Complaint and Request for Injunction, Request for Investigation, and for Other Relief

 

Submitted to:

Donald Clark
Office of the Secretary
Federal Trade Commission
6th Street & Pennsylvania Ave NW
Washington, DC 20580

 
February 26, 1999

Before the

Federal Trade Commission

Washington, DC 20580


In the Matter of

Intel Pentium III Processor Serial Number
__________________________________________

)
)
)
)


I. INTRODUCTION

The Center for Democracy and Technology (CDT), Consumer Action, Privacy Rights Clearinghouse, and Private Citizen, Inc. files this Complaint and Request for relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of deployment of the Intel Pentium III Processor Serial Number (PSN). Specifically, we request that the Commission:

In addition, because a substantial number of chips have already been provided to computer manufacturers (OEMs) we also request that the Commission:

The privacy of individuals on the Internet will be substantially harmed unless the Commission acts quickly.

The PSN is a unique identifier. Due to Intel's market dominance, [ 1 ] the PSN has the potential to become the unique identifier for nearly everyone on the Internet -- fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual's every move is recorded. Our society's experience with unique identifiers suggests that embedding the PSN into computer processors will erode individual privacy. The history of the Social Security Number reveals the unrelenting pressures to expand the use of an identifier once it is created -- even where its use is initially curtailed by federal policy. Once a unique identifier capable of identifying and tracking individuals in the online environment is created, it will be far more difficult to limit its use.

The PSN as designed by Intel is not adequately under the control of the consumer. Nor are there limits -- technical or legal -- on the purposes for which the PSN may be requested or used. There will be tremendous pressure on systems to use the PSN and individuals to provide the PSN for a range of purposes. The result will be increased information collection about individuals, increased compilation and sharing of personal information between entities, and potentially the development of a single online identifier.

Intel has already conceded that the PSN poses a risk to privacy. The announcement of the PSN was met with opposition from privacy and consumer advocates. Nearly immediately, Intel announced that it would address privacy concerns by providing a Software Control Utility that lets consumers turn off the PSN. In response to continued criticism, Intel announced that the Software Utility would default the PSN "off."

Despite these steps, the PSN continues to threaten individual privacy. At least one computer expert claims to have figured out a procedure to switch on the PSN without the individual consumer’s knowledge through software. [ 2 ] Thus before the Software Utility, Intel's "privacy fix," is even on the market, there is evidence that it does not give secure control over the PSN to individual users. In light of the known vulnerability of the Software Utility, Intel's statements that it addresses privacy concerns by providing individuals with control over the disclosure of the PSN are misleading.

As the Commission has documented over the past three years, consumers care about their privacy, and ensuring privacy is critical to the success of online commerce. A central tenet of privacy is that individuals must maintain control over their personal information. The recently passed Children's Online Privacy Protection Act and the Commission's statements on adult privacy have focused on the need for fair information practices, particularly notice to consumers of how data is handled and consent/choice about how it is used. We believe that the PSN as designed does not comport with concepts of privacy protection. At its core, the Pentium III PSN establishes a system that supports the wide spread tracking and monitoring of individuals' online behavior. The Pentium III does not give consumers control over the use and disclosure of the PSN. Our experience warns that without genuine consumer control and policies governing the use of unique identifiers, they pose serious risks to privacy.

CDT believes that embedding the Processor Serial Number (PSN) into the Intel Pentium III is likely to cause substantial injury to consumers, which consumers cannot reasonably avoid, and which is not outweighed by countervailing benefits to consumers or competition. We believe that this issue is within the Commission's jurisdiction to deal with unfair and deceptive practices.

 

II. THE PARTIES

A. The Center for Democracy and Technology

The Center for Democracy and Technology (CDT) is a non-profit, public interest organization incorporated in the District of Columbia and operating as a tax-exempt organization. CDT is dedicated to preserving and enhancing privacy and other democratic values and civil liberties on the Internet and other interactive communications media. CDT pursues its mission through public education, grass roots organizing, litigation, and coalition building.

B. Consumer Action

Consumer Action is a 501(c)(3) non-profit organization engaging in advocacy and education. It distributes free consumer education materials throughout the country, especially to low-income, senior, and non-English speaking consumers. Consumer Action is a membership organization with offices in San Francisco and Los Angeles and was formed in 1971.

C. Privacy Rights Clearinghouse

Privacy Rights Clearinghouse (PRC) is a non-profit consumer information and advocacy program based in San Diego. The PRC’s mission is to raise consumer awareness about how technology affects privacy and to empower consumers to control their own personal information by providing practical tips on privacy protection. The PRC advocates for consumers’ privacy rights in local, state, and federal public policy proceedings.

D. Intel Corporation

Intel introduced the world's first microprocessor in 1971. Today, Intel supplies the computing industry with the chips, boards, systems and software that are the building blocks of computer systems. Intel is reported to have approximately a 75% share of the Central Processing Unit (CPU) market. Thus, Intel's CPUs are found in a large number of consumer-oriented computer products.

 

III. STATEMENT OF FACTS: PENTIUM III PROCESSOR SERIAL NUMBER

A. When individuals surf the World Wide Web today, they are largely anonymous until they choose to actively disclose personally identifying information.

While Web sites and others may collect transactional (click stream) data without providing notice and gaining an individual’s consent, Web sites are generally limited in their capacity to collect identifying data. Introducing a unique identifier such as the Pentium III Processor Serial Number will fundamentally shift the World Wide Web away from anonymity and toward identification by providing a persistent unique identifier that can be easily used to track an individual’s Web interactions. If an individual provides identifying information such as a name and address during any Web interaction, the PSN provides a tool that will allow for a profile of the online activities to be easily compiled. Even if the individual never actively discloses identifying information, the PSN can still be used to track, monitor and even restrict the individual's online interactions.

B. On January 20, 1999, Intel announced that the Pentium III would include a unique Processor Serial Number (PSN).

The PSN is a unique number incorporated into the Pentium III, which, when "called" or requested by a server, [ 3 ] can be transmitted. The PSN will uniquely identify computers, and in many instances, can be associated with individuals. If Intel's market dominance remains constant, the Pentium III PSN eventually could uniquely identify approximately 75% of the computers in the marketplace.

C. As designed, the Pentium III processor provides no ability for individuals to control the disclosure of the PSN.

Consumers cannot remove, change, or "zero-out" the PSN in the Central Processing Unit (CPU). As Intel states at its Web site, "…the processor serial number is activated in the chip…" While manufacturers are free to provide tools that attempt to give individuals control over the PSN, the Pentium III itself does not provide such features.

D. Intel has no control over whether manufacturers disable the PSN or provide computer users with methods to control the PSN.

If manufacturers choose to, they may provide individuals some degree of control over the PSN by:

  • disabling it in the BIOS; [ 4 ]
  • installing a software application that disables it and allows consumers to enable it; or,
  • installing a software application that leaves it enabled and providers consumers the ability to disable it.
  • It is possible that manufacturers can "zero-out" the PSN. Intel introduced a utility that they contend provides users with control over their PSN. Intel's Web site states that the utility will be available at the Intel Web site and on a CD-ROM directly from Intel, and will be shipped with some Pentium III processor-based systems. In the latter cases, it is unclear whether it will be shipped installed or as a CD-ROM. The majority of these approaches require individuals to take additional steps to protect their privacy from the risks created by the PSN.

    Moreover, reported attacks on the Software Utility provided by Intel indicate that the software options may provide little protection from malicious actors.

    To date it is unclear whether all computer manufactures will make efforts to provide users with control over the PSN. IBM has committed to turn it off in the BIOS.

    E. Intel has no control over the applications, proposed and future, that will use the PSN.

    Intel has designed a program that enables servers to retrieve the PSN from computers with Pentium III chips. According to Intel, if an individual's browser is set to prompt the user prior to executing a program, the individual will be notified and able to either allow or prohibit the program to read the PSN. However, if an individual’s browser is set not to prompt prior to executing programs, then the alien program will read the PSN without the individual's knowledge or consent.

    Other companies are likely to develop programs to retrieve the PSN. It is unclear whether they will be designed to provide individuals with notice and some control over the PSN disclosure. Intel has no means of limiting how the PSN is used or how programs developed to retrieve it are designed.

    F.Unique Identifiers pose risks to privacy: the Social Security Number

    The Social Security Number (SSN) offers a compelling example of how a unique identifier can undermine individual privacy and become a de facto national identifier. The SSN was designed solely for the purpose of collecting payments during an individual's work life and paying them back out to the individual upon retirement. [ 5 ] Limits were set prohibiting its use by the government for other purposes. No limits were placed on the private sector's use of the SSN. Since its introduction, the use of the SSN as a general identifier has grown steadily. In 1943, President Roosevelt directed federal agencies to use the Social Security Number whenever a system of accounting for individuals was required. [ 6 ] In 1961, a decision was made to use the SSN as the taxpayer identifier. [ 7 ]

    Today the Social Security Number is the common "key" providing access to records in multiple public and private record systems. The widespread use and availability of the SSN has harmed consumers .

    1. Erosion of Privacy

    The use of the Social Security Number as the record-keeping system by multiple organizations allows information collected and maintained by separate systems to be easily compiled into a single record on an individual. The melding of information, gathered in various contexts and for an assortment of purposes, allows for the creation of dossiers of detailed information on individuals. Such dossiers provide a profile of the individual that can be used for a number of purposes, as seemingly benign as direct marketing, and as harmful as political surveillance.

    2. Escalation of Identity Theft

    The widespread availability of personal information, particularly the SSN, has facilitated the new crime of identity theft. Armed with an individual's SSN, name, address, and date of birth, a thief can open up instant credit accounts at retail stores, apply for credit cards and contract for other services.

    G. OEMs recognize the privacy risks posed by the PSN.

    In response to a letter urging original equipment manufacturers (OEMs) to take steps to protect the privacy of their customers, IBM acknowledged the "legitimate privacy concerns raised by the potential misuse of the [PSN] feature" and committed to take steps to address it. IBM stated that it would "disable the processor ID feature at the BIOS… and [provide] explicit instructions and support via Help materials online and included with their PC." News reports indicate that two other manufacturers, Dell and Compaq, may turn the PSN off in the BIOS due to privacy concerns, but this has not been confirmed. [ 8 ]

     

    IV. GROUNDS FOR RELIEF: THE PENTIUM III PROCESSOR SERIAL NUMBER HARMS CONSUMERS, IS CONTRARY TO ACCEPTED PUBLIC POLICY AND IS UNFAIR AND DECEPTIVE IN VIOLATION OF SECTION 5 OF THE FTC ACT.

    A.Unfairness

    In assessing when to exercise its unfairness jurisdiction under Section 5 of the FTC Act, the Commission generally considers two factors: (1) whether the practice injures consumers; and (2) whether it violates established public policy. [ 9 ]

     

    1.The Processor Serial Number Injures Consumers' Privacy by Depriving Them of Control over Personal Information and Providing a Unique Identifier That Can Be Used Indiscriminately to Track Online Activities.

    In assessing whether a practice injures consumers, the FTC will consider: whether the injury is substantial; whether it can be reasonably avoided by consumers; and, whether the harm is outweighed by countervailing benefits to consumers or competition.

      1. The PSN raises a significant risk of concrete harm to consumers' privacy.
      2. The PSN, whether the default is on or off, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are expected, or even required, to identify themselves in order to participate in online activities, communicate, and make purchases. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumer's online privacy. Many of the activities that individuals engage in on the Web do not require the collection of identifiers or personal information of any type. Consumers desire stronger security for commerce and communication. However, consumers should not be presented with products that require them to sacrifice their privacy in order to gain security. Instead, technical and policy solutions must be developed that provide strong security, offer robust and varied authentication tools to support electronic commerce, and protect individual privacy and anonymity. The Pentium III PSN does not meet this standard. The privacy risks inherent in this unique ID feature outweigh the security gains Intel has stated it is intended to provide.

        There are no technical or legal limits on the collection, use, or disclosure of the PSN. Currently, there are no United States laws that would regulate, generally, the collection or use of the PSN. [ 10 ] Technically, the Pentium III does not limit who can request the PSN, how it is used or disclosed, under what conditions, or for what purposes. We know from our experience with both the Social Security Number and more recently with "cookies" that identifiers can be used for a variety of purposes. The PSN stands to further the collection of personal information in ways that undermine consumers' control. By providing an easy mechanism to track behavior across the Internet, Intel has created the blueprint for a de facto online identification system.

        The PSN will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. The introduction of the all-purpose PSN threatens anonymity and undermines ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased pressure on individuals to permit the collection of the PSN, and other information that can be tied to it, as a quid pro quo of engaging in transactions and interactions online, placing a burden on individuals who choose to protect their privacy.

      3. Consumers cannot reasonably avoid the harm.
      4. Because Intel dominates the CPU market, consumers will have limited options in the market place. Individual control over personal information is critical to privacy protection. Individuals must have the right to determine when to disclose information about themselves and under what circumstances. As designed by Intel, the Pentium III Processor does not provide individuals with adequate control over the PSN. While some manufacturers may turn off the PSN or provide consumers some control over when it is disclosed, the procedures for consumers to activate and deactivate the PSN are cumbersome. If even a small number of Web sites demand the PSN as a prerequisite to doing business, consumers are likely to leave it turned on. In addition, the security of the Intel utility has already been called into question, suggesting that the utility is insufficient privacy protection.

        Due to the cumbersome nature of the software control utility, individuals are likely to leave the PSN on if even a small number of Web sites demand it. [ 11 ] As designed, a consumer must reboot his or her computer to turn the PSN on. (Again, the recent attack suggests that it can be turned on without a reboot.) While it can be deactivated at any time, the process for turning it on will limit consumers' ability to reasonably control the use of the PSN.

      5. The harm to privacy is not outweighed by countervailing benefits to consumers or competition.

    According to respected security experts, the PSN provides little if any added security to consumer transactions in the marketplace. As respected cryptographer and security expert Bruce Schneier writes, "As a cryptographer, I cannot design a secure system to validate identification, enforce copy protection, or secure e-commerce using a processor ID. This kind of system puts us in the same position we were in when the government announced the Clipper Chip: Those who are engaged in illicit activities will subvert the system, while those who don't know any better (the majority of consumers) will find their privacy violated." Jim Yankelevich, director of technical operations for LaptopSales.com, an online retailer, said the new chip is "nothing more than a gimmick to sell computers. Yankelevich said he used to be a software pirate 'in a long forgotten time' and doesn't see how it will be effective in combating piracy." [ 12 ]

    2.The Pentium III Processor Serial Number violates established public policy on protecting individual privacy and undermines ongoing efforts to limit the privacy risks associated with a National ID number.

    Over the past three years, all three branches of the federal government, plus the business community and the advocacy community, have been engaged in efforts to promote privacy- protective business practices online. In addition, several actions have been taken to halt the creation of new unique identifiers and to halt the indiscriminate use of existing identifiers.

    a. Government Policy on Online Privacy

    In December 1996, the Commission released a staff report detailing the findings of the FTC Public Workshop on Consumer Privacy on the Global Information Infrastructure. The report outlined four core elements that industry and advocates believed were critical to protecting privacy online: Notice; Consumer Choice; Data Security; and Consumer Access.

    In June 1998, in its "Privacy Online: A Report to Congress," the Commission further defined and expanded the initial principles: Notice/Awareness; Choice/Consent; Access/Participation; Integrity/Security; and Enforcement/Redress.

    Also in June1998, the Department of Commerce issued a request for comments on its "Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy."

    In October 1998, Congress passed the Children's Online Privacy Protection Act, mandating observance of the core elements outlined above and parental consent prior to collection of information from those 12 and under.

    b.Government Policy on Unique Identifiers

    In July 1998, Vice President Gore called on the Department of Health and Human Services to halt the development of a "unique health identifier."

    In 1998, Congress passed H.R. 4217, delaying the implementation of Department of Transportation regulations to standardize and federalize drivers' licenses regulations, creating what many fear would become a National Identification card. Congress also blocked issuance of a unique health identifier in the Omnibus Appropriations Bill, Pub. L. 105-277.

    Several proposals to limit the use of the Social Security Number were before Congress in the 105th and will be again in the 106th. The Commission has looked at the risk of identity theft associated with the availability of Social Security Numbers. The FTC's "Report to Congress on the Individual Reference Services Industry" included a set of self-regulatory principles designed to limit the wide spread availability of the Social Security Number.

    c. Private Sector Policy on Online Privacy

    Companies all across the private sector have been actively involved in efforts to promote privacy and consumer trust in the Internet. The Online Privacy Alliance, the Better Business Bureau Online's Privacy Seal Program, TrustE and individual company efforts are all evidence of a growing concern for consumer privacy -- and an acknowledgement that privacy is critical to the success of e-commerce. Two core elements of these programs are: notice to the individual of company's information practices; and, individual choice over the use of personal information.

    d. Public Sentiment on Privacy

    Numerous surveys, several of which have been presented to the Commission, have documented the growing consumer concern with privacy. (See CDT's Web site for a review of existing survey data, http://www.cdt.org)

    B. Deception: The introduction of the PSN is likely to mislead consumers acting reasonably to the detriment of their privacy.

    The Commission will find a violation of Section 5 of the FTC Act if there is a representation, omission, or practice that is likely to mislead the consumer acting reasonably under the circumstances, to the consumer’s detriment. [ 13 ] According to the Federal Trade Commission Policy Statement on Deception, the Commission considers three core elements: first, it must find a representation, omission or practice that is likely to mislead the consumer; second, the act or practice must be viewed from the perspective of a consumer acting reasonably in the circumstances; and third, the representation, omission, or practice must be "material," such that it is likely to affect the consumer's conduct or decision with regard to a product or service. [ 14 ]

    1. Intel's statements about the PSN as a security tool.

    Intel's initial public statements highlighted the purported security benefits of the PSN to consumers, [ 15 ] Overall, Intel initially represented the PSN as a security-enhancing device that poses no threat to consumers, downplaying the risks to privacy. However, recent Intel statements indicate that in fact the security that will be enhanced is that of content owners, not consumers. In fact, the statements suggest that one purpose of the PSN is to assist copyright owners in tracking users. ZDNet reports that David Aucsmith, security architect for Intel said, "This is a new focus for the security community…The actual user of the PC -- someone who can do anything they want -- is the enemy." [ 16 ] The article goes on to state that "software companies and content creators are targeting users as a major threat to security." [ 17 ]

    Intel's claims that the PSN is security-enabling is likely to mislead consumers. The majority of Intel's statements have suggested that the PSN can only be used in ways that are positive for consumers. But, recently Intel has undermined this claim by publicly suggesting that the device will be used to facilitate copyright management by tracking users -- a use that could seriously compromise individual privacy and provide the individual no security benefit. In fact the PSN is as likely to be used in ways that are negative. The omission of accurate information about the pros and cons of the PSN deprives consumers of the information necessary to make informed decisions about their privacy.

    2.Intel's statements about user control of the PSN

    Intel has stated that the Software Utility Control will turn the PSN off permanently unless individuals decide to turn it on. This is misleading. A portion of Pentium III equipped computers that enter the market will not have any Software Utility Control installed -- i.e. they will contain no means for users to control the PSN. [ 18 ] Even if the Software Control Utility is installed, security experts have noted that this is not a secure means of protecting the PSN. [ 19 ] In light of these findings, Intel's statements suggesting that the Software Utility places the PSN under individual control are misleading.

    3.The PSN can be used to further deceptive information collection practices.

    The PSN can be used by Web sites and others to further deceptive information practices. Due to the lack of legal or technical limits on the use of PSNs, it is likely to be used to support many non-security related functions, including tracking Internet users. Because Intel's public statements have emphasized the purported security gains of the PSN, individuals may provide their PSN assuming that it is being requested for security purposes -- when in fact it is not. This will place individual privacy and anonymity needlessly at risk.

    There has been little effort to educate consumers about the potential risks posed by the PSN and how they can avoid them. While advocacy organizations will continue efforts to educate the public, it is unlikely that such efforts will be sufficient to educate the public about the privacy issues in the PSN. Neither Intel nor the OEMs have indicated an intent to provide educational materials outlining the PSN's impact on privacy. [ 20 ] Due to the lack of accurate information about the risks of the PSN, the majority of consumers are unlikely to be aware of the privacy risks posed by the PSN, and therefore, unable to take steps to avoid them.

    V. CONCLUSION AND REQUEST FOR RELIEF

    As the largest chip manufacturer in the consumer marketplace, Intel's product design decisions have far-reaching impact on consumers' online privacy. Intel's market dominance, coupled with the lack of accurate material about the privacy implications of the PSN, and the inability of individuals to control the use to which the PSN is put, suggest that the PSN may substantially injure consumers' privacy and become a de facto online identification system. As designed, the product presents an unprecedented opportunity for the tracking of individuals across the Web. It is likely that consumers will be required to disclose this new identifier as a price of gaining entry to Web sites -- fundamentally eliminating the anonymity the World Wide Web currently affords individuals.

    Manufacturers of products are obliged to limit the safety risks their products pose. In designing the Pentium III, Intel created a product that poses substantial risk to consumer privacy. While authentication tools are a requirement for a thriving consumer online marketplace, the PSN inappropriately and unnecessarily places privacy and security at odds.

     

    Respectfully submitted,

     

     

     
    Deirdre K. Mulligan
    Staff Counsel
    Center for Democracy and Technology
    1634 I Street NW
    Washington, DC 20006
    (202) 637-9800
    http://www.cdt.org

    Ken McEldowney
    Executive Director
    Consumer Action
    717 Market Street Suite 310
    San Francisco, CA 94103

    Beth Givens
    Director
    Privacy Rights Clearinghouse
    1717 Kettner Suite 105
    San Diego, CA 92101

    Bob Bullmash
    Director
    Private Citizen, Inc.
    PO Box 233 Naperville, IL 60566




    FOOTNOTES

    [ 1 ] Intel reportedly has 75% - 80% of the microprocessor market. See, Fred Vogelstein, "Intel inside the courtroom," U.S. News Online, March 1, 1999 (News stand edition). At times Intel has been reported to control up to 90% of the market for microprocessor chips. See, "Feds Sue Intel," ABCNEWS.com, June 9, 1998.

    [ 2 ] Christian Persson, Pentium III serial number is soft switchable after all, C'T, February 22, 1999. http://www.heise.de/ct/english/99/05/news1 Intel confirmed that the serial number is soft switchable. Id.

    [ 3 ] Technically, the PSN is requested in an instruction to the chip by software running on the PC. If that software were a web browser for example, it might receive a request from a server and then get the PSN and pass it on.

    [ 4 ] Basic Input Output System. All computer hardware has to work with software through an interface. The BIOS gives the computer a little built-in starter kit to run the rest of software from floppy disks and hard disks. The BIOS is responsible for booting the computer by providing a basic set of instructions. It performs all the tasks that need to be done at start-up time. Furthermore, it provides an interface to the underlying hardware. The BIOS Survival Guide: http://www.lemig.umontreal.ca/bios/defin.htm

    [ 5 ] Social Security Act, P.L. 74-271, August 14, 1935. The Social Security Number is first mentioned in a Bureau of Internal Revenue regulation of November 5, 1936, that directed the Postmaster General or the Social Security Board to assign an account number to each employee. Use of the Social Security Number was expanded to state unemployment insurance programs in 1937. Records, Computers and the Rights of Citizens, at 115.

    [ 6 ] Executive Order 9397.

    [ 7 ] For a more detailed history of the social security number see, Records, Computers and the Rights of Citizens, at 114-122, and Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission, ch. 16 (July 1977).

    [ 8 ] Janet Kornblum, Privacy eclipses P3 chip, USA Today, Feb, 17, 1999. CDT has written all OEMs requesting information about how they intend to handle the PSN in their Pentium III equipped products. IBM is the only company that has responded. (See attached letters).

    [ 9 ] Federal Trade Commission Policy Statement on unfairness, letter to The Honorable Wendell H. Ford, Chairman, Consumer Subcommittee Committee on Commerce, Science, and Transportation and The Honorable John C. Danforth Ranking Minority Member, Consumer Subcommittee Committee on Commerce, Science, and Transportation, December 17, 1980. A third factor, "whether it is unethical or unscrupulous," while articulated, has never been relied upon as an independent basis for a finding of unfairness and in its "Statement on Unfairness" issued in December 17, 1980, the FTC stated that, going forward, it would only act on the first two.

    [ 10 ] But see, the Privacy Act of 1974 and the Children's Online Privacy Protection Act of 1998.

    [ 11 ] Consumers may also be coerced into turning the PSN on by software that requires the number for registration and copyright protection.

    [ 12 ] Polly Sprenger, Pirates Sneer at Intel Chip, Jan. 22, 1999.

    [ 13 ] Federal Trade Commission Policy Statement on Deception, appended to, Cliffdale Associates, Inc., 103 F.T.C. 110, 176 (1984)

    [ 14 ] Id.

    [ 15 ] Processor serial number questions & answers, http://support.intel.com/support/processors/pentiumiii/psqa.htm

    [ 16 ] Robert Lemos, "The biggest security threat: You," ZDNet, Feb. 25, 1999.

    [ 17 ] Id.

    [ 18 ] For example, "Caspar Bowden, director of the Foundation for Information Policy Research in London, a think-tank that analyses information technology issues, says: `It's very hard to see how one can be sure the feature couldn't be switched on remotely." More recently, Intel has confirmed that the PSN can be enabled through software without the individual's knowledge or action. Polly Sprenger, Pirates Sneer at Intel Chip, Jan. 22, 1999.

    [ 19 ] Christian Persson, Pentium III serial number is soft switchable after all, C'T, February 22, 1999. http://www.heise.de/ct/english/99/05/news1 Intel confirmed that the serial number is switchable. Id.

    [ 20 ] IBM's letter to CDT stated that they would provide educational materials about the PSN. (See attached) However, it is unclear whether other OEMs will follow suit.