Setting the rules for spam and Net privacy

A decorated POW and political maverick, FTC Commissioner Orson Swindle is helping to decide rules that will define the cyberlandscape for the next generation. He's also that rarest of Washington politicians--one who detests most of his colleagues.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
7 min read
ASPEN, Colo.--Orson Swindle is an unusual breed of Washingtonian: a politician who doesn't trust other politicians much at all.

Swindle, 65, is one of five commissioners at the Federal Trade Commission. The FTC's responsibilities involve policing the Internet for fraud and privacy violations; the agency recently compelled Microsoft to make changes to its Passport authentication system.

Swindle believes the private sector typically is better at resolving online problems than are government bureaucrats. It's not a new argument: When the FTC voted 3-2 in May 2000 to ask Congress for more power to regulate Web sites, Swindle was one of the two dissenters.

Appointed to the FTC by then-President Clinton in December 1997, Swindle previously worked as an assistant secretary in the Commerce Department under President Reagan. He was a Marine aviator in Vietnam, and his plane was shot down in 1966. Swindle, who spent the next six years in a prisoner of war camp, won two Purple Hearts during his combat service. CNET News.com recently caught up with Swindle to get his views on Microsoft, Internet privacy and spam, among other subjects on his radar.

Q: Recently the FTC settled its complaint over charges that Microsoft's Passport authentication system was not adequately privacy-protective. How did that play out inside the commission?
A: It played out well. First, we all know that these computer systems come out, and has there ever been one that was perfect? I don't think so. That's why you have betas. I think Microsoft is a great company--they've given us great things. But in this case, Microsoft was claiming that in Passport, your security was protected more than in other systems. In fact, it didn't provide better security, and in fact, they were collecting information that they didn't disclose.

Did Microsoft cooperate with your investigation?
They were cooperative. They goofed. They were responsible enough to say, "We'll make the adjustment. We'll make the improvement. We'll avoid this in the future." I was pleased to see it work out in the way it did.

How can you be sure there's not a repeat occurrence?
I bet Eli Lilly looks far more carefully nowadays. [Ed. Note: In July 2001, the pharmaceutical giant admitted that it had inadvertently released over the Internet the e-mail addresses of more than 600 people who were taking Prozac. In Jan. 2002, the FTC and Eli Lilly reached a settlement.]

A maverick. I'm a Republican most of the time. I'm not a Democrat--mark that down. I do my own thinking.

Microsoft is under orders from the FTC for 20 years. If they do things like they ought to have done, this won't impose a burden. I have every confidence that they're going to make every conceivable effort not to repeat this. Can we guarantee it? Hell, no. But they can certainly be aware that if they make a statement or promise, it's good to live up to it.

You moved pretty quickly compared with the Justice Department's pursuit of Microsoft, which began in 1993 and resumed in late 1997.
It didn't take too long. The economy didn't turn sour because Microsoft was engaged with another federal agency. We didn't have the pain of extended litigation. God knows how many millions of dollars went down the drain because of the uncertainty that their suit presented. We'll never know how much damage was done with the prolongation of it.

You seem to be pretty critical of that antitrust suit. Was it justified?
It was justified. I don't question the justification. I just anguish over how long it took everyone to get it done. The uncertainty wasn't a good thing. The lingering doubts and uncertainty throughout all the litigation, and the appeals and the rhetoric wasn't a good idea in the long run.

Earlier this year, the FTC reversed itself after congressional pressure and said it would not streamline how you divide up merger reviews with the Justice Department. What happens next?
Nothing's changed. We're back to fighting the (clearance process). Doing it the way we proposed to do it would have taken a lot of uncertainty out of the industry.

How do you identify yourself politically?
A maverick. I'm a Republican most of the time. I'm not a Democrat--mark that down. I do my own thinking. I'm a Reagan Republican. I'm a guy who supported Ross Perot, Jack Kemp and Ronald Reagan.

Many politicians, including Senate Commerce Chairman Fritz Hollings, D-S.C., have introduced privacy bills that regulate the private sector's data-collection practices. What's your opinion of them?
Nothing's going to happen this year. There will probably be a major effort in the new (2003) Congress, depending on how elections go, to push some sort of comprehensive legislation such as the Hollings legislation. I have said consistently that we are going to get to the best possible solution on the privacy issue if we continue the dialogue, if the industry officials who understand the technology and the government officials are all talking and cajoling. Then we'll come up with a better solution than if Congress were to pass legislation. (If a new law takes effect) most everybody will stop innovating and finding best practices. They'll just do it the government way. Everyone will take the pack off, and we won't get the best possible solutions.

So you're not hoping for such a law next year, to regulate corporations' data-collection and use practices?
I hope we don't get any blanket regulation next year. People have come around to the view that we could do some real harm here. We could cut down the flow of information and shut down the whole economy. (A few years ago, only 14 percent of Web sites had privacy policies.) Now 100 percent of the big sites do. That's all been accomplished without any new laws.

The FTC has a mammoth spam database, with tens of millions of bulk e-mail messages on file. Do you have any plans to do anything with this strange and amazing resource?
I had a meeting last week. I asked, "What the hell do we do with this thing?" We get over 45,000 pieces of spam a day. We're looking at it, we're trying to track it, and we'll be taking some law enforcement actions. But (going after spammers) is not the easiest thing to do. When we see a spike that shows aggregation of this particular message over and over, we start looking into it.

Can you search the database?
Yes, with word searches. Put in "promise to get rich in two weeks" and you get 4,000 messages that pop up.

Are you preserving this spam data for the historical record? What are you going to do with it?
I don't know about making it available to the public. We do keep track of the frequency of certain types of fraud.

Some politicians have introduced anti-spam bills. A few years ago, one was approved by the House but was not acted on by the Senate. What's your opinion of new anti-spam laws?
Why would someone who is breaking the law pay any attention to the law? It's so difficult to catch 'em. You just wonder what the effect would be. Good people who obey laws probably don't send out a whole lot of spam. Bad people who like to rip people off probably won't pay a lot of attention to the law, since they'll do it anyway.

Bad people who like to rip people off probably won't pay a lot of attention to the law, since they'll do it anyway.

How about spam that is not fraudulent and does not violate any existing federal law--it's legal but annoying?
You're going to hear the First Amendment argument, "I have a right to market." They're going to continue to do this until they're taught that it's destructive, that it's harmful. That's one of the principles of the OECD guidelines that talks about democracy and ethics. Be aware that you can hurt other people.

Should the government set baseline security standards that apply to, for instance, Web sites?
My first question would be: Where does government come up with those ideas? What makes us so smart? We're way behind (in understanding) the evolution of the technology. I'd rather see some suggestions from the private sector. We're never going to solve the problem, but we can encourage industry to find solutions, as I did with the guys on spam. I called a bunch of people in and I said, "Go find me a solution to this."

Who did you meet with?
Backbone providers, ISPs. I said, "What is this? Why can't you solve the problem?" I said, "Go out and find a collaborative solution to this problem."

The entertainment industry is fretting about piracy, and a slew of bills have been introduced in Congress. Some would implant anti-copying technology in hardware, while others would legalize attacks on peer-to-peer networks. What do you think should be done?
It's not something that we've been focused on. It's (more under) the jurisdiction of the FCC. I sympathize with movie producers who put together a movie. There ought to be some way to retain that thing without being copied. But I also think that collaboration will reach a better result than a government mandate. The intricacies of it, the details, the cost, the complexity--that's not what we're best at in government. It's not our cup of tea.
Open-source and free software projects have been growing in popularity. What do you think of such software being adopted inside the federal government?
I got curious about Linux several months ago. I asked our computer people about it, saying I wanted to learn more about it. Our computer person gave me the software. I'm going to put it on my laptop. I'm fascinated by all the good things I hear about it.

When did you first get interested in technology?
I was a financial manager in the Marine Corps from 1977 to 1979. I ran the financial management aspect of the logistics system. We were still using adding machines and little calculators and pencils. I said, "Give me a break. I don't know anything about computers, but this is something we should get." The thinking was, "There will be no proliferation of computers." There was great resistance to that. But the day I retired, they got the first two shipped in.