To Fund Managers 2/28 · To FTC 2/26 · To FTC 2/22 · To OEMs 2/25 · To OEMs 2/22 · (News on Pentium III)
Background on the Pentium III PSN issue is maintained on our News page. The boycott was called off at the end of April 2000.
[Feedback] Letter sent to managers of socially responsible mutual funds 1999/2/28
The following open letter to socially responsible investors was sent to the managers of the funds listed below. [News release] They range in size from approximately $100 million to one billion dollars. They are leading examples of the importance of social investing and shareholder activism. More than $1 trillion in assets are under management in socially and environmentally responsible portfolios, according to a 1997 report by the nonprofit Social Investment Forum. The manager of one of the funds announced 3/1 that they had begun an investigation. We received a similar undertaking in a letter dated March 4 from Citizens Funds. [Mutual Fund Magazine]
1. Calvert Social Equity Fund (A) (CSIEX)
2. Citizens Emerging Growth Fund (WAEGX)
3. Domini Social Equity Fund (DSEFX)
4. Dreyfus Third Century Fund (DRTHX)
5. Parnassus Fund (PARNX)
6. Smith Barney Concert Social Awareness Fund(A) (SSIAX)
We write to alert you to the socially irresponsible actions of Intel Corporation, and to seek your assistance in averting the severe damage to privacy that Intel is willfully attempting to inflict on the public.
You may have read some of many media reports in the past month that Intel's Pentium III chip, which went on sale Friday 2/26, contains a unique identifier called the Processor Serial Number (PSN). Intel intends to make the PSN a de facto ID number for the Internet: they anticipated that it would be disclosed during visits to Web sites for example. The dangers to privacy are similar to those of the Social Security Number, but on an even larger scale due to the speed, richness and pervasiveness of the Internet in our society.
Four days after Intel announced the PSN feature our groups called a consumer boycott of the company, and Intel responded within hours claiming that it would change the chip's identifier from "normally on" to "normally off." In fact they did not change the chip at all; they merely changed their recommendations to PC manufacturers on how the chip is configured by software.
Following the public outcry as news of the feature spread through the mainstream media, most PC manufacturers have chosen a method of turning off the number more strongly than Intel recommended. But technical reports suggest that the PSN can still be turned on against the user's wishes by attacks such as viruses, and some manufacturers may not maintain or even start with a configuration where the PSN is off. In countries with repressive governments, the PSN could be used as a powerful tool of surveillance against their citizens. We and other privacy groups have consistently asked Intel to permanently remove this feature in the chip, but they have refused to do this.
Intel assert that the PSN feature is useful to improve the security of electronic commerce transactions, but technical experts have rebutted this claim. There remains no credible benefit of the PSN feature to consumers, only severe and obvious harms. The main reason for Intel's intransigence is plainly the expense and embarrassment of removing the feature now that it has shipped some chips. A similar situation occurred a few years ago with a bug in the original Pentium chip, and Intel was very slow to correct and address consumer concerns.
We have asked PC manufacturers not to ship systems containing the chip, but they all began selling systems on Friday. We and other privacy groups have asked the Federal Trade Commission to compel Intel to change the feature, but the Commissioner has indicated that he believes the FTC may lack the legal authority to do so. Other remedies might eventually be arrived at by the FTC, but time is of the essence here.
Because Intel seems deaf to appeals based on societal good (the statements of many of their executives in the press indicate a disturbing arrogance and disregard for consumers), we are reaching out to socially responsible investors to bring economic pressure to bear on Intel to permanently disable this dangerous feature. Privacy is rising in public importance in the age of the Internet in a manner analogous to the rise of environmental concerns a few decades ago: we hope that you consider this fundamental human right merits your attention and effort to protect.
We would welcome your advice on how to best achieve the goal of stopping Intel from damaging privacy. Here are our current proposals to socially responsible investors.
1. Divest Intel holdings as soon as possible.
2. Add Intel to "screening" lists of companies that are to be excluded from investment based on social criteria, specifically a disregard for human rights.
3. Dialog with Intel on the PSN, trying to persuade them that the best choice for their bottom line in the long term is to disable the feature.
4. Support programs of shareholder activism to have the PSN removed, by means such as submitting and voting proxy resolutions.
5. Dialog with PC manufacturers and their shareholders to apply pressure to Intel, by means such as disfavoring Intel processors in their product offerings until the PSN is removed.
If you would like more background information on our campaign, please contact us or visit the home page at http://www.bigbrotherinside.org on the Web. We would welcome the opportunity to hear your thoughts and discuss how best to proceed. We hope that you will be able to help make socially responsible investment a key factor in protecting the fundamental human right of privacy from this significant new danger.
Sincerely
[EPIC, Junkbusters, Privacy International]
[Feedback] Letter sent to FTC 2/26
[Background to this letter is explained in a News release]
Dear Chairman Pitofsky:
By letter dated February 22, 1999, we joined with several other organizations in urging the Commission, in accordance with 16 C.F.R. § 2.2, "to consider action it might take to prevent Intel's Processor Serial Number (PSN) from severely damaging consumer privacy and consequently stunting the growth of e-commerce."
In the days since that letter was transmitted, articles have appeared in the technical press indicating that Intel's representations concerning a software "solution" to the PSN problem are misleading and possibly deceptive. See, e.g., Christian Persson, Pentium III serial number is soft switchable after all, C'T, February 22, 1999 (http://www.heise.de/ct/english/99/05/news1/) (copy attached hereto). We believe that these technical findings may have a direct bearing upon the Commission's consideration of our request for an inquiry.
We understand that the Center for Democracy and Technology ("CDT") has today filed with the Commission a "Complaint and Request for Injunction, Request for Investigation, and for other Relief" with respect to this matter. We hereby request that the Commission consider our pending request for an inquiry and the CDT complaint together, and that we be advised of any Commission decision concerning this matter.
Sincerely,
[EPIC, Junkbusters]
encl.
[Feedback] Letter sent February 25 to CEOs of OEMs
To: Eckhard Pfeiffer, President and CEO, Compaq Computer Corp.,
Michael S. Dell, Chairman and CEO, Dell Computer Corp.
Theodore Waitt, Chairman and CEO, Gateway 2000 Inc.
Lewis Platt, Chairman, President and CEO, Hewlett-Packard Company
Louis V. Gerstner Jr., Chairman and CEO, IBM
Dear Sirs
By letter of February 22 we alerted you to our concerns with the Processor Serial Number feature of the Intel Pentium III. In light of developments since then we are now urging you to order an immediate suspension of all your company's products that contain the Intel Pentium III.
We believe that OEMs have a duty to properly inform their customers about the privacy risks of a PC containing a PSN.
Shipping the Pentium with an assurance that the end user can control the functionality of the PSN would seem premature in light of recent reports to the contrary, such as the article published by the German computer magazine c't on February 22. We believe that such a claim made under current circumstances could constitute a material misrepresentation of the sort prohibited by federal consumer protection laws and regulations.
Sincerely,
[EPIC, Junkbusters, Privacy International]
Other groups are invited to sign on; those have already replied affirmatively include: the Privacy Rights Clearinghouse and Private Citizen, Inc.
[Feedback] Letter sent to FTC 2/22 (before Heise bug was noted)
Mr R. Pitofsky
Chairman
Federal Trade Commission
Dear Sir
This letter is to ask the Commission to consider action it might take to prevent Intel's Processor Serial Number (PSN) from severely damaging consumer privacy and consequently stunting the growth of ecommerce.
Most of the media coverage of this issue has incorrectly reported that "Intel disabled the feature" or that "the number will be off by default." Both these statements are false. Intel did not change the chip at all; they merely decided to change the "control utility" software they will provide to OEMs (PC manufacturers), which the OEMs may or may not use.
The page of questions and answers on the PSN published on Intel's own web site on or before 2/3 stated that ``While the processor serial number is activated in the chip, the default control utility setting will turn the feature to "OFF." The utility then allows the user to choose whether to enable the processor serial number feature...'' Nothing there suggested that this "default off" setting would be anything less than universal. Yet in a 2/18 Reuters story an Intel official admitted that OEMs will be shipping PCs with the PSN on (contrary to the statement above) in units destined for the workplace. So in addition to the statements attributed by the media to Intel, Intel's own directly published statements have not accurately reflected the reality of their position. We request that the Commission consider whether its Section 5 authority regarding false claims and deceptive practices should be brought to bear on Intel.
Beyond the question of deception is the issue of the harm that will be caused by Intel's actions, whether misrepresented or not. While the case against the PSN has been stated in many places (such as http://www.bigbrotherinside.com) the following argument has been formulated along lines familiar from other actions taken by the Commission. In summary we believe that:
1) The PSN is likely to cause substantial harm to consumer privacy and consequently reduce consumers' participation in ecommerce. 2) This harm will not be easily be avoidable by consumers. 3) The harm will not be outweighed by countervailing benefits.
The following paragraphs expand these three points in turn.
1) The PSN is likely to cause substantial harm to consumer privacy and consequently reduce consumers' participation in ecommerce.
This assertion is based on the following subassertions. (a) The PSN will become a de facto standard Global User Identifier (GUID). (b) The GUID will be used by companies in information practices that are unfair. (c) Such practices will become known to consumers, some of whom will avoid participation in ecommerce because they apprehend that their privacy is at risk by doing so.
(a) The PSN is destined to become a de facto standard Global User Identifier (GUID) for the Internet, much as the Social Security Number became the GUID for financial transactions. Intel's stated intention to add the PSN to their other chips, plus their near-monopoly market share mean that the PSN feature would be present on the majority of PCs in a few short years. Although other uniquely identifying numbers have been available on computer hardware, none has had the ubiquity and attractiveness of the PSN. Intel has listed copyright protection as one of the advantages of the PSN, and software publishers are certain to adopt it for the consumer software market. (In the business software market, similar mechanisms have been available on expensive workstations for years.) Any piece of software that requires the PSN for copyright protection could obviously also use it for other purposes.
(b) The GUID will be used by companies in information practices that are unfair. The history of cookies has shown that browser manufacturers and web sites have a mutual commercial interest in tracking and targeting consumers using mechanisms that are turned on by default. Several companies have already set up schemes to bypass the limitation of cookies that each site gets a different cookie, allow the sharing of information about visitors. Having a PSN provided by the browser to web sites would allow these extra efforts to be bypassed. Given that the browser market is a duopoly where both duopolists have a significant consumer ecommerce operations, those manufacturers have a compelling incentive to make the PSN available to their own sites and to partners. Beyond browsers, other software such as mail and chat programs might choose to disclose the PSN, overtly or covertly. (Intel have already indicated one of the intended uses is to exclude "rogue users" from chat rooms.) In the current legal environment where web sites (except those targeted at children) are not required to abide by any code of fair information practice, and where information on online behavior is a valuable and salable, the PSN will inevitably be used in unfair, privacy-invasive practices.
(c) Such practices will become known to consumers, some of whom will avoid participation in ecommerce because they apprehend that their privacy is at risk by doing so. Surveys such as the 1998 Harris/Business Week poll indicate that fear for privacy is the number one reason consumers give for not going online (ahead of price and usability). The PSN will move reality much closer to these consumers' worst fears. The considerable media attention and public discussion of Intel's announcement reflects the high level of concern over the state of online privacy.
2) This harm will not be easily be avoidable by consumers. This point follows from each of two assertions. (i) Many consumers will not know they are using a PSN-enabled machine, or will not understand the implications of the PSN for privacy. (ii) Many will be compelled to disclose their PSN.
The most extreme example of compulsion will occur in machines in the workplace. Intel have listed asset management as an intended use of the PSN. To support this, organizational buyers would order PCs from the manufacturers with the PSN permanently enabled in the BIOS. It could be argued that employees should have no expectation of privacy at the workplace, but lunchtime private usage actually raises the level of Internet activity, and many consumers find the cost of establishing an Internet connection at home prohibitive, so this group will represent a substantial number of ecommerce participants. Furthermore, business routinely dispose of PCs to employees, schools and others for personal use, and few consumers know how to reconfigure a BIOS.
Even on PCs where use of the PSN is ostensibly optional and opt-in, experience shows that consumers will be coerced into submitting to the tracking mechanism. Microsoft for example demands cookies as a precondition to access to large amounts of technical information, some essential to performing key tasks. Other sites require cookies or registration as a condition of entry to the site, or as a condition of purchase, or a condition of using software. This may be as essential as the operating system or personal finance software. The putative choice is often illusory.
Returning to point (i), many consumers will not know they are using a PSN-enabled machine, or will not understand the implications of the PSN for privacy. Intel has suggested a small taskbar icon as a visual indication, but this decision is not even in their hands, and manufacturers are unlikely to voluntarily place a warning label on their products that explains the privacy implications of a PSN.
3) The harm will not be outweighed by countervailing benefits. Intel claims various benefits for the PSN, mostly in improving security. However as documented on http://www.bigbrotherinside.com mentioned above, several leading technical experts have stated that as a security mechanism the PSN is too weak to be very useful. In areas such as asset management and copyright protection, other mechanisms are already in use that do not depend on a PSN.
This completes our argument that the PSN is likely to cause substantial harm which will not be easily be avoidable by consumers, and will not be outweighed by countervailing benefits.
As you may know, privacy groups have consistently called on Intel to permanently disable the feature since the day it was announced. Some have asked Intel to recall all product shipped with the feature. We ask the Commission to consider what action it might take to reduce the harms to consumer privacy and ecommerce identified here, including any means to compel the company to disable the feature and order a recall, whether directly or through PC manufacturers. We also request that Commission consider whether its Section 5 authority regarding false claims and deceptive practices should be brought to bear on Intel. Finally, we request a meeting with the appropriate staff of the Commission to discuss this matter.
This letter is not a formal petition and complaint to the Commission, but such a plea might follow at a later date. The Commission's consideration of this letter and any response will be very much appreciated.
Very respectfully
[Groups who signed on.]
Note: Correspondence may be addressed to EPIC, who will summarize and distribute responses, or to all signatories if desired.
[Feedback] Letters sent to CEOs of PC Manufacturers 2/22
To: Eckhard Pfeiffer, President and CEO, Compaq Computer Corp.,
Michael S. Dell, Chairman and CEO, Dell Computer Corp.
Theodore Waitt, Chairman and CEO, Gateway 2000 Inc.
Lewis Platt, Chairman, President and CEO, Hewlett-Packard Company
Louis V. Gerstner Jr., Chairman and CEO, IBM
Dear Sirs
You may already be aware of the boycott over the Pentium III's Processor Serial Number against Intel; in case you are not familiar with the privacy impact of the PSN, a draft letter to the Chairman of the Federal Trade Commission that summarizes our concerns is available at http://www.junkbusters.com/intel.html on the Web. Background material is also available at the campaign home page, http://www.bigbrotherinside.com.
The organizers are considering extending the boycott to major PC manufacturers who ship Pentium III systems in a configuration that would significantly damage consumer privacy. We request your assistance in providing us with information on your company's intentions, so that we can determine our organization's boycott policy regarding your company and any individual consumer products containing a PSN.
We would welcome any information you consider relevant, but we specifically seek to determine as soon as possible which of the following statements best describes your company's position.
1) Refusing to ship Pentium III systems until Intel disables the PSN in the chip.
2) Not currently planning to ship Pentium III systems, for whatever reason.
3) Planning to ship Pentium III systems with the PSN disabled in the BIOS, so that it cannot be enabled without altering the BIOS.
4) Planning to ship Pentium III systems with the PSN enabled in the BIOS, but disabled by default in the OS or desktop in a manner that allows the PSN to be enabled with a change of configuration and a reboot.
5) Planning to ship Pentium III systems with the PSN enabled by default after startup, but with a mechanism provided to disable the PSN upon request by the user.
6) Planning to ship Pentium III systems with the PSN enabled by default after startup, with no built-in mechanism to disable the PSN. (The user would have to download an application from some web site for example.)
These six alternatives above are listed in increasing order of hostility towards privacy, and we hope that your response will be one of the first two or three.
If your company intends to ship PCs in different configurations to consumer markets vs. the workplace, please provide details for both.
We would also be grateful for answers to the following questions whenever you are able to provide them, but please do not delay answering the crucial question above while preparing this or any additional information. Depending on your plans, some or all of these questions may not apply to your company.
(i) How will the consumer be notified whether the PSN is on? If with a visual indication on the screen, to what extent will this be vulnerable to tampering by viruses or other attacks by hostile applications? What warranty, if any, will you provide to your customers that the PSN will not be disclosed against their wishes?
(ii) Will clear and conspicuous notice of the privacy impact of having the PSN enabled be provided, such as a label on the front panel of the PC, in the printed documentation, or as a popup on the desktop?
(iii) To what extent will your company offer customers alternatives to Intel processors, both generally and specifically in the price/performance space of the Pentium III? In particular, is an offering using the AMD K6-3 planned or available?
(iv) If the PSN is automatically turned off at some point in the startup process, please clarify whether the Microsoft Windows have access to the PSN before it is turned off. If you are aware of whether Windows will store the PSN in the Registry or elsewhere so that it is available to Web browsing functions, please provide details.
We hope that your company will show a true commitment to consumer privacy with actions, not words, in the computer products it ships in the next month. We look forward to hearing from you what these actions will be, so that we can determine our boycott policy and communicate this to consumers, consumer groups and government authorities.
Sincerely
[Groups who signed on.]
Enclosure
Note: Correspondence may be addressed to EPIC, who will summarize and distribute responses, or to all signatories if desired.
[Feedback] Letter sent to consumer and privacy organizations 2/15
The groups that signed on to the letters by 2/22 include the Center for Media Education, consumer.net, EPIC, Junkbusters, Private Citizen, Privacy Rights Clearinghouse, Privacy International, and Privacy Times.
Friends,
I'm writing to seek your support and guidance on the Pentium III boycott.
In the weeks since Intel announced that the Pentium III will contain a Processor Serial Number, two things have emerged clearly.
1) Consumer and privacy groups consistently oppose the PSN feature because it will severely damage online privacy. 2) Intel has refused our calls to disable the feature in hardware. It has offered only cosmetic concessions which do not solve the basic problem, such as changing the default from on to off (which is not even under their control).
I propose two actions, for which I seek your support and guidance.
1) Writing to the FTC asking them to consider what they can do to prevent the harm to privacy that would result from the PSN proliferating.
2) Writing to the heads of the major PC manufacturers, asking them whether and how they intend to use the Pentium III, and putting them on notice that they too might be boycotted in the future, depending on their actions.
Drafts of these two letters are included below. Please let me know if your organization wishes to be included as a signatory. Suggestions for changes and other actions are welcome too of course. None of this requires your organization to endorse a boycott of Intel or any PC manufacturer (though your expressions of support here would also be welcome); the current step is simply asking for improvements and signatures on the letters.
You might also be interested in some of the materials that we have developed with the help of volunteers: a flyer explaining the campaign that prints nicely in color or black and white. You're welcome to include it in your newsletters, on your web site, or wherever you think best gets the message out:
http://www.junkbusters.com/bbi.pdf
This and the graphic elements and a banner ad will soon be available on the campaign home page: http://www.bigbrotherinside.org
We're also providing a facility to help consumers draft letters to PC manufacturers asking them not to ship PCs with a PSN. Here's a sample:
http://www.junkbusters.com/cgi-bin/optout?from=none&to=dell
If you have any questions, comments or suggestions, they are most welcome too. I would like to try to have the letters and signatories settled by Friday February 19, as the Pentium III will be launched at the end of the month. Thanks for your help.
Jason Catlett
[Feedback] Dates and details of the letters
The 2/28 letter to fund managers was sent by regular US mail that day. The 2/26 letter was faxed to the FTC early in the afternoon of Friday 2/26. The 2/25 letter to PC manufacturers (OEMs) was faxed at approximately 2:30pm EST and sent by certified mail later in the afternoon. An earlier letter to OEMs was also faxed and mailed 2/22. The original letter to the FTC was faxed at 3pm on 2/22.