Mr R. Pitofsky
Chairman
Federal Trade Commission
601 Pennsylavia Av NW
Washington DC 20580
February 22, 1999
Dear Sir,
This letter is to ask the Commission to consider action it might take to
prevent Intel's Processor Serial Number (PSN) from severely damaging
consumer privacy and consequently stunting the growth of ecommerce.
Most of the media coverage of this issue has incorrectly reported that
"Intel disabled the feature" or that "the number will be off by default."
Both these statements are false. Intel did not change the chip at all;
they merely decided to change the "control utility" software they will
provide to OEMs (PC manufacturers), which the OEMs may or may not use.
The page of questions and answers on the PSN published on Intel's own web
site on or before 2/3 stated that ``While the processor serial number is
activated in the chip, the default control utility setting will turn the
feature to "OFF." The utility then allows the user to choose whether to
enable the processor serial number feature...'' Nothing there suggested
that this "default off" setting would be anything less than universal.
Yet in a 2/18 Reuters story an Intel official admitted that OEMs will be
shipping PCs with the PSN on (contrary to the statement above) in units
destined for the workplace. So in addition to the statements attributed
by the media to Intel, Intel's own directly published statements have not
accurately reflected the reality of their position. We request that the
Commission consider whether its Section 5 authority regarding false
claims and deceptive practices should be brought to bear on Intel.
Beyond the question of deception is the issue of the harm that will be
caused by Intel's actions, whether misrepresented or not. While the case
against the PSN has been stated in many places (such as
http://www.bigbrotherinside.com) the following argument has been
formulated along lines familiar from other actions taken by the
Commission. In summary we believe that:
1) The PSN is likely to cause substantial harm to consumer privacy
and consequently reduce consumers' participation in ecommerce.
2) This harm will not be easily be avoidable by consumers.
3) The harm will not be outweighed by countervailing benefits.
The following paragraphs expand these three points in turn.
1) The PSN is likely to cause substantial harm to consumer privacy
and consequently reduce consumers' participation in ecommerce.
This assertion is based on the following subassertions.
(a) The PSN will be become a de facto standard Global User Identifier
(GUID).
(b) The GUID will be used by companies in information practices that
are unfair.
(c) Such practices will become known to consumers, some of whom will
avoid participation in ecommerce because they apprehend that their
privacy is at risk by doing so.
(a) The PSN is destined to become a de facto standard Global User
Identifier (GUID) for the Internet, much as the Social Security Number
became the GUID for financial transactions. Intel's stated intention to
add the PSN to their other chips, plus their near-monopoly market share
mean that the PSN feature would be present on the majority of PCs in a
few short years. Although other uniquely identifying numbers have been
available on computer hardware, none has had the ubiquity and
attractiveness of the PSN. Intel has listed copyright protection as one
of the advantages of the PSN, and software publishers are certain to
adopt it for the consumer software market. (In the business software
market, similar mechanisms have been available on expensive workstations
for years.) Any piece of software that requires the PSN for copyright
protection could obviously also use it for other purposes.
(b) The GUID will be used by companies in information practices that are
unfair. The history of cookies has shown that browser manufacturers and
web sites have a mutual commercial interest in tracking and targeting
consumers using mechanisms that are turned on by default. Several
companies have already set up schemes to bypass the limitation of cookies
that each site gets a different cookie, allow the sharing of information
about visitors. Having a PSN provided by the browser to web sites would
allow these extra efforts to be bypassed. Given that the browser market
is a duopoly where both duopolists have a significant consumer ecommerce
operations, those manufacturers have a compelling incentive to make the
PSN available to their own sites and to partners. Beyond browsers, other
software such as mail and chat programs might choose to disclose the PSN,
overtly or covertly. (Intel have already indicated one of the intended
uses is to exclude "rogue users" from chat rooms.) In the current legal
environment where web sites (except those targeted at children) are not
required to abide by any code of fair information practice, and where
information on online behavior is a valuable and salable, the PSN will
inevitably be used in unfair, privacy-invasive practices.
(c) Such practices will become known to consumers, some of whom will
avoid participation in ecommerce because they apprehend that their
privacy is at risk by doing so. Surveys such as the 1998 Harris/Business
Week poll indicate that fear for privacy is the number one reason
consumers give for not going online (ahead of price and usability). The
PSN will move reality much closer to these consumers' worst fears. The
considerable media attention and public discussion of Intel's
announcement reflects the high level of concern over the state of online
privacy.
2) This harm will not be easily be avoidable by consumers.
This point follows from each of two assertions.
(i) Many consumers will not know they are using a PSN-enabled machine,
or will not understand the implications of the PSN for privacy.
(ii) Many will be compelled to disclose their PSN.
The most extreme example of compulsion will occur in machines in the
workplace. Intel have listed asset management as an intended use of the
PSN. To support this, organizational buyers would order PCs from the
manufacturers with the PSN permanently enabled in the BIOS. It could be
argued that employees should have no expectation of privacy at the
workplace, but lunchtime private usage actually raises the level of
Internet activity, and many consumers find the cost of establishing an
Internet connection at home prohibitive, so this group will represent a
substantial number of ecommerce participants. Furthermore, business
routinely dispose of PCs to employees, schools and others for personal
use, and few consumers know how to reconfigure a BIOS.
Even on PCs where use of the PSN is ostensibly optional and opt-in,
experience shows that consumers will be coerced into submitting to the
tracking mechanism. Microsoft for example demands cookies as a
precondition to access to large amounts of technical information, some
essential to performing key tasks. Other sites require cookies or
registration as a condition of entry to the site, or as a condition of
purchase, or a condition of using software. This may be as essential as
the operating system or personal finance software. The putative choice is
often illusory.
Returning to point (i), many consumers will not know they are using a
PSN-enabled machine, or will not understand the implications of the PSN
for privacy. Intel has suggested a small taskbar icon as a visual
indication, but this decision is not even in their hands, and
manufacturers are unlikely to voluntarily place a warning label on their
products that explains the privacy implications of a PSN.
3) The harm will not be outweighed by countervailing benefits. Intel
claims various benefits for the PSN, mostly in improving security.
However as documented on http://www.bigbrotherinside.com mentioned above,
several leading technical experts have stated that as a security
mechanism the PSN is too weak to be very useful. In areas such as asset
management and copyright protection, other mechanisms are already in use
that do not depend on a PSN.
This completes our argument that the PSN is likely to cause substantial
harm which will not be easily be avoidable by consumers, and will not be
outweighed by countervailing benefits.
As you may know, privacy groups have consistently called on Intel to
permanently disable the feature since the day it was announced. Some have
asked Intel to recall all product shipped with the feature. We ask the
Commission to consider what action it might take to reduce the harms to
consumer privacy and ecommerce identified here, including any means to
compel the company to disable the feature and order a recall, whether
directly or through PC manufacturers. We also request that Commission
consider whether its Section 5 authority regarding false claims and
deceptive practices should be brought to bear on Intel. Finally, we
request a meeting with the appropriate staff of the Commission to discuss
this matter.
This letter is not a formal petition and complaint to the Commission, but
such a plea might follow at a later date. The Commission's consideration
of this letter and any response will be very much appreciated.
Very respectfully
Jeffrey Chester
The Center for Media Education
2120 L Street, NW Suite 200
Washington, DC 20037
Russ Smith
Consumer.net
PO Box 44232
Washington, DC 20026-4232
Marc Rotenberg
Electronic Privacy Information Center
666 Pennsylvania Av SE
Washington DC 20003
Jason Catlett
Junkbusters Corp.
P.O. Box 7034
Green Brook NJ 08812
Simon Davies
Privacy International
London (c/o EPIC in USA)
Evan Hendricks
Privacy Times
P.O. Box 21501
Washington, D.C. 20009
Beth Givens
Privacy Rights Clearinghouse
1717 Kettner Ave. Suite 105
San Diego, CA 92101
Robert Bulmash
Private Citizen, Inc.
PO Box 233
Naperville, IL 60566
(Correspondence may be addressed to EPIC,
who will summarize and distribute responses, or to all signatories if desired.)