Schemers, Scammers and Blasted Spammers: Where the Web’s Reputation Is at Risk: Transcript of Panel at “Trust or Consequence: The Web’s Reputation at Risk”

Panelists:

  • Joseph Turow, Robert Louis Shayon Professor of Communication,The Annenberg School for Communication, University of Pennsylvania
  • Eileen Harrington, Deputy Director, U.S. Federal Trade Commission
  • Elizabeth Frazee, Principal, Frazee Associates, representing TRUSTe
  • Mitch Lipka, Staff Writer, Philadelphia Inquirer
  • Steven Salter, Vice President, BBB Online
  • Bob Sullivan, Technology Reporter, MSNBC

Note: This is an edited transcript of the proceedings. 

Joseph Turow: We have a panel that’s called “Schemers, Scammers and Blasted Spammers: Where the Web’s Reputation Is at Risk.” In some ways, this carries over from the talk that Jonathan Zittrain just gave, that I think really set up very well the issue of trust, as did the WebWatch survey, and some of the results.

We have a very distinguished group of people here who approach the issue of the Web and trust in a variety of ways. What I thought I would do first is to ask a basic question of each person, who will introduce her or himself. And that is: Where is the Web’s reputation most at risk? Why? And why should we care? Why should society care?

And so what I’d like to do is first, for about five minutes or so, for each person, go down the line and then perhaps probe a bit and we’ll open it up to discussion. So, Eileen Harrington from the Federal Trade Commission.

Eileen Harrington: Thank you. Well, I am Eileen Harrington, and I’m the deputy director of the Bureau of Consumer Protection at the FTC.

It’s a very interesting question. I guess first of all I need to tell you that the remarks that I make today represent my views, and aren’t necessarily representative of the views of the commission or any individual commissioner.

I would say that the Web’s reputation is most at risk in two different places. One is through sort of hyper-reporting of the risks that are posed online. That is, through exaggerated reporting. And by “reporting,” I’m not speaking of the press necessarily, but just however it is that risks are reported out. I think one real risk to the Web is that its reputation is undermined by exaggerated and inaccurate reporting of the message.

There are absolutely risks in the online environment, as there are in the offline environment. Online risks are different and, in some ways, more pernicious to consumers than some of the offline risks.

But it’s also important, I think, to not overstate particular risks. I was really heartened to see, in the WebWatch survey, for example, reports on improvements in the area of spam. There, technologists have really stepped up and, primarily because of what they have done, consumers are seeing less spam arriving in their in-boxes – although, what’s getting through in some instances is far riskier.

But, a few years ago, there was great alarm and concern voiced all over the place about spam potentially, about the potential that spam presented for completely disabling Internet e-mail. That has not happened.

Instead, increasingly, I think ISPs and consumers and others have come to understand what each group’s role is, and what real steps can be taken by each of these groups to help solve the problem. And I think that is the way that we need to move forward with all of these problems.

That said – so we wouldn’t, at the FTC, want people to be afraid of operating in the online environment. Instead, I think that we would want people to be wary, and to be educated. The area that I see right now, and that we see, I think, as probably presenting the greatest risk is in the malware area. The non-consensual, undisclosed loading, downloading of software that can cause big problems onto people’s machines.

And why should we be concerned about it? For every reason that is described in the article in Consumer Reports. It can basically destroy someone’s hard drive and computer, if it’s really malicious stuff. Some malware can result in identity theft, and all sorts of other bad things happening, including people’s computer’s being turned into spamming machines without them knowing about it.

So that’s the area, I think, that presents the greatest risk right now. And I think why we should care about it is fairly obvious.

Joseph Turow: Thank you.

Elizabeth Frazee: Hi, everybody. I’m Elizabeth Frazee; I’m representing TRUSTe today. And for those of you who aren’t familiar with TRUSTe, we’re the leading online privacy non-profit organization enabling trust based on privacy for personal information on the Internet. Most of you are probably very familiar with our brand, the TRUSTe logo on this report we recently published. To get right to the point on Joe’s question, what we see as the biggest threat to the Internet.

We agree that malware is a problem. But we also think that phishing and the resulting identity theft poses one of the biggest problems online for consumers and for businesses as well. When, as the Consumer Reports WebWatch report says, 88% of people responding say that keeping personal information safe and secure is very important for a Web site they visit. Well, if they’re being phished, they may think that the practices on the Web site are good, because they’re trusting that brand they’re going to. Yet, they aren’t, and their ID, their identity could be stolen.

Going to what Eileen also said about the exaggeration of the risks to the Internet, I have some statistics here that I think are pretty interesting, and which have been published recently. Twenty-six percent of identity theft results from information being stolen by friends and relatives. Twenty-nine percent results from stolen or lost wallets, checkbooks and purses – so traditional identity theft. And 2.2% of identity theft results from viruses or hackers. So while we talk a lot about the risks, and they are great, we need to keep them in perspective.

Why should society care? When $53 billion of losses occurred to Americans because of identity theft each year, that’s a reason to care. But, again, let’s keep in perspective that 2.2% of that is resulting from online identity theft.

What TRUSTe is doing is enabling businesses to have best privacy practices. We recently released a report, “How Not to Look Like A Phish” for businesses, that give businesses guidelines on what to follow, what to do, what not to do, in order for their Web sites to be phished. We think it’s really important to arm those companies that want to do the right thing. And there are a lot of those companies out there – all of TRUSTe’s licensees.

It’s very important to arm them with the tools that they need and then, in conjunction with that, consumer education is important. And that’s why we’re so happy about the FTC recently released Web site, OnGuardOnLine. Eileen’s got some information for you on that.

Eileen Harrington: We’ll talk about it later. Brochures for all.

Elizabeth Frazee: I think that sums it up, Joe.

Joseph Turow: Thank you.

Mitch Lipka: Hi, my name is Mitch Lipka. I’m a reporter with the Philadelphia Inquirer. If you could bear with me, I’m not going to get right to the point. I’d like to tell you a little story. It’s about something that I found in South Florida, and then we’ll figure out later what this all, how this all comes back to the question.

One of the most popular scams down there – and, mind you, that is like what I consider the Scam Capital of America – was the moving industry. And they used to get their customers through Yellow Pages ads. So it was a pretty simple thing. They had a nice-looking ad, and people would call the phone numbers, and they would get these ridiculously low prices. And they would find out later that that did not include such extras as the actual moving guys. That it didn’t include the furniture you forgot to mention that you had. Stair charges if they had stairs. Elevator charges if there was an elevator. And it was really only limited by the mover’s imagination and chutzpah. Pretty much anything they dreamed up would be added on to the bill.

In the end, this cheap mover’s price would be tripled, quadrupled, or even more than that, than the original estimate. Quite a bit more than if you actually used the brand-name mover that you decided not to use because they were too expensive. In the end, they would take your furniture if you didn’t pay them right then in cash. They would just drive away with everything. Until you cleared the money with them, your stuff stayed on the truck, locked up.

And it was really quite a racket. So how does this connect back to what we’re all talking about? For years, the complaints would come from these people who either moved within that area or to or from the area, because these were really nickel and dime guys. And then suddenly these phone calls started coming from people in California and Ohio and New Jersey, about the same moving companies. These little operations of like two and three people.

What had happened was, they’d figured out that, instead of using the Yellow Pages, they made a Web site. And the Web site didn’t say that they were some nickel and dime mover in South Florida. It just showed a picture of a brand-new moving truck, a big tractor trailer – these guys didn’t own any tractor trailers – where they digitally put the name of the company onto the truck and it looked like a big moving company.

And so they coupled that with creating these Web-based brokerages, where they would actually bid against themselves for jobs. So it would be like: “Oh, I want to get the best price. Look, there are 10 movers bidding here for my work.” And it was just the same guy with 10 different names, and you go: “Wow. This guy was looking for $3,000; I could get it for $800 from this guy.” They’re all the same guy.

So this kept going. And they realized also that by taking you across the state line, all the rules changed. The local authorities were getting more aggressive, because it was becoming such a PR nightmare to have these bad movers there. So once they crossed the state line, all bets were off. And the state regulators had nothing to do with it any longer, and the federal regulators weren’t so interested in an $800 move unless you – eventually the FBI got involved when it was like hundreds and hundreds of moves, but it really took getting to that level.

Basically the bottom line is that by creating these professional looking Web sites and aggressively marketing themselves, they had this potentially limitless pool of victims. Instead of just the same people in the neighborhood, it was the entire country. And it’s this really unfiltered – there’s no way to protect yourself against it except for being smart, and using simple things like checking out who are these guys? And do they have a track record? Are there any complaints against them?

There are so many places now that you can check these things, but for some reason people are so seduced by getting something for less that, as advanced as we are and as much information is out there, people still keep falling for it. It never, it just never ceases to amaze me that people will go for the same old shtick time after time after time.

So why should we care? Because there are a lot of people out there who are vulnerable, whether they be senior citizens or people who are just not as resourceful. And I just think there needs to be some more attention paid to how do you not just educate people, but put a stop to these guys who are these repeat offenders.

And that’s my story for today. So, thank you.

Steve Salter: I’m Steve Salter. I am the vice president of BBB Online, and that’s a division of the Better Business Bureau system, a program of the Better Business Bureau.

So I guess when it comes to checking the backgrounds of companies, we’re certainly in the middle of that mix as much as anyone. We’ve got one Web site at bbb.org, where you can go look up any company in the U.S. or Canada on which we have a record – about three million companies there. So that’s a resource.

But the BBB Online piece is – and on bbb.org, it’s the good, the bad and the ugly. Scams, members of Better Business Bureaus, long-term established companies, anybody on whom we have a report. On BBB Online, what we try to do is identify good businesses with a positive track record that have good business practices on their sites. We’ve got a little short of 25,000 Web sites identified there.

The upshot of that is that what we do throughout the Bureau’s system every day is review Web sites for good business practices, similar to a lot of the contents of the pledge that was handed out in your package this morning, the Consumer Reports WebWatch pledge, have a lot of elements that we had in a code of online business practices.

So I thought it would be best for me to sort of share some of our experience, and what are we seeing. Sort of the good, the bad and the ugly. I would certainly agree that – in fact, I’ve felt for years that commercial Web sites are not the biggest problem or challenge that consumers face. It’s what comes in to them through e-mail.

Typically, with the exception of phishing, which is a big exception, if you’re going shopping on a Web site, you go out and find the one that you want. You can find a trusted brand that way or someone you know, and you can take your time and check out their background. Get a BBB report or some other report on them, and get a feel for their site.

With the stuff that comes in to e-mail, it’s temptation put right in front of the consumer to pull them to a site that they may or may not know anything about. In fact, the e-mail itself may have a lot of content, including the really bad stuff like spyware and malware that can destroy your computer altogether.

So I’ve long viewed e-mail as a bigger problem than commercial Web-sites. But from our experience with commercial Web sites, my really bugaboo, my pet peeve, is sites that sell supplements, whether herbal or otherwise. They typically sell vitamins. A lot of times they sell stuff that looks like it bumps right up against steroids. I don’t know where the bright line is of what’s legal and what’s not legal, and what are steroids and what’s not. But there are all these sorts of products still being sold out there.

One of the things that we look at in the Better Business Bureau, really our history is about truth and accuracy of advertising. And these sites are the worst, for having advertising claims that are almost impossible to substantiate. These are the same sorts of products sometimes that you see advertised in e-mail that will help your body do all kinds of miraculous things it hasn’t done for the last 50 years. You can grow your hair back, you get stronger, you lose weight. All those great things are out there on the Web. So when it comes to commercial Web sites, those are the biggest problem that I see.

But, they are not by any stretch the biggest problem that consumers face. I would want to acknowledge, certainly, identity theft as the big issue that we’re all fighting with right now. But I would focus on a subset of that that really kind of blossomed this summer, again, and it is more traditional kinds of fraud that are as common offline as they are online. And by that I mean misuse of credit cards, of course, but trickery like the old Nigerian letter scam, where people get sucked into buying something through a false offer.

Typically what we’ve found on the Web is that, through either auction sites, classified listings or other sorts of person-to-person sales – not merchant to consumer, but person to person. An offer is made, perhaps a car or some big-ticket item like that is put up for sale at a very reasonable price, with glowing reviews around it. And so someone will bid on it. And then the phish has been hooked at that level. Once somebody says, “Yeah, I’m interested; I want to buy,” the scammer goes into overdrive trying to get that person to send money, often to wire it – which any of the auction sites will tell you not to do – or to send some chunk of money outside of the country as a down payment. And they’ve got all kinds of good reasons why this is a good car, and so forth and so on. Lot of blandishments to bring the sucker along.

We really saw an explosion of those types of scams running this summer, through online classified ads, online auction sites. And that just, along with a variety of other related kinds of scams, that seems to have blown up again. Of course, the Internet makes that oh so easy to do. You can reach a lot of victims that way.

So I just want to highlight traditional fraud kind of as a subset of identity theft. Because once you do send that money overseas, certainly you’re never going to see it again. It’s big-ticket items, it’s a big chunk of money, and that can really put a consumer off shopping online, probably on a permanent basis.

Bob Sullivan: Hi, I’m Bob Sullivan. I’m a technology reporter for MSNBC. I’ve been writing about Internet scams for about eight years, and last year I had a book come out called Your Evil Twin: Behind the Identity Theft Epidemic. And, a shameless plug, I think there are copies of it somewhere around this building today. I think they’re going at a fire sale.

Which is an interesting part of our conversation, because what I have seen in the last 12 months in particular is a lot of debate about how bad identity theft is, with a corresponding conversation, “Well, what is identity theft?” There’s a lot of credit card fraud, but that’s not really identity theft. And there’s a lot of data that gets stolen, but that’s not really the cause of identity theft.

So I’ll get to that in a minute, but first I want to ask a question, and thank all of you for your patience listening to all of us in a line like that. I know that that’s difficult. It’s the end of October, which for me and probably a lot of you out there, means Oh, no! I haven’t bought my tickets home for Christmas yet! I’ve got to rush to Expedia and see if there’s any discounts left. I live in Seattle; I was born in New Jersey. How many people will be flying somewhere for Christmas? Wow, a lot of you stay here. You’re lucky.

Now, I should have bought my tickets in about June, right? I do this every year, because I’m never quite sure of my plans. But we all know that there is one day somewhere in August, August 7th, perhaps, where for some reason the airlines deeply discount their plane tickets for this time of the year. And if you get one of those three seats, you’re in the money. I’ve flown home for as little as $175 for Christmas, and as much as $600, depending on when I buy my ticket.

Now, I would love if I could get Expedia or Travelocity or one of these companies to reliably send me an e-mail when that date comes. And maybe they can actually do that. I know I’ve tried to sign up for something like that. It has never worked.

But, more importantly, if they did it, consumers would ignore those e-mails now. The problem of phishing, in addition to all this identity theft, is that it has killed that line of communication between companies and consumers. And that’s a shame for everyone. That’s a shame for businesses, which now have to engage in much more expensive ways to stay in touch with their consumers. And it’s a shame for me, because I sure would like that email. It would save me a couple of hundred dollars.

So the hidden cost of the phishing epidemic and a lot of these other scams that we’re talking about, and why we should all be concerned, is because it really is eroding some of the capabilities of the Internet.

I’ll be honest with you, even though it’s clearly in the interests of me selling books to have this be a terrible problem and have people be leaving the Internet in droves, and to have 25% of people not shopping online as a result of all this crisis, I’m skeptical of that number that we heard this morning. I believe, in answer to a poll question, people would say that they’ve stopped shopping online. But their behavior doesn’t indicate that. All of the metrics show that shopping online is actually on the rise.

I suspect that number indicates something else, though. It certainly indicates really hefty concerns about shopping online. And I think it indicates concerns about things like e-mails that they get from retailers and other kinds of communication. And I think that’s the real shame, that the capabilities of what we can do are being narrowed. So now, for example, we know from a lot of studies that people will shop only at brands they know. They won’t go to small Web sites anymore and buy things.

That’s another big shame. The promise of the Internet was that Mom and Pop stores — not Mom and Pop scam artists — Mom and Pop stores could compete with IBM. I remember that IBM commercial about nuns in Europe selling their jam. We don’t do that anymore. Again, because I think the possibilities have been narrowed. That, I think, is the reason why we should all be concerned, because while we’re still shopping on Amazon, we’re not shopping at the bookstore down the street anymore, and that’s too bad.

Let me just say a couple of other things, and then we can get into some questions, hopefully. I got a phone call on February 14th of this year from a woman in California who somehow had found me on Google. And she said, “I have this letter from a company named ChoicePoint. I’ve never heard of them, but it says – I don’t get it. It says they lost my data, and we’re sorry. Do you know what this is, Bob?”

And, fortunately, I’d been writing about this area for a while, and I’d been covering the California disclosure law, so I sensed the language of the letter, and I right away called ChoicePoint. And the public relations folks at ChoicePoint said, “Oh, yeah, we had a couple of people. We had an incident involving a few people in California. But it’s very small, and it’s taken care of.” So, how many people? “Well, we’ll get back to you.” So he comes back in a couple of hours and he says, “Okay, 35,000 people. Which is a small number, considering California’s a big state. But it’s only in California. We had somebody pretend to be a business, who was a legitimate right-holder to access our files. But they were in California, and they only downloaded records from people who live in California.”

Now, I’ve been working on the Microsoft campus for eight years, so I’ve absorbed a little bit of how databases work. And there’s nobody who accesses that thin a slice of data when they’re stealing it. That’s kind of like sorting through the jewels and only taking the rubies and leaving the rest of them in the jewelry box.

So I challenged them on that. And I’ve never done this as a reporter before, but I said to the ChoicePoint PR guy, James Lee, I said, “I’m going to write the story, and I’m going to say that the criminal only stole data from California, and you’re going to look dumb. Are you sure you want to do that?”

And he said, “Yes.” So I did it. And we had a couple of experts underneath saying that that was very unlikely. And then, about 48 hours later, they suddenly discovered that another 140,000 people around the country had also had their records stolen.

Now, I tell the story because that was the incident that began what some have called “the orgy of disclosure.” For the next six months or so we saw, depending on how you count, some 40 million Americans were told in one way or another that their data had been accessed or stolen, or might have been accessed by someone, we’re not sure.

And the latest study I read last week from the Ponemon Institute said that 1 in 10 adult Americans received a letter like this in the past 12 months. I would venture to guess that none of them knew actually what to do in response to this letter. And the point has been made very well here this morning that, despite all of that talk, rarely is that the cause of identity theft. Only 2% of the time is stolen data the beginning of identity theft.

So what’s unfortunate about all of that is, it’s created a lot of confusion in the minds of consumers, who are just sort of hunkered down now. Because these letters basically say: “We’re sorry, we lost your data. Good luck.” But the other side of that issue, which I don’t want to get lost, partly because I think that identity theft is as important an issue as all this noise makes it out to be. I just think we’re discussing some of the wrong things.

Because while the identity theft may not start online, it often finishes online. So the data might have been stolen by a relative, as happened to a colleague of mine at MSNBC, but that relative is going to go online and order phone service, something they would never do in person, because they would be liable to criminal acts.

So I’m glad we’re talking about this issue, I’m glad there’s this much noise about it. Now, hopefully we can hone in on the right issues. Thank you.

Joseph Turow: Thank you. Before opening up, I hope you don’t mind me putting my own two cents in about this. When I’m thinking about where the Web’s reputation is most in risk, I agree with everything everybody said, and I knew I’d have to say something a little bit off topic, because these are the key issues.

But I really think, too, that it’s the feeling that people have that something is going on behind the screen, behind what they know, what they see, and they have no control over it. We’ve done research at the Annenberg Public Policy Center that shows that people understand that they’re being tracked. They know that. They’ve heard about cookies already, a lot of them. A little over 50% know how to get rid of them and say they do.

But if you begin to ask in more detail what happens – do they understand data mining? – not using these terms, but using questions about it. Do they know particulars about how money can be exchanged on the Web? Is price discrimination legal or illegal? People are clueless.

And they’re very nervous, and they don’t trust institutions. And they really – for example, we found, and this parallels some research that we’ve done that we found a couple of years ago – 75% of people who’ve been on the Web in the last 30 days, adults 18 and over, 1,500 people in national survey – 75% of these people agreed that when a Web site has a privacy policy, it means it won’t share its information with any company or person. Okay? And when we reported this, and when I talked to reporters about this, reporters are surprised that that’s not true. So we have all these true/false things.

The other thing I wanted to add to this, too, and this fear, is that it’s not just the small companies. I believe, and I think there’s evidence for this, that fear is being calibrated purposefully on the Web, online and offline, by some of the biggest companies. Partly in order to get people to give or not give their information selectively, so that essentially we’re in a personalization world. Increasingly companies want you to give them your information. They don’t want to steal your privacy. They want it to be legally taken in the way that norms are developing. But they want information from you.

And as a result, they will provide inducements to get that information, which in large part mean that if you don’t give them that information, you’re not going to be in touch with the best discounts. You’re not going to be part of the elite. You’re not going to be the Chosen People. Now, if we move into an era of this kind of niche-personalized marketing, we have a situation where people know that they’re giving their data. But they’re really never sure what it’s going to be used for.

They worry about what I’m increasingly calling niche envy. “Is somebody near me getting better discounts than I am because I gave less good information than somebody else? How do I give the right information to the right people?”

This creates a social comparison process in society that goes beyond keeping up with the Joneses. It’s a new kind of sociology that I think we have to worry about, that is far more than individual scams – not to take anything away – and relates to some extent to fear about sort of privacy infringement and the consequences of that, but makes it legitimate, and at the same time scares people in order to get their information, in order to create worlds around them, so that they can be part of the Chosen People. So I worry about that kind of legitimate taking of information, and what that means for society.

Now, one of the things that becomes the hard issue here is what do we do about it? And I heard a number of people say that education is the answer. Getting people to learn. And what I’d like to ask you guys – because I would love to believe that. In my reports I’ve often said: Education. We have to teach people. And I do believe if you look at consumer education in the United States, it almost doesn’t exist. In elementary schools, in high schools, and certainly Web-related education, the two can be combined terrifically.

But if you look at what people know, given that the Web is at least 10 years old now, how do we really encourage people to do the kinds of things that you’re talking about? To go after the knowledge that they ought to go after? Anybody want to – ? Maybe, since you have a brochure, you can start.

Eileen Harrington: Well, this is a rather low-tech publication about an excellent resource that we would invite you to join with many in making available to everyone who is in your orbit.

The OnGuardOnline Web site was launched earlier this month. It is sponsored by a broad consortium of government, private sector and nonprofit organizations. It is an excellent resource for teaching people what they need to know about safe computing practices, seven basic steps.

We would invite you to, as many organizations have, including AOL on its homepage for a time, put a link right there to OnGuardOnline. It’s a wonderful site that has rich information, but it’s fun. It’s a really well-done product to teach people what they need to look out for to avoid being victimized by phishing. How to make sure that they have good anti-virus software, and that they are updating it, and so on and so forth.

We can use the technology as well as lower tech to educate people. We think, at the FTC, that education is key. But also, the technology itself is key.

We have seen tremendous advances in just two years in the spam arena. Filtering has gotten much better. The Consumer Reports article talks about improvements in the technology that keep dangerous and not so dangerous spam out of consumers’ inboxes. So the technology itself, we think, needs to be developed, research and development need to be encouraged to prevent some of the very problems that the technology has visited upon us.

And, you know, government has a role, too. I’m not here to say that this is all on consumers’ shoulders and all on technologists’ shoulders. Law enforcement has a key role to play. And in some areas there may be a need for additional laws. But all of these responses together, I think, are the solution. Education alone, very important, but it’s not the only ingredient.

I have brochures for everyone here about OnGuardOnline. And I’ll pass them out at the end, and please promote it.

Joseph Turow: Great, thank you.

Elizabeth Frazee: Just to follow up on what Eileen just said, I love the tagline of the FTC campaign, which is, “Stop. Think. Click.” That really is what we need to teach consumers to do. Before they do anything online, they need to think: Is this the right thing? Could this come back and hurt me in the long run?

In addition to the consumer education, there also needs to be business education. And that really is where we come into play as well as BBB, on helping companies do the right thing, and get information out there to consumers.

TRUSTe and the Ponemon Institute recently issued a report called, “The 2005 Most Trusted Companies for Privacy” study. And when you go down the list of the companies, and the top 20 – I’ll just read the top 10 briefly – they have all engaged in some type of customer outreach to educate them. And they also are following very strict guidelines for how they interact with customers.

I agree with what Bob said earlier. It is a shame that companies now aren’t able to use those things, the marketing tools that we thought were so terrific in the beginning, like e-mail and IM [instant messaging] and pop-ups, because you just can’t trust them anymore. And consumers need to stop, think, and then click when they see any of those types of marketing mediums.

But the top 10 companies are: American Express, Amazon, Procter & Gamble, Hewlett-Packard, eBay, AOL, the U.S. Postal Service, Dell, IBM and Earthlink. All of those companies have engaged in customer education, as well as embracing the right practices out there. So Jennifer is here today with some of our brochures, if anyone cares to have the study.

Bob Sullivan: Talking about consumer education is a double-edged sword to me. I am as big a believer in it as anybody. I like to think that’s what I do with my life, is try to educate consumers.

However, my experience covering the credit card industry, for example, has colored my thoughts this way: I think we often have a dualistic nature to how we look at things. So we believe in educating consumers about good debt habits, but we sure pound them when they run up big credit card debts. And in fact we have this sort of debtors’ prison mentality in our country, where if you have a big credit card debt, it’s your fault. And because it’s your fault, it’s not the credit industry’s fault. I believe if someone runs up a big credit card debt, it is their fault – and it is the credit industry’s fault as well. It can be both.

I think when we talk about consumer education and issues like security and scams, a lot of times it’s an excuse to push off the responsibility by corporate America onto people, and that’s a big mistake. I’ll give you an example: Wireless networks. They are shipped very, very insecurely. Half of people who have wireless networks at their home are broadcasting all of their data to all of their neighbors all of the time.

If these things were shipped securely out of the box, that wouldn’t be. And this has been a pattern with the computer industry for a long time. They’ll go for simplicity and danger over safety, and no one stops them. I just got one of these nifty new pocket PC phones which, among lots of other things, it has wi-fi capability. And every time I drive by a wi-fi signal, it goes ding-ding-ding. I had to turn it off, because it was so darn annoying driving around my neighborhood, because there are hotspots from my neighbors everywhere.

Now, again, consumer education is great. We can teach them all how to turn on WPA encryption. But the truth is, the thing should ship safely, and I think we need to start insisting that companies behave that way.

Mitch Lipka: I have a, just sort of forgetting about the technological things where people can steal from you, and just taking the cynical view on consumer education, is that I think it’s great that there are education Web sites. And we – with every story about a consumer thing, will have a link quite often to the FTC. They have rooms full of brochures that are very, very educational.

But I think people, unfortunately, want to do things quickly, instant gratification, and don’t take the time to look at all the great things that are out there to tell them what not to do. And so they do it over and over and over again.

As much as those of us who write about this stuff would like to believe that anybody actually pays any attention to what it is that we say, I can’t tell you how many times that I’ve written something and say – just use the Nigerian letter as an example as something which just doesn’t ever go away, which shows you how many people really are dumb enough to fall for this thing for I don’t know how many decades. And say: Hey, watch out for this thing, it’s still going on. Just don’t send anybody money out of the country, because there’s something wrong with this thing.

And then two days later, somebody sends you an e-mail that says: “You’ve really got to do something about this. Did you see this thing? I sent them $5,000, and now I’m in a lot of trouble.” It’s like, first it was kind of funny, and now it’s really depressing. And so it’s like you can just keep coming back and warning people over and over and over again, and it still takes some common sense on people’s part.

It would be great if there were more that government and businesses could do to protect people, but it still takes that pause that you want to educate people about.

But back to what Joe said, is there isn’t any education at a younger level. It’s like whatever Mom and Dad taught you, there really ought to be some component that says: Here’s some really basic common sense before you go out, not just on the Internet, but that’s certainly the easiest place to get ripped off these days, and you really do have to stop and think before you start sending your money elsewhere.

Eileen Harrington: But whether it’s experience or the result of personal experience, or educational efforts, there’s good news, I think, about the effects of some educational efforts in the Consumer Reports WebWatch study: Fifty-one percent of all online users are reporting that they’re more careful now when they visit Web sites; 38 percent said they download free programs less frequently.

Somehow they’re getting information. Again, whether it’s empirical or something that they’ve read or heard. But they’re getting some information that’s changing behavior, and that’s – I’m encouraged by that. We’re moving in the right direction.

It’s not the only solution. Absolutely not the only solution. If people are waiting for law enforcers at the state or federal level to fix their problems, if they fall victim to any of these scams or particular kinds of frauds, they’re going to be waiting a long time. Some law enforcement will be effective at redressing the injury that consumers have suffered. But much of it won’t be, depending on the kind of area that we’re talking about, because a lot of the kinds of scamsters that you’re talking about – not the moving ones, but others – just aren’t here, they’re not in the United States. Wo finding and then bringing to justice people who are outside of our borders is very difficult, if not impossible.

But on some of the other kinds of risk areas that you were talking about, Bob, in the data security area, there absolutely are remedies that can be obtained through law enforcement, and they will be.

The FTC has already brought one case using its unfairness authority in the B.J.’s Warehouse case, where we’ve challenged a company for failing to take reasonable and adequate measures to protect security. And I can assure you there will be more enforcement actions like that, in terms of these large breaches.

So, really, I think it depends on the problem, the specific problem, in terms of how much we can expect that education can change behavior, and that changed behavior can inoculate consumers. We need to take kind of an issue by issue approach, I think, and have a multifaceted response, not just education. But start with education.

Steve Salter: And there’s clearly beauty in the strength of the Internet to educate. If anything, Eileen undersells this site. Don’t just look at the brochure. You’ve got to go to the site to take quizzes and play the games that are there. They’re real interactive. They’re really cool.

But just as an example of the ability to push out and sort of ripple out through viral campaigns, shortly after the site went up, we sent out through the BBB Online newsletter – which goes to about 43,000 small businesses – an article about it, including a banner that they could put on their Web site to link people back to the FTC site. So you can very quickly get good information out there. And I think it’s true that the survey results are encouraging, where people say they are looking more at privacy notices, etc.

You can either read those as increased mistrust of the Web, or you can say that for those of us sitting up here, they’re doing what we’ve been asking them to do all along. Check businesses out, look at their backgrounds. Don’t just blindly trust, but verify first. The challenge, though – and there was some talk this morning about sort of a master non-profit that would be the setter of standards and the quarantine officer and so forth.

All of us non-profits are resource challenged. We don’t have a lot of money to advertise. And somebody asked: How come online seal programs aren’t better known and respected? Certainly resources are part of that.

So we in turn need help from others to get the word out about the value of checking the background of a company, the various educational components that are out there.

Joseph Turow: Thank you. Let’s open it up. Does anybody have any questions or comments or –?

Male Speaker: Just to talk about what Elizabeth shared with us concerning the sources of ID theft. I’m not an expert on this, but I think you’re referring to the Javelin study.

Elizabeth Frazee: Yes.

Male Speaker: If you look at, and I think it’s important because it gets to this issue of how much responsibility consumers have versus how much technology and businesses have. When I read this study initially, or looked at the questions upon which it was based, all the data that gets reported in the media is based on the question, “If you knew how identity theft occurred, how do you think it happened?” And that was about half of the people. The other half didn’t even know how it happened.

My guess is that the people who don’t have any idea how it happened, a larger percent than 2% happened online. That’s a guess.

But these numbers tend to take on a life of their own very quickly, and nobody qualifies them by saying: This is only based on the half of the sample of those who knew how it happened. So if your sister or your babysitter was the source of the identity theft, you’re more likely to know that than if you have no idea how it ever happened.

So I think we just have to be careful to make these quick assumptions that the Internet has nothing to do with identity theft. That only 2% does. It may be higher. It may be higher.

Elizabeth Frazee: I think that’s a great point. Or it may not be higher. We don’t know from the Javelin study how many of those people had recently been online. So it all has to be qualified.

Male Speaker: Elizabeth, you mentioned earlier approximately six organizations that did a lot of work in educating the consumer as regarding using Web sites, the Internet, and particularly their sites. I wish – would you say that eBay is probably one of them, in terms of money, we’re talking billions of dollars. Is that a reasonable thing to say?

Elizabeth Frazee: I don’t know what eBay’s revenues are, but –

Male Speaker: My point is that I wish somehow or other the government would get involved in requiring some of these vendors – eBay specifically. They educate their consumers, and they tell them how to shop and how to sign up, and how to sign the disclaimer forms that protect eBay. But the fraud transactions that go on on eBay, the misrepresented items that are sold to unsuspecting buyers.

I crack the joke that I’m the dog poop police of my homeowners’ association. You have to pick up after your dog. And on the Internet, when I see a fraud transaction going on, in a number of categories. For example, glass or clocks that are made in China, that are represented to be turn of the century clocks. And unsuspecting consumers buy these things, to find out that they bought something that isn’t what it’s represented. EBay won’t do zilch to help that consumer, because they’ve already signed off; they’re not responsible.

I don’t know how that gets under control. But the old saying caveat emptor, let the buyer damn well beware.

Elizabeth Frazee: I wish somebody from eBay was sitting up here to answer your question, because I certainly can’t. However, I will qualify the TRUSTe Ponemon study by saying that 7,000 respondents were surveyed. And of those, the answers that came in, eBay was number 5 in the response Most Trusted Company.

Male Speaker: Wow.

Eileen Harrington: I don’t want to be an apologist for eBay, but when we think about – if you compare eBay and online auction sites with classified ad sections in newspapers, eBay is all over fraud on their site, compared to what newspaper publishers do. EBay has a very tough fraud prevention and security department. They take sellers off of eBay all the time. And I don’t think it’s the case that eBay will take no action if a buyer is scammed.

Now, if you’re talking about something that falls below the level of fraud on the eBay site, so that the goods or services that are delivered aren’t exactly what is represented, then eBay’s fraud department is in a position of trying to make a determination about how grave the disparity is. And I’m sure that there are unsatisfied buyers who are buying clocks that are represented as being made in England but they’re made in China, or whatever the deal is. And probably on those kinds of sort of credence and qualitative claims, their fraud department is not in a position to make those evaluations.

But when people buy something, when they send their money and they never get anything, that seller is knocked off of eBay. When – and they do a pretty good job of investigating and running down sellers. Certainly, compared to the, for example, the newspaper classified advertising environment, where newspapers do nothing when a classified ad is run for a product that is never delivered, I think actually eBay stacks up reasonably well. Not perfect, by any stretch.

But I’ve been dealing with them for years on the problem of auction fraud, and have found that eBay, out of enlightened self-interest, they’re interested in protecting their brand and not having people afraid to come onto their site for fear of getting scammed. I think that they’ve been pretty aggressive, actually.

Male Speaker: Can I have a follow up?

Eileen Harrington: Absolutely.

Male Speaker: What happens is that, for a specific example, a piece is represented as L.C. Tiffany. And it’s a forgery. It’s done in Savannah, Georgia, and it’s a forgery. And the vendor gets away with it by saying “signed L.C. Tiffany.”

And the unsuspecting buyer buys it thinking, “God, look what I got! I’ve got a genuine L.C. Tiffany piece,” and eBay will do nothing. Their bureaucracy is 10 times as bad as anything the federal government does. They will e-mail you and send you back stuff, back and forth and back and forth. Nothing gets done.

Eileen Harrington: That’s a tough problem in any marketplace, whether it’s on the street corner right up the block here, involving the sale of knockoff items, or online, or – that’s a tough problem that no one seems to be able to solve efficiently for consumers.

Bob Sullivan: You know, I’ve been writing about eBay fraud for years. And eBay is a special case, I think. I mean, I have to say plenty of the consumers who write to me would not agree that eBay is doing a great job of dealing with fraud. I know they have a big fraud staff. I know people who work there. And they have been beefing it up over the years.

But enlightened self-interest is an interesting way to put it. That is the standard right now. We leave to market forces the fraud patrol at something like eBay, which is not a flea market, or it’s not the guy on the street corner. EBay is – exaggeration to make my point – almost a utility on the Internet. If you want the best price to bid for something online, you’ve got to use eBay. And we leave it to eBay’s balance sheet to decide how much money they should spend on protecting us from fraud. Which obviously, shareholders interests are different from the consumers’ interests, when it comes to that.

And I am concerned about how much money eBay spends protecting people from fraud, and I am concerned with how easy it is for people to commit fraud across the world, as opposed to just on the street corner, on eBay.

Male Speaker: I’ve got a question related to the pledge and the privacy policy and things like that. In reviewing it, it makes companies take a pledge of allegiance and say, “We’re going to do the right thing, and we’re going to make sure we don’t do the things that you don’t want us to. Or, if we do, we’re telling you that we’re doing it and you’re accepting our policy.“

But I wonder, maybe it’s directed to the FTC or the BBB, who is actually looking at the mechanisms in place to protect the data they’re storing? Because it’s not a question of the company deciding to give it away. It’s usually a question of someone deciding to send some tapes via UPS when they shouldn’t have done that.

And I wonder why we’re not talking about any of the physical protection issues that go along with doing business electronically. They do it when they do business between themselves and their banks, but they don’t want to do it between themselves and their customers. Or at least that’s my impression.

So I wonder if you’ve got any thoughts on what is the BBB going to be looking into? Are they really following the privacy policies? And, more particularly, are they protecting the data that they’re storing as well as they can? Are they using proper storage protection procedures and policies?

Male Speaker: When you said “the pledge,’ I thought you were talking about the Consumer Reports WebWatch pledge that you –

Male Speaker: Well, it does reference the privacy issue, but it doesn’t talk about [TALKOVER] put in place after [INAUDIBLE] so they can’t get to it.

Steve Salter: Yeah, there’s a privacy – I’ll call it the privacy community, which is a badly overused word, but you get the idea. There are some pretty specific notions about privacy and what that means.

About how policies or notices should be written, about the way they should allow consumers to control data collected by the site, to control outcoming marketing e-mail and that sort of thing – not nearly often enough do those privacy policies, in my view, cross over into security. Which is, I think, what you’re talking about.

Now, I think that the general public probably doesn’t make as clear a distinction between privacy and security. If you say you’re protecting the data, then you’ve got to have, you’ve got to cross that boundary into the security side to protect, lock your server rooms, limit employee access, make sure that the other third parties with whom you’re sharing data have similar protections in place. I think that’s where maybe everybody is falling short at this point on the security side.

The BBB, we actually have two seal programs in BBB Online. One is the BBB Online privacy program, which is similar to TRUSTe, which is a self-regulatory program that asks companies to verify that they have set in place these sorts of standards. And it addresses security to some extent: sharing of data with third parties, protection of servers, and so forth. But it’s voluntary self-regulation.

The payment card industry now has come out with data security standards for merchants who accept credit cards. And I think, frankly, that they’re probably going to have broader reach and better clout in enforcing – well, getting those standards out there; let’s start with that. There are actually about a dozen fairly simple standards that merchants are going to have to come into compliance with, they say, in order to accept Visa cards or MasterCards, etc. So if you want to be a merchant online, you better start to get your act together regarding the protection of data.

There is a big disconnect, though, I can tell you from my experience, between what the Amazons and the eBays and others do in that regard, and the many, many small merchants who are just starting to sell online, because to them it’s like another way of advertising, but they’ve stepped into this arena when they cross over into actually processing transactions online. They have a whole new level of concerns that, frankly, they’re just at the beginning edge of learning about. So this is another piece of education that we’re trying to take on.

We’re actually partnering with a third party to put out, again, business education tips for small businesses, which are primarily the ones that are Better Business Bureau members, to start to get them up to speed. But there’s going to be a big learning curve there, and I think a lot of the folks who pay a lot of attention to identity theft will say that that’s kind of the next frontier. That’s where scammers are going to look next, is the smaller businesses whose databases and Web sites haven’t been hardened yet on those security measures.

Female Speaker: I just wanted to ask a question about seals. That’s one way to get the marketplace working more broadly, if small companies are able to get seals of approval so that consumers can trust in the smaller online companies. And I wondered the extent to which seals are being adopted, especially by small companies, and whether there are any studies about how consumers view those seals. Whether they view them as a promise of trustworthiness by that site.

Steve Salter: A gentleman asked about this in the earlier meeting. How come only 24% of people said that seals are very important to them in determining trustworthiness of the site? And I would point out that the next level of being somewhat concerned, there was another 47%. So, altogether, 71% of people found seals as somewhat valuable in ascertaining the trustworthiness of the site.

I would say online seal programs are dependent on a couple of things. The first and probably foremost is probably consumer name recognition. If consumers don’t – I mean, frankly, for us it’s a little easier. The Better Business Bureau’s been around for 95 years, through no virtue of mine. And people know the name Better Business Bureau. So there’s a general sort of warm fuzzy feeling that goes with it, even if they don’t know the specifics, say, of the code of online business practices and the standards to which we hold companies.

So name recognition is a big, important part of establishing the value of a seal program to consumers. If you don’t have that, you’ve got to build that name recognition from scratch, which takes resources. TrustE has done that in a much shorter period; in the last 10 years or so they’ve built that name recognition. Over the last 10 years or so, there have been a lot of online seals that have started up and then fallen by the wayside.

Ten years ago there were WebWatchdog and Public Eye and other organizations, some of which are still hanging around. But I would say that consumer name recognition and trust in the brand behind the seal is probably the key element.

Elizabeth Frazee: Just to follow up on that, as to the part of your question about the percentages of small business versus larger businesses. I don’t know the exact percentages, but when you consider that thousands of companies have seals on their Web sites, and they’ve complied with either TRUSTe or BBB Online’s requirements for establishing the seal, then a large majority of those are small businesses who realize that the seal is important to them to built that trust, and to have consumers come to their Web site.

In a perfect world, consumers would look for the seal before they do business. And that’s what building the brand is all about. TrustE has been – we launched in 1997. So, almost 10 years, not quite.

Bob Sullivan: Just very quickly, I think seals still don’t have that regard from consumers yet. They don’t say: I won’t shop here because the seal isn’t on here. As a reporter, honestly, I think for credibility purposes, one of the things that the seals could do more of is be critical. One of the reasons Consumer Reports has such a good reputation is because it will say: These products did well, these products did poorly. And that’s something that we don’t see in the world of seals. And, to me, that’s what will bring the seals toward credibility.

Mitch Lipka: Just to ask about the seals themselves in terms of preserving the value of them, a lot of these scam movers I was talking about, they used the BBB seal. So how do you police the seal so that it actually has a value? Because if you looked at that, you’d say: Oh, they’re legit. That’s if you use the seal as your guideline.

Steve Salter: That definitely is a challenge, as scammers do – any one of you can go out, right click on the seal, put it on your Web site, and say that – your system. And they certainly do that.

In fact, one of those guys who was doing one of those auto scans that I talked about earlier, they had it all set up where they claimed to be the Better Business Bureau insurance service. They were the escrow service that was processing payments all under the BBB name.

Funnily enough, you still had to send your money to Greece, but be that as it may –

[End of first tape]

Steve Salter (continued): …seal program, until we can find ways to protect those marks technologically, that’s going to be part of the challenge.

Male Speaker: I think one of the ways to help with that in the next generation of seals we would see would be machine-readable seals. I mean, it’s one thing to put a seal on a box of cereal or a box of whatever, that you can visually look at and make the decision up here.

It’s another thing if a search engine or a filter could actually read those. Because often the way in which people go to Web sites is not through the home page. They don’t scroll down to the bottom to see if there’s a seal. They have a tendency to go into a site at any place.

Now, if there was meta-tagging, if there was a machine-readable code that was related to that seal, which would help also to protect the copyright and so on, which search engines could find and could even bring up at the higher level of the returns.

Yes, you are looking for automobiles, you’re looking for a lawnmower. These are the sites that actually have seals on them. We found those, Google says. I think we’ve got not just more trust. I think there would be much more awareness, and therefore much more willingness to participate in the seal process, and then the consumers get educated as well.