/fyi15.html
Davenport, T. (1997) Information Ecology: Why Technology Is Not Enough for Success in the Information Age. pp. 8, 9 & 194.
Dickinson, B. (1998) Creating Customer Focused Organizations. Kings Beach, CA: LCI Press.
EMA. (1997, May) Directory Challenge '97, Technical Report. EMA Directories Committee, Directory Challenge Work Group. Available at: http://doro.srv.gc.ca/x500/ema/fin_97~1.htm
European Union. (1995, October) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Reprinted in Appendix A of Swire (1999). Available at: http://www2.echo.lu/legal/en/dataprot/directiv/directiv.html
Faith Cranor, L., editor. (1998, July 21) P3P Guiding Principles. W3C NOTE. Available at: http://www.w3.org/TR/1998/NOTE-P3P10-principles
Faith Cranor, L. (1998, November) Requirements for a P3P Query Language. Available at: http://www.w3.org/TandS/QL/QL98/pp/APPEL-QLW.html
Farhi, P. (1999, February 14) Getting the Goods on Consumers: Marketing Firms Want Basic Data About You and Me, But We're Wising Up to What These Facts Are Worth. The Washington Post. pp. H1 & H14.
Fetherling, D., Editor. (1997) The Privacy Rights Handbook : How to Take Control of Your Personal Information.
Foley, M.J. (1999) 'Who do you want to be today,' is the new question for Internet-centric companies, says Novell chief. Sm@rt Reseller. Available at: http://www.zdnet.com/sr/stories/news/0,4538,2229581,00.html
Foley, M.J., and Sperling, E. (1999, March 23) Forget portals: Novell's new way to shop. Sm@rt Reseller. Available at: http://www.zdnet.com/zdnn/stories/news/0,4586,2230165,00.html
Frank, R.H., and Cook, P.J. (1995) The Winner-Take All Society: Why the Few at the Top Get So Much More Than the Rest of Us. New York, NY: Penguin Books.
General Services Administration. (1998, February). Outsourcing Information Technology. White Paper. Available at: http://www.itpolicy.gsa.gov/mkm/gsaepp/finalout.htm
Givens, B. (1997) The Privacy Rights Handbook: How to Take Control of Your Personal Information. New York, NY: Avon Books.
Hagel, J., and Singer, M. (1999) Net Worth: Shaping Markets When Customers Make the Rules. Boston, MA: Harvard Business School Press.
Holmes, O.W. Fist/Nose quote. Available at: http://www.geocities.com/SoHo/Square/9496/Favquotes.htm
Ignatius, D. (1999, February 24). Mind Your Own Business. The Washington Post. p. A21.
Internet Law and Policy Forum (ILPF). Survey of International Electronic and Digital Signature Initiatives. Available at: http://www.ilpf.org/digsig/survey.htm See especially footnote 4, concerning privacy, and footnote 19, regarding digital signature certificate authorities.
Johnson, B. The North American Directory Forum: Making Directory Infrastructure a Reality. Messaging Magazine. Available at: http://www.ema.org/html/pubs/mmv2n5/nadf.htm
Joslin, P. (1992, January) The User Bill of Rights pertains to the Public Directory. Available at: http://eff.bilkent.edu.tr/pub/CAF/news/cafv02n04
Jotter Technologies Inc. Home Page at: www.jotter.com
Junkbusters. The Mission of Junkbusters. Available at: http://www.junkbusters.com/over.html
Kent, S. (1993, February) RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. Available at: http://sunsite.auc.dk/RFC/rfc/rfc1422.html
Kille, S., ISODE Consortium. X.500 and LDAP. Messaging Magazine. Available at: http://www.ema.org/html/pubs/mmv2n5/x500ldap.htm
Leibovich, M. (1999, January 13). A Familiar Voice on the Phone: Telemarketers Using Pitches by Dick Clark, Other Celebrities. The Washington Post. pp. A1 & A16.
Leith, S., editor. (1997) "When Push Comes to Shove." Dispatch Tech-Page, Word-Ware Interactive. Available at: http://www.mallofcities.com/techpage.htm
Lumeria. What We're About. Available at: http://www.lumeria.com/what.html What is a profile? http://www.superprofile.com/ Lumeria Announces SuperProfile: http://www.lumeria.com/press4.html White Paper - An Infomediary Approach to the Privacy Problem Lumeria's revolutionary Identity Management system puts control and value of consumer information in the hands of the consumer: http://www.superprofile.com/WhitePaper.html
Macavinta, C. (1999) Is privacy the price of personalization? CNet.com. Available at: http://abcnews.go.com/sections/tech/CNET/cnet_portalpersonalization990310.html
Marchiori, M., editor. Platform for Privacy Preferences: P3P Project. Home page. Available at: http://www.w3.org/P3P/
McAllister, B. (1999, February 16). Consumers Are Attached to Self-Adhesive Stamps. The Washington Post. p. A15.
McAllister, B. (1999, April 18). Telemarketing Scams Targeted: Clinton Will Propose Legislation to End Preying on Elderly. The Washington Post. p. A8.
McCarthy, S. (1999, April 26) At last - an Alaska lawmaker submits a bill to regulate e-mail. Government Computer News. p. 47.
McComb, T. M. Spam - A Brief Q&A Session. Available at: http://spam.abuse.net/others/qanda.html
National Institute of Standards and Technology. (1994) An Introduction to X.500. Available at: http://snad.ncsl.nist.gov/snad-staff/tebbutt/x5eg/chapter2_4.html
Nelson, C. (undated) The ABCs of EDI: Standards. Available at: http://www.edi.wales.org/feature4.htm
Norman, D.A. (1988) The Psychology of Everyday Things (POETS). New York, NY: Basic Books. pp. 54 - 80.
Novell. (1999, March 8) Novell Directory Services Grows to Meet Internet Demands Scalable Internet Directory Lays Foundation for Electronic Commerce. Press release. Available at: http://www.novell.com/press/archive/1999/03/pr99018.html
Novell. (1999, March 22) Novell Previews digitalme™: Directory-Enabled Technology For Personal Control of Identity on the Internet Partners with Citigroup, FirstUSA to Create Secure ID Solutions for the Net. Press release. Available at: http://www.novell.com/press/archive/1999/03/pr99028.html
Novell. (undated) Index of articles on DigitalMe. Available at: http://www.digitalme.com/gossip/
O'Harrow, R., Jr. (1999, March 4) Clinton Names Counselor on Privacy. The Washington Post. p. E2.
O'Harrow, R., Jr. (1999, April 23). FTC Charges Firm in a Privacy Sting. The Washington Post. p. E1 & E3.
Ostroff, F. (1999) The Horizontal Organization: What the Organization of the Future Actually Looks Like and How It Delivers Value to Customers. New York, NY: Oxford University Press. p. 61.
Perez, J. (1999, April 14). Novell CEO: Directories key to commerce. Online News. Available at: http://www3.techstocks.com/~wsapi/investor/reply-8923080 and http://www.computerworld.com/home/news.nsf/all/9904143schmidt
PrivacyBank. Who Should Open an Account? Available at: http://www.privacybank.com/WhoOpen.html Home page at: www.privacybank.com/
PrivaSeek. Who is PrivaSeek? Available at: http://www.privaseek.com/whois.html What is a Persona? http://www.privaseek.com/persona.html Home page at: http://www.privaseek.com/
P3P Home Page. (1999) Available at: http://www.w3.org/P3P/
Private Citizen. (undated) About the Telephone Consumer Protection Act of 1991. Available at: http://www.privatecitizen.com/tcpa.htm Home Page at: http://www.privatecitizen.com/
Ray, J. (1998, July 21) Electronic Commerce: Privacy in Cyberspace. Notes on hearing before the House Commerce Subcommittee on Telecommunications, Trade and Consumer Protection. Available at: http://www.itpolicy.gsa.gov/mks/regs-leg/eleccomm.htm
Ray, J. (1998, September 23). Computer Security in the Federal Government: Protecting Personal Information. Notes on hearing before the Senate Governmental Affairs Committee. Available at: http://www.itpolicy.gsa.gov/mks/regs-leg/sgac.htm
Reagle, J. (1999) P3P and Privacy on the Web FAQ. Available at: http://www.w3.org/P3P/P3FAQ.html
Reichheld, F. (1996) The Loyalty Effect: The Hidden Force Behind Growth, Profits, and Lasting Value. Boston, MA: Harvard University Press. pp. 280 & 286.
Samuelson, R.J. (199, March 18) Why I Am Not a Manager. The Washington Post. p. A21.
Satran, D. (1999) NetTrends: Novell's directory for e-commerce, privacy. Available at: http://www.moneynet.com/content/MONEYNET/News/NewsStory.asp?Symbol=NOVL&ID=SF-04/13-AnN13463465@NEWS-P1&Index=0&HeadlineURL=../News/NewsHeadlines.asp&DISABLE_FORM=&NAVSVC=News\Company
Schwartz, A. (1999, April 19). E-mail exchange concerning "Digital You and Digital Me." Center for Democracy and Technology. Home page at: http://www.cdt.org
Segal, D. (1999, April 28) E-Buse Alleged in Online Auction: Car-Seller Says Rival Posted Misleading Message on EBay. The Washington Post. pp. E1 & E3.
Shear, M. (1999, February 25). "Va. Targets Senders of Bulk E-Mail: Offenders Could Face Criminal, Civil Cases." The Washington Post. pp. B1 & B9.
Singletary, M. (1999, January 31) Whose Information Is It, Anyway? Consumers Have Few Rights to Privacy of Personal Data. The Washington Post. p. H2.
Steinberg, J. (1999, April 8). Why Novell will Double Again. Available at: http://www3.techstocks.com/~wsapi/investor/reply-8776106
Steyaert, J.C. (undated) Top Privacy Principles for Federal Web Sites. Memorandum for Chief Information Officers and Federal Webmasters. General Services Administration. Available at: http://www.itpolicy.gsa.gov/mke/fedwebm/privacy.htm
Surkan, M. (1999, April 5) NDS 8 lays firm e-com foundation: Upgrade will ease supply-chain communications, but most sites aren't yet ready. PC Week Labs. Available at: http://www.zdnet.com/pcweek/stories/news/0,4153,397851,00.html
Swire, P.P., and Litan, R.E. (1998) None of Your Business: World Data Flows, Electronic Commerce, & the European Privacy Directive. Washington, DC: Brookings Institution Press.
Timberg, C. (1999, March 6) "Gun Group, ACLU Seek 'Spam' Law Veto." The Washington Post. pp. B1 & B7.
Tucker, M. (1998, October) "Who owns the customer?" KMWorld. p. 14.
Vos Savant, M. (1996) The Power of Logical Thinking: Easy Lessons in the Art of Reasoning ... and Hard Facts About Its Absence in Our Lives. New York, NY: St. Martin's Griffin.
Wagner Decew, J. (1997) In Pursuit of Privacy : Law, Ethics and the Rise of Technology. Ithaca, NY: Cornell University Press.
Walker, L. (1999, February 11) A New Market for Middlemen. The Washington Post. pp. E1 & E8.
The Washington Post. (1996, October 17) "Protesters and Their Targets." p. A22. Available at: http://washingtonpost.com/wp-srv/national/longterm/supcourt/stories/101796a.htm
Wells Branscomb, A. (1994) Who Owns Information?: From Privacy to Public Access. New York, NY: Basic Books.
Woodward, J.D. (1998, July 17) For the National Telecommunications and Information Administration, U.S. Department of Commerce On "Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy." Available at: http://www.ntia.doc.gov/ntiahome/privacy/mail/disk/Woodward.htm
X.500. Additional on-line references:
Online Directory Services: X.500 User Overview, University of Michigan Information Technology Division, Reference R1124, September 1993. Available at: http://ftp.sunet.se/pub/nir/x500/overview.txt
Trinity College Dublin - Computer Science Department, Networks & Telecommunications Research Group. Home page: http://ntrg.cs.tcd.ie/ The X.500 Directory Service, Introduction. Available at: http://ntrg.cs.tcd.ie/4ba2/x500/
Graphical depiction of X.500. Available at: http://ganges.cs.tcd.ie/4ba2/x500/martin/compfig.gif
1. Singletary (1999) reports the introduction of the Financial Privacy Act of 1999, which would make it harder for institutions to disclose or sell financial information about their customers without their consent. Her question is, "Who gave companies that right in the first place?" The answer supplied by Marc Rotenberg of the Electronic Privacy Information Center is, "Companies just took it. They just took the right to sell our personal information." Singletary believes that she has "an inherent right to own and control the bits and pieces of information that define who I am..." Norman Magnuson of the Association of Credit Bureaus asks whether she would rather have the government decide that she shouldn't get all those offers for credit, for example, or whether she'd rather make those decisions at her trash can. Her response: She'd rather have her stuff kept private and require companies that want to use it to ask her permission. However, she notes that there is nothing in Federal law to prevent a bank, broker, or insurance firm from taking personal information obtained from customers through their transactions and selling or transferring it to a third party.
The proposed legislation would rectify that problem by requiring institutions to obtain a consumer's informed consent. Singletary objects to the fact the bill would require consumers to opt out, rather than requiring companies to persuade them to opt into a data sharing agreement. Industry officials argue that obtaining affirmative consent from consumers would be excessively costly and wreak havoc with the economy. Singletary doesn't buy it. She notes, "With the technology we have today, it's much easier than ever to click a key on a computer, send a postcard or make a call to say, 'Yes, please put me on all those mailing lists so I can get all those pesky telemarketing telephone calls.'"
2. When Wells Branscomb asked the Postal Service to stop filling her post office box with unsolicited mail addressed to "occupant," she was told they could not legally comply with her request. (p. 11)
3. The President also noted:
5. Following up on a pledge by Vice President Gore, the President appointed Peter Swire to be the administration's chief counselor on privacy. O'Harrow (1999, March 4) reports that Swire was selected due to his knowledge of the European directive. Privacy advocates praised the appointment but have questioned whether Swire will have enough political clout or financial support to be more than a symbol.
6. Walker (1999) expresses hope that Hagel and Singer are right and that the Internet can help "turn marketing on its head, giving consumers more control over the seemingly random 1 million advertising messages to which they are exposed annually."
7. Hagel and Singer (p. 34) acknowledge that customers will still receive unsolicited messages via the postal service but suggest that they should decline over time. As a matter of interpretation of current U.S. law, direct mailers are presumed to have the right to fill post boxes with unsolicited mail. However, it would be short-sighted of both direct mailers as well as the Postal Service to assume that: a) such an interpretation of the law will always prevail, or b) other alternatives may not supplant the need for many people to have "old-fashioned" mail boxes at all.
Moreover, it should also be recognized that, for purposes of processing business-quality information in a business-quality fashion, E-mail is a stage of immaturity through which we must pass.
8. Hagel and Singer's reference to the role of infomediaries in gathering vendor performance data so as to be able to act as a "mini Consumer Reports" highlights both the flaw in their logic as well as the potential to "get it right." By definition, merchants are opening themselves, their products and services, to scrutiny by whatever "public" with whom they desire to profit by exchange of value. By contrast, individuals are making no such offer in the conduct of their private lives. To the degree that infomediaries can and will enhance the efficiency, effectiveness, and comprehensiveness of vendor performance measures, such services will add real value to the consumer economy and infomediaries are entitled to a reasonable return on such values. However, the appropriate uses of personal data are far more limited and should be severely restricted in instances where the individual him or herself has not explicitly agreed.
9. Hagel and Singer's reference to the benefits of intermediation for "customer acquisition" betrays the bias that pervades the treatment of personal data, even among those who pay lip service to "customer focus." Customers are not slaves nor should they be considered to be "for sale" or "acquisition". In the context of information technology (IT) and systems, individuals are the data by which they are represented. No one but they themselves should have direct access to or control over their digital selves.
10. The Federal Activities Inventory Reform Act of 1998 requires agencies to compile inventories of work that could be outsourced.
OMB Circular A-76 sets forth federal policy for determining whether commercial activities associated with conducting the government's business will be performed by federal employees or private contractors. Recent revisions to the A-76 Supplemental Handbook were designed to enhance federal performance through competition and choice, seek the most cost-effective means of obtaining commercial products and support services, and provide new administrative flexibility in agency decisions to convert to or from in-house, contract, or Interservice Support Agreement (ISSA) performance. (GSA)
Certain functions are inherently Governmental in nature, being so intimately related to the public interest as to mandate performance only by Federal employees. However, Circular A-76 provides that the Government shall not start or carry out any activity to provide a commercial product or service if the product or service can be procured more economically from a commercial source. (Air Force)
The Revised Supplemental Handbook on Circular A-76, dated March 1996, is available at http://www2.whitehouse.gov/WH/EOP/OMB/html/circulars/a076/a076s.html.
11. It seems obvious that a hierarchical structure is not only appropriate but required for some organizations and purposes, such as the military and going to war. While it is beyond the scope of this discourse to consider such examples in any detail, this author suspects that a full and fair analysis might ultimately reveal those purposes to be inappropriate subversions of the rights and interests of the many to the few as well.
12. In explaining why he is not a manager, Samuelson (1999) notes the difficulties they face reconciling the "imperatives" of the "Organization" with the "needs" of the "Individual." He says, "The common craving is control; the common fear is chaos. But the latter is rising while the former is falling." Under the circumstances, he suggests, the best companies can do is, "Pray for dumb competitors."
13. Frank and Cook argue:
1) Describe why the NIC needs the information and how it will use the information.
2) List of all the information being stored in an entry.
3) Detail which information will be made available outside of the NIC, to whom it will be made available, and for what purpose.
4) Provide for notification of any person or organization added to the database at the request of a third party.
5) Explain how to have the information changed or updated.
6) Explain how to get information removed from the database, including any references to one's information in another's database entry.
7) Explain the consequences of removing information from the database and of failing to provide all or part of the information a NIC requests.
16. Satran quotes Schmidt as saying, "Novell views directory and identity as two sides of the same coin."
17. Wells Branscomb goes on to say:
The syntax comprises the rules that define how a message is assembled for exchange. Three syntaxes dominate in the world of EDI: ANSI ASC X.12 (often called ANSI X.12), UNTDI and EDIFACT. ANSI X.12 is the dominant standard in North America and is also widely used in Australia and New Zealand. UNTDI used to dominate in Western Europe, and messages using this syntax are still widely used in the UK as a part of the TRADACOMS message set. However, the only international syntax standard is EDIFACT.
EDIFACT was born in 1985 as a merge between the best features of UNTDI and ANSI X.12 and out of recognition that in the world of commerce, transportation and administration there could no longer be national or regional syntax standards. In fact, no new messages will be developed using ANSI X.12 after 1995 and in many industry sectors, such as insurance, travel and leisure, statistics, health and social administration, the only syntax standard used is EDIFACT. CEN will start to adopt chosen EDIFACT messages as the European standard from this year.
An EDI standard comprises the syntax, the message design rules (i.e. the technical rules which must be followed when designing a message) and the directories (i.e. the messages themselves and the building blocks of the messages: segments, data elements and codes).
20. In nature, it is the parasite that benefits from its relationship with the host. However, in the present paradigm of the Net, it is the host who is placed in the position of power to extract disproportionate benefit from the "client" - an interesting case of reverse parasitism. The paradigm becomes even more curious due to the fact that it has yet to generate profits on the Internet for many of the hosts. Perhaps it is time to reconsider the paradigm, especially since a primary impediment to E-commerce is the fear that personal information and resources will be misappropriated and misused.
21. RFC 2116: X.500 Implementations Catalog-96 (Apple and Rossen) lists X.500 implementations based on the results of data collection via a Web page that enabled implementors to submit new or updated descriptions, including commercial products and openly available offerings. RFC 2116 revised RFC 1632, which revised RFC 1292.
22. Woodward (1998) suggests that Congress should encourage biometric applications by mandating the adoption of a biometric blueprint based on a Code of Fair Information Practices (CFIP) embodying five basic principles:
2. Access: The individual (or data subject) has the right to access his information in the database. Specifically, the individual must be able to find out if his biometric identification information is in the database and how it is being used by the data collector. Accordingly, the data collector would be required to disclose its privacy practices.
3. Correction Mechanism: The individual must be able to correct or make changes to any biometric identification information in the database. As one of the technical advantages of biometrics is that they are based on physical characteristics or personal traits which rarely change over time, this principle would likely not be called into play too often.
4. Informed Consent: Before any information can be disclosed to third parties, the individual must consent. The individual must voluntarily and knowingly provide his biometric identification information to the data collector in the primary market. Once in the possession of the data collector, this information would then be governed by a use limitation principle. This means that the individual has consented that the information she provided would be used in the primary market for a purpose defined by the data collector and known to the individual. The individual must knowingly consent to any exchange, such as buying and selling of his biometric identification information, before it could be traded in a secondary market. Reasonable exceptions can be accommodated as appropriate for academic research and law enforcement, for example.
5. Reliability & Safeguarding: The organization responsible for the database must guarantee the reliability of the data and safeguard the information. Any data collector that collects and stores biometric identification information must guarantee the reliability of the data for its intended use and must take precautions to safeguard the data. At its most basic level, appropriate managerial and technical controls must be used to protect the confidentiality and integrity of the information. The controls would include making the database and the computer system physically secure. Data collectors should explore the option of encrypting the biometric data to help further safeguard the information from disclosure. Perhaps, policymakers should consider providing criminal sanctions for willful disclosures, or consider providing for the recovery of civil damages when biometric identification information is disclosed without the consent of the individual.
The value that folks like you might be able to add is the evaluation of the *tools* by which that proposition might best be served. If X.500 might be a worthy vehicle for the assimilation and sharing of personal data in a controlled and secure fashion, consumers may not be smart or grateful enough to compensate you directly. However, perhaps some of your corporate customers might see the wisdom of rewarding you for advice that enlightens them to the vast untapped market potential of the concept.
(In a "winner-take-all society," he who first assumes the role of the intersecting entity in the M:N relationship between consumers and vendors will be well positioned to "cross the chasm" and may be handsomely rewarded for it.)
Value to consumers -- What a concept!
25. In an E-mail exchange dated April 18, 1999, Lorrie Faith Cranor indicated that P3P probably does not have any relationship to telephony "as it is being designed specifically for use with the HTTP protocol." She noted:
27. Norman outlines seven POET principles, the last of which is particularly pertinent to this discussion:
28. Unfortunately, the use of phone numbers and addresses as aliases for people is no longer merely a matter of efficiency with respect to database administration. To an increasing degree, anonymity seems to be a matter of personal security for government officials - not only in terms of personal identification but perhaps even more importantly in terms of location. From a strategic standpoint, it may no longer make sense to mass government workers in huge monuments to politicians. Indeed, ultimately, it may no longer make sense to concentrate power in political oligarchies at all. It is far beyond the scope of this discourse to delineate much less fully explore the logical implications of such a line of thought. However, it is not difficult to imagine a future in which far more than personal IDs and "data elements" are effectively and efficiently represented in a standards-based, worldwide "directory" ... a future in which organizational conformance to the technical standard frees and empowers personal self-expression ... a future in which personal beliefs, preferences, and objectives could be far more productively supported in alliances facilitated by digital means, rather than by firearms, bombs, and other means of "mass" destruction ... or, for that matter, even elections ... which effectively glorify a few, often if not always, directly and indirectly, at the expense of the many.
29. With reference to workflow automation, some people are beginning to realize that it may not make sense to mix up their E-mail with their "work". Discussion of the appropriate use of E-mail versus electronic document/records management (EDMS/ERMS) technology is beyond the scope of this discourse. Interested readers are invited to refer to the author's home page for further discussion of that topic, at http://www.erols.com/ambur. Suffice it to say, "E-mail is a stage of immaturity through which we must pass."
30. The use of non-automated means (e.g., regular mail, paper forms, etc.) to populate a person's record in the directory simply would mean that either they would need to pay or someone else would have to assume the expense of entering and maintaining their data for them. For those who are unequipped or for any reason prefer not to maintain their own data, the role of intermediaries - including non-profit, public interest groups - would be highly appropriate. Indeed, to the degree that substantial public expense could be offset, it would even be justifiable to devote tax dollars to establishing the directory.
31. In terms of direct service offerings, this does not appear to differ substantially from the early vendors of digital persona services. However, what seems to be lacking is a commitment to the use of an open-system standard, whereby individuals truly can "own" their own data and not be bound to any particular vendor. To the degree that current offerings are based upon "proprietary" requirements, they are creating a needless impediment to customer "acquisition" even as they perform a disservice to the customers they do attract.
32. Frank and Cook (p. 123) observe:
33. McCarthy (1999) reports that Senator Murkowski has introduced the Inbox Privacy Act, which would force E-mail marketers to identify themselves by making it illegal to hide behind false addresses. Junk E-mailers would be required to honor requests to be removed from mailing lists and would have to "submit to electronic stop signs put up by Internet domain owners to block unwanted solicitations."
34. At its Brainshare conference, Novell (1999, March 22) announced that Citigroup and FirstUSA are partnering with Novell to create secure ID solutions for the Internet.